Comments (5)
- The API (fleetctl) allows creating an enroll secret that is <32 characters in length
- gitops users cannot GET/view enroll secrets
Hey @RachelElysia, thanks for erring towards bugs!
For (1), if I'm understanding correctly, the UI rejects secrets < 32 characters while the API/GitOps doesn't.
I think we should make this consistent w/ Fleet's way of doing validation: at the API level.
I think it's up to @rachaelshaw (API design DRI) if this is a bug or feature request. Rachael, I'm assigning you this bug to make the call.
from fleet.
For (2) I think this is the expected behavior but I can't find it on the manage access doc page.
@getvictor when you get the chance, can you please confirm that this is the expected behavior and open a PR to the manage access docs page? Thanks!
Why I think it's the expected behavior: GitOps users don't have read access to most items because they're used for the best practice GitOps workflow which only needs write access. As an IT admin using the GitOps workflow, I'll have another account to log into the Fleet UI to read items.
from fleet.
@noahtalerman @RachelElysia I'll add this to Feature Fest; I'd consider this a feature request since there are other places we have guardrails in the UI that aren't present in the API, and I think this is worth more consideration re: @getvictor's point about it potentially being a breaking change.
Basically, where I stand with adding API validations in minor versions is: if something would be broken in Fleet anyway without those validations, then they're worth adding to existing endpoints even if it could potentially break some API workflows (because it just makes an existing problem clearer earlier on.) If it's a validation that's potentially a breaking change and things still work without it, it should probably wait until a major version bump unless there's a really good reason.
I think if we only validate >= 32 characters when the secrets are created it shouldn't break things for the way we'd expect most people to use this API, but also we never know exactly how these endpoints are being used, so probably falls into the second category. Just realized both the API endpoints for adding secrets replace the entire list, so adding validation would be breaking for anyone that currently has a too-short enroll secret in use.
from fleet.
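An added example (not Fleet's code and not part of any comment in this thread): a Go sketch of the trade-off raised in the comment above, contrasting strict 32-character validation on an endpoint that replaces the whole secret list with validation applied only to secrets that are not already stored. The function names and sample secrets are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// minEnrollSecretLen is the 32-character minimum discussed in the thread.
const minEnrollSecretLen = 32

// tooShort reports whether a secret has fewer than minEnrollSecretLen characters.
func tooShort(secret string) bool {
	return utf8.RuneCountInString(secret) < minEnrollSecretLen
}

// StrictRejects returns every too-short secret in a replacement list.
// On a replace-the-whole-list endpoint this also flags short secrets that
// are already in use, which is the breaking-change case.
func StrictRejects(incoming []string) []string {
	var rejected []string
	for _, s := range incoming {
		if tooShort(s) {
			rejected = append(rejected, s)
		}
	}
	return rejected
}

// GrandfatheredRejects (hypothetical approach) flags only too-short secrets
// that are not already stored, so existing short secrets keep working while
// newly created ones must meet the minimum.
func GrandfatheredRejects(existing, incoming []string) []string {
	stored := make(map[string]struct{}, len(existing))
	for _, s := range existing {
		stored[s] = struct{}{}
	}
	var rejected []string
	for _, s := range incoming {
		if _, ok := stored[s]; !ok && tooShort(s) {
			rejected = append(rejected, s)
		}
	}
	return rejected
}

func main() {
	// Constructed sample values, not real enroll secrets.
	existing := []string{"legacy-short-secret"}
	incoming := []string{"legacy-short-secret", "0123456789abcdef0123456789abcdef", "new-short"}
	fmt.Println("strict rejects:       ", StrictRejects(incoming))
	fmt.Println("grandfathered rejects:", GrandfatheredRejects(existing, incoming))
}
```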
@getvictor saw these bugs with me so I'm removing the :reproduce label
Added :product to help confirm intended gitops behavior for both these bugs and decide if these are actually bugs
from fleet.
@noahtalerman
For (1), adding validation may break existing users. We would need to communicate the change.
For (2), gitops can view the team secrets (because they are part of the team config), but not the global secrets. Should we just let gitops view both types of secrets for consistency?
I don't think this issue is a bug. It should be prioritized along with other stories.
from fleet.