Merge pull request #878 from wansir/update-iam-policy

update iam policy

Merge pull request #878 from wansir/update-iam-policy
update iam policy
aba51265 · KubeSphere CI Bot · GitHub · a8122a58 · 42e1b823 · aba51265
隐藏空白更改
内联并排

Showing with 29 addition and 2 deletion

pkg/controller/workspace/workspace_controller.go pkg/controller/workspace/workspace_controller.go +21 -0

pkg/models/iam/am.go pkg/models/iam/am.go +8 -2

未找到文件。
--- a/pkg/controller/workspace/workspace_controller.go
+++ b/pkg/controller/workspace/workspace_controller.go
@@ -560,6 +560,11 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
 			APIGroups: []string{"iam.kubesphere.io"},
 			Resources: []string{"users"},
 		},
+		{
+			Verbs:     []string{"*"},
+			APIGroups: []string{"openpitrix.io"},
+			Resources: []string{"applications", "apps", "apps/versions", "apps/events", "apps/action", "apps/audits", "repos", "repos/action", "categories", "attachments"},
+		},
 	}

 	return admin
@@ -588,6 +593,17 @@ func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
 			ResourceNames: []string{workspaceName},
 			Resources:     []string{"workspaces/members"},
 		},
+		{
+			Verbs:     []string{"get", "list"},
+			APIGroups: []string{"openpitrix.io"},
+			Resources: []string{"apps/events", "apps/action", "apps/audits"},
+		},
+
+		{
+			Verbs:     []string{"*"},
+			APIGroups: []string{"openpitrix.io"},
+			Resources: []string{"applications", "apps", "apps/versions", "repos", "repos/action", "categories", "attachments"},
+		},
 	}

 	return regular
@@ -605,6 +621,11 @@ func getWorkspaceViewer(workspaceName string) *rbac.ClusterRole {
 			ResourceNames: []string{workspaceName},
 			Resources:     []string{"workspaces", "workspaces/*"},
 		},
+		{
+			Verbs:     []string{"get", "list"},
+			APIGroups: []string{"openpitrix.io"},
+			Resources: []string{"applications", "apps", "apps/versions", "repos", "categories", "attachments"},
+		},
 	}
 	return viewer
 }
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -513,12 +513,16 @@ func GetWorkspaceRoleSimpleRules(workspace, roleName string) []models.SimpleRule
 			{Name: "devops", Actions: []string{"edit", "delete", "create", "view"}},
 			{Name: "projects", Actions: []string{"edit", "delete", "create", "view"}},
 			{Name: "roles", Actions: []string{"view"}},
+			{Name: "apps", Actions: []string{"view", "create", "manage"}},
+			{Name: "repos", Actions: []string{"view", "manage"}},
 		}
 	case constants.WorkspaceRegular:
 		workspaceRules = []models.SimpleRule{
 			{Name: "members", Actions: []string{"view"}},
-			{Name: "devops", Actions: []string{"create"}},
-			{Name: "projects", Actions: []string{"create"}},
+			{Name: "devops", Actions: []string{"view", "create"}},
+			{Name: "projects", Actions: []string{"view", "create"}},
+			{Name: "apps", Actions: []string{"view", "create"}},
+			{Name: "repos", Actions: []string{"view"}},
 		}
 	case constants.WorkspaceViewer:
 		workspaceRules = []models.SimpleRule{
@@ -527,6 +531,8 @@ func GetWorkspaceRoleSimpleRules(workspace, roleName string) []models.SimpleRule
 			{Name: "devops", Actions: []string{"view"}},
 			{Name: "projects", Actions: []string{"view"}},
 			{Name: "roles", Actions: []string{"view"}},
+			{Name: "apps", Actions: []string{"view"}},
+			{Name: "repos", Actions: []string{"view"}},
 		}
 	}