diff --git a/cli/templatecreate.go b/cli/templatecreate.go
index a49997c331..eb23b10fdb 100644
--- a/cli/templatecreate.go
+++ b/cli/templatecreate.go
@@ -28,6 +28,7 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
provisionerTags []string
variablesFile string
variables []string
+ disableEveryone bool
defaultTTL time.Duration
failureTTL time.Duration
inactivityTTL time.Duration
@@ -121,11 +122,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
}
createReq := codersdk.CreateTemplateRequest{
- Name: templateName,
- VersionID: job.ID,
- DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()),
- FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()),
- InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()),
+ Name: templateName,
+ VersionID: job.ID,
+ DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()),
+ FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()),
+ InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()),
+ DisableEveryoneGroupAccess: disableEveryone,
}
_, err = client.CreateTemplate(inv.Context(), organization.ID, createReq)
@@ -144,6 +146,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
},
}
cmd.Options = clibase.OptionSet{
+ {
+ Flag: "private",
+ Description: "Disable the default behavior of granting template access to the 'everyone' group. " +
+ "The template permissions must be updated to allow non-admin users to use this template.",
+ Value: clibase.BoolOf(&disableEveryone),
+ },
{
Flag: "variables-file",
Description: "Specify a file path with values for Terraform-managed variables.",
diff --git a/cli/testdata/coder_templates_create_--help.golden b/cli/testdata/coder_templates_create_--help.golden
index 4695d5dbfe..cf6e5c9e3a 100644
--- a/cli/testdata/coder_templates_create_--help.golden
+++ b/cli/testdata/coder_templates_create_--help.golden
@@ -17,6 +17,11 @@ Create a template from the current directory or as specified by flag
Specify an inactivity TTL for workspaces created from this template.
This licensed feature's default is 0h (off).
+ --private bool
+ Disable the default behavior of granting template access to the
+ 'everyone' group. The template permissions must be updated to allow
+ non-admin users to use this template.
+
--provisioner-tag string-array
Specify a set of tags to target provisioner daemons.
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index c29243d6c6..38414682ca 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -6664,6 +6664,10 @@ const docTemplate = `{
"description": "Description is a description of what the template contains. It must be\nless than 128 bytes.",
"type": "string"
},
+ "disable_everyone_group_access": {
+ "description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
+ "type": "boolean"
+ },
"display_name": {
"description": "DisplayName is the displayed name of the template.",
"type": "string"
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index 38f72a070b..8b4e09a041 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -5935,6 +5935,10 @@
"description": "Description is a description of what the template contains. It must be\nless than 128 bytes.",
"type": "string"
},
+ "disable_everyone_group_access": {
+ "description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
+ "type": "boolean"
+ },
"display_name": {
"description": "DisplayName is the displayed name of the template.",
"type": "string"
diff --git a/coderd/audit/audit.go b/coderd/audit/audit.go
index cf94161150..d3e83d19e8 100644
--- a/coderd/audit/audit.go
+++ b/coderd/audit/audit.go
@@ -42,6 +42,14 @@ type MockAuditor struct {
auditLogs []database.AuditLog
}
+// ResetLogs removes all audit logs from the mock auditor.
+// This is helpful for testing to get a clean slate.
+func (a *MockAuditor) ResetLogs() {
+ a.mutex.Lock()
+ defer a.mutex.Unlock()
+ a.auditLogs = make([]database.AuditLog, 0)
+}
+
func (a *MockAuditor) AuditLogs() []database.AuditLog {
a.mutex.Lock()
defer a.mutex.Unlock()
diff --git a/coderd/templates.go b/coderd/templates.go
index e54c0b3ddb..9aefb17417 100644
--- a/coderd/templates.go
+++ b/coderd/templates.go
@@ -274,22 +274,26 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
allowUserAutostop = ptr.NilToDefault(createTemplate.AllowUserAutostop, true)
)
+ defaultsGroups := database.TemplateACL{}
+ if !createTemplate.DisableEveryoneGroupAccess {
+ // The organization ID is used as the group ID for the everyone group
+ // in this organization.
+ defaultsGroups[organization.ID.String()] = []rbac.Action{rbac.ActionRead}
+ }
err = api.Database.InTx(func(tx database.Store) error {
now := database.Now()
dbTemplate, err = tx.InsertTemplate(ctx, database.InsertTemplateParams{
- ID: uuid.New(),
- CreatedAt: now,
- UpdatedAt: now,
- OrganizationID: organization.ID,
- Name: createTemplate.Name,
- Provisioner: importJob.Provisioner,
- ActiveVersionID: templateVersion.ID,
- Description: createTemplate.Description,
- CreatedBy: apiKey.UserID,
- UserACL: database.TemplateACL{},
- GroupACL: database.TemplateACL{
- organization.ID.String(): []rbac.Action{rbac.ActionRead},
- },
+ ID: uuid.New(),
+ CreatedAt: now,
+ UpdatedAt: now,
+ OrganizationID: organization.ID,
+ Name: createTemplate.Name,
+ Provisioner: importJob.Provisioner,
+ ActiveVersionID: templateVersion.ID,
+ Description: createTemplate.Description,
+ CreatedBy: apiKey.UserID,
+ UserACL: database.TemplateACL{},
+ GroupACL: defaultsGroups,
DisplayName: createTemplate.DisplayName,
Icon: createTemplate.Icon,
AllowUserCancelWorkspaceJobs: allowUserCancelWorkspaceJobs,
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
index 03a3556f56..fbfdfd6786 100644
--- a/coderd/templates_test.go
+++ b/coderd/templates_test.go
@@ -48,25 +48,28 @@ func TestPostTemplateByOrganization(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor})
- user := coderdtest.CreateFirstUser(t, client)
- version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+ owner := coderdtest.CreateFirstUser(t, client)
+ // By default, everyone in the org can read the template.
+ user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+ auditor.ResetLogs()
- expected := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+ version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
+
+ expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
- got, err := client.Template(ctx, expected.ID)
+ got, err := user.Template(ctx, expected.ID)
require.NoError(t, err)
assert.Equal(t, expected.Name, got.Name)
assert.Equal(t, expected.Description, got.Description)
- require.Len(t, auditor.AuditLogs(), 4)
- assert.Equal(t, database.AuditActionLogin, auditor.AuditLogs()[0].Action)
- assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[1].Action)
- assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[2].Action)
- assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[3].Action)
+ require.Len(t, auditor.AuditLogs(), 3)
+ assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[0].Action)
+ assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[1].Action)
+ assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[2].Action)
})
t.Run("AlreadyExists", func(t *testing.T) {
@@ -126,6 +129,27 @@ func TestPostTemplateByOrganization(t *testing.T) {
require.Zero(t, got.DefaultTTLMillis)
})
+ t.Run("DisableEveryone", func(t *testing.T) {
+ t.Parallel()
+ auditor := audit.NewMock()
+ client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor})
+ owner := coderdtest.CreateFirstUser(t, client)
+ user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+ version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
+
+ expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID, func(request *codersdk.CreateTemplateRequest) {
+ request.DisableEveryoneGroupAccess = true
+ })
+
+ ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+ defer cancel()
+
+ _, err := user.Template(ctx, expected.ID)
+ var apiErr *codersdk.Error
+ require.ErrorAs(t, err, &apiErr)
+ require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+ })
+
t.Run("Unauthorized", func(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, nil)
diff --git a/codersdk/organizations.go b/codersdk/organizations.go
index 1eb2aab973..19af059277 100644
--- a/codersdk/organizations.go
+++ b/codersdk/organizations.go
@@ -108,6 +108,13 @@ type CreateTemplateRequest struct {
// InactivityTTLMillis allows optionally specifying the max lifetime before Coder
// deletes inactive workspaces created from this template.
InactivityTTLMillis *int64 `json:"inactivity_ttl_ms,omitempty"`
+
+ // DisableEveryoneGroupAccess allows optionally disabling the default
+ // behavior of granting the 'everyone' group access to use the template.
+ // If this is set to true, the template will not be available to all users,
+ // and must be explicitly granted to users or groups in the permissions settings
+ // of the template.
+ DisableEveryoneGroupAccess bool `json:"disable_everyone_group_access"`
}
// CreateWorkspaceRequest provides options for creating a new workspace.
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
index e4fd03c5cd..2a15b0706d 100644
--- a/docs/api/schemas.md
+++ b/docs/api/schemas.md
@@ -1343,6 +1343,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"allow_user_cancel_workspace_jobs": true,
"default_ttl_ms": 0,
"description": "string",
+ "disable_everyone_group_access": true,
"display_name": "string",
"failure_ttl_ms": 0,
"icon": "string",
@@ -1355,20 +1356,21 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
### Properties
-| Name | Type | Required | Restrictions | Description |
-| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. |
-| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. |
-| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". |
-| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. |
-| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. |
-| `display_name` | string | false | | Display name is the displayed name of the template. |
-| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. |
-| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. |
-| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. |
-| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. |
-| `name` | string | true | | Name is the name of the template. |
-| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. |
+| Name | Type | Required | Restrictions | Description |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. |
+| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. |
+| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". |
+| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. |
+| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. |
+| `disable_everyone_group_access` | boolean | false | | Disable everyone group access allows optionally disabling the default behavior of granting the 'everyone' group access to use the template. If this is set to true, the template will not be available to all users, and must be explicitly granted to users or groups in the permissions settings of the template. |
+| `display_name` | string | false | | Display name is the displayed name of the template. |
+| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. |
+| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. |
+| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. |
+| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. |
+| `name` | string | true | | Name is the name of the template. |
+| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. |
| This is required on creation to enable a user-flow of validating a template works. There is no reason the data-model cannot support empty templates, but it doesn't make sense for users. |
## codersdk.CreateTemplateVersionDryRunRequest
diff --git a/docs/api/templates.md b/docs/api/templates.md
index 50275ab168..b9e3033a83 100644
--- a/docs/api/templates.md
+++ b/docs/api/templates.md
@@ -129,6 +129,7 @@ curl -X POST http://coder-server:8080/api/v2/organizations/{organization}/templa
"allow_user_cancel_workspace_jobs": true,
"default_ttl_ms": 0,
"description": "string",
+ "disable_everyone_group_access": true,
"display_name": "string",
"failure_ttl_ms": 0,
"icon": "string",
diff --git a/docs/cli/templates_create.md b/docs/cli/templates_create.md
index bec1eb4165..123bd0bed9 100644
--- a/docs/cli/templates_create.md
+++ b/docs/cli/templates_create.md
@@ -48,6 +48,14 @@ Specify a failure TTL for workspaces created from this template. This licensed f
Specify an inactivity TTL for workspaces created from this template. This licensed feature's default is 0h (off).
+### --private
+
+| | |
+| ---- | ----------------- |
+| Type | bool |
+
+Disable the default behavior of granting template access to the 'everyone' group. The template permissions must be updated to allow non-admin users to use this template.
+
### --provisioner-tag
| | |
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index dea9dd7408..0af5c0c06a 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -179,6 +179,7 @@ export interface CreateTemplateRequest {
readonly allow_user_autostop?: boolean
readonly failure_ttl_ms?: number
readonly inactivity_ttl_ms?: number
+ readonly disable_everyone_group_access: boolean
}
// From codersdk/templateversions.go
diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx
index 3a2a87bc65..22811b15cf 100644
--- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx
+++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx
@@ -17,6 +17,7 @@ export default {
component: CreateTemplateForm,
args: {
isSubmitting: false,
+ allowDisableEveryoneAccess: true,
},
} as ComponentMeta
diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx
index cbaa48adad..4b83316447 100644
--- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx
+++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx
@@ -102,6 +102,7 @@ const defaultInitialValues: CreateTemplateData = {
allow_user_cancel_workspace_jobs: false,
allow_user_autostart: false,
allow_user_autostop: false,
+ allow_everyone_group_access: true,
}
type GetInitialValuesParams = {
@@ -174,6 +175,7 @@ export interface CreateTemplateFormProps {
logs?: ProvisionerJobLog[]
allowAdvancedScheduling: boolean
copiedTemplate?: Template
+ allowDisableEveryoneAccess: boolean
}
export const CreateTemplateForm: FC = ({
@@ -188,6 +190,7 @@ export const CreateTemplateForm: FC = ({
jobError,
logs,
allowAdvancedScheduling,
+ allowDisableEveryoneAccess,
}) => {
const styles = useStyles()
const form = useFormik({
@@ -379,44 +382,90 @@ export const CreateTemplateForm: FC = ({
- {/* Operations */}
+ {/* Permissions */}
-
-
+
+
+
+
+
{/* Variables */}
diff --git a/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx b/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx
index 7632d0b385..b22b6e72fe 100644
--- a/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx
+++ b/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx
@@ -39,6 +39,10 @@ const CreateTemplatePage: FC = () => {
const { entitlements } = useDashboard()
const allowAdvancedScheduling =
entitlements.features["advanced_template_scheduling"].enabled
+ // Requires the template RBAC feature, otherwise disabling everyone access
+ // means no one can access.
+ const allowDisableEveryoneAccess =
+ entitlements.features["template_rbac"].enabled
const onCancel = () => {
navigate(-1)
@@ -64,6 +68,7 @@ const CreateTemplatePage: FC = () => {
user_variable_values?: VariableValue[]
+ allow_everyone_group_access: boolean
}
interface CreateTemplateContext {
organizationId: string
@@ -457,11 +458,13 @@ export const createTemplateMachine =
default_ttl_hours,
max_ttl_hours,
parameter_values_by_name,
+ allow_everyone_group_access,
...safeTemplateData
} = templateData
return createTemplate(organizationId, {
...safeTemplateData,
+ disable_everyone_group_access: !allow_everyone_group_access,
default_ttl_ms: templateData.default_ttl_hours * 60 * 60 * 1000, // Convert hours to ms
max_ttl_ms: templateData.max_ttl_hours * 60 * 60 * 1000, // Convert hours to ms
template_version_id: version.id,