Add Identity Center Account Assignments to Unified Resource Cache #49580
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tcsc
added
no-changelog
smallinsky
reviewed
Dec 2, 2024
|
|
||
| // IdentityCenterAccountAssignment represents a requestable Identity Center | ||
| // Account Assignment | ||
| message IdentityCenterAccountAssignment { |
There was a problem hiding this comment.
Why do we need a second duplicated IdentityCenterAccountAssignment proto definition where IdentityCenterAccountAssignment is already defined in:
https://github.com/gravitational/teleport/blob/master/api/proto/teleport/legacy/types/types.proto#L3409
There was a problem hiding this comment.
So, types.IdentityCenterAccountAssignment is for specifying Account Assignments in role conditions. If I had known bettrer back when defining this, I'd have called them an AccountAssignmentCondition or AccountAssignmentExpression (as they can be globbed).
This definition, proto.IdentityCenterAccountAssignment allows Account Assignment resources to be included in a list of resources returned by ListResources ( essentially by having a parallel (and slightly simplified) definition of an identitycenterv1.AccountAssignment in the legacy authservice protobuf definitions).
The primary identitycenterv1.AccountAssignment gets copied into a proto.IdentityCenterAccountAssignment at read time and then gets shipped over to whatever client invoked ListResources(), then gets re-packed back into an identitycenterv1.AccountAssignment.
The reason we can't just include an identitycenterv1.AccountAssignment in the ListResources output that the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile.
If there is a way around this that will let us use the definitions from identitycenter/v1, I'd be much happier.
tcsc
force-pushed
the
tcsc/idc-expose-accounts-as-apps
branch
7 times, most recently
from
ba6f65d to
aa1132c
Compare
And how. |
tcsc
force-pushed
the
tcsc/idc-expose-account-assignmens-via-resource-cache
branch
from
a5a936b to
a354833
Compare
r0mant
approved these changes
Dec 6, 2024
tcsc
force-pushed
the
tcsc/idc-expose-account-assignmens-via-resource-cache
branch
from
a354833 to
88f231a
Compare
Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
tcsc
force-pushed
the
tcsc/idc-expose-account-assignmens-via-resource-cache
branch
from
b15b40c to
a8d3470
Compare
smallinsky
approved these changes
Dec 9, 2024
public-teleport-github-review-bot
bot
removed the request for review
from eriktate
tcsc
deleted the
tcsc/idc-expose-account-assignmens-via-resource-cache
branch
tcsc
added a commit
that referenced
this pull request
Dec 10, 2024
Backports #49580 Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
tcsc
added a commit
that referenced
this pull request
Dec 10, 2024
Backports #49580 Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
tcsc
added a commit
that referenced
this pull request
Dec 10, 2024
Backports #49580 and #49977 Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
github-merge-queue bot
pushed a commit
that referenced
this pull request
Dec 10, 2024
…he (#49976) Backports #49580 and #49977 Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
github-merge-queue bot
pushed a commit
that referenced
this pull request
Dec 10, 2024
…he (#49976) Backports #49580 and #49977 Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests. Unfortunately we can't just include an `identitycenterv1.AccountAssignment` directly in the resource cache ListResources output because the legacy protobuf codegen used for the authservice and the new codegen used for identitycenter/v1 produce incompatible serialization code, so resulting generated code does not compile. To get around this issue, this change introduces a parallel (and slightly simplified) definition of an IdentityCenterAccountAssignment in the authservice protobuf spec to act as the wire format for this type. The cached `identitycenterv1.AccountAssignment` resources are copied into a `proto.IdentityCenterAccountAssignment` on a cache read. Includes: - adding resources to cache - adding account assignment paginated resource - account assignment role condition matching for RBAC
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds Identity Center Account Assignments to the Unified resource cache so they can be requested in access requests.
Unfortunately we can't just include an
identitycenterv1.AccountAssignmentdirectly in the resource cacheListResourcesoutput because the legacy protobuf codegen used for theauthserviceand the new codegen used foridentitycenter/v1produce incompatible serialization code, so resulting generated code does not compile.To get around this issue, this change introduces a parallel (and slightly simplified) definition of an
IdentityCenterAccountAssignmentin theauthserviceprotobuf spec to act as the wire format for this type. The cachedidentitycenterv1.AccountAssignmentresources are copied into aproto.IdentityCenterAccountAssignmenton a cache read.I'm not particularly thrilled with this solution, and if anyone has an alternative that lets us use the definitions from
identitycenter/v1without this parallel definition, I'd be much obliged.Change Includes: