fix: updates grant remove and list for launch (#1547)

* fix: updates grant remove to sync with add, and list to be filter instead of pos arg * improve: minor * improve: doc * improve: minor * improve: wording Co-authored-by: Bruce MacDonald <brucewmacdonald@gmail.com> * update: none Co-authored-by: Bruce MacDonald <brucewmacdonald@gmail.com> * improve: remove exactargs(0) * improve: rename infra_access to infra_grants * improve: docs Co-authored-by: Bruce MacDonald <brucewmacdonald@gmail.com>
infrahq · Apr 11, 2022 · bfb0c64 · bfb0c64
1 parent d41ba49
commit bfb0c64
Show file tree

Hide file tree

Showing 7 changed files with 244 additions and 254 deletions.
diff --git a/docs/connectors/kubernetes.md b/docs/connectors/kubernetes.md
@@ -56,23 +56,23 @@ infra grants add engineering kubernetes.example --role view
 This command will grant the user `dev@example.com` read-only access into a cluster, giving that user the privileges to query Kubernetes resources but not modify any resources.
 
 ```bash
-infra grants add --user dev@example.com --role view kubernetes.cluster
+infra grants add dev@example.com kubernetes.cluster --role view 
 ```
 
 ### Example: Grant user `ops@example.com` the `admin` role to a namespace
 
 This command will grant the user `ops@example.com` admin access into a namespace, giving that user the privileges to create, update, and delete any resource so long as the resources they’re modifying exist in the namespace.
 
 ```bash
-infra grants add --user ops@example.com --role admin kubernetes.cluster.namespace
+infra grants add ops@example.com kubernetes.cluster.namespace --role admin 
 ```
 
 ### Example: Revoke from the user `ops@example.com` the `admin` role to a namespace
 
 This command will remove the `admin` role, granted in the previous example, from `ops@example.com`.
 
 ```bash
-infra grants remove --user ops@example.com --role cluster-admin kubernetes.cluster.namespace
+infra grants remove ops@example.com kubernetes.cluster.namespace --role cluster-admin 
 ```
 
 ## Additional Information

diff --git a/docs/getting-started/quickstart.md b/docs/getting-started/quickstart.md
@@ -99,13 +99,13 @@ infra id add name@example.com
 Grant the user Infra administrator privileges.
 
 ```
-infra grants add --user name@example.com --role admin infra
+infra grants add name@example.com infra --role admin
 ```
 
 Grant the user Kubernetes cluster administrator privileges.
 
 ```
-infra grants add --user name@example.com --role cluster-admin kubernetes.example-name
+infra grants add name@example.com kubernetes.example-name --role cluster-admin 
 ```
 
 > To view different roles allowed for Kubernetes clusters, see [Kubernetes Roles](../connectors/kubernetes.md#roles)
@@ -175,7 +175,7 @@ infra grants list
 Note: this requires the user to have the admin role within Infra.
 
 An example to grant the permission:
-infra grants add --user name@example.com --role admin infra
+infra grants add name@example.com infra --role admin
 ```
 </details>
 

diff --git a/docs/guides/granting-access.md b/docs/guides/granting-access.md
@@ -14,7 +14,7 @@ To grant access, use `infra grants add`:
 infra grants add user@example.com kubernetes.staging --role edit
 ```
 
-Note: the same command can be used to grant access to a group, for example:
+Note: the same command can be used to grant access to a group using the boolean [--group] flag, for example:
 
 ```
 infra grants add --group engineering kubernetes.staging --role edit
@@ -32,7 +32,7 @@ infra grants remove user@example.com kubernetes.staging --role edit
 
 ```
 infra grants list
-  PROVIDER  IDENTITY     ACCESS  RESOURCE                   
+  PROVIDER  IDENTITY     ACCESS  DESTINATION                   
   okta      Everyone     edit    kubernetes.development
   okta      Engineering  edit    kubernetes.development.monitoring  
   okta      Design       edit    kubernetes.development.web 

diff --git a/docs/guides/managing-admins.md b/docs/guides/managing-admins.md
@@ -13,25 +13,25 @@ Infra has built-in roles for promoting users to manage Infra.
 This will provide `admin@example.com` full access to the Infra API, including creating additional grants, managing identity providers, managing destinations, and managing other users.
 
 ```
-infra grants add infra --user admin@example.com --role admin
+infra grants add admin@example.com infra --role admin
 ```
 
 ## Setting a group to an Infra admin
 
 ```
-infra grants add infra --group engineering --role admin
+infra grants add --group engineering infra --role admin
 ```
 
 ## Revoking admin access
 
 ```
-infra grants remove infra --user admin@example.com --role admin
+infra grants remove admin@example.com infra --role admin
 ```
 
 ## Giving a user limited access to Infra
 
 This Grant will provide `dev@example.com` *some* access to the Infra API, including logging in and using a destination they have been granted access to, listing destinations, and updating their own user. It does *not* include access to creating additional grants, managing identity providers, managing destinations, or managing other users.
 
 ```
-infra grants add infra --user dev@example.com --role user
-```
+infra grants add dev@example.com infra --role user
+```
diff --git a/docs/reference/cli-reference.md b/docs/reference/cli-reference.md
@@ -178,7 +178,13 @@ infra destinations remove DESTINATION [flags]
 List grants
 
 ```
-infra grants list [DESTINATION] [flags]
+infra grants list [flags]
+```
+
+### Options
+
+```
+      --destination string   Filter by destination
 ```
 
 ### Options inherited from parent commands
@@ -197,7 +203,7 @@ Grant access to a destination
 
 Grant one or more identities access to a destination. 
 
-IDENTITY is one that is being given access.
+IDENTITY is the subject that is being given access.
 DESTINATION is what the identity will gain access to. 
 
 Use [--role] if further fine grained permissions are needed. If not specified, user will gain the permission 'connect' to the destination. 
@@ -207,7 +213,8 @@ Use [--group] or [-g] if identity is of type group.
 $ infra grants add devGroup -group ...
 $ infra grants add devGroup -g ...
 
-For full documentation on grants, see  https://github.com/infrahq/infra/blob/main/docs/using-infra/grants.md 
+For full documentation on grants with more examples, see: 
+  https://github.com/infrahq/infra/blob/main/docs/guides
 
 
 ```
@@ -217,7 +224,7 @@ infra grants add IDENTITY DESTINATION [flags]
 ### Options
 
 ```
-  -g, --group         Marks identity as type 'group'
+  -g, --group         Required if identity is of type 'group'
       --role string   Type of access that identity will be given (default "connect")
 ```
 
@@ -233,17 +240,29 @@ infra grants add IDENTITY DESTINATION [flags]
 
 Revoke access to a destination
 
+### Synopsis
+
+Revokes access that user has to the destination.
+
+IDENTITY is one that was being given access.
+DESTINATION is what the identity will lose access to. 
+
+Use [--role] to specify the exact grant being deleted. 
+If not specified, it will revoke all roles for that user within the destination. 
+
+Use [--group] or [-g] if identity is of type group. 
+$ infra grants remove devGroup -g ...
+
+
 ```
-infra grants remove DESTINATION [flags]
+infra grants remove IDENTITY DESTINATION [flags]
 ```
 
 ### Options
 
 ```
-  -g, --group string     Group to revoke access from
-  -m, --machine string   Machine to revoke access from
-  -r, --role string      Role to revoke
-  -u, --user string      User to revoke access from
+  -g, --group         Group to revoke access from
+      --role string   Role to revoke
 ```
 
 ### Options inherited from parent commands