Merge pull request #108 from Cray-HPE/CASMCMS-8971-1.6

CASMCMS-8971: Multi-Tenancy OPA policy: Allow tenant admins to list their BOSv2 sessions
Cray-HPE · Apr 24, 2024 · 377723b · 377723b
2 parents aa80eea + e5a6021
commit 377723b
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml
@@ -23,7 +23,7 @@
 #
 apiVersion: v2
 name: cray-opa
-version: 1.34.1
+version: 1.34.2
 description: Cray Open Policy Agent
 keywords:
   - opa

diff --git a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 */ -}}
 {{- range $name, $options := .Values.ingresses }}
 {{- if $options.policies.keycloak.admin }}
@@ -167,6 +167,7 @@ data:
         {"method": "GET",  "path": `^/apis/bos/v2/components$`}, # GET allows a listing of all active components states
         {"method": "GET",  "path": `^/apis/bos/v2/components/.*$`}, # GET information on an individual component
         {"method": "GET",  "path": `^/apis/bos/v2/healthz$`}, # Allow tenant admins to know the overall health of the deployment
+        {"method": "GET",  "path": `^/apis/bos/v2/sessions$`}, # GET BOSv2 Sessions (list all)
         {"method": "POST", "path": `^/apis/bos/v2/sessions$`}, # POST Creates a new BOSv2 Session
         {"method": "GET",  "path": `^/apis/bos/v2/sessions/.*$`}, # GET allows monitoring status of individual sessions
         {"method": "GET",  "path": `^/apis/bos/v2/sessions/.*?/status$`}, # Obtain more detailed status information for an individual session

diff --git a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
@@ -1,4 +1,4 @@
-# Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+# Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 package istio.authz
 ## HOW TO DO UNIT TESTING
@@ -188,6 +188,7 @@ test_tenant_admin {
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/healthz", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo/status", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}