refine iam policy rules

Signed-off-by: N hongming <talonwan@yunify.com>

refine iam policy rules
Signed-off-by: N hongming <talonwan@yunify.com>
8b037cef · hongming · cae0911d · 8b037cef · 8b037cef · 8b037cef
Showing with 18 addition and 1 deletion

pkg/constants/constants.go pkg/constants/constants.go +1 -0

pkg/controller/workspace/workspace_controller.go pkg/controller/workspace/workspace_controller.go +10 -0

pkg/models/iam/am.go pkg/models/iam/am.go +7 -1

未找到文件。
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -45,6 +45,7 @@ const (
 	ClusterAdmin                   = "cluster-admin"
 	WorkspaceRegular               = "workspace-regular"
 	WorkspaceViewer                = "workspace-viewer"
+	WorkspacesManager              = "workspaces-manager"
 	DevopsOwner                    = "owner"
 	DevopsReporter                 = "reporter"

--- a/pkg/controller/workspace/workspace_controller.go
+++ b/pkg/controller/workspace/workspace_controller.go
@@ -564,6 +564,11 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
 			ResourceNames: []string{workspaceName},
 			Resources:     []string{"workspaces", "workspaces/*"},
 		},
+		{
+			Verbs:     []string{"watch"},
+			APIGroups: []string{""},
+			Resources: []string{"namespaces"},
+		},
 		{
 			Verbs:     []string{"list"},
 			APIGroups: []string{"iam.kubesphere.io"},
@@ -630,6 +635,11 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
 			ResourceNames: []string{workspaceName},
 			Resources:     []string{"workspaces", "workspaces/*"},
 		},
+		{
+			Verbs:     []string{"watch"},
+			APIGroups: []string{""},
+			Resources: []string{"namespaces"},
+		},
 		{
 			Verbs:     []string{"get", "list"},
 			APIGroups: []string{"openpitrix.io"},

--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -487,7 +487,7 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 		APIGroups: []string{"*"},
 		Resources: []string{"workspaces", "workspaces/*"},
 	}) {
-		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
+		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspacesManager), nil
 	}
 	workspaceRole, err := GetUserWorkspaceRole(workspace, username)
@@ -534,6 +534,12 @@ func GetWorkspaceRoleSimpleRules(workspace, roleName string) []models.SimpleRule
 			{Name: "apps", Actions: []string{"view"}},
 			{Name: "repos", Actions: []string{"view"}},
 		}
+	case constants.WorkspacesManager:
+		workspaceRules = []models.SimpleRule{
+			{Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
+			{Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
+			{Name: "roles", Actions: []string{"view"}},
+		}
 	}
 	return workspaceRules