Comments (7)
schema changes
- type Access struct {
+ type Grant struct {
...
- Grant string // policy | import
+ Source string // appeal | import
Status string // active | inactive
+ ProviderStatus string // active | inactive
- CreatedBy string // [email protected]
+ Owner *string // [email protected] | nil
...
}
scenarios
access exists in Grant tables |
access exists in provider | Grant.source |
Grant.status |
Grant.provider_status |
doable actions | notes |
---|---|---|---|---|---|---|
✅ | ✅ | appeal |
active |
active |
revoke Grant |
|
✅ | ❌ | appeal |
active |
inactive |
deactivate Grant OR grant access to the provider |
|
❌ | ✅ | import |
active |
active |
assign Grant.owner to a user OR revoke access from the provider |
will create new entry of Grant |
- will rename
access
entity togrant
to avoid confusion since "access" is the main scope of guardian itself - rename
grant
tosource
with valueappeal
for grant that is created from appeal, andimport
for grant that is imported from provider - add
ProviderStatus
to track the status of the actual access in the provider - rename
created_by
toowner
. Forsource=appeal
Grants, the value of this field going to be theAppeal.created_by
, and forsource=import
, initial value going to benil
until the Grant got assigned to someone
from guardian.
continuing the discussion for this.
assuming we have completed these issues:
there are two kind of cases that we want to collect the information of:
- accesses that are created from guardian but don't exist in the provider
- existing accesses in the provider that are not created through the guardian
Collecting information
The current decided approach in #206 is only for fetching accesses in provider and create the accesses for them. By that, apart from the access state/mapping itself, we only have the creation source information whether the access is created through guardian with approval flow or from outside of guardian (grant=import/policy
). Additional information that needs to be added is the current activeness of each access in the provider itself.
We can add an active_in_provider: boolean
flag in the access
entity for tracking the access activeness. This is different with status="active
where status
is for the access status in guardian and active_in_provider
is for the current status in the provider. We can use the "import existing access" function to update this information in accesses. And since in #206 it was decided that importing existing access going to be an api-based action, maybe we can consider it to run on a job as well so that the active_in_provider
information is kept up to date.
Presenting information
Options:
- add more query parameters in the list accesses API so that client can generate report and customize by passing params
- pros: more flexible and let the client generate their own report based on their use case
create a new API that returns the summary of the track drift result. It can be at the provider level (GET /providers/report
orGET /providers/:id/report
) or resource level (GET /resources/report
orGET /resources/:id/report
)- pros: information is summarized, and also can show list of recommendations
- cons: can't be customized, and the report might not suits what the user needs
from guardian.
@rahmatrhd will both of these statuses live in access objects? If yes, we will have three fields to be tracked?
grant: policy/import
active_in_provider/provider_status: true/false
active_in_policy/policy_status: true/false
from guardian.
for tracking access drift, essentially we only need to track two statuses which are active_in_provider: true/false
and status: pending/active/inactive
(active_in_policy/policy_status). While grant
is only to track the creation of the access itself (whether created through guardian (with approval) or not)
from guardian.
And all these statuses are at access object or status is on appeal?
from guardian.
if we use active_in_provider: true/false
, do we assume (only track) if provider only have two states of activeness active
& inactive
and ignore other possible statuses (if any)?
from guardian.
@ravisuhag grant
, status
, and active_in_provider
are in access
@mabdh makes sense, I think we can make it equivalent to access.status: pending/canceled/active/inactive
from guardian.
Related Issues (20)
- Able to change the policy for pending appeals HOT 1
- refactor appeal functions HOT 3
- Add resources conditionally
- Only allowed a few roles on Bigquery Dataset HOT 2
- Register Dataplex policy-tags as provider HOT 5
- Getting 3 times slack notification for same resource reminder HOT 2
- Shield as a provider in Guardian
- ability to trigger jobs through API end point HOT 1
- support `account_id` in grant expiry reminder notification
- Use `go install` in make setup instead of `go get`
- bigquery get activities test case is flaky
- bigquery client throwing error `CREDENTIALS_MISSING` HOT 3
- Add authentication to guardian using google idtoken (from google SSO login) HOT 18
- Disable dockertest on repository test during unit test HOT 2
- Add API to assign/update owner of a grant HOT 8
- Guardian Approval through Slack HOT 11
- bug(gcs): fetch resources not working for some gcs providers
- Multiple owners in Grants
- Fetch labels for bigquery dataset/table HOT 2
- Frontier provider get groups api needs to be refactored to get admin/owners list
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from guardian.