-
Task
-
Resolution: Done
-
Normal
-
None
-
None
-
Product / Portfolio Work
-
False
-
-
False
-
None
-
Unset
-
None
-
-
It should be possible to implement a minimal version of Kessel compatibility in HBI by modifying the rbac middleware to (potentially behind an unleash flag):
- Send a lookup-resources request to Kessel to get workspaces where the user has the given permission
- If none are returned, this is equivalent to the user not having the permission in v1: return false, no filter
- If some are returned, and the default workspace is one of them, this is equivalent to the user having the permission in v1 without a filter: return true, no filter
- If some are returned, but the default workspace is not one of them, this is equivalent to the user having the permission in v1 with a filter: return true and the filter
It will also be necessary to (also likely behind a flag):
- Call ReportResource when a new host is stored or a property that's kept in inventory (like the assigned workspace) changes
- Call DeleteResource when a host is deleted or culled (ex: by Reaper)
..doing so will allow for end-to-end demos of HBI + Kessel with minimal upfront development
1.
|
Add phase 1 feature flag |
|
Closed | 
|
William Scalf |
2.
|
Add Kessel client library |
|
Closed |
|
Unassigned |
3.
|
Implement naive resource report and delete calls |
|
Closed |
|
Unassigned |
4.
|
Implement naive access logic |
|
Closed |
|
Unassigned |
5.
|
Record the demo in ephemeral |
|
Closed |
|
Unassigned |