* feat(rbac): EE-226 Add a new RBAC "Operator" Role
* feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk
* feat(rbac): EE-226 access viewer shows incorrect effective role after introduce of Operator
* feat(rbac): EE-226 show roles order by priority other than name
* feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role
* feat(rbac): EE-226 always increase bucket next sequence when create a role
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* feat(docker) EE-131 relocate the Docker features/security settings to be available per endpoint
* feat(docker) EE-131 allow endpoint admin role user to update endpoint settings
* feat(docker) EE-131 populate volume browsing authorizations to user endpoint authorizations when user toggle the setting of volume management for non-administrators
* feat(docker) EE-131 remove parameter volumeBrowsingAuthorizations from all DefaultEndpointAuthorizationsForxxx functions
* feat(docker) EE-131 fix a layout bug of the browse button
* feat(ACI): EE-273 move migrator of 27 into migrate_dbversion26.go
* feat(docker) EE-131 in container creation view, show the privileged mode toggle if cureent user is admin or endpoint admin
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* refactor(stack): create unique name function
* refactor(stack): change stack resource control id
* feat(stacks): validate stack unique name in endpoint
* feat(stacks): prevent name collision with external stacks
* refactor(stacks): move resource id util
* refactor(stacks): supply resource id util with name and endpoint
* fix(docker): calculate swarm resource id
* feat(stack): prevent migration if stack name already exist
* feat(authorization): use stackutils
* * handle teams been added or removed in the resource pool
* do not delete role bindings but just remove the user subject
* * fix missing rolemap
* * revert the role bindings changes (not the cause of the issue)
* * fix token cache cleaning endpoint tokens
* * partially ignore errors during user deletion
* collect all errors during user deletion
* remove role/cluster role bindings when empty
* + update resource pool access endpoint
* remove bindings when user is removed from resource pool
* remove token cache when user is added to the resource pool
* - remove delete tokens endpoint
* use actual TriggerUserAuthUpdate
* * fix comments
* * improve error returns
* fix(rbac): Not enforcing on backend for resource creation, application edit and console log operations of users that this should be prevented for
* + k8s access user namespaces policy
+ debug logs
* fix multiple authorization calculation issues
* * use endpoint role rather than user role for calculating authorizations
* * fix namespace role binding
* * check user authorization in k8s pod exec
* * fix some of the logging messages
Co-authored-by: yi-portainer <yi.chen@portainer.io>
* fix(frontend): show failing placement details for endpoint-admin and helpdesk users
* fix(frontend): add excludeAuthorization directive to determine endpoint-admin and helpdesk users
* fix(k8s/rbac): add OperationK8sApplicationErrorDetailsR authorization for endpoint-admin and helpdesk users
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* + endpoint and namespace level authorizations
+ user namespace authorization API
+ k8s client setup service account with k8s roles and policies by portainer role
* User authorization changes refresh token cache
* rbac authorizes k8s requests
* CE to EE migrator to include new authorizations
* code clean up
* comments
* * merge in the RestrictDefaultNamespace changes
* - remove unnecessary check for default namespace
* + updates namespace access policies when generating token
* * updates namespace access policies when querying the user namespace endpoint
* + k8s rule in rbac.go for endpoint access test
+ missing k8s cluster rules for different roles
* feat(rbac): update kube rbac
* feat(rbac): use the authorization directive
* feat(rbac): Update namespace access policies when user/team is deleted
* refactor(app): use new angular-multi-select capabilities
* feat(rbac): fix authorizations
* feat(rbac): fix userAccessPolicies update bug
* feat(rbac): add W applications authorizations
* feat(rbac): add application details W authorizations
* feat(rbac): add configurations W autohorizations
* feat(rbac): add configuration details W authorizations
* feat(rbac): add volumes W authorizations
* feat(rbac): add volume details W authorizations
* feat(rbac): add componentstatus to portainer-view role and add cluster/node authorizations
* fix(rbac): disable application note for non authorized user
* fix(rbac): add endpoints list and components status to portainer-basic
* fix(rbac): allow user to access default namespace when restrict default namespace isn't activated
* fix(rbac): remove default namespace from useraccesspolicies when restrict default namespace isn't activated
* fix(rbac): change some things
* fix(rbac): allow standard user to access container console
* - removed unused parameter
* fix(rbac): fix team authorizations
Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
Co-authored-by: xAt0mZ <baron_l@epitech.eu>
* refactor(rbac): move client extension code
* feat(app): remove checks for extension
* feat(rbac): remove checks for extensions
* feat(extensions): remove reference to rbac extensions
* feat(roles): add changes from codebase before removal of rbac
* refactor(security): remove rbac service
* refactor(security): use AdminAccess as an alias
* fix(access): rename policies type
* style(security): add comment about Aliasing AdminAccess to RestrictedAccess
* feat(bolt): add auth migration from ce to ee
* feat(stacks): use authorized access to stop/start stacks
* fix(bolt): supply right params to migrator
* feat(rbac): get authorization on client side
* feat(custom-templates): introduce types
* feat(custom-templates): introduce data layer service
* feat(custom-templates): introduce http handler
* feat(custom-templates): create routes and view stubs
* feat(custom-templates): add create custom template ui
* feat(custom-templates): add json keys
* feat(custom-templates): introduce custom templates list page
* feat(custom-templates): introduce update page
* feat(stack): create template from stack
* feat(stacks): create stack from custom template
* feat(custom-templates): disable edit/delete of templates
* fix(custom-templates): fail update on non admin/owner
* fix(custom-templates): add ng-inject decorator
* chore(plop): revert template
* feat(stacks): remove actions column
* feat(stack): add button to create template from stack
* feat(stacks): add empty state for templates
* feat(custom-templates): show templates in a list
* feat(custom-template): replace table with list
* feat(custom-templates): move create template button
* refactor(custom-templates): introduce more fields
* feat(custom-templates): use stack type when creating template
* feat(custom-templates): use same type as stack
* feat(custom-templates): add edit and delete buttons to template item
* feat(custom-templates): customize stack before deploy
* feat(stack): show template details
* feat(custom-templates): move customize
* feat(custom-templates): create description required
* fix(template): show platform icon
* fix(custom-templates): show spinner when creating stack
* feat(custom-templates): prevent user from edit templates
* feat(custom-templates): use resource control for custom templates
* feat(custom-templates): show created templates
* feat(custom-templates): filter templates by stack type
* fix(custom-templates): create swarm or standalone stack
* feat(stacks): filter templates by type
* feat(resource-control): disable resource control on public
* feat(custom-template): apply access control on edit
* feat(custom-template): add form validation
* feat(stack): disable create custom template from external task
* refactor(custom-templates): create template from file and type
* feat(templates): introduce a file handler that returns template docker file
* feat(template): introduce template duplication
* feat(custom-template): enforce unique template name
* fix(template): rename copy button
* fix(custom-template): clear access control selection between templates
* fix(custom-templates): show required fields
* refactor(filesystem): use a constant for temp path