From 8b037cef3fd58077c5fa293977f2c61bab21f6c4 Mon Sep 17 00:00:00 2001
From: hongming
Date: Sat, 2 Nov 2019 13:28:12 +0800
Subject: [PATCH] refine iam policy rules

Signed-off-by: hongming
---
 pkg/constants/constants.go | 1 +
 pkg/controller/workspace/workspace_controller.go | 10 ++++++++++
 pkg/models/iam/am.go | 8 +++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index c774b7210..a3a4482d3 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -45,6 +45,7 @@ const (
 	ClusterAdmin = "cluster-admin"
 	WorkspaceRegular = "workspace-regular"
 	WorkspaceViewer = "workspace-viewer"
+	WorkspacesManager = "workspaces-manager"
 	DevopsOwner = "owner"
 	DevopsReporter = "reporter"
diff --git a/pkg/controller/workspace/workspace_controller.go b/pkg/controller/workspace/workspace_controller.go
index 581b6e8be..4a022f85f 100644
--- a/pkg/controller/workspace/workspace_controller.go
+++ b/pkg/controller/workspace/workspace_controller.go
@@ -564,6 +564,11 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
 				ResourceNames: []string{workspaceName},
 				Resources: []string{"workspaces", "workspaces/*"},
 			},
+			{
+				Verbs: []string{"watch"},
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+			},
 			{
 				Verbs: []string{"list"},
 				APIGroups: []string{"iam.kubesphere.io"},
@@ -630,6 +635,11 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
 				ResourceNames: []string{workspaceName},
 				Resources: []string{"workspaces", "workspaces/*"},
 			},
+			{
+				Verbs: []string{"watch"},
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+			},
 			{
 				Verbs: []string{"get", "list"},
 				APIGroups: []string{"openpitrix.io"},
diff --git a/pkg/models/iam/am.go b/pkg/models/iam/am.go
index 29a264634..e1f4132da 100644
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
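Review bot: `WorkspacesManager` breaks the naming pattern of its neighbours in the const block (`WorkspaceAdmin`, `WorkspaceRegular`, `WorkspaceViewer` are all singular), and unlike those names nothing in this patch creates a ClusterRole called `"workspaces-manager"` — the constant is only consumed by the rule-set switch in am.go — so a reader cannot tell whether it names a real role object or an internal rule-set key. A comment above the line would settle it, e.g. `// WorkspacesManager names the simple-rule set shown to users with cluster-scope workspace permissions; it is not itself a ClusterRole (confirm).` If it is not meant to be bound as a role, keeping it out of the role-name group would also avoid it being passed to code that looks roles up by name.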
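Review bot: The added rule grants `watch` on core-group `namespaces` with no `ResourceNames` restriction, so a holder of the workspace-admin role — and, through the identical rule in the second hunk, a holder of workspace-viewer — can watch every namespace in the cluster rather than only those belonging to `workspaceName`; the rule directly above it is scoped with `ResourceNames: []string{workspaceName}`, and this one is not, which is a cross-workspace visibility widening since a watch stream carries the full namespace objects, labels and annotations included. Kubernetes RBAC cannot narrow a watch by label, so if the cluster-wide watch is needed for namespace events to reach the UI, that reasoning should be recorded on the rule: `// cluster-wide on purpose: RBAC cannot scope a namespace watch to this workspace's namespaces`. The same five-line literal now appears in both roles; hoisting it into one package-level `rbac.PolicyRule` value would keep the two in lockstep when the scope is revisited. Both getWorkspaceAdmin and getWorkspaceViewer start and end outside their hunks.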
@@ -487,7 +487,7 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 		APIGroups: []string{"*"},
 		Resources: []string{"workspaces", "workspaces/*"},
 	}) {
-		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
+		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspacesManager), nil
 	}
 	workspaceRole, err := GetUserWorkspaceRole(workspace, username)
@@ -534,6 +540,12 @@ func GetWorkspaceRoleSimpleRules(workspace, roleName string) []models.SimpleRule
 			{Name: "apps", Actions: []string{"view"}},
 			{Name: "repos", Actions: []string{"view"}},
 		}
+	case constants.WorkspacesManager:
+		workspaceRules = []models.SimpleRule{
+			{Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
+			{Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
+			{Name: "roles", Actions: []string{"view"}},
+		}
 	}
 	return workspaceRules
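Review bot: The early return now hands the `WorkspacesManager` rule set to any user whose cluster rules cover `workspaces`/`workspaces/*` under `APIGroups: []string{"*"}`, where it previously handed them the `WorkspaceAdmin` set; whatever the admin set reports beyond workspaces, members and roles (its case is outside this hunk) is therefore no longer reported for such users, and nothing in the hunk says whether that narrowing is intended or an accident of the rename. A comment at the return would make the intent reviewable: `// cluster-scope workspace managers get the manager subset rather than the per-workspace admin rules`. The values returned here are the same `SimpleRule` list the UI is presumably driven by, so a silent drop would surface as missing buttons rather than as an error — worth a test that pins the expected set for a cluster-scope user. GetUserWorkspaceSimpleRules starts and ends outside the hunk.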
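Review bot: The new `constants.WorkspacesManager` case pairs full `members` control (`edit`, `delete`, `create`, `view`) with view-only `roles`, an asymmetry the code does not explain; a one-line comment on the case, `// may manage membership but not change role definitions`, would record that it is deliberate rather than an omission. Within the hunk the switch has no `default`, so an unrecognised role name falls through to whatever `workspaceRules` held before the switch — if that is meant to be an empty set, a comment at `return workspaceRules` saying so would stop the next reader from adding a permissive fallback. GetWorkspaceRoleSimpleRules starts and ends outside the hunk.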