From 8288f4ff7b6b862dfed0166861aa6ff91e8d7db9 Mon Sep 17 00:00:00 2001
From: johnnyaug
Date: Mon, 5 Jul 2021 19:13:54 +0300
Subject: [PATCH] auto policies setup fix (#2195)
---
 pkg/auth/setup.go | 4 ++++
 .../000030_repeat_auth_migrations.down.sql | 0
 pkg/ddl/000030_repeat_auth_migrations.up.sql | 20 +++++++++++++++++++
 pkg/permissions/actions.go | 7 ++++---
 4 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 pkg/ddl/000030_repeat_auth_migrations.down.sql
 create mode 100644 pkg/ddl/000030_repeat_auth_migrations.up.sql
diff --git a/pkg/auth/setup.go b/pkg/auth/setup.go
index d42a172993e..5cb6a98918b 100644
--- a/pkg/auth/setup.go
+++ b/pkg/auth/setup.go
@@ -117,6 +117,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
 {
 Action: []string{
 "ci:*",
+ "retention:*",
+ "fs:ReadConfig",
 },
 Resource: permissions.All,
 Effect: model.StatementEffectAllow,
@@ -130,6 +132,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
 {
 Action: []string{
 "ci:Read*",
+ "retention:Get*",
+ "fs:ReadConfig",
 },
 Resource: permissions.All,
 Effect: model.StatementEffectAllow,
diff --git a/pkg/ddl/000030_repeat_auth_migrations.down.sql b/pkg/ddl/000030_repeat_auth_migrations.down.sql
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/pkg/ddl/000030_repeat_auth_migrations.up.sql b/pkg/ddl/000030_repeat_auth_migrations.up.sql
new file mode 100644
index 00000000000..6f155202794
--- /dev/null
+++ b/pkg/ddl/000030_repeat_auth_migrations.up.sql
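Review bot: The action list in the first `pkg/auth/setup.go` hunk (`"retention:*"` and `"fs:ReadConfig"` next to `"ci:*"`) is now maintained by hand in two places, here and in `000030_repeat_auth_migrations.up.sql`, and the migration's own comment says the two had already drifted apart. A unit test that builds the base policies and compares each statement's actions against one shared list would make the next drift fail in CI instead of leaving fresh and upgraded installs with different grants. The same applies to the second hunk at `-130,6`. The wildcard also deserves a comment, e.g. `// retention:* also grants any retention action added later; list actions explicitly if that is not intended`. The body of SetupBaseGroups starts and ends outside the hunk, so which policy this statement belongs to is inferred from the display names used in the migration.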
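Review bot: `"retention:Get*"` in the second `pkg/auth/setup.go` hunk makes the read-only policy depend on a naming convention, and the neighbouring entry uses a different prefix, `"ci:Read*"`. Every retention action whose name starts with `Get` is granted, but nothing visible here enforces that such an action is free of side effects. A comment stating the convention would help, e.g. `// read-only by convention: retention actions that mutate state must not start with "Get"`. The retention action constants are declared outside this diff, so whether any current action breaks the convention cannot be confirmed from the hunk.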
@@ -0,0 +1,20 @@
+-- repeat migration 28 and 29: they were only now added auth/setup.go
+BEGIN;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+COMMIT;
diff --git a/pkg/permissions/actions.go b/pkg/permissions/actions.go
index 4cb423806a2..5e230c9af7c 100644
--- a/pkg/permissions/actions.go
+++ b/pkg/permissions/actions.go
@@ -64,9 +64,10 @@ const (
 )
 var serviceSet = map[string]struct{}{
- "fs": {},
- "auth": {},
- "ci": {},
+ "fs": {},
+ "auth": {},
+ "ci": {},
+ "retention": {},
 }
 func IsValidAction(name string) error {
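Review bot: Each `UPDATE` in `000030_repeat_auth_migrations.up.sql` selects rows by `display_name` alone, so the allow statements are appended to whatever policy currently carries the name `RepoManagementReadAll` or `RepoManagementFullAccess`; if administrators can edit the built-in policies, that includes one deliberately made narrower. The `NOT statement @> …` guard only skips rows that already hold the same action with `"Resource": "*"`, so a policy granting the action on a restricted resource is widened to all resources. If that is intended, say so at the top of the file, e.g. `-- NOTE: re-adds these grants to the built-in policies even if they were edited; review custom changes after upgrading`. The paired `000030_repeat_auth_migrations.down.sql` is empty, so rolling back this step leaves the grants in place; a one-line comment there stating that the down step is intentionally a no-op would make that explicit.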
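Review bot: No test accompanies the new `"retention": {}` entry in `serviceSet` in `pkg/permissions/actions.go`, although the entry presumably decides whether `retention:` actions pass `IsValidAction`. A table-driven case covering an accepted retention action and a rejected unknown service would pin this. A stronger check feeds every action constant from the `const` block into `IsValidAction`, so a service added to the constants but not to `serviceSet` fails the test suite. `IsValidAction` and the `const` block both lie outside the hunk, so how the set is consulted is assumed from the names.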