feat(rbac): add missing service account roles

Author: skipi

ee/rbac/assets/permissions.yaml

@@ -70,6 +70,10 @@ permissions:
       description: "View the existing dashboards within the organization."
     - name: "organization.dashboards.manage"
       description: "Create new dashboard views."
+    - name: "organization.service_accounts.view"
+      description: "View service accounts within the organization."
+    - name: "organization.service_accounts.manage"
+      description: "Manage service accounts within the organization."
   project:
     - name: "project.view"
       description: "Access the project. This permission is needed to see any page within the project."

ee/rbac/assets/roles.yaml

@@ -39,6 +39,8 @@ roles:
         - "organization.custom_roles.view"
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Admin"
       description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
       maps_to: "Admin"
@@ -77,6 +79,8 @@ roles:
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
         - "project.delete"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Member"
       description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
       permissions:

front/test/support/stubs/permission_patrol.ex

@@ -2,7 +2,7 @@ defmodule Support.Stubs.PermissionPatrol do
   alias Support.Stubs.DB
 
   @all_organization_permissions "organization.custom_roles.view,organization.custom_roles.manage,organization.okta.view,organization.okta.manage,organization.contact_support,organization.delete,organization.view,organization.secrets_policy_settings.manage,organization.secrets_policy_settings.view,organization.activity_monitor.view,organization.projects.create,organization.audit_logs.view,organization.audit_logs.manage,organization.people.view,organization.people.invite,organization.people.manage,organization.groups.view,organization.groups.manage,organization.custom_roles.manage,organization.self_hosted_agents.view,organization.self_hosted_agents.manage,organization.general_settings.view,organization.general_settings.manage,organization.secrets.view,organization.secrets.manage,organization.ip_allow_list.view,organization.ip_allow_list.manage,organization.notifications.view,organization.notifications.manage,organization.pre_flight_checks.view,organization.pre_flight_checks.manage,organization.plans_and_billing.view,organization.plans_and_billing.manage,organization.repo_to_role_mappers.manage,organization.dashboards.view,organization.dashboards.manage,organization.instance_git_integration.manage,organization.service_accounts.view,organization.service_accounts.manage"
-  @all_project_permissions "project.view,project.delete,project.access.view,project.access.manage,project.debug,project.secrets.view,project.secrets.manage,project.notifications.view,project.notifications.manage,project.insights.view,project.insights.manage,project.artifacts.view,project.artifacts.delete,project.artifacts.view_settings,project.artifacts.modify_settings,project.scheduler.view,project.scheduler.manage,project.scheduler.run_manually,project.general_settings.view,project.general_settings.manage,project.repository_info.view,project.repository_info.manage,project.deployment_targets.view,project.deployment_targets.manage,project.pre_flight_checks.view,project.pre_flight_checks.manage,project.workflow.view,project.workflow.manage,project.job.view,project.job.rerun,project.job.stop,project.job.port_forwarding,project.job.attach,project.service_accounts.view,project.service_accounts.manage"
+  @all_project_permissions "project.view,project.delete,project.access.view,project.access.manage,project.debug,project.secrets.view,project.secrets.manage,project.notifications.view,project.notifications.manage,project.insights.view,project.insights.manage,project.artifacts.view,project.artifacts.delete,project.artifacts.view_settings,project.artifacts.modify_settings,project.scheduler.view,project.scheduler.manage,project.scheduler.run_manually,project.general_settings.view,project.general_settings.manage,project.repository_info.view,project.repository_info.manage,project.deployment_targets.view,project.deployment_targets.manage,project.pre_flight_checks.view,project.pre_flight_checks.manage,project.workflow.view,project.workflow.manage,project.job.view,project.job.rerun,project.job.stop,project.job.port_forwarding,project.job.attach"
 
   def init do
     DB.add_table(:user_permissions_key_value_store, [:key, :value])

helm-chart/templates/configmaps/features.yaml

@@ -112,6 +112,8 @@ data:
       enabled: true
     wf_editor_via_jobs:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- else }}
   features.yml: |-
     activity_monitor:
@@ -216,4 +218,6 @@ data:
       enabled: true
     new_project_onboarding:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- end }}

helm-chart/templates/configmaps/permissions.yaml

@@ -50,6 +50,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -186,6 +190,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -249,4 +257,5 @@ data:
           description: "Manually stop running jobs or workflows."
         - name: "project.job.attach"
           description: "SSH into the running job, or start a debug session."
-{{- end }}
+
+{{- end }}

helm-chart/templates/configmaps/roles.yaml

@@ -33,6 +33,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "organization.instance_git_integration.manage"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Admin"
           description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
           maps_to: "Admin"
@@ -57,6 +59,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "project.delete"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Member"
           description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
           permissions: