
feat(cli): provision scoped CLI data-plane service key #25

Open. tkkhq wants to merge 4 commits into main from feat/scoped-data-plane-key

Conversation

@tkkhq (Contributor) commented Jul 2, 2026

Summary

Introduce the reserved volcano-cli-data-plane service key provisioned least-privilege from the start, used only for cloud data-plane routes.

  • Add service-key API helpers + a data-plane credential service that reuses or creates the reserved volcano-cli-data-plane key.
  • Wire cloud storage object commands and function invoke to use that key for data-plane routes (management — bucket/policy/stats, function list/deploy/delete — keeps using the platform token).
  • Provision it scoped: the key requests {functions.invoke, storage.upload, storage.download, storage.list, storage.delete} — its full data-plane footprint (copy/move/set-visibility map to storage.upload server-side) and nothing else (no auth.*, no realtime.*).
  • Regenerated internal/apiclient (oapi-codegen v2.7.0) so the create body carries permissions.

Dependency

Requires volcano-hosting #511 (adds permissions[] to the create API and enforces service-key scopes). Until that ships, an omitted scope would default to full access server-side; this PR always sends the explicit scope.

Tests

Reuse / create-on-missing / race-reload / cloud command auth headers; TestServiceKeyCreatesMissingCLIKey asserts the scoped create body. go build/vet + api/dataplane/cloud/function suites green.

Combines the former "provision" PR #23 (folded here — this PR now targets main and includes its commit) with the scoping change. Existing keys named volcano-cli-data-plane stay full-access until rotated/recreated.

Copilot AI review requested due to automatic review settings July 2, 2026 22:48
@tkkhq tkkhq requested a review from a team as a code owner July 2, 2026 22:48

Copilot AI left a comment

Pull request overview

This PR updates the CLI to create the reserved volcano-cli-data-plane service key with an explicit least-privilege permission scope (instead of relying on the server’s legacy default full-admin scope when no scope is provided), aligned with the updated hosting API spec.

Changes:

  • Add a fixed least-privilege permissions list for the CLI data-plane key and pass it when creating the key.
  • Update the internal API client wrapper to accept an optional permissions []string and include it in the create request body when provided.
  • Regenerate internal/apiclient from the updated OpenAPI spec to include the new permissions field and related model updates.

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:
  • internal/dataplane/service_key.go: Defines the least-privilege permissions and uses them when creating the reserved data-plane key.
  • internal/dataplane/service_key_test.go: Updates the create-key test to assert the request body includes scoped permissions.
  • internal/api/service_keys.go: Extends CreateServiceKey wrapper to accept optional permissions and serialize them when non-empty.
  • internal/apiclient/client.gen.go: Regenerated client/types: adds permissions to create-service-key body and updates response models (e.g., 403/429 variants).
  • internal/apiclient/common/common.gen.go: Regenerated shared models/enums (e.g., database log resource types, usage metric fields, updated comments).
Files not reviewed (2)
  • internal/apiclient/client.gen.go: Generated file
  • internal/apiclient/common/common.gen.go: Generated file


Comment on lines +81 to +87

	assert.Equal(t, map[string]any{
		"name": CLIServiceKeyName,
		"permissions": []any{
			"functions.invoke", "storage.upload", "storage.download",
			"storage.list", "storage.delete",
		},
	}, createBody)
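The flow the summary describes (reuse the reserved key, create it on missing with the explicit scope, reload once on a create race) and the point the Copilot review makes about how the wrapper serializes permissions, as one added example. This is not code from this PR or from the volcano CLI: the ServiceKey type, the ServiceKeyAPI interface, ErrConflict, the EncodeCreateBody / EnsureCLIServiceKey / ExcessPermissions functions and the in-memory fakeAPI are all assumptions, as is treating a key with no permissions as a legacy full-access key. One deliberate difference from the wrapper as reviewed: rather than omitting the field when the scope is empty, this version refuses to build the body at all, so the server-side full-access default can never be reached by accident.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
)

// Reserved key name and explicit scope, as stated in the PR description.
const CLIServiceKeyName = "volcano-cli-data-plane"
var CLIServiceKeyPermissions = []string{
	"functions.invoke", "storage.upload", "storage.download", "storage.list", "storage.delete",
}

// ServiceKey doubles as the create body (assumed shape, not the project's generated types).
// omitempty would silently drop an empty scope; EncodeCreateBody guards against that.
type ServiceKey struct {
	Name        string   `json:"name"`
	Permissions []string `json:"permissions,omitempty"`
}

var ErrConflict = errors.New("service key already exists") // assumed server error for a duplicate name

type ServiceKeyAPI interface { // assumed surface of the hosting API wrapper the CLI talks to
	ListServiceKeys(ctx context.Context) ([]ServiceKey, error)
	CreateServiceKey(ctx context.Context, body ServiceKey) (ServiceKey, error)
}

// EncodeCreateBody fails closed: with no permissions the server would default to full access.
func EncodeCreateBody(name string, perms []string) ([]byte, error) {
	if len(perms) == 0 {
		return nil, fmt.Errorf("refusing to create %q without an explicit scope", name)
	}
	return json.Marshal(ServiceKey{Name: name, Permissions: perms})
}

func findKey(ctx context.Context, api ServiceKeyAPI) (ServiceKey, bool, error) { // reserved key, if listed
	keys, err := api.ListServiceKeys(ctx)
	i := slices.IndexFunc(keys, func(k ServiceKey) bool { return k.Name == CLIServiceKeyName })
	if err != nil || i < 0 {
		return ServiceKey{}, false, err
	}
	return keys[i], true, nil
}

// EnsureCLIServiceKey reuses the reserved key when it exists, otherwise creates it scoped.
func EnsureCLIServiceKey(ctx context.Context, api ServiceKeyAPI) (ServiceKey, error) {
	if k, ok, err := findKey(ctx, api); err != nil || ok {
		return k, err
	}
	k, err := api.CreateServiceKey(ctx, ServiceKey{Name: CLIServiceKeyName, Permissions: CLIServiceKeyPermissions})
	if errors.Is(err, ErrConflict) { // another CLI process won the race: reload once and reuse its key
		if k, ok, err := findKey(ctx, api); err != nil || ok {
			return k, err
		}
		return ServiceKey{}, errors.New("create conflicted but key missing on reload")
	}
	return k, err
}

// ExcessPermissions lists scopes on an existing key beyond the CLI footprint.
func ExcessPermissions(k ServiceKey) []string {
	if len(k.Permissions) == 0 { // assumed: a key with no scope is a legacy full-access key
		return []string{"*"}
	}
	var extra []string
	for _, p := range k.Permissions {
		if !slices.Contains(CLIServiceKeyPermissions, p) {
			extra = append(extra, p)
		}
	}
	return extra
}

// fakeAPI is a constructed in-memory stand-in; raceOnce makes the first create lose a race.
type fakeAPI struct {
	keys     []ServiceKey
	creates  int
	raceOnce bool
}
func (f *fakeAPI) ListServiceKeys(context.Context) ([]ServiceKey, error) { return f.keys, nil }
func (f *fakeAPI) CreateServiceKey(ctx context.Context, b ServiceKey) (ServiceKey, error) {
	f.creates++
	_, exists, _ := findKey(ctx, f)
	if !exists {
		f.keys = append(f.keys, b) // on the simulated race the "other" process wrote it
	}
	if exists || f.raceOnce {
		f.raceOnce = false
		return ServiceKey{}, ErrConflict
	}
	return b, nil
}

func main() {
	k, err := EnsureCLIServiceKey(context.Background(), &fakeAPI{})
	fmt.Println(k, err)
}
```

Running it prints the newly created, scoped key. ExcessPermissions is the check a CLI could run on the reused key at startup: the summary notes that keys named volcano-cli-data-plane created before this change stay full-access until rotated, and a non-empty result (or the "*" marker for a scope-less key) is the signal to prompt for that rotation rather than keep using an over-privileged credential.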
@tkkhq tkkhq changed the title feat(cli): request least-privilege scope for the data-plane service key feat(cli): provision scoped CLI data-plane service key Jul 2, 2026
@tkkhq tkkhq changed the base branch from ted/cli-data-plane-service-key to main July 2, 2026 23:46