[RBAC PR 2] Add admin break-glass bypass to RBAC authorization #2232

Open
philipfweiss wants to merge 2 commits into DataJunction:main from philipfweiss:rbac-admin-bypass

@philipfweiss philipfweiss commented Jun 5, 2026

Contributor

Tracking: #2234 (step 2 of the RBAC enablement sequence).

The RBAC proposal's first resolution step is "if the user is an admin, allow immediately." That short-circuit didn't exist: is_admin was on the user model but never consulted in the authorization path, so there was no break-glass and a deny-by-default flip would lock out admins too.

This adds it:

  • Threads is_admin into AuthContext (from user.is_admin).
  • RBACAuthorizationService.authorize short-circuits for admins, approving all requests with reason="admin".
  • The bypass is a single explicit check and is logged for audit (username, id, and the requests granted), which also pre-pays for the audit-logging work later.

Below I verified the admin break glass:


Verification:

  1. Started local DJ server

    ./dev.sh up -d
    DJ  : http://localhost:8000
    UI  : http://localhost:3000
    GET /health/
    attempt=1 status=200 body=[{"name":"database","status":"ok"}]

  2. Enabled RBAC restrictive setting

    authorization_provider= rbac
    default_access_policy= restrictive

  3. Logged in as non-admin user. Then, verified that they're denied.

    curl -sS -c /tmp/dj-pr2232.cookies \
      -X POST "http://localhost:8000/basic/login/" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      --data "username=dj&password=dj"
    curl -sS -b /tmp/dj-pr2232.cookies "http://localhost:8000/whoami/"
    curl -sS -b /tmp/dj-pr2232.cookies \
      -X POST "http://localhost:8000/nodes/source/" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "manual_admin_bypass.orders_non_admin",
        "catalog": "default",
        "schema": "public",
        "table": "orders_non_admin",
        "columns": [
          {"name": "id", "type": "int"}
        ]
      }'

  4. Marked same user as admin

    docker exec dj-s0-postgres psql -U dj -d dj \
      -c "update users set is_admin = true where username = 'dj';"
    GET /whoami/ -> {"username":"dj","is_admin":true} HTTP_STATUS:200

  5. Verified bypass works

    curl -sS -b /tmp/dj-pr2232.cookies \
      -X POST "http://localhost:8000/nodes/source/" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "manual_admin_bypass.orders_admin",
        "catalog": "default",
        "schema": "public",
        "table": "orders_admin",
        "columns": [
          {"name": "id", "type": "int"}
        ]
      }'

Thread is_admin into AuthContext and short-circuit RBAC authorization for
admins, approving all requests. The bypass is a single explicit check and
is logged for audit, so it is easy to find and to later scope down if
admins should still respect some constraints.

Co-authored-by: Cursor <cursoragent@cursor.com>

netlify Bot commented Jun 5, 2026

Deploy Preview for thriving-cassata-78ae72 canceled.

Name Link
🔨 Latest commit d0d0bc7
🔍 Latest deploy log https://app.netlify.com/projects/thriving-cassata-78ae72/deploys/6a4597639cc9810008994d56

@philipfweiss philipfweiss changed the title Add admin break-glass bypass to RBAC authorization [RBAC PR 2] Add admin break-glass bypass to RBAC authorization Jul 1, 2026
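
An added sketch, not code from this pull request or from DataJunction, of the admin short-circuit and audit record that the description outlines, placed in front of a deny-by-default evaluation. Only the names AuthContext, is_admin, RBACAuthorizationService.authorize and reason="admin" come from the description; the field layout, the Request and Decision types, the grants store and the logger name are assumptions.

```python
import logging
from dataclasses import dataclass

audit_log = logging.getLogger("rbac.audit")  # hypothetical logger name

@dataclass(frozen=True)
class AuthContext:  # field layout assumed for this sketch
    user_id: int
    username: str
    is_admin: bool = False  # filled from the stored user record, never from request input

@dataclass(frozen=True)
class Request:  # hypothetical shape: a verb on a resource
    verb: str
    resource: str

@dataclass(frozen=True)
class Decision:  # hypothetical result type
    request: Request
    approved: bool
    reason: str

class RBACAuthorizationService:
    def __init__(self, grants, default_access_policy="restrictive"):
        self.grants = grants  # assumed store: {username: {(verb, resource), ...}}
        self.default_allow = default_access_policy != "restrictive"

    def authorize(self, ctx, requests):
        # Break-glass: one explicit check, evaluated before any grant lookup.
        # "is True" keeps truthy non-boolean values from triggering the bypass.
        if ctx.is_admin is True:
            audit_log.warning(
                "admin bypass user=%s id=%s granted=%s",
                ctx.username, ctx.user_id,
                [(r.verb, r.resource) for r in requests],
            )
            return [Decision(r, True, "admin") for r in requests]
        allowed = self.grants.get(ctx.username, set())
        decisions = []
        for r in requests:
            if (r.verb, r.resource) in allowed:
                decisions.append(Decision(r, True, "grant"))
            else:
                reason = "default_allow" if self.default_allow else "default_deny"
                decisions.append(Decision(r, self.default_allow, reason))
        return decisions
```

Because every bypass emits exactly one record on a dedicated logger, a detection rule can alert on any "admin bypass" line whose user is outside the expected break-glass accounts.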