feat: role version V8 #47912
base: master
This pull request is automatically being deployed by Amplify Hosting (learn more).
@@ -959,11 +959,11 @@ func (r *RoleV6) GetPrivateKeyPolicy() keys.PrivateKeyPolicy { | |||
// setStaticFields sets static resource header and metadata fields. | |||
func (r *RoleV6) setStaticFields() { | |||
r.Kind = KindRole | |||
if r.Version != V3 && r.Version != V4 && r.Version != V5 && r.Version != V6 { | |||
if r.Version != V3 && r.Version != V4 && r.Version != V5 && r.Version != V6 && r.Version != V7 { | |||
// When incrementing the role version, make sure to update the | |||
// role version in the asset file used by the UI. | |||
// See: web/packages/teleport/src/Roles/templates/role.yaml |
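Review bot: In the `if` of setStaticFields, V8 is not among the accepted versions, so a role that already carries V8 takes the same branch as a role with an empty or unknown version. The body of that branch is outside the visible lines, so please confirm it only assigns the new default and that this is the intended handling for V8. Separately, the condition is now a chain of five `!=` comparisons that has to be edited by hand for each new role version; a `switch r.Version` with `case V3, V4, V5, V6, V7:` and a `default:` branch would make the accepted set easier to audit.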
Was this done? Or, if the relevant file name changed, can we update this comment?
// maybeDowngradeRoleVersionToV7 downgrades the role version to V7 if | ||
// the client version passed through the gRPC metadata is below the version | ||
// specified in minSupportedRoleV8Version. | ||
func maybeDowngradeRoleVersionToV7(role *types.RoleV6, clientVersion *semver.Version) *types.RoleV6 { |
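Review bot: The doc comment on maybeDowngradeRoleVersionToV7 does not say whether the returned `*types.RoleV6` is a copy or the same object as `role` with its version changed. If callers can pass a role that is shared (for example one held in a cache), changing it in place would alter what other readers see, so state the contract in the comment and copy before modifying. The signature also takes `clientVersion *semver.Version` as a pointer without saying what happens when it is nil, which is the case to expect when the gRPC metadata carries no version; document that behaviour and cover it with a test.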
Shouldn't you modify the role so that it won't grant access to the SAML IdP apps if the v8 role wouldn't grant access?
`app_labels` matcher for `saml_idp_service_provider` kind. App label matchers will only be enforced in SAML service provider starting version role `v8`. This is managed with a new `CheckRoleSupportsSAMLIdPAppLabelMatcher` method which returns true when user is assigned with a role version `v8`.
`v7` and `v8` all remains the same. No new fields added to the role and rule spec. Does not affect any RBAC behaviour except for `saml_idp_service_provider` resource.
`GetRole` is updated to downgrade the role versions from `v8` to `v7` for clients that have a version below `v17.0.0`.
`v8` version.
Not covered in this PR:
`v7` `v8`. Other presets remain as is.