From 5b4146af64b11e90fe42bd9f0f218c062a111caa Mon Sep 17 00:00:00 2001
From: hongming
Date: Fri, 22 Jun 2018 16:45:50 +0800
Subject: [PATCH] Refine default role name.

---
 pkg/apis/v1alpha/iam/policy.go | 15 +++++++++++--
 pkg/models/controllers/namespaces.go | 32 ++++++++++++++--------------
 2 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/pkg/apis/v1alpha/iam/policy.go b/pkg/apis/v1alpha/iam/policy.go
index b4529edff..19b007cc6 100644
--- a/pkg/apis/v1alpha/iam/policy.go
+++ b/pkg/apis/v1alpha/iam/policy.go
@@ -25,8 +25,10 @@ import (
 "k8s.io/api/rbac/v1"
 )
 
-const rulesConfigPath = "/etc/kubesphere/rules.json"
-const clusterRulesConfigPath = "/etc/kubesphere/clusterrules.json"
+const (
+ rulesConfigPath = "/etc/kubesphere/rules/rules.json"
+ clusterRulesConfigPath = "/etc/kubesphere/rules/clusterrules.json"
+)
 
 type roleList struct {
 ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
@@ -577,6 +579,15 @@ var (
 },
 },
 },
+{Name: "scale",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"patch"},
+ APIGroups: []string{"apps"},
+ Resources: []string{"statefulsets"},
+ },
+ },
+ },
 },
 }
 
diff --git a/pkg/models/controllers/namespaces.go b/pkg/models/controllers/namespaces.go
index a3d425e9d..582f1e69d 100644
--- a/pkg/models/controllers/namespaces.go
+++ b/pkg/models/controllers/namespaces.go
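Review bot: The new `rulesConfigPath` and `clusterRulesConfigPath` values move the rule files from /etc/kubesphere to /etc/kubesphere/rules, a deployment-facing change that is unrelated to the commit's stated purpose (renaming default roles) and carries no comment on the new side. Any image, ConfigMap mount or packaging that still places the files at the old paths will give the loader nothing to read, and nothing in this hunk shows how a missing file is handled. Suggest a doc comment on the block, `// Locations of the role and cluster-role rule definitions; deployments must mount them under /etc/kubesphere/rules.`, and a line in the commit message calling out the path move.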
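Review bot: The new `scale` role grants `patch` on whole `statefulsets` objects in the apps group, which is wider than its name suggests: a patch on the StatefulSet object can change the pod template (image, command, env, volumes), not only `spec.replicas`. If the role is meant only to resize workloads, the scale subresource is the narrower grant: `Resources: []string{"statefulsets/scale"}` with `Verbs: []string{"update", "patch"}`. Whether deployments should be covered too is not visible here; the rule lists only statefulsets. The enclosing `var (` block starts and ends outside the hunk.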
@@ -40,16 +40,16 @@ import (
 const (
 provider = "kubernetes"
 admin = "admin"
- normal = "normal"
- view = "view"
+ editor = "editor"
+ viewer = "viewer"
 kubectlNamespace = "kubesphere"
 kubectlConfigKey = "config"
 openpitrix_runtime = "openpitrix_runtime"
 )
 
-var adminRules = []rbac.PolicyRule{rbac.PolicyRule{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}
-var normalRules = []rbac.PolicyRule{rbac.PolicyRule{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
-var viewRules = []rbac.PolicyRule{rbac.PolicyRule{Verbs: []string{"list", "get"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
+var adminRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}
+var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
+var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
 
 type runTime struct {
 RuntimeId string `json:"runtime_id"`
@@ -114,10 +114,10 @@ func (ctl *NamespaceCtl) deleteOpRuntime(item v1.Namespace) {
 makeHttpRequest("DELETE", url, string(body))
 }
 
-func (ctl *NamespaceCtl) createOpRuntime(namespace, user string) ([]byte, error) {
+func (ctl *NamespaceCtl) createOpRuntime(namespace string) ([]byte, error) {
 zone := namespace
 name := namespace
- kubeConfig, err := ctl.getKubeConfig(user)
+ kubeConfig, err := ctl.getKubeConfig("admin")
 if err != nil {
 glog.Error(err)
 return nil, err
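Review bot: `viewerRules` grants `list` and `get` on `*` resources in the core group, so a `viewer` Role built from it can read every Secret in the namespace, which is broader than the name implies (the built-in Kubernetes `view` ClusterRole deliberately omits secrets for this reason); `editorRules` likewise gives `*` verbs on every core, apps and extensions resource, secrets and serviceaccounts included. If this is intended, a comment on each var should say so, e.g. `// viewerRules grants read access to every resource in the core, apps and extensions groups, including secrets.`; if not, replace `"*"` in Resources with an explicit list of the resource kinds each role is meant to cover. The rename itself is fine; the point is that the new names promise a narrower scope than the rules deliver.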
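Review bot: `kubeConfig, err := ctl.getKubeConfig("admin")` makes every namespace's OpenPitrix runtime register with the `admin` user's kubeconfig rather than the requesting user's, so whatever acts through that runtime carries admin's privileges regardless of who created the namespace; that is a privilege change the commit message does not mention and it deserves a comment at the call site stating why admin credentials are used. The literal `"admin"` also duplicates the `admin` constant declared earlier in this file; write `kubeConfig, err := ctl.getKubeConfig(admin)` so the two cannot drift apart. The error is logged here and returned, and the caller in `createRoleAndRuntime` logs it again in the last hunk; log at one layer only. `createOpRuntime`'s body continues past the hunk.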
@@ -156,8 +156,8 @@ func (ctl *NamespaceCtl) createDefaultRoleBinding(ns, user string) error {
 
 func (ctl *NamespaceCtl) createDefaultRole(ns string) error {
 adminRole := &rbac.Role{ObjectMeta: metaV1.ObjectMeta{Name: admin, Namespace: ns}, Rules: adminRules}
- normalRole := &rbac.Role{ObjectMeta: metaV1.ObjectMeta{Name: normal, Namespace: ns}, Rules: normalRules}
- viewRole := &rbac.Role{ObjectMeta: metaV1.ObjectMeta{Name: view, Namespace: ns}, Rules: viewRules}
+ editorRole := &rbac.Role{ObjectMeta: metaV1.ObjectMeta{Name: editor, Namespace: ns}, Rules: editorRules}
+ viewerRole := &rbac.Role{ObjectMeta: metaV1.ObjectMeta{Name: viewer, Namespace: ns}, Rules: viewerRules}
 
 role, _ := ctl.K8sClient.RbacV1().Roles(ns).Get(admin, metaV1.GetOptions{})
 
@@ -169,20 +169,20 @@ func (ctl *NamespaceCtl) createDefaultRole(ns string) error {
 }
 }
 
- role, _ = ctl.K8sClient.RbacV1().Roles(ns).Get(normal, metaV1.GetOptions{})
+ role, _ = ctl.K8sClient.RbacV1().Roles(ns).Get(editor, metaV1.GetOptions{})
 
- if role.Name != normal {
- _, err := ctl.K8sClient.RbacV1().Roles(ns).Create(normalRole)
+ if role.Name != editor {
+ _, err := ctl.K8sClient.RbacV1().Roles(ns).Create(editorRole)
 if err != nil {
 glog.Error(err)
 return err
 }
 }
 
- role, _ = ctl.K8sClient.RbacV1().Roles(ns).Get(view, metaV1.GetOptions{})
+ role, _ = ctl.K8sClient.RbacV1().Roles(ns).Get(viewer, metaV1.GetOptions{})
 
- if role.Name != view {
- _, err := ctl.K8sClient.RbacV1().Roles(ns).Create(viewRole)
+ if role.Name != viewer {
+ _, err := ctl.K8sClient.RbacV1().Roles(ns).Create(viewerRole)
 if err != nil {
 glog.Error(err)
 return err
@@ -206,7 +206,7 @@ func (ctl *NamespaceCtl) createRoleAndRuntime(item v1.Namespace) {
 return
 }
 
- resp, err := ctl.createOpRuntime(ns, user)
+ resp, err := ctl.createOpRuntime(ns)
 if err != nil {
 glog.Error(err)
 return
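Review bot: Renaming the default roles to `editorRole` and `viewerRole` makes `createDefaultRole` create new Role objects in each namespace, but nothing in the visible hunks removes or migrates the `normal` and `view` Roles that earlier versions created, so on an upgraded cluster those Roles, and any RoleBindings that reference them, keep granting their former permissions alongside the new ones. Either delete the old Roles here (or in a one-off migration) or document the manual cleanup step in the commit message and release notes. A short comment on the function, `// createDefaultRole ensures the admin, editor and viewer Roles exist in ns; it does not remove Roles created under older names.`, would make the current behaviour explicit. The function body continues past the hunk.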
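Review bot: `role, _ = ctl.K8sClient.RbacV1().Roles(ns).Get(editor, metaV1.GetOptions{})` and the matching `viewer` line discard the error from Get, so any failure other than not-found (an RBAC denial, an API-server timeout) typically leaves `role.Name` empty and the code falls through to Create, which then either fails with AlreadyExists for a Role that does exist or hides the real error behind a misleading one. Check the error explicitly and create only on not-found, using `IsNotFound` from `k8s.io/apimachinery/pkg/api/errors` (an import this hunk does not show; alias it if the file already imports the standard `errors` package). The same pattern is in the `admin` branch just above the hunk and should be fixed together; each site also logs and returns the same error, so log at one layer only. `createDefaultRole`'s body continues past the hunk.
```go
	// … unchanged: admin role lookup and creation …
	if _, err := ctl.K8sClient.RbacV1().Roles(ns).Get(editor, metaV1.GetOptions{}); err != nil {
		if !k8serrors.IsNotFound(err) {
			return err
		}
		if _, err := ctl.K8sClient.RbacV1().Roles(ns).Create(editorRole); err != nil {
			return err
		}
	}
	// … same shape for viewer / viewerRole …
```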
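Review bot: `resp, err := ctl.createOpRuntime(ns)` is followed by `glog.Error(err)`, yet `createOpRuntime` already logs the same error before returning it, at least on the `getKubeConfig` failure path shown in the earlier hunk, so each failure appears twice in the log with no added context. Log at one layer: either drop the inner `glog.Error(err)` or keep only this one and wrap it with the context the inner layer lacks, e.g. `glog.Errorf("creating openpitrix runtime for namespace %s: %v", ns, err)`. `createRoleAndRuntime` starts and ends outside the hunk.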