mirror of https://github.com/coder/coder.git, synced 2026-06-04 13:38:21 +00:00, commit 79126ab6c7
# Add Composite API Key Scopes

This PR adds high-level composite API key scopes to simplify token creation with common permission sets:

- `coder:workspaces.create` - Create and update workspaces
- `coder:workspaces.operate` - Read and update workspaces
- `coder:workspaces.delete` - Read and delete workspaces
- `coder:workspaces.access` - Read, SSH, and connect to workspace applications
- `coder:templates.build` - Read templates and create/read files
- `coder:templates.author` - Full template management with insights
- `coder:apikeys.manage_self` - Manage your own API keys

These composite scopes are persisted in the database and expanded during authorization, providing a more intuitive way to grant permissions compared to the granular resource:action scopes.
# check-scopes

Validates that the DB enum `api_key_scope` contains every `<resource>:<action>` derived from `coderd/rbac/policy/RBACPermissions`.

- Exits 0 when all scopes are present in `coderd/database/dump.sql`.
- Exits 1 and prints missing values with suggested `ALTER TYPE` statements otherwise.
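As an added illustration of the check described above (example code written for this page, not the code in `tools/check-scopes`): it pulls the `api_key_scope` enum out of a constructed `dump.sql` excerpt, derives the expected `<resource>:<action>` labels from a small constructed stand-in for `RBACPermissions`, and emits one idempotent `ALTER TYPE` per missing label with the exit codes the README documents. Both the permission table and the dump excerpt are constructed for the example and deliberately disagree (`workspace:ssh` and `template:view_insights` are absent from the enum), and the function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// rbacPermissions is a constructed stand-in for RBACPermissions in
// coderd/rbac/policy (resource -> actions). The real table is larger;
// these entries are an assumption made for this example.
var rbacPermissions = map[string][]string{
	"workspace": {"read", "create", "update", "delete", "ssh"},
	"template":  {"read", "create", "update", "view_insights"},
}

// dumpSQL is a constructed excerpt of coderd/database/dump.sql whose enum
// is deliberately missing 'workspace:ssh' and 'template:view_insights'.
const dumpSQL = `
CREATE TYPE api_key_scope AS ENUM (
    'all',
    'application_connect',
    'workspace:read',
    'workspace:create',
    'workspace:update',
    'workspace:delete',
    'template:read',
    'template:create',
    'template:update'
);
`

// enumRe captures the enum body ((?s) lets . span lines); valueRe pulls
// each single-quoted label out of that body.
var enumRe = regexp.MustCompile(`(?s)CREATE TYPE api_key_scope AS ENUM \((.*?)\);`)
var valueRe = regexp.MustCompile(`'([^']*)'`)

// enumValues returns the set of labels declared for api_key_scope in dump.
func enumValues(dump string) (map[string]struct{}, error) {
	m := enumRe.FindStringSubmatch(dump)
	if m == nil {
		return nil, fmt.Errorf("api_key_scope enum not found in dump")
	}
	vals := make(map[string]struct{})
	for _, v := range valueRe.FindAllStringSubmatch(m[1], -1) {
		vals[v[1]] = struct{}{}
	}
	return vals, nil
}

// missingScopes derives every "<resource>:<action>" from perms and returns
// the ones the dump's enum lacks, sorted so the report is stable. Extra
// enum labels (e.g. 'all') are ignored: Postgres cannot drop enum values,
// so the check is deliberately one-directional.
func missingScopes(perms map[string][]string, dump string) ([]string, error) {
	have, err := enumValues(dump)
	if err != nil {
		return nil, err
	}
	missing := []string{}
	for resource, actions := range perms {
		for _, action := range actions {
			scope := resource + ":" + action
			if _, ok := have[scope]; !ok {
				missing = append(missing, scope)
			}
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// alterStatements renders one idempotent ALTER TYPE per missing label.
// Single quotes are doubled so a label can never terminate the literal.
func alterStatements(missing []string) []string {
	stmts := make([]string, 0, len(missing))
	for _, scope := range missing {
		lit := strings.ReplaceAll(scope, "'", "''")
		stmts = append(stmts, fmt.Sprintf("ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS '%s';", lit))
	}
	return stmts
}

func main() {
	missing, err := missingScopes(rbacPermissions, dumpSQL)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, stmt := range alterStatements(missing) {
		fmt.Println(stmt)
	}
	if len(missing) > 0 {
		os.Exit(1) // same exit code the README documents for a drift
	}
}
```

Running the block as written prints two `ALTER TYPE` statements and exits 1; pointing it at a dump that already declares both labels makes it exit 0. A real run should regenerate `dump.sql` first, since the enum in a stale dump can be behind the migrations that are already checked in.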
## Usage

Ensure the schema dump is up-to-date, then run the check:

```shell
make -B gen/db   # forces DB dump regeneration
make lint/check-scopes
```

Or directly:

```shell
go run ./tools/check-scopes
```

Optional flags:

- `-dump path`: override the path to `dump.sql` (default `coderd/database/dump.sql`).
## Remediation

When the tool reports missing values:

1. Create a DB migration extending the enum, e.g.:

   ```sql
   ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'template:view_insights';
   ```

   Keep the `ALTER TYPE ... ADD VALUE` in its own migration step: PostgreSQL does not allow a newly added enum value to be used in the same transaction that adds it.

2. Regenerate and re-run:

   ```shell
   make -B gen/db && make lint/check-scopes
   ```

3. Decide whether each new scope is public (exposed in the catalog) or internal-only.
   - If public, add it to the curated map in `coderd/rbac/scopes_catalog.go` (`externalLowLevel`) so it appears in the public catalog and can be requested by users.
- If public, add it to the curated map in