cncf / clowarden

CLOWarden is a tool that manages access to resources across multiple services
https://clowarden.io
Apache License 2.0
39 stars 5 forks

Per Repo State File Support Question #181

Closed petermetz closed 3 months ago

petermetz commented 3 months ago

I'd like to gauge interest for accepting a contribution that would allow CLOWarden to have the state (users, teams) stored in yaml files on a per repository basis:

  1. The main yaml file (the one that's global for the org) would define which repositories have access to which teams (so that maintainers of repositories can't write the state of another repository)
  2. The per repository state file would then declare only the teams and users of that repository and the maintainers of that repo would have control over it
  3. The use-case for this is supporting a GitHub org where there are different projects with different maintainers within the same org.

I understand that this might be adding a lot of complexity to the codebase and therefore might be undesired or better suited for a standalone project, but I figured it's worth at least asking.

As a (rough) example, `MyCoolOrg` would have `CoolProjectA` and `CoolProjectB` repositories with maintainers `PersonA` and `PersonB` respectively.

There are two teams defined to contain the maintainers of each repository mentioned above:

Then the configuration files could look like this, allowing each maintainer to manage their own repositories' teams, but not the others:

root-state.yaml

repositories:
  CoolProjectA:
    teams:
      - maintainers-a
  CoolProjectB:
    teams:
      - maintainers-b

state.yaml in repository CoolProjectA

teams:
  - name: maintainers-a
    maintainers:
      - PersonA

state.yaml in repository CoolProjectB

teams:
  - name: maintainers-b
    maintainers:
      - PersonB

The end result of this setup would be that if PersonB tries to declare new team members in maintainers-a in the state.yaml file that they control (the state file of CoolProjectB) then that would fail because the root .yaml file doesn't declare that permission.
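
The check the proposal describes, written out as an added example (this is illustration code, not CLOWarden's own implementation, and CLOWarden does not support per-repository state files). It assumes the file shapes sketched above: a root file mapping each repository to the teams it may manage, and one per-repository file declaring only those teams. The merge function, the `managed_by` field and the error strings are assumptions for the example; the inputs are the parsed form of the files above, embedded as Python literals so the script runs offline without a YAML loader. The tampered file for `CoolProjectB` is constructed to show the rejection case from the last paragraph.

```python
from typing import Dict, List

# Constructed inputs: the parsed form of root-state.yaml and of the two
# per-repository state.yaml files from the proposal (what a YAML loader
# would return). Literal dicts so the example has no YAML dependency.
ROOT_STATE = {
    "repositories": {
        "CoolProjectA": {"teams": ["maintainers-a"]},
        "CoolProjectB": {"teams": ["maintainers-b"]},
    }
}

REPO_STATES = {
    "CoolProjectA": {"teams": [{"name": "maintainers-a", "maintainers": ["PersonA"]}]},
    "CoolProjectB": {"teams": [{"name": "maintainers-b", "maintainers": ["PersonB"]}]},
}

# Constructed tampered file: PersonB edits CoolProjectB's state.yaml and
# tries to add themselves to maintainers-a, a team root never granted to B.
TAMPERED_B = {
    "teams": [
        {"name": "maintainers-b", "maintainers": ["PersonB"]},
        {"name": "maintainers-a", "maintainers": ["PersonA", "PersonB"]},
    ]
}


class StateError(ValueError):
    """Raised when the combined state violates the root file's grants."""


def root_violations(root: dict) -> List[str]:
    """Sanity-check the root file. A team granted to two repositories would
    let either repo rewrite it, so every team must have exactly one owner."""
    owner: Dict[str, str] = {}
    problems: List[str] = []
    for repo, spec in root.get("repositories", {}).items():
        for team in spec.get("teams", []):
            if team in owner:
                problems.append(f"team {team!r} granted to both {owner[team]!r} and {repo!r}")
            else:
                owner[team] = repo
    return problems


def repo_violations(root: dict, repo: str, state: dict) -> List[str]:
    """Return why `repo`'s state file cannot be accepted (empty list = OK).

    Only teams listed under the repo in the root file may appear. Anything
    else is reported as an error rather than silently dropped, so the
    maintainer sees the failure in review instead of a no-op."""
    repos = root.get("repositories", {})
    if repo not in repos:
        return [f"repository {repo!r} is not declared in the root state"]
    granted = set(repos[repo].get("teams", []))
    problems: List[str] = []
    for team in state.get("teams", []):
        name = team.get("name")
        if not name:
            problems.append(f"{repo}: team entry without a name")
        elif name not in granted:
            problems.append(f"{repo}: not allowed to manage team {name!r}")
    return problems


def merge_states(root: dict, repo_states: Dict[str, dict]) -> Dict[str, dict]:
    """Build the effective org-wide team map from all per-repo files,
    refusing the whole reconciliation if any file oversteps its grant.
    Uniqueness of team names follows from root_violations plus
    repo_violations: each team has one owner and only that owner may declare it."""
    problems = root_violations(root)
    for repo, state in repo_states.items():
        problems += repo_violations(root, repo, state)
    if problems:
        raise StateError("; ".join(problems))
    teams: Dict[str, dict] = {}
    for repo, state in repo_states.items():
        for team in state.get("teams", []):
            teams[team["name"]] = {
                "maintainers": list(team.get("maintainers", [])),
                "members": list(team.get("members", [])),
                "managed_by": repo,  # assumed field: which repo's file owns the team
            }
    return teams


if __name__ == "__main__":
    print(merge_states(ROOT_STATE, REPO_STATES))
    print(repo_violations(ROOT_STATE, "CoolProjectB", TAMPERED_B))
```

The root file stays the single authority: a per-repository file is never trusted on its own, it is only admitted for the teams the root file names for that repository, and one violation fails the whole reconciliation rather than applying the valid parts.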

tegioz commented 3 months ago

Hi @petermetz 👋

As you mentioned, this would introduce a lot of complexity and we'd like to keep this tool as simple as possible for now.

I understand your use case and it makes sense, but supporting per repository state files is out of the scope of CLOWarden at the moment. Actually, one of the main reasons this project was created was to keep all permissions across an organization centralized in a single location.

It may not be exactly what you need, but maybe this can help:

https://github.com/apps/settings

Thanks for the suggestion anyway! 🙂

petermetz commented 3 months ago

@tegioz Makes perfect sense! Thank you for the detailed explanation and the follow-up advice! :-)