From 95fd341b9739dff7613b8740c8da12086c5926b0 Mon Sep 17 00:00:00 2001
From: Vladyslav Drok
Date: Thu, 11 Oct 2018 15:30:10 -0700
Subject: [PATCH] Add viewer rule to armada API

Viewer will be able to do GET Tiller release and Tiller status requests armada API defines. In addition, this change also allows doing POST validate manfest request to a user with viewer role.

Change-Id: I903ab656de1c6fdf979a193b1842dbd0842451d6
---
 armada/common/policies/base.py | 7 +++++-
 armada/common/policies/service.py | 2 +-
 armada/common/policies/tiller.py | 4 ++--
 charts/armada/values.yaml | 13 ++++++-----
 etc/armada/policy.yaml | 37 +++++++++++++++++--------------
 5 files changed, 36 insertions(+), 27 deletions(-)

diff --git a/armada/common/policies/base.py b/armada/common/policies/base.py
index 3b035367..c929cde8 100644
--- a/armada/common/policies/base.py
+++ b/armada/common/policies/base.py
@@ -18,13 +18,18 @@ RULE_ADMIN_REQUIRED = 'rule:admin_required'
 RULE_ADMIN_OR_TARGET_PROJECT = (
 'rule:admin_required or project_id:%(target.project.id)s')
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
+RULE_ADMIN_VIEWER = 'rule:admin_viewer'
 rules = [
- policy.RuleDefault(name='admin_required', check_str='role:admin'),
+ policy.RuleDefault(
+ name='admin_required', check_str='role:admin or role:admin_ucp'),
 policy.RuleDefault(
 name='service_or_admin',
 check_str='rule:admin_required or rule:service_role'),
 policy.RuleDefault(name='service_role', check_str='role:service'),
+ policy.RuleDefault(
+ name='admin_viewer',
+ check_str='role:admin_ucp_viewer or {}'.format(RULE_SERVICE_OR_ADMIN)),
 ]
diff --git a/armada/common/policies/service.py b/armada/common/policies/service.py
index 00cdf753..34e5515d 100644
--- a/armada/common/policies/service.py
+++ b/armada/common/policies/service.py
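Review bot: `admin_required` is widened from `role:admin` to `role:admin or role:admin_ucp` in the same hunk that adds `admin_viewer`, yet the commit message describes only the viewer rule. That widening is the larger privilege change: every `rule:admin_required` gate in Armada (apply, rollback, tests) now also accepts any token carrying `admin_ucp`, and operators need it called out so they can audit which Keystone users hold that role before deploying. Add a sentence to the commit message and a short comment on the rule, e.g. `# role:admin_ucp is accepted wherever role:admin is; it grants full Armada admin rights`. The diffstat shows no test change; a policy unit test asserting that a token with only `admin_ucp_viewer` passes `tiller:get_status` and is denied `armada:rollback_release` would pin the intended boundary, since a typo in either role string would otherwise silently lock viewers out rather than fail loudly.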
@@ -25,7 +25,7 @@ armada_policies = [
 }]),
 policy.DocumentedRuleDefault(
 name=base.ARMADA % 'validate_manifest',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.RULE_ADMIN_VIEWER,
 description='Validate manifest',
 operations=[{
 'path': '/api/v1.0/validatedesign/',
diff --git a/armada/common/policies/tiller.py b/armada/common/policies/tiller.py
index b1d9d4c1..fe9b2e6e 100644
--- a/armada/common/policies/tiller.py
+++ b/armada/common/policies/tiller.py
@@ -17,7 +17,7 @@ from armada.common.policies import base
 tiller_policies = [
 policy.DocumentedRuleDefault(
 name=base.TILLER % 'get_status',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.RULE_ADMIN_VIEWER,
 description='Get Tiller status',
 operations=[{
 'path': '/api/v1.0/status/',
@@ -25,7 +25,7 @@ tiller_policies = [
 }]),
 policy.DocumentedRuleDefault(
 name=base.TILLER % 'get_release',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.RULE_ADMIN_VIEWER,
 description='Get Tiller release',
 operations=[{
 'path': '/api/v1.0/releases/',
diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml
index 0cb11ff5..cb063355 100644
--- a/charts/armada/values.yaml
+++ b/charts/armada/values.yaml
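Review bot: `armada:validate_manifest` is relaxed to `base.RULE_ADMIN_VIEWER`, but unlike the two `tiller` GET rules later in this commit it guards a POST (`/api/v1.0/validatedesign/`) that processes a caller-supplied manifest, and this `check_str` is the only authorization gate on that path. Before merging, confirm that the handler behind it (outside this hunk) does nothing beyond document/schema validation — no Tiller calls, no persistence — since viewer-role users will now be able to drive it with arbitrary input; if that holds, say so in the commit message. Recording the scope on the rule itself keeps it visible in the generated policy docs, e.g. `description='Validate manifest (read-only check; viewer role allowed)'`. The `tiller:get_status` and `tiller:get_release` hunks that follow match the stated intent and need no change.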
@@ -184,16 +184,17 @@ conf:
 'pipeline:main':
 pipeline: authtoken armada-api
 policy:
- admin_required: 'role:admin'
+ admin_required: 'role:admin or role:admin_ucp'
+ service_or_admin: 'rule:admin_required or rule:service_role'
+ service_role: 'role:service'
+ admin_viewer: 'role:admin_ucp_viewer or rule:service_or_admin'
 'armada:create_endpoints': 'rule:admin_required'
 'armada:rollback_release': 'rule:admin_required'
 'armada:test_manifest': 'rule:admin_required'
 'armada:test_release': 'rule:admin_required'
- 'armada:validate_manifest': 'rule:admin_required'
- service_or_admin: 'rule:admin_required or rule:service_role'
- service_role: 'role:service'
- 'tiller:get_released': 'rule:admin_required'
- 'tiller:get_status': 'rule:admin_required'
+ 'armada:validate_manifest': 'rule:admin_viewer'
+ 'tiller:get_release': 'rule:admin_viewer'
+ 'tiller:get_status': 'rule:admin_viewer'
 pod:
 env:
diff --git a/etc/armada/policy.yaml b/etc/armada/policy.yaml
index 589ad21a..625caaa9 100644
--- a/etc/armada/policy.yaml
+++ b/etc/armada/policy.yaml
@@ -1,5 +1,5 @@
 #
-#"admin_required": "role:admin"
+#"admin_required": "role:admin or role:admin_ucp"
 #
 #"service_or_admin": "rule:admin_required or rule:service_role"
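Review bot: The chart override key `'tiller:get_released'` is corrected to `'tiller:get_release'` here without any mention in the commit message; under the old spelling the override presumably never matched the rule registered in `tiller.py`, so those deployments were running on the code default for that endpoint, and an operator reading this diff sees a rename rather than a typo fix. Add a sentence about it to the message. The `policy:` block now mirrors every default from `armada/common/policies/base.py`, including the widened `admin_required: 'role:admin or role:admin_ucp'`, so the two copies will drift unless one is declared authoritative; a comment above the block such as `# Mirrors the defaults in armada/common/policies; update both when a rule changes` would at least flag that.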
@@ -7,30 +7,33 @@
 #
 #"service_role": "role:service"
-# install manifest charts
-# POST api/v1.0/apply/
+#
+#"admin_viewer": "role:admin_ucp_viewer or rule:service_or_admin"
+
+# Install manifest charts
+# POST /api/v1.0/apply/
 #"armada:create_endpoints": "rule:admin_required"
-# rollback release
-# POST api/v1.0/rollback/{release}
-#"armada:rollback_release": "rule:admin_required"
+# Validate manifest
+# POST /api/v1.0/validatedesign/
+#"armada:validate_manifest": "rule:admin_viewer"
-# validate installed manifest
-# POST /api/v1.0/validate/
-#"armada:validate_manifest": "rule:admin_required"
-
-# validate install manifest
+# Test release
 # GET /api/v1.0/test/{release}
 #"armada:test_release": "rule:admin_required"
-# validate install manifest
+# Test manifest
 # POST /api/v1.0/tests/
 #"armada:test_manifest": "rule:admin_required"
-# Get tiller status
-# GET /api/v1.0/status/
-#"tiller:get_status": "rule:admin_required"
+# Rollback release
+# POST /api/v1.0/rollback/{release}
+#"armada:rollback_release": "rule:admin_required"
-# Get tiller release
+# Get Tiller status
+# GET /api/v1.0/status/
+#"tiller:get_status": "rule:admin_viewer"
+
+# Get Tiller release
 # GET /api/v1.0/releases/
-#"tiller:get_release": "rule:admin_required"
+#"tiller:get_release": "rule:admin_viewer"