-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
upcoming: [M3-7413] - Update existing user account endpoints and mocks for Parent/Child Account Switching #9942
upcoming: [M3-7413] - Update existing user account endpoints and mocks for Parent/Child Account Switching #9942
Conversation
ssh_keys: string[]; | ||
tfa_enabled: boolean; | ||
username: string; | ||
user_type: UserType | null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the new user_type
field. All of the other changes in the User interface were just reordering.
@@ -169,6 +172,7 @@ export type GlobalGrantTypes = | |||
| 'add_longview' | |||
| 'longview_subscription' | |||
| 'account_access' | |||
| 'child_account_access' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the new child_account_access
grant that returns true
for all admin parent accounts and any additional parent accounts that the admin parent grants permission to access the child accounts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not that I am very privy to this architecture, but I was expecting an array of child accounts the parent has access to instead of just a boolean. I know it's handled in another way but just putting this thought out there for posterity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The array of child accounts will be returned by a new API endpoint, GET /account/child-accounts
! This boolean is a new global grant that allows an unrestricted parent account to decide whether or not any other users associated with that parent account (i.e. non-admin, potentially restricted parent account users) will also have access to the data returned in GET /account/child-accounts
.
return res(ctx.json(profileFactory.build())); | ||
return res(ctx.json(accountUserFactory.build())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was an existing bug... The mock request to*/account/users/:user
was returning profile instead of account data.
add_domains: false, | ||
add_firewalls: false, | ||
add_images: false, | ||
add_linodes: false, | ||
add_longview: false, | ||
add_nodebalancers: false, | ||
add_stackscripts: false, | ||
add_volumes: false, | ||
add_vpcs: false, | ||
cancel_account: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Proxy accounts have read only permissions by default and cannot be canceled.
ctx.json( | ||
grantsFactory.build({ | ||
global: { | ||
cancel_account: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Child accounts cannot be canceled while they have a user_type
of "child".
cancel_account: false, | ||
child_account_access: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Parent accounts cannot be canceled while they have a user_type of "parent". This "admin" parent account has default child_account_access
granted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested locally and confirmed scenari outlined in PR description
- payload of GET /account/users and verify the user_type field is present and accurate with parent/child/proxy accounts and null in all other cases.
- ParentUser's permissions page returns
child_account_access
set to true. In all other cases, it should be false. - other users verify that GET /account/users/ returns the expected value for user_type in the payload.
@@ -169,6 +172,7 @@ export type GlobalGrantTypes = | |||
| 'add_longview' | |||
| 'longview_subscription' | |||
| 'account_access' | |||
| 'child_account_access' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not that I am very privy to this architecture, but I was expecting an array of child accounts the parent has access to instead of just a boolean. I know it's handled in another way but just putting this thought out there for posterity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👪 ✅
Description 📝
GET /account/users
andGET /account/users/<username>
requests will return a newuser_type
field to allow us to distinguish between users.GET /account/users/<username>/grants
will return a new grant type:child_account_access
, which will be true for parent accounts with access to child account endpoints.These additions to existing endpoints set us up to implement account switching and user permissions flows.
Changes 🔄
User
interface and factory to include the newuser_type
fieldAccount
interface andGrant
factory to include the newchild_account_access
fieldaccount/users
endpoint to include a child, parent, and proxy userPreview 📷
GET /account/users
GET /account/users/<username>
GET /account/users/<username>/grants
How to test 🧪
Prerequisites
(How to setup test environment)
yarn up
.Verification steps
(How to verify changes)
GET /account/users
and verify theuser_type
field is present and accurate with parent/child/proxy accounts andnull
in all other cases.GET /account/users/<username>/grants
returnschild_account_access
set totrue
. In all other cases, it should befalse
.GET /account/users/<username>
returns the expected value foruser_type
in the payload.As an Author I have considered 🤔
Check all that apply