Add viewer rule to armada API

Viewer will be able to do GET Tiller release and Tiller status
requests armada API defines. In addition, this change also
allows doing POST validate manifest request to a user with
viewer role.

Change-Id: I903ab656de1c6fdf979a193b1842dbd0842451d6
Vladyslav Drok 2018-10-11 15:30:10 -07:00
parent 6078774b34
commit 95fd341b97
5 changed files with 36 additions and 27 deletions


@ -18,13 +18,18 @@ RULE_ADMIN_REQUIRED = 'rule:admin_required'
RULE_ADMIN_OR_TARGET_PROJECT = ( RULE_ADMIN_OR_TARGET_PROJECT = (
'rule:admin_required or project_id:%(target.project.id)s') 'rule:admin_required or project_id:%(target.project.id)s')
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin' RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
RULE_ADMIN_VIEWER = 'rule:admin_viewer'
rules = [ rules = [
policy.RuleDefault(name='admin_required', check_str='role:admin'), policy.RuleDefault(
name='admin_required', check_str='role:admin or role:admin_ucp'),
policy.RuleDefault( policy.RuleDefault(
name='service_or_admin', name='service_or_admin',
check_str='rule:admin_required or rule:service_role'), check_str='rule:admin_required or rule:service_role'),
policy.RuleDefault(name='service_role', check_str='role:service'), policy.RuleDefault(name='service_role', check_str='role:service'),
policy.RuleDefault(
name='admin_viewer',
check_str='role:admin_ucp_viewer or {}'.format(RULE_SERVICE_OR_ADMIN)),
] ]
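Review bot: The `admin_required` default on L23–24 is widened from `role:admin` to `role:admin or role:admin_ucp`, which grants every admin-only rule that references it (create_endpoints, rollback_release, test_manifest, test_release) to any token carrying `admin_ucp`, yet the commit message only describes the new viewer rule. State that broadening in the description or split it into its own change, and if the goal is just to admit a deployment-specific admin role, consider keeping the upstream default at `role:admin` and overriding it in the chart values. The new `admin_viewer` rule composes `rule:service_or_admin`, so it transitively includes `service` and `admin_ucp` as well; a comment such as `# admin_viewer: the read-only viewer role, plus everything service_or_admin already permits` above its RuleDefault would make that hierarchy explicit to the next reader.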


@ -25,7 +25,7 @@ armada_policies = [
}]), }]),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.ARMADA % 'validate_manifest', name=base.ARMADA % 'validate_manifest',
check_str=base.RULE_ADMIN_REQUIRED, check_str=base.RULE_ADMIN_VIEWER,
description='Validate manifest', description='Validate manifest',
operations=[{ operations=[{
'path': '/api/v1.0/validatedesign/', 'path': '/api/v1.0/validatedesign/',
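Review bot: `armada:validate_manifest` (L40) is now reachable by the read-only viewer role, but it is a POST that accepts a caller-supplied document, so this is only safe if the handler behind `/api/v1.0/validatedesign/` does nothing beyond schema-checking the body (no Tiller calls, no chart fetching, no unsafe YAML deserialisation). I cannot see that handler from here; please confirm it and record the assumption on the rule, e.g. `description='Validate manifest (read-only; no Tiller or chart access)'`, so a later change to the handler is weighed against the viewer grant. The DocumentedRuleDefault continues past the end of the hunk.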


@ -17,7 +17,7 @@ from armada.common.policies import base
tiller_policies = [ tiller_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.TILLER % 'get_status', name=base.TILLER % 'get_status',
check_str=base.RULE_ADMIN_REQUIRED, check_str=base.RULE_ADMIN_VIEWER,
description='Get Tiller status', description='Get Tiller status',
operations=[{ operations=[{
'path': '/api/v1.0/status/', 'path': '/api/v1.0/status/',
@ -25,7 +25,7 @@ tiller_policies = [
}]), }]),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=base.TILLER % 'get_release', name=base.TILLER % 'get_release',
check_str=base.RULE_ADMIN_REQUIRED, check_str=base.RULE_ADMIN_VIEWER,
description='Get Tiller release', description='Get Tiller release',
operations=[{ operations=[{
'path': '/api/v1.0/releases/', 'path': '/api/v1.0/releases/',
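Review bot: `tiller:get_release` (L58–59) now returns release data to the viewer role; if the response for `/api/v1.0/releases/` includes release values or rendered manifests, it can expose Secret contents to a principal that is otherwise read-only. I cannot see the handler from here — confirm the listing is limited to release names and namespaces, or strip values before returning, and state the outcome in the rule, e.g. `description='Get Tiller release (names and namespaces only)'`. The `tiller_policies` list continues beyond the hunk.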


@ -184,16 +184,17 @@ conf:
'pipeline:main': 'pipeline:main':
pipeline: authtoken armada-api pipeline: authtoken armada-api
policy: policy:
admin_required: 'role:admin' admin_required: 'role:admin or role:admin_ucp'
service_or_admin: 'rule:admin_required or rule:service_role'
service_role: 'role:service'
admin_viewer: 'role:admin_ucp_viewer or rule:service_or_admin'
'armada:create_endpoints': 'rule:admin_required' 'armada:create_endpoints': 'rule:admin_required'
'armada:rollback_release': 'rule:admin_required' 'armada:rollback_release': 'rule:admin_required'
'armada:test_manifest': 'rule:admin_required' 'armada:test_manifest': 'rule:admin_required'
'armada:test_release': 'rule:admin_required' 'armada:test_release': 'rule:admin_required'
'armada:validate_manifest': 'rule:admin_required' 'armada:validate_manifest': 'rule:admin_viewer'
service_or_admin: 'rule:admin_required or rule:service_role' 'tiller:get_release': 'rule:admin_viewer'
service_role: 'role:service' 'tiller:get_status': 'rule:admin_viewer'
'tiller:get_released': 'rule:admin_required'
'tiller:get_status': 'rule:admin_required'
pod: pod:
env: env:
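Review bot: The chart's shipped policy now hard-codes the site-specific role names `admin_ucp` and `admin_ucp_viewer` (L70, L73), so every consumer of this chart inherits the broadened `admin_required` rather than opting in. Consider keeping `admin_required: 'role:admin'` as the default and documenting the override with a comment above the `policy:` block, e.g. `# Override to add site-specific admin/viewer roles (e.g. role:admin_ucp, role:admin_ucp_viewer)`. Since `admin_viewer` references `rule:service_or_admin`, the viewer inherits everything the service and admin roles have; that is worth noting in the same comment so operators do not assume it is a strictly narrower grant.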


@ -1,5 +1,5 @@
# #
#"admin_required": "role:admin" #"admin_required": "role:admin or role:admin_ucp"
# #
#"service_or_admin": "rule:admin_required or rule:service_role" #"service_or_admin": "rule:admin_required or rule:service_role"
@ -7,30 +7,33 @@
# #
#"service_role": "role:service" #"service_role": "role:service"
# install manifest charts #
# POST api/v1.0/apply/ #"admin_viewer": "role:admin_ucp_viewer or rule:service_or_admin"
# Install manifest charts
# POST /api/v1.0/apply/
#"armada:create_endpoints": "rule:admin_required" #"armada:create_endpoints": "rule:admin_required"
# rollback release # Validate manifest
# POST api/v1.0/rollback/{release} # POST /api/v1.0/validatedesign/
#"armada:rollback_release": "rule:admin_required" #"armada:validate_manifest": "rule:admin_viewer"
# validate installed manifest # Test release
# POST /api/v1.0/validate/
#"armada:validate_manifest": "rule:admin_required"
# validate install manifest
# GET /api/v1.0/test/{release} # GET /api/v1.0/test/{release}
#"armada:test_release": "rule:admin_required" #"armada:test_release": "rule:admin_required"
# validate install manifest # Test manifest
# POST /api/v1.0/tests/ # POST /api/v1.0/tests/
#"armada:test_manifest": "rule:admin_required" #"armada:test_manifest": "rule:admin_required"
# Get tiller status # Rollback release
# GET /api/v1.0/status/ # POST /api/v1.0/rollback/{release}
#"tiller:get_status": "rule:admin_required" #"armada:rollback_release": "rule:admin_required"
# Get tiller release # Get Tiller status
# GET /api/v1.0/status/
#"tiller:get_status": "rule:admin_viewer"
# Get Tiller release
# GET /api/v1.0/releases/ # GET /api/v1.0/releases/
#"tiller:get_release": "rule:admin_required" #"tiller:get_release": "rule:admin_viewer"