Comments (11)
@utsav14nov Let's have the endpoint in this way - v1beta1/notifier/<notifier-type>/execute, where <notifier-type> = slack in this case.
@rahmatrhd @mabdh @haveiss requesting for your comments.
from guardian.
@bsushmith I am trying to understand, so what is the new endpoint's responsibility?
Is it being called when the approve or reject button is clicked?
If yes, why not just use some appeal approval API?
from guardian.
- how will the user authenticate to access the APIs?
- if slack can handle the authentication, we might as well treat the slack bot as a frontend client. And as @mabdh suggested, we can use the same approval API
from guardian.
- We can configure only one request URL in Slack for an app, where it posts data on every button action in Slack. It posts data regarding what action is pressed, which user has clicked, from which channel it is requested, and other metadata.
- Approve and Reject endpoints need appeal_id and approval_step in the URL, which needs to be built at runtime, and Slack doesn't support it.
- Also, only one request URL is configured for one app; we cannot configure a post URL for each button in Slack.
- The Slack request is authenticated by our application through the X-Slack-Request-Timestamp header sent by Slack. There is a logic provided by Slack to create this secret at the backend and compare. This makes sure that the request is coming from the authenticated Slack app.
- If the above step is authenticated well, the user's Slack ID is provided in the payload sent from Slack, which can be used to get the email ID of the user who performed the action.
from guardian.
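The request check described in the comment above, as an added example that is not part of the original thread or of guardian's code: it follows Slack's signed-request scheme, in which the backend recomputes an HMAC-SHA256 over the timestamp and raw body with the app's signing secret and compares it to the `X-Slack-Signature` header. The function names, the five-minute window constant and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew bounds request age so a captured request cannot be replayed later.
const maxSkew = 5 * time.Minute

var ErrStaleTimestamp = errors.New("slack: timestamp missing or outside allowed window")
var ErrBadSignature = errors.New("slack: signature mismatch")

// signSlack computes the value Slack sends in X-Slack-Signature:
// "v0=" + hex(HMAC-SHA256(signingSecret, "v0:" + timestamp + ":" + rawBody)).
func signSlack(secret, timestamp string, rawBody []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":"))
	mac.Write(rawBody)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackRequest checks X-Slack-Request-Timestamp for freshness, then
// compares signatures in constant time. rawBody must be the unparsed body.
func VerifySlackRequest(secret, timestamp, signature string, rawBody []byte, now time.Time) error {
	sec, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return ErrStaleTimestamp
	}
	if age := now.Sub(time.Unix(sec, 0)); age > maxSkew || age < -maxSkew {
		return ErrStaleTimestamp
	}
	if !hmac.Equal([]byte(signSlack(secret, timestamp, rawBody)), []byte(signature)) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample values: not a real signing secret or Slack payload.
	secret, ts := "example-signing-secret", "1700000000"
	body := []byte(`payload={"type":"block_actions","user":{"id":"U000EXAMPLE"}}`)
	now := time.Unix(1700000060, 0) // 60 seconds after the request timestamp
	fmt.Println(VerifySlackRequest(secret, ts, signSlack(secret, ts, body), body, now))
}
```

The signature must be computed over the body bytes exactly as received, before any form or JSON decoding, and the user ID in the payload should only be trusted after this check passes.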
+1 on using same approval APIs, we should treat these as clients, very similar to CLI.
from guardian.
@utsav14nov can you also please share the link to the slack API that you refer to?
from guardian.
As discussed over the call, we all agreed on only one change in guardian, i.e. adding support to notification messages to also send blocks/attachments to format notifications better (Point 1 of the changes recommended in the above issue).
The rest of the flow will be taken care of separately by other services.
cc: @mabdh @rahmatrhd @bsushmith
from guardian.
@utsav14nov Can we update the issue with the final approach we are taking, which also summarises the decisions taken?
from guardian.
@utsav14nov @bsushmith @rahmatrhd The Slack API on an Approve/Reject button/action could capture account_id and action. account_id is an alphanumeric value and does not exist in IAM users or in appeal tables. If we add a flag into the post body of the existing approval, like source=slack, then we can change the appeal API to resolve the email ID for a given account_id using the Slack API and continue with the rest of the approval flow, given the email ID exists in appeal tables.
from guardian.
@singhvikash11 One of the primary problems with the initial approach of using the Slack API directly was with respect to authentication.
Currently, the guardian service is built in such a way that it expects authentication is already done before it receives the API call (primarily through shield), and it expects a specific header with the authenticated user's email, which Slack is unable to send. So instead of mingling the responsibilities here, the following approach can be taken -
- Slack is just another client which has buttons configured - approve/reject, for example. These buttons will be configured with an endpoint (UI).
- The UI will have an endpoint to take the Slack call, and then, through authentication, for example with Google IAP, can call guardian APIs with the appropriate JSON body.
The UI is out of scope for guardian changes and it will depend on how it will be implemented by different users. With this approach, it will be extensible for other notifier providers also, if needed later.
@rahmatrhd @AkarshSatija @haveiss
from guardian.
@bsushmith @utsav14nov let's update the main thread's description with that approach
from guardian.