f9cf76234f
* feat(rbac): EE-226 Add a new RBAC "Operator" Role * feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk * feat(rbac): EE-226 access viewer shows incorrect effective role after introduce of Operator * feat(rbac): EE-226 show roles order by priority other than name * feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role * feat(rbac): EE-226 always increase bucket next sequence when create a role Co-authored-by: Simon Meng <simon.meng@portainer.io>
69 lines
2.3 KiB
Go
69 lines
2.3 KiB
Go
package role
|
|
|
|
import (
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/bolt/errors"
|
|
"github.com/portainer/portainer/api/internal/authorization"
|
|
)
|
|
|
|
// CreateOrUpdatePredefinedRoles update the predefined roles. Create one if it does not exist yet.
|
|
func (service *Service) CreateOrUpdatePredefinedRoles() error {
|
|
predefinedRoles := map[portainer.RoleID]*portainer.Role{
|
|
portainer.RoleIDEndpointAdmin: &portainer.Role{
|
|
Name: "Endpoint administrator",
|
|
Description: "Full control of all resources in an endpoint",
|
|
ID: portainer.RoleIDEndpointAdmin,
|
|
Priority: 1,
|
|
Authorizations: authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
|
|
},
|
|
portainer.RoleIDOperator: &portainer.Role{
|
|
Name: "Operator",
|
|
Description: "Operational control of all existing resources in an endpoint",
|
|
ID: portainer.RoleIDOperator,
|
|
Priority: 2,
|
|
Authorizations: authorization.DefaultEndpointAuthorizationsForOperatorRole(),
|
|
},
|
|
portainer.RoleIDHelpdesk: &portainer.Role{
|
|
Name: "Helpdesk",
|
|
Description: "Read-only access of all resources in an endpoint",
|
|
ID: portainer.RoleIDHelpdesk,
|
|
Priority: 3,
|
|
Authorizations: authorization.DefaultEndpointAuthorizationsForHelpDeskRole(),
|
|
},
|
|
portainer.RoleIDStandardUser: &portainer.Role{
|
|
Name: "Standard user",
|
|
Description: "Full control of assigned resources in an endpoint",
|
|
ID: portainer.RoleIDStandardUser,
|
|
Priority: 4,
|
|
Authorizations: authorization.DefaultEndpointAuthorizationsForStandardUserRole(),
|
|
},
|
|
portainer.RoleIDReadonly: &portainer.Role{
|
|
Name: "Read-only user",
|
|
Description: "Read-only access of assigned resources in an endpoint",
|
|
ID: portainer.RoleIDReadonly,
|
|
Priority: 5,
|
|
Authorizations: authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(),
|
|
},
|
|
}
|
|
|
|
for roleID, predefinedRole := range predefinedRoles {
|
|
_, err := service.Role(roleID)
|
|
|
|
if err == errors.ErrObjectNotFound {
|
|
err := service.CreateRole(predefinedRole)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
} else if err != nil {
|
|
return err
|
|
} else {
|
|
err = service.UpdateRole(predefinedRole.ID, predefinedRole)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|