Description
Scope admin allows you to create collections in a scope of a bucket. As a consequence, all the APIs that relate to managing collections now work based on user permissions. So a GET of pools/default/buckets/<bucket_name>/collections would return the collections that a user has access to while filtering out the ones it doesn’t.
From my basic understanding of how the UI works, the permissions for each user are fetched at the beginning of login using the checkPermissions API and cached in order to serve different buttons to the user. However, all the permissions are bucket-level permissions.
I see we check bucket-level permissions to enable the “Scopes & Collections” button, in ns_server/priv/public/ui/app/mn_admin/mn_buckets_list_item.html line 55. I’m not sure how much work is required to change these to collection-level permissions, as
rbac.cluster.collection[bucket.name:.:.].collections.read
Creating this bug for further evaluation to see what is required for UI to be able to grant access to scope admin users.
Issue Links
- depends on MB-41765 Should have a "scope-admin" role in Cheshire Cat (Closed)
Gerrit Reviews
For Gerrit Dashboard: MB-42422

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
139234,2 | WIP MB-42422: Give scope_admin UI access | master | ns_server | NEW | 0 | 0 |