Is it possible to protect stack from editing?

antmanler · October 16, 2015, 9:16am

When multiple users working on the same environment, one user may edit (or delete) other’s stack by mistake.

I wonder if it is possible to lock or make a app stack read only when finished deploying a stack.

denise · October 19, 2015, 5:06pm

Currently, there is no way to lock or make a read only stack.

I could see some issues with this concept as it would be another level of membership (on top of access control level, environment level) and something else to maintain.

kiboro · October 20, 2015, 11:29am

I don’t see this as anything complex. In my case all I’d like is a ‘read-only’ marker on a stack to stop accidental deletion. I know that if we do Rancher properly then accidentally deleting a stack isn’t the end of the world but it does still cause disruption.

This has already happened twice at our site and is likely to happen again. There’s only so many times I can hand out punitive beatings

antmanler · October 20, 2015, 11:43am

May be simply add a switcher when we want to mark one stack read-only just turn it on, then others must switch off explicitly in order to modify it.

denise · October 20, 2015, 4:43pm

After you make it read only, who has the power to make it “editable” again? We would need to have that ability to edit (stop/start/delete/etc) again.

If you want to specify that User A who made it read only is the only one with that power, then that’s an additional level of permissions that Rancher would need to add.

If we allowed anyone to make it editable again, that doesn’t prevent the users who keep accidentally deleting your stacks from deleting it. There is a confirmation page for deleting the stack, so it’s clear that they are just saying “Yes”, even if they shouldn’t’ be.

vincent · October 20, 2015, 5:16pm

I don’t think this is a bad idea for some of the higher-level resources (maybe Stack, Environment, and Host).

It would just be the digital equivalent of the write protect hole on a floppy (or for the young people, the little switch on the side of SD cards that makes your camera not want to take pictures). Sure you can cover it with tape, but you hopefully think twice before doing it (and can’t just ignore it like a delete confirm).

If we were to implement this it would be like “protect” and “unprotect” actions on the resource. Any user who otherwise has access can call them, but edit and other actions are disabled when protected.

denise · October 20, 2015, 7:11pm

I’ve added an enhancement request for Vince’s suggestion of how Rancher could handle it. If there is enough user interest, we could prioritize it.

Topic		Replies	Views
Access control on stacks? Rancher 1.x	1	703	July 9, 2016
Rancher Server user permissions Rancher 1.x	1	1036	July 22, 2016
User permission to spin up stack from catalog and tear down own stack but nothing else? Rancher 1.x	4	1349	July 3, 2016
Hardcode the stack name in catalog Rancher 1.x	2	880	June 6, 2017
User shouldn't see Infrastrucuture/Hosts	4	867	July 13, 2017

Is it possible to protect stack from editing?

Related Topics