agent: controller publications should bypass authorization checks #1634
psFried added a commit that referenced this issue Sep 26, 2024

Significantly refactors the `Publisher`, in order to address a number of outstanding issues.

Introduces a `DraftPublication` struct that represents the desire to publish a draft, along with associated metadata and configuration. Also added the `Publisher::publish(&self, DraftPublication)` function, which handles build, commit, and retries.

Fixes #1634 by bypassing authorization checks for controller-initiated publications. The `verify_user_authz` field of `DraftPublication` can be used to toggle this behavior.

Takes care of a portion of #1520 by generating a new publication id for each attempted publication, rather than re-using the `publications.id` column value. This required adding a new `publications.pub_id` column to hold the effective publication id, since `publications.id` can no longer be used to join to `publication_specs` or `live_specs.last_pub_id`.
Automated publications that are performed by controllers should bypass authorization checks. We currently require controllers to assume the `estuary_support/` role, which must have an authorization grant to every prefix in the system. We'd like to instead have agents bypass authZ checks for publications that are triggered by our automation.
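The authorization toggle described in this issue and its fixing commit, sketched as an added Rust example (not code from the Estuary repository). `DraftPublication` and `verify_user_authz` are the names the commit message uses; the `Grant` type, the two constructors, the free `publish` function and the sample names are hypothetical, and grants are assumed to be prefixes ending in `/`.

```rust
// Simplified model, not Estuary's code. Only `DraftPublication` and
// `verify_user_authz` come from the commit message; the rest is hypothetical.
pub struct DraftPublication {
    user: String,
    catalog_names: Vec<String>,
    // Private: code outside this module picks the value only through the
    // constructors below, never from a field of a user-supplied request.
    verify_user_authz: bool,
}

impl DraftPublication {
    /// User-initiated publication: grants are always checked.
    pub fn from_user(user: &str, names: &[&str]) -> Self {
        let catalog_names = names.iter().map(|n| n.to_string()).collect();
        Self { user: user.to_string(), catalog_names, verify_user_authz: true }
    }
    /// Controller-initiated publication (trusted automation): checks skipped.
    pub fn from_controller(names: &[&str]) -> Self {
        let catalog_names = names.iter().map(|n| n.to_string()).collect();
        Self { user: "controller".to_string(), catalog_names, verify_user_authz: false }
    }
}

/// Assumed grant model: `user` may publish any name under `prefix`.
pub struct Grant { pub user: String, pub prefix: String }

/// Returns the number of specs published, or the first authorization failure.
pub fn publish(draft: &DraftPublication, grants: &[Grant]) -> Result<usize, String> {
    if draft.verify_user_authz {
        for name in &draft.catalog_names {
            // Prefixes must end in '/' so "acmeCo/" cannot match "acmeCoEvil/x".
            let allowed = grants.iter().any(|g| {
                g.user == draft.user && g.prefix.ends_with('/') && name.starts_with(g.prefix.as_str())
            });
            if !allowed {
                return Err(format!("{} lacks a grant covering {}", draft.user, name));
            }
        }
    }
    Ok(draft.catalog_names.len())
}

fn main() {
    // Constructed sample data.
    let grants = vec![Grant { user: "alice".into(), prefix: "acmeCo/".into() }];
    let names = ["acmeCo/orders", "otherCo/events"];
    println!("{:?}", publish(&DraftPublication::from_user("alice", &names), &grants));
    println!("{:?}", publish(&DraftPublication::from_controller(&names), &grants));
}
```

Keeping the flag behind constructors means a review only has to audit the call sites of `from_controller` to know where checks are skipped.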