Enhance add-access-rule command UX with intuitive name-based flags#3758
Draft
Enhance add-access-rule command UX with intuitive name-based flags#3758
Conversation
This commit improves the user experience for the add-access-rule command by replacing the positional GUID-based SELECTOR argument with intuitive flags that accept human-readable names and support cross-space/org resolution. Changes: **Command Interface:** - Remove positional SELECTOR argument (breaking change, acceptable for unreleased feature) - Add new flags: --source-app, --source-space, --source-org, --source-any, --selector - Support hierarchical name resolution: - --source-app APP_NAME (looks in current space) - --source-app APP_NAME --source-space SPACE (cross-space in current org) - --source-app APP_NAME --source-space SPACE --source-org ORG (cross-org) - --source-space SPACE (space-level rule) - --source-org ORG (org-level rule) - --source-any (allow any authenticated app) - --selector SELECTOR (raw GUID-based selector for advanced users) - Validate exactly one primary source is specified - Display verbose output showing resolved selector for transparency **Terminology Update:** - Rename all "target" terminology to "source" throughout codebase - Access rules specify the source (who can access), not the target - Update AccessRuleWithRoute.TargetName → SourceName - Update resolveAccessRuleTarget() → resolveAccessRuleSource() - Update access-rules list command table header: "target" → "source" **Error Handling:** - Provide helpful error messages when app not found in current space - Suggest using --source-space and --source-org flags for cross-space/org access - Follow CF CLI patterns from add-network-policy command **Testing:** - Add 17 comprehensive test cases for add-access-rule command - Update 19 actor tests to use new SourceName field - All tests passing (36/36) **Domain Integration:** - Add enforce_access_rules support to create-shared-domain and create-private-domain - Add --enforce-access-rules and --access-rules-scope flags - Update domain resource with new fields Examples: # Simple case - app in current space cf add-access-rule allow-frontend apps.identity --source-app frontend-app --hostname backend # Cross-space access cf add-access-rule allow-other apps.identity --source-app api-client --source-space other-space --hostname backend # Cross-org access cf add-access-rule allow-prod apps.identity --source-app client --source-space prod-space --source-org prod-org --hostname api # Space-level rule cf add-access-rule allow-monitoring apps.identity --source-space monitoring --hostname api # Org-level rule cf add-access-rule allow-platform apps.identity --source-org platform --hostname shared-api # Any authenticated app cf add-access-rule allow-all apps.identity --source-any --hostname public-api Related to: cloudfoundry/community#1438
Author
|
Don't worry about this PR just yet, just doing some more POC work on the RFC: cloudfoundry/community#1438 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR enhances the user experience of the
add-access-rulecommand by replacing the positional GUID-basedSELECTORargument with intuitive flags that accept human-readable names and support cross-space/org resolution.Related to: cloudfoundry/community#1438
Motivation
The original
add-access-rulecommand required users to manually construct GUID-based selectors (e.g.,cf:app:d76446a1-f429-4444-8797-be2f78b75b08), which was cumbersome and error-prone. This PR follows CF CLI conventions from commands likeadd-network-policyto provide a more user-friendly interface.Changes
Command Interface Improvements
Before:
After:
New Flags
--source-app APP_NAME- Specify source app by name (resolves to GUID)--source-space SPACE_NAME- Specify space context for app lookup or create space-level rule--source-org ORG_NAME- Specify org context for space/app lookup or create org-level rule--source-any- Allow any authenticated app--selector SELECTOR- Raw GUID-based selector for advanced usersTerminology Update
AccessRuleWithRoute.TargetName→SourceNameresolveAccessRuleTarget()→resolveAccessRuleSource()access-ruleslist command table header: "target" → "source"Enhanced Output
The command now displays verbose output showing both human-readable source and the resolved selector:
Validation & Error Handling
--source-spaceand--source-orgflags for cross-space/org accessadd-network-policycommandDomain Integration
--enforce-access-rulesand--access-rules-scopeflags tocreate-shared-domainandcreate-private-domaincommandsTesting
add-access-rulecommandSourceNamefieldBreaking Changes
SELECTORargument - This is a breaking change, but acceptable since the access rules feature has not been released yet--source-app,--source-space,--source-org,--source-any, or--selector) insteadChecklist
Next Steps
This PR is marked as draft pending: