From 84ac0f05a9fec435cd010d31b086f0de8a8a78ed Mon Sep 17 00:00:00 2001
From: Martin Angers
Date: Tue, 22 Feb 2022 16:57:36 -0500
Subject: [PATCH] Grant write to policies to global maintainer (#4321)

---
 ...-4260-global-maintainer-can-write-team-policy | 1 +
 docs/01-Using-Fleet/09-Permissions.md | 2 ++
 server/authz/policy.rego | 16 ++++------------
 server/authz/policy_test.go | 2 +-
 server/service/team_policies_test.go | 2 +-
 5 files changed, 9 insertions(+), 14 deletions(-)
 create mode 100644 changes/issue-4260-global-maintainer-can-write-team-policy

diff --git a/changes/issue-4260-global-maintainer-can-write-team-policy b/changes/issue-4260-global-maintainer-can-write-team-policy
new file mode 100644
index 0000000000..353f1e80db
--- /dev/null
+++ b/changes/issue-4260-global-maintainer-can-write-team-policy
@@ -0,0 +1 @@
+* Grant write access to team policies to the global maintainer role.
diff --git a/docs/01-Using-Fleet/09-Permissions.md b/docs/01-Using-Fleet/09-Permissions.md
index 721bc02bc3..e9ba0713ed 100644
--- a/docs/01-Using-Fleet/09-Permissions.md
+++ b/docs/01-Using-Fleet/09-Permissions.md
@@ -37,6 +37,8 @@ The following table depicts various permissions levels for each role.
 | Delete labels | | ✅ | ✅ |
 | Add policies for all hosts | | ✅ | ✅ |
 | Remove policies for all hosts | | ✅ | ✅ |
+| Add policies for hosts assigned to team\* | | ✅ | ✅ |
+| Remove policies for hosts assigned to team\* | | ✅ | ✅ |
 | Create users | | | ✅ |
 | Edit users | | | ✅ |
 | Delete users | | | ✅ |
diff --git a/server/authz/policy.rego b/server/authz/policy.rego
index a83e4ec856..31f6e25dd7 100644
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@@ -438,25 +438,17 @@ allow {
 # Policies
 ##
-# Global Admin can read and write policies
+# Global Admin and Maintainer can read and write policies
 allow {
 object.type == "policy"
- subject.global_role == admin
+ subject.global_role == [admin,maintainer][_]
 action == [read, write][_]
 }
-# Global Maintainer can read and write global policies
-allow {
- is_null(object.team_id)
- object.type == "policy"
- subject.global_role == maintainer
- action == [read, write][_]
-}
-# Global Maintainer and Observer users can read any policies
+# Global Observer can read any policies
 allow {
 object.type == "policy"
- subject.global_role == [maintainer,observer][_]
+ subject.global_role == observer
 action == read
 }
diff --git a/server/authz/policy_test.go b/server/authz/policy_test.go
index 337ce174b5..0f2a4aae21 100644
--- a/server/authz/policy_test.go
+++ b/server/authz/policy_test.go
@@ -681,7 +681,7 @@ func TestAuthorizePolicies(t *testing.T) {
 {user: test.UserAdmin, object: teamPolicy, action: write, allow: true},
 {user: test.UserAdmin, object: teamPolicy, action: read, allow: true},
- {user: test.UserMaintainer, object: teamPolicy, action: write, allow: false},
+ {user: test.UserMaintainer, object: teamPolicy, action: write, allow: true},
 {user: test.UserMaintainer, object: teamPolicy, action: read, allow: true},
 {user: test.UserObserver, object: teamPolicy, action: write, allow: false},
 {user: test.UserObserver, object: teamPolicy, action: read, allow: true},
diff --git a/server/service/team_policies_test.go b/server/service/team_policies_test.go
index f06a8c1685..654ddf5bba 100644
--- a/server/service/team_policies_test.go
+++ b/server/service/team_policies_test.go
@@ -78,7 +78,7 @@ func TestTeamPoliciesAuth(t *testing.T) {
 {
 "global maintainer",
 &fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
- true,
+ false,
 false,
 },
 {
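Review bot: The rewritten first allow rule now grants write on every object of type "policy" regardless of object.team_id, but its comment only says "can read and write policies", whereas the rule it replaces was explicitly scoped with is_null(object.team_id); someone reading the rego alone cannot tell that dropping the team scope is deliberate rather than an oversight, and may re-add the guard or, worse, copy this rule shape for other object types. State the broadening in the comment: `# Global Admin and Maintainer can read and write any policy, global or team-scoped`. The role list `[admin,maintainer][_]` should also be spaced like the `[read, write][_]` on the next line, `subject.global_role == [admin, maintainer][_]`, so the two array-membership idioms in the same rule read alike. Both modified allow rules begin and end inside this hunk; the `allow {` in the hunk header belongs to an earlier rule not shown here.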
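Review bot: The changed row in TestTeamPoliciesAuth flips a bare positional `true` to `false` next to another bare `false`, so the hunk does not show which of the two expectations is being relaxed; the table's struct type is declared outside this hunk, and the enclosing function starts before and continues after it. Presumably the two booleans are the should-fail-write and should-fail-read expectations (the rego change only touches write), so writing the row with keyed fields — along the lines of `shouldFailWrite: false,` and `shouldFailRead: false,`, using whatever names the table struct actually declares — would make the expected authorization outcome readable in the diff and in later reviews of permission changes. An authorization table is exactly where a misread positional literal silently inverts a security expectation without any test failing.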