Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor: Replace SelfSubjectAccessReview for better permissions check #505

Open
ccremer opened this issue Mar 2, 2023 · 0 comments
Open

Refactor: Replace SelfSubjectAccessReview for better permissions check #505

ccremer opened this issue Mar 2, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@ccremer
Copy link
Contributor

ccremer commented Mar 2, 2023
edited
Loading

Summary

As a user
I want to replace the current permission checking system with one better suited for UI
So that I get a slightly faster UI

Context

Currently, the frontend checks permissions using SelfSubjectAccessReview API in Kubernetes. This API gives returns true/false indicating whether the user is allowed to interact with the resource in question. However, each permission needs its own request for each verb, e.g. "list", "update" and "create" sum already to 3 individual request for a single resource like Organization.

Navigating all features (teams, organizations, billing, etc) with 4 organizations already sums up to 27 requests at least.

However, there is an API that is more suited for UI permission checks: SelfSubjectRulesReview (or kubectl auth can-i --list -n <namespace> equivalent). This returns a single response with list of all the resources that can the user can access in a single namespace. With 4 organizations we can reduce the number of requests to 5 (1 is for checking the cluster-scoped resources first, using the default namespace).

This issue is intended for a refactoring, functionally or visually it shouldn't change anything for the user. But it may improve responsiveness. However, there is a downside to this: While the number of request goes down, the JSON payload size increases, especially for OpenShift. The payload would possibly contain loads of other unrelated permissions.

In that sense, switching could be considered "premature optimization", so we might only address this when it's actually a problem with lots of small SelfSubjectAccessReview requests. We currently don't know whether it's better to have many small requests on demand or few larger requests relatively early.

Out of Scope

There is another issue to discuss which permissions to check. This issue here discusses how those permissions are checked.

Further links

Acceptance Criteria

No response

Implementation Ideas

The Rules review API requires a namespace even for cluster-scoped resources. Upon startup we can issue 1 request in the default namespace, as that lists the cluster-scoped resources as well.
Once loaded the Rules into frontend/store, we should implement helper functions that filter the desired permissions for each module/feature.
@ccremer ccremer added the enhancement New feature or request label Mar 2, 2023
@ccremer ccremer mentioned this issue Apr 18, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ccremer