From 636ace1b867fbab15cc184c2a334485818548bae Mon Sep 17 00:00:00 2001
From: hongming
Date: Mon, 4 Nov 2019 10:16:47 +0800
Subject: [PATCH] refine iam policy rules

Signed-off-by: hongming
---
 pkg/controller/workspace/workspace_controller.go | 11 ++++++++---
 pkg/models/iam/am.go | 12 +++++++++++-
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/pkg/controller/workspace/workspace_controller.go b/pkg/controller/workspace/workspace_controller.go
index 4a022f85..f2c36cdf 100644
--- a/pkg/controller/workspace/workspace_controller.go
+++ b/pkg/controller/workspace/workspace_controller.go
@@ -574,10 +574,15 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
 APIGroups: []string{"iam.kubesphere.io"},
 Resources: []string{"users"},
 },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{"openpitrix.io"},
+ Resources: []string{"categories"},
+ },
 {
 Verbs: []string{"*"},
 APIGroups: []string{"openpitrix.io"},
- Resources: []string{"applications", "apps", "apps/versions", "apps/events", "apps/action", "apps/audits", "repos", "repos/action", "categories", "attachments"},
+ Resources: []string{"applications", "apps", "apps/versions", "apps/events", "apps/action", "apps/audits", "repos", "repos/action", "attachments"},
 },
 }
 
@@ -610,13 +615,13 @@ func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"openpitrix.io"},
- Resources: []string{"apps/events", "apps/action", "apps/audits"},
+ Resources: []string{"apps/events", "apps/action", "apps/audits", "categories"},
 },
 {
 Verbs: []string{"*"},
 APIGroups: []string{"openpitrix.io"},
- Resources: []string{"applications", "apps", "apps/versions", "repos", "repos/action", "categories", "attachments"},
+ Resources: []string{"applications", "apps", "apps/versions", "repos", "repos/action", "attachments"},
 },
 }
 
diff --git a/pkg/models/iam/am.go b/pkg/models/iam/am.go
index e1f4132d..3af5b369 100644
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -481,7 +481,16 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 return nil, err
 }
 
- // workspace manager
+ // cluster-admin
+ if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
+ Verbs: []string{"*"},
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ }) {
+ return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
+ }
+
+ // workspaces-manager
 if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
 Verbs: []string{"*"},
 APIGroups: []string{"*"},
@@ -498,6 +507,7 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 }
 return nil, err
 }
+
 return GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
 }
 
-- 
GitLab
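Review bot: The new read-only `categories` rule in getWorkspaceAdmin sits directly above the wildcard `openpitrix.io` rule with nothing recording why categories were pulled out of the `*` list, and the same split is repeated for getWorkspaceRegular in the next hunk. Because these ClusterRoles are built in code rather than shipped as manifests, a future edit that re-adds `"categories"` to the wildcard rule would silently widen workspace-level privileges again. A one-line comment such as `// categories are read-only at workspace scope; keep them out of the wildcard rule below` above each new rule would make the narrowing intentional and reviewable. getWorkspaceAdmin begins before this hunk and continues after it.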
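Review bot: The new cluster-admin branch returns the workspace-admin rule set for any user whose cluster rules satisfy `*`/`*`/`*` and skips the workspace role lookup further down, but the `// cluster-admin` comment does not say that this bypass of per-workspace membership is intended. Whether the branch is also redundant depends on how RulesMatchesRequired treats wildcards: if a wildcard rule is considered to cover the narrower workspaces-manager requirement checked immediately below (its Resources and return value are outside this hunk), that existing branch would already catch these users. I would expand the comment to `// cluster-admin: cluster rules covering every verb, group and resource make the user admin of every workspace, so skip the workspace-role lookup below`. The PolicyRule literal could also live in a package-level var instead of being rebuilt on every call, mirroring however the workspaces-manager rule is declared. GetUserWorkspaceSimpleRules begins before this hunk and ends after it.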