Skip to content

AccessList: Add safety dangling ownerOf reference check#63466

Open
smallinsky wants to merge 1 commit intomasterfrom
smallinsky/add-dangling-ownerOf-safety-check
Open

AccessList: Add safety dangling ownerOf reference check#63466
smallinsky wants to merge 1 commit intomasterfrom
smallinsky/add-dangling-ownerOf-safety-check

Conversation

@smallinsky
Copy link
Contributor

What

This is safeguard that make sure that RBAC check that is calculated using owernOf to traversal access list graph will be excluded if ownerOf is dangling (there is not accualty addaguate ownership relation inside access list).

Why

This solution in current state will not happen since all access list update flows calculates the ownerOf + we have async reconciler process to verify the correctnes of ownerOf/memberOf failed. But just in case this will help if wrong path will be introduced.

@smallinsky smallinsky requested a review from kopiczko February 3, 2026 21:02
@smallinsky smallinsky force-pushed the smallinsky/add-dangling-ownerOf-safety-check branch 2 times, most recently from 8282521 to e262a42 Compare February 3, 2026 21:05
@smallinsky smallinsky marked this pull request as ready for review February 3, 2026 21:05
@smallinsky smallinsky force-pushed the smallinsky/add-dangling-ownerOf-safety-check branch 2 times, most recently from 32053ba to a1a4bca Compare February 3, 2026 21:10
@smallinsky smallinsky force-pushed the smallinsky/add-dangling-ownerOf-safety-check branch from a1a4bca to 4702cfd Compare February 3, 2026 21:14
@smallinsky smallinsky added the no-changelog Indicates that a PR does not require a changelog entry label Feb 4, 2026
@smallinsky
Copy link
Contributor Author

smallinsky commented Feb 6, 2026

friendly ping @kopiczko @strideynet

Copy link
Contributor

@kopiczko kopiczko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Are you planning to add something similar for memberOf?

Comment on lines +482 to +483
require.ElementsMatch(t, []string{"root"}, got,
`Should only include "root" (valid relationship), not "root2" (dangling reference)`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can add require.NotContains(t, got, "root2") to make an explicit assertion.

@smallinsky
Copy link
Contributor Author

LGTM. Are you planning to add something similar for memberOf?

For memberOf this check already exists.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from bernardjkim February 6, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-changelog Indicates that a PR does not require a changelog entry size/sm

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants