Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Remove scope from initializingworkspaces virtual workspace #3264

Merged
merged 1 commit into from
Jan 23, 2025
Merged

🐛 Remove scope from initializingworkspaces virtual workspace #3264

merged 1 commit into from
Jan 23, 2025

Conversation

embik
Copy link
Member

@embik embik commented Jan 23, 2025

Summary

As part of #3235, we added scoping to the impersonation that happens in the initializingworkspaces virtual workspace when proxying through content access. This creates a fundamental problem: When creating APIBindings through it (a common activity done by kcp itself for the default API bindings in a WorkspaceType), the impersonated identity will always be out-of-scope for the workspace that holds the target APIExport for a default binding.

This means default API bindings would always be bound as system:anonymous / system:authenticated (the identity of out-of-scope entities), which means you cannot properly provide permissions to the owner of a workspace (which is the identity impersonated by the virtual workspace).

So for now we think we should undo the scoping in the virtual workspace.

Related issue(s)

Fixes #

Release Notes

NONE

@embik embik requested review from sttts and mjudeikis January 23, 2025 14:02
@kcp-ci-bot kcp-ci-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has signed the DCO. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 23, 2025
@sttts
Copy link
Member

sttts commented Jan 23, 2025

/lgtm
/approve
/retest

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 23, 2025
@kcp-ci-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 39086aa15908c5d1f6ca2fe6073684f74a31be71

@kcp-ci-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 23, 2025
@kcp-ci-bot kcp-ci-bot merged commit 2325423 into kcp-dev:main Jan 23, 2025
16 checks passed
@embik embik deleted the no-scope-in-vw branch January 23, 2025 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts Awaiting requested review from sttts

@mjudeikis mjudeikis Awaiting requested review from mjudeikis

Assignees

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@embik @sttts @kcp-ci-bot