[RBAC PR 3] Add configurable default-access role to RBAC#2233
Open
philipfweiss wants to merge 3 commits into
Open
[RBAC PR 3] Add configurable default-access role to RBAC#2233philipfweiss wants to merge 3 commits into
philipfweiss wants to merge 3 commits into
Conversation
Thread is_admin into AuthContext and short-circuit RBAC authorization for admins, approving all requests. The bypass is a single explicit check and is logged for audit, so it is easy to find and to later scope down if admins should still respect some constraints.
✅ Deploy Preview for thriving-cassata-78ae72 canceled.
|
This was referenced Jun 5, 2026
6da138a to
e44c260
Compare
Add a DEFAULT_ACCESS_ROLE setting whose scopes are evaluated as a fallback when no explicit grant matches, so deployments can express graceful defaults (e.g. read on *) without flipping the whole policy to permissive. The default role's scopes are pre-loaded into AuthContext and evaluated together with the principal's own scopes: _make_decision now gathers all candidate scopes (explicit grants + default role) and resolves them in one step, then falls back to default_access_policy. Collecting candidates before deciding (rather than a nested allow-ladder) keeps the door open for future deny/precedence rules.
6da138a to
64822f3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tracking: #2234 (step 3 of the RBAC enablement sequence).
Stacked on #2232.
With
default_access_policy=restrictive, every reques is denied unless an explicit user or group grant matches. That leaves no way to express a baseline like "everyone can read" short of flipping the whole policy back topermissiveor hand-granting every principal.This adds a configurable default-access role:
default_access_rolesetting (defaultNone).AuthContext.from_userloads the named role's scopes intoAuthContext.default_scopes(empty when the setting is unset or the role does not exist).RBACAuthorizationServiceresolves the principal's own scopes and the default-role scopes together; if none grant the request, it falls back todefault_access_policy.How I verifie:
Run against the PR branch with a restrictive RBAC config and the seeded Roads data. The user
djis a normal non-admin.1. Started the PR server, restrictive policy, no default role.
2. Logged in as non-admin
dj; baseline denies both read and write.3. Created a default-access role that grants read broadly.
4. Restarted the server with the role wired in as the default.
5. Same non-admin user now gets fallback read, while writes stay denied.
The read flips from
403to200once the default role is configured; the write stays403because the role grants onlyREAD. Unsettingdefault_access_role, or pointing it at a role that does not exist, loads no scopes and falls back todefault_access_policy.