MB-46113: Expand sync gateway devops role to cluster scope

bryandmc · bryandmc · commit d712f1a9b62d · 2021-08-05T21:10:04.000Z
Change from requiring exact parameters (which aren't possible) to allowing any for bucket:scope:collection. This fixes a bug where it didn't seem possible to query the dev_ops permission despite having the sync gateway DevOps role. Discovered while helping sync gateway team integrate the new changes. Change-Id: I655353f1f8cd3825fbb823db02210ca3dfeac8db Reviewed-on: http://review.couchbase.org/c/ns_server/+/158846 Well-Formed: Build Bot <build@couchbase.com> Tested-by: Build Bot <build@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com>
diff --git a/src/menelaus_roles.erl b/src/menelaus_roles.erl
@@ -624,7 +624,7 @@ sync_gateway_roles(true) ->
        {desc, <<"Can manage Sync Gateway node-level configuration, "
                 "and access Sync Gateway's /metrics endpoint "
                 "for Prometheus integration.">>}],
-      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw, dev_ops], all},
+      [{[{collection, [any, any, any]}, sgw, dev_ops], all},
        {[admin, stats_export], [read]}]}];
 sync_gateway_roles(false) ->
     [].
