Store the silo admin group name #8850
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The silo admin group is a special group that is automatically created during silo creation where members are granted the silo admin role. This name however is not stored, but this is currently ok: any existing silo won't have the ability to delete groups, meaning that the automatically created admin group is there to stay and a group with a duplicate name cannot be created. Very soon there will be silos with provision types that _can_ delete groups, meaning this name has to be known in order for Nexus to create the appropriate policy when a group with a matching name is created again. It was a mistake not to store this parameter with the silo, so rectify that with this PR.
papertigers
reviewed
Aug 18, 2025
| /// at silo create time. | ||
| /// 2) assigned a policy granting members the silo admin role | ||
| /// | ||
| /// Prior to this column existing, for api_only and jit provision types, |
There was a problem hiding this comment.
Do I understand correctly that existing api/JIT based silos will continue to function as they did before? This change makes it so that we have the potential for storing the admin group name, and will be doing so for SCIM based silos?
There was a problem hiding this comment.
Correct yeah - existing silos didn't need this to function, though note that going forward any new silo created will record this field, including SCIM (which is the real type that needs it).
papertigers
approved these changes
Aug 27, 2025
david-crespo
approved these changes
Aug 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The silo admin group is a special group that is automatically created during silo creation where members are granted the silo admin role. This name however is not stored, but this is currently ok: any existing silo won't have the ability to delete groups, meaning that the automatically created admin group is there to stay and a group with a duplicate name cannot be created.
Very soon there will be silos with provision types that can delete groups, meaning this name has to be known in order for Nexus to create the appropriate policy when a group with a matching name is created again. It was a mistake not to store this parameter with the silo, so rectify that with this PR.