
Commit 80bc612

committed
feat(core): add PROXY role
* to remove the PERUNADMIN role from the proxy, a new role is created * it covers the necessary method calls and attribute rights
1 parent e68f51c commit 80bc612


6 files changed

+278
-2
lines changed


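--- a/perun-base/src/main/java/cz/metacentrum/perun/core/api/Role.java
+++ b/perun-base/src/main/java/cz/metacentrum/perun/core/api/Role.java
@@ -36,11 +36,12 @@ public class Role {
 public static final String PASSWORDRESETMANAGER = "PASSWORDRESETMANAGER";
 public static final String MEMBERSHIP = "MEMBERSHIP";
 public static final String MFA = "MFA";
+public static final String PROXY = "PROXY";
 
 public static List<String> rolesAsList() {
 return Arrays.asList(AUDITCONSUMERADMIN, CABINETADMIN, ENGINE, FACILITYADMIN, FACILITYOBSERVER, TRUSTEDFACILITYADMIN, GROUPADMIN,
 GROUPOBSERVER, GROUPMEMBERSHIPMANAGER, MEMBERSHIP, NOTIFICATIONS, PASSWORDRESETMANAGER, PERUNADMIN, PERUNOBSERVER, REGISTRAR, RESOURCEADMIN, RESOURCEOBSERVER,
 RESOURCESELFSERVICE, RPC, SECURITYADMIN, SELF, SERVICEUSER, SPREGAPPLICATION, SPONSOR, TOPGROUPCREATOR, UNKNOWNROLENAME,
-VOADMIN, VOOBSERVER, SPONSORSHIP, MFA);
+VOADMIN, VOOBSERVER, SPONSORSHIP, MFA, PROXY);
 }
 }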
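Review bot: `rolesAsList()` is a hand-maintained enumeration that has to be kept in step with both the constants declared above it and the `perun_roles` list in perun-roles.yml; forgetting either half compiles silently, and the PROXY constant is only picked up because this commit touched both. A Javadoc on the method would make that coupling visible to the next person adding a role: `/** Every role constant declared in this class; extend together with perun_roles in perun-roles.yml. */`. The `Role` class starts before the hunk, so any existing class-level note on this is outside what I can see.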

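--- a/perun-base/src/main/resources/perun-roles.yml
+++ b/perun-base/src/main/resources/perun-roles.yml
@@ -107,6 +107,8 @@
 # MEMBERSHIP role represents principal's membership in a group, VO or association with facility. This role is not
 ## explicitly saved in DB!!
 #
+# PROXY role is dedicated to service account updating user extsources and working with facilities.
+#
 # UNKNOWN exists, but it is not used in Perun.
 #
 
@@ -139,6 +141,7 @@ perun_roles:
 - SPONSORSHIP
 - PASSWORDRESETMANAGER
 - MEMBERSHIP
+- PROXY
 - UNKNOWN
 
 # A list of Perun policies that are loaded to the PerunPoliciesContainer.
@@ -216,6 +219,7 @@ perun_policies:
 getEntitylessAttributes_String_policy:
 policy_roles:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -234,6 +238,7 @@ perun_policies:
 getEntitylessKeys_AttributeDefinition_policy:
 policy_roles:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -539,6 +544,7 @@ perun_policies:
 policy_roles:
 - RPC:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -711,6 +717,7 @@ perun_policies:
 - FACILITYOBSERVER:
 - PERUNOBSERVER:
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -719,6 +726,7 @@ perun_policies:
 - FACILITYADMIN:
 - FACILITYOBSERVER:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -727,6 +735,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -825,6 +834,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -858,6 +868,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -875,6 +886,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -890,13 +902,15 @@ perun_policies:
 policy_roles:
 - FACILITYADMIN:
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 
 deleteFacility_Facility_Boolean_policy:
 policy_roles:
 - FACILITYADMIN: Facility
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -1061,6 +1075,7 @@ perun_policies:
 - PERUNOBSERVER:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
+- PROXY:
 include_policies:
 - default_policy
 
@@ -1325,6 +1340,7 @@ perun_policies:
 - GROUPADMIN: Group
 - VOADMIN: Vo
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -1336,6 +1352,7 @@ perun_policies:
 - GROUPADMIN: Group
 - VOADMIN: Vo
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -1416,6 +1433,7 @@ perun_policies:
 - VOOBSERVER: Vo
 - VOADMIN: Vo
 - TRUSTEDFACILITYADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -1431,6 +1449,7 @@ perun_policies:
 - GROUPOBSERVER: Group
 - VOADMIN: Vo
 - TRUSTEDFACILITYADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -1716,6 +1735,7 @@ perun_policies:
 - GROUPOBSERVER: Group
 - GROUPMEMBERSHIPMANAGER: Group
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -2120,6 +2140,7 @@ perun_policies:
 - GROUPOBSERVER: Vo
 - GROUPMEMBERSHIPMANAGER: Vo
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -2132,6 +2153,7 @@ perun_policies:
 - GROUPOBSERVER: Group
 - GROUPMEMBERSHIPMANAGER: Group
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -2152,6 +2174,7 @@ perun_policies:
 - PERUNOBSERVER:
 - VOOBSERVER: Vo
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -2161,6 +2184,7 @@ perun_policies:
 - PERUNOBSERVER:
 - VOOBSERVER: Vo
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -2652,6 +2676,7 @@ perun_policies:
 - GROUPADMIN: Group
 - GROUPMEMBERSHIPMANAGER: Group
 - VOADMIN: Vo
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -2716,13 +2741,15 @@ perun_policies:
 - VOADMIN: Vo
 - SPREGAPPLICATION:
 - PASSWORDRESETMANAGER:
+- PROXY:
 include_policies:
 - default_policy
 
 getMembersByUser_User_policy:
 policy_roles:
 - SELF: User
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -3244,6 +3271,7 @@ perun_policies:
 - VOADMIN: Vo
 - SPONSORSHIP: Member
 - PASSWORDRESETMANAGER:
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -4036,6 +4064,7 @@ perun_policies:
 - VOADMIN: Vo
 - VOOBSERVER: Vo
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -4052,6 +4081,7 @@ perun_policies:
 - VOADMIN: Vo
 - VOOBSERVER: Vo
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -4094,6 +4124,7 @@ perun_policies:
 FACILITYADMIN: Facility
 - TRUSTEDFACILITYADMIN: Vo
 FACILITYOBSERVER: Facility
+- PROXY:
 include_policies:
 - default_policy
 
@@ -4915,6 +4946,7 @@ perun_policies:
 policy_roles:
 - PERUNOBSERVER:
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -5648,6 +5680,7 @@ perun_policies:
 - SELF: User
 - PERUNOBSERVER:
 - SPREGAPPLICATION:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -5733,6 +5766,7 @@ perun_policies:
 - PERUNOBSERVER:
 - SPREGAPPLICATION:
 - PASSWORDRESETMANAGER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -5918,6 +5952,7 @@ perun_policies:
 - VOADMIN:
 - SELF: User
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -5968,6 +6003,7 @@ perun_policies:
 - VOOBSERVER:
 - VOADMIN:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6012,6 +6048,7 @@ perun_policies:
 - VOOBSERVER:
 - VOADMIN:
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6463,7 +6500,8 @@ perun_policies:
 - default_policy
 
 updateUserExtSourceLastAccess_UserExtSource_policy:
-policy_roles: []
+policy_roles:
+- PROXY:
 include_policies:
 - default_policy
 mfa_rules:
@@ -6507,6 +6545,7 @@ perun_policies:
 - FACILITYOBSERVER: Facility
 - VOADMIN: Vo
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6525,6 +6564,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6533,6 +6573,7 @@ perun_policies:
 - FACILITYADMIN: Facility
 - FACILITYOBSERVER: Facility
 - PERUNOBSERVER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6697,6 +6738,7 @@ perun_policies:
 - TRUSTEDFACILITYADMIN: Vo
 - SPONSOR: Vo
 - PASSWORDRESETMANAGER:
+- PROXY:
 include_policies:
 - default_policy
 
@@ -6717,6 +6759,7 @@ perun_policies:
 - TOPGROUPCREATOR: Vo
 - TRUSTEDFACILITYADMIN: Vo
 - SPONSOR: Vo
+- PROXY:
 include_policies:
 - default_policy
 
@@ -8600,6 +8643,23 @@ perun_roles_management:
 assignable_to_attributes: false
 display_name: "MFA"
 
+PROXY:
+primary_object:
+assign_to_objects: {}
+assignment_check:
+- MFA:
+entities_to_manage:
+User: user_id
+privileged_roles_to_manage:
+- PERUNADMIN:
+privileged_roles_to_read:
+- PERUNADMIN:
+- PERUNOBSERVER:
+associated_read_roles: []
+assignable_to_attributes: true
+skip_mfa: true
+display_name: "Proxy"
+
 UNKNOWN:
 primary_object:
 assign_to_objects: {}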
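--- a/perun-base/src/test/resources/test-roles.yml
+++ b/perun-base/src/test/resources/test-roles.yml
@@ -200,5 +200,10 @@ perun_policies:
 - PASSWORDRESETMANAGER:
 include_policies: [ ]
 
+test_proxy_role:
+policy_roles:
+- PROXY:
+include_policies: []
+
 perun_roles_management: {}
 ...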
