Files
portainer/api/bolt/role/predefined_roles.go
T
cong meng f9cf76234f feat(rbac): EE-226 Add a new RBAC "Operator" Role (#191)
* feat(rbac): EE-226 Add a new RBAC "Operator" Role

* feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk

* feat(rbac): EE-226 access viewer shows incorrect effective role after introduce of Operator

* feat(rbac): EE-226 show roles order by priority other than name

* feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role

* feat(rbac): EE-226 always increase bucket next sequence when create a role

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-06 11:34:54 +12:00

69 lines
2.3 KiB
Go

package role
import (
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/internal/authorization"
)
// CreateOrUpdatePredefinedRoles update the predefined roles. Create one if it does not exist yet.
func (service *Service) CreateOrUpdatePredefinedRoles() error {
predefinedRoles := map[portainer.RoleID]*portainer.Role{
portainer.RoleIDEndpointAdmin: &portainer.Role{
Name: "Endpoint administrator",
Description: "Full control of all resources in an endpoint",
ID: portainer.RoleIDEndpointAdmin,
Priority: 1,
Authorizations: authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
},
portainer.RoleIDOperator: &portainer.Role{
Name: "Operator",
Description: "Operational control of all existing resources in an endpoint",
ID: portainer.RoleIDOperator,
Priority: 2,
Authorizations: authorization.DefaultEndpointAuthorizationsForOperatorRole(),
},
portainer.RoleIDHelpdesk: &portainer.Role{
Name: "Helpdesk",
Description: "Read-only access of all resources in an endpoint",
ID: portainer.RoleIDHelpdesk,
Priority: 3,
Authorizations: authorization.DefaultEndpointAuthorizationsForHelpDeskRole(),
},
portainer.RoleIDStandardUser: &portainer.Role{
Name: "Standard user",
Description: "Full control of assigned resources in an endpoint",
ID: portainer.RoleIDStandardUser,
Priority: 4,
Authorizations: authorization.DefaultEndpointAuthorizationsForStandardUserRole(),
},
portainer.RoleIDReadonly: &portainer.Role{
Name: "Read-only user",
Description: "Read-only access of assigned resources in an endpoint",
ID: portainer.RoleIDReadonly,
Priority: 5,
Authorizations: authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(),
},
}
for roleID, predefinedRole := range predefinedRoles {
_, err := service.Role(roleID)
if err == errors.ErrObjectNotFound {
err := service.CreateRole(predefinedRole)
if err != nil {
return err
}
} else if err != nil {
return err
} else {
err = service.UpdateRole(predefinedRole.ID, predefinedRole)
if err != nil {
return err
}
}
}
return nil
}