feat(project,usergroup): supports extended RBAC roles

rapyuta-robotics · Sep 26, 2023 · 7a84b72 · 7a84b72
1 parent 117fd86
commit 7a84b72
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 9 deletions.
diff --git a/riocli/apply/manifests/project.yaml b/riocli/apply/manifests/project.yaml
@@ -5,9 +5,15 @@ metadata:
   organizationGUID: org-guid
 spec:
   users:
-    - emailID: "[email protected]"
+    - emailID: "[email protected]"
+      role: "admin"
+    - emailID: "[email protected]"
+      role: "viewer"
   userGroups:
-    - name: dev-group
+    - name: "dev-group"
+      role: "admin"
+    - name: "qa-group"
+      role: "viewer"
   features:
     vpn: true
     tracing: false
diff --git a/riocli/apply/manifests/usergroup.yaml b/riocli/apply/manifests/usergroup.yaml
@@ -15,4 +15,6 @@ spec:
     - emailID: [email protected]
   projects:
     - name: project01
+      role: viewer
     - name: project02
+      role: admin
diff --git a/riocli/jsonschema/schemas/project-schema.yaml b/riocli/jsonschema/schemas/project-schema.yaml
@@ -79,8 +79,11 @@ definitions:
         type: string
       userGroupGUID:
         type: string
+      role:
+        "$ref": "#/definitions/roleSpec"
     required:
       - name
+      - role
   user:
     type: object
     properties:
@@ -92,8 +95,11 @@ definitions:
         type: string
       userGUID:
         "$ref": "#/definitions/uuid"
+      role:
+        "$ref": "#/definitions/roleSpec"
     required:
       - emailID
+      - role
   projectStatus:
     type: object
     properties:
@@ -103,3 +109,8 @@ definitions:
         type: string
       tracing:
         type: string
+  roleSpec:
+    type: string
+    enum:
+      - admin
+      - viewer
diff --git a/riocli/jsonschema/schemas/usergroup-schema.yaml b/riocli/jsonschema/schemas/usergroup-schema.yaml
@@ -86,6 +86,11 @@ definitions:
         pattern: "^project-([a-z0-9]{20}|[a-z]{24})$"
       name:
         type: string
+      role:
+        type: string
+        enum:
+          - viewer
+          - admin
     oneOf:
       - required:
           - guid

diff --git a/riocli/usergroup/inspect.py b/riocli/usergroup/inspect.py
@@ -52,9 +52,10 @@ def to_manifest(usergroup: UserGroup, org_guid: str) -> typing.Dict:
     """
     Transform a usergroup resource to a rio apply manifest construct
     """
+    role_map = {i['projectGUID']: i['groupRole'] for i in (usergroup.role_in_projects or [])}
     members = {m.email_id for m in usergroup.members}
     admins = {a.email_id for a in usergroup.admins}
-    projects = [p.name for p in usergroup.projects]
+    projects = [{'name': p.name, 'role': role_map[p.guid]} for p in (usergroup.projects or [])]
 
     return {
         'apiVersion': 'api.rapyuta.io/v2',
@@ -68,6 +69,6 @@ def to_manifest(usergroup: UserGroup, org_guid: str) -> typing.Dict:
             'description': usergroup.description,
             'members': [{'emailID': m} for m in list(members - admins)],
             'admins': [{'emailID': a} for a in list(admins)],
-            'projects': [{'name': p} for p in projects],
+            'projects': projects,
         },
     }
diff --git a/riocli/usergroup/model.py b/riocli/usergroup/model.py
@@ -72,6 +72,7 @@ def delete_object(self, client: Client, obj: typing.Any) -> typing.Any:
         return client.delete_usergroup(self.metadata.organization, obj.guid)
 
     def _modify_payload(self, group: typing.Dict) -> typing.Dict:
+        group['spec']['userGroupRoleInProjects'] = []
         for entity in ('members', 'admins'):
             for u in group['spec'].get(entity, []):
                 if USER_GUID in u:
@@ -80,10 +81,16 @@ def _modify_payload(self, group: typing.Dict) -> typing.Dict:
                 u.pop(USER_EMAIL)
 
         for p in group['spec'].get('projects', []):
-            if 'guid' in p:
-                continue
-            p['guid'] = self.project_name_to_guid_map.get(p['name'])
-            p.pop('name')
+            if 'guid' not in p:
+                p['guid'] = self.project_name_to_guid_map.get(p['name'])
+                p.pop('name')
+
+            if 'role' in p:
+                group['spec']['userGroupRoleInProjects'].append({
+                    'projectGUID': p['guid'],
+                    'groupRole': p['role'],
+                })
+                p.pop('role')
 
         return group
 
@@ -106,7 +113,8 @@ def _create_update_payload(old: typing.Any, new: typing.Dict) -> typing.Dict:
                 'members': {'add': [], 'remove': []},
                 'projects': {'add': [], 'remove': []},
                 'admins': {'add': [], 'remove': []}
-            }
+            },
+            'userGroupRoleInProjects': new['spec'].get('userGroupRoleInProjects', []),
         }
 
         entity_sets = {