Github user naamashoresh commented on a diff in the pull request: https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629894 --- Diff: traffic_ops/app/db/seeds.sql --- 
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) ON CONFLICT DO NOTHING;
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic read operations. Every user should have this capability') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic write operations. Every user should have this capability') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-config-files-read', 'View the generated cache configuration files') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, edit or delete delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-security-keys-read', 'View delivery-service security keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-security-keys-write', 'Create, edit or delete delivery-service security keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-stats-read', 'View delivery-service statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-steering-read', 'View delivery-service steering configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-steering-write', 'Create, edit or delete delivery-service steering configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('federation-routing-read', 'View federation routing') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('federation-routing-write', 'Create, edit or delete federation routing') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('job-read', 'View jobs') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('job-write', 'Create, edit or delete jobs') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('params-read', 'View parameters') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('params-write', 'Create, edit or delete parameters') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('phys-location-read', 'View physical location configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('phys-location-write', 'Create, edit or delete physical location configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('profile-read', 'View profiles') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('profile-write', 'Create, edit or delete profiles') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('queue-updates-write', 'Queue updates to caches') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('region-read', 'View region configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('region-write', 'Create, edit or delete region configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('role-read', 'View role configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('role-write', 'Create, edit or delete role configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('security-keys-read', 'View security keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('security-keys-write', 'Create, edit or delete security keys') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('server-pull-updates-read', 'Read server update indication') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('server-pull-updates-write', 'Write server update indication') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('server-read', 'View server configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('server-write', 'Create, edit or delete server configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('static-dns-read', 'View static DNS configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('static-dns-write', 'Create, edit or delete static DNS configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('status-read', 'View the list of defined statuses') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('to-extension-read', 'View Traffic Ops extensions') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('to-extension-write', 'Create, edit or delete Traffic Ops extensions') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('type-read', 'View types configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('type-write', 'Create, edit or delete type configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('user-read', 'View user configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('user-write', 'Create, edit or delete user configuration') ON CONFLICT (name) DO NOTHING;
+
+-- roles_capabilities
+insert into role_capability (role_id, cap_name) values ((select id from role where name='root'), 'all-read') ON CONFLICT (role_id, cap_name) DO NOTHING;
+insert into role_capability (role_id, cap_name) values ((select id from role where name='root'), 'all-write') ON CONFLICT (role_id, cap_name) DO NOTHING;
+
+-- api_capabilities
+insert into api_capability (http_method, route, capability) values ('GET', '/', 'all-read') ON CONFLICT (http_method, route, capability) DO NOTHING;
+insert into api_capability (http_method, route, capability) values ('POST', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO NOTHING;
+insert into api_capability (http_method, route, capability) values ('PUT', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO NOTHING;
+insert into api_capability (http_method, route, capability) values ('PATCH', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO NOTHING;
+insert into api_capability (http_method, route, capability) values ('DELETE', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO NOTHING;
+
+insert into api_capability (http_method, route, capability) values ('GET', '/api/*/asns', 'asn-read') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 4
+insert into api_capability (http_method, route, capability) values ('GET', '/api/*/asns/*', 'asn-read') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 5
+insert into api_capability (http_method, route, capability) values ('POST', '/api/*/asns', 'asn-write') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 6
+insert into api_capability (http_method, route, capability) values ('PUT', '/api/*/asns/*', 'asn-write') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 7
+insert into api_capability (http_method, route, capability) values ('DELETE', '/api/*/asns/*', 'asn-write') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 8
+insert into api_capability (http_method, route, capability) values ('GET', '/api/*/cache_stats', 'cache-stats-read') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 11
+insert into api_capability (http_method, route, capability) values ('GET', '/internal/api/*/daily_summary', 'cache-stats-read') ON CONFLICT (http_method, route, capability) DO NOTHING; -- 12
--- End diff -- Since the first implementation of the API gateway reads the mapping from a file, and not from the DB table, I tend to either leave it as is, or remove everything from this table, for now, until the discussion yields some conclusions. What do you say?
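Review bot: The second `ds-cache-read` capability row (description `'Create, edit or delete delivery-service cache assignment'`) reuses the name of the row directly above it, so `ON CONFLICT (name) DO NOTHING` silently skips it and no write capability for delivery-service cache assignment is ever seeded; it should read `insert into capability (name, description) values ('ds-cache-write', 'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;`. If any `role_capability` or `api_capability` row later names `ds-cache-write`, it would point at a capability that does not exist, and whether that fails open or closed depends on the consumer — worth confirming even while the gateway still reads its mapping from a file. The new `root` role insert uses `ON CONFLICT DO NOTHING` without the `(name)` target its sibling role inserts use, and its description carries a trailing space in `'... super-user '`; since the `role_capability` rows bind this role to `all-read` and `all-write`, a one-line comment above it stating that this is the intended super-user binding would make the grant deliberate rather than incidental. The numeric trailing comments (`-- 4`, `-- 11`, `-- 12`) on the `api_capability` rows are unexplained; a header comment above the section saying what they index would help. The hunk header announces 260 added lines, so the seeded section continues beyond the quoted portion.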