documentation icon indicating copy to clipboard operation
documentation copied to clipboard

Published 20 hours ago verified publisher icon DataDog

Add App Builder identity information

Open ksun154 opened this issue 4 months ago • 2 comments

What does this PR do? What is the motivation?

Apps currently “run as” end users during execution. This introduces a number of confusing authorization scenarios that we would like to solve by running apps as the author of the app.

Apps currently “run as” the viewing user, which means a malicious app creator can trick a large number of unsuspecting users into performing actions by putting a malicious app into a widely viewed dashboard. Additionally, even in the non-malicious case, each viewing user needs “resolve” permissions on the connections used in the app. This means that broad access sensitive information needs to be granted in order for an app to be useful.

To make this better we would like to switch App Builder actions from executing as the current authenticated user to the app creator. This conforms with Workflow Automation’s permission model. This will only apply in the app's published mode. Edit mode will continue to run as the editor.

Modeled after workflows docs: Access and Authentication

Merge instructions

Merge readiness:

  • [ ] Ready for merge

For Datadog employees:

Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.

If your branch doesn't follow this format, rename it or create a new branch and PR.

[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.

Additional notes

ksun154 avatar Jun 18 '25 20:06 ksun154

✅ Documentation Team Review

The documentation team has approved this pull request. Thank you for your contribution!

github-actions[bot] avatar Jun 18 '25 20:06 github-actions[bot]

Preview links (active after the build_preview check completes)

Modified Files

  • https://docs-staging.datadoghq.com/kelly.sun/run-as-author/actions/app_builder/auth

github-actions[bot] avatar Jun 18 '25 20:06 github-actions[bot]

@ksun154 - Looking through the backlog of PRs I approved. Checking if this is ready to merge?

brett0000FF avatar Jul 17 '25 22:07 brett0000FF

@brett0000FF there was an bug with the eng feature that is blocking the rollout, so I was going to merge once it's fixed and we get the change out!

ksun154 avatar Jul 18 '25 13:07 ksun154

@ksun154 - Noted, sounds good. Thanks!

brett0000FF avatar Jul 18 '25 14:07 brett0000FF