feat(ACI): EE-261 Add RBAC to ACI (#226)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
@@ -157,7 +157,10 @@ func DefaultEndpointAuthorizationsForEndpointAdministratorRole() portainer.Autho
|
||||
portainer.OperationPortainerEndpointUpdateSettings: true,
|
||||
portainer.OperationIntegrationStoridgeAdmin: true,
|
||||
portainer.EndpointResourcesAccess: true,
|
||||
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDEndpointAdmin])
|
||||
},
|
||||
DefaultK8sClusterAuthorizations()[portainer.RoleIDEndpointAdmin],
|
||||
DefaultAzureAuthorizations()[portainer.RoleIDEndpointAdmin],
|
||||
)
|
||||
}
|
||||
|
||||
// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
|
||||
@@ -209,7 +212,10 @@ func DefaultEndpointAuthorizationsForHelpDeskRole() portainer.Authorizations {
|
||||
portainer.OperationPortainerStackFile: true,
|
||||
portainer.OperationPortainerWebhookList: true,
|
||||
portainer.EndpointResourcesAccess: true,
|
||||
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDHelpdesk])
|
||||
},
|
||||
DefaultK8sClusterAuthorizations()[portainer.RoleIDHelpdesk],
|
||||
DefaultAzureAuthorizations()[portainer.RoleIDHelpdesk],
|
||||
)
|
||||
|
||||
return authorizations
|
||||
}
|
||||
@@ -276,7 +282,10 @@ func DefaultEndpointAuthorizationsForOperatorRole() portainer.Authorizations {
|
||||
portainer.OperationPortainerWebsocketExec: true,
|
||||
portainer.OperationPortainerWebhookList: true,
|
||||
portainer.EndpointResourcesAccess: true,
|
||||
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDOperator])
|
||||
},
|
||||
DefaultK8sClusterAuthorizations()[portainer.RoleIDOperator],
|
||||
DefaultAzureAuthorizations()[portainer.RoleIDOperator],
|
||||
)
|
||||
|
||||
return authorizations
|
||||
}
|
||||
@@ -403,7 +412,10 @@ func DefaultEndpointAuthorizationsForStandardUserRole() portainer.Authorizations
|
||||
portainer.OperationPortainerWebsocketExec: true,
|
||||
portainer.OperationPortainerWebhookList: true,
|
||||
portainer.OperationPortainerWebhookCreate: true,
|
||||
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDStandardUser])
|
||||
},
|
||||
DefaultK8sClusterAuthorizations()[portainer.RoleIDStandardUser],
|
||||
DefaultAzureAuthorizations()[portainer.RoleIDStandardUser],
|
||||
)
|
||||
|
||||
return authorizations
|
||||
}
|
||||
@@ -456,7 +468,10 @@ func DefaultEndpointAuthorizationsForReadOnlyUserRole() portainer.Authorizations
|
||||
portainer.OperationPortainerStackInspect: true,
|
||||
portainer.OperationPortainerStackFile: true,
|
||||
portainer.OperationPortainerWebhookList: true,
|
||||
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDReadonly])
|
||||
},
|
||||
DefaultK8sClusterAuthorizations()[portainer.RoleIDReadonly],
|
||||
DefaultAzureAuthorizations()[portainer.RoleIDReadonly],
|
||||
)
|
||||
|
||||
return authorizations
|
||||
}
|
||||
|
||||
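Review bot: Each role's authorization set now unconditionally includes the matching Azure default set next to the Kubernetes one, but nothing at the call site says whether endpoints that are not Azure ignore those keys, or whether the merge helper (outside the hunk) lets a later map override an earlier one if keys ever collide. A short comment on the new `DefaultAzureAuthorizations()[portainer.RoleIDEndpointAdmin],` line would settle this for the reader, e.g. `// Azure (ACI) operations are merged into every role; the keys presumably do not overlap the K8s set, so argument order should not matter — confirm in the merge helper.` The same applies to the four remaining hunks (help desk, operator, standard user, read-only). The enclosing functions begin before each hunk and the merge call itself opens outside the hunk.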
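--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,60 @@
+package authorization
+
+import (
+portainer "github.com/portainer/portainer/api"
+)
+
+// DefaultAzureAuthorizations returns a set of default azure authorizations based on user's role.
+func DefaultAzureAuthorizations() map[portainer.RoleID]portainer.Authorizations {
+return map[portainer.RoleID]portainer.Authorizations{
+portainer.RoleIDEndpointAdmin: {
+portainer.OperationAzureSubscriptionsList: true,
+portainer.OperationAzureSubscriptionGet: true,
+portainer.OperationAzureProviderGet: true,
+portainer.OperationAzureResourceGroupsList: true,
+portainer.OperationAzureResourceGroupGet: true,
+portainer.OperationAzureContainerGroupsList: true,
+portainer.OperationAzureContainerGroupGet: true,
+portainer.OperationAzureContainerGroupCreate: true,
+portainer.OperationAzureContainerGroupDelete: true,
+},
+portainer.RoleIDOperator: {
+portainer.OperationAzureSubscriptionsList: true,
+portainer.OperationAzureSubscriptionGet: true,
+portainer.OperationAzureProviderGet: true,
+portainer.OperationAzureResourceGroupsList: true,
+portainer.OperationAzureResourceGroupGet: true,
+portainer.OperationAzureContainerGroupsList: true,
+portainer.OperationAzureContainerGroupGet: true,
+},
+portainer.RoleIDHelpdesk: {
+portainer.OperationAzureSubscriptionsList: true,
+portainer.OperationAzureSubscriptionGet: true,
+portainer.OperationAzureProviderGet: true,
+portainer.OperationAzureResourceGroupsList: true,
+portainer.OperationAzureResourceGroupGet: true,
+portainer.OperationAzureContainerGroupsList: true,
+portainer.OperationAzureContainerGroupGet: true,
+},
+portainer.RoleIDStandardUser: {
+portainer.OperationAzureSubscriptionsList: true,
+portainer.OperationAzureSubscriptionGet: true,
+portainer.OperationAzureProviderGet: true,
+portainer.OperationAzureResourceGroupsList: true,
+portainer.OperationAzureResourceGroupGet: true,
+portainer.OperationAzureContainerGroupsList: true,
+portainer.OperationAzureContainerGroupGet: true,
+portainer.OperationAzureContainerGroupCreate: true,
+portainer.OperationAzureContainerGroupDelete: true,
+},
+portainer.RoleIDReadonly: {
+portainer.OperationAzureSubscriptionsList: true,
+portainer.OperationAzureSubscriptionGet: true,
+portainer.OperationAzureProviderGet: true,
+portainer.OperationAzureResourceGroupsList: true,
+portainer.OperationAzureResourceGroupGet: true,
+portainer.OperationAzureContainerGroupsList: true,
+portainer.OperationAzureContainerGroupGet: true,
+},
+}
+}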
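Review bot: `portainer.RoleIDStandardUser` is granted `portainer.OperationAzureContainerGroupCreate` and `portainer.OperationAzureContainerGroupDelete`, the same write rights as `portainer.RoleIDEndpointAdmin`, while `RoleIDOperator` and `RoleIDHelpdesk` receive only the list/get operations; the file gives no rationale for that split, which is the central privilege decision in this new file. A comment above the standard-user entry would make the intent auditable, e.g. `// Standard users may create and delete container groups; operator, helpdesk and read-only roles are limited to read operations.` The three read-only sets (operator, helpdesk, read-only) are identical literals, so building them from one shared read-set literal would keep them from drifting apart in later edits. The doc comment could also spell "Azure" with a capital and say that this is the ACI permission set.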