Enhance add-access-rule command UX with intuitive name-based flags#3758
Draft
Enhance add-access-rule command UX with intuitive name-based flags#3758
Conversation
This commit improves the user experience for the add-access-rule command by replacing the positional GUID-based SELECTOR argument with intuitive flags that accept human-readable names and support cross-space/org resolution. Changes: **Command Interface:** - Remove positional SELECTOR argument (breaking change, acceptable for unreleased feature) - Add new flags: --source-app, --source-space, --source-org, --source-any, --selector - Support hierarchical name resolution: - --source-app APP_NAME (looks in current space) - --source-app APP_NAME --source-space SPACE (cross-space in current org) - --source-app APP_NAME --source-space SPACE --source-org ORG (cross-org) - --source-space SPACE (space-level rule) - --source-org ORG (org-level rule) - --source-any (allow any authenticated app) - --selector SELECTOR (raw GUID-based selector for advanced users) - Validate exactly one primary source is specified - Display verbose output showing resolved selector for transparency **Terminology Update:** - Rename all "target" terminology to "source" throughout codebase - Access rules specify the source (who can access), not the target - Update AccessRuleWithRoute.TargetName → SourceName - Update resolveAccessRuleTarget() → resolveAccessRuleSource() - Update access-rules list command table header: "target" → "source" **Error Handling:** - Provide helpful error messages when app not found in current space - Suggest using --source-space and --source-org flags for cross-space/org access - Follow CF CLI patterns from add-network-policy command **Testing:** - Add 17 comprehensive test cases for add-access-rule command - Update 19 actor tests to use new SourceName field - All tests passing (36/36) **Domain Integration:** - Add enforce_access_rules support to create-shared-domain and create-private-domain - Add --enforce-access-rules and --access-rules-scope flags - Update domain resource with new fields Examples: # Simple case - app in current space cf add-access-rule allow-frontend apps.identity --source-app frontend-app --hostname backend # Cross-space access cf add-access-rule allow-other apps.identity --source-app api-client --source-space other-space --hostname backend # Cross-org access cf add-access-rule allow-prod apps.identity --source-app client --source-space prod-space --source-org prod-org --hostname api # Space-level rule cf add-access-rule allow-monitoring apps.identity --source-space monitoring --hostname api # Org-level rule cf add-access-rule allow-platform apps.identity --source-org platform --hostname shared-api # Any authenticated app cf add-access-rule allow-all apps.identity --source-any --hostname public-api Related to: cloudfoundry/community#1438
Author
|
Don't worry about this PR just yet, just doing some more POC work on the RFC: cloudfoundry/community#1438 |
Per RFC commits 882b69a and 11752f2, access rules no longer have user-provided names. They are identified by their selector only, with labels/annotations used for metadata instead. Changes: - Removed RULE_NAME argument from add-access-rule command - Removed Name field from AccessRule API resource - Updated access-rules list to show 4 columns (route, selector, scope, source) - SourceName now represents resolved app/space/org name from selector - Updated remove-access-rule to use --selector flag instead of rule name - Renamed DeleteAccessRule() to DeleteAccessRuleBySelector() - Updated all tests to remove Name field references All tests passing.
…lumns Changed table format from: route selector scope source backend.apps.identity ... app frontend-app To: host domain path selector scope source backend apps.identity ... app frontend-app api apps.identity /metrics ... space monitoring This provides better clarity by separating the route components into individual columns, making it easier to scan and filter visually.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR enhances the user experience of the access-rules commands by providing intuitive name-based flags and aligning with recent RFC updates that removed rule names.
Related to: cloudfoundry/community#1438
Motivation
The original
add-access-rulecommand required users to manually construct GUID-based selectors (e.g.,cf:app:d76446a1-f429-4444-8797-be2f78b75b08), which was cumbersome and error-prone. This PR follows CF CLI conventions from commands likeadd-network-policyto provide a more user-friendly interface.Additionally, per RFC commits 882b69a and 11752f2, access rules no longer have user-provided names. They are now identified by their selector only, with labels/annotations used for metadata instead.
Changes
RFC Alignment: Removed Rule Names
Key Changes:
RULE_NAMEpositional argument fromadd-access-rulecommandNamefield from AccessRule API resourceaccess-ruleslist command to show 4 columns: route, selector, scope, sourcesourcecolumn shows the resolved name of the app/space/org from the selectorremove-access-ruleto use--selectorflag instead of rule nameDeleteAccessRule()toDeleteAccessRuleBySelector()Command Interface Improvements
Before:
After:
New Flags
add-access-rule:
--source-app APP_NAME- Specify source app by name (resolves to GUID)--source-space SPACE_NAME- Specify space context for app lookup or create space-level rule--source-org ORG_NAME- Specify org context for space/app lookup or create org-level rule--source-any- Allow any authenticated app--selector SELECTOR- Raw GUID-based selector for advanced usersremove-access-rule:
--selector SELECTOR- Required. Specify the selector to removeTerminology Update
AccessRuleWithRoute.TargetName→SourceNameresolveAccessRuleTarget()→resolveAccessRuleSource()access-ruleslist command table header: "target" → "source"Enhanced Output
add-access-rule:
access-rules:
Validation & Error Handling
--source-spaceand--source-orgflags for cross-space/org accessadd-network-policycommandDomain Integration
--enforce-access-rulesand--access-rules-scopeflags tocreate-shared-domainandcreate-private-domaincommandsTesting
add-access-rulecommandBreaking Changes
RULE_NAMEpositional argument fromadd-access-rulecommandNamefield from AccessRule API resourceremove-access-ruleto require--selectorflag instead of rule nameChecklist
Next Steps
This PR is marked as draft pending: