-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ISSUE-897] Add ANONYMOUS Permission #917
[ISSUE-897] Add ANONYMOUS Permission #917
Conversation
Let's create an |
server/src/test/java/com/linecorp/centraldogma/server/metadata/MetadataServiceTest.java
Outdated
Show resolved
Hide resolved
@minwoox, please check if I've understood correctly 😄
|
Does "Users" mean the clients or the repository owners? The repository owners do not have to add the tokens. All they have to do is adding the read permission to the anonymous role. Here is the flow:
Please let me know if you have any further questions. 😉 |
/** | ||
* Holds a default application token. | ||
*/ | ||
public class ApplicationToken { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@minwoox, thank you so much for the detailed explanation. It helped me a lot 👍
It seems like com.linecorp.centraldogma.client.armeria.AbstractCentralDogmaBuilder
sets com.linecorp.centraldogma.internal.CsrfToken#ANONYMOUS
as accessToken by default(when no other accessToken is specified). So the question is, should we use CsrfToken#ANONYMOUS
when checking anonymous token, or should we create a new ApplicationToken#ANONYMOUS
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's simply a string, so it doesn't matter what we use.
Let's remove this class and use CsrfToken#ANONYMOUS
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a commit that uses CsrfToken#ANONYMOUS
and remove ApplicationToken
...main/java/com/linecorp/centraldogma/server/internal/api/auth/ApplicationTokenAuthorizer.java
Outdated
Show resolved
Hide resolved
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #917 +/- ##
=======================================
Coverage ? 66.80%
Complexity ? 3522
=======================================
Files ? 370
Lines ? 14494
Branches ? 1557
=======================================
Hits ? 9683
Misses ? 3931
Partials ? 880 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! Thanks! 👍 👍 👍
server/src/main/java/com/linecorp/centraldogma/server/metadata/MetadataService.java
Outdated
Show resolved
Hide resolved
server/src/main/java/com/linecorp/centraldogma/server/metadata/PerRolePermissions.java
Outdated
Show resolved
Hide resolved
server/src/test/java/com/linecorp/centraldogma/server/internal/api/auth/PermissionTest.java
Outdated
Show resolved
Hide resolved
throw new UnsupportedOperationException( | ||
"Can't give a permission to guest for internal repository: " + repoName); | ||
"Can't give a permission to guest or anonymous for internal repository: " + repoName); | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also check if the anonymous permission has the write permission? If so, we should raise an exception.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've fixed to throw exception when trying to grant WRITE permission to anonymous user
…/MetadataService.java Co-authored-by: minux <[email protected]>
…/PerRolePermissions.java Co-authored-by: minux <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look reasonable to me 👍 Thanks @seonwoo960000 !
nit; we may need to update
centraldogma/site/src/sphinx/auth.rst
Line 293 in 2994712
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent work, @seonwoo960000! 🙇
server/src/main/java/com/linecorp/centraldogma/server/metadata/PerRolePermissions.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @seonwoo960000! 🙇♂️🙇♂️ This would be a go-to feature for many users.
@seonwoo960000 👍 👍 👍 |
Motivation
Modification
ProjectRole#ANONYMOUS
Result
ANONYMOUS
role to their projectLinks
#897