feat: Role based Cadence-web #1108
Open

ribaraka wants to merge 4 commits into cadence-workflow:master from ribaraka:rbac (base: master)
+1,519 −63
Conversation
rbac branch force-pushed from 319273d to 42b3e1c
rbac branch force-pushed from 165520e to b1131fc
rbac branch force-pushed from 84cb2e7 to 9bd8868
- UI RBAC aligned with Cadence JWT auth: tokens come from cookie (cadence-authorization) or env (CADENCE_WEB_JWT_TOKEN), are forwarded on all gRPC calls, and claims/groups drive what the UI shows/enables.
- Auth endpoints: POST /api/auth/token to set the HttpOnly cookie, DELETE /api/auth/token to clear it, GET /api/auth/me to expose public auth context.
- User context middleware populates gRPC metadata and user info for all route handlers.
- Domain visibility: getAllDomains filters by READ_GROUPS/WRITE_GROUPS. Redirects respect the filtered list.
- Workflow/domain actions: start/signal/terminate/etc. are disabled with “Not authorized” when the token lacks write access.
- Login/logout UI: navbar shows JWT paste modal when unauthenticated.

Signed-off-by: Stanislav Bychkov <stanislb@netapp.com>
simplified:
- deduplicate splitGroupList
- nav bar subtitle cleanup
- remove env CADENCE_WEB_JWT_TOKEN and its usage
- Adjust secure-cookie detection to be proxy/request driven and correctly parse `x-forwarded-proto`, avoiding `NODE_ENV` forcing secure cookies.
- Adopt Bearer-prefix stripping when setting the auth cookie.
- Added Cache-Control: no-store headers to prevent stale auth responses.
- Treat tokens that fail JWT decoding as unauthenticated.
- Avoid extra domain fetch when RBAC is off.
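The three commit messages above describe the token path end to end: a pasted token (possibly still carrying a `Bearer` prefix) lands in the HttpOnly `cadence-authorization` cookie, the Secure flag follows the request rather than `NODE_ENV`, the payload is decoded (not verified) to decide what the UI shows, a token that fails decoding counts as unauthenticated, `getAllDomains` filters by `READ_GROUPS`/`WRITE_GROUPS`, and auth responses are sent with `Cache-Control: no-store`. The TypeScript below is an added example written for this page, not code from the PR or from cadence-web. It assumes things the page does not state: the JWT payload carries `groups` and `admin` claims, group lists are space- or comma-separated, the cookie is `SameSite=Strict`, and the domain's `data` map holds the `READ_GROUPS`/`WRITE_GROUPS` strings. The sample token and domain list are constructed for the example.

```typescript
// Added example for this page, not cadence-web's code. Assumed, not stated on the page: the JWT
// payload has "groups" and "admin" claims; domain data holds space/comma-separated group lists.

interface Claims { sub?: string; groups?: string; admin?: boolean; }
interface DomainInfo { name: string; data: Record<string, string | undefined>; }
type Access = 'none' | 'read' | 'write';
const COOKIE_NAME = 'cadence-authorization';

// A pasted Authorization header value may still carry the scheme; store only the token.
function stripBearer(raw: string): string {
  return raw.trim().replace(/^bearer\s+/i, '');
}

// Decode, do not verify: the UI only needs claims to decide what to render, and the server
// re-checks the forwarded token on every gRPC call. Malformed input yields null, never a throw.
function decodeJwtPayload(token: string): Claims | null {
  const parts = token.split('.');
  const payloadPart = parts[1];
  if (parts.length !== 3 || !payloadPart) return null;
  try {
    const b64 = payloadPart.replace(/-/g, '+').replace(/_/g, '/');
    const payload: unknown = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
    return payload as Claims;
  } catch {
    return null;
  }
}

// One splitter for claim groups and domain data, so both sides agree on the format.
function splitGroupList(list: string | undefined): string[] {
  return (list ?? '').split(/[\s,]+/).filter((g) => g.length > 0);
}

// Secure follows the request, not NODE_ENV: TLS on the socket, or the proxy says so. Only the
// first X-Forwarded-Proto entry counts; proxies append, so it describes the hop the browser used.
function isSecureRequest(headers: Record<string, string | undefined>, directTls: boolean): boolean {
  if (directTls) return true;
  const xfp = headers['x-forwarded-proto'];
  return xfp !== undefined && xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Set-Cookie value for POST /api/auth/token. HttpOnly keeps the token away from page scripts.
function buildAuthCookie(token: string, secure: boolean): string {
  const attrs = [`${COOKIE_NAME}=${encodeURIComponent(token)}`, 'Path=/', 'HttpOnly', 'SameSite=Strict'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Write access implies read access; admin bypasses the group lists.
function domainAccess(claims: Claims | null, domainData: Record<string, string | undefined>): Access {
  if (claims === null) return 'none';
  if (claims.admin === true) return 'write';
  const mine = new Set(splitGroupList(claims.groups));
  if (splitGroupList(domainData.WRITE_GROUPS).some((g) => mine.has(g))) return 'write';
  if (splitGroupList(domainData.READ_GROUPS).some((g) => mine.has(g))) return 'read';
  return 'none';
}

// What a filtered getAllDomains hands to the browser: only domains the caller can at least read.
function visibleDomains(claims: Claims | null, domains: DomainInfo[]): string[] {
  return domains.filter((d) => domainAccess(claims, d.data) !== 'none').map((d) => d.name);
}

// GET /api/auth/me: public context only, never the token, and no-store so a logout is not
// undone by a cached "authenticated" answer.
function authMeResponse(claims: Claims | null): { headers: Record<string, string>; body: object } {
  const body = claims === null
    ? { authenticated: false }
    : { authenticated: true, sub: claims.sub ?? null, groups: splitGroupList(claims.groups) };
  return { headers: { 'Cache-Control': 'no-store' }, body };
}

// Constructed sample input: an unsigned token for "alice" plus three domains.
function base64url(s: string): string {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  base64url('{"alg":"none","typ":"JWT"}'),
  base64url('{"sub":"alice","groups":"ops-readers payments-writers","admin":false}'),
  'constructed-signature',
].join('.');
const SAMPLE_DOMAINS: DomainInfo[] = [
  { name: 'payments', data: { READ_GROUPS: 'ops-readers', WRITE_GROUPS: 'payments-writers' } },
  { name: 'billing', data: { READ_GROUPS: 'ops-readers', WRITE_GROUPS: 'billing-writers' } },
  { name: 'hr', data: { READ_GROUPS: 'hr-readers', WRITE_GROUPS: 'hr-writers' } },
];

// Walk the login path once: strip the prefix, decode, set the cookie, filter domains.
function demo() {
  const token = stripBearer('Bearer ' + SAMPLE_TOKEN);
  const claims = decodeJwtPayload(token);
  return {
    cookie: buildAuthCookie(token, isSecureRequest({ 'x-forwarded-proto': 'https, http' }, false)),
    visible: visibleDomains(claims, SAMPLE_DOMAINS),
    paymentsAccess: domainAccess(claims, SAMPLE_DOMAINS[0].data),
    billingAccess: domainAccess(claims, SAMPLE_DOMAINS[1].data),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Two caveats the commits only imply. `x-forwarded-proto` is trustworthy only when the Node process is reachable solely through the proxy that sets it; a client that can hit the process directly can send the header itself and get a cookie without the Secure flag. And because the decode step performs no signature check, the domain filter and the disabled buttons are a presentation decision: the Cadence server, which receives the forwarded token on every gRPC call, remains the authority on what the caller may actually read or write.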
@Assem-Hafez @demirkayaender, when you are available, please review my initial version of the feature to ship with this PR.
Motivation: cadence-workflow/cadence#6706
Plan & Findings: cadence-workflow/cadence#7508
This PR adds out-of-the-box RBAC support for the Cadence Web UI.