Closed
Description
User story
- As an admin, I want to inspect permissions for arbitrary RBAC groups.
Details
Currently the permission inspection UI in its "Group" mode restricts the user entry to group names starting with `customer:`. This is the name prefix assigned to all group names for users authenticated via OIDC via the Dex connector with the ID `customer`.
This restriction already affects us (as Giant Swarm staff) currently when testing and using a different Dex connector, in our case `giantswarm`.
Soon we will allow for additional Dex connectors to be configured.
Questions
- How about not restricting entry at all? In that case we should provide guidance, as users would be likely to omit the group prefix, leading to wrong results (in most cases: no permissions displayed).
  - Such guidance could be given for example if we don't find a `:` (colon) in the group name, in the form of an error message.
- Alternatively, can the web UI provide a list of all valid prefixes to choose from via e.g. a dropdown menu?
  - If the user has `list` access to RoleBinding and ClusterRoleBinding resources, we can collect prefixes from those. Might be a slow procedure. What about users who don't have access to these?
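
The two ideas raised in the questions above, sketched as an added example (not part of the original issue and not the project's own code): collecting group prefixes from the `Group` subjects of RoleBinding and ClusterRoleBinding objects, and returning guidance when an entered group name lacks a `:` prefix. The function names `collectGroupPrefixes` and `validateGroupName`, the message texts, and the sample bindings are assumptions constructed for illustration.

```javascript
// Sample RoleBinding / ClusterRoleBinding objects, constructed for this example.
const sampleBindings = [
  { kind: 'ClusterRoleBinding', subjects: [{ kind: 'Group', name: 'customer:platform-admins' }] },
  { kind: 'RoleBinding', subjects: [
    { kind: 'Group', name: 'giantswarm:giantswarm-admins' },
    { kind: 'User', name: 'jane@example.com' }, // not a group, ignored
  ] },
  { kind: 'RoleBinding', subjects: [
    { kind: 'Group', name: 'system:authenticated' }, // Kubernetes built-in group
    { kind: 'Group', name: 'legacy-group' },         // no prefix at all
  ] },
  { kind: 'RoleBinding' }, // a binding may carry no subjects
];

// Hypothetical helper: distinct prefixes (text up to and including the first
// colon) of all Group subjects found in the given bindings.
function collectGroupPrefixes(bindings) {
  const prefixes = new Set();
  for (const binding of bindings) {
    for (const subject of binding.subjects ?? []) {
      if (subject.kind !== 'Group') continue;
      const idx = subject.name.indexOf(':');
      if (idx > 0) prefixes.add(subject.name.slice(0, idx + 1));
    }
  }
  return [...prefixes].sort();
}

// Hypothetical helper: returns an error message for the "Group" input field,
// or null when the entry looks like a prefixed group name.
function validateGroupName(input, knownPrefixes = []) {
  const name = input.trim();
  if (name === '') return 'Please enter a group name.';
  const idx = name.indexOf(':');
  if (idx <= 0) {
    const hint = knownPrefixes.length
      ? ` Known prefixes: ${knownPrefixes.join(', ')}`
      : '';
    return `Group name has no prefix such as "customer:".${hint}`;
  }
  if (idx === name.length - 1) return 'Group name is missing after the prefix.';
  return null;
}
```

Prefixes collected this way also include Kubernetes' built-in `system:` groups, so a dropdown built from them would list more than the Dex connector prefixes.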