feat(portal): Internet resources #6299
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
AndrewDryga
force-pushed
the
andrew/internet-resources
branch
from
021e6b9
to
b4bb6d6
Compare
Terraform Cloud Plan Output |
There was a problem hiding this comment.
Will test more later. Left some minor wording suggestions.
- Since this is close to shipping and we're already bumping to 1.2, should we just make >1.2.0 the requirement here? Otherwise we'll bump to 1.2 and then to 1.3 after a few days.
- Is it possible to delete the Internet Resource via the REST API?
- On that note, do we need to update REST API docs / schema for it?
elixir/apps/domain/priv/repo/migrations/20240808165513_add_internet_resources.exs
Outdated
Show resolved
Hide resolved
| :drop -> :drop | ||
| end | ||
| cond do | ||
| resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.3.0") -> |
There was a problem hiding this comment.
I think we'll roll this out with the other changes for client 1.2.0 release.
| resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.3.0") -> | |
| resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.2.0") -> |
There was a problem hiding this comment.
We should not do that. 1.2 is for the wildcard. Better we bump the version twice because then we will have a way to develop internet resources and deploy without breaking everything.
There was a problem hiding this comment.
K, in that case I think we can release new clients today-ish and deploy prod right away, right?
There was a problem hiding this comment.
I just realized that after merging this PR #6325 if we send the internet resource to clients currently in main it might break some clients. Since now we send the resource to the clients, some of the clients can't support the deserialization of the internet resource.
Will have a PR asap to fix this.
| <fieldset class="mb-2"> | ||
| <.input | ||
| type="checkbox" | ||
| label="Allow users to access the internet outside of Firezone" |
There was a problem hiding this comment.
This comment isn't so much around function, but more around user experience. While I was trying to create a Policy for the Internet Resource, I saw this checkbox and wasn't actually sure what it was trying to convey.
Is this saying that users have the ability to stay signed in to the Firezone client to allow them to access private resources but bypass the Internet resource?
There was a problem hiding this comment.
cc @jamilbk that is what we discussed, this feature is really ambiguous, need much better content around it :(
There was a problem hiding this comment.
Hm yeah we may need a longer description and / or rewording here. Or we could keep this enabled behind the scenes for now and expose the option to disable it when we hear that requirement from customers. I'll give it some more thought tomorrow.
There was a problem hiding this comment.
I'd address disabling when we implement PAM
There was a problem hiding this comment.
Do we have any customer feedback around this feature? Has any customer explicitly asked one way or another for the enable/disable feature?
There was a problem hiding this comment.
Yeah so far they've just wanted to allow enabling/disabling, but I believe it has been only admins asking for the feature for their technical team (DevOps).
For the broader workforce, discovery calls from longer ago had expressed a need for this for Internet security for their workforce -- connecting from public cafes / coffee shops.
The other complication here is that, depending on the Policy that matches against your actor based which group you're in - you might be shown this flag or might not if you belong to multiple groups the Internet resource is enabled for. The portal would need a deterministic way to select policies (perhaps based on smaller group first).
Based on the above I'm reluctant to expose this option and instead just default it to true for now and hide the UI.
WDYGT?
There was a problem hiding this comment.
Yeah, I agree. I think setting the default to true and not exposing the option right now is probably the way to go.
This is made to sync this with #6299
[Refs](#6299 (comment)) The problem right now, after #6325 we send the internet resource up to the clients. The clients expect a certain format for the resources and panic if it isn't followed. Particularly, in the case of no `address` or no `name`. To fix this, we add a name and an address for the internet resource when it is converted to the callback type. Setting the `name` at that point actually makes a lot of sense since it homogenizes the name across all platforms. But the internet resource having an address makes no sense. So in a next PR, when I do the last UI changes I plan to make `address` optional for all resources on the clients and specialize the display of the internet resource. For now I wanted to get this in so that we don't ever panic on the internet resource existing. (This was tested on all platforms and it works)
…resource (#6396) In preparation for #6299 --------- Signed-off-by: Gabi <[email protected]> Co-authored-by: Thomas Eizinger <[email protected]>
|
I think this is essentially ready to go, just waiting on hiding the control preventing users to disable the resource so we can approach it more deliberately later. |
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
…ernet_resources.exs Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
AndrewDryga
force-pushed
the
andrew/internet-resources
branch
from
9c84801
to
e6db9bd
Compare
|
@AndrewDryga Pushed a small fix for tests and merging to start testing with live Clients. |
They will be sent in the API for connlib 1.3 and above.
I think in future we can make a whole menu section called "Internet Security" which will be a specialized UI for the new resource type (and now show it in Resources list) to improve the user experience around it.
Closes #5852