Allow Robot Accounts to Manage Robots with Full Permissions #21251
Comments
For security consideration, the created robot account's permission should never exceed the creator robot account. As you can see in the error log:
Okay, but if you select only project-by-project, this will work fine.
Closing the issue b/c it's working as designed.
Hi,
Expected behavior and actual behavior:
When you have a Robot account system with the following permissions:
Project [Create, List]
Robot Account [Create, Delete, List, Read]
And you check the "Cover all projects" option, along with selecting the Repository [Pull] action, the expected behavior is that the Robot account should be able to perform all the specified actions across all projects.
However, the actual behavior you are observing is that the Robot account is not able to perform the selected actions as expected:
{"errors":[{"code":"DENIED","message":"permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: robot$crossplane"}]}
Steps to reproduce the problem:
curl -k -X 'POST' 'https:///api/v2.0/robots' -u 'robot$crossplane:' -H 'Content-Type: application/json' -d '{"name": "puller","description": "puller","level": "system","duration": -1,"permissions": [{"kind": "project","namespace": "dev","access":[{"resource": "repository","action": "pull"}]}]}'
Versions:
Please specify the versions of the following systems:
Additional context:
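An added illustration, not part of the original thread and not Harbor's own code: a scope check that compares permissions by exact kind and namespace, which reproduces the behaviour reported here (denied when the creator holds "Cover all projects", accepted when it holds the project explicitly). The `*` namespace standing for "Cover all projects" and all type and function names are assumptions.

```go
package main

import "fmt"

// Access is one resource/action pair, such as repository/pull.
type Access struct{ Resource, Action string }

// Permission mirrors one entry of the "permissions" array in the request.
type Permission struct {
	Kind, Namespace string
	Access          []Access
}

// index maps "kind:namespace" to the set of accesses granted in that scope.
func index(perms []Permission) map[string]map[Access]bool {
	m := map[string]map[Access]bool{}
	for _, p := range perms {
		key := p.Kind + ":" + p.Namespace
		if m[key] == nil {
			m[key] = map[Access]bool{}
		}
		for _, a := range p.Access {
			m[key][a] = true
		}
	}
	return m
}

// WithinCreatorScope reports whether the creator holds every requested access
// in the same scope. Assumed model: exact match, so project:* does not cover project:dev.
func WithinCreatorScope(creator, requested []Permission) bool {
	held := index(creator)
	for _, p := range requested {
		scope := held[p.Kind+":"+p.Namespace] // nil when the creator lacks this scope
		for _, a := range p.Access {
			if !scope[a] {
				return false
			}
		}
	}
	return true
}

func main() {
	pull := []Access{{"repository", "pull"}}
	coverAll := []Permission{{"project", "*", pull}} // constructed creator scope
	dev := []Permission{{"project", "dev", pull}}    // scope from the request above
	fmt.Println(WithinCreatorScope(coverAll, dev), WithinCreatorScope(dev, dev))
}
```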