Fly login in 4.x — support for user-based access?


#1

Hi,

We’ve just installed 4.0.0 and we’re very excited with being able to whitelist oauth groups in teams, getting us closer to RBAC.

However, in fly it seems that each login is still tied to one and only one team. That is, if we want to interact with pipelines that belong to other teams, regardless of our oauth group being whitelisted with them, we have to logout and login back again.

I’d expect the fly login target to be (instance + user) and no longer (instance + team).

Is this intentional or are there plans to have fly behave as the UI does?


#2

People were already using different targets for different teams, so it was easier to just keep supporting that rather than introduce (and possibly require) a team flag on every command.

If you do that, you at least don’t have to keep logging out and back in - just have different targets for different teams. You’ll still have to “log in” to each once though, just to refresh their token. The web UI will at least auto-login the rest after you log in for the first time.

I think we could pretty easily support both in the future, i.e. always log in with a default team that you target, but support overriding the team on a command-by-command basis.