Feat: Add a public token type that has only READ access to calling deployments #647
Conversation
| @@ -28,6 +28,7 @@ const ( | |||
| TokenTypeWorkspace string = "workspace" | |||
| TokenTypeWorker string = "worker" | |||
| TokenTypeMachine string = "machine" | |||
| TokenTypePublic string = "public" // TODO: naming could be improved | |||
There was a problem hiding this comment.
what should we name it?
There was a problem hiding this comment.
I think TokenTypeReadOnly because its being used as just that. If we decide to have permissions on tokens, then having a "Public" token is redundant with a "Workspace" token. So this feels more like a temporary feature to me until we have something more elaborate.
If we want to get more specific, TokenTypeDeploymentReadOnly. This creates room for other resource types like tasks or volumes, but it could make the auth closure logic more complicated to follow, challenging to add more token types, and difficult to maintain.
There was a problem hiding this comment.
what about TokenTypeRequestOnly?
There was a problem hiding this comment.
or TokenTypeCallAPIOnly
There was a problem hiding this comment.
I think those are less clear. Neither "Request" nor "CallAPIOnly" indicate to me that this is a read-only token. In both names, one could still assume they have write permissions.
There was a problem hiding this comment.
TokenTypeDeploymentReadOnly sounds like they can list deployments as well. I can't think of the perfect name for this.
what about TokenTypeAPIRestricted
Added a new
token_typecalledpublicthat gives READONLY for making HTTP requests to deployments, but prevents access to other resources.This will allow our users to safely distribute Beta9 api tokens to their own users