- Much of the grunt work is generic OIDC
Also fixed
- store's principalId was not updated after user enables any auth provider
- Colour of InfoBox title in dark mode
- Issue where some kinds of errors when enabling provider were shown as an empty box (exceptionToErrorsArray is now used, which also uses a better catch-all stringify)
- An issue where enabling and disabling a provider in the same visit meant lost defaults
- An issue where Auth / Groups would not display (async part had been removed)
- Resource instance validation would show all fields as invalid once one field had failed
- RBAC Role type improvements
- Remove rule 'Non-Resource URL' field. RBAC role type is namespaced, non-resource URLs are not.
- Apply additional validation (
- rule resource AND api group required, rather than default rule resource, non-resource url or api group required
- name is required
- Show Required indicator for all fields (reflecting validation)
- Other Role type improvements
- Show Required indicator for rule Verbs field
- This does mean that when the page initially loads we show an empty rule row with required fields... but user can ignore this and successfully save the role anyway. The alternative is to not show an empty rule to begin with... but this forces the user to `Add Resource`. I feel the latter is more of an issue than the former.
- name is required
- Removed unused code (setVerb/getVerb)
- Improve handling of empty strings when setting arrays in a rule
- Remove required field for api groups for non-rancher types (rbac role/cluster role)
- There's a lot of validation for these types in the backend that would be tricky to do with the current mechanism up front
- Namespaced roles cannot use non-resource urls
- Rules with resources must have api groups (and vice versa)
- Roles with no rules are ok (guessing this is because there's no validation of the inherit role side)
- So let the api validation do its thing for the complex cases on submit
- Apply basic rule validation to non-rancher role types
- Role Rule 'Resources' --> 'Resource'
- For disabled radio buttons don't show standard grey colour, use the usual with opacity
- Ensure default locked value is set after setting up subtype
- Builds on generic way to handle Management Global Roles and Role Templates
- Applies to rbac.authorization.k8s.io.role and rbac.authorization.k8s.io.clusterrole
- Remove spoofed rbac role template type
- Use spoof's base type's management global role and role template types
- Display these types as global, cluster and project tables in auth product
- Update Users list with actions
- Add User create/edit page
- Add User details page
- Brought over user/principal global role validation from ember world
- Make a common component used by all auth providers
- Component contains
- enabled/disabled banner
- settings are now aligned in a table
Also centre aligns the saml log in button on the log in page
- Add groups page with table to the auth product
- Allow user to assign roles to groups previously without roles or edit
groups with existing roles
Comments
- I haven't added any special ux for the case where there's no auth
provider and therefore no groups
- ./components/GlobalRoleBindings.vue will be updated when the same
component is used to assign global roles to a user principal
- ./components/GlobalRoleBindings.vue ln 139 Couldn't create a binding
without the generateName metadata property. Have given this a
`ui-` prefix. Is this correct?
- In order to determine which global roles are bound to each principal
(so we can filter by principals that have them).. we go out and fetch
ALL role bindings. Is this too costly?
- On the groups page the 'refresh' button is quite big, we should
consider reducing this