Skip to content

feat: OAuth support for all Logs commands#639

Open
srosenthal-dd wants to merge 3 commits into
DataDog:mainfrom
srosenthal-dd:stephen.rosenthal/oauth-logs-pipelines-restriction
Open

feat: OAuth support for all Logs commands#639
srosenthal-dd wants to merge 3 commits into
DataDog:mainfrom
srosenthal-dd:stephen.rosenthal/oauth-logs-pipelines-restriction

Conversation

@srosenthal-dd

@srosenthal-dd srosenthal-dd commented Jul 7, 2026

Copy link
Copy Markdown
Member

Addresses #608.

Summary

  • Adds logs_write_pipelines to default_scopes() (write scope, not added to read_only_scopes()). Needed for pipeline create/update/delete once the server-side route accepts OAuth (recently updated).
  • Fixes commands::logs_restriction (the pup logs-restriction CRUD subcommand: list/get/create/update/delete/roles): it used make_api_no_auth!, which explicitly skips the bearer token and always falls back to API+App key regardless of server support. Swapped to make_api! so it uses OAuth like the rest of the logs commands.

Note: pup logs restriction-queries list/get (the separate, older dedicated subcommand) and generic pup api passthrough already send the OAuth bearer correctly for these paths — this PR only fixes the logs-restriction CRUD surface.

Test plan

  • cargo build, cargo test --bin pup auth::types, cargo test --bin pup logs_restriction, cargo clippy --all-targets -- -D warnings, cargo fmt --check all clean
  • End-to-end against staging/prod once server-side changes deploy: OAuth login, then pup logs-restriction list/get/create/update/delete and pup api v1/logs/config/pipelines

Adds logs_write_pipelines to default_scopes() (not read_only_scopes(),
it's a write scope). Needed for pipeline create/update/delete once the
server-side route accepts OAuth (dogweb#170410).

Also fixes commands::logs_restriction (the pup logs-restriction CRUD
subcommand): it used make_api_no_auth!, which explicitly skips the
bearer token and always falls back to API+App key regardless of server
support. Swapped to make_api! so it actually uses OAuth like the rest
of the logs commands.

Addresses DataDog#608.
@srosenthal-dd srosenthal-dd changed the title Add logs_write_pipelines scope; fix logs-restriction OAuth auth feat: OAuth support for all Logs commands Jul 7, 2026
@srosenthal-dd

srosenthal-dd commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

Validated e2e against sites: staging, US5, and EU. US1 support should land within the next ~hour as the server-side deployment completes.

@srosenthal-dd srosenthal-dd marked this pull request as ready for review July 8, 2026 18:43
@srosenthal-dd srosenthal-dd requested a review from a team as a code owner July 8, 2026 18:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0f1005d20f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/auth/types.rs
Codex flagged that logs-restriction create/update/delete/roles-add need
user_access_manage, which is high-privilege enough that it shouldn't be
in default_scopes() for every login. Rather than hardcode it into a
client-side allowlist, resolve_login_scopes() now passes explicit
--scopes/--extra-scopes/config scopes through unvalidated -- the OAuth
server is the source of truth for which scopes this client can request,
and already rejects the rest with invalid_scope. This means any scope
enabled server-side works immediately via an explicit opt-in, with no
pup release needed to add it to a list.

Also adds --extra-scopes, which adds to the normal scope set (defaults,
config, or read-only scopes) instead of replacing it like --scopes does,
so opting into one extra scope doesn't require retyping every other
scope you still want. Mutually exclusive with --scopes.

E2E verified on staging: `pup auth login --extra-scopes user_access_manage`
grants it alongside normal defaults, and `pup logs-restriction create/get/delete`
round-trips successfully against a real (cleaned-up) restriction query.
@srosenthal-dd

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ba1c955b21

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/main.rs Outdated
Codex caught that the AUTHENTICATION example still used --scopes with an
ellipsis, which the previous commit made a full replacement of the scope
set passed through unvalidated -- copying it literally would send "..."
to the OAuth server and fail with invalid_scope. Point at --extra-scopes
instead, which is what this opt-in is actually for.
@srosenthal-dd

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Hooray!

Reviewed commit: 3792770f37

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants