sureshanaparti commented on a change in pull request #4071:
URL: https://github.com/apache/cloudstack/pull/4071#discussion_r433412427



##########
File path: engine/schema/src/main/resources/META-INF/db/schema-41310to41400.sql
##########
@@ -379,3 +379,81 @@ CREATE TABLE IF NOT EXISTS 
`cloud`.`kubernetes_cluster_details` (
     PRIMARY KEY(`id`),
     CONSTRAINT `fk_kubernetes_cluster_details__cluster_id` FOREIGN KEY 
`fk_kubernetes_cluster_details__cluster_id`(`cluster_id`) REFERENCES 
`kubernetes_cluster`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `cloud`.`roles` ADD COLUMN `is_default` tinyint(1) NOT NULL 
DEFAULT '0' COMMENT 'is this a default role';
+UPDATE `cloud`.`roles` SET `is_default` = 1 WHERE id IN (1, 2, 3, 4);
+
+-- Updated Default CloudStack roles with read-only and support admin and user 
roles
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, 
`is_default`) VALUES (UUID(), 'Read-Only Admin', 'Admin', 'Default read-only 
admin role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, 
`is_default`) VALUES (UUID(), 'Read-Only User', 'User', 'Default read-only user 
role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, 
`is_default`) VALUES (UUID(), 'Admin-Support', 'Admin', 'Default admin support 
role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, 
`is_default`) VALUES (UUID(), 'User-Support', 'User', 'Default user support 
role', 1) ON DUPLICATE KEY UPDATE name=name;
+
+-- Role permissions for Read-Only Admin
+SELECT id INTO @ReadOnlyAdminRoleId FROM `cloud`.`roles` WHERE name = 
'Read-Only Admin' AND is_default = 1;
+SELECT @ReadOnlyAdminSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'list*', 
'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY 
UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 
'getUploadParamsFor*', 'DENY', 
@ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'get*', 
'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY 
UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 
'cloudianIsEnabled', 'ALLOW', 
@ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 
'quotaIsEnabled', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 
'quotaTariffList', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 
'quotaSummary', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, '*', 'DENY', 
@ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+
+-- Role permissions for Read-Only User
+SELECT id INTO @ReadOnlyUserRoleId FROM `cloud`.`roles` WHERE name = 
'Read-Only User' AND is_default = 1;
+SELECT @ReadOnlyUserSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) SELECT UUID(), @ReadOnlyUserRoleId, rule, 'ALLOW', 
@ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1 FROM 
`cloud`.`role_permissions` WHERE role_id = 4 AND permission = 'ALLOW' AND rule 
LIKE 'list%';
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) SELECT UUID(), @ReadOnlyUserRoleId, rule, 'ALLOW', 
@ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1 FROM 
`cloud`.`role_permissions` WHERE role_id = 4 AND permission = 'ALLOW' AND rule 
LIKE 'get%' AND rule NOT LIKE 'getUploadParamsFor%';
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyUserRoleId, 
'cloudianIsEnabled', 'ALLOW', @ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyUserRoleId, 
'quotaIsEnabled', 'ALLOW', @ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyUserRoleId, 
'quotaTariffList', 'ALLOW', @ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyUserRoleId, 
'quotaSummary', 'ALLOW', @ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @ReadOnlyUserRoleId, '*', 'DENY', 
@ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+
+-- Role permissions for Admin-Support
+SELECT id INTO @AdminSupportRoleId FROM `cloud`.`roles` WHERE name = 
'Admin-Support' AND is_default = 1;
+SELECT @AdminSupportSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) SELECT UUID(), @AdminSupportRoleId, rule, 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1 FROM 
`cloud`.`role_permissions` WHERE role_id = @ReadOnlyAdminRoleId AND permission 
= 'ALLOW';
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'prepareHostForMaintenance', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'cancelHostMaintenance', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'enableStorageMaintenance', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'cancelStorageMaintenance', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'createServiceOffering', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'createDiskOffering', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'createNetworkOffering', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'createVPCOffering', 'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'startVirtualMachine', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'stopVirtualMachine', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'rebootVirtualMachine', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'startKubernetesCluster', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'stopKubernetesCluster', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'attachVolume', 'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'detachVolume', 'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'uploadVolume', 'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON 
DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 'attachIso', 
'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY 
UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 'detachIso', 
'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY 
UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'registerTemplate', 'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) 
ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 'registerIso', 
'ALLOW', @AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY 
UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, 
'getUploadParamsFor*', 'ALLOW', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) VALUES (UUID(), @AdminSupportRoleId, '*', 'DENY', 
@AdminSupportSortOrder:=@AdminSupportSortOrder+1) ON DUPLICATE KEY UPDATE 
rule=rule;
+
+-- Role permissions for User-Support
+SELECT id INTO @UserSupportRoleId FROM `cloud`.`roles` WHERE name = 
'User-Support' AND is_default = 1;
+SELECT @UserSupportSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, 
`permission`, `sort_order`) SELECT UUID(), @UserSupportRoleId, rule, 'ALLOW', 
@UserSupportSortOrder:=@UserSupportSortOrder+1 FROM `cloud`.`role_permissions` 
WHERE role_id = @ReadOnlyUserRoleId AND permission = 'ALLOW';
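Review bot: The role-id lookups (`SELECT id INTO @ReadOnlyAdminRoleId ... WHERE name = 'Read-Only Admin' AND is_default = 1`, and the same pattern for the other three roles) assume the preceding `INSERT ... ON DUPLICATE KEY UPDATE name=name` actually created the row; if a deployment already has an operator-created role with that name (and `roles.name` is the key that collides — I can't see the table's unique keys from this hunk), the insert is a no-op, `is_default` stays 0, the lookup fetches zero rows and the variable is left NULL, so every following `role_permissions` insert either fails on a NOT NULL `role_id` and aborts the upgrade or writes permission rows bound to no role. The `INSERT ... SELECT` copies (`role_id = @ReadOnlyAdminRoleId`, `role_id = @ReadOnlyUserRoleId`) would then silently copy nothing, leaving the support roles with fewer rules than intended. It would be worth either guarding the permission inserts on a non-NULL id or at least stating the assumption next to the lookup, e.g. `-- assumes no pre-existing role named 'Read-Only Admin'; the lookup yields NULL (and the inserts below misbehave) otherwise`. Separately, the `INSERT ... SELECT` statements omit the `ON DUPLICATE KEY UPDATE rule=rule` that every `VALUES` insert carries, so a re-run is not idempotent in the same way; MySQL accepts the clause on `INSERT ... SELECT` as well. The hunk header announces 81 new lines but the quote ends at the User-Support copy, so the rest of that role's rules are outside this view.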

Review comment:
       > Same as above about the `rule` use?
   
   rules for the User-Support role are added from the Read-Only User role, with 
additional API rules



