Hide resource visibility if user is not in defined group

Open lukasfrank opened this issue 2 years ago • 2 comments

Proposed Changes

  • Added pool-status-view-allowed-groups flag to api-server to define groups which can unhide the pool resources
  • If pool-status-view-allowed-groups is empty every user can see pool resources

Fixes #813

lukasfrank, Sep 13 '23 12:09
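Added example, not code from this pull request or from ironcore: a Go model of the group gate the description proposes, including the case where the allowed-groups list is empty. The `Pool` and `PoolStatus` types, the function names and the group names are hypothetical, and the hidden part is assumed to be the whole status.

```go
package main

import "fmt"

// PoolStatus and Pool are simplified stand-ins (assumptions), not ironcore API types.
type PoolStatus struct {
	Capacity map[string]string
}

type Pool struct {
	Name   string
	Status PoolStatus
}

// canViewPoolStatus follows the semantics stated for pool-status-view-allowed-groups:
// an empty list lets every user see pool resources; otherwise the caller must be
// a member of at least one listed group.
func canViewPoolStatus(allowedGroups, userGroups []string) bool {
	if len(allowedGroups) == 0 {
		return true // unset flag: nothing is hidden
	}
	allowed := make(map[string]struct{}, len(allowedGroups))
	for _, g := range allowedGroups {
		allowed[g] = struct{}{}
	}
	for _, g := range userGroups {
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}

// filterPools builds new Pool values and leaves Status empty for callers
// that are not allowed to see it; the input slice is not modified.
func filterPools(pools []Pool, allowedGroups, userGroups []string) []Pool {
	visible := canViewPoolStatus(allowedGroups, userGroups)
	out := make([]Pool, len(pools))
	for i, p := range pools {
		out[i] = Pool{Name: p.Name}
		if visible {
			out[i].Status = p.Status
		}
	}
	return out
}

func main() {
	// Constructed sample data.
	pools := []Pool{{Name: "pool-a", Status: PoolStatus{Capacity: map[string]string{"cpu": "64"}}}}
	fmt.Println(filterPools(pools, []string{"pool-admins"}, []string{"tenants"}))
	fmt.Println(filterPools(pools, nil, []string{"tenants"}))
}
```

With these semantics an unset flag leaves pool status visible to every user, so a deployment that depends on hiding it has to set the flag explicitly.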

Can we have this concept in a more extensible way?

  • Currently, via this flag, all pools are affected - fine-grained control is not possible / extending this to other resources requires lots of coding and flag-passing again
  • The white-out happens after the fields are deserialized - can't we somehow enhance the individual codecs to respect custom tags in the struct definition to avoid iterating over the result objects again?

adracus, Sep 22 '23 06:09

@adracus how about using a SubResource for the pool capacity information? That way we can restrict the access via k8s RBAC and don't have to fiddle around in the Status on a per-field level who is allowed to see what.

afritzler, Oct 04 '23 12:10