From 73bb2a359456de1701dacbf92138a5249104ae60 Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Thu, 18 Jul 2024 15:37:30 -0400
Subject: [PATCH 1/9] roles for rawls
---
src/main/resources/reference.conf | 21 ++++++++
src/main/resources/sam.conf | 85 +++++++++++++++++++++++++++++++
2 files changed, 106 insertions(+)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 29c022e77..2974e518c 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -227,6 +227,9 @@ resourceTypes = {
 google-project = ["pet-creator"]
 }
 }
+ rawls = {
+ roleActions = ["read_job_result", "create_controlled_user_private", "read", "create_controlled_user_shared", "delete"]
+ }
 }
 authDomainConstrainable = true
 allowLeaving = true
@@ -391,6 +394,9 @@ resourceTypes = {
 reader = {
 roleActions = ["read"]
 }
+ rawls = {
+ roleActions = ["delete"]
+ }
 }
 reuseIds = false
 }
@@ -738,6 +744,9 @@ resourceTypes = {
 google-project = ["notebook-user"]
 }
 }
+ rawls = {
+ roleActions = ["delete"]
+ }
 }
 reuseIds = true
 }
@@ -831,6 +840,9 @@ resourceTypes = {
 manager = {
 roleActions = ["delete", "status", "read_policies"]
 }
+ rawls = {
+ roleActions = ["delete", "status"]
+ }
 }
 reuseIds = false
 }
@@ -869,6 +881,9 @@ resourceTypes = {
 user = {
 roleActions = ["connect", "status"]
 }
+ rawls = {
+ roleActions = ["delete", "status"]
+ }
 }
 reuseIds = false
 }
@@ -1129,6 +1144,9 @@ resourceTypes = {
 system = {
 roleActions = ["read_profile"]
 }
+ rawls = {
+ roleActions = ["read_job_result", "delete"]
+ }
 }
 reuseIds = true
 }
@@ -1430,6 +1448,9 @@ resourceTypes = {
 user = {
 roleActions = ["list_resources"]
 }
+ rawls = {
+ roleActions = ["list_resources"]
+ }
 }
 reuseIds = ${?LANDINGZONES_REUSE_IDS}
 }
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 6ef178553..2320e28bd 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -265,6 +265,17 @@ resourceAccessPolicies {
 memberEmails = ${terra.support.emails}
 roles = ["support"]
 }
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "workspace",
+ roles = ["rawls"]
+ }
+ ]
+ }
 }
 managed-group {
 support {
@@ -277,6 +288,17 @@ resourceAccessPolicies {
 memberEmails = ${terra.support.emails}
 roles = ["support"]
 }
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "billing-project",
+ roles = ["rawls"]
+ }
+ ]
+ }
 }
 dataset {
 support {
@@ -303,6 +325,69 @@ resourceAccessPolicies {
 }
 ]
 }
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "spend-profile",
+ roles = ["rawls"]
+ }
+ ]
+ }
+ }
+ landing-zone {
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "landing-zone",
+ roles = ["rawls"]
+ }
+ ]
+ }
+ }
+ controlled-application-shared-workspace-resource {
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "controlled-application-shared-workspace-resource",
+ roles = ["rawls"]
+ }
+ ]
+ }
+ }
+ kubernetes-app {
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "kubernetes-app",
+ roles = ["rawls"]
+ }
+ ]
+ }
+ }
+ kubernetes-app-shared {
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "kubernetes-app-shared",
+ roles = ["rawls"]
+ }
+ ]
+ }
 }
 }
 }
From 1e2453fdbf491c8e1255232b02c4fdc3dc994342 Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Mon, 29 Jul 2024 12:10:30 -0400
Subject: [PATCH 2/9] rawls reader role
---
src/main/resources/reference.conf | 2 +-
src/main/resources/sam.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
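Review bot: `memberEmails = [ ${?RAWLS_SERVICE_ACCOUNT} ]` in the new workspace `rawls` policy is an optional substitution, so when the variable is unset the policy is loaded with an empty member list instead of failing at startup, and the same shape is repeated in the billing-project, spend-profile, landing-zone, controlled-application-shared-workspace-resource, kubernetes-app and kubernetes-app-shared policies in the following hunks. An empty policy is harmless for local runs, but it hides a deployment where the variable name drifted, which would surface only as authorization failures for Rawls at runtime. A comment above the first policy such as `# RAWLS_SERVICE_ACCOUNT is the single service-account identity of Rawls; if unset these policies have no members` would make the intent explicit, and an environment-level check that the list is non-empty in deployed configurations would catch the drift early. The policy also sets no `roles` on the parent resource, unlike the adjacent `support` policy; presumably the config reader treats that as empty, but worth confirming.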
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 2974e518c..32b0ffd54 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -228,7 +228,7 @@ resourceTypes = {
 }
 }
 rawls = {
- roleActions = ["read_job_result", "create_controlled_user_private", "read", "create_controlled_user_shared", "delete"]
+ roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete"]
 }
 }
 authDomainConstrainable = true
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 2320e28bd..d8f7a309a 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -272,7 +272,7 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "workspace",
- roles = ["rawls"]
+ roles = ["rawls", "reader"]
 }
 ]
 }
From 5affe543b3d03a723a93a11967dcc7ff06b2ea87 Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Mon, 29 Jul 2024 13:40:50 -0400
Subject: [PATCH 3/9] list_childred
---
src/main/resources/reference.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 32b0ffd54..c7babb640 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -228,7 +228,7 @@ resourceTypes = {
 }
 }
 rawls = {
- roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete"]
+ roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete", "list_children"]
 }
 }
 authDomainConstrainable = true
From 8866da6128d414ea5b5c62ed4612bb775d54127d Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Tue, 30 Jul 2024 10:06:16 -0400
Subject: [PATCH 4/9] app roles
---
src/main/resources/reference.conf | 6 ------
src/main/resources/sam.conf | 4 ++--
2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index c7babb640..ffe465102 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -840,9 +840,6 @@ resourceTypes = {
 manager = {
 roleActions = ["delete", "status", "read_policies"]
 }
- rawls = {
- roleActions = ["delete", "status"]
- }
 }
 reuseIds = false
 }
@@ -881,9 +878,6 @@ resourceTypes = {
 user = {
 roleActions = ["connect", "status"]
 }
- rawls = {
- roleActions = ["delete", "status"]
- }
 }
 reuseIds = false
 }
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index d8f7a309a..39a656139 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -371,7 +371,7 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "kubernetes-app",
- roles = ["rawls"]
+ roles = ["manager"]
 }
 ]
 }
@@ -384,7 +384,7 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "kubernetes-app-shared",
- roles = ["rawls"]
+ roles = ["owner"]
 }
 ]
 }
From aac82d08f8ed7670b9f48a9d224ea338b6aab790 Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Tue, 30 Jul 2024 10:52:20 -0400
Subject: [PATCH 5/9] comments and workspace add_child
---
src/main/resources/reference.conf | 2 +-
src/main/resources/sam.conf | 10 ++++++++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index ffe465102..a3f8730a4 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -228,7 +228,7 @@ resourceTypes = {
 }
 }
 rawls = {
- roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete", "list_children"]
+ roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete", "list_children", "add_child"]
 }
 }
 authDomainConstrainable = true
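Review bot: Switching the kubernetes-app descendant grant from `rawls` to `manager` (and kubernetes-app-shared to `owner` in the next hunk) gives the Rawls service account the full `manager`/`owner` action set on every kubernetes-app reachable through this policy, while the `rawls` role removed from reference.conf in the first two hunks of this patch carried only `delete` and `status`. The widening apparently follows from a role-name check in the consuming service rather than from what Rawls needs, so it is worth marking as a deliberate, temporary over-grant rather than leaving it to look intentional: a line such as `# TODO(least-privilege): return to a rawls role limited to delete/status once the app service checks actions instead of role names` next to `roles = ["manager"]`, with the same line at the `owner` hunk. Without a marker the next reviewer has no way to tell which of the two grants is the intended end state.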
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 39a656139..4b723235f 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -371,7 +371,10 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "kubernetes-app",
- roles = ["manager"]
+ roles = [
+ # leo checks for creator or manager role, rawls really only needs delete and status actions
+ "manager"
+ ]
 }
 ]
 }
@@ -384,7 +387,10 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "kubernetes-app-shared",
- roles = ["owner"]
+ roles = [
+ # leo checks for user or owner role, rawls really only needs delete and status actions
+ "owner"
+ ]
 }
 ]
 }
From 1871644c1898185c836f4855959801ec5d8739fb Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Tue, 30 Jul 2024 11:21:29 -0400
Subject: [PATCH 6/9] create-pet
---
src/main/resources/reference.conf | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index a3f8730a4..78f891ecf 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -1139,7 +1139,12 @@ resourceTypes = {
 roleActions = ["read_profile"]
 }
 rawls = {
- roleActions = ["read_job_result", "delete"]
+ roleActions = [
+ "read_job_result"
+ "delete"
+ # leonardo creates a pet even for a shared app
+ "create-pet"
+ ]
 }
 }
 reuseIds = true
From 6d5c2412d946fd2ed347f11905be903da8f85d0e Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Tue, 30 Jul 2024 11:38:47 -0400
Subject: [PATCH 7/9] controlled-user-shared-workspace-resource/read
---
src/main/resources/reference.conf | 6 ++++++
src/main/resources/sam.conf | 13 +++++++++++++
2 files changed, 19 insertions(+)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 78f891ecf..7fbd4acfe 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
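Review bot: `"create-pet"` is the only action name in this series spelled with a hyphen; every other action added to the rawls roles (`read_job_result`, `list_children`, `add_child`) and the neighbouring `read_profile` use underscores. Action names are presumably matched as exact strings against the resource type's declared action patterns, so a mismatch here would not fail at load time — the role would simply never grant pet creation, and the failure would appear as an authorization error in the calling service that is hard to trace back to this line. If the spend-profile type really declares `create-pet`, a short comment such as `# action name is hyphenated to match the spend-profile action pattern` would stop the next reader from "correcting" it; otherwise it should be changed to match the declared pattern. The `rawls = {` block is fully inside this hunk, but the resource type it belongs to starts before it.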
@@ -285,6 +285,12 @@ resourceTypes = {
 reader = {
 roleActions = ["read"]
 }
+ rawls = {
+ roleActions = [
+ # rawls needs read workspace storage containers for clone operation
+ "read"
+ ]
+ }
 }
 reuseIds = false
 }
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 4b723235f..1b5b858ae 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -363,6 +363,19 @@ resourceAccessPolicies {
 ]
 }
 }
+ controlled-user-shared-workspace-resource {
+ rawls {
+ memberEmails = [
+ ${?RAWLS_SERVICE_ACCOUNT}
+ ]
+ descendantPermissions = [
+ {
+ resourceTypeName = "controlled-user-shared-workspace-resource",
+ roles = ["rawls"]
+ }
+ ]
+ }
+ }
 kubernetes-app {
 rawls {
 memberEmails = [
From 3ddbd79898101f99d00b58ec903cd6fb4490880f Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Tue, 30 Jul 2024 12:24:08 -0400
Subject: [PATCH 8/9] comments
---
src/main/resources/reference.conf | 36 ++++++++++++++++++++++++++-----
src/main/resources/sam.conf | 6 +++++-
2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 7fbd4acfe..1c7dfe08e 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -228,7 +228,22 @@ resourceTypes = {
 }
 }
 rawls = {
- roleActions = ["read_job_result", "create_controlled_user_private", "create_controlled_user_shared", "delete", "list_children", "add_child"]
+ roleActions = [
+ # workspace clone and delete
+ "read_job_result"
+ # workspace clone - create WDS
+ "create_controlled_user_private"
+ # workspace clone - create storage container
+ "create_controlled_user_shared"
+ # workspace delete - leo checks for this action when deleting runtimes
+ "delete"
+ # workspace delete - WSM ensures there are no children before deleting
+ "list_children"
+ # workspace clone - create WDS
+ "add_child"
+ # workspace clone - get storage container, get cloud context and spend profile id
+ "read"
+ ]
 }
 }
 authDomainConstrainable = true
@@ -287,7 +302,7 @@ resourceTypes = {
 }
 rawls = {
 roleActions = [
- # rawls needs read workspace storage containers for clone operation
+ # workspace clone - read source workspace storage containers
 "read"
 ]
 }
@@ -401,7 +416,10 @@ resourceTypes = {
 roleActions = ["read"]
 }
 rawls = {
- roleActions = ["delete"]
+ roleActions = [
+ # workspace delete
+ "delete"
+ ]
 }
 }
 reuseIds = false
@@ -751,7 +769,10 @@ resourceTypes = {
 }
 }
 rawls = {
- roleActions = ["delete"]
+ roleActions = [
+ # billing project delete
+ "delete"
+ ]
 }
 }
 reuseIds = true
@@ -1146,7 +1167,9 @@ resourceTypes = {
 }
 rawls = {
 roleActions = [
+ # landing zone creation, billing project delete
 "read_job_result"
+ # billing project delete
 "delete"
 # leonardo creates a pet even for a shared app
 "create-pet"
@@ -1454,7 +1477,10 @@ resourceTypes = {
 roleActions = ["list_resources"]
 }
 rawls = {
- roleActions = ["list_resources"]
+ roleActions = [
+ # billing project delete
+ "list_resources"
+ ]
 }
 }
 reuseIds = ${?LANDINGZONES_REUSE_IDS}
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index 1b5b858ae..d327590b8 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -272,7 +272,11 @@ resourceAccessPolicies {
 descendantPermissions = [
 {
 resourceTypeName = "workspace",
- roles = ["rawls", "reader"]
+ roles = [
+ "rawls"
+ # WSM requires one of the roles in its hierarchy, discoverer is the lowest
+ "discoverer"
+ ]
 }
 ]
 }
From 65770e615de247b3208a6d4005d6ae81f87eb142 Mon Sep 17 00:00:00 2001
From: Douglas Voet
Date: Wed, 31 Jul 2024 09:33:02 -0400
Subject: [PATCH 9/9] tweaks
---
src/main/resources/reference.conf | 2 ++
src/main/resources/sam.conf | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 1c7dfe08e..5b9a41ab7 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -304,6 +304,8 @@ resourceTypes = {
 roleActions = [
 # workspace clone - read source workspace storage containers
 "read"
+ # wds clone needs to write db backup to target workspace storage container
+ "write"
 ]
 }
 }
diff --git a/src/main/resources/sam.conf b/src/main/resources/sam.conf
index d327590b8..ee98fd026 100644
--- a/src/main/resources/sam.conf
+++ b/src/main/resources/sam.conf
@@ -274,8 +274,8 @@ resourceAccessPolicies {
 resourceTypeName = "workspace",
 roles = [
 "rawls"
- # WSM requires one of the roles in its hierarchy, discoverer is the lowest
- "discoverer"
+ # WSM requires one of the roles in its hierarchy, discoverer is the lowest but reader is the lowest that leo understands
+ "reader"
 ]
 }
 ]
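Review bot: Adding `write` to this rawls role appears to apply to every controlled-user-shared-workspace-resource the Rawls service account reaches through the descendant policy in sam.conf, not only to the target container of a clone, because the role is attached fleet-wide rather than per target; the comment names the one flow that needs it but not the breadth of what is granted. If the clone flow can obtain a target-scoped grant instead (for example a policy placed on the new resource at creation time), this role could stay read-only; if the global grant is intended, the comment should say so, e.g. `# wds clone writes the db backup to the target container; granted on every shared resource via the descendant policy`. The enclosing `rawls = {` block and its resource type start before this hunk.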
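Review bot: With `reader` now granted on every descendant workspace, the Rawls service account's effective permission on a workspace is the union of the `rawls` role and `reader`; if the workspace `reader` role includes the `read` action (its definition is not in this series), the `read` entry added to the `rawls` role in PATCH 8 becomes redundant and should either be dropped or have its comment say it is kept deliberately. The reason for preferring `reader` over `discoverer` is recorded, which is good, but the comment would read more clearly as two lines: `# WSM requires one of the roles in its hierarchy; discoverer is the lowest,` followed by `# but reader is the lowest role that leo understands`.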