Skip to content

Add limited collaborator role #9299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 89 commits into
base: main
Choose a base branch
from
Open

Add limited collaborator role #9299

wants to merge 89 commits into from
+2,361 −1,360

Conversation

@charliepark
Copy link
Contributor

This PR adds a new role, of a "limited collaborator". The role essentially has restrictions on networking resources, as specified below.

Backstory: We had a request for limitations that could be applied to certain users, in https://github.com/oxidecomputer/customer-support/issues/416. We explored an alternate option (#9227), involving a new silo-level restrict_network_actions flag in the database, but the complexity of that solution suggested there could be a better approach. @davepacheco suggested exploring an exclusively role-based approach via Polar rules, which this PR realizes.

The limited collaborator role will not be able to create, modify, or delete (but will be able to read / list children of) the following resources:

  • VPC
  • Subnet
  • Firewall Rule
  • Custom Router
  • Route
  • Internet Gateway (including attach/detach IP pools and IP addresses)

Limited Collaborators will still be allowed full create / modify / delete permissions on these resources:

  • Floating IP
  • Instance Network Interfaces

@charliepark
add restrict_networking_actions code
3752d57
@charliepark
More development of Polar-based change to permissions
420ed2b
@charliepark
Polar working, perhaps; lots of permission rules
ad106d6
@charliepark
refactor; add a few tests that might still need a bit of tweaking
9966d8e
@charliepark
clean up migration files
a06feda
@charliepark
small cleanup
062d441
@charliepark
fix clippy issues
9450227
@charliepark
safer migratino file
9c709fd
@charliepark
merge main and resolve conflicts
37f1e1e
@charliepark
Update nexus, tests
91d7856
@charliepark
formatting
759f3a6
@charliepark
remove unused method
1f54b26
@charliepark
Move logic from silo to project
01434b2
@charliepark
Remove accidentally committed .bak files
56af8c8
@charliepark
cargo fmt
ced5348
@charliepark
Merge main
d8764d3
@charliepark
fix clippy issues
6cad94e
@charliepark
cargo fmt again
7737776
@charliepark
Update tests
ed3e5f4
@charliepark
Merge branch 'main' into restrict_networking_actions_4
f3b34a9
@charliepark
Update version number in dbint.sql
6f41131
@charliepark
Merge branch 'main' into restrict_networking_actions_4
937d15e
@charliepark
remove redundant Silo query
51207ca
@charliepark
Update tests
f3605a5
@charliepark
cargo fmt
d9b8bcd
@charliepark
Merge branch 'main' into restrict_networking_actions_4
c0e922d
@charliepark
Move restriction check to actor silo policy, rather than project silo
388e903
@charliepark
cargo fmt
4b4c392
@charliepark
Merge branch 'main' into restrict_networking_actions_4
901e241
@charliepark
Add test back in
2dae549
@charliepark
resolve merge conflict
11f0286
@charliepark
remove restrict_networking_actions code
62fe901
@charliepark
A bit more cleanup from old implementation
cab95ce
@charliepark
use main branch's version of openapi/nexus.json
2510870
@charliepark
re-add collaborator-no-networking to enum
eb4e51b
@charliepark
Update policy tests with new role permissions
fb03380
@charliepark
Remove old implementation tests
1935250
@charliepark
Remove old implementation tests from vpc_routers
27e29ac
@charliepark
Remove old Polar rules
9a0e099
@charliepark
Fix macro to have proper authz
3e82cf7
@charliepark
Remove unnecessary logic around create_default_vpc
cb2b99f
@charliepark
Correct comment
b2a1bb5
@charliepark
Improve integration test
b42393d
@charliepark
Change name of role from collaborator-no-networking to limited-collab…
9f4c70c 
…orator
@charliepark
Update snapshots
bdbd67b
@charliepark
Use InProjectLimited and InProjectFull in place of InProject and InPr…
cd3085a 
…ojectNetworking
@charliepark
cargo fmt
fa56b6f
@charliepark
Remove delete from authz list
5530a80
@charliepark
Update a few more spots
d54c6d7
@charliepark
Merge branch 'main' into restrict_networking_actions_5
af225b1
@charliepark
Merge branch 'main' into restrict_networking_actions_5
e2f495d
@charliepark
add silo level role with project inheritance
f9f953a
@charliepark
Switch authz for NIC to subnet Read vs CreateChild
1049914
@charliepark
Add integration tests for limited-collaborator
76e9294
@charliepark
Merge branch 'main' into restrict_networking_actions_5
af9c46b
@charliepark
cargo fmt
8595c2a
@charliepark
Add more comments about roles
428438b
@charliepark
Update openapi/nexus.json with a maybe too long description
06b388e
@charliepark
update OpenAPI spec
b511d18
@charliepark charliepark marked this pull request as ready for review October 30, 2025 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@charliepark @davepacheco