Abdul/infra project owner (#6512)

* project owner wip Signed-off-by: Abdul-Az <aazeez@progress.com> * project owner actions Signed-off-by: Abdul-Az <aazeez@progress.com> * fix Signed-off-by: Abdul-Az <aazeez@progress.com> * doc update Signed-off-by: Abdul-Az <aazeez@progress.com> * pipeline fix Signed-off-by: Abdul-Az <aazeez@progress.com>
chef · Jan 11, 2022 · f7487d1 · f7487d1
1 parent 3a89461
commit f7487d1
Show file tree

Hide file tree

Showing 4 changed files with 396 additions and 0 deletions.
diff --git a/components/authz-service/storage/postgres/migration/sql/80_infra_project_owner.up.sql b/components/authz-service/storage/postgres/migration/sql/80_infra_project_owner.up.sql
@@ -0,0 +1,45 @@
+BEGIN;
+
+UPDATE iam_roles
+    SET
+        actions = '{
+            infra:*:list,
+            infra:*:get,
+            infra:infraServersOrgsRoles:create,
+            infra:infraServersOrgsRoles:update,
+            infra:infraServersOrgsRoles:delete,
+            infra:infraServersOrgsClient:create,
+            infra:infraServersOrgsClient:update,
+            infra:infraServersOrgsClient:delete,
+            infra:infraServersOrgsDataBags:create,
+            infra:infraServersOrgsDataBags:delete,
+            infra:infraServersOrgsDataBagsItem:create,
+            infra:infraServersOrgsDataBagsItem:update,
+            infra:infraServersOrgsDataBagsItem:delete,
+            infra:infraServersOrgsEnvironments:create,
+            infra:infraServersOrgsEnvironments:update,
+            infra:infraServersOrgsEnvironments:delete,
+            infra:infraServersOrgsNodes:update,
+            infra:infraServersOrgsNodes:delete,
+            infra:infraServersOrgsPolicyFiles:delete,
+            compliance:*,
+            event:*,
+            ingest:*,
+            secrets:*,
+            iam:projects:list,
+            iam:projects:get,
+            iam:projects:assign,
+            iam:policies:list,
+            iam:policies:get,
+            iam:policyMembers:*,
+            iam:teams:list,
+            iam:teams:get,
+            iam:teamUsers:*,
+            iam:users:get,
+            iam:users:list,
+            applications:*
+        }'
+    WHERE
+        id = 'project-owner';
+
+COMMIT;
diff --git a/components/authz-service/storage/postgres/migration/sql/README.md b/components/authz-service/storage/postgres/migration/sql/README.md
@@ -77,3 +77,6 @@
 - [`75_update_roles_pols.up.sql`](75_update_roles_pols.up.sql)
 - [`76_compliance_roles_pols.up.sql`](76_compliance_roles_pols.up.sql)
 - [`77_update_infra_service_policies.up.sql`](77_update_infra_service_policies.up.sql)
+- [`78_update_viewer_role_pols.up.sql`](78_update_viewer_role_pols.up.sql)
+- [`79_infra_editor_update.up.sql`](79_infra_editor_update.up.sql)
+- [`80_infra_project_owner.up.sql`](80_infra_project_owner.up.sql)
diff --git a/dev-docs/infra-server-iam.md b/dev-docs/infra-server-iam.md
@@ -77,3 +77,91 @@ Specify the action to restrict user access to the specific action
 | Get Node | GET | infra:infraServersOrgsNodes:get | /api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes| https://{{< example_fqdn "automate" >}}/api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes |
 | Update Node | POST | infra:infraServersOrgsNodes:update | /api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes| https://{{< example_fqdn "automate" >}}/api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes |
 | Delete Node | DELETE | infra:infraServersOrgsNodes:delete | /api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes/{name}| https://{{< example_fqdn "automate" >}}/api/v0/infra/servers/{server_id}/orgs/{org_id}/nodes/{name} |
+
+
+## Three types of user policies automatically gets created with creation of every project
+
+
+Infra Viewer Policy Actions
+
+```   
+    secrets:*:get,
+    secrets:*:list,
+    infra:*:get,
+    infra:*:list,
+    compliance:*:get,
+    compliance:*:list,
+    event:*:get,
+    event:*:list,
+    ingest:*:get,
+    ingest:*:list,
+    iam:projects:list,
+    iam:projects:get,
+    applications:*:get,
+    applications:*:list
+```
+
+Infra Editor Policy Actions
+
+```
+    infra:*:list,
+    infra:*:get,
+    infra:infraServersOrgsRoles:create,
+    infra:infraServersOrgsRoles:update,
+    infra:infraServersOrgsClient:create,
+    infra:infraServersOrgsClient:update,
+    infra:infraServersOrgsDataBags:create,
+    infra:infraServersOrgsDataBagsItem:create,
+    infra:infraServersOrgsDataBagsItem:update,
+    infra:infraServersOrgsEnvironments:create,
+    infra:infraServersOrgsEnvironments:update,
+    infra:infraServersOrgsNodes:update,
+    compliance:*,
+    event:*,
+    ingest:*,
+    secrets:*,
+    iam:projects:list,
+    iam:projects:get,
+    iam:projects:assign,
+    applications:*
+```
+
+Infra Project Owner Policy Actions
+
+```
+    infra:*:list,
+    infra:*:get,
+    infra:infraServersOrgsRoles:create,
+    infra:infraServersOrgsRoles:update,
+    infra:infraServersOrgsRoles:delete,
+    infra:infraServersOrgsClient:create,
+    infra:infraServersOrgsClient:update,
+    infra:infraServersOrgsClient:delete,
+    infra:infraServersOrgsDataBags:create,
+    infra:infraServersOrgsDataBags:delete,
+    infra:infraServersOrgsDataBagsItem:create,
+    infra:infraServersOrgsDataBagsItem:update,
+    infra:infraServersOrgsDataBagsItem:delete,
+    infra:infraServersOrgsEnvironments:create,
+    infra:infraServersOrgsEnvironments:update,
+    infra:infraServersOrgsEnvironments:delete,
+    infra:infraServersOrgsNodes:update,
+    infra:infraServersOrgsNodes:delete,
+    infra:infraServersOrgsPolicyFiles:delete,
+    compliance:*,
+    event:*,
+    ingest:*,
+    secrets:*,
+    iam:projects:list,
+    iam:projects:get,
+    iam:projects:assign,
+    iam:policies:list,
+    iam:policies:get,
+    iam:policyMembers:*,
+    iam:teams:list,
+    iam:teams:get,
+    iam:teamUsers:*,
+    iam:users:get,
+    iam:users:list,
+    applications:*
+```