MB-47612: New RBAC roles and privileges for Sync Gateway

bryandmc · bryandmc · commit 6a3560be8df4 · 2021-08-04T23:39:15.000Z
Added sync gateway roles to main list of roles; upgraded from only being available in developer preview. Change-Id: I58b9b6e7e98bf66182a5843acdb958e48cc8a9d0 Reviewed-on: http://review.couchbase.org/c/ns_server/+/158761 Well-Formed: Build Bot <build@couchbase.com> Tested-by: Build Bot <build@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com>
diff --git a/src/menelaus_roles.erl b/src/menelaus_roles.erl
@@ -560,6 +560,45 @@ roles() ->
        {[admin, memcached, idle], [write]},
        {[settings, autocompaction], [read]},
        {[pools], [read]}]},
+     {sync_gateway_configurator, ?RBAC_COLLECTION_PARAMS,
+      [{name, <<"Sync Gateway Architect">>},
+       {folder, mobile},
+       {desc, <<"Can manage Sync Gateway databases and users, "
+                "and access Sync Gateway's /metrics endpoint. "
+                "This user cannot read application data.">>}],
+      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw], all}]},
+     {sync_gateway_app, ?RBAC_COLLECTION_PARAMS,
+      [{name, <<"Sync Gateway Application">>},
+       {folder, mobile},
+       {desc, <<"Can manage Sync Gateway users and roles, and "
+                "read and write application data through Sync "
+                "Gateway.">>}],
+      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, auth], [configure]},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, principal], [read, write]},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, appdata], [read, write]},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, principal_appdata], [read]}]},
+     {sync_gateway_app_ro, ?RBAC_COLLECTION_PARAMS,
+      [{name, <<"Sync Gateway Application Read Only">>},
+       {folder, mobile},
+       {desc, <<"Can read Sync Gateway users and roles, and "
+                "read application data through Sync Gateway.">>}],
+      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, appdata], [read]},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, principal], [read]},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, principal_appdata], [read]}]},
+     {sync_gateway_replicator, ?RBAC_COLLECTION_PARAMS,
+      [{name, <<"Sync Gateway Replicator">>},
+       {folder, mobile},
+       {desc, <<"Can manage Inter-Sync Gateway Replications. "
+                "This user cannot read application data.">>}],
+      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, replications], all}]},
+     {sync_gateway_dev_ops, [],
+      [{name, <<"Sync Gateway Dev Ops">>},
+       {folder, mobile},
+       {desc, <<"Can manage Sync Gateway node-level configuration, "
+                "and access Sync Gateway's /metrics endpoint "
+                "for Prometheus integration.">>}],
+      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, dev_ops], all},
+       {[admin, stats_export], [read]}]},
      {external_stats_reader, [],
       [{name, <<"External Stats Reader">>},
        {folder, admin},
