Automate rbac documentation 8201 draft #8634

Open
wants to merge 3 commits into
base: master

tkalir
Contributor

@tkalir tkalir commented Feb 10, 2025

This is related to issue #8201

This is a draft, to get feedback on this solution before doing the refactoring for the rest of the actions.
The idea is that every action will have a permissionFactory that returns a permission node (like the ones used in controller.go right now) but the "resource" string will be a template that can be

  1. filled before calling authorize() [which creates the node as used now] or
  2. used as-is in the documentation.

I chose the copy objects action for the test here to show the need for RenamePlaceholder, which otherwise will both have the base placeholder from ObjectArnTemplate.

Action names, like "copy_objects" here, will be extracted to a variable.
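The design described in this comment, as an added example that is not code from the PR or from lakeFS: a factory returns a permission node whose resource is an ARN template, which documentation can print as-is and which is filled before authorization. Only `ObjectArnTemplate`, `RenamePlaceholder` and `"copy_objects"` are names from the thread; the `Node` type, `Factories`, `Fill`, the ARN string, the action strings and the `srcObjectKey` placeholder are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Names and strings other than ObjectArnTemplate, RenamePlaceholder and "copy_objects" are assumed.
const ObjectArnTemplate = "arn:lakefs:fs:::repository/{repositoryId}/object/{objectKey}"
var placeholder = regexp.MustCompile(`\{(\w+)\}`)

// Node is one action on a templated resource, or an AND of child nodes.
type Node struct {
	Action, Resource string
	And              []Node
}

// RenamePlaceholder keeps two uses of one template distinguishable.
func RenamePlaceholder(tmpl, from, to string) string {
	return strings.ReplaceAll(tmpl, "{"+from+"}", "{"+to+"}")
}

// Factories maps an action name to its unfilled node, which docs can print as-is.
var Factories = map[string]func() Node{"copy_objects": func() Node {
	src := RenamePlaceholder(ObjectArnTemplate, "objectKey", "srcObjectKey")
	return Node{And: []Node{{"fs:ReadObject", src, nil}, {"fs:WriteObject", ObjectArnTemplate, nil}}}
}}

// Fill substitutes every placeholder in one pass, so braces inside a value are
// never re-expanded, and fails closed when any value is missing.
func (n Node) Fill(vals map[string]string) (Node, error) {
	for _, m := range placeholder.FindAllStringSubmatch(n.Resource, -1) {
		if _, ok := vals[m[1]]; !ok {
			return Node{}, fmt.Errorf("no value for placeholder %s", m[0])
		}
	}
	out := Node{Action: n.Action}
	out.Resource = placeholder.ReplaceAllStringFunc(n.Resource, func(m string) string { return vals[m[1:len(m)-1]] })
	for _, c := range n.And {
		f, err := c.Fill(vals)
		if err != nil {
			return Node{}, err
		}
		out.And = append(out.And, f)
	}
	return out, nil
}

func main() { fmt.Println(Factories["copy_objects"]()) }
```

Without the rename, both child nodes would carry `{objectKey}` and the source and destination could not be filled with different values.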

@N-o-Z
Member

N-o-Z commented Feb 10, 2025

@tkalir Thank you for this contribution! And you definitely made the right choice of feeling out the water before diving in!

I wanted to know, what did you have in mind regarding the doc generation in regards with this approach?

@tkalir
Contributor Author

tkalir commented Feb 11, 2025

> @tkalir Thank you for this contribution! And you definitely made the right choice of feeling out the water before diving in!
>
> I wanted to know, what did you have in mind regarding the doc generation in regards with this approach?

My general plan is:

  1. fill the permission factory map so I can get the resource-action for every action by its name (some actions require permissions for multiple resources, so I keep the node structure and plan to reflect that in the generated docs). The "resource" column in the docs will show the pre filled arn template as it is in the permission node.

  2. create some mapping (in yaml file or code) which includes

     • action name
     • operationId (so I can get the api endpoint from swagger.yaml)
     • user friendly action name (there is no way to auto-generate a user-friendly name from ReadExternalPrincipal)
     • at least for the moment, also hard code the "S3 gateway operation" section

  3. create an endpoint that generates the markdown for the table from all that (I haven't looked into the specifics of how to integrate it yet)

As I mentioned here, instead of writing the permission factories code manually, it's also possible to have the permission node data in the yaml from point #2 and use code generation.

Thanks

@arielshaqed arielshaqed self-requested a review February 21, 2025 07:43
@arielshaqed
Contributor

Hi @tkalir,
Sorry for the long silence on this issue. I want to review it. Thanks! It looks like a very useful addition!
I think that the easiest way to generate docs would be to add an API to the Controller that writes a table of permissions, and then call that from the lakefs cli. An issue here is how to order the API calls. One way might be also to parse swagger.yml and output in the same order. Another might be to find a way to sort by camelcased words; perhaps by the second word. I think I prefer the first.

@tkalir
Contributor Author

tkalir commented Feb 24, 2025

@arielshaqed ok, thanks, I'm working on it.
I see you requested to review this - I planned to close this PR and open a new one when it's ready, but if you prefer I can update this one instead.
