@david-crespo david-crespo commented Feb 4, 2025

This came up in a meeting with @davepacheco — storing the roles in the DB and letting them be listed through the API is a legacy idea with no practical application that we know of. When I heard that I was curious how much could be deleted.

Fundamentally, all this machinery I've deleted was just in service of the role_view and role_list endpoints, which let you get something like this list:

fleet     admin
fleet     collaborator
fleet     viewer
silo      admin
silo      collaborator
silo      viewer
project   admin
project   collaborator
project   viewer

I think we thought this would be a dynamic list of roles, but all these things are hard-coded. As far as I can tell there is no relationship to the actual authorization system — this is basically just an unrelated copy of that stuff. This claim is borne out by the fact that deleting all this stuff doesn't affect anything else, i.e., doesn't cause any tests to fail.

Comment on lines -2669 to -2893
* If the set of roles and their permissions are fixed, why store them in the
* database at all? Because what's dynamic is the assignment of roles to users.
* We have a separate table that says "user U has role ROLE on resource
* RESOURCE". How do we represent the ROLE part of this association? We use a
* foreign key into this "role_builtin" table.
Collaborator

I don't have a strong feeling either way on the PR overall but this note got me thinking: is there value in having this? It'd probably be better if we actually enforced that the (resource_type, role_name) column in role_assignment were a valid foreign key. Given how static this is today, these could as well be enum values instead. 🤷

Contributor Author

Yeah, I think converting role to an enum would make a lot of sense.

@david-crespo
Contributor Author

I've checked this over 10 times and can't see any downside, so I'm going to merge it. Made #8554 as a followup to simplify further by using an enum for the role names.
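
The review thread's two suggestions (a validated foreign key on `(resource_type, role_name)`, or enum values) shown side by side, as an added example that is not code from this PR or the project. It assumes PostgreSQL-style SQL and a simplified, hypothetical `role_assignment` layout; `resource_id`, `identity_id`, the `*_unchecked`/`*_fk`/`*_enum` table names and the enum type names are illustrative.

```sql
-- Added example: hypothetical, simplified schema in PostgreSQL-style SQL.
-- resource_id and identity_id are assumed columns; sample rows are constructed.

-- Before: role_name is free text, so a misspelled or unknown role is stored
-- as-is and nothing in the database rejects it.
CREATE TABLE role_assignment_unchecked (
    resource_type TEXT NOT NULL,
    resource_id   UUID NOT NULL,
    identity_id   UUID NOT NULL,
    role_name     TEXT NOT NULL,
    PRIMARY KEY (resource_type, resource_id, identity_id, role_name)
);
INSERT INTO role_assignment_unchecked VALUES
    ('project', '00000000-0000-0000-0000-0000000000a1',
     '00000000-0000-0000-0000-0000000000b1', 'colaborator');  -- accepted

-- Option A: keep the lookup table and enforce the pair as a composite foreign key.
CREATE TABLE role_builtin (
    resource_type TEXT NOT NULL,
    role_name     TEXT NOT NULL,
    PRIMARY KEY (resource_type, role_name)
);
INSERT INTO role_builtin VALUES
    ('fleet', 'admin'),   ('fleet', 'collaborator'),   ('fleet', 'viewer'),
    ('silo', 'admin'),    ('silo', 'collaborator'),    ('silo', 'viewer'),
    ('project', 'admin'), ('project', 'collaborator'), ('project', 'viewer');
CREATE TABLE role_assignment_fk (
    resource_type TEXT NOT NULL,
    resource_id   UUID NOT NULL,
    identity_id   UUID NOT NULL,
    role_name     TEXT NOT NULL,
    PRIMARY KEY (resource_type, resource_id, identity_id, role_name),
    FOREIGN KEY (resource_type, role_name)
        REFERENCES role_builtin (resource_type, role_name)
);

-- Option B: drop the lookup table and use enum types for the fixed sets.
CREATE TYPE resource_kind AS ENUM ('fleet', 'silo', 'project');
CREATE TYPE role_kind     AS ENUM ('admin', 'collaborator', 'viewer');
CREATE TABLE role_assignment_enum (
    resource_type resource_kind NOT NULL,
    resource_id   UUID NOT NULL,
    identity_id   UUID NOT NULL,
    role_name     role_kind NOT NULL,
    PRIMARY KEY (resource_type, resource_id, identity_id, role_name)
);
-- The same misspelled row is rejected by both hardened tables:
--   role_assignment_fk:   foreign key violation
--   role_assignment_enum: invalid input value for enum role_kind
```

Option A keeps the set of valid pairs as data, so a pair can be excluded without a type change; Option B needs no extra table because every resource type on this page has the same three roles.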

@david-crespo david-crespo enabled auto-merge (squash) July 8, 2025 21:45
@david-crespo david-crespo merged commit b7b24d5 into main Jul 9, 2025
17 checks passed
@david-crespo david-crespo deleted the delete-builtin-roles branch July 9, 2025 04:30