Make Sprocket the source of truth for org-team permissions (#726)#738
Open
- Add sprocket.user_org_team_permission table and TypeORM entity
- Resolve JWT org teams from Sprocket; optional ORG_TEAM_PERMISSION_DUAL_READ MLEDB fallback
- Admin GraphQL CRUD for org-team permissions; wire loginAsUser and replay-parse override
- Register FormerPlayerScrimGuard in MledbInterfaceModule for DI
- Document source of truth and removal plan in reports/

Co-authored-by: Jake Bailey <asaxplayinghorse@gmail.com>

- Read platform:org-team-permission-dual-read and set ORG_TEAM_PERMISSION_DUAL_READ on core/monolith
- Enable dual-read in Pulumi.prod.yaml until MLEDB backfill completes
- Add SQL backfill script mledb.player_to_org -> sprocket.user_org_team_permission
- Document Pulumi key and script path in issue-726 report

Co-authored-by: Jake Bailey <asaxplayinghorse@gmail.com>

- When ORG_TEAM_PERMISSION_DUAL_READ=true, fetch player_to_org every time
- Log mismatches (warn vs verbose for pre-backfill empty Sprocket)
- Return semantics unchanged: prefer Sprocket rows, else MLEDB under dual-read
- Update issue-726 ops doc for dual-read behavior

Co-authored-by: Jake Bailey <asaxplayinghorse@gmail.com>
Summary

Implements GitHub issue #726: org-team / LO-style permission bits used in JWTs and guards now persist in Sprocket (sprocket.user_org_team_permission) instead of reading mledb.player_to_org on every login/refresh.

What changed

- sprocket.user_org_team_permission (migration 1770500000000-UserOrgTeamPermission) with unique (userId, orgTeam) and FK to sprocket.user.
- UserOrgTeamPermissionService — list/replace/add/remove permissions.
- OrgTeamPermissionResolutionService — resolves org teams for a user id; prefers Sprocket rows.
- OauthController — builds orgTeams from resolution (no direct player_to_org reads).
- loginAsUser — copies the target user's resolved org teams into the short-lived token.
- ReplayParseService — LO/admin override uses resolution instead of MLEDB.
- FormerPlayerScrimGuard — short-circuits for LO/admin via resolution; still uses MLE player for the FP check (guard is now a proper MledbInterfaceModule provider).
- userOrgTeamPermissions, setUserOrgTeamPermissions, addUserOrgTeamPermission, removeUserOrgTeamPermission.
- reports/issue-726-org-team-permissions.md — source of truth, env flag, removal plan, Pulumi prod key, backfill SQL path.

Dual-read compatibility (temporary)

If a user has no Sprocket permission rows and ORG_TEAM_PERMISSION_DUAL_READ=true, resolution falls back to legacy mledb.player_to_org. Default is off in app code; prod Pulumi sets platform:org-team-permission-dual-read: "true" in infra/platform/Pulumi.prod.yaml until backfill is applied, then operators should set it to false and redeploy.

Core/monolith Docker services receive ORG_TEAM_PERMISSION_DUAL_READ from Pulumi config platform:org-team-permission-dual-read (infra/platform/src/Platform.ts).

Backfill

Run scripts/sql/backfill-user-org-team-permission-from-mledb.sql against prod Postgres (same DB with mledb + sprocket). Idempotent (ON CONFLICT DO NOTHING).

Proof

- npm run build --workspace=core (passes).
- npm exec -- tsc --noEmit -p tsconfig.json in infra/platform (passes).

Follow-ups (not in this PR)

- Set platform:org-team-permission-dual-read to false in prod stack, pulumi up, then remove the dual-read code path when MLEDB is gone.
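The dual-read resolution rule the description and the third commit lay out (prefer Sprocket rows, consult mledb.player_to_org on every call only while the flag is on, fall back to it only when Sprocket has no rows, log drift at warn and the pre-backfill case at verbose), as an added example that is not part of this PR or the Sprocket code base. The Loaders and Logger shapes, the in-memory fixture and runScenario are assumptions standing in for the real TypeORM and MLEDB queries.

```typescript
// Added example, not the Sprocket project's own code: the dual-read resolution
// described in the PR, with hypothetical in-memory loaders standing in for the
// TypeORM (sprocket.user_org_team_permission) and MLEDB (player_to_org) queries.
type OrgTeam = string;

interface Logger { warn(msg: string): void; verbose(msg: string): void; }

interface Loaders {
  sprocketOrgTeams(userId: number): OrgTeam[]; // sprocket.user_org_team_permission
  mledbOrgTeams(userId: number): OrgTeam[];    // legacy mledb.player_to_org
}

function sameSet(a: OrgTeam[], b: OrgTeam[]): boolean {
  const sa = new Set(a);
  const sb = new Set(b);
  return sa.size === sb.size && Array.from(sa).every((t) => sb.has(t));
}

// Return semantics: prefer Sprocket rows; under dual-read fall back to MLEDB
// only when Sprocket has none. MLEDB is fetched on every call while the flag
// is on so that drift is logged before operators flip it to false.
function resolveOrgTeams(userId: number, dualRead: boolean, l: Loaders, log: Logger): OrgTeam[] {
  const sprocket = l.sprocketOrgTeams(userId);
  if (!dualRead) return sprocket;               // flag off: MLEDB never consulted
  const mledb = l.mledbOrgTeams(userId);
  if (sprocket.length === 0) {
    if (mledb.length > 0) log.verbose(`user ${userId}: no Sprocket rows yet, using MLEDB`);
    return mledb;                               // pre-backfill fallback
  }
  if (!sameSet(sprocket, mledb)) {
    log.warn(`user ${userId}: mismatch sprocket=[${sprocket}] mledb=[${mledb}]`);
  }
  return sprocket;
}

// Constructed fixture: user 1 matches, user 2 is not backfilled yet, user 3 drifted,
// user 4 has no rows on either side.
const fixture: Loaders = {
  sprocketOrgTeams: (id) => ({ 1: ["LO"], 3: ["ADMIN"] } as Record<number, OrgTeam[]>)[id] || [],
  mledbOrgTeams: (id) => ({ 1: ["LO"], 2: ["LO"], 3: ["LO"] } as Record<number, OrgTeam[]>)[id] || [],
};

// Runs one resolution and returns what a caller would see plus what was logged.
function runScenario(userId: number, dualRead: boolean) {
  const warns: string[] = [];
  const verboses: string[] = [];
  const teams = resolveOrgTeams(userId, dualRead, fixture, {
    warn: (m) => warns.push(m), verbose: (m) => verboses.push(m),
  });
  return { teams, warns, verboses };
}
```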