

[PF-578] Add role-based inheritance back to workspaces (#516)
* add role-based inheritance back to workspaces

* add comment pointing to WSM

* update writer and assigner roles
zloery committed Mar 22, 2021
1 parent e5d611b commit c34ff18
Showing 1 changed file with 21 additions and 6 deletions.
27 changes: 21 additions & 6 deletions src/main/resources/reference.conf
Expand Up @@ -118,18 +118,33 @@ resourceTypes = {
}
owner = {
roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::application", "share_policy::writer", "share_policy::reader", "own", "write", "read", "compute", "share_policy::share-reader", "share_policy::share-writer", "share_policy::can-compute", "share_policy::can-catalog", "read_auth_domain", "create_controlled_user_shared", "create_controlled_user_private", "create_referenced_resource", "update_referenced_resource", "delete_referenced_resource", "list_children", "remove_child", "add_child"]
# Workspace Manager also maintains a mapping of workspace roles to controlled resource roles. If you change this mapping, check that service's mapping as well.
descendantRoles = {
google-project = ["owner"]
controlled-user-shared-workspace-resource = ["editor", "writer", "reader"]
controlled-user-private-workspace-resource = ["assigner", "editor"]
controlled-application-shared-workspace-resource = ["editor", "writer", "reader"]
controlled-application-private-workspace-resource = ["editor"]
}
}
application = {
roleActions = ["read_policy::owner", "write", "read", "create_controlled_user_shared", "create_controlled_user_private", "create_controlled_application_shared", "create_controlled_application_private", "create_referenced_resource", "update_referenced_resource", "delete_referenced_resource", "list_children", "add_child", "remove_child", "read_auth_domain"]
}
writer = {
roleActions = ["read_policy::owner", "write", "read", "create_controlled_user_shared", "create_controlled_user_private", "create_referenced_resource", "update_referenced_resource", "delete_referenced_resource", "list_children", "add_child", "remove_child", "read_auth_domain"]
descendantRoles = {
controlled-user-shared-workspace-resource = ["editor", "writer", "reader"]
controlled-user-private-workspace-resource = ["editor"]
controlled-application-shared-workspace-resource = ["editor", "writer", "reader"]
controlled-application-private-workspace-resource = ["editor"]
}
}
reader = {
roleActions = ["read_policy::owner", "read", "read_auth_domain"]
descendantRoles = {
controlled-user-shared-workspace-resource = ["reader"]
controlled-application-shared-workspace-resource = ["reader"]
}
}
share-reader = {
roleActions = ["share_policy::reader", "read_policies"]
Expand Down Expand Up @@ -195,7 +210,7 @@ resourceTypes = {
roleActions = ["delete", "edit"]
}
writer = {
roleActions = ["write"]
roleActions = ["read", "write"]
}
reader = {
roleActions = ["read"]
Expand Down Expand Up @@ -248,13 +263,13 @@ resourceTypes = {
roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::editor", "share_policy::writer", "share_policy::reader", "own", "edit", "manage_private_user", "set_parent"]
}
assigner = {
roleActions = ["manage_private_user"]
roleActions = ["manage_private_user", "read_policies", "share_policy::editor", "share_policy::writer", "share_policy::reader"]
}
editor = {
roleActions = ["delete", "edit"]
}
writer = {
roleActions = ["write"]
roleActions = ["read", "write"]
}
reader = {
roleActions = ["read"]
Expand Down Expand Up @@ -307,7 +322,7 @@ resourceTypes = {
roleActions = ["delete", "edit"]
}
writer = {
roleActions = ["write"]
roleActions = ["read", "write"]
}
reader = {
roleActions = ["read"]
Expand Down Expand Up @@ -360,13 +375,13 @@ resourceTypes = {
roleActions = ["delete", "read_policies", "share_policy::owner", "share_policy::editor", "share_policy::writer", "share_policy::reader", "own", "edit", "manage_private_user", "set_parent"]
}
assigner = {
roleActions = ["manage_private_user"]
roleActions = ["manage_private_user", "read_policies", "share_policy::editor", "share_policy::writer", "share_policy::reader"]
}
editor = {
roleActions = ["delete", "edit"]
}
writer = {
roleActions = ["write"]
roleActions = ["read", "write"]
}
reader = {
roleActions = ["read"]
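Review bot: The writer entry in the first hunk now inherits `editor` on `controlled-user-private-workspace-resource` and `controlled-application-private-workspace-resource`, and the editor role in the later hunks is `["delete", "edit"]`, so every workspace writer can delete or edit any other user's private controlled resource without being able to read it; the commit does not say whether that asymmetry is intended. In the same hunk the owner inherits `assigner` on private resources, and the assigner role in the third and fifth hunks now carries `share_policy::editor`, `share_policy::writer` and `share_policy::reader`, which turns `manage_private_user` from a narrow assignment right into the ability to grant delete/edit on private resources — a widening that deserves a line of rationale next to the role. If both are intentional, a comment on the writer's private entries such as `# workspace writers may delete/edit (but not read) any user's private resource; mirrors WSM` and one on assigner such as `# assigner can grant editor/writer/reader on the private resource, not just reassign its user` would let a later reviewer tell policy from accident. The WSM drift comment appears only above the owner block, yet the mapping it warns about now spans owner, writer and reader, so consider moving it above the first `descendantRoles` or repeating it per role. The enclosing `resourceTypes` block begins and ends outside these hunks, so I cannot confirm whether the `application` role, which has no `descendantRoles` here, is given one elsewhere.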

