feat: limit project group creation to admins#1331
Open
olevski wants to merge 15 commits into
Open
Conversation
Contributor
|
You can access the deployment of this PR at https://renku-ci-ds-1331.dev.renku.ch |
olevski
force-pushed
the
feat-limit-project-group-creation-to-admins
branch
from
de41b99 to
0b80403
Compare
Member
Author
|
I tested in the CI deployment but if you switch off project and group creation and leave it like that, then the acceptance tests cannot pass because they need to create groups and/or projects in all cases. |
olevski
commented
May 29, 2026
Member
Author
There was a problem hiding this comment.
A bunch of stuff here is just reformatted and it shows up as a large diff. I added coments to indicate what is new.
olevski
commented
May 29, 2026
Comment on lines
+49
to
+85
| /platform/config/authorization: | ||
| get: | ||
| summary: Get the current authorization configuration for Renku | ||
| responses: | ||
| "200": | ||
| description: The authorization configuration | ||
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: "#/components/schemas/AuthzConfig" | ||
| default: | ||
| $ref: "#/components/responses/Error" | ||
| tags: | ||
| - platform | ||
| patch: | ||
| summary: Update the authorization configuration | ||
| description: | | ||
| Requires admin permissions. | ||
| parameters: | ||
| - $ref: "#/components/parameters/If-Match" | ||
| requestBody: | ||
| required: true | ||
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: "#/components/schemas/AuthzConfigPatch" | ||
| responses: | ||
| "200": | ||
| description: The updated platform configuration | ||
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: "#/components/schemas/AuthzConfig" | ||
| default: | ||
| $ref: "#/components/responses/Error" | ||
| tags: | ||
| - platform |
olevski
commented
May 29, 2026
Comment on lines
+324
to
+352
| AuthzFlag: | ||
| type: boolean | ||
| description: | | ||
| Controlls whether only admins or every user can perform a specific action. | ||
| default: false | ||
| AuthzConfig: | ||
| description: The authorization configuration for the whole platform. | ||
| type: object | ||
| properties: | ||
| etag: | ||
| $ref: "#/components/schemas/ETag" | ||
| only_admins_can_create_projects: | ||
| $ref: "#/components/schemas/AuthzFlag" | ||
| only_admins_can_create_groups: | ||
| $ref: "#/components/schemas/AuthzFlag" | ||
| required: | ||
| - etag | ||
| - only_admins_can_create_projects | ||
| - only_admins_can_create_groups | ||
| additionalProperties: false | ||
| AuthzConfigPatch: | ||
| description: Patch of the configuration of RenkuLab | ||
| type: object | ||
| properties: | ||
| only_admins_can_create_projects: | ||
| $ref: "#/components/schemas/AuthzFlag" | ||
| only_admins_can_create_groups: | ||
| $ref: "#/components/schemas/AuthzFlag" | ||
| additionalProperties: false |
Coverage Report for CI Build 26645617463Coverage increased (+0.05%) to 86.362%Details
Uncovered Changes
Coverage Regressions13 previously-covered lines in 8 files lost coverage.
Coverage Stats
💛 - Coveralls |
SalimKayal
requested changes
May 29, 2026
| assert res.status_code == 200, (res.status_code, res.text) | ||
| assert not res.json["only_admins_can_create_groups"], res.text | ||
| assert not res.json["only_admins_can_create_groups"], res.text | ||
| await asyncio.sleep(5) |
Collaborator
There was a problem hiding this comment.
why asyncio.sleep(5) could this be a source of tests flakiness ?
Member
Author
There was a problem hiding this comment.
Oh my bad. I meant to remove that. It was from troubleshooting the tests. We dont need it anymore.
| resource_type=platform.object_type, | ||
| optional_resource_id=platform.object_id, | ||
| optional_subject_filter=sub_filter, | ||
| optional_relation="admin", |
Collaborator
There was a problem hiding this comment.
Suggested change
| optional_relation="admin", | |
| optional_relation=_Relation.admin.value, |
eikek
previously approved these changes
May 29, 2026
| ) | ||
|
|
||
| _v10 = """\ | ||
| definition user {} |
Member
There was a problem hiding this comment.
I think, this is the only change here:
definition platform {
relation admin: user
+ relation project_creator: user:*
+ relation group_creator: user:*
permission is_admin = admin
+ permission create_projects = is_admin + project_creator
+ permission create_groups = is_admin + group_creator
}
Member
Author
There was a problem hiding this comment.
Yes I meant to post the diff but I forgot. But I double checked just now to make sure. And yes that is the change from v9 to v10.
SalimKayal
previously approved these changes
May 29, 2026
Collaborator
SalimKayal
left a comment
SalimKayal
left a comment
There was a problem hiding this comment.
looks good on my side.
Make it so that (if configured) admins are the only one allowed to create projects and groups. By default we have the old behavior so that everyone who is logged in can create a group or project. The limits are applied in addition to all other authroization schemes and regardless of where the project will be created (username or group).
olevski
force-pushed
the
feat-limit-project-group-creation-to-admins
branch
from
8da33be to
9f8bc4e
Compare
Member
Author
|
I rebased and can confirm that the diff stays the same: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
/deploy
This gives the ability for admins to make it so that only themselves or other admins are the only ones who can create projects or groups. This is a requested feature from enterprise users who want strict control of who can control projects and resources. To avoid proliferation and ensure existing resources are properly managed.
By default this option is turned off and the behaviour as the same as what we have before this feature - i.e. anyone can make a project or a group.