[automate-2710] Remove system:* perms, modify infra:* perms #3148
@@ -48,6 +48,12 @@ func SystemPolicies() []*storage.Policy { | |||
Resources: []string{"system:service:version"}, | |||
Projects: []string{constants.AllProjectsID}, | |||
}, | |||
{ | |||
Effect: storage.Allow, | |||
Actions: []string{"system:telemetryConfig:get"}, |
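Review bot: the new statement in this hunk shows only `Effect: storage.Allow` and `Actions: []string{"system:telemetryConfig:get"}`, while the statement just above it also pins `Resources` and `Projects: []string{constants.AllProjectsID}`; confirm that the lines cut off after `Actions` set both for this statement too, so the telemetry allow is scoped to a resource and to all projects rather than left open. Because this statement is loaded straight into the OPA cache and never appears in the policy database, a one-line comment next to it saying why every user gets it (it replaces the access roles were accidentally getting through `system:*`) would save the next reader a trip through this PR.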
everyone should have this access, and we were inadvertently denying it to all users, and providing it to certain roles by accident due to the system:* namespace.
@@ -15,7 +15,7 @@ test_upgrade_strategy="none" | |||
|
|||
# a2-iam-no-legacy-integration verifies permissions on an IAM v2 system | |||
# without v1 legacy policies | |||
test_deploy_inspec_profiles=(a2-iam-no-legacy-integration) | |||
test_deploy_inspec_profiles=(a2-deploy-smoke) |
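Review bot: the comment two lines above this change still describes `a2-iam-no-legacy-integration` ("verifies permissions on an IAM v2 system without v1 legacy policies"), but the list now reads `test_deploy_inspec_profiles=(a2-deploy-smoke)`; update the comment to say why the smoke profile is used here (the v2 expectations changed, so the IAM profile cannot pass on both the pre- and post-upgrade deploy), otherwise the next reader will assume the IAM permission checks still run in this scenario.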
expected functionality for v2 has changed, so the a2-iam-no-legacy-integration won't pass on both the pre and post upgrade. Smoke tests ensure the pre-upgrade is running.
Looks good; just a couple things I noticed.
ingest:*:get, | ||
ingest:*:list, | ||
iam:projects:list, | ||
iam:projects:get |
I think you missed applications for viewer (you have it correctly for editor below):
automate/components/authz-service/storage/postgres/datamigration/sql/07_update_v2_roles.up.sql, line 5 in 7392f96:
`actions = actions || '{applications:*:list, applications:*:get}'`
iam:teams:get, | ||
iam:teamUsers:*, | ||
iam:users:get, | ||
iam:users:list |
If the docs are valid, project owner is supposed to be a superset of editor, so it also needs `applications:*`.
WHERE | ||
id = 'project-owner'; | ||
|
||
UPDATE iam_statements |
Even though it's not necessary with this migration, could we change the migration code to reflect the correct migration for reference?
I'd prefer not to just change the migration for the policy in the migration code and not also change the roles, and keep this migration.
If it's really clutch that we try to preserve the state of the world in the force-upgrade branch, I'd rather modify the migration code for policies AND roles and associated tests, and the datamigrations, and not add an additional SQL migration. Or I can pull this work out and point it to master, and then we'll need to be careful to fix the things in force-upgrade.
FWIW, this is why I didn't just change the migration like we'd discussed (these mostly assume that if I change the policy in the migration code, I should also change the roles, if the reason is to preserve the state of the world):
1. Since this is a post-migration migration (not just a data migration), it's kind of weird that we're changing both. If I'm strictly looking at the code in the future, I'm like "why do we have this migration if all the migration code already handles this?"
2. The other thing is that the datamigrations will overwrite the migration code, so we'll create the roles in the v2 upgrade, then overwrite them in the datamigrations, then overwrite them again in the post-v2 migrations. Not a huge deal, but feels off.
3. This change isn't really immediately related to the force upgrade. I've put it here only because we'd have to do a few modifications to force-upgrade in order to make it happy with this change.
I agree that it's annoying that we don't have a single source of truth, but I think that this will only be a source of truth for a moment in time, and we'll need to reference the sql migrations after that.
What do you think?
If there's not a functional reason to update the migration code, I'm a :bigfan: of only ever touching that code again if necessary. It's a lot of high risk code we don't wanna maintain long-term.
sounds good
👍 had one quick ask but looks good to go!
there is a do not merge label on this PR because it's currently pointed at master
Signed-off-by: Blake Johnson <[email protected]>
* Remove IAM V1 conditionals from the UI and Cypress (#2753)
* UI unit test cleanup post-merge of master. Signed-off-by: michael sorens <[email protected]>
* UI unit test cleanup post-merge of master. Signed-off-by: michael sorens <[email protected]>
* [Automate-1890] gateway v1 scrub (#2796)
* [automate-2857] Update user service to teams v2 client (#2860)
* Add method for proto parity. Adding PurgeUserMembership to allow replacing the v1 team client with a v2 version. Signed-off-by: michael sorens <[email protected]>
* Switch v1 team client to v2 team client. Signed-off-by: michael sorens <[email protected]>
* Implement necessary method for the revised interface. Signed-off-by: michael sorens <[email protected]>
* Update bldr.toml. Removed dependency required rerunning `generate_bldr_config`. Signed-off-by: michael sorens <[email protected]>
* Correct admins team name per feedback. Signed-off-by: michael sorens <[email protected]>
* [automate-2720] IAM force upgrade migrations 🎉 (#2793)
* Added general structure and TODOs for how to migrate up to the point of force upgrade. Copied over code from migrator.go because we can't use the generic version anymore. Migrating up to the last SQL schema migration before we want to force upgrade. Started porting MigrateToV2 GRPC function over to the migration code. Signed-off-by: Tyler Cloke <[email protected]>
* Remove ApplyV2DataMigrations db function and finish applying any data_migrations as part of the post-force-upgrade process. Signed-off-by: Tyler Cloke <[email protected]>
* Ported creation of default roles for v1 force upgrade. Signed-off-by: Tyler Cloke <[email protected]>
* Port defaultPolicies. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Port CreatePolicy. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Port code we might need for legacy migration. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* WIP. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Everything is compiling. Signed-off-by: Tyler Cloke <[email protected]>
* Added force_upgrade_status to only run force upgrade once. Signed-off-by: Tyler Cloke <[email protected]>
* Remove UpgradeToV2 from cli/gateway. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Remove auto-upgrade from studio. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Record migration status for versioning. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Rename constant. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Remove unused migration. Signed-off-by: Tyler Cloke <[email protected]>
* Use migration status to control migration logic. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Do TODOs. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Remove migration-related server code. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Updated our use of migration_status and cleaned up file layout. Signed-off-by: Tyler Cloke <[email protected]>
* Fixed variable name. Signed-off-by: Tyler Cloke <[email protected]>
* It working. Signed-off-by: Tyler Cloke <[email protected]>
* Initial porting work for tests. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Working on db tests. Signed-off-by: Tyler Cloke <[email protected]>
* It's passsssing. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Legacy Policy test. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Does not migrate legacy pols w/o subjs. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Legacy policies. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Migrates only valid v1 policies. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Simply log unmigrated policies. These were already invalid in v1. No big deal if they aren't migrated. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Add comment. Signed-off-by: Tyler Cloke <[email protected]>
* Renames/cleanup. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Remove ResetToV1 from gateway. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Updates bldr.toml. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Compilation errors from server change. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* remove resettov1. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Fix :allthethings:. Signed-off-by: Tyler Cloke <[email protected]>
* Linting. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Trying to get CI happy. Signed-off-by: Tyler Cloke <[email protected]>
* Remove upgrade-to-v2 cmd. Signed-off-by: Tyler Cloke <[email protected]>
* Remove upgrade-to-v2. Signed-off-by: Tyler Cloke <[email protected]>
* No longer have PreconditionFailed to tell v1 requests the gateway is in v2 mode. Just always use v2. Signed-off-by: Tyler Cloke <[email protected]>
* Hopefully tests pass now. Signed-off-by: Tyler Cloke <[email protected]>
* Bldr config. Signed-off-by: Tyler Cloke <[email protected]>
* Add deny for infra:ingest:* to default policy migration. Signed-off-by: Tyler Cloke <[email protected]>
* Delete extra comment. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* add clarity to func. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Only migrate v1 policies on upgrade. Signed-off-by: Blake Johnson <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Review comments. Signed-off-by: Tyler Cloke <[email protected]>
* Update components/authz-service/storage/postgres/postgres.go. Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Update components/authz-service/storage/postgres/migration/migration.go. Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Update components/authz-service/storage/postgres/migration/migration.go. Co-Authored-By: M Sorens <[email protected]> Signed-off-by: Tyler Cloke <[email protected]>
* Last review comments. Signed-off-by: Tyler Cloke <[email protected]> Co-authored-by: Tyler Cloke <[email protected]> Co-authored-by: M Sorens <[email protected]>
* [automate-2930] Fix NATS gateway test errors related to v2 force upgrade (#2933)
* Add some logging around forced migration (#2938)
* [automate-2861] Update authn service to teams v2 client (#2875)
* [automate-2876] Update automate-deployment to teams v2 client (#2877)
* Change IAM docs to focus on IAM v2 (#2715)
* combine iamv1 pages into 1. Signed-off-by: susanev <[email protected]>
* change users, teams, api tokens to iam v2. Signed-off-by: susanev <[email protected]>
* added pages for policies, projects, roles. Signed-off-by: susanev <[email protected]>
* Copyedits and edits for clarity. Signed-off-by: Mary Jinglewski <[email protected]> Co-authored-by: mjingle <[email protected]> Co-authored-by: susanev <[email protected]>
* Auth 2926/teams v2 migrations (#2934)
* Move operator team rename into schema migs. Signed-off-by: Blake Johnson <[email protected]>
* Integrate cli migration into schema migration. Signed-off-by: Blake Johnson <[email protected]>
* Remove datamigrations. Signed-off-by: Blake Johnson <[email protected]>
* Rename migration. Signed-off-by: Blake Johnson <[email protected]>
* Remove refs to datamigration. Signed-off-by: Blake Johnson <[email protected]>
* Remove refs to upgrade/reset iam
* Cleanup after merge-from-master
* Regenerate from protos after merge-from-master: `compile_go_protobuf_component automate-gateway && compile_go_protobuf_component api`. Signed-off-by: michael sorens <[email protected]>
* Auth 2867/remove v1 tokens gateway apis (#2970)
* remove tokens (v1) proto. Signed-off-by: Blake Johnson <[email protected]>
* Remove v1 tokens client. Signed-off-by: Blake Johnson <[email protected]>
* Modify UI to only use tokens v2 path. Signed-off-by: Blake Johnson <[email protected]>
* Update docs. Signed-off-by: Blake Johnson <[email protected]>
* Bring more files up to v2 for tokens. Signed-off-by: Blake Johnson <[email protected]>
* Update dev helper. Signed-off-by: Blake Johnson <[email protected]>
* Update docs. Signed-off-by: Blake Johnson <[email protected]>
* Remove v1 handler. Signed-off-by: Blake Johnson <[email protected]>
* Update bldr config. Signed-off-by: Blake Johnson <[email protected]>
* Remove v1 mock. Signed-off-by: Blake Johnson <[email protected]>
* remove v2 allusions. Signed-off-by: Blake Johnson <[email protected]>
* Revert docs change. Signed-off-by: Blake Johnson <[email protected]>
* [AUTOMATE-2866] Remove v1 users APIs from gateway (#2922). Signed-off-by: Tyler Cloke <[email protected]>
* Fix force-upgrade merge conflicts (#2981)
* Regenerate from protos after merge. hab studio: `compile_all_protobuf_components`; components/automate-chef-io: `make sync_swagger_files`. Signed-off-by: michael sorens <[email protected]>
* [automate-2868] Remove v1 policies (#2988)
* [Automate-2950] Port introspection from v1 to v2 (#3032)
* Relocate introspection protos to v2. Signed-off-by: michael sorens <[email protected]>
* Rewire proto files together. Signed-off-by: michael sorens <[email protected]>
* Change exposed endpoints to v2. Signed-off-by: michael sorens <[email protected]>
* Regenerate from protos. Signed-off-by: michael sorens <[email protected]>
* Relocate introspection endpoints to v2. Signed-off-by: michael sorens <[email protected]>
* Rewire go files together. Signed-off-by: michael sorens <[email protected]>
* Change UI calls to v2. Signed-off-by: michael sorens <[email protected]>
* Convert v1 integration test to v2. Signed-off-by: michael sorens <[email protected]>
* Resolve path changes in cli component. Starting with `rebuild components/automate-cli/`, the error was: `build github.com/chef/automate/components/automate-gateway/api/authz: cannot load github.com/chef/automate/components/automate-gateway/api/authz: no Go source files`. Traced that back to the same failure with just `make build` in the automate-cli directory, then to the same failure with just this: `go build github.com/chef/automate/components/automate-cli/cmd/chef-automate`. Searching for api/authz in the cli directory led me to the files in this commit. Signed-off-by: michael sorens <[email protected]>
* Regenerate bldr.toml. The "repo health" task in buildkite failed saying: `The bldr config appears to be out of date! To fix this, run: hab studio run "source .studiorc && generate_bldr_config"`. Ran the fix: `# install_if_missing core/go go` then `# generate_bldr_config`. Signed-off-by: michael sorens <[email protected]>
* Delete v1 auth URL in UI. Signed-off-by: michael sorens <[email protected]>
* Replace auth_v2_url with iam_url in UI. Signed-off-by: michael sorens <[email protected]>
* Apply assorted review feedback. Signed-off-by: michael sorens <[email protected]>
* remove v1 team APIs from gateway & update dependent integration tests (#2952)
* gateway: delete v1 team protos
* gateway: drop v1 team stuff wherever it's imported
* cli: use v2 teams client everywhere. Signed-off-by: Brenna Hewer-Darroch <[email protected]>
* [automate-2914] force-upgrade integration scenario: v1 -> v2 with migrated legacy policies (#2935)
* v1 to force-upgrade v2 integration test; reorganized all the IAM inspec tests. Signed-off-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: M Sorens <[email protected]>
* [Automate-2987] legacy ingest policy fix (#3044)
* migration: any "{infra:ingest:*}" action is now "{ingest:*}"
* update force-upgrade: delete the "deny users infra:ingest" statement in infra legacy policy; swap "infra:ingest:*" for "ingest:*" in ingest legacy policy
* legacy policy migration testing. Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: Brenna Hewer-Darroch <[email protected]>
* Resync bldr.toml: `generate_bldr_config`. Signed-off-by: michael sorens <[email protected]>
* [automate-2916] v2 with no legacy policies -> force-upgrade to latest v2 integration test (#3009)
* add v2 with no legacy force-upgrade to v2. We want to make sure that customers currently using v2 without v1 legacy policies are not disrupted by the force-upgrade. v1 legacy policies should not reappear. Signed-off-by: Brenna Hewer-Darroch <[email protected]>
* [automate-2917] v2 with legacy policies -> force-upgrade to latest v2 integration test (#3008)
* add force-upgrade v2 from v2 with legacy integration test. We want to ensure that customers currently using IAM v2 are not disrupted by the force-upgrade. Signed-off-by: Brenna Hewer-Darroch <[email protected]>
* Vanished teams on force-upgrade (#3102)
* Robust Deprecation of IAM v1 (#3104)
* Robust Deprecation of v1. Signed-off-by: kagarmoe <[email protected]>
* Deprecation on nav
* Deprecation on nav. Signed-off-by: kagarmoe <[email protected]>
* Incorporates feedback. Signed-off-by: kagarmoe <[email protected]>
* Use feature branch iam-v2-overview.md. Signed-off-by: kagarmoe <[email protected]>
* Improve verb tense in IAM v2 Overview doc (#3033)
* Improve verb tense in IAM v2 Overview doc. Signed-off-by: Mary Jinglewski <[email protected]>
* Edit progress so far. Signed-off-by: Mary Jinglewski <[email protected]>
* Incorporate Feedback. Signed-off-by: Mary Jinglewski <[email protected]>
* Active tense polishing. Signed-off-by: Mary Jinglewski <[email protected]>
* removes iam v2 from body. Signed-off-by: kagarmoe <[email protected]>
* Fix spaces. Signed-off-by: kagarmoe <[email protected]> Co-authored-by: kagarmoe <[email protected]>
* Revert "Improve verb tense in IAM v2 Overview doc (#3033)" (#3134). This reverts commit 746d6ea.
* [automate-3065] Remove v1 authz storage (#3111)
* fixes bad link. Signed-off-by: kagarmoe <[email protected]>
* Fix iam db migration tests to work locally (#3155). Signed-off-by: Tyler Cloke <[email protected]>
* Revert "Revert "Improve verb tense in IAM v2 Overview doc (#303… (#3145)
* Merge fix. Signed-off-by: michael sorens <[email protected]>
* [automate-3066] Delete authz v1 server code (#3146)
* [automate-1886] farewell chef-automate admin-token (#3188)
* chef-automate admin-token is no more. Co-authored-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: Mary Jinglewski <[email protected]>
* [automate-2710] Remove system:* perms, modify infra:* perms (#3148)
* Update roles to have infra:nodes/nodeManagers over infra:*. Signed-off-by: Blake Johnson <[email protected]>
* Update roles to not have system access. Signed-off-by: Blake Johnson <[email protected]>
* Update docs with system change. Signed-off-by: Blake Johnson <[email protected]>
* update sql readme. Signed-off-by: Blake Johnson <[email protected]>
* Refactor query to work w/o policy. Signed-off-by: Blake Johnson <[email protected]>
* Add telemetry perms into default system policies. Signed-off-by: Blake Johnson <[email protected]>
* Update tests. Signed-off-by: Blake Johnson <[email protected]>
* Remove non-existent action for telemetry. Signed-off-by: Blake Johnson <[email protected]>
* remove (in tests) permission to request license to roles. Signed-off-by: Blake Johnson <[email protected]>
* Modify integration script. Signed-off-by: Blake Johnson <[email protected]>
* Add comments. Signed-off-by: Blake Johnson <[email protected]>
* Adds applications to roles. Signed-off-by: Blake Johnson <[email protected]>
* [Automate-2950] port introspection, wave two (#3050)
* Update proto generation for v2-only. Signed-off-by: michael sorens <[email protected]>
* Remove v2 distinction in the generated code. Signed-off-by: michael sorens <[email protected]>
* Remove v1 protoc generation. Signed-off-by: michael sorens <[email protected]>
* Remove v2 from the generated pb file name. Signed-off-by: michael sorens <[email protected]>
* Correct path
* Manual cleanup to get things building. Not sure why these were not covered by the regeneration but was getting this error until I found and removed these: `$ make build` → `build github.com/chef/automate/components/automate-gateway/cmd/automate-gateway: cannot load github.com/chef/automate/components/automate-gateway/authz/policy_v2: open /Users/msorens/code/go/src/github.com/chef/automate/components/automate-gateway/authz/policy_v2: no such file or directory`. Signed-off-by: michael sorens <[email protected]>
* Regenerate bldr.toml. Signed-off-by: michael sorens <[email protected]>
* Relocate pairs and policy under iam dir. Signed-off-by: michael sorens <[email protected]>
* Minor cleanup. Signed-off-by: michael sorens <[email protected]>
* Apply review feedback. Signed-off-by: michael sorens <[email protected]>
* Regenerate v2-only pb files: `compile_all_protobuf_components`. Signed-off-by: michael sorens <[email protected]>
* Regenerate docs from protos: `make sync_swagger_files`. Signed-off-by: michael sorens <[email protected]>
* Empty commit to add missing DCO. Signed-off-by: michael sorens <[email protected]> Co-authored-by: michael sorens <[email protected]> Co-authored-by: Brenna Hewer-Darroch <[email protected]> Co-authored-by: M Sorens <[email protected]> Co-authored-by: Blake Johnson <[email protected]> Co-authored-by: susan evans <[email protected]> Co-authored-by: mjingle <[email protected]> Co-authored-by: Kimberly Garmoe <[email protected]>
🔩 Description: What code changed, and why?
System actions are intended for internal use and are needed for Automate to work correctly (e.g. the UI must be able to check the license status, the IAM version, etc. to render things correctly). They are not related to permissions a user might exercise on Automate resources (e.g. create a user, delete a missing node). To keep system policies hidden from end users, we load them directly into the OPA cache, keeping them out of the policy database.
Since system actions are not intended for end users to use in their policies, actions like `system:*:list` and `system:*:get` are not needed on the viewer role. The only thing the editor gains with `system:*` is the ability to apply a license, but we want that to be admin-only anyway. We need to adjust our editor and viewer roles to be more explicit about what is allowed under `infra` because chef servers are getting added.
SCOPE CREEP:
In the making of this PR, we noticed 1) roles were only accidentally getting access to telemetry due to the `system:*` action (the existing `telemetry:*` action was retired with v2), and 2) people outside of Admin had the capacity to request/apply a license and see the gateway endpoint due to `system:*`. We've tightened those perms here. Ideally, we have a follow-up to move telemetry and license out of the system namespace, but this gives us the desired functionality.
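As an added illustration (not code from the Automate repository), the Go program below models the effect of the role changes described above: a simplified action-wildcard matcher, the role action lists before and after this PR (abbreviated to the actions named on this page), the system policy statement from the Go hunk, and a before/after diff that lists which probe actions each role loses. The wildcard semantics, the `system:license:apply` action name and the `infra:exampleServer:list` placeholder are assumptions; resources and projects are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// ActionMatches reports whether a statement action pattern such as
// "infra:nodes:*" covers a concrete action such as "infra:nodes:get".
// Assumed semantics (illustration only, not Automate's OPA policy code):
// actions are colon-separated "namespace:resource:verb" segments, a "*"
// segment matches exactly one segment, a trailing "*" matches the rest.
func ActionMatches(pattern, action string) bool {
	p := strings.Split(pattern, ":")
	a := strings.Split(action, ":")
	for i, seg := range p {
		if seg == "*" && i == len(p)-1 {
			return len(a) >= len(p)
		}
		if i >= len(a) || (seg != "*" && seg != a[i]) {
			return false
		}
	}
	return len(a) == len(p)
}

// AnyMatches reports whether any pattern in patterns covers action.
func AnyMatches(patterns []string, action string) bool {
	for _, pat := range patterns {
		if ActionMatches(pat, action) {
			return true
		}
	}
	return false
}

// Abbreviated role action lists built only from actions named in this PR:
// "before" carries the wildcards the PR removes, "after" their replacements.
var (
	ViewerBefore = []string{"system:*:list", "system:*:get", "infra:*",
		"ingest:*:get", "ingest:*:list", "iam:projects:list", "iam:projects:get"}
	ViewerAfter = []string{"infra:nodes:*", "infra:nodeManagers:*",
		"ingest:*:get", "ingest:*:list", "iam:projects:list", "iam:projects:get",
		"applications:*:list", "applications:*:get"}
	EditorBefore = []string{"system:*", "infra:*", "ingest:*"}
	EditorAfter  = []string{"infra:nodes:*", "infra:nodeManagers:*", "ingest:*",
		"applications:*"}
	// The system policy statement from the Go hunk in this PR: granted to
	// every user straight from the OPA cache, so telemetry read access no
	// longer depends on a role happening to carry a system:* wildcard.
	SystemAllow = []string{"system:telemetryConfig:get"}
)

// Allowed evaluates an action the way the description lays it out: system
// policies apply to everyone, then the caller's role actions are consulted.
func Allowed(roleActions []string, action string) bool {
	return AnyMatches(SystemAllow, action) || AnyMatches(roleActions, action)
}

// LostAccess lists the probe actions a role could perform before the change
// but not after: the check a reviewer wants whenever a wildcard is narrowed.
func LostAccess(before, after, probes []string) []string {
	var lost []string
	for _, act := range probes {
		if Allowed(before, act) && !Allowed(after, act) {
			lost = append(lost, act)
		}
	}
	return lost
}

func main() {
	// Constructed probe set; "infra:exampleServer:list" is a placeholder for
	// a future infra resource and "system:license:apply" an assumed name.
	probes := []string{"system:license:apply", "system:telemetryConfig:get",
		"infra:nodes:get", "infra:nodeManagers:create", "infra:exampleServer:list"}
	fmt.Println("editor loses:", LostAccess(EditorBefore, EditorAfter, probes))
	fmt.Println("viewer loses:", LostAccess(ViewerBefore, ViewerAfter, probes))
}
```

Running it shows that both roles lose the placeholder infra resource (the point of narrowing `infra:*`) and that only the editor loses the license action, while telemetry reads survive for everyone through the system policy.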
👍 Definition of Done
- `infra:*` changed to `infra:nodes:*, infra:nodeManagers:*`
👟 How to Build and Test the Change
```sh
start_all_services
rebuild components/authz-service/ && rebuild components/automate-cli && rebuild components/automate-deployment/ && rebuild components/automate-gateway && rebuild components/teams-service/
# capture an admin token for the API checks below
export TOK=$(chef-automate iam token create adm --admin)
```
Then check that the `infrastructure-automation-access-legacy` policy no longer has `infra:*` statement actions (but `infra:nodes:*` and `infra:nodeManagers:*` instead).
Builds:
- Verify Private
- Verify