Merge pull request #1322 from wansir/policy-rules
refine iam policy rules
@@ -45,6 +45,7 @@ const (
|
||||
ClusterAdmin = "cluster-admin"
|
||||
WorkspaceRegular = "workspace-regular"
|
||||
WorkspaceViewer = "workspace-viewer"
|
||||
WorkspacesManager = "workspaces-manager"
|
||||
DevopsOwner = "owner"
|
||||
DevopsReporter = "reporter"
|
||||
|
||||
|
||||
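Review bot: The new `WorkspacesManager` constant (presumably the one line this hunk adds) has no doc comment, and its name reads as a sibling of `WorkspaceRegular`/`WorkspaceViewer` even though `GetUserWorkspaceSimpleRules` selects it for users whose rules match a wildcard `workspaces` check rather than a per-workspace role binding. A one-line comment such as `// WorkspacesManager is the role returned for users whose rules cover all workspaces; see GetUserWorkspaceSimpleRules.` would keep it from being confused with `WorkspaceAdmin`. The enclosing const block starts outside the hunk.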
@@ -564,6 +564,11 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
|
||||
ResourceNames: []string{workspaceName},
|
||||
Resources: []string{"workspaces", "workspaces/*"},
|
||||
},
|
||||
{
|
||||
Verbs: []string{"watch"},
|
||||
APIGroups: []string{""},
|
||||
Resources: []string{"namespaces"},
|
||||
},
|
||||
{
|
||||
Verbs: []string{"list"},
|
||||
APIGroups: []string{"iam.kubesphere.io"},
|
||||
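Review bot: The added namespaces rule in getWorkspaceAdmin (`Verbs: watch`, `APIGroups: ""`, `Resources: namespaces`) carries no `ResourceNames`, so the workspace-admin ClusterRole can watch every namespace in the cluster, not only those belonging to `workspaceName`; the same rule is added to getWorkspaceViewer in the next hunk. RBAC `resourceNames` cannot express "the namespaces labelled with this workspace", so if cluster-wide visibility of namespace names and metadata is the accepted trade-off, record it at the rule: `// Namespace watch cannot be scoped to this workspace's namespaces; exposes metadata of all namespaces.` If only the workspace's own namespaces should be visible, the filtering has to happen in a layer above raw RBAC. The rules slice and getWorkspaceAdmin both start outside the hunk.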
@@ -630,6 +635,11 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
|
||||
ResourceNames: []string{workspaceName},
|
||||
Resources: []string{"workspaces", "workspaces/*"},
|
||||
},
|
||||
{
|
||||
Verbs: []string{"watch"},
|
||||
APIGroups: []string{""},
|
||||
Resources: []string{"namespaces"},
|
||||
},
|
||||
{
|
||||
Verbs: []string{"get", "list"},
|
||||
APIGroups: []string{"openpitrix.io"},
|
||||
|
||||
@@ -486,7 +486,7 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
|
||||
APIGroups: []string{"*"},
|
||||
Resources: []string{"workspaces", "workspaces/*"},
|
||||
}) {
|
||||
return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
|
||||
return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspacesManager), nil
|
||||
}
|
||||
|
||||
workspaceRole, err := GetUserWorkspaceRole(workspace, username)
|
||||
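Review bot: The early return now hands back the `WorkspacesManager` rule set instead of `WorkspaceAdmin` for any user whose rules satisfy the wildcard `workspaces` check above it, and it still returns before `GetUserWorkspaceRole(workspace, username)` is consulted. If the workspace-admin simple rules include actions the new manager set lacks (the manager case in `GetWorkspaceRoleSimpleRules` lists only `view` for `roles`), a user holding both the wildcard rule and an explicit workspace-admin binding now sees fewer actions than before; the admin case is not visible from here, so please confirm the narrowing is intended. A comment on the branch, e.g. `// Wildcard workspaces access maps to the workspaces-manager rule set; explicit workspace roles are not merged in.`, would record that decision. GetUserWorkspaceSimpleRules starts before and ends after this hunk.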
@@ -533,6 +533,12 @@ func GetWorkspaceRoleSimpleRules(workspace, roleName string) []models.SimpleRule
|
||||
{Name: "apps", Actions: []string{"view"}},
|
||||
{Name: "repos", Actions: []string{"view"}},
|
||||
}
|
||||
case constants.WorkspacesManager:
|
||||
workspaceRules = []models.SimpleRule{
|
||||
{Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
|
||||
{Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
|
||||
{Name: "roles", Actions: []string{"view"}},
|
||||
}
|
||||
}
|
||||
|
||||
return workspaceRules
|
||||
|
||||
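Review bot: The new `constants.WorkspacesManager` case grants `members` the `edit`, `delete` and `create` actions while `roles` gets only `view`, with no comment saying the asymmetry is deliberate; since editing members likely amounts to assigning roles, a reader will wonder whether role editing was left out on purpose. Add `// workspaces-manager: full control over workspaces and their members; role definitions are read-only` above the case. The action order `edit, delete, create, view` also differs from the `edit, delete, view` used on the neighbouring line, which is worth aligning if order is not significant. The switch and the surrounding function start outside the hunk.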