You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This seems wrong. If I can update a queue, I can change who owns it and who has what permissions, or its resource limits so it can't do useful work. All that seems well beyond the scope of a permission called CreateQueue, which I'd say should allow you only to create queues, not to mess with existing queues.
I propose:
adding a queue-specific queue.PermissionVerb called queue.PermissionVerbUpdate
renaming global permission permissions.DeleteQueue to permissions.ModifyQueue
changing submit.UpdateQueue() to require both queue.PermissionVerbUpdate and permissions.ModifyQueue (but not permissions.CreateQueue
Right now, all a user needs in order to update a queue is
permissions.CreateQueue
:https://github.com/G-Research/armada/blob/1476c18bec337b77434c038ec8dea6458ba253ff/internal/armada/server/submit.go#L158-L172
This seems wrong. If I can update a queue, I can change who owns it and who has what permissions, or its resource limits so it can't do useful work. All that seems well beyond the scope of a permission called
CreateQueue
, which I'd say should allow you only to create queues, not to mess with existing queues.I propose:
queue.PermissionVerb
calledqueue.PermissionVerbUpdate
permissions.DeleteQueue
topermissions.ModifyQueue
submit.UpdateQueue()
to require bothqueue.PermissionVerbUpdate
andpermissions.ModifyQueue
(but notpermissions.CreateQueue
┆Issue is synchronized with this Jira Task by Unito
The text was updated successfully, but these errors were encountered: