This repository has been archived by the owner on Dec 7, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
Use access rights to restrict pipeline access #21
Comments
Some more thoughts on this (also based on the thoughts in #39).
|
JeanMertz
added a commit
that referenced
this issue
Jul 23, 2019
This commit builds on top of the new privileged-based layered API access introduced in abd8f76. The commit reverts part of the changes introduced in 5552179 and builds upon the parts that remain. It is now (again) possible to access the client without being authenticated. The client works as it did before, all data is accessible and visible. However, when you open a task, it will now show you either the original "run" button, or – depending on your access level – a button informing you that you need to authenticate to run the task, or if you are already authenticated but lack sufficient privileges, it will inform you that you cannot run said task. The "Authentication Required" button can be clicked to show a more friendly inline login field, that doesn't cover the entire screen, and can be ignored if you are not interested in authenticating. All in all, this provides a _much_ friendlier user experience, while also allowing for more fine-grained access control. This closes #19, #21, and #39.
This has been implemented in bf9ffe4. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Building on top of #19.
Once people can/have to authenticate themselves, it becomes possible to segregate people into groups with different access rights.
Similar to the linked issue, this is not about keeping outside people out, it's about having a simple way to give people within your organisation access to the exact pipelines they need, or keep some of the more destructive pipelines limited to a small part of the organisation.
The goal is to make it easy to restrict people from having access to one or more pipelines (denied list), or the reverse, to give them access to a subset of pipelines (allowed list).
For this to work, there needs to be a common type to base these access rights on.
One option would be to allow adding
tags
to pipelines, which can then be used in these allow/deny lists for access control.I don't know what the right solution is, but I do think it's important to keep it as simple as possible, but also give us some flexibility for the future (that's why
tags
could be a solution, as it allows more useful patterns in the future based on these primitives).The text was updated successfully, but these errors were encountered: