fix(coderd/rbac): grant org members provisioner_daemon.{create,read} for user-scoped daemons

The enumerate-org-member refactor dropped ResourceProvisionerDaemon from
the Member perm sets, which broke TestProvisionerDaemonServe/UserLocal:
creating a user-scoped daemon (tags={"scope":"user","owner":<user_id>})
goes through UpsertProvisionerDaemon in dbauthz, which sets
WithOwner(tag_owner) on the RBAC object, causing the policy to evaluate
the Member-scope grant.

Add ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead}
to both the organization-member and organization-service-account Member
perm sets. Create restores the daemon-serve flow; read is granted for
symmetry with workspace ownership so members can inspect daemons they
spawned. No production call site exercises the member-scope read path
today (read on the bare InOrg object continues to require Org-level
perms), but granting it keeps the role consistent with how members own
their other workspace-adjacent resources.

Update and delete remain dead at Member scope.
Steven Masley
2026-06-01 20:18:02 +00:00
parent 0e23625c25
commit 5253fe8e71
@@ -1085,6 +1085,15 @@ func OrgMemberPermissions(org OrgSettings) OrgRolePermissions {
// workspace build (File.RBACObject sets WithOwner(CreatedBy)).
ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
// Create and read user-scoped provisioner daemons. The Upsert
// path in dbauthz sets WithOwner(tag_owner) when scope=user, so
// members can run their own daemons. Read is granted for
// symmetry with workspace ownership: members can inspect
// daemons they spawned even though no production call site
// currently uses the member-scope read path (read on the bare
// InOrg object continues to require Org-level perms).
ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead},
// Tasks ride along with workspaces and are owner-scoped.
ResourceTask.Type: ResourceTask.AvailableActions(),
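Review bot: the ActionRead grant on `ResourceProvisionerDaemon.Type` in this hunk is added with no consumer, and the comment itself says so ("no production call site currently uses the member-scope read path"). A permission that nothing exercises is the kind that silently becomes load-bearing later, and a comment describing the current absence of callers will rot the moment one appears. Either drop ActionRead until a call site needs it, or keep it and back it with an authz test case that pins the intended boundary: owner of a user-scoped daemon may read it, a different org member may not, and the bare InOrg object still denies read to members. The Member-scope check only does what the comment claims if the owner on the RBAC object matches the caller; since the commit message says `UpsertProvisionerDaemon` derives that owner from `tag_owner`, a supplied tag, please confirm in the same test that a member cannot upsert a daemon whose owner tag names another user. Separately, the nine-line comment could be cut to two: the "Read is granted for symmetry" rationale belongs in the commit message, not the permission table.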
@@ -1211,6 +1220,15 @@ func OrgServiceAccountPermissions(org OrgSettings) OrgRolePermissions {
// WithOwner(CreatedBy)).
ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
// Create and read user-scoped provisioner daemons. The Upsert
// path in dbauthz sets WithOwner(tag_owner) when scope=user, so
// service accounts can run their own daemons. Read is granted
// for symmetry with workspace ownership: service accounts can
// inspect daemons they spawned even though no production call
// site currently uses the member-scope read path (read on the
// bare InOrg object continues to require Org-level perms).
ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead},
// Tasks ride along with workspaces and are owner-scoped.
ResourceTask.Type: ResourceTask.AvailableActions(),
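Review bot: this hunk duplicates the comment from `OrgMemberPermissions` nearly word for word with "members" replaced by "service accounts"; a one-line cross-reference ("same rationale as OrgMemberPermissions") keeps the two from drifting apart when one is edited. The substantive question is whether service accounts should be able to create provisioner daemons at all: a daemon executes provisioner jobs, so an ActionCreate grant for an automated identity is broader than the file-create grant above it, and the commit message only motivates the change with a user-facing test (`TestProvisionerDaemonServe/UserLocal`). If service accounts do need this, an authz test asserting the service-account case (create allowed for its own owner tag, denied for a foreign one, update and delete still denied) would make the intent explicit; if they do not, leaving this perm set unchanged is the smaller change.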