feat(cli): provision scoped CLI data-plane service key #25
Open
tkkhq wants to merge 4 commits into
Pull request overview
This PR updates the CLI to create the reserved volcano-cli-data-plane service key with an explicit least-privilege permission scope (instead of relying on the server’s legacy default full-admin scope when no scope is provided), aligned with the updated hosting API spec.
Changes:
- Add a fixed least-privilege permissions list for the CLI data-plane key and pass it when creating the key.
- Update the internal API client wrapper to accept an optional `permissions []string` and include it in the create request body when provided.
- Regenerate `internal/apiclient` from the updated OpenAPI spec to include the new `permissions` field and related model updates.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/dataplane/service_key.go | Defines the least-privilege permissions and uses them when creating the reserved data-plane key. |
| internal/dataplane/service_key_test.go | Updates the create-key test to assert the request body includes scoped permissions. |
| internal/api/service_keys.go | Extends CreateServiceKey wrapper to accept optional permissions and serialize them when non-empty. |
| internal/apiclient/client.gen.go | Regenerated client/types: adds permissions to create-service-key body and updates response models (e.g., 403/429 variants). |
| internal/apiclient/common/common.gen.go | Regenerated shared models/enums (e.g., database log resource types, usage metric fields, updated comments). |
Files not reviewed (2)
- internal/apiclient/client.gen.go: Generated file
- internal/apiclient/common/common.gen.go: Generated file
Comment on lines +81 to +87

```go
assert.Equal(t, map[string]any{
	"name": CLIServiceKeyName,
	"permissions": []any{
		"functions.invoke", "storage.upload", "storage.download",
		"storage.list", "storage.delete",
	},
}, createBody)
```
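Review bot: the literal permission list in this `assert.Equal` duplicates the slice declared in `service_key.go`, and for a least-privilege pin that duplication is the point: an assertion written against the production constant would still pass if someone widened that constant to include `auth.*` or `realtime.*`. Add a one-line comment above the assertion saying the literals are intentional, otherwise the next refactor will fold them back into a reference to the constant and the test stops guarding anything. Note also that the comparison is order-sensitive, so the test will break on a reorder of the slice as well as on a change of scope; if only the scope matters, compare as a set or keep the declaration order in sync with these lines.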
Summary
- Introduce the reserved `volcano-cli-data-plane` service key provisioned least-privilege from the start, used only for cloud data-plane routes.
- `volcano-cli-data-plane` key: `{functions.invoke, storage.upload, storage.download, storage.list, storage.delete}` — its full data-plane footprint (copy/move/set-visibility map to `storage.upload` server-side) and nothing else (no `auth.*`, no `realtime.*`).
- Regenerate `internal/apiclient` (oapi-codegen v2.7.0) so the create body carries `permissions`.

Dependency
Requires volcano-hosting #511 (adds `permissions[]` to the create API and enforces service-key scopes). Until that ships, an omitted scope would default to full access server-side; this PR always sends the explicit scope.

Tests
Reuse / create-on-missing / race-reload / cloud command auth headers; `TestServiceKeyCreatesMissingCLIKey` asserts the scoped create body. `go build`/`vet` + api/dataplane/cloud/function suites green.

Combines the former "provision" PR #23 (folded here — this PR now targets `main` and includes its commit) with the scoping change. Existing keys named `volcano-cli-data-plane` stay full-access until rotated/recreated.
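The client-side fail-closed behaviour the description and the Copilot overview both rely on (always send an explicit scope, because until volcano-hosting #511 ships an omitted one is full access server-side) as an added Go example. This is not the PR's or the project's code: `BuildCreateBody`, `DecodePermissions`, `inDataPlane`, `allowedPrefixes` and the wildcard rejection are assumptions made for illustration; only the key name and the five permissions come from the PR.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Illustrative names, not the PR's identifiers: the real constants live in
// internal/dataplane/service_key.go. Only the key name and the five
// permissions below are taken from the PR description.
const CLIServiceKeyName = "volcano-cli-data-plane"

// The CLI's full data-plane footprint and nothing else (no auth.*, no realtime.*).
var CLIDataPlanePermissions = []string{
	"functions.invoke",
	"storage.upload", "storage.download", "storage.list", "storage.delete",
}

// Assumed permission families this key may ever carry. Anything else is a
// scope widening and is rejected before a request is built.
var allowedPrefixes = []string{"functions.", "storage."}

// createServiceKeyBody mirrors the shape of the create request. No omitempty
// on Permissions: a forgotten scope must show up as "permissions":[] in the
// wire body, never vanish from it.
type createServiceKeyBody struct {
	Name        string   `json:"name"`
	Permissions []string `json:"permissions"`
}

var ErrNoScope = errors.New("refusing to create a service key without an explicit scope: the server default is full access")

// BuildCreateBody fails closed. An empty scope, a wildcard, or a permission
// outside the data-plane families is an error, because until the hosting side
// enforces scopes an omitted list is interpreted as full admin.
func BuildCreateBody(name string, perms []string) ([]byte, error) {
	if name == "" {
		return nil, errors.New("service key name is required")
	}
	if len(perms) == 0 {
		return nil, ErrNoScope
	}
	seen := make(map[string]bool, len(perms))
	scoped := make([]string, 0, len(perms))
	for _, p := range perms {
		if strings.Contains(p, "*") {
			return nil, fmt.Errorf("wildcard permission %q widens the scope", p)
		}
		if !inDataPlane(p) {
			return nil, fmt.Errorf("permission %q is outside the data-plane scope", p)
		}
		if seen[p] {
			continue // duplicates are harmless but keep the body canonical
		}
		seen[p] = true
		scoped = append(scoped, p)
	}
	return json.Marshal(createServiceKeyBody{Name: name, Permissions: scoped})
}

// inDataPlane accepts "family.action" where family is an allowed prefix and
// action is non-empty; a bare "storage." is rejected.
func inDataPlane(p string) bool {
	for _, pre := range allowedPrefixes {
		if strings.HasPrefix(p, pre) && len(p) > len(pre) {
			return true
		}
	}
	return false
}

// DecodePermissions reads the scope back out of a captured request body, the
// way a test double would, so what was actually sent can be asserted exactly.
func DecodePermissions(body []byte) ([]string, error) {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	raw, ok := m["permissions"].([]any)
	if !ok {
		return nil, errors.New("body carries no permissions array")
	}
	perms := make([]string, 0, len(raw))
	for _, v := range raw {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("non-string permission %v", v)
		}
		perms = append(perms, s)
	}
	return perms, nil
}

func main() {
	body, err := BuildCreateBody(CLIServiceKeyName, CLIDataPlanePermissions)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
	// Constructed counter-examples: each must be refused.
	for _, bad := range [][]string{nil, {"storage.*"}, {"functions.invoke", "auth.admin"}} {
		_, err := BuildCreateBody(CLIServiceKeyName, bad)
		fmt.Printf("%v -> %v\n", bad, err)
	}
}
```

Two guards are worth keeping wherever the real wrapper ends up: refuse an empty list outright instead of letting an `omitempty` tag drop the field, and reject anything outside the `functions.`/`storage.` families, including `storage.*`, so a later edit to the constant cannot quietly widen the key past its data-plane footprint. `DecodePermissions` is the kind of check the PR's test performs on the captured create body.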