shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add rbac specificity for dbpurge (#21088)

Browse Source 
Related to
[`internal#1139`](https://github.com/coder/internal/issues/1139)

Continuation of #21074 

This implements some RBAC role specificity for `dbpurge`, ensuring that
we follow the least-privileged model for removing data from the
database. It is specified as following.

```go
Site: rbac.Permissions(map[string][]policy.Action{
	// DeleteOldWorkspaceAgentLogs
	// DeleteOldWorkspaceAgentStats
	// DeleteOldProvisionerDaemons
	// DeleteOldTelemetryLocks
	// DeleteOldAuditLogConnectionEvents
	// DeleteOldConnectionLogs
	rbac.ResourceSystem.Type: {policy.ActionDelete},
	// DeleteOldNotificationMessages
	rbac.ResourceNotificationMessage.Type: {policy.ActionDelete},
	// ExpirePrebuildsAPIKeys
	// DeleteExpiredAPIKeys
	rbac.ResourceApiKey.Type: {policy.ActionDelete},
	// DeleteOldAIBridgeRecords
	rbac.ResourceAibridgeInterception.Type: {policy.ActionDelete},
}),
```

| Position | Pull-request |
| -------- | ------------ |
| | [feat: add prometheus observability metrics for
`dbpurge`](https://github.com/coder/coder/pull/21074) |
|  | [feat: add rbac specificity for
`dbpurge`](https://github.com/coder/coder/pull/21088) |
This commit is contained in:
Jake Howell
2025-12-20 01:02:39 +11:00
committed by GitHub
parent 00793cc0b5
commit ea00e72063
5 changed files with 90 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
coderd/rbac/authz.go
+1
View File
@@ -79,6 +79,7 @@ const (
SubjectTypeFileReader SubjectType = "file_reader"
SubjectTypeUsagePublisher SubjectType = "usage_publisher"
SubjectAibridged SubjectType = "aibridged"
SubjectTypeDBPurge SubjectType = "dbpurge"
)
const (