Merge branch 'master' into production
Johaney-s committed Nov 14, 2022
2 parents 531fc17 + e26fea3 commit 0c7f13f
Showing 13 changed files with 854 additions and 266 deletions.
Expand Up @@ -24,6 +24,7 @@ public class Role {
public static final String RPC = "RPC";
public static final String NOTIFICATIONS = "NOTIFICATIONS";
public static final String SERVICEUSER = "SERVICEUSER";
public static final String SPREGAPPLICATION = "SPREGAPPLICATION";
public static final String SPONSOR = "SPONSOR";
public static final String VOOBSERVER = "VOOBSERVER";
public static final String TOPGROUPCREATOR = "TOPGROUPCREATOR";
Expand All @@ -38,7 +39,7 @@ public class Role {
public static List<String> rolesAsList() {
return Arrays.asList(AUDITCONSUMERADMIN, CABINETADMIN, ENGINE, FACILITYADMIN, FACILITYOBSERVER, TRUSTEDFACILITYADMIN, GROUPADMIN,
GROUPOBSERVER, GROUPMEMBERSHIPMANAGER, MEMBERSHIP, NOTIFICATIONS, PERUNADMIN, PERUNOBSERVER, REGISTRAR, RESOURCEADMIN, RESOURCEOBSERVER,
RESOURCESELFSERVICE, RPC, SECURITYADMIN, SELF, SERVICEUSER, SPONSOR, TOPGROUPCREATOR, UNKNOWNROLENAME,
RESOURCESELFSERVICE, RPC, SECURITYADMIN, SELF, SERVICEUSER, SPREGAPPLICATION, SPONSOR, TOPGROUPCREATOR, UNKNOWNROLENAME,
VOADMIN, VOOBSERVER, SPONSORSHIP, MFA);
}
}
45 changes: 45 additions & 0 deletions perun-base/src/main/resources/perun-roles.yml
Expand Up @@ -75,6 +75,9 @@
# It is a sign of an account with a Self role being created by someone else.
# The only role with privileges to create a Service user is the Perun administrator role.
#
# SPREGAPPLICATION is a role that can be assigned to a service account primarily to work
# with facilities, groups and attributes.
#
# SPONSOR users or groups of a VO can provide other users with VO membership even without them passing the VO registration.
# The sponsor role may be assigned to users or groups of users by VO administrators or Perun administrators.
# However, Sponsors are not allowed to delegate this role to other users or groups.
Expand Down Expand Up @@ -124,6 +127,7 @@ perun_roles:
- RPC
- NOTIFICATIONS
- SERVICEUSER
- SPREGAPPLICATION
- SPONSOR
- VOOBSERVER
- TOPGROUPCREATOR
Expand Down Expand Up @@ -592,6 +596,7 @@ perun_policies:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
- PERUNOBSERVER:
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -668,6 +673,7 @@ perun_policies:
- FACILITYADMIN:
- FACILITYOBSERVER:
- PERUNOBSERVER:
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -846,12 +852,14 @@ perun_policies:
createFacility_Facility_policy:
policy_roles:
- FACILITYADMIN:
- SPREGAPPLICATION:
include_policies:
- default_policy

deleteFacility_Facility_Boolean_policy:
policy_roles:
- FACILITYADMIN: Facility
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -860,6 +868,7 @@ perun_policies:
updateFacility_Facility_policy:
policy_roles:
- FACILITYADMIN: Facility
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand Down Expand Up @@ -1023,6 +1032,7 @@ perun_policies:
- PERUNOBSERVER:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand All @@ -1038,6 +1048,7 @@ perun_policies:
policy_roles:
- PERUNOBSERVER:
- SELF: User
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -1260,6 +1271,7 @@ perun_policies:
policy_roles:
- GROUPADMIN: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -1270,6 +1282,7 @@ perun_policies:
policy_roles:
- GROUPADMIN: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand Down Expand Up @@ -1299,6 +1312,7 @@ perun_policies:
policy_roles:
- GROUPADMIN: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand Down Expand Up @@ -1440,6 +1454,7 @@ perun_policies:
- GROUPADMIN: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -1451,6 +1466,7 @@ perun_policies:
- GROUPADMIN: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -1463,6 +1479,7 @@ perun_policies:
- GROUPADMIN: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -1475,6 +1492,7 @@ perun_policies:
- GROUPADMIN: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy
mfa_rules:
Expand All @@ -1490,6 +1508,7 @@ perun_policies:
- GROUPOBSERVER: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -1534,6 +1553,7 @@ perun_policies:
- GROUPOBSERVER: Group
- GROUPMEMBERSHIPMANAGER: Group
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -2588,6 +2608,7 @@ perun_policies:
- PERUNOBSERVER:
- VOOBSERVER: Vo
- VOADMIN: Vo
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -4769,6 +4790,7 @@ perun_policies:
getFacilities_Map<String_String>_policy:
policy_roles:
- PERUNOBSERVER:
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -5536,6 +5558,7 @@ perun_policies:
- VOADMIN:
- SELF: User
- PERUNOBSERVER:
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -5619,6 +5642,7 @@ perun_policies:
- SELF: User
- REGISTRAR:
- PERUNOBSERVER:
- SPREGAPPLICATION:
include_policies:
- default_policy

Expand Down Expand Up @@ -8005,11 +8029,13 @@ perun_roles_management:
privileged_roles_to_manage:
- PERUNADMIN:
- FACILITYADMIN: Facility
- SPREGAPPLICATION:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
- SPREGAPPLICATION:
associated_read_roles:
- FACILITYOBSERVER
assignable_to_attributes: true
Expand All @@ -8027,11 +8053,13 @@ perun_roles_management:
privileged_roles_to_manage:
- PERUNADMIN:
- FACILITYADMIN: Facility
- SPREGAPPLICATION:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
- FACILITYADMIN: Facility
- FACILITYOBSERVER: Facility
- SPREGAPPLICATION:
associated_read_roles: []
assignable_to_attributes: false
display_name: "Facility observer"
Expand Down Expand Up @@ -8220,6 +8248,23 @@ perun_roles_management:
assignable_to_attributes: false
display_name: "Service user"

SPREGAPPLICATION:
primary_object:
assign_to_objects: {}
assignment_check:
- MFA:
entities_to_manage:
User: user_id
privileged_roles_to_manage:
- PERUNADMIN:
privileged_roles_to_read:
- PERUNADMIN:
- PERUNOBSERVER:
associated_read_roles: []
assignable_to_attributes: true
skip_mfa: true
display_name: "SPREG application"

SPONSOR:
primary_object: Vo
assign_to_objects:
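Review bot: Every SPREGAPPLICATION entry added to the policy hunks is written without an object qualifier (e.g. `- SPREGAPPLICATION:` beside `- FACILITYADMIN: Facility` in deleteFacility_Facility_Boolean_policy and updateFacility_Facility_policy, and beside `- VOADMIN: Vo` in the group policies), so if unqualified entries are honoured regardless of the target object, as they appear to be for PERUNOBSERVER elsewhere in this file, the role is a global facility and group administrator rather than something that "primarily" works with facilities, groups and attributes as the new comment says. The role is also listed under privileged_roles_to_manage for FACILITYADMIN and FACILITYOBSERVER, which would let a compromised SPREG service-account credential grant facility admin on any facility; that escalation path should be spelled out in the role comment so operators protect the credential accordingly. The new SPREGAPPLICATION management block combines `assignment_check: - MFA:` with `skip_mfa: true`, and a one-line comment stating which side each applies to (assigner must pass MFA vs. the service account's own calls being exempt — to be confirmed against the resolver) would avoid the two being read as contradictory. Suggested replacement for the two-line role comment: `# SPREGAPPLICATION is a role for the service account of the SPREG application. Its policy entries are not bound to a Facility, Group or Vo, so it can create, update and delete any facility, manage any group, and grant or revoke FACILITYADMIN and FACILITYOBSERVER; it is assignable only by Perun administrators and is marked skip_mfa.`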
5 changes: 5 additions & 0 deletions perun-base/src/test/resources/test-roles.yml
Expand Up @@ -176,5 +176,10 @@ perun_policies:
- GROUPMEMBERSHIPMANAGER: Group
include_policies: []

test_spregapplication:
policy_roles:
- SPREGAPPLICATION:
include_policies: []

perun_roles_management: {}
...
6 changes: 6 additions & 0 deletions perun-cli/Perun/AuthzResolverAgent.pm
Expand Up @@ -68,4 +68,10 @@ sub refreshMfa
return Perun::Common::callManagerMethod('refreshMfa', '', @_);
}

sub getAllRolesManagementRules
{
return Perun::Common::callManagerMethod('getAllRolesManagementRules', '[]RoleManagementRules', @_);
}


1;
1 change: 1 addition & 0 deletions perun-cli/Perun/Common.pm
Expand Up @@ -57,6 +57,7 @@ use Perun::beans::AttributePolicy;
use Perun::beans::AttributePolicyCollection;
use Perun::beans::AttributeRules;
use Perun::beans::OidcConfig;
use Perun::beans::RoleManagementRules;

sub newEmptyBean
{
0 comments on commit 0c7f13f
