auto policies setup fix (#2195)

treeverse · Jul 5, 2021 · 8288f4f · 8288f4f
1 parent 9ceed49
commit 8288f4f
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/pkg/auth/setup.go b/pkg/auth/setup.go
@@ -117,6 +117,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
 				{
 					Action: []string{
 						"ci:*",
+						"retention:*",
+						"fs:ReadConfig",
 					},
 					Resource: permissions.All,
 					Effect:   model.StatementEffectAllow,
@@ -130,6 +132,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
 				{
 					Action: []string{
 						"ci:Read*",
+						"retention:Get*",
+						"fs:ReadConfig",
 					},
 					Resource: permissions.All,
 					Effect:   model.StatementEffectAllow,

diff --git a/pkg/ddl/000030_repeat_auth_migrations.down.sql b/pkg/ddl/000030_repeat_auth_migrations.down.sql
diff --git a/pkg/ddl/000030_repeat_auth_migrations.up.sql b/pkg/ddl/000030_repeat_auth_migrations.up.sql
@@ -0,0 +1,20 @@
+-- repeat migration 28 and 29: they were only now added auth/setup.go
+BEGIN;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+COMMIT;
diff --git a/pkg/permissions/actions.go b/pkg/permissions/actions.go
@@ -64,9 +64,10 @@ const (
 )
 
 var serviceSet = map[string]struct{}{
-	"fs":   {},
-	"auth": {},
-	"ci":   {},
+	"fs":        {},
+	"auth":      {},
+	"ci":        {},
+	"retention": {},
 }
 
 func IsValidAction(name string) error {