feat(ACI): EE-261 Add RBAC to ACI (#226)

Co-authored-by: Simon Meng <simon.meng@portainer.io>
This commit is contained in:
cong meng
2021-04-09 12:20:33 +12:00
committed by GitHub
parent 4682056058
commit 6eb3dfd3c2
11 changed files with 270 additions and 23 deletions
+20 -5
@@ -157,7 +157,10 @@ func DefaultEndpointAuthorizationsForEndpointAdministratorRole() portainer.Autho
portainer.OperationPortainerEndpointUpdateSettings: true,
portainer.OperationIntegrationStoridgeAdmin: true,
portainer.EndpointResourcesAccess: true,
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDEndpointAdmin])
},
DefaultK8sClusterAuthorizations()[portainer.RoleIDEndpointAdmin],
DefaultAzureAuthorizations()[portainer.RoleIDEndpointAdmin],
)
}
// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
@@ -209,7 +212,10 @@ func DefaultEndpointAuthorizationsForHelpDeskRole() portainer.Authorizations {
portainer.OperationPortainerStackFile: true,
portainer.OperationPortainerWebhookList: true,
portainer.EndpointResourcesAccess: true,
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDHelpdesk])
},
DefaultK8sClusterAuthorizations()[portainer.RoleIDHelpdesk],
DefaultAzureAuthorizations()[portainer.RoleIDHelpdesk],
)
return authorizations
}
@@ -276,7 +282,10 @@ func DefaultEndpointAuthorizationsForOperatorRole() portainer.Authorizations {
portainer.OperationPortainerWebsocketExec: true,
portainer.OperationPortainerWebhookList: true,
portainer.EndpointResourcesAccess: true,
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDOperator])
},
DefaultK8sClusterAuthorizations()[portainer.RoleIDOperator],
DefaultAzureAuthorizations()[portainer.RoleIDOperator],
)
return authorizations
}
@@ -403,7 +412,10 @@ func DefaultEndpointAuthorizationsForStandardUserRole() portainer.Authorizations
portainer.OperationPortainerWebsocketExec: true,
portainer.OperationPortainerWebhookList: true,
portainer.OperationPortainerWebhookCreate: true,
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDStandardUser])
},
DefaultK8sClusterAuthorizations()[portainer.RoleIDStandardUser],
DefaultAzureAuthorizations()[portainer.RoleIDStandardUser],
)
return authorizations
}
@@ -456,7 +468,10 @@ func DefaultEndpointAuthorizationsForReadOnlyUserRole() portainer.Authorizations
portainer.OperationPortainerStackInspect: true,
portainer.OperationPortainerStackFile: true,
portainer.OperationPortainerWebhookList: true,
}, DefaultK8sClusterAuthorizations()[portainer.RoleIDReadonly])
},
DefaultK8sClusterAuthorizations()[portainer.RoleIDReadonly],
DefaultAzureAuthorizations()[portainer.RoleIDReadonly],
)
return authorizations
}
@@ -0,0 +1,60 @@
package authorization
import (
portainer "github.com/portainer/portainer/api"
)
// DefaultAzureAuthorizations returns a set of default azure authorizations based on user's role.
func DefaultAzureAuthorizations() map[portainer.RoleID]portainer.Authorizations {
return map[portainer.RoleID]portainer.Authorizations{
portainer.RoleIDEndpointAdmin: {
portainer.OperationAzureSubscriptionsList: true,
portainer.OperationAzureSubscriptionGet: true,
portainer.OperationAzureProviderGet: true,
portainer.OperationAzureResourceGroupsList: true,
portainer.OperationAzureResourceGroupGet: true,
portainer.OperationAzureContainerGroupsList: true,
portainer.OperationAzureContainerGroupGet: true,
portainer.OperationAzureContainerGroupCreate: true,
portainer.OperationAzureContainerGroupDelete: true,
},
portainer.RoleIDOperator: {
portainer.OperationAzureSubscriptionsList: true,
portainer.OperationAzureSubscriptionGet: true,
portainer.OperationAzureProviderGet: true,
portainer.OperationAzureResourceGroupsList: true,
portainer.OperationAzureResourceGroupGet: true,
portainer.OperationAzureContainerGroupsList: true,
portainer.OperationAzureContainerGroupGet: true,
},
portainer.RoleIDHelpdesk: {
portainer.OperationAzureSubscriptionsList: true,
portainer.OperationAzureSubscriptionGet: true,
portainer.OperationAzureProviderGet: true,
portainer.OperationAzureResourceGroupsList: true,
portainer.OperationAzureResourceGroupGet: true,
portainer.OperationAzureContainerGroupsList: true,
portainer.OperationAzureContainerGroupGet: true,
},
portainer.RoleIDStandardUser: {
portainer.OperationAzureSubscriptionsList: true,
portainer.OperationAzureSubscriptionGet: true,
portainer.OperationAzureProviderGet: true,
portainer.OperationAzureResourceGroupsList: true,
portainer.OperationAzureResourceGroupGet: true,
portainer.OperationAzureContainerGroupsList: true,
portainer.OperationAzureContainerGroupGet: true,
portainer.OperationAzureContainerGroupCreate: true,
portainer.OperationAzureContainerGroupDelete: true,
},
portainer.RoleIDReadonly: {
portainer.OperationAzureSubscriptionsList: true,
portainer.OperationAzureSubscriptionGet: true,
portainer.OperationAzureProviderGet: true,
portainer.OperationAzureResourceGroupsList: true,
portainer.OperationAzureResourceGroupGet: true,
portainer.OperationAzureContainerGroupsList: true,
portainer.OperationAzureContainerGroupGet: true,
},
}
}
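Review bot: The `portainer.RoleIDStandardUser: {` entry grants `OperationAzureContainerGroupCreate` and `OperationAzureContainerGroupDelete`, which makes a standard user's Azure permission set identical to RoleIDEndpointAdmin's and strictly broader than Operator's and Helpdesk's. Nothing in this file scopes Delete to container groups the user created, so unless resource-level access control for Azure container groups is enforced elsewhere in this change, any standard user can delete any container group in every subscription the endpoint's credentials can reach. If that is not intended, drop `portainer.OperationAzureContainerGroupDelete: true,` (and possibly Create) from the standard-user entry; if it is intended, state the assumption above the map, e.g. `// Standard users may create/delete ACI container groups; per-resource ownership is not enforced for Azure — TODO confirm`. Separately, the Operator, Helpdesk and Readonly entries are byte-identical, so a small helper such as `func readOnlyAzureAuthorizations() portainer.Authorizations` that returns a fresh map on each call would keep the three in sync without letting callers that merge or mutate alias one shared map.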