AccessList: Add safety dangling ownerOf reference check#63466
Open
smallinsky wants to merge 1 commit intomasterfrom
Open
AccessList: Add safety dangling ownerOf reference check#63466smallinsky wants to merge 1 commit intomasterfrom
smallinsky wants to merge 1 commit intomasterfrom
Conversation
smallinsky
force-pushed
the
smallinsky/add-dangling-ownerOf-safety-check
branch
2 times, most recently
from
8282521 to
e262a42
Compare
smallinsky
force-pushed
the
smallinsky/add-dangling-ownerOf-safety-check
branch
2 times, most recently
from
32053ba to
a1a4bca
Compare
smallinsky
force-pushed
the
smallinsky/add-dangling-ownerOf-safety-check
branch
from
a1a4bca to
4702cfd
Compare
smallinsky
added
the
no-changelog
Contributor
Author
|
friendly ping @kopiczko @strideynet |
kopiczko
approved these changes
Feb 6, 2026
Contributor
kopiczko
left a comment
kopiczko
left a comment
There was a problem hiding this comment.
LGTM. Are you planning to add something similar for memberOf?
Comment on lines
+482
to
+483
| require.ElementsMatch(t, []string{"root"}, got, | ||
| `Should only include "root" (valid relationship), not "root2" (dangling reference)`) |
Contributor
There was a problem hiding this comment.
You can add require.NotContains(t, got, "root2") to make an explicit assertion.
Contributor
Author
For memberOf this check already exists. |
strideynet
approved these changes
Feb 6, 2026
public-teleport-github-review-bot
bot
removed the request for review
from bernardjkim
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
This is safeguard that make sure that RBAC check that is calculated using owernOf to traversal access list graph will be excluded if ownerOf is dangling (there is not accualty addaguate ownership relation inside access list).
Why
This solution in current state will not happen since all access list update flows calculates the ownerOf + we have async reconciler process to verify the correctnes of ownerOf/memberOf failed. But just in case this will help if wrong path will be introduced.