Allow managing local users and adding a server via web ui (#4498)

* Add token access to userACL (#4357) * Add node access to userACL (#4445) Co-authored-by: Lisa Kim <[email protected]>
gravitational · Oct 15, 2020 · 1ab776a · 1ab776a
1 parent 61a69b3
commit 1ab776a
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/e b/e
diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
@@ -261,6 +261,9 @@ const (
 	// InactivityFlushPeriod is a period of inactivity
 	// that triggers upload of the data - flush.
 	InactivityFlushPeriod = 5 * time.Minute
+
+	// NodeJoinTokenTTL is when a token for nodes expires.
+	NodeJoinTokenTTL = 4 * time.Hour
 )
 
 var (

diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
@@ -43,6 +43,10 @@ type userACL struct {
 	TrustedClusters access `json:"trustedClusters"`
 	// Events defines access to audit logs
 	Events access `json:"events"`
+	// Tokens defines access to tokens.
+	Tokens access `json:"tokens"`
+	// Nodes defines access to nodes.
+	Nodes access `json:"nodes"`
 	// SSH defines access to servers
 	SSHLogins []string `json:"sshLogins"`
 }
@@ -118,6 +122,8 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*UserContex
 	trustedClusterAccess := newAccess(userRoles, ctx, services.KindTrustedCluster)
 	eventAccess := newAccess(userRoles, ctx, services.KindEvent)
 	userAccess := newAccess(userRoles, ctx, services.KindUser)
+	tokenAccess := newAccess(userRoles, ctx, services.KindToken)
+	nodeAccess := newAccess(userRoles, ctx, services.KindNode)
 	logins := getLogins(userRoles)
 
 	acl := userACL{
@@ -128,6 +134,8 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*UserContex
 		Events:          eventAccess,
 		SSHLogins:       logins,
 		Users:           userAccess,
+		Tokens:          tokenAccess,
+		Nodes:           nodeAccess,
 	}
 
 	// local user

diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
@@ -68,6 +68,8 @@ func (s *UserContextSuite) TestNewUserContext(c *check.C) {
 	c.Assert(userContext.ACL.Sessions, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.Roles, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.Users, check.DeepEquals, denied)
+	c.Assert(userContext.ACL.Tokens, check.DeepEquals, denied)
+	c.Assert(userContext.ACL.Nodes, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.SSHLogins, check.DeepEquals, []string{"a", "b", "d"})
 
 	// test local auth type