dvoet committed Jul 30, 2024
1 parent 6d5c241 commit 3ddbd79
Showing 2 changed files with 36 additions and 6 deletions.
36 changes: 31 additions & 5 deletions src/main/resources/reference.conf
Expand Up @@ -228,7 +228,22 @@ resourceTypes = {
}
}
rawls = {
roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete", "list_children", "add_child"]
roleActions = [
# workspace clone and delete
"read_job_result"
# workspace clone - create WDS
"create_controlled_user_private"
# workspace clone - create storage container
"create_controlled_user_shared"
# workspace delete - leo checks for this action when deleting runtimes
"delete"
# workspace delete - WSM ensures there are no children before deleting
"list_children"
# workspace clone - create WDS
"add_child"
# workspace clone - get storage container, get cloud context and spend profile id
"read"
]
}
}
authDomainConstrainable = true
Expand Down Expand Up @@ -287,7 +302,7 @@ resourceTypes = {
}
rawls = {
roleActions = [
# rawls needs read workspace storage containers for clone operation
# workspace clone - read source workspace storage containers
"read"
]
}
Expand Down Expand Up @@ -401,7 +416,10 @@ resourceTypes = {
roleActions = ["read"]
}
rawls = {
roleActions = ["delete"]
roleActions = [
# workspace delete
"delete"
]
}
}
reuseIds = false
Expand Down Expand Up @@ -751,7 +769,10 @@ resourceTypes = {
}
}
rawls = {
roleActions = ["delete"]
roleActions = [
# billing project delete
"delete"
]
}
}
reuseIds = true
Expand Down Expand Up @@ -1146,7 +1167,9 @@ resourceTypes = {
}
rawls = {
roleActions = [
# landing zone creation, billing project delete
"read_job_result"
# billing project delete
"delete"
# leonardo creates a pet even for a shared app
"create-pet"
Expand Down Expand Up @@ -1454,7 +1477,10 @@ resourceTypes = {
roleActions = ["list_resources"]
}
rawls = {
roleActions = ["list_resources"]
roleActions = [
# billing project delete
"list_resources"
]
}
}
reuseIds = ${?LANDINGZONES_REUSE_IDS}
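Review bot: The `"read"` entry added at the end of the workspace `rawls` roleActions in the first hunk is the one action in that list that is not scoped to a single clone/delete step, and its comment lists three call sites without saying that the role is being widened to general workspace read; if `read` is the general read action on the workspace type, the comment should say so, e.g. `# workspace clone - get storage container, cloud context and spend profile id (grants general workspace read, not just these calls)`. The same hunk also puts the identical comment `# workspace clone - create WDS` on both `"create_controlled_user_private"` and `"add_child"`, so a reader cannot tell which WDS step needs which action; consider distinguishing them. The enclosing `resourceTypes` block and the surrounding resource-type definitions start and end outside the hunks, so whether `read` was already reachable through another role on this type cannot be seen here.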
6 changes: 5 additions & 1 deletion src/main/resources/sam.conf
Expand Up @@ -272,7 +272,11 @@ resourceAccessPolicies {
descendantPermissions = [
{
resourceTypeName = "workspace",
roles = ["rawls", "reader"]
roles = [
"rawls"
# WSM requires one of the roles in its hierarchy, discoverer is the lowest
"discoverer"
]
}
]
}
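Review bot: The new `roles` list replaces `"reader"` with `"discoverer"` on the workspace descendant permission, but the comment only explains why `discoverer` is acceptable to WSM and not that `reader` is being dropped on purpose or what capability that removes. A comment that records the narrowing would keep the next maintainer from restoring `reader`, e.g. `# WSM requires one of the roles in its hierarchy; discoverer is the lowest. Replaces reader: any read rawls still needs is granted explicitly via its roleActions.` That last clause assumes the `"read"` added to the workspace `rawls` roleActions in reference.conf in this same commit is what compensates for the dropped role; worth confirming before committing the wording. The enclosing `resourceAccessPolicies` block starts and ends outside the hunk.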
