Update Shipyard's default RBAC policy

This commit updates Shipyard's default RBAC policy to include two additional roles: - admin_ucp - admin_ucp_viewer The default policy is implemented with this in mind: - The 'admin' and 'admin_ucp' roles have access to all of Shipyard's APIs. - The 'admin_ucp_viewer' role only has access to Shipyard's GET, LIST, and AUDIT APIs Automated Shipyard RBAC tests are found here [0]. [0] https://github.com/att-comdev/airship-tempest-plugin/tree/master/airship_tempest_plugin/tests/api/shipyard/rbac Change-Id: I5cf8910441c7a80829dd00320d817416ca22ff98
2018-08-27 13:02:09 -04:00 · 2018-08-27 13:02:09 -04:00 · 0c2637fdad
commit 0c2637fdad
parent 6d01f3f07b
1 changed files with 21 additions and 16 deletions
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@ -356,22 +356,27 @@ conf:
    threads: 1
    workers: 4
  policy:
-    admin_required: role:admin
-    workflow_orchestrator:list_actions: rule:admin_required
-    workflow_orchestrator:create_action: rule:admin_required
-    workflow_orchestrator:get_action: rule:admin_required
-    workflow_orchestrator:get_action_step: rule:admin_required
-    workflow_orchestrator:get_action_step_logs: rule:admin_required
-    workflow_orchestrator:get_action_validation: rule:admin_required
-    workflow_orchestrator:invoke_action_control: rule:admin_required
-    workflow_orchestrator:get_configdocs_status: rule:admin_required
-    workflow_orchestrator:create_configdocs: rule:admin_required
-    workflow_orchestrator:get_configdocs: rule:admin_required
-    workflow_orchestrator:commit_configdocs: rule:admin_required
-    workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
-    workflow_orchestrator:list_workflows: rule:admin_required
-    workflow_orchestrator:get_workflow: rule:admin_required
-    workflow_orchestrator:get_site_statuses: rule:admin_required
+    admin_create: role:admin or role:admin_ucp
+    admin_read_access: rule:admin_create or role:admin_ucp_viewer
+    workflow_orchestrator:list_actions: rule:admin_read_access
+    workflow_orchestrator:create_action: rule:admin_create
+    workflow_orchestrator:get_action: rule:admin_read_access
+    workflow_orchestrator:get_action_step: rule:admin_read_access
+    workflow_orchestrator:get_action_step_logs: rule:admin_read_access
+    workflow_orchestrator:get_action_validation: rule:admin_read_access
+    workflow_orchestrator:invoke_action_control: rule:admin_create
+    workflow_orchestrator:get_configdocs_status: rule:admin_read_access
+    workflow_orchestrator:create_configdocs: rule:admin_create
+    workflow_orchestrator:get_configdocs: rule:admin_read_access
+    workflow_orchestrator:commit_configdocs: rule:admin_create
+    workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
+    workflow_orchestrator:list_workflows: rule:admin_read_access
+    workflow_orchestrator:get_workflow: rule:admin_read_access
+    workflow_orchestrator:get_site_statuses: rule:admin_read_access
+    workflow_orchestrator:action_deploy_site: rule:admin_create
+    workflow_orchestrator:action_update_site: rule:admin_create
+    workflow_orchestrator:action_update_software: rule:admin_create
+    workflow_orchestrator:action_redeploy_server: rule:admin_create
  paste:
    app:shipyard-api:
      paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard