Add viewer rule to armada API
Viewer will be able to do GET Tiller release and Tiller status requests armada API defines. In addition, this change also allows doing POST validate manfest request to a user with viewer role. Change-Id: I903ab656de1c6fdf979a193b1842dbd0842451d6
This commit is contained in:
parent
6078774b34
commit
95fd341b97
@ -18,13 +18,18 @@ RULE_ADMIN_REQUIRED = 'rule:admin_required'
|
||||
RULE_ADMIN_OR_TARGET_PROJECT = (
|
||||
'rule:admin_required or project_id:%(target.project.id)s')
|
||||
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
|
||||
RULE_ADMIN_VIEWER = 'rule:admin_viewer'
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(name='admin_required', check_str='role:admin'),
|
||||
policy.RuleDefault(
|
||||
name='admin_required', check_str='role:admin or role:admin_ucp'),
|
||||
policy.RuleDefault(
|
||||
name='service_or_admin',
|
||||
check_str='rule:admin_required or rule:service_role'),
|
||||
policy.RuleDefault(name='service_role', check_str='role:service'),
|
||||
policy.RuleDefault(
|
||||
name='admin_viewer',
|
||||
check_str='role:admin_ucp_viewer or {}'.format(RULE_SERVICE_OR_ADMIN)),
|
||||
]
|
||||
|
||||
|
||||
|
@ -25,7 +25,7 @@ armada_policies = [
|
||||
}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.ARMADA % 'validate_manifest',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.RULE_ADMIN_VIEWER,
|
||||
description='Validate manifest',
|
||||
operations=[{
|
||||
'path': '/api/v1.0/validatedesign/',
|
||||
|
@ -17,7 +17,7 @@ from armada.common.policies import base
|
||||
tiller_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.TILLER % 'get_status',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.RULE_ADMIN_VIEWER,
|
||||
description='Get Tiller status',
|
||||
operations=[{
|
||||
'path': '/api/v1.0/status/',
|
||||
@ -25,7 +25,7 @@ tiller_policies = [
|
||||
}]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.TILLER % 'get_release',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
check_str=base.RULE_ADMIN_VIEWER,
|
||||
description='Get Tiller release',
|
||||
operations=[{
|
||||
'path': '/api/v1.0/releases/',
|
||||
|
@ -184,16 +184,17 @@ conf:
|
||||
'pipeline:main':
|
||||
pipeline: authtoken armada-api
|
||||
policy:
|
||||
admin_required: 'role:admin'
|
||||
admin_required: 'role:admin or role:admin_ucp'
|
||||
service_or_admin: 'rule:admin_required or rule:service_role'
|
||||
service_role: 'role:service'
|
||||
admin_viewer: 'role:admin_ucp_viewer or rule:service_or_admin'
|
||||
'armada:create_endpoints': 'rule:admin_required'
|
||||
'armada:rollback_release': 'rule:admin_required'
|
||||
'armada:test_manifest': 'rule:admin_required'
|
||||
'armada:test_release': 'rule:admin_required'
|
||||
'armada:validate_manifest': 'rule:admin_required'
|
||||
service_or_admin: 'rule:admin_required or rule:service_role'
|
||||
service_role: 'role:service'
|
||||
'tiller:get_released': 'rule:admin_required'
|
||||
'tiller:get_status': 'rule:admin_required'
|
||||
'armada:validate_manifest': 'rule:admin_viewer'
|
||||
'tiller:get_release': 'rule:admin_viewer'
|
||||
'tiller:get_status': 'rule:admin_viewer'
|
||||
|
||||
pod:
|
||||
env:
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
#"admin_required": "role:admin"
|
||||
#"admin_required": "role:admin or role:admin_ucp"
|
||||
|
||||
#
|
||||
#"service_or_admin": "rule:admin_required or rule:service_role"
|
||||
@ -7,30 +7,33 @@
|
||||
#
|
||||
#"service_role": "role:service"
|
||||
|
||||
# install manifest charts
|
||||
# POST api/v1.0/apply/
|
||||
#
|
||||
#"admin_viewer": "role:admin_ucp_viewer or rule:service_or_admin"
|
||||
|
||||
# Install manifest charts
|
||||
# POST /api/v1.0/apply/
|
||||
#"armada:create_endpoints": "rule:admin_required"
|
||||
|
||||
# rollback release
|
||||
# POST api/v1.0/rollback/{release}
|
||||
#"armada:rollback_release": "rule:admin_required"
|
||||
# Validate manifest
|
||||
# POST /api/v1.0/validatedesign/
|
||||
#"armada:validate_manifest": "rule:admin_viewer"
|
||||
|
||||
# validate installed manifest
|
||||
# POST /api/v1.0/validate/
|
||||
#"armada:validate_manifest": "rule:admin_required"
|
||||
|
||||
# validate install manifest
|
||||
# Test release
|
||||
# GET /api/v1.0/test/{release}
|
||||
#"armada:test_release": "rule:admin_required"
|
||||
|
||||
# validate install manifest
|
||||
# Test manifest
|
||||
# POST /api/v1.0/tests/
|
||||
#"armada:test_manifest": "rule:admin_required"
|
||||
|
||||
# Get tiller status
|
||||
# GET /api/v1.0/status/
|
||||
#"tiller:get_status": "rule:admin_required"
|
||||
# Rollback release
|
||||
# POST /api/v1.0/rollback/{release}
|
||||
#"armada:rollback_release": "rule:admin_required"
|
||||
|
||||
# Get tiller release
|
||||
# Get Tiller status
|
||||
# GET /api/v1.0/status/
|
||||
#"tiller:get_status": "rule:admin_viewer"
|
||||
|
||||
# Get Tiller release
|
||||
# GET /api/v1.0/releases/
|
||||
#"tiller:get_release": "rule:admin_required"
|
||||
#"tiller:get_release": "rule:admin_viewer"
|
||||
|
Loading…
x
Reference in New Issue
Block a user