Skip to content

Commit

Permalink
feat: add rbac for strict job queue control (#927)
Browse files Browse the repository at this point in the history
implement RBAC for controlling job queue
give permission to ClusterAdmin role to make changes in the strict case

[excluding e2e_tests changes]
  • Loading branch information
hamidzr authored and djanicekpach committed Feb 29, 2024
1 parent af44705 commit e8709a6
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 1 deletion.
1 change: 1 addition & 0 deletions .circleci/devcluster/single-rbac.devcluster.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ stages:
authz:
type: rbac
rbac_ui_enabled: true
strict_job_queue_control: true
scim:
enabled: true
auth:
Expand Down
8 changes: 7 additions & 1 deletion master/internal/job/authz_rbac.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,9 @@ import (

"github.com/determined-ai/determined/master/internal/authz"
"github.com/determined-ai/determined/master/internal/command"
"github.com/determined-ai/determined/master/internal/config"
"github.com/determined-ai/determined/master/internal/db"
"github.com/determined-ai/determined/master/internal/rbac"
"github.com/determined-ai/determined/master/pkg/model"
"github.com/determined-ai/determined/proto/pkg/jobv1"
"github.com/determined-ai/determined/proto/pkg/rbacv1"
Expand Down Expand Up @@ -114,7 +116,11 @@ func (a *JobAuthZRBAC) FilterJobs(
func (a *JobAuthZRBAC) CanControlJobQueue(
ctx context.Context, curUser *model.User,
) (permErr error, err error) {
return nil, nil
if !config.GetMasterConfig().Security.AuthZ.StrictJobQueueControl {
return nil, nil
}
return rbac.CheckForPermission(ctx, "job", curUser, nil,
rbacv1.PermissionType_PERMISSION_TYPE_CONTROL_STRICT_JOB_QUEUE)
}

func init() {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
DELETE FROM permission_assignments WHERE permission_id = 8101;

DELETE FROM permissions WHERE id = 8101;
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
-- // Ability to control strict job queue.
-- PERMISSION_TYPE_CONTROL_STRICT_JOB_QUEUE = 8101;

INSERT into permissions(id, name, global_only) VALUES
(8101, 'control strict job queue', true);


-- determined> select * from roles;
-- +----+---------------------+----------------------------+
-- | id | role_name | created_at |
-- |----+---------------------+----------------------------|
-- | 1 | ClusterAdmin | 2023-05-30 16:20:54.825443 |
-- | 2 | WorkspaceAdmin | 2023-05-30 16:20:54.825443 |
-- | 3 | WorkspaceCreator | 2023-05-30 16:20:54.825443 |
-- | 4 | Viewer | 2023-05-30 16:20:54.825443 |
-- | 5 | Editor | 2023-05-30 16:20:54.825443 |
-- | 6 | ModelRegistryViewer | 2023-05-30 16:20:55.136146 |
-- +----+---------------------+----------------------------+
-- SELECT 6

INSERT INTO permission_assignments (permission_id, role_id)
SELECT 8101, roles.id
FROM roles
WHERE roles.role_name IN ('ClusterAdmin');

0 comments on commit e8709a6

Please sign in to comment.