[IA-5060] Inherit manager roles to notebook-cluster and persistent-di…

…sk (#1535) * Fix Leo access control * Remove list_persistent_disk * Don't remove google-project actions just yet * Make sure to add set_parent * Remove authDomainConstrainable from the top level * Shared apps should be auth domain constrainable too * empty
broadinstitute · Sep 10, 2024 · ee698da · ee698da
1 parent 1cf4c65
commit ee698da
Showing 1 changed file with 29 additions and 3 deletions.
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
@@ -175,6 +175,8 @@ resourceTypes = {
           wds-instance = ["owner"]
           kubernetes-app = ["manager"]
           kubernetes-app-shared = ["owner", "user"]
+          notebook-cluster = ["manager"]
+          persistent-disk = ["manager"]
         }
       }
       application = {
@@ -606,6 +608,12 @@ resourceTypes = {
     reuseIds = false
   }
   google-project = {
+    # TODO: remove the following actions when notebook-cluster and persistent-disk have migrated to have parent resources.
+    # - list_notebook_cluster
+    # - delete_notebook_cluster
+    # - stop_start_notebook_cluster
+    # - list_persistent_disk
+    # - delete_persistent_disk
     actionPatterns = {
       read_policies = {
         description = "list all policies and policy details for this google-project"
@@ -660,6 +668,8 @@ resourceTypes = {
         includedRoles = ["notebook-user", "pet-creator"]
         descendantRoles = {
           kubernetes-app = ["manager"]
+          notebook-cluster = ["manager"]
+          persistent-disk = ["manager"]
         }
       }
       notebook-user = {
@@ -790,6 +800,7 @@ resourceTypes = {
       }
       connect = {
         description = "connect to the Jupyter notebook running on the notebook cluster"
+        authDomainConstrainable = true
       }
       delete = {
         description = "delete the notebook cluster"
@@ -803,22 +814,29 @@ resourceTypes = {
       modify = {
         description = "modify attributes of the cluster"
       }
+      set_parent = {
+        description = "set parent of notebook cluster"
+      }
     }
     ownerRoleName = "creator"
     roles = {
       creator = {
-        roleActions = ["status", "connect", "delete", "read_policies", "stop_start", "modify"]
+        roleActions = ["status", "connect", "delete", "read_policies", "stop_start", "modify", "set_parent"]
+      }
+      manager = {
+        roleActions = ["status", "delete", "read_policies"]
       }
     }
     reuseIds = false
   }
   persistent-disk = {
     actionPatterns = {
       read = {
-        description = "read metadata and contents of persistent disk"
+        description = "read metadata of persistent disk"
       }
       attach = {
         description = "attach persistent disk to a VM"
+        authDomainConstrainable = true
       }
       modify = {
         description = "modify persistent disk"
@@ -829,11 +847,17 @@ resourceTypes = {
       read_policies = {
         description = "view all policies and policy details for the persistent disk"
       }
+      set_parent = {
+        description = "set parent of persistent disk"
+      }
     }
     ownerRoleName = "creator"
     roles = {
       creator = {
-        roleActions = ["read", "attach", "modify", "delete", "read_policies"]
+        roleActions = ["read", "attach", "modify", "delete", "read_policies", "set_parent"]
+      }
+      manager = {
+        roleActions = ["delete", "read", "read_policies"]
       }
     }
     reuseIds = false
@@ -845,6 +869,7 @@ resourceTypes = {
       }
       connect = {
         description = "connect to kubernetes application"
+        authDomainConstrainable = true
       }
       update = {
         description = "update kubernetes application"
@@ -883,6 +908,7 @@ resourceTypes = {
       }
       connect = {
         description = "connect to kubernetes application"
+        authDomainConstrainable = true
       }
       update = {
         description = "update kubernetes application"