fix: service account handler eligibility for manager role#943
Open
rohan-chaturvedi wants to merge 1 commit into
Open
fix: service account handler eligibility for manager role#943rohan-chaturvedi wants to merge 1 commit into
rohan-chaturvedi wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔍 Overview
Members with the default Manager role were never provisioned as Service Account handlers, so they held no copy of SA keyrings and couldn't perform any operation requiring them — generating tokens for client-side-KMS SAs ("Cannot create token: you are not a handler...") or enabling server-side key management ("You do not have handler access to this service account"). Since escaping the first error requires the second operation, Managers were fully locked out of client-side SAs. SSK-enabled and team-owned SAs were unaffected.
Root cause: default roles store an empty
permissionsJSON in the DB (their permissions resolve at runtime from thedefault_rolestemplate), butresolve_service_account_handlers— the query deciding who gets SA keys wrapped for them — filtered on the stored JSON. Every default role except Owner/Admin (rescued by name) was silently excluded, while the UI resolved permissions from the template and advertised the operations as permitted.💡 Proposed Changes
default_rolestemplate for default roles, stored JSON for custom roles. Custom-role semantics unchanged; net change to the eligible set is exactly + default Manager.identity_key(key ceremony incomplete) — wrapping for them is impossible and throws client-side.🖼️ Screenshots or Demo
N/A — backend-only.
📝 Release Notes
Fixed: default-role Managers are now provisioned with Service Account handler keys, enabling token generation and key-management operations. Applies to newly created SAs immediately; pre-existing SAs are healed the next time an Owner/Admin changes a member's role to one with Service Account permissions (triggers an org-wide re-wrap).
🧪 Testing
backend/tests/graphene/queries/test_service_accounts.py(10 tests) pins the eligibility contract per role type.test_file_read_permission_error, container runs as root), unrelated.🎯 Reviewer Focus
The eligibility predicate in
backend/backend/graphene/queries/service_accounts.py. Key invariant: the new eligible set is a strict superset of the old —UpdateServiceAccountHandlersMutationdelete-and-recreates handler rows from this list, so a shrunken set would revoke existing key custody.✨ How to Test the Changes Locally
💚 Did You...