feat: interact with plugins from service endpoint for least privilege #192
antoine.choimet seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Can you clarify what scenario you're in that needs this? I suppose this would allow service plugin creation with certain RBAC rules, but that shouldn't be a concern in the community edition. That aside we'd probably want to handle this either with a parameter or wrapper functions (probably the latter, since it'd allow preserving the existing
The use case is that we have a tool to drive the creation and configuration of request termination plugin. For this tool we created a dedicated consumer, this consumer has a dedicated group and only a set of accessible paths. We don't want this consumer to be able to interact with a plugin at global level (/plugins), only with a targeted service. Yes ok for the implementation as a wrapper, so I give the path as a parameter of Create() function?
Hello @rainest, since the endpoint/query path is defined inside the function, and when I want to add a plugin at service level I need to add /services/SERVICE_NAME before /plugins, it seems not possible to me to wrap the functions to do this behaviour? Am I wrong? For example for Create:

```go
func (s *PluginService) Create(ctx context.Context,
	plugin *Plugin, serviceIDorName *string,
) (*Plugin, error) {
	queryPath := "/plugins"
	method := "POST"
	if plugin.ID != nil {
		queryPath = queryPath + "/" + *plugin.ID
		method = "PUT"
	}
	if serviceIDorName != nil {
		queryPath = "/services/" + *serviceIDorName + queryPath
	}
	req, err := s.client.NewRequest(method, queryPath, nil, plugin)
	if err != nil {
		return nil, err
	}
	var createdPlugin Plugin
	_, err = s.client.Do(ctx, req, &createdPlugin)
	if err != nil {
		return nil, err
	}
	return &createdPlugin, nil
}
```

I can also add methods in the service_service.go, AddPlugin RemovePlugin UpdatePlugin maybe it will be more elegant.
You'd leave the The exported functions determine the endpoint and perform any validation they need, and then pass the endpoint/plugin along to the helper. Roughly:
With that approach,
Thanks for your reply @rainest, I tried to respond to your expectations and I created a sendRequest method common to the methods Create / CreateForService etc. Is it okay for you?
Ah, true, I suppose you can just use that for everything. It looks like something has broken on the List function, so that may require its own function--the Conceptually though, that looks good, so it should be good to go once the errors are addressed (note that you'll also need to sign the CLA).
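A sketch of the wrapper-plus-shared-helper shape discussed above, added here as an illustration and not taken from the PR or from go-kong: the pared-down `Plugin` type and the names `pluginRequest`, `GlobalPluginRequest` and `ServicePluginRequest` are hypothetical. It shows the two properties that matter for a least-privilege consumer: a missing service never falls back to the global `/plugins` path, and the service name is escaped so it stays a single path segment.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Plugin is a pared-down stand-in for the library's Plugin type (assumption).
type Plugin struct{ ID *string }

// pluginRequest is a hypothetical shared helper: the exported wrapper picks
// the base endpoint, the helper only derives method and final path from it.
func pluginRequest(endpoint string, p *Plugin) (method, path string, err error) {
	if p == nil {
		return "", "", errors.New("plugin cannot be nil")
	}
	if p.ID != nil { // existing plugin: upsert by ID
		return "PUT", endpoint + "/" + url.PathEscape(*p.ID), nil
	}
	return "POST", endpoint, nil
}

// GlobalPluginRequest keeps the existing behaviour: the global /plugins endpoint.
func GlobalPluginRequest(p *Plugin) (string, string, error) {
	return pluginRequest("/plugins", p)
}

// ServicePluginRequest only ever builds paths under /services/{service}/plugins.
// A missing service is an error, never a silent fallback to /plugins, and the
// name is escaped so it stays a single path segment.
func ServicePluginRequest(service *string, p *Plugin) (string, string, error) {
	if service == nil || *service == "" {
		return "", "", errors.New("service ID or name is required")
	}
	return pluginRequest("/services/"+url.PathEscape(*service)+"/plugins", p)
}

func main() {
	svc, odd := "billing", "a/../../plugins" // constructed sample values
	for _, s := range []*string{&svc, &odd, nil} {
		method, path, err := ServicePluginRequest(s, &Plugin{})
		fmt.Println(method, path, err)
	}
}
```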
@rainest Ok I fixed the test and fixed the two lint errors. The CLA seems now signed.
CI seems unhappy because third-party PRs can't upload coverage info, which is fine, but I thought we had something in place to skip that when it was unavailable. Checking around to see why that's not the case.
@rainest Any news? Do I need to do something from my side?
Codecov Report
```diff
@@ Coverage Diff @@
## main #192 +/- ##
===========================================
- Coverage 53.47% 39.78% -13.70%
===========================================
Files 44 44
Lines 3888 3924 +36
===========================================
- Hits 2079 1561 -518
- Misses 1353 2067 +714
+ Partials 456 296 -160
```
@achoimet it looks like CodeCov was just having issues the other day; integration tests that don't require a license are now completing fine. It does look like there are still a few linter errors around an incorrect error check that you do need to fix.
Ok, linters issues are fixed.
Ah, now we had inconvenient timing and need to fix #195 on our side 🤦
# Why
Allows for better RBAC.
# What
Update the kong lib and use the new endpoints.
# References
- Kong/go-kong#192
Hello,
Is it possible to add those methods to be able to CREATE/UPDATE/DELETE plugins from the service endpoints? In this case we can enable least privilege with the kong community edition.