
serviceability: authorize user instructions via Permission accounts #3984

Open

juan-malbeclabs wants to merge 2 commits into main from perm-user

Conversation

juan-malbeclabs (Contributor) commented Jul 5, 2026

Summary

Gate the administrative user instructions via authorize():

  • UpdateUser -> USER_ADMIN (uses split_trailing_permission for its optional old/new tenant accounts)
  • CheckAccessPass -> ACTIVATOR
  • accesspass CheckStatus -> ACTIVATOR | USER_ADMIN (activator or foundation)

Behavior preserved via the legacy foundation/activator fallback while RequirePermissionAccounts is off.

CreateUser/CreateSubscribeUser and SetBgpStatus are intentionally not migrated: the account owner authorizes via access-pass ownership (create) or device.metrics_publisher_pk (set_bgp_status), so the owner must not need a Permission account — the Permission system is for administrators only.

Final PR in the incremental Permission-system rollout; see PERMISSION.md.

Testing Verification

  • User and accesspass integration suites (user_tests, user_old, user_migration, create_subscribe, delete_user_dynamic_accesspass, accesspass_test) and SDK command tests pass.
  • cargo test -p doublezero-serviceability, cargo test -p doublezero_sdk, make rust-lint pass.

Permission migration series

One of 8 per-domain PRs migrating serviceability instructions to the Permission (authorize()) system. The branches partition the change set with no overlap and can be reviewed and merged independently (only the CHANGELOG entry conflicts trivially).

| PR | Domain | Flag(s) |
| --- | --- | --- |
| #3977 | Governance (globalstate/globalconfig/allowlists) | GLOBALSTATE_ADMIN |
| #3978 | Contributor | CONTRIBUTOR_ADMIN |
| #3979 | Infra (location/exchange) | INFRA_ADMIN |
| #3980 | Devices + interfaces | NETWORK_ADMIN, HEALTH_ORACLE |
| #3981 | Links | NETWORK_ADMIN, HEALTH_ORACLE |
| #3982 | Multicast | MULTICAST_ADMIN, ACCESS_PASS_ADMIN |
| #3983 | Tenant | TENANT_ADMIN |
| #3984 | User (update / check_access_pass / check_status) | USER_ADMIN, ACTIVATOR (this PR) |
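The gating pattern the description above relies on, as an added illustration that is not the doublezero-serviceability program's own code: a bitset of permission flags, an `authorize()` that accepts a matching Permission account first and falls back to the legacy foundation/activator keys only while `RequirePermissionAccounts` is off, and a `split_trailing_permission` that peels an optional trailing Permission account off an instruction whose other optional accounts (UpdateUser's old/new tenant) vary in number. The struct shapes, the flag values, the error variants and the assumption that the foundation key stands in for admin flags while the activator key stands in for `ACTIVATOR` are all constructed for this example.

```rust
// Constructed example of the authorize()/Permission gate described in the PR.
// Not the project's code: names mirror the PR text, the rest is assumed.

/// Stand-in for an on-chain public key (constructed; real keys are 32 bytes).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub u8);

// Permission flags as a bitset (values assumed for the example).
pub const USER_ADMIN: u64 = 1 << 0;
pub const ACTIVATOR: u64 = 1 << 1;

/// A Permission account: the key that holds it and the flags it grants.
#[derive(Clone, Debug)]
pub struct Permission {
    pub holder: Pubkey,
    pub flags: u64,
}

/// The part of global state the gate needs: legacy keys plus the rollout switch.
#[derive(Clone, Debug)]
pub struct GlobalState {
    pub foundation: Pubkey,
    pub activator: Pubkey,
    pub require_permission_accounts: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    Unauthorized,
    MissingPermissionAccount,
    PermissionHolderMismatch,
}

/// Authorize `signer` for an instruction that needs any flag in `required`.
/// A Permission account held by the signer wins. While RequirePermissionAccounts
/// is off, the legacy rule applies: foundation satisfies admin flags, activator
/// satisfies ACTIVATOR (mapping assumed from the "activator or foundation" wording).
pub fn authorize(
    state: &GlobalState,
    signer: &Pubkey,
    permission: Option<&Permission>,
    required: u64,
) -> Result<(), AuthError> {
    if let Some(p) = permission {
        // A Permission account only counts for the key that holds it.
        if p.holder != *signer {
            return Err(AuthError::PermissionHolderMismatch);
        }
        if p.flags & required != 0 {
            return Ok(());
        }
    }
    if state.require_permission_accounts {
        return Err(match permission {
            None => AuthError::MissingPermissionAccount,
            Some(_) => AuthError::Unauthorized,
        });
    }
    let admin_flags = required & !ACTIVATOR;
    let legacy_ok = (required & ACTIVATOR != 0 && *signer == state.activator)
        || (admin_flags != 0 && *signer == state.foundation);
    if legacy_ok { Ok(()) } else { Err(AuthError::Unauthorized) }
}

/// Accounts following the fixed ones of an instruction (constructed shape).
#[derive(Clone, Debug)]
pub enum Account {
    Tenant(Pubkey),
    Permission(Permission),
}

/// Peel an optional trailing Permission account off the remaining accounts, so an
/// instruction with a variable number of optional accounts can still locate it.
pub fn split_trailing_permission(accounts: &[Account]) -> (&[Account], Option<&Permission>) {
    match accounts.split_last() {
        Some((Account::Permission(p), rest)) => (rest, Some(p)),
        _ => (accounts, None),
    }
}

/// UpdateUser gate: needs USER_ADMIN; returns how many tenant accounts were supplied.
pub fn update_user(state: &GlobalState, signer: &Pubkey, accounts: &[Account]) -> Result<usize, AuthError> {
    let (tenants, permission) = split_trailing_permission(accounts);
    authorize(state, signer, permission, USER_ADMIN)?;
    Ok(tenants.len())
}

/// accesspass CheckStatus gate: either an activator or a user admin may call it.
pub fn check_status(state: &GlobalState, signer: &Pubkey, permission: Option<&Permission>) -> Result<(), AuthError> {
    authorize(state, signer, permission, ACTIVATOR | USER_ADMIN)
}

fn main() {
    // Rollout switch off: the legacy foundation key still passes the USER_ADMIN gate.
    let state = GlobalState { foundation: Pubkey(1), activator: Pubkey(2), require_permission_accounts: false };
    let accounts = [Account::Tenant(Pubkey(10)), Account::Tenant(Pubkey(11))];
    println!("{:?}", update_user(&state, &Pubkey(1), &accounts));
}
```

The point worth checking in review is the order of the two paths: the Permission account is consulted before the legacy keys, so flipping `require_permission_accounts` on changes only what happens when no usable Permission account is present, which is exactly the "behavior preserved" claim in the description.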

Migrate UpdateUser to USER_ADMIN, CheckAccessPass to ACTIVATOR, and
accesspass CheckStatus to ACTIVATOR|USER_ADMIN via authorize(). UpdateUser uses
split_trailing_permission for its optional tenant accounts. Behavior preserved
via the legacy foundation/activator fallback. User create and set_bgp_status
are intentionally left owner-authorized (access-pass ownership /
device.metrics_publisher_pk) and are not part of the admin Permission system.