From 0c2637fdad2e7c8e388bfa41bfbad3f47ab06775 Mon Sep 17 00:00:00 2001 From: Rick Bartra Date: Mon, 27 Aug 2018 13:02:09 -0400 Subject: [PATCH] Update Shipyard's default RBAC policy This commit updates Shipyard's default RBAC policy to include two additional roles: - admin_ucp - admin_ucp_viewer The default policy is implemented with this in mind: - The 'admin' and 'admin_ucp' roles have access to all of Shipyard's APIs. - The 'admin_ucp_viewer' role only has access to Shipyard's GET, LIST, and AUDIT APIs Automated Shipyard RBAC tests are found here [0]. [0] https://github.com/att-comdev/airship-tempest-plugin/tree/master/airship_tempest_plugin/tests/api/shipyard/rbac Change-Id: I5cf8910441c7a80829dd00320d817416ca22ff98 --- charts/shipyard/values.yaml | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index c744d29a..c39badd4 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -356,22 +356,27 @@ conf:
 threads: 1
 workers: 4
 policy:
- admin_required: role:admin
- workflow_orchestrator:list_actions: rule:admin_required
- workflow_orchestrator:create_action: rule:admin_required
- workflow_orchestrator:get_action: rule:admin_required
- workflow_orchestrator:get_action_step: rule:admin_required
- workflow_orchestrator:get_action_step_logs: rule:admin_required
- workflow_orchestrator:get_action_validation: rule:admin_required
- workflow_orchestrator:invoke_action_control: rule:admin_required
- workflow_orchestrator:get_configdocs_status: rule:admin_required
- workflow_orchestrator:create_configdocs: rule:admin_required
- workflow_orchestrator:get_configdocs: rule:admin_required
- workflow_orchestrator:commit_configdocs: rule:admin_required
- workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
- workflow_orchestrator:list_workflows: rule:admin_required
- workflow_orchestrator:get_workflow: rule:admin_required
- workflow_orchestrator:get_site_statuses: rule:admin_required
+ admin_create: role:admin or role:admin_ucp
+ admin_read_access: rule:admin_create or role:admin_ucp_viewer
+ workflow_orchestrator:list_actions: rule:admin_read_access
+ workflow_orchestrator:create_action: rule:admin_create
+ workflow_orchestrator:get_action: rule:admin_read_access
+ workflow_orchestrator:get_action_step: rule:admin_read_access
+ workflow_orchestrator:get_action_step_logs: rule:admin_read_access
+ workflow_orchestrator:get_action_validation: rule:admin_read_access
+ workflow_orchestrator:invoke_action_control: rule:admin_create
+ workflow_orchestrator:get_configdocs_status: rule:admin_read_access
+ workflow_orchestrator:create_configdocs: rule:admin_create
+ workflow_orchestrator:get_configdocs: rule:admin_read_access
+ workflow_orchestrator:commit_configdocs: rule:admin_create
+ workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
+ workflow_orchestrator:list_workflows: rule:admin_read_access
+ workflow_orchestrator:get_workflow: rule:admin_read_access
+ workflow_orchestrator:get_site_statuses: rule:admin_read_access
+ workflow_orchestrator:action_deploy_site: rule:admin_create
+ workflow_orchestrator:action_update_site: rule:admin_create
+ workflow_orchestrator:action_update_software: rule:admin_create
+ workflow_orchestrator:action_redeploy_server: rule:admin_create
 paste:
 app:shipyard-api:
 paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
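Review bot: The viewer role gains `workflow_orchestrator:get_configdocs`, `get_renderedconfigdocs` and `get_action_step_logs` through the generic `admin_read_access` rule; if rendered configdocs or step logs carry substituted secrets (not visible in this hunk — confirm against the Shipyard/Deckhand behaviour), a nominally read-only role becomes a secret-read role, so those three targets may deserve their own rule rather than riding on the same one as `list_actions`. The rule name `admin_create` also gates `invoke_action_control`, `commit_configdocs` and the four `action_*` targets, none of which create anything; `admin_write: role:admin or role:admin_ucp` would describe what it protects. Since the hunk deletes `admin_required`, any `rule:admin_required` reference left elsewhere in the chart or in Shipyard's policy-in-code defaults would now point at an undefined rule and, in oslo.policy, most likely evaluate to deny; a grep for it before merging would settle that. A one-line comment above the rules, `# admin_read_access covers every GET/LIST/AUDIT target, including rendered configdocs and step logs`, would make the exposure explicit to operators who override this block.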