Github user naamashoresh commented on a diff in the pull request:

    
https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629894
  
    --- Diff: traffic_ops/app/db/seeds.sql ---
    @@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
     insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
     insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
     insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
    +insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
     
     -- tenants
     insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
     
    +-- capabilities
    +insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
    +insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
    +insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
    +insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values 
('ds-security-keys-read', 'View delivery-service security keys') ON CONFLICT 
(name) DO NOTHING;
    +insert into capability (name, description) values 
('ds-security-keys-write', 'Create, edit or delete delivery-service security 
keys') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-stats-read', 'View 
delivery-service statistics') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-steering-read', 
'View delivery-service steering configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('ds-steering-write', 
'Create, edit or delete delivery-service steering configuration') ON CONFLICT 
(name) DO NOTHING;
    +insert into capability (name, description) values 
('federation-routing-read', 'View federation routing') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values 
('federation-routing-write', 'Create, edit or delete federation routing') ON 
CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('job-read', 'View 
jobs') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('job-write', 'Create, 
edit or delete jobs') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('params-read', 'View 
parameters') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('params-write', 
'Create, edit or delete parameters') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('phys-location-read', 
'View physical location configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('phys-location-write', 
'Create, edit or delete physical location configuration') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values ('profile-read', 'View 
profiles') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('profile-write', 
'Create, edit or delete profiles') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('queue-updates-write', 
'Queue updates to caches') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('region-read', 'View 
region configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('region-write', 
'Create, edit or delete region configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('role-read', 'View role 
configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('role-write', 'Create, 
edit or delete role configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('security-keys-read', 
'View security keys') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('security-keys-write', 
'Create, edit or delete security keys') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values 
('server-pull-updates-read', 'Read server update indication') ON CONFLICT 
(name) DO NOTHING;
    +insert into capability (name, description) values 
('server-pull-updates-write', 'Write server update indication') ON CONFLICT 
(name) DO NOTHING;
    +insert into capability (name, description) values ('server-read', 'View 
server configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('server-write', 
'Create, edit or delete server configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('static-dns-read', 
'View static DNS configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('static-dns-write', 
'Create, edit or delete static DNS configuration') ON CONFLICT (name) DO 
NOTHING;
    +insert into capability (name, description) values ('status-read', 'View 
the list of defined statuses') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('to-extension-read', 
'View Traffic Ops extensions') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('to-extension-write', 
'Create, edit or delete Traffic Ops extensions') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('type-read', 'View 
types configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('type-write', 'Create, 
edit or delete type configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('user-read', 'View user 
configuration') ON CONFLICT (name) DO NOTHING;
    +insert into capability (name, description) values ('user-write', 'Create, 
edit or delete user configuration') ON CONFLICT (name) DO NOTHING;
    +
    +-- roles_capabilities
    +insert into role_capability (role_id, cap_name) values ((select id from 
role where name='root'), 'all-read') ON CONFLICT (role_id, cap_name) DO NOTHING;
    +insert into role_capability (role_id, cap_name) values ((select id from 
role where name='root'), 'all-write') ON CONFLICT (role_id, cap_name) DO 
NOTHING;
    +
    +-- api_capabilities
    +insert into api_capability (http_method, route, capability) values ('GET', 
'/', 'all-read') ON CONFLICT (http_method, route, capability) DO NOTHING;
    +insert into api_capability (http_method, route, capability) values 
('POST', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO 
NOTHING;
    +insert into api_capability (http_method, route, capability) values ('PUT', 
'/', 'all-write') ON CONFLICT (http_method, route, capability) DO NOTHING;
    +insert into api_capability (http_method, route, capability) values 
('PATCH', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO 
NOTHING;
    +insert into api_capability (http_method, route, capability) values 
('DELETE', '/', 'all-write') ON CONFLICT (http_method, route, capability) DO 
NOTHING;
    +
    +insert into api_capability (http_method, route, capability) values ('GET', 
'/api/*/asns', 'asn-read') ON CONFLICT (http_method, route, capability) DO 
NOTHING; -- 4
    +insert into api_capability (http_method, route, capability) values ('GET', 
'/api/*/asns/*', 'asn-read') ON CONFLICT (http_method, route, capability) DO 
NOTHING; -- 5
    +insert into api_capability (http_method, route, capability) values 
('POST', '/api/*/asns', 'asn-write') ON CONFLICT (http_method, route, 
capability) DO NOTHING; -- 6
    +insert into api_capability (http_method, route, capability) values ('PUT', 
'/api/*/asns/*', 'asn-write') ON CONFLICT (http_method, route, capability) DO 
NOTHING; -- 7
    +insert into api_capability (http_method, route, capability) values 
('DELETE', '/api/*/asns/*', 'asn-write') ON CONFLICT (http_method, route, 
capability) DO NOTHING; -- 8
    +insert into api_capability (http_method, route, capability) values ('GET', 
'/api/*/cache_stats', 'cache-stats-read') ON CONFLICT (http_method, route, 
capability) DO NOTHING; -- 11
    +insert into api_capability (http_method, route, capability) values ('GET', 
'/internal/api/*/daily_summary', 'cache-stats-read') ON CONFLICT (http_method, 
route, capability) DO NOTHING; -- 12
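Review bot: The second `ds-cache-read` insert carries the description 'Create, edit or delete delivery-service cache assignment', so it looks like it was meant to be `ds-cache-write`; as written, `ON CONFLICT (name) DO NOTHING` silently skips it and no write capability for delivery-service cache assignment is seeded. The row should read `insert into capability (name, description) values ('ds-cache-write', 'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;`. Because these rows define the authorization vocabulary, a silently dropped capability is easy to miss until a role or route mapping references it. The new `root` role insert also uses a bare `ON CONFLICT DO NOTHING` where the neighbouring role rows name `(name)`, which would be worth aligning. The quoted hunk ends before the 260 new-side lines its header declares, so rows outside the quote are not covered here.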
    --- End diff --
    
    Since the first implementation of the API gateway reads the mapping from a 
file, and not from the DB table, I tend to either leave it as is, or remove 
everything from this table, for now, until the discussion yields some 
conclusions. What do you say?


