editoast: migrate infra grant revoking to authz::v2#16974
Open
leovalais wants to merge 4 commits into
Open
Conversation
leovalais
force-pushed
the
lva/revoke-infra-grant-v2
branch
from
89fecf2 to
12d1fa4
Compare
Contributor
Author
|
rebase + conflicts + use of |
Sh099078
approved these changes
Jun 4, 2026
Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
`Authorizer` is not dyn-compatible for more than one reason. Though it'll be useful at times to have *either* a `SystemAuthorizer` or a `UserAuthorizer` depending on the authentication mode. Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
leovalais
force-pushed
the
lva/revoke-infra-grant-v2
branch
from
12d1fa4 to
790d964
Compare
Contributor
Author
|
rebase. + conflicts |
Removes the corresponding function in the `Regulator` and adapts all call sites. Adds the `Protected` operation, its tests, new `Check`s, their implementation in authorizers and their tests. CHANGE: now admins **can** revoke the last owner of a resource. It's fine because admins have access to everything so they can re-assign it if necessary. It will allow us to "retire" resources without deleting them for example. It's also much more consistent with our "admin" vison: "admins can do anything as long as it doesn't break internal consistency". Improvement: the batching endpoint now revokes all grants concurrently. Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
Makes sure that our revoking rules below are always upheld: 1. Only owners (and admins) can fully revoke grants 2. The last owner of a resource cannot be revoked (admins can) 3. An owner cannot revoke another owner Signed-off-by: Léo VALAIS <leovalais+git@proton.me>
leovalais
force-pushed
the
lva/revoke-infra-grant-v2
branch
from
790d964 to
3f3aea0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
refs https://github.com/osrd-project/osrd-confidential/issues/1168
Tip
review commits individually