mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
[PR #2980] Auto-create roles referenced in blueprints #18282
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/pangolin/pull/2980
Author: @rinseaid
Created: 5/3/2026
Status: 🔄 Open
Base:
main← Head:blueprint-auto-create-roles📝 Commits (1)
4786fc3Auto-create roles referenced in blueprints📊 Changes
2 files changed (+64 additions, -8 deletions)
View changed files
📝
server/lib/blueprints/clientResources.ts(+48 -6)📝
server/lib/blueprints/proxyResources.ts(+16 -2)📄 Description
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Preface
This PR was developed with Claude Code (claude-opus-4-6). I drove the direction and tested everything, but Claude did all of the actual coding. I reviewed, tested, and validated all changes.
Description
When a blueprint references a role that doesn't exist yet, create it automatically instead of failing or silently dropping the association.
sso-roles) previously threwRole not found, blocking the entire blueprint apply. Now auto-creates the role.roles) previously ran aWHERE INquery and silently ignored any role names that didn't match. Now auto-creates missing roles before associating them.getOrg,getResource,listResources.Blueprints are the declarative source of truth for resource configuration. Requiring roles to be pre-created through the UI before they can be referenced in a blueprint breaks the declarative workflow and adds a manual step that's easy to forget. This is especially relevant when integrating with an external IdP where SSO group-to-role mappings should just work on first apply.
How to test?
sso-rolesreferencing a role that does not exist. Verify the role is created with default permissions and the resource association succeeds.roles(client resource) referencing a role that does not exist, for both new and existing resources. Verify the same.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.