
Commit 9402071

Secrets: Create more granular fixed roles for SecureValues (#108382)
1 parent 71cb623 commit 9402071


1 file changed

+42
-15
lines changed

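--- a/pkg/registry/apis/secret/accesscontrol.go
+++ b/pkg/registry/apis/secret/accesscontrol.go
@@ -29,6 +29,25 @@ var (
 
 func registerAccessControlRoles(service accesscontrol.Service) error {
 // SecureValues
+// These are broken down into more granular fixed roles on purpose.
+// For inline Secure Values, we want to allow creation and deletion by Editors because there's no API to read/update.
+// References are only available with the API and RBAC, so those roles can be granted to any basic role by Operators.
+secureValuesCreator := accesscontrol.RoleRegistration{
+Role: accesscontrol.RoleDTO{
+Name: "fixed:secret.securevalues:creator",
+DisplayName: "Secure Values Creator",
+Description: "Create secure values.",
+Group: "Secrets Manager",
+Permissions: []accesscontrol.Permission{
+{
+Action: ActionSecretSecureValuesCreate,
+Scope: ScopeAllSecureValues,
+},
+},
+},
+Grants: []string{string(org.RoleEditor)},
+}
+
 secureValuesReader := accesscontrol.RoleRegistration{
 Role: accesscontrol.RoleDTO{
 Name: "fixed:secret.securevalues:reader",
@@ -45,32 +64,36 @@ func registerAccessControlRoles(service accesscontrol.Service) error {
 Grants: []string{string(org.RoleAdmin)},
 }
 
-secureValuesWriter := accesscontrol.RoleRegistration{
+secureValuesUpdater := accesscontrol.RoleRegistration{
 Role: accesscontrol.RoleDTO{
-Name: "fixed:secret.securevalues:writer",
-DisplayName: "Secure Values Writer",
-Description: "Create, update and delete secure values.",
+Name: "fixed:secret.securevalues:updater",
+DisplayName: "Secure Values Updater",
+Description: "Update secure values.",
 Group: "Secrets Manager",
 Permissions: []accesscontrol.Permission{
-{
-Action: ActionSecretSecureValuesCreate,
-Scope: ScopeAllSecureValues,
-},
-{
-Action: ActionSecretSecureValuesRead,
-Scope: ScopeAllSecureValues,
-},
 {
 Action: ActionSecretSecureValuesWrite,
 Scope: ScopeAllSecureValues,
 },
+},
+},
+Grants: []string{string(org.RoleAdmin)},
+}
+
+secureValuesDeleter := accesscontrol.RoleRegistration{
+Role: accesscontrol.RoleDTO{
+Name: "fixed:secret.securevalues:deleter",
+DisplayName: "Secure Values Deleter",
+Description: "Delete secure values.",
+Group: "Secrets Manager",
+Permissions: []accesscontrol.Permission{
 {
 Action: ActionSecretSecureValuesDelete,
 Scope: ScopeAllSecureValues,
 },
 },
 },
-Grants: []string{string(org.RoleAdmin)},
+Grants: []string{string(org.RoleEditor)},
 }
 
 // Keepers
@@ -119,7 +142,11 @@ func registerAccessControlRoles(service accesscontrol.Service) error {
 }
 
 return service.DeclareFixedRoles(
-secureValuesReader, secureValuesWriter,
-keepersReader, keepersWriter,
+secureValuesCreator,
+secureValuesReader,
+secureValuesUpdater,
+secureValuesDeleter,
+keepersReader,
+keepersWriter,
 )
 }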
