
Commit 0cdcb7e

adityathebemoshloop
authored andcommitted
feat: remove RBAC middleware checks on playbook controllers
rely on ABAC check
1 parent 78df577 commit 0cdcb7e


3 files changed

+9
-10
lines changed


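--- a/playbook/controllers.go
+++ b/playbook/controllers.go
@@ -43,9 +43,9 @@ func RegisterRoutes(e *echo.Echo) {
 	}, rbac.Authorization(policy.ObjectMonitor, policy.ActionRead))
 
 	runGroup := playbookGroup.Group("/run")
-	runGroup.POST("", HandlePlaybookRun, rbac.Playbook(policy.ActionPlaybookRun))
+	runGroup.POST("", HandlePlaybookRun)
 	runGroup.GET("/:id", HandleGetPlaybookRun, rbac.Playbook(policy.ActionRead))
-	runGroup.POST("/approve/:run_id", HandlePlaybookRunApproval, rbac.Playbook(policy.ActionPlaybookApprove))
+	runGroup.POST("/approve/:run_id", HandlePlaybookRunApproval)
 }
 
 type RunResponse struct {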
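Review bot: On the new side the run and approve routes register with no authorization middleware while `GET /:id` keeps `rbac.Playbook(policy.ActionRead)`, so enforcement for the two mutating endpoints now rests entirely on checks inside `HandlePlaybookRun` and `HandlePlaybookRunApproval`, which are outside this hunk. The commit message says the ABAC check is relied on, but nothing on the route lines records that, and a reader comparing the three registrations will reasonably read the POSTs as unprotected. I would anchor the intent in code, e.g. `// run/approve are authorized per playbook (ABAC) inside the handlers, not by route middleware` above `runGroup.POST("", HandlePlaybookRun)`. Worth confirming before merge that both handlers perform that check before creating or mutating a run, and that the companion removal of the `playbook:run`/`playbook:approve` grants in rbac/policies.yaml does not leave the handler-side check with no matching policy. `RegisterRoutes` starts before this hunk.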

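--- a/rbac/objects.go
+++ b/rbac/objects.go
@@ -118,6 +118,9 @@ var dbResourceObjMap = map[string]string{
 	"people_roles": policy.ObjectDatabasePublic,
 	"people": policy.ObjectPeople,
 	"permissions": policy.ObjectDatabaseSystem,
+	"permission_groups": policy.ObjectDatabaseSystem,
+	"permissions_summary": policy.ObjectDatabaseSystem,
+	"permissions_group_summary": policy.ObjectDatabaseSystem,
 	"playbook_action_agent_data": policy.ObjectPlaybooks,
 	"playbook_approvals": policy.ObjectPlaybooks,
 	"playbook_names": policy.ObjectDatabasePublic,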
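Review bot: The three new `permissions*` entries map those tables to `policy.ObjectDatabaseSystem` without a comment, and neither the commit title nor the description mentions them, so their relation to the RBAC change is not clear from the diff. If `dbResourceObjMap` is consulted with a fallback for table names it does not contain (not visible here), any permission-related table or view left out of it inherits whatever that fallback grants, which is the omission to check against the schema. A one-line comment such as `// permission tables and their summary views are system-scoped, like "permissions"` above `"permission_groups": policy.ObjectDatabaseSystem,` would make the grouping deliberate. `dbResourceObjMap` begins and ends outside the hunk.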

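--- a/rbac/policies.yaml
+++ b/rbac/policies.yaml
@@ -1,14 +1,14 @@
 - principal: everyone
   acl:
     - objects: database.kratos
-      actions: '!*'
+      actions: "!*"
   # Activate after UI update
   # - objects: connection
   #   actions: "!read"
 - principal: admin
   acl:
-    - objects: '*'
-      actions: '*'
+    - objects: "*"
+      actions: "*"
   inherit:
     - everyone
 - principal: viewer
@@ -32,13 +32,9 @@
     - objects: canaries,catalog,topology,playbooks,kubernetes-proxy,notification
       actions: create,read,update,delete
     - objects: connection
-      actions: 'create,read,update,delete'
+      actions: "create,read,update,delete"
     - objects: connection-detail
       actions: read
-    - objects: playbooks
-      actions: playbook:run
-    - objects: playbooks
-      actions: playbook:approve
   inherit:
     - viewer
 - principal: agent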
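Review bot: The second hunk drops the two `playbooks` entries granting `playbook:run` and `playbook:approve` from the principal whose block starts before line 32, so among the lines visible here only `admin` (via `"*"`) still carries those actions; if the ABAC path the controllers now rely on still resolves to these action names, that is a behaviour change for that principal rather than dead-rule cleanup, and the diff alone does not show which it is. Recording the decision in the file, e.g. `# playbook:run / playbook:approve are granted per playbook (ABAC), not via principal ACLs` just above `inherit:` in that block, would spare the next reader the search. The quote-style changes in both hunks are cosmetic (YAML single and double quotes are equivalent for these values) and need no further attention.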
