From ee698da86dc9c22dd25762f2cfb2d2cda31c64a3 Mon Sep 17 00:00:00 2001
From: Robert Title
Date: Tue, 10 Sep 2024 11:50:38 -0400
Subject: [PATCH] [IA-5060] Inherit manager roles to notebook-cluster and persistent-disk (#1535)

* Fix Leo access control
* Remove list_persistent_disk
* Don't remove google-project actions just yet
* Make sure to add set_parent
* Remove authDomainConstrainable from the top level
* Shared apps should be auth domain constrainable too
* empty
---
 src/main/resources/reference.conf | 32 ++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 3dde1994b..05c9bf2fb 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -175,6 +175,8 @@ resourceTypes = {
 wds-instance = ["owner"]
 kubernetes-app = ["manager"]
 kubernetes-app-shared = ["owner", "user"]
+ notebook-cluster = ["manager"]
+ persistent-disk = ["manager"]
 }
 }
 application = {
@@ -606,6 +608,12 @@ resourceTypes = {
 reuseIds = false
 }
 google-project = {
+ # TODO: remove the following actions when notebook-cluster and persistent-disk have migrated to have parent resources.
+ # - list_notebook_cluster
+ # - delete_notebook_cluster
+ # - stop_start_notebook_cluster
+ # - list_persistent_disk
+ # - delete_persistent_disk
 actionPatterns = {
 read_policies = {
 description = "list all policies and policy details for this google-project"
@@ -660,6 +668,8 @@ resourceTypes = {
 includedRoles = ["notebook-user", "pet-creator"]
 descendantRoles = {
 kubernetes-app = ["manager"]
+ notebook-cluster = ["manager"]
+ persistent-disk = ["manager"]
 }
 }
 notebook-user = {
@@ -790,6 +800,7 @@ resourceTypes = {
 }
 connect = {
 description = "connect to the Jupyter notebook running on the notebook cluster"
+ authDomainConstrainable = true
 }
 delete = {
 description = "delete the notebook cluster"
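Review bot: The two new descendantRoles entries in the -660 hunk give this google-project role `manager` on every child notebook-cluster and persistent-disk, and the manager roles added later in this patch carry `delete`, so holders of this role can now delete clusters and disks they did not create; nothing at this site records that widening. The enclosing role definition starts outside the hunk, so its name is not visible here. Suggest a comment next to the new entries, `# manager inherits lifecycle actions (status|read, delete, read_policies) on child clusters/disks; connect and attach stay creator-only`. Inheritance only reaches children whose parent has been set, which is presumably why the TODO added in the -606 hunk keeps the google-project-level notebook/disk actions for now; that dependency is worth stating in the same comment.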
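Review bot: `authDomainConstrainable = true` is introduced on notebook-cluster `connect` in the -790 hunk, and on persistent-disk `attach` and the two kubernetes-app `connect` actions in the -815, -845 and -883 hunks, without any comment saying what the flag gates, while sibling actions such as `status`, `stop_start` and `modify` stay unconstrained. A reader of this file cannot tell whether that split is deliberate, and the flag's meaning is only inferable from its name and the commit message. Suggest one comment at the first use, `# authDomainConstrainable: this action is additionally subject to auth-domain checks when the resource is in an auth domain; lifecycle actions (status, stop_start, modify) are not`, with a one-line cross-reference at the other three.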
@@ -803,11 +814,17 @@ resourceTypes = {
 modify = {
 description = "modify attributes of the cluster"
 }
+ set_parent = {
+ description = "set parent of notebook cluster"
+ }
 }
 ownerRoleName = "creator"
 roles = {
 creator = {
- roleActions = ["status", "connect", "delete", "read_policies", "stop_start", "modify"]
+ roleActions = ["status", "connect", "delete", "read_policies", "stop_start", "modify", "set_parent"]
+ }
+ manager = {
+ roleActions = ["status", "delete", "read_policies"]
 }
 }
 reuseIds = false
@@ -815,10 +832,11 @@ resourceTypes = {
 persistent-disk = {
 actionPatterns = {
 read = {
- description = "read metadata and contents of persistent disk"
+ description = "read metadata of persistent disk"
 }
 attach = {
 description = "attach persistent disk to a VM"
+ authDomainConstrainable = true
 }
 modify = {
 description = "modify persistent disk"
@@ -829,11 +847,17 @@ resourceTypes = {
 read_policies = {
 description = "view all policies and policy details for the persistent disk"
 }
+ set_parent = {
+ description = "set parent of persistent disk"
+ }
 }
 ownerRoleName = "creator"
 roles = {
 creator = {
- roleActions = ["read", "attach", "modify", "delete", "read_policies"]
+ roleActions = ["read", "attach", "modify", "delete", "read_policies", "set_parent"]
+ }
+ manager = {
+ roleActions = ["delete", "read", "read_policies"]
 }
 }
 reuseIds = false
@@ -845,6 +869,7 @@ resourceTypes = {
 }
 connect = {
 description = "connect to kubernetes application"
+ authDomainConstrainable = true
 }
 update = {
 description = "update kubernetes application"
@@ -883,6 +908,7 @@ resourceTypes = {
 }
 connect = {
 description = "connect to kubernetes application"
+ authDomainConstrainable = true
 }
 update = {
 description = "update kubernetes application"
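Review bot: The new notebook-cluster `manager` role in the -803 hunk grants `status`, `delete` and `read_policies` but not `connect`, which is the only notebook-cluster action this patch marks `authDomainConstrainable`; the omission looks deliberate (an inherited manager should not be able to open the notebook) but nothing records it, and the persistent-disk `manager` in the -829 hunk likewise omits `attach`. Suggest a comment above each manager block, `# manager: lifecycle/visibility only; connect (auth-domain constrained) is intentionally excluded`, with `attach` in place of `connect` for the disk. Style: the two lists use different orders (`"status", "delete", "read_policies"` vs `"delete", "read", "read_policies"`); a common order such as `["status", "delete", "read_policies"]` and `["read", "delete", "read_policies"]` makes the parallel structure obvious. The enclosing notebook-cluster definition starts outside the hunk.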
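Review bot: In the -815 hunk the `read` description no longer promises disk contents, but a description change does not by itself change what the consuming service permits under `read`, and that enforcement is not visible here. It matters because `read` is now granted to the inherited `manager` role (-829 hunk) and is not `authDomainConstrainable`, whereas `attach` is; if content access still rides on `read` in the consumer, the auth-domain constraint would not cover managers. Suggest stating the intent next to the action, `# read covers metadata only; content access goes through attach, which is auth-domain constrained`, and confirming the consumer enforces that split.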