[a2-694] Add policy for applications service IAM v1 and v2 (#462)

* [a2-694] Add policy for applications service IAM v1 and v2 - For v1 add resource service_groups - For v2 add resource applications:serviceGroups Signed-off-by: kmacgugan <[email protected]> * -Add v2 IAM policies to viewer and editor role -Update v1 policies to actually be v1 policy and not the v2 ones Signed-off-by: kmacgugan <[email protected]> * Split iam role migration to datamigration directory Signed-off-by: kmacgugan <[email protected]> * Regenerate protos, remove END; from sql Signed-off-by: kmacgugan <[email protected]> * Add documents for default policies Signed-off-by: kmacgugan <[email protected]>
chef · Jun 5, 2019 · 7392f96 · 7392f96
1 parent cc42fcb
commit 7392f96
Show file tree

Hide file tree

Showing 10 changed files with 186 additions and 114 deletions.
diff --git a/api/external/applications/applications.pb.go b/api/external/applications/applications.pb.go
diff --git a/api/external/applications/applications.pb.policy-v1.go b/api/external/applications/applications.pb.policy-v1.go
diff --git a/api/external/applications/applications.pb.policy-v2.go b/api/external/applications/applications.pb.policy-v2.go
diff --git a/api/external/applications/applications.proto b/api/external/applications/applications.proto
@@ -18,44 +18,42 @@ import "api/external/common/query/parameters.proto";
 service ApplicationsService {
   rpc GetServiceGroups(ServiceGroupsReq) returns (ServiceGroups) {
     option (google.api.http).get = "/beta/applications/service-groups";
-    // TODO (dan, 2/2019): need to replace this once we have resources and such
-    // created in the auth system
     option (chef.automate.api.policy) = {
-      resource: "nodes"
+      resource: "service_groups"
       action: "list"
     };
     option (chef.automate.api.iam.policy) = {
-      resource: "infra:nodes"
-      action: "infra:nodes:list"
+      resource: "applications:serviceGroups"
+      action: "applications:serviceGroups:list"
     };
   };
   rpc GetServiceGroupsHealthCounts(ServiceGroupsHealthCountsReq) returns (HealthCounts) {
     // TODO (afiune, 3/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/service_groups_health_counts";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
   rpc GetServices(ServicesReq) returns (ServicesRes) {
     // TODO (afiune, 4/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/services";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
 
   rpc GetServicesBySG(ServicesBySGReq) returns (ServicesBySGRes) {
     // TODO (afiune, 4/2019): need to replace this once we have resources and such
     // created in the auth system
     option (google.api.http).get = "/beta/applications/service-groups/{service_group_id}";
-    option (chef.automate.api.policy).resource = "nodes";
+    option (chef.automate.api.policy).resource = "service_groups";
     option (chef.automate.api.policy).action = "list";
-    option (chef.automate.api.iam.policy).resource = "infra:nodes";
-    option (chef.automate.api.iam.policy).action = "infra:nodes:list";
+    option (chef.automate.api.iam.policy).resource = "applications:serviceGroups";
+    option (chef.automate.api.iam.policy).action = "applications:serviceGroups:list";
   };
   rpc GetVersion (common.version.VersionInfoRequest) returns (common.version.VersionInfo) {
     option (google.api.http).get = "/beta/applications/version";

diff --git a/components/authz-service/constants/v1/constants.go b/components/authz-service/constants/v1/constants.go
@@ -107,6 +107,9 @@ const (
 	// data collector endpoint and have them proxied to A2's data collector without
 	// the need of a legacy data collector token
 	CSNginxComplianceDataCollectorPolicyID = "6e792df9-e51f-4474-9539-40ca2a2b308c"
+
+	// ApplicationsServiceGroupsPolicyID correlates to the policy applications:serviceGroups
+	ApplicationsServiceGroupsPolicyID = "aee14d59-da0b-4974-ba6d-1a018b024874"
 )
 
 // These are only used for testing and memstore purposes.
@@ -135,6 +138,7 @@ var (
 		ComplianceTokenSearchProfilesPolicyID,
 		ReadOwnUserProfilePolicyID,
 		LocalUserSelfPolicyID,
+		ApplicationsServiceGroupsPolicyID,
 	}
 
 	// NonDeletablePolicyIDs is an array of non-deletable policy IDs.

diff --git a/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql b/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql
@@ -0,0 +1,15 @@
+BEGIN;
+
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*:list, applications:*:get}'
+    WHERE
+        id = 'viewer';
+
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*}'
+    WHERE
+        id = 'editor';
+
+COMMIT;
diff --git a/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql b/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql
@@ -0,0 +1,13 @@
+BEGIN;
+
+INSERT INTO policies
+    VALUES ('aee14d59-da0b-4974-ba6d-1a018b024874',
+            '{"action": "*", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
+            CURRENT_TIMESTAMP,
+            1,
+            TRUE)
+    ON CONFLICT (id) DO UPDATE
+    SET policy_data='{"action": "*", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
+        deletable=TRUE;
+
+COMMIT;
diff --git a/components/authz-service/storage/v1/storage.go b/components/authz-service/storage/v1/storage.go
@@ -300,6 +300,14 @@ func DefaultPolicies() (map[string]*Policy, error) {
 			Effect:   "allow",
 			Version:  1,
 		},
+		constants.ApplicationsServiceGroupsPolicyID: {
+			ID:       ids[constants.ApplicationsServiceGroupsPolicyID],
+			Subjects: []string{"user:*"},
+			Resource: "service_groups",
+			Action:   "*",
+			Effect:   "allow",
+			Version:  1,
+		},
 	}
 	return defaultPolicies, nil
 }
diff --git a/components/automate-chef-io/content/docs/default-policies.md b/components/automate-chef-io/content/docs/default-policies.md
@@ -144,6 +144,40 @@ EventFeed | GetEventTypeCounts | /event_type_counts | GET | events:types | count
 EventFeed | GetEventTaskCounts | /event_task_counts | GET | events:tasks | count
 EventFeed | GetEventStringBuckets | /eventstrings | GET | events:strings | read
 
+## Applications (BETA)
+
+### Applications page
+
+> These default policies allow all users to perform any action on application page resources
+
+```bash
+  {
+      "action": "*",
+      "resource": "service_groups",
+      "subjects": [
+          "user:*"
+      ]
+  },
+  {
+      "action": "*",
+      "resource": "service_groups:*",
+      "subjects": [
+          "user:*"
+      ]
+  }
+```
+
+### Applications Page
+
+> Corresponds to "Application tab (`/applications`)
+
+Service | Method | HTTP Endpoint | HTTP Method | Resource | Action
+---|---|---|---|---|---
+Applications | GetServiceGroups | /beta/applications/service-groups | GET | service_groups | list
+Applications | GetServiceGroupsHealthCounts | /beta/applications/service_groups_health_counts | GET | service_groups | list
+Applications | GetServices | /beta/applications/services | GET | service_groups| list
+Applications | GetServicesBySG | /beta/applications/service-groups/{service_group_id} | GET | service_groups | list
+
 ## Telemetry
 
 ### TelemetryPolicies

diff --git a/components/automate-chef-io/content/docs/iam-v2-api-reference.md b/components/automate-chef-io/content/docs/iam-v2-api-reference.md
@@ -209,8 +209,8 @@ Roles you create are Custom roles.
 Chef-managed Role Name | ID| Actions
 -----------------------|-----|--------
 Owner       | owner       | `*`
-Viewer      | viewer      | `infra:*:get`, `infra:*:list`, `compliance:*:get`, `compliance:*:list`, `system:*:get`, `system:*:list`, `event:*:get`, `event:*:list`, `ingest:*:get`, `ingest:*:list`
-Editor      | editor      | `infra:*`, `compliance:*`, `system:*`, `event:*`, `ingest:*`, `secrets:*`, `telemetry:*`
+Viewer      | viewer      | `infra:*:get`, `infra:*:list`, `compliance:*:get`, `compliance:*:list`, `system:*:get`, `system:*:list`, `event:*:get`, `event:*:list`, `ingest:*:get`, `ingest:*:list`, `applications:*:list`, `applications:*:get`
+Editor      | editor      | `infra:*`, `compliance:*`, `system:*`, `event:*`, `ingest:*`, `secrets:*`, `telemetry:*`, `applications:*`
 Ingest      | ingest      | `infra:ingest:*`, `compliance:profiles:get`, `compliance:profiles:list`
 
 ### Listing Roles