@ribaraka ribaraka commented Dec 8, 2025

Motivation: cadence-workflow/cadence#6706
Plan&Findings: cadence-workflow/cadence#7508

This PR adds out-of-the-box RBAC support for the Cadence Web UI.

  • UI RBAC aligned with Cadence (backend) JWT auth: tokens come from cookie (cadence-authorization) or env (CADENCE_WEB_JWT_TOKEN), are forwarded on all gRPC calls, and claims/groups drive what the UI shows/enables.
  • Auth endpoints: POST /api/auth/token to set the HttpOnly cookie, DELETE /api/auth/token to clear it, GET /api/auth/me to expose public auth context.
  • User context middleware populates gRPC metadata and user info for all route handlers.
  • Domain visibility: getAllDomains filters by READ_GROUPS/WRITE_GROUPS. Redirects respect the filtered list.
  • Workflow/domain actions: start/signal/terminate/etc. are disabled with “Not authorized” when the token lacks write access.
  • Login/logout UI: navbar shows JWT paste modal when unauthenticated.

@ribaraka ribaraka force-pushed the rbac branch 2 times, most recently from 319273d to 42b3e1c, December 9, 2025 03:49
@ribaraka ribaraka changed the title from "Role based Cadence-web" to "feat: Role based Cadence-web", Dec 9, 2025
@ribaraka ribaraka force-pushed the rbac branch 2 times, most recently from 6378636 to 165520e, December 9, 2025 04:35
- UI RBAC aligned with Cadence JWT auth: tokens come from cookie (cadence-authorization) or env (CADENCE_WEB_JWT_TOKEN), are forwarded on all gRPC calls, and claims/groups drive what the UI shows/enables.
- Auth endpoints: POST /api/auth/token to set the HttpOnly cookie, DELETE /api/auth/token to clear it, GET /api/auth/me to expose public auth context.
- User context middleware populates gRPC metadata and user info for all route handlers.
- Domain visibility: getAllDomains filters by READ_GROUPS/WRITE_GROUPS. Redirects respect the filtered list.
- Workflow/domain actions: start/signal/terminate/etc. are disabled with “Not authorized” when the token lacks write access;
- Login/logout UI: navbar shows JWT paste modal when unauthenticated.

Signed-off-by: Stanislav Bychkov <[email protected]>
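
The domain-visibility and write-gating rules listed in the description above, sketched as an added example (not code from this PR or from cadence-web). The `Claims` shape, the helper names, whitespace-separated group lists, write access implying read, and deny-by-default for a missing token or a domain without group entries are all assumptions; gating of this kind only decides what the UI shows, so it presumes the backend checks the forwarded token on every call.

```typescript
// Added example: types, helper names and matching rules are assumptions.
type Claims = { groups: string[]; isAdmin: boolean };
type Domain = { name: string; data: Record<string, string> };
type Access = { canRead: boolean; canWrite: boolean };

// Assumed format: group lists are whitespace-separated strings in domain data.
function parseGroups(raw: string | undefined): Set<string> {
  return new Set((raw ?? '').split(/\s+/).filter((g) => g.length > 0));
}

// null claims = no token presented. Deny by default; admins bypass group checks.
function domainAccess(claims: Claims | null, domain: Domain): Access {
  if (claims === null) return { canRead: false, canWrite: false };
  if (claims.isAdmin) return { canRead: true, canWrite: true };
  const readGroups = parseGroups(domain.data['READ_GROUPS']);
  const writeGroups = parseGroups(domain.data['WRITE_GROUPS']);
  const canWrite = claims.groups.some((g) => writeGroups.has(g));
  // Assumption: membership in a write group also grants read.
  const canRead = canWrite || claims.groups.some((g) => readGroups.has(g));
  return { canRead, canWrite };
}

// Domain list shown to the user: only domains the token can read.
function filterVisibleDomains(claims: Claims | null, domains: Domain[]): Domain[] {
  return domains.filter((d) => domainAccess(claims, d).canRead);
}

// State for start/signal/terminate-style buttons on one domain.
function writeActionState(claims: Claims | null, domain: Domain): { disabled: boolean; reason?: string } {
  return domainAccess(claims, domain).canWrite
    ? { disabled: false }
    : { disabled: true, reason: 'Not authorized' };
}

// Constructed sample data, not real domains or groups.
const SAMPLE_DOMAINS: Domain[] = [
  { name: 'payments', data: { READ_GROUPS: 'finance-ro audit', WRITE_GROUPS: 'finance-rw' } },
  { name: 'search', data: { WRITE_GROUPS: 'search-team' } },
  { name: 'legacy', data: {} },
];
const SAMPLE_USER: Claims = { groups: ['audit', 'search-team'], isAdmin: false };

console.log(filterVisibleDomains(SAMPLE_USER, SAMPLE_DOMAINS).map((d) => d.name));
console.log(SAMPLE_DOMAINS.map((d) => writeActionState(SAMPLE_USER, d).disabled));
```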