-Add v2 IAM policies to viewer and editor role

-Update v1 policies to actually be v1 policy and not the v2 ones Signed-off-by: kmacgugan <[email protected]>
chef · May 31, 2019 · 7c7959a · 7c7959a
1 parent 3a9da67
commit 7c7959a
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 5 deletions.
diff --git a/api/external/applications/applications.proto b/api/external/applications/applications.proto
@@ -18,8 +18,6 @@ import "api/external/common/query/parameters.proto";
 service ApplicationsService {
   rpc GetServiceGroups(ServiceGroupsReq) returns (ServiceGroups) {
     option (google.api.http).get = "/beta/applications/service-groups";
-    // TODO (dan, 2/2019): need to replace this once we have resources and such
-    // created in the auth system
     option (chef.automate.api.policy) = {
       resource: "service_groups"
       action: "list"

diff --git a/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql b/components/authz-service/storage/postgres/migration/sql/45_add_application_policies.up.sql
@@ -2,12 +2,23 @@ BEGIN;
 
 INSERT INTO policies
     VALUES ('aee14d59-da0b-4974-ba6d-1a018b024874',
-            '{"action": "*", "effect": "allow", "resource": "applications:serviceGroups", "subjects": ["user:*"]}',
+            '{"action": "*", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
             CURRENT_TIMESTAMP,
             1,
             TRUE)
     ON CONFLICT (id) DO UPDATE
-    SET policy_data='{"action": "list", "effect": "allow", "resource": "applications:serviceGroups", "subjects": ["user:*"]}',
+    SET policy_data='{"action": "list", "effect": "allow", "resource": "service_groups", "subjects": ["user:*"]}',
         deletable=TRUE;
 
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*:list}'
+    WHERE
+        id = 'viewer';
+
+UPDATE iam_roles
+    SET
+        actions = actions || '{applications:*}'
+    WHERE
+        id = 'editor';
 END;
diff --git a/components/authz-service/storage/v1/storage.go b/components/authz-service/storage/v1/storage.go
@@ -303,7 +303,7 @@ func DefaultPolicies() (map[string]*Policy, error) {
 		constants.ApplicationsServiceGroupsPolicyID: {
 			ID:       ids[constants.ApplicationsServiceGroupsPolicyID],
 			Subjects: []string{"user:*"},
-			Resource: "applications:serviceGroups",
+			Resource: "service_groups",
 			Action:   "*",
 			Effect:   "allow",
 			Version:  1,

diff --git a/components/authz-service/storage/v2/storage.go b/components/authz-service/storage/v2/storage.go
@@ -234,6 +234,7 @@ func DefaultRoles() []Role {
 			"ingest:*",
 			"secrets:*",
 			"telemetry:*",
+			"applications:*",
 		},
 		Type: ChefManaged,
 	}
@@ -254,6 +255,7 @@ func DefaultRoles() []Role {
 			"event:*:list",
 			"ingest:*:get",
 			"ingest:*:list",
+			"applications:*:list",
 		},
 		Type: ChefManaged,
 	}