From 08ee79c11f3b3b5edc43bd78b722cf0b61dab70f Mon Sep 17 00:00:00 2001
From: Antony Natale <43508092+tonytheleg@users.noreply.github.com>
Date: Fri, 15 Nov 2024 08:11:21 -0500
Subject: [PATCH] multiple updates to address spicedb validation errors (#235)
---
 data/host-service-account.json | 2 +-
 data/host.json | 4 +-
 data/k8s-cluster-reporter.json | 9 +
 data/k8s-cluster.json | 4 +-
 data/k8s-policy.json | 4 +-
 data/k8spolicy_ispropagatedto_k8scluster.json | 2 +-
 deploy/schema.yaml | 521 +++++++++++++++---
 deploy/schema.zed | 475 ++++++++++++++++
 docker-compose.yaml | 2 +
 internal/service/common/common.go | 13 +-
 internal/service/resources/hosts/hosts.go | 3 +-
 .../resources/k8sclusters/k8scluster.go | 3 +-
 .../resources/k8spolicies/k8spolicies.go | 3 +-
 test/e2e/inventory_http_test.go | 15 +-
 14 files changed, 970 insertions(+), 90 deletions(-)
 create mode 100644 data/k8s-cluster-reporter.json
 create mode 100644 deploy/schema.zed
diff --git a/data/host-service-account.json b/data/host-service-account.json
index e0d70aed..57a49547 100644
--- a/data/host-service-account.json
+++ b/data/host-service-account.json
@@ -1,7 +1,7 @@
 {
 "rhel_host": {
 "metadata": {
- "workspace_id": "hbi/rhel_host"
+ "workspace_id": "workspace1"
 },
 "reporter_data": {
 "reporter_type": "OCM",
diff --git a/data/host.json b/data/host.json
index 0a0998ce..dee4c1b3 100644
--- a/data/host.json
+++ b/data/host.json
@@ -1,8 +1,8 @@
 {
 "rhel_host": {
 "metadata": {
- "resource_type": "rhel-host",
- "workspace_id": "hbi/rhel_host"
+ "resource_type": "rhel_host",
+ "workspace_id": "01932c7e-e93e-719c-a488-3159877367b0"
 },
 "reporter_data": {
 "reporter_type": "OCM",
diff --git a/data/k8s-cluster-reporter.json b/data/k8s-cluster-reporter.json
new file mode 100644
index 00000000..ede3bbcf
--- /dev/null
+++ b/data/k8s-cluster-reporter.json
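Review bot: The new `"workspace_id": "workspace1"` in data/host-service-account.json uses a different id shape from the other fixtures in this commit, which all move to the UUID `01932c7e-e93e-719c-a488-3159877367b0` (host.json, k8s-cluster.json, k8s-policy.json). The workspace id presumably ends up as the object id of the workspace the resource is bound to for authorization, so two formats in the samples leave it unclear which shape the service is expected to accept and validate. If only UUIDs are valid in a real deployment, use `"workspace_id": "01932c7e-e93e-719c-a488-3159877367b0"` here as well. The metadata block in this file also carries no `resource_type`, unlike host.json; that may be intentional for the service-account case but is worth confirming.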
@@ -0,0 +1,9 @@
+{
+ "reporter_data": {
+ "reporter_type": "OCM",
+ "reporter_version": "0.1",
+ "local_resource_id": "2",
+ "api_href": "www.example.com",
+ "console_href": "www.example.com"
+ }
+}
diff --git a/data/k8s-cluster.json b/data/k8s-cluster.json
index 8c44b749..79de31bc 100644
--- a/data/k8s-cluster.json
+++ b/data/k8s-cluster.json
@@ -1,8 +1,8 @@
 {
 "k8s_cluster": {
 "metadata": {
- "resource_type": "k8s-cluster",
- "workspace_id": "hbi/k8s_cluster"
+ "resource_type": "k8s_cluster",
+ "workspace_id": "01932c7e-e93e-719c-a488-3159877367b0"
 },
 "reporter_data": {
 "reporter_type": "ACM",
diff --git a/data/k8s-policy.json b/data/k8s-policy.json
index 8af96bbb..dc316c29 100644
--- a/data/k8s-policy.json
+++ b/data/k8s-policy.json
@@ -1,8 +1,8 @@
 {
 "k8s_policy": {
 "metadata": {
- "resource_type": "k8s-policy",
- "workspace_id": "hbi/k8s_policy"
+ "resource_type": "k8s_policy",
+ "workspace_id": "01932c7e-e93e-719c-a488-3159877367b0"
 },
 "reporter_data": {
 "reporter_type": "ACM",
diff --git a/data/k8spolicy_ispropagatedto_k8scluster.json b/data/k8spolicy_ispropagatedto_k8scluster.json
index 48db35e4..c00ed486 100644
--- a/data/k8spolicy_ispropagatedto_k8scluster.json
+++ b/data/k8spolicy_ispropagatedto_k8scluster.json
@@ -3,7 +3,7 @@
 "metadata": {
 },
 "reporter_data": {
- "reporter_type": "OCM",
+ "reporter_type": "ACM",
 "reporter_version": "0.1",
 "subject_local_resource_id": "1",
 "object_local_resource_id": "2"
diff --git a/deploy/schema.yaml b/deploy/schema.yaml
index 721b1467..c3789571 100644
--- a/deploy/schema.yaml
+++ b/deploy/schema.yaml
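Review bot: `"reporter_type": "OCM"` in the new data/k8s-cluster-reporter.json disagrees with the other k8s fixtures in this commit: k8s-cluster.json keeps `"reporter_type": "ACM"`, and the relationship fixture is changed from OCM to ACM with `"object_local_resource_id": "2"`. If this file is meant to address the cluster created from k8s-cluster.json (the shared local id 2 suggests so, though that file's id lies outside the hunk), the request would name a different (reporter, local id) pair than the one that owns the resource; consider `"reporter_type": "ACM",`. The hrefs `www.example.com` also carry no scheme, so a stricter URL validator on the service side would reject them; `https://www.example.com` would be a safer sample value.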
@@ -1,91 +1,476 @@ schema: |- - // TODO: should we prefix all relations? - // TODO: do we need to distinguish between service account and user principles as separate types? - definition rbac/user {} + definition notifications/integration { + permission workspace = t_workspace + relation t_workspace: rbac/workspace + permission view = t_workspace->notifications_integration_view + permission edit = t_workspace->notifications_integration_edit + permission test = t_workspace->notifications_integration_test + permission view_history = t_workspace->notifications_integration_view_history + permission delete = t_workspace->notifications_integration_delete + permission disable = t_workspace->notifications_integration_disable + permission enable = t_workspace->notifications_integration_enable + } - // TODO: Add permissions here - definition rbac/realm { - relation user_grant: rbac/role_binding + definition rbac/principal {} + + definition rbac/platform { + permission binding = t_binding + relation t_binding: rbac/role_binding + permission notifications_integration_create = t_binding->notifications_integration_create + permission notifications_daily_digest_preference_edit = t_binding->notifications_daily_digest_preference_edit + permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view + permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer + permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email + permission notifications_event_log_view = t_binding->notifications_event_log_view + permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view + permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit + permission notifications_bundles_view = t_binding->notifications_bundles_view + permission notifications_applications_view = 
t_binding->notifications_applications_view + permission notifications_event_types_view = t_binding->notifications_event_types_view + permission notifications_integration_view = t_binding->notifications_integration_view + permission notifications_integration_edit = t_binding->notifications_integration_edit + permission notifications_integration_test = t_binding->notifications_integration_test + permission notifications_integration_view_history = t_binding->notifications_integration_view_history + permission notifications_integration_delete = t_binding->notifications_integration_delete + permission notifications_integration_disable = t_binding->notifications_integration_disable + permission notifications_integration_enable = t_binding->notifications_integration_enable } - // TODO: Add permissions here OR roll up to realm directly from top level workspaces instead of tenant. definition rbac/tenant { - // Every tenant should be connected to a common "realm" for global bindings. - relation realm: rbac/realm - relation user_grant: rbac/role_binding - relation member: rbac/user + permission platform = t_platform + relation t_platform: rbac/platform + permission binding = t_binding + relation t_binding: rbac/role_binding + permission notifications_integration_create = t_binding->notifications_integration_create + t_platform->notifications_integration_create + permission notifications_daily_digest_preference_edit = t_binding->notifications_daily_digest_preference_edit + t_platform->notifications_daily_digest_preference_edit + permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view + t_platform->notifications_daily_digest_preference_view + permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer + t_platform->notifications_integration_subscribe_drawer + permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email + 
t_platform->notifications_integration_subscribe_email + permission notifications_event_log_view = t_binding->notifications_event_log_view + t_platform->notifications_event_log_view + permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view + t_platform->notifications_behavior_groups_view + permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit + t_platform->notifications_behavior_groups_edit + permission notifications_bundles_view = t_binding->notifications_bundles_view + t_platform->notifications_bundles_view + permission notifications_applications_view = t_binding->notifications_applications_view + t_platform->notifications_applications_view + permission notifications_event_types_view = t_binding->notifications_event_types_view + t_platform->notifications_event_types_view + permission notifications_integration_view = t_binding->notifications_integration_view + t_platform->notifications_integration_view + permission notifications_integration_edit = t_binding->notifications_integration_edit + t_platform->notifications_integration_edit + permission notifications_integration_test = t_binding->notifications_integration_test + t_platform->notifications_integration_test + permission notifications_integration_view_history = t_binding->notifications_integration_view_history + t_platform->notifications_integration_view_history + permission notifications_integration_delete = t_binding->notifications_integration_delete + t_platform->notifications_integration_delete + permission notifications_integration_disable = t_binding->notifications_integration_disable + t_platform->notifications_integration_disable + permission notifications_integration_enable = t_binding->notifications_integration_enable + t_platform->notifications_integration_enable } definition rbac/group { - relation owner: rbac/tenant - relation member: rbac/user | rbac/group#member + permission owner = t_owner + relation t_owner: 
rbac/tenant + permission member = t_member + relation t_member: rbac/principal | rbac/group#member } definition rbac/role { - relation notifications_daily_digest_preference_edit: rbac/user:* - relation notifications_daily_digest_preference_view: rbac/user:* - relation notifications_integration_create: rbac/user:* - relation notifications_integration_subscribe_drawer: rbac/user:* - relation notifications_integration_subscribe_email: rbac/user:* - relation notifications_integration_view: rbac/user:* - relation notifications_integration_edit: rbac/user:* - relation notifications_integration_test: rbac/user:* - relation notifications_integration_view_history: rbac/user:* - relation notifications_integration_delete: rbac/user:* - relation notifications_integration_disable: rbac/user:* - relation notifications_integration_enable: rbac/user:* - relation notifications_event_log_view: rbac/user:* + permission all_all_all = t_all_all_all + relation t_all_all_all: rbac/principal:* + permission child = t_child + relation t_child: rbac/role + permission notifications_all_all = t_notifications_all_all + relation t_notifications_all_all: rbac/principal:* + permission notifications_integrations_all = t_notifications_integrations_all + relation t_notifications_integrations_all: rbac/principal:* + permission notifications_all_write = t_notifications_all_write + relation t_notifications_all_write: rbac/principal:* + permission notifications_integrations_write = t_notifications_integrations_write + relation t_notifications_integrations_write: rbac/principal:* + permission notifications_integration_create = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_create + permission notifications_notifications_all = t_notifications_notifications_all + relation t_notifications_notifications_all: rbac/principal:* + permission notifications_notifications_write = 
t_notifications_notifications_write + relation t_notifications_notifications_write: rbac/principal:* + permission notifications_daily_digest_preference_edit = notifications_notifications_write + notifications_notifications_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_daily_digest_preference_edit + permission notifications_all_read = t_notifications_all_read + relation t_notifications_all_read: rbac/principal:* + permission notifications_notifications_read = t_notifications_notifications_read + relation t_notifications_notifications_read: rbac/principal:* + permission notifications_daily_digest_preference_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_daily_digest_preference_view + permission notifications_integrations_read = t_notifications_integrations_read + relation t_notifications_integrations_read: rbac/principal:* + permission notifications_integration_subscribe_drawer = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_subscribe_drawer + permission notifications_integration_subscribe_email = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_subscribe_email + permission notifications_events_all = t_notifications_events_all + relation t_notifications_events_all: rbac/principal:* + permission notifications_events_read = t_notifications_events_read + relation t_notifications_events_read: rbac/principal:* + permission notifications_event_log_view = notifications_events_read + notifications_events_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_event_log_view + permission notifications_behavior_groups_view = 
notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_behavior_groups_view + permission notifications_behavior_groups_edit = notifications_notifications_write + notifications_notifications_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_behavior_groups_edit + permission notifications_bundles_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_bundles_view + permission notifications_applications_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_applications_view + permission notifications_event_types_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_event_types_view + permission notifications_integration_view = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_view + permission notifications_integration_edit = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_edit + permission notifications_integration_test = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_test + permission notifications_integration_view_history = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_view_history + permission notifications_integration_delete = 
notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_delete + permission notifications_integration_disable = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_disable + permission notifications_integration_enable = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_enable + permission advisor_disable_recommendations_write = t_advisor_disable_recommendations_write + relation t_advisor_disable_recommendations_write: rbac/principal:* + permission advisor_weekly_email_read = t_advisor_weekly_email_read + relation t_advisor_weekly_email_read: rbac/principal:* + permission advisor_recommendation_results_read = t_advisor_recommendation_results_read + relation t_advisor_recommendation_results_read: rbac/principal:* + permission advisor_exports_read = t_advisor_exports_read + relation t_advisor_exports_read: rbac/principal:* + permission advisor_all_read = t_advisor_all_read + relation t_advisor_all_read: rbac/principal:* + permission advisor_all_all = t_advisor_all_all + relation t_advisor_all_all: rbac/principal:* + permission ansible_wisdom_admin_dashboard_chart_recommendations_read = t_ansible_wisdom_admin_dashboard_chart_recommendations_read + relation t_ansible_wisdom_admin_dashboard_chart_recommendations_read: rbac/principal:* + permission ansible_wisdom_admin_dashboard_chart_user_sentiment_read = t_ansible_wisdom_admin_dashboard_chart_user_sentiment_read + relation t_ansible_wisdom_admin_dashboard_chart_user_sentiment_read: rbac/principal:* + permission ansible_wisdom_admin_dashboard_chart_module_usage_read = t_ansible_wisdom_admin_dashboard_chart_module_usage_read + relation 
t_ansible_wisdom_admin_dashboard_chart_module_usage_read: rbac/principal:* + permission ansible_wisdom_admin_dashboard_chart_active_users_read = t_ansible_wisdom_admin_dashboard_chart_active_users_read + relation t_ansible_wisdom_admin_dashboard_chart_active_users_read: rbac/principal:* + permission automation_analytics_all_read = t_automation_analytics_all_read + relation t_automation_analytics_all_read: rbac/principal:* + permission automation_analytics_all_write = t_automation_analytics_all_write + relation t_automation_analytics_all_write: rbac/principal:* + permission automation_analytics_all_all = t_automation_analytics_all_all + relation t_automation_analytics_all_all: rbac/principal:* + permission compliance_report_read = t_compliance_report_read + relation t_compliance_report_read: rbac/principal:* + permission compliance_report_delete = t_compliance_report_delete + relation t_compliance_report_delete: rbac/principal:* + permission compliance_policy_read = t_compliance_policy_read + relation t_compliance_policy_read: rbac/principal:* + permission compliance_policy_create = t_compliance_policy_create + relation t_compliance_policy_create: rbac/principal:* + permission compliance_policy_update = t_compliance_policy_update + relation t_compliance_policy_update: rbac/principal:* + permission compliance_policy_delete = t_compliance_policy_delete + relation t_compliance_policy_delete: rbac/principal:* + permission compliance_policy_write = t_compliance_policy_write + relation t_compliance_policy_write: rbac/principal:* + permission compliance_all_all = t_compliance_all_all + relation t_compliance_all_all: rbac/principal:* + permission compliance_system_read = t_compliance_system_read + relation t_compliance_system_read: rbac/principal:* + permission config_manager_activation_keys_read = t_config_manager_activation_keys_read + relation t_config_manager_activation_keys_read: rbac/principal:* + permission config_manager_activation_keys_write = 
t_config_manager_activation_keys_write + relation t_config_manager_activation_keys_write: rbac/principal:* + permission config_manager_activation_keys_all = t_config_manager_activation_keys_all + relation t_config_manager_activation_keys_all: rbac/principal:* + permission config_manager_state_read = t_config_manager_state_read + relation t_config_manager_state_read: rbac/principal:* + permission config_manager_state_write = t_config_manager_state_write + relation t_config_manager_state_write: rbac/principal:* + permission config_manager_state_changes_read = t_config_manager_state_changes_read + relation t_config_manager_state_changes_read: rbac/principal:* + permission content_sources_repositories_read = t_content_sources_repositories_read + relation t_content_sources_repositories_read: rbac/principal:* + permission content_sources_repositories_write = t_content_sources_repositories_write + relation t_content_sources_repositories_write: rbac/principal:* + permission content_sources_repositories_upload = t_content_sources_repositories_upload + relation t_content_sources_repositories_upload: rbac/principal:* + permission content_sources_templates_read = t_content_sources_templates_read + relation t_content_sources_templates_read: rbac/principal:* + permission content_sources_templates_write = t_content_sources_templates_write + relation t_content_sources_templates_write: rbac/principal:* + permission content_sources_all_all = t_content_sources_all_all + relation t_content_sources_all_all: rbac/principal:* + permission cost_management_aws_account_all = t_cost_management_aws_account_all + relation t_cost_management_aws_account_all: rbac/principal:* + permission cost_management_aws_account_read = t_cost_management_aws_account_read + relation t_cost_management_aws_account_read: rbac/principal:* + permission cost_management_gcp_account_all = t_cost_management_gcp_account_all + relation t_cost_management_gcp_account_all: rbac/principal:* + permission 
cost_management_gcp_account_read = t_cost_management_gcp_account_read + relation t_cost_management_gcp_account_read: rbac/principal:* + permission cost_management_gcp_project_all = t_cost_management_gcp_project_all + relation t_cost_management_gcp_project_all: rbac/principal:* + permission cost_management_gcp_project_read = t_cost_management_gcp_project_read + relation t_cost_management_gcp_project_read: rbac/principal:* + permission cost_management_openshift_cluster_all = t_cost_management_openshift_cluster_all + relation t_cost_management_openshift_cluster_all: rbac/principal:* + permission cost_management_openshift_cluster_read = t_cost_management_openshift_cluster_read + relation t_cost_management_openshift_cluster_read: rbac/principal:* + permission cost_management_oci_payer_tenant_id_all = t_cost_management_oci_payer_tenant_id_all + relation t_cost_management_oci_payer_tenant_id_all: rbac/principal:* + permission cost_management_oci_payer_tenant_id_read = t_cost_management_oci_payer_tenant_id_read + relation t_cost_management_oci_payer_tenant_id_read: rbac/principal:* + permission cost_management_settings_all = t_cost_management_settings_all + relation t_cost_management_settings_all: rbac/principal:* + permission cost_management_settings_read = t_cost_management_settings_read + relation t_cost_management_settings_read: rbac/principal:* + permission cost_management_settings_write = t_cost_management_settings_write + relation t_cost_management_settings_write: rbac/principal:* + permission cost_management_aws_organizational_unit_all = t_cost_management_aws_organizational_unit_all + relation t_cost_management_aws_organizational_unit_all: rbac/principal:* + permission cost_management_aws_organizational_unit_read = t_cost_management_aws_organizational_unit_read + relation t_cost_management_aws_organizational_unit_read: rbac/principal:* + permission cost_management_azure_subscription_guid_all = t_cost_management_azure_subscription_guid_all + relation 
t_cost_management_azure_subscription_guid_all: rbac/principal:* + permission cost_management_azure_subscription_guid_read = t_cost_management_azure_subscription_guid_read + relation t_cost_management_azure_subscription_guid_read: rbac/principal:* + permission cost_management_openshift_node_all = t_cost_management_openshift_node_all + relation t_cost_management_openshift_node_all: rbac/principal:* + permission cost_management_openshift_node_read = t_cost_management_openshift_node_read + relation t_cost_management_openshift_node_read: rbac/principal:* + permission cost_management_openshift_project_all = t_cost_management_openshift_project_all + relation t_cost_management_openshift_project_all: rbac/principal:* + permission cost_management_openshift_project_read = t_cost_management_openshift_project_read + relation t_cost_management_openshift_project_read: rbac/principal:* + permission cost_management_cost_model_all = t_cost_management_cost_model_all + relation t_cost_management_cost_model_all: rbac/principal:* + permission cost_management_cost_model_read = t_cost_management_cost_model_read + relation t_cost_management_cost_model_read: rbac/principal:* + permission cost_management_cost_model_write = t_cost_management_cost_model_write + relation t_cost_management_cost_model_write: rbac/principal:* + permission cost_management_all_all = t_cost_management_all_all + relation t_cost_management_all_all: rbac/principal:* + permission hybrid_committed_spend_reports_read = t_hybrid_committed_spend_reports_read + relation t_hybrid_committed_spend_reports_read: rbac/principal:* + permission idmsvc_all_all = t_idmsvc_all_all + relation t_idmsvc_all_all: rbac/principal:* + permission idmsvc_token_create = t_idmsvc_token_create + relation t_idmsvc_token_create: rbac/principal:* + permission idmsvc_domains_list = t_idmsvc_domains_list + relation t_idmsvc_domains_list: rbac/principal:* + permission idmsvc_domains_read = t_idmsvc_domains_read + relation t_idmsvc_domains_read: 
rbac/principal:* + permission idmsvc_domains_create = t_idmsvc_domains_create + relation t_idmsvc_domains_create: rbac/principal:* + permission idmsvc_domains_update = t_idmsvc_domains_update + relation t_idmsvc_domains_update: rbac/principal:* + permission idmsvc_domains_delete = t_idmsvc_domains_delete + relation t_idmsvc_domains_delete: rbac/principal:* + permission integrations_endpoints_read = t_integrations_endpoints_read + relation t_integrations_endpoints_read: rbac/principal:* + permission integrations_endpoints_write = t_integrations_endpoints_write + relation t_integrations_endpoints_write: rbac/principal:* + permission integrations_all_all = t_integrations_all_all + relation t_integrations_all_all: rbac/principal:* + permission inventory_all_read = t_inventory_all_read + relation t_inventory_all_read: rbac/principal:* + permission inventory_all_all = t_inventory_all_all + relation t_inventory_all_all: rbac/principal:* + permission inventory_hosts_read = t_inventory_hosts_read + relation t_inventory_hosts_read: rbac/principal:* + permission inventory_hosts_write = t_inventory_hosts_write + relation t_inventory_hosts_write: rbac/principal:* + permission inventory_hosts_all = t_inventory_hosts_all + relation t_inventory_hosts_all: rbac/principal:* + permission inventory_groups_read = t_inventory_groups_read + relation t_inventory_groups_read: rbac/principal:* + permission inventory_groups_write = t_inventory_groups_write + relation t_inventory_groups_write: rbac/principal:* + permission inventory_groups_all = t_inventory_groups_all + relation t_inventory_groups_all: rbac/principal:* + permission malware_detection_all_all = t_malware_detection_all_all + relation t_malware_detection_all_all: rbac/principal:* + permission malware_detection_all_read = t_malware_detection_all_read + relation t_malware_detection_all_read: rbac/principal:* + permission malware_detection_acknowledgements_write = t_malware_detection_acknowledgements_write + relation 
t_malware_detection_acknowledgements_write: rbac/principal:* + permission ocp_advisor_toggle_recommendations_write = t_ocp_advisor_toggle_recommendations_write + relation t_ocp_advisor_toggle_recommendations_write: rbac/principal:* + permission ocp_advisor_recommendation_results_read = t_ocp_advisor_recommendation_results_read + relation t_ocp_advisor_recommendation_results_read: rbac/principal:* + permission ocp_advisor_exports_read = t_ocp_advisor_exports_read + relation t_ocp_advisor_exports_read: rbac/principal:* + permission ocp_advisor_all_all = t_ocp_advisor_all_all + relation t_ocp_advisor_all_all: rbac/principal:* + permission patch_template_write = t_patch_template_write + relation t_patch_template_write: rbac/principal:* + permission patch_all_all = t_patch_all_all + relation t_patch_all_all: rbac/principal:* + permission patch_all_read = t_patch_all_read + relation t_patch_all_read: rbac/principal:* + permission patch_all_write = t_patch_all_write + relation t_patch_all_write: rbac/principal:* + permission patch_system_write = t_patch_system_write + relation t_patch_system_write: rbac/principal:* + permission playbook_dispatcher_run_read = t_playbook_dispatcher_run_read + relation t_playbook_dispatcher_run_read: rbac/principal:* + permission playbook_dispatcher_run_write = t_playbook_dispatcher_run_write + relation t_playbook_dispatcher_run_write: rbac/principal:* + permission policies_policies_read = t_policies_policies_read + relation t_policies_policies_read: rbac/principal:* + permission policies_policies_write = t_policies_policies_write + relation t_policies_policies_write: rbac/principal:* + permission policies_all_all = t_policies_all_all + relation t_policies_all_all: rbac/principal:* + permission provisioning_pubkey_all = t_provisioning_pubkey_all + relation t_provisioning_pubkey_all: rbac/principal:* + permission provisioning_pubkey_read = t_provisioning_pubkey_read + relation t_provisioning_pubkey_read: rbac/principal:* + permission 
provisioning_pubkey_write = t_provisioning_pubkey_write + relation t_provisioning_pubkey_write: rbac/principal:* + permission provisioning_reservation_all = t_provisioning_reservation_all + relation t_provisioning_reservation_all: rbac/principal:* + permission provisioning_reservation_read = t_provisioning_reservation_read + relation t_provisioning_reservation_read: rbac/principal:* + permission provisioning_reservation_write = t_provisioning_reservation_write + relation t_provisioning_reservation_write: rbac/principal:* + permission provisioning_reservation_aws_all = t_provisioning_reservation_aws_all + relation t_provisioning_reservation_aws_all: rbac/principal:* + permission provisioning_reservation_aws_read = t_provisioning_reservation_aws_read + relation t_provisioning_reservation_aws_read: rbac/principal:* + permission provisioning_reservation_aws_write = t_provisioning_reservation_aws_write + relation t_provisioning_reservation_aws_write: rbac/principal:* + permission provisioning_reservation_azure_all = t_provisioning_reservation_azure_all + relation t_provisioning_reservation_azure_all: rbac/principal:* + permission provisioning_reservation_azure_read = t_provisioning_reservation_azure_read + relation t_provisioning_reservation_azure_read: rbac/principal:* + permission provisioning_reservation_azure_write = t_provisioning_reservation_azure_write + relation t_provisioning_reservation_azure_write: rbac/principal:* + permission provisioning_reservation_gcp_all = t_provisioning_reservation_gcp_all + relation t_provisioning_reservation_gcp_all: rbac/principal:* + permission provisioning_reservation_gcp_read = t_provisioning_reservation_gcp_read + relation t_provisioning_reservation_gcp_read: rbac/principal:* + permission provisioning_reservation_gcp_write = t_provisioning_reservation_gcp_write + relation t_provisioning_reservation_gcp_write: rbac/principal:* + permission provisioning_all_all = t_provisioning_all_all + relation t_provisioning_all_all: 
rbac/principal:* + permission provisioning_source_all = t_provisioning_source_all + relation t_provisioning_source_all: rbac/principal:* + permission provisioning_source_read = t_provisioning_source_read + relation t_provisioning_source_read: rbac/principal:* + permission rbac_principal_read = t_rbac_principal_read + relation t_rbac_principal_read: rbac/principal:* + permission rbac_all_all = t_rbac_all_all + relation t_rbac_all_all: rbac/principal:* + permission remediations_remediation_read = t_remediations_remediation_read + relation t_remediations_remediation_read: rbac/principal:* + permission remediations_remediation_write = t_remediations_remediation_write + relation t_remediations_remediation_write: rbac/principal:* + permission remediations_remediation_execute = t_remediations_remediation_execute + relation t_remediations_remediation_execute: rbac/principal:* + permission remediations_all_all = t_remediations_all_all + relation t_remediations_all_all: rbac/principal:* + permission remediations_all_read = t_remediations_all_read + relation t_remediations_all_read: rbac/principal:* + permission remediations_all_write = t_remediations_all_write + relation t_remediations_all_write: rbac/principal:* + permission ros_all_all = t_ros_all_all + relation t_ros_all_all: rbac/principal:* + permission ros_all_read = t_ros_all_read + relation t_ros_all_read: rbac/principal:* + permission sources_all_all = t_sources_all_all + relation t_sources_all_all: rbac/principal:* + permission staleness_staleness_read = t_staleness_staleness_read + relation t_staleness_staleness_read: rbac/principal:* + permission staleness_staleness_write = t_staleness_staleness_write + relation t_staleness_staleness_write: rbac/principal:* + permission staleness_staleness_all = t_staleness_staleness_all + relation t_staleness_staleness_all: rbac/principal:* + permission subscriptions_products_read = t_subscriptions_products_read + relation t_subscriptions_products_read: rbac/principal:* + 
permission subscriptions_products_write = t_subscriptions_products_write + relation t_subscriptions_products_write: rbac/principal:* + permission subscriptions_cloud_access_read = t_subscriptions_cloud_access_read + relation t_subscriptions_cloud_access_read: rbac/principal:* + permission subscriptions_cloud_access_write = t_subscriptions_cloud_access_write + relation t_subscriptions_cloud_access_write: rbac/principal:* + permission subscriptions_all_all = t_subscriptions_all_all + relation t_subscriptions_all_all: rbac/principal:* + permission subscriptions_reports_read = t_subscriptions_reports_read + relation t_subscriptions_reports_read: rbac/principal:* + permission subscriptions_manifests_read = t_subscriptions_manifests_read + relation t_subscriptions_manifests_read: rbac/principal:* + permission subscriptions_manifests_write = t_subscriptions_manifests_write + relation t_subscriptions_manifests_write: rbac/principal:* + permission subscriptions_organization_read = t_subscriptions_organization_read + relation t_subscriptions_organization_read: rbac/principal:* + permission subscriptions_organization_write = t_subscriptions_organization_write + relation t_subscriptions_organization_write: rbac/principal:* + permission tasks_all_all = t_tasks_all_all + relation t_tasks_all_all: rbac/principal:* + permission vulnerability_vulnerability_results_read = t_vulnerability_vulnerability_results_read + relation t_vulnerability_vulnerability_results_read: rbac/principal:* + permission vulnerability_cve_business_risk_and_status_write = t_vulnerability_cve_business_risk_and_status_write + relation t_vulnerability_cve_business_risk_and_status_write: rbac/principal:* + permission vulnerability_system_cve_status_write = t_vulnerability_system_cve_status_write + relation t_vulnerability_system_cve_status_write: rbac/principal:* + permission vulnerability_advanced_report_read = t_vulnerability_advanced_report_read + relation t_vulnerability_advanced_report_read: 
rbac/principal:* + permission vulnerability_report_and_export_read = t_vulnerability_report_and_export_read + relation t_vulnerability_report_and_export_read: rbac/principal:* + permission vulnerability_system_opt_out_write = t_vulnerability_system_opt_out_write + relation t_vulnerability_system_opt_out_write: rbac/principal:* + permission vulnerability_system_opt_out_read = t_vulnerability_system_opt_out_read + relation t_vulnerability_system_opt_out_read: rbac/principal:* + permission vulnerability_toggle_cves_without_errata_write = t_vulnerability_toggle_cves_without_errata_write + relation t_vulnerability_toggle_cves_without_errata_write: rbac/principal:* + permission vulnerability_all_read = t_vulnerability_all_read + relation t_vulnerability_all_read: rbac/principal:* + permission vulnerability_all_write = t_vulnerability_all_write + relation t_vulnerability_all_write: rbac/principal:* + permission vulnerability_all_all = t_vulnerability_all_all + relation t_vulnerability_all_all: rbac/principal:* } definition rbac/role_binding { - relation subject: rbac/user | rbac/group#member - relation granted: rbac/role - permission notifications_daily_digest_preference_edit = subject & granted->notifications_daily_digest_preference_edit - permission notifications_daily_digest_preference_view = subject & granted->notifications_daily_digest_preference_view - permission notifications_integration_create = subject & granted->notifications_integration_create - permission notifications_integration_subscribe_drawer = subject & granted->notifications_integration_subscribe_drawer - permission notifications_integration_subscribe_email = subject & granted->notifications_integration_subscribe_email - permission notifications_integration_view = subject & granted->notifications_integration_view - permission notifications_integration_edit = subject & granted->notifications_integration_edit - permission notifications_integration_test = subject & granted->notifications_integration_test - 
permission notifications_integration_view_history = subject & granted->notifications_integration_view_history - permission notifications_integration_delete = subject & granted->notifications_integration_delete - permission notifications_integration_disable = subject & granted->notifications_integration_disable - permission notifications_integration_enable = subject & granted->notifications_integration_enable - permission notifications_event_log_view = subject & granted->notifications_event_log_view + permission subject = t_subject + relation t_subject: rbac/principal | rbac/group#member + permission role = t_role + relation t_role: rbac/role + permission notifications_integration_create = (subject & t_role->notifications_integration_create) + permission notifications_daily_digest_preference_edit = (subject & t_role->notifications_daily_digest_preference_edit) + permission notifications_daily_digest_preference_view = (subject & t_role->notifications_daily_digest_preference_view) + permission notifications_integration_subscribe_drawer = (subject & t_role->notifications_integration_subscribe_drawer) + permission notifications_integration_subscribe_email = (subject & t_role->notifications_integration_subscribe_email) + permission notifications_event_log_view = (subject & t_role->notifications_event_log_view) + permission notifications_behavior_groups_view = (subject & t_role->notifications_behavior_groups_view) + permission notifications_behavior_groups_edit = (subject & t_role->notifications_behavior_groups_edit) + permission notifications_bundles_view = (subject & t_role->notifications_bundles_view) + permission notifications_applications_view = (subject & t_role->notifications_applications_view) + permission notifications_event_types_view = (subject & t_role->notifications_event_types_view) + permission notifications_integration_view = (subject & t_role->notifications_integration_view) + permission notifications_integration_edit = (subject & 
t_role->notifications_integration_edit) + permission notifications_integration_test = (subject & t_role->notifications_integration_test) + permission notifications_integration_view_history = (subject & t_role->notifications_integration_view_history) + permission notifications_integration_delete = (subject & t_role->notifications_integration_delete) + permission notifications_integration_disable = (subject & t_role->notifications_integration_disable) + permission notifications_integration_enable = (subject & t_role->notifications_integration_enable) } definition rbac/workspace { - relation parent: rbac/workspace | rbac/tenant - relation user_grant: rbac/role_binding - permission notifications_daily_digest_preference_edit = user_grant->notifications_daily_digest_preference_edit + parent->notifications_daily_digest_preference_edit - permission notifications_daily_digest_preference_view = user_grant->notifications_daily_digest_preference_view + parent->notifications_daily_digest_preference_view - permission notifications_integration_create = user_grant->notifications_integration_create + parent->notifications_integration_create - permission notifications_integration_subscribe_drawer = user_grant->notifications_integration_subscribe_drawer + parent->notifications_integration_subscribe_drawer - permission notifications_integration_subscribe_email = user_grant->notifications_integration_subscribe_email + parent->notifications_integration_subscribe_email - permission notifications_integration_view = user_grant->notifications_integration_view + parent->notifications_integration_view - permission notifications_integration_edit = user_grant->notifications_integration_edit + parent->notifications_integration_edit - permission notifications_integration_test = user_grant->notifications_integration_test + parent->notifications_integration_test - permission notifications_integration_view_history = user_grant->notifications_integration_view_history + 
parent->notifications_integration_view_history - permission notifications_integration_delete = user_grant->notifications_integration_delete + parent->notifications_integration_delete - permission notifications_integration_disable = user_grant->notifications_integration_disable + parent->notifications_integration_disable - permission notifications_integration_enable = user_grant->notifications_integration_enable + parent->notifications_integration_enable - permission notifications_event_log_view = user_grant->notifications_event_log_view + parent->notifications_event_log_view + permission parent = t_parent + relation t_parent: rbac/workspace | rbac/tenant + permission binding = t_binding + relation t_binding: rbac/role_binding + permission notifications_integration_create = t_binding->notifications_integration_create + t_parent->notifications_integration_create + permission notifications_daily_digest_preference_edit = t_binding->notifications_daily_digest_preference_edit + t_parent->notifications_daily_digest_preference_edit + permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view + t_parent->notifications_daily_digest_preference_view + permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer + t_parent->notifications_integration_subscribe_drawer + permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email + t_parent->notifications_integration_subscribe_email + permission notifications_event_log_view = t_binding->notifications_event_log_view + t_parent->notifications_event_log_view + permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view + t_parent->notifications_behavior_groups_view + permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit + t_parent->notifications_behavior_groups_edit + permission notifications_bundles_view = 
t_binding->notifications_bundles_view + t_parent->notifications_bundles_view + permission notifications_applications_view = t_binding->notifications_applications_view + t_parent->notifications_applications_view + permission notifications_event_types_view = t_binding->notifications_event_types_view + t_parent->notifications_event_types_view + permission notifications_integration_view = t_binding->notifications_integration_view + t_parent->notifications_integration_view + permission notifications_integration_edit = t_binding->notifications_integration_edit + t_parent->notifications_integration_edit + permission notifications_integration_test = t_binding->notifications_integration_test + t_parent->notifications_integration_test + permission notifications_integration_view_history = t_binding->notifications_integration_view_history + t_parent->notifications_integration_view_history + permission notifications_integration_delete = t_binding->notifications_integration_delete + t_parent->notifications_integration_delete + permission notifications_integration_disable = t_binding->notifications_integration_disable + t_parent->notifications_integration_disable + permission notifications_integration_enable = t_binding->notifications_integration_enable + t_parent->notifications_integration_enable } - definition notifications/integration { - relation workspace: rbac/workspace - permission view = workspace->notifications_integration_view + definition hbi/rhel_host { + relation t_workspace: rbac/workspace + } - // Edit display name, connectivity settings, and event type mappings - permission edit = workspace->notifications_integration_edit - permission test = workspace->notifications_integration_test - permission view_history = workspace->notifications_integration_view_history - permission delete = workspace->notifications_integration_delete - permission disable = workspace->notifications_integration_disable - permission enable = workspace->notifications_integration_enable + 
definition acm/k8s_cluster { + relation t_workspace: rbac/workspace } - definition hbi/rhel_host { - relation workspace: rbac/workspace + definition acm/k8s_policy { + relation t_workspace: rbac/workspace }
diff --git a/deploy/schema.zed b/deploy/schema.zed
new file mode 100644
index 00000000..df3973c6
--- /dev/null
+++ b/deploy/schema.zed
@@ -0,0 +1,475 @@
+definition notifications/integration {
+ permission workspace = t_workspace
+ relation t_workspace: rbac/workspace
+ permission view = t_workspace->notifications_integration_view
+ permission edit = t_workspace->notifications_integration_edit
+ permission test = t_workspace->notifications_integration_test
+ permission view_history = t_workspace->notifications_integration_view_history
+ permission delete = t_workspace->notifications_integration_delete
+ permission disable = t_workspace->notifications_integration_disable
+ permission enable = t_workspace->notifications_integration_enable
+}
+
+definition rbac/principal {}
+
+definition rbac/platform {
+ permission binding = t_binding
+ relation t_binding: rbac/role_binding
+ permission notifications_integration_create = t_binding->notifications_integration_create
+ permission notifications_daily_digest_preference_edit = t_binding->notifications_daily_digest_preference_edit
+ permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view
+ permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer
+ permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email
+ permission notifications_event_log_view = t_binding->notifications_event_log_view
+ permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view
+ permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit
+ permission notifications_bundles_view = t_binding->notifications_bundles_view
+ permission notifications_applications_view = t_binding->notifications_applications_view
+ permission notifications_event_types_view = t_binding->notifications_event_types_view
+ permission notifications_integration_view = t_binding->notifications_integration_view
+ permission notifications_integration_edit = t_binding->notifications_integration_edit
+ permission notifications_integration_test = t_binding->notifications_integration_test
+ permission notifications_integration_view_history = t_binding->notifications_integration_view_history
+ permission notifications_integration_delete = t_binding->notifications_integration_delete
+ permission notifications_integration_disable = t_binding->notifications_integration_disable
+ permission notifications_integration_enable = t_binding->notifications_integration_enable
+}
+
+definition rbac/tenant {
+ permission platform = t_platform
+ relation t_platform: rbac/platform
+ permission binding = t_binding
+ relation t_binding: rbac/role_binding
+ permission notifications_integration_create = t_binding->notifications_integration_create + t_platform->notifications_integration_create
+ permission notifications_daily_digest_preference_edit = t_binding->notifications_daily_digest_preference_edit + t_platform->notifications_daily_digest_preference_edit
+ permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view + t_platform->notifications_daily_digest_preference_view
+ permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer + t_platform->notifications_integration_subscribe_drawer
+ permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email + t_platform->notifications_integration_subscribe_email
+ permission notifications_event_log_view = t_binding->notifications_event_log_view + t_platform->notifications_event_log_view
+ permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view + t_platform->notifications_behavior_groups_view
+ permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit + t_platform->notifications_behavior_groups_edit
+ permission notifications_bundles_view = t_binding->notifications_bundles_view + t_platform->notifications_bundles_view
+ permission notifications_applications_view = t_binding->notifications_applications_view + t_platform->notifications_applications_view
+ permission notifications_event_types_view = t_binding->notifications_event_types_view + t_platform->notifications_event_types_view
+ permission notifications_integration_view = t_binding->notifications_integration_view + t_platform->notifications_integration_view
+ permission notifications_integration_edit = t_binding->notifications_integration_edit + t_platform->notifications_integration_edit
+ permission notifications_integration_test = t_binding->notifications_integration_test + t_platform->notifications_integration_test
+ permission notifications_integration_view_history = t_binding->notifications_integration_view_history + t_platform->notifications_integration_view_history
+ permission notifications_integration_delete = t_binding->notifications_integration_delete + t_platform->notifications_integration_delete
+ permission notifications_integration_disable = t_binding->notifications_integration_disable + t_platform->notifications_integration_disable
+ permission notifications_integration_enable = t_binding->notifications_integration_enable + t_platform->notifications_integration_enable
+}
+
+definition rbac/group {
+ permission owner = t_owner
+ relation t_owner: rbac/tenant
+ permission member = t_member
+ relation t_member: rbac/principal | rbac/group#member
+}
+
+definition rbac/role {
+ permission all_all_all = t_all_all_all
+ relation t_all_all_all: rbac/principal:*
+ permission child = t_child
+ relation t_child: rbac/role
+ permission notifications_all_all = t_notifications_all_all
+ relation t_notifications_all_all: rbac/principal:*
+ permission notifications_integrations_all = t_notifications_integrations_all
+ relation t_notifications_integrations_all: rbac/principal:*
+ permission notifications_all_write = t_notifications_all_write
+ relation t_notifications_all_write: rbac/principal:*
+ permission notifications_integrations_write = t_notifications_integrations_write
+ relation t_notifications_integrations_write: rbac/principal:*
+ permission notifications_integration_create = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_create
+ permission notifications_notifications_all = t_notifications_notifications_all
+ relation t_notifications_notifications_all: rbac/principal:*
+ permission notifications_notifications_write = t_notifications_notifications_write
+ relation t_notifications_notifications_write: rbac/principal:*
+ permission notifications_daily_digest_preference_edit = notifications_notifications_write + notifications_notifications_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_daily_digest_preference_edit
+ permission notifications_all_read = t_notifications_all_read
+ relation t_notifications_all_read: rbac/principal:*
+ permission notifications_notifications_read = t_notifications_notifications_read
+ relation t_notifications_notifications_read: rbac/principal:*
+ permission notifications_daily_digest_preference_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_daily_digest_preference_view
+ permission notifications_integrations_read = t_notifications_integrations_read
+ relation t_notifications_integrations_read: rbac/principal:*
+ permission notifications_integration_subscribe_drawer = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_subscribe_drawer
+ permission notifications_integration_subscribe_email = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_subscribe_email
+ permission notifications_events_all = t_notifications_events_all
+ relation t_notifications_events_all: rbac/principal:*
+ permission notifications_events_read = t_notifications_events_read
+ relation t_notifications_events_read: rbac/principal:*
+ permission notifications_event_log_view = notifications_events_read + notifications_events_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_event_log_view
+ permission notifications_behavior_groups_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_behavior_groups_view
+ permission notifications_behavior_groups_edit = notifications_notifications_write + notifications_notifications_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_behavior_groups_edit
+ permission notifications_bundles_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_bundles_view
+ permission notifications_applications_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_applications_view
+ permission notifications_event_types_view = notifications_notifications_read + notifications_notifications_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_event_types_view
+ permission notifications_integration_view = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_view
+ permission notifications_integration_edit = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_edit
+ permission notifications_integration_test = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_test
+ permission notifications_integration_view_history = notifications_integrations_read + notifications_integrations_all + notifications_all_read + notifications_all_all + all_all_all + t_child->notifications_integration_view_history
+ permission notifications_integration_delete = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_delete
+ permission notifications_integration_disable = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_disable
+ permission notifications_integration_enable = notifications_integrations_write + notifications_integrations_all + notifications_all_write + notifications_all_all + all_all_all + t_child->notifications_integration_enable
+ permission advisor_disable_recommendations_write = t_advisor_disable_recommendations_write
+ relation t_advisor_disable_recommendations_write: rbac/principal:*
+ permission advisor_weekly_email_read = t_advisor_weekly_email_read
+ relation t_advisor_weekly_email_read: rbac/principal:*
+ permission advisor_recommendation_results_read = t_advisor_recommendation_results_read
+ relation t_advisor_recommendation_results_read: rbac/principal:*
+ permission advisor_exports_read = t_advisor_exports_read
+ relation t_advisor_exports_read: rbac/principal:*
+ permission advisor_all_read = t_advisor_all_read
+ relation t_advisor_all_read: rbac/principal:*
+ permission advisor_all_all = t_advisor_all_all
+ relation t_advisor_all_all: rbac/principal:*
+ permission ansible_wisdom_admin_dashboard_chart_recommendations_read = t_ansible_wisdom_admin_dashboard_chart_recommendations_read
+ relation t_ansible_wisdom_admin_dashboard_chart_recommendations_read: rbac/principal:*
+ permission ansible_wisdom_admin_dashboard_chart_user_sentiment_read = t_ansible_wisdom_admin_dashboard_chart_user_sentiment_read
+ relation t_ansible_wisdom_admin_dashboard_chart_user_sentiment_read: rbac/principal:*
+ permission ansible_wisdom_admin_dashboard_chart_module_usage_read = t_ansible_wisdom_admin_dashboard_chart_module_usage_read
+ relation t_ansible_wisdom_admin_dashboard_chart_module_usage_read: rbac/principal:*
+ permission ansible_wisdom_admin_dashboard_chart_active_users_read = t_ansible_wisdom_admin_dashboard_chart_active_users_read
+ relation t_ansible_wisdom_admin_dashboard_chart_active_users_read: rbac/principal:*
+ permission automation_analytics_all_read = t_automation_analytics_all_read
+ relation t_automation_analytics_all_read: rbac/principal:*
+ permission automation_analytics_all_write = t_automation_analytics_all_write
+ relation t_automation_analytics_all_write: rbac/principal:*
+ permission automation_analytics_all_all = t_automation_analytics_all_all
+ relation t_automation_analytics_all_all: rbac/principal:*
+ permission compliance_report_read = t_compliance_report_read
+ relation t_compliance_report_read: rbac/principal:*
+ permission compliance_report_delete = t_compliance_report_delete
+ relation t_compliance_report_delete: rbac/principal:*
+ permission compliance_policy_read = t_compliance_policy_read
+ relation t_compliance_policy_read: rbac/principal:*
+ permission compliance_policy_create = t_compliance_policy_create
+ relation t_compliance_policy_create: rbac/principal:*
+ permission compliance_policy_update = t_compliance_policy_update
+ relation t_compliance_policy_update: rbac/principal:*
+ permission compliance_policy_delete = t_compliance_policy_delete
+ relation t_compliance_policy_delete: rbac/principal:*
+ permission compliance_policy_write = t_compliance_policy_write
+ relation t_compliance_policy_write: rbac/principal:*
+ permission compliance_all_all = t_compliance_all_all
+ relation t_compliance_all_all: rbac/principal:*
+ permission compliance_system_read = t_compliance_system_read
+ relation t_compliance_system_read: rbac/principal:*
+ permission config_manager_activation_keys_read = t_config_manager_activation_keys_read
+ relation t_config_manager_activation_keys_read: rbac/principal:*
+ permission config_manager_activation_keys_write = t_config_manager_activation_keys_write
+ relation t_config_manager_activation_keys_write: rbac/principal:*
+ permission config_manager_activation_keys_all = t_config_manager_activation_keys_all
+ relation t_config_manager_activation_keys_all: rbac/principal:*
+ permission config_manager_state_read = t_config_manager_state_read
+ relation t_config_manager_state_read: rbac/principal:*
+ permission config_manager_state_write = t_config_manager_state_write
+ relation t_config_manager_state_write: rbac/principal:*
+ permission config_manager_state_changes_read = t_config_manager_state_changes_read
+ relation t_config_manager_state_changes_read: rbac/principal:*
+ permission content_sources_repositories_read = t_content_sources_repositories_read
+ relation t_content_sources_repositories_read: rbac/principal:*
+ permission content_sources_repositories_write = t_content_sources_repositories_write
+ relation t_content_sources_repositories_write: rbac/principal:*
+ permission content_sources_repositories_upload = t_content_sources_repositories_upload
+ relation t_content_sources_repositories_upload: rbac/principal:*
+ permission content_sources_templates_read = t_content_sources_templates_read
+ relation t_content_sources_templates_read: rbac/principal:*
+ permission content_sources_templates_write = t_content_sources_templates_write
+ relation t_content_sources_templates_write: rbac/principal:*
+ permission content_sources_all_all = t_content_sources_all_all
+ relation t_content_sources_all_all: rbac/principal:*
+ permission cost_management_aws_account_all = t_cost_management_aws_account_all
+ relation t_cost_management_aws_account_all: rbac/principal:*
+ permission cost_management_aws_account_read = t_cost_management_aws_account_read
+ relation t_cost_management_aws_account_read: rbac/principal:*
+ permission cost_management_gcp_account_all = t_cost_management_gcp_account_all
+ relation t_cost_management_gcp_account_all: rbac/principal:*
+ permission cost_management_gcp_account_read = t_cost_management_gcp_account_read
+ relation t_cost_management_gcp_account_read: rbac/principal:*
+ permission cost_management_gcp_project_all = t_cost_management_gcp_project_all
+ relation t_cost_management_gcp_project_all: rbac/principal:*
+ permission cost_management_gcp_project_read = t_cost_management_gcp_project_read
+ relation t_cost_management_gcp_project_read: rbac/principal:*
+ permission cost_management_openshift_cluster_all = t_cost_management_openshift_cluster_all
+ relation t_cost_management_openshift_cluster_all: rbac/principal:*
+ permission cost_management_openshift_cluster_read = t_cost_management_openshift_cluster_read
+ relation t_cost_management_openshift_cluster_read: rbac/principal:*
+ permission cost_management_oci_payer_tenant_id_all = t_cost_management_oci_payer_tenant_id_all
+ relation t_cost_management_oci_payer_tenant_id_all: rbac/principal:*
+ permission cost_management_oci_payer_tenant_id_read = t_cost_management_oci_payer_tenant_id_read
+ relation t_cost_management_oci_payer_tenant_id_read: rbac/principal:*
+ permission cost_management_settings_all = t_cost_management_settings_all
+ relation t_cost_management_settings_all: rbac/principal:*
+ permission cost_management_settings_read = t_cost_management_settings_read
+ relation t_cost_management_settings_read: rbac/principal:*
+ permission cost_management_settings_write = t_cost_management_settings_write
+ relation t_cost_management_settings_write: rbac/principal:*
+ permission cost_management_aws_organizational_unit_all = t_cost_management_aws_organizational_unit_all
+ relation t_cost_management_aws_organizational_unit_all: rbac/principal:*
+ permission cost_management_aws_organizational_unit_read = t_cost_management_aws_organizational_unit_read
+ relation t_cost_management_aws_organizational_unit_read: rbac/principal:*
+ permission cost_management_azure_subscription_guid_all = t_cost_management_azure_subscription_guid_all
+ relation t_cost_management_azure_subscription_guid_all: rbac/principal:*
+ permission cost_management_azure_subscription_guid_read = t_cost_management_azure_subscription_guid_read
+ relation t_cost_management_azure_subscription_guid_read: rbac/principal:*
+ permission cost_management_openshift_node_all = t_cost_management_openshift_node_all
+ relation t_cost_management_openshift_node_all: rbac/principal:*
+ permission cost_management_openshift_node_read = t_cost_management_openshift_node_read
+ relation t_cost_management_openshift_node_read: rbac/principal:*
+ permission cost_management_openshift_project_all = t_cost_management_openshift_project_all
+ relation t_cost_management_openshift_project_all: rbac/principal:*
+ permission cost_management_openshift_project_read = t_cost_management_openshift_project_read
+ relation t_cost_management_openshift_project_read: rbac/principal:*
+ permission cost_management_cost_model_all = t_cost_management_cost_model_all
+ relation t_cost_management_cost_model_all: rbac/principal:*
+ permission cost_management_cost_model_read = t_cost_management_cost_model_read
+ relation t_cost_management_cost_model_read: rbac/principal:*
+ permission cost_management_cost_model_write = t_cost_management_cost_model_write
+ relation t_cost_management_cost_model_write: rbac/principal:*
+ permission cost_management_all_all = t_cost_management_all_all
+ relation t_cost_management_all_all: rbac/principal:*
+ permission hybrid_committed_spend_reports_read = t_hybrid_committed_spend_reports_read
+ relation t_hybrid_committed_spend_reports_read: rbac/principal:*
+ permission idmsvc_all_all = t_idmsvc_all_all
+ relation t_idmsvc_all_all: rbac/principal:*
+ permission idmsvc_token_create = t_idmsvc_token_create
+ relation t_idmsvc_token_create: rbac/principal:*
+ permission idmsvc_domains_list = t_idmsvc_domains_list
+ relation t_idmsvc_domains_list: rbac/principal:*
+ permission idmsvc_domains_read = t_idmsvc_domains_read
+ relation t_idmsvc_domains_read: rbac/principal:*
+ permission idmsvc_domains_create = t_idmsvc_domains_create
+ relation t_idmsvc_domains_create: rbac/principal:*
+ permission idmsvc_domains_update = t_idmsvc_domains_update
+ relation t_idmsvc_domains_update: rbac/principal:*
+ permission idmsvc_domains_delete = t_idmsvc_domains_delete
+ relation t_idmsvc_domains_delete: rbac/principal:*
+ permission integrations_endpoints_read = t_integrations_endpoints_read
+ relation t_integrations_endpoints_read: rbac/principal:*
+ permission integrations_endpoints_write = t_integrations_endpoints_write
+ relation t_integrations_endpoints_write: rbac/principal:*
+ permission integrations_all_all = t_integrations_all_all
+ relation t_integrations_all_all: rbac/principal:*
+ permission inventory_all_read = t_inventory_all_read
+ relation t_inventory_all_read: rbac/principal:*
+ permission inventory_all_all = t_inventory_all_all
+ relation t_inventory_all_all: rbac/principal:*
+ permission inventory_hosts_read = t_inventory_hosts_read
+ relation t_inventory_hosts_read: rbac/principal:*
+ permission inventory_hosts_write = t_inventory_hosts_write
+ relation t_inventory_hosts_write: rbac/principal:*
+ permission inventory_hosts_all = t_inventory_hosts_all
+ relation t_inventory_hosts_all: rbac/principal:*
+ permission inventory_groups_read = t_inventory_groups_read
+ relation t_inventory_groups_read: rbac/principal:*
+ permission inventory_groups_write = t_inventory_groups_write
+ relation t_inventory_groups_write: rbac/principal:*
+ permission inventory_groups_all = t_inventory_groups_all
+ relation t_inventory_groups_all: rbac/principal:*
+ permission malware_detection_all_all = t_malware_detection_all_all
+ relation t_malware_detection_all_all: rbac/principal:*
+ permission malware_detection_all_read = t_malware_detection_all_read
+ relation t_malware_detection_all_read: rbac/principal:*
+ permission malware_detection_acknowledgements_write = t_malware_detection_acknowledgements_write
+ relation t_malware_detection_acknowledgements_write: rbac/principal:*
+ permission ocp_advisor_toggle_recommendations_write = t_ocp_advisor_toggle_recommendations_write
+ relation t_ocp_advisor_toggle_recommendations_write: rbac/principal:*
+ permission ocp_advisor_recommendation_results_read = t_ocp_advisor_recommendation_results_read
+ relation t_ocp_advisor_recommendation_results_read: rbac/principal:*
+ permission ocp_advisor_exports_read = t_ocp_advisor_exports_read
+ relation t_ocp_advisor_exports_read: rbac/principal:*
+ permission ocp_advisor_all_all = t_ocp_advisor_all_all
+ relation t_ocp_advisor_all_all: rbac/principal:*
+ permission patch_template_write = t_patch_template_write
+ relation t_patch_template_write: rbac/principal:*
+ permission patch_all_all = t_patch_all_all
+ relation t_patch_all_all: rbac/principal:*
+ permission patch_all_read = t_patch_all_read
+ relation t_patch_all_read: rbac/principal:*
+ permission patch_all_write = t_patch_all_write
+ relation t_patch_all_write: rbac/principal:*
+ permission patch_system_write = t_patch_system_write
+ relation t_patch_system_write: rbac/principal:*
+ permission playbook_dispatcher_run_read = t_playbook_dispatcher_run_read
+ relation t_playbook_dispatcher_run_read: rbac/principal:*
+ permission playbook_dispatcher_run_write = t_playbook_dispatcher_run_write
+ relation t_playbook_dispatcher_run_write: rbac/principal:*
+ permission policies_policies_read = t_policies_policies_read
+ relation t_policies_policies_read: rbac/principal:*
+ permission
policies_policies_write = t_policies_policies_write + relation t_policies_policies_write: rbac/principal:* + permission policies_all_all = t_policies_all_all + relation t_policies_all_all: rbac/principal:* + permission provisioning_pubkey_all = t_provisioning_pubkey_all + relation t_provisioning_pubkey_all: rbac/principal:* + permission provisioning_pubkey_read = t_provisioning_pubkey_read + relation t_provisioning_pubkey_read: rbac/principal:* + permission provisioning_pubkey_write = t_provisioning_pubkey_write + relation t_provisioning_pubkey_write: rbac/principal:* + permission provisioning_reservation_all = t_provisioning_reservation_all + relation t_provisioning_reservation_all: rbac/principal:* + permission provisioning_reservation_read = t_provisioning_reservation_read + relation t_provisioning_reservation_read: rbac/principal:* + permission provisioning_reservation_write = t_provisioning_reservation_write + relation t_provisioning_reservation_write: rbac/principal:* + permission provisioning_reservation_aws_all = t_provisioning_reservation_aws_all + relation t_provisioning_reservation_aws_all: rbac/principal:* + permission provisioning_reservation_aws_read = t_provisioning_reservation_aws_read + relation t_provisioning_reservation_aws_read: rbac/principal:* + permission provisioning_reservation_aws_write = t_provisioning_reservation_aws_write + relation t_provisioning_reservation_aws_write: rbac/principal:* + permission provisioning_reservation_azure_all = t_provisioning_reservation_azure_all + relation t_provisioning_reservation_azure_all: rbac/principal:* + permission provisioning_reservation_azure_read = t_provisioning_reservation_azure_read + relation t_provisioning_reservation_azure_read: rbac/principal:* + permission provisioning_reservation_azure_write = t_provisioning_reservation_azure_write + relation t_provisioning_reservation_azure_write: rbac/principal:* + permission provisioning_reservation_gcp_all = t_provisioning_reservation_gcp_all + 
relation t_provisioning_reservation_gcp_all: rbac/principal:* + permission provisioning_reservation_gcp_read = t_provisioning_reservation_gcp_read + relation t_provisioning_reservation_gcp_read: rbac/principal:* + permission provisioning_reservation_gcp_write = t_provisioning_reservation_gcp_write + relation t_provisioning_reservation_gcp_write: rbac/principal:* + permission provisioning_all_all = t_provisioning_all_all + relation t_provisioning_all_all: rbac/principal:* + permission provisioning_source_all = t_provisioning_source_all + relation t_provisioning_source_all: rbac/principal:* + permission provisioning_source_read = t_provisioning_source_read + relation t_provisioning_source_read: rbac/principal:* + permission rbac_principal_read = t_rbac_principal_read + relation t_rbac_principal_read: rbac/principal:* + permission rbac_all_all = t_rbac_all_all + relation t_rbac_all_all: rbac/principal:* + permission remediations_remediation_read = t_remediations_remediation_read + relation t_remediations_remediation_read: rbac/principal:* + permission remediations_remediation_write = t_remediations_remediation_write + relation t_remediations_remediation_write: rbac/principal:* + permission remediations_remediation_execute = t_remediations_remediation_execute + relation t_remediations_remediation_execute: rbac/principal:* + permission remediations_all_all = t_remediations_all_all + relation t_remediations_all_all: rbac/principal:* + permission remediations_all_read = t_remediations_all_read + relation t_remediations_all_read: rbac/principal:* + permission remediations_all_write = t_remediations_all_write + relation t_remediations_all_write: rbac/principal:* + permission ros_all_all = t_ros_all_all + relation t_ros_all_all: rbac/principal:* + permission ros_all_read = t_ros_all_read + relation t_ros_all_read: rbac/principal:* + permission sources_all_all = t_sources_all_all + relation t_sources_all_all: rbac/principal:* + permission staleness_staleness_read = 
t_staleness_staleness_read + relation t_staleness_staleness_read: rbac/principal:* + permission staleness_staleness_write = t_staleness_staleness_write + relation t_staleness_staleness_write: rbac/principal:* + permission staleness_staleness_all = t_staleness_staleness_all + relation t_staleness_staleness_all: rbac/principal:* + permission subscriptions_products_read = t_subscriptions_products_read + relation t_subscriptions_products_read: rbac/principal:* + permission subscriptions_products_write = t_subscriptions_products_write + relation t_subscriptions_products_write: rbac/principal:* + permission subscriptions_cloud_access_read = t_subscriptions_cloud_access_read + relation t_subscriptions_cloud_access_read: rbac/principal:* + permission subscriptions_cloud_access_write = t_subscriptions_cloud_access_write + relation t_subscriptions_cloud_access_write: rbac/principal:* + permission subscriptions_all_all = t_subscriptions_all_all + relation t_subscriptions_all_all: rbac/principal:* + permission subscriptions_reports_read = t_subscriptions_reports_read + relation t_subscriptions_reports_read: rbac/principal:* + permission subscriptions_manifests_read = t_subscriptions_manifests_read + relation t_subscriptions_manifests_read: rbac/principal:* + permission subscriptions_manifests_write = t_subscriptions_manifests_write + relation t_subscriptions_manifests_write: rbac/principal:* + permission subscriptions_organization_read = t_subscriptions_organization_read + relation t_subscriptions_organization_read: rbac/principal:* + permission subscriptions_organization_write = t_subscriptions_organization_write + relation t_subscriptions_organization_write: rbac/principal:* + permission tasks_all_all = t_tasks_all_all + relation t_tasks_all_all: rbac/principal:* + permission vulnerability_vulnerability_results_read = t_vulnerability_vulnerability_results_read + relation t_vulnerability_vulnerability_results_read: rbac/principal:* + permission 
vulnerability_cve_business_risk_and_status_write = t_vulnerability_cve_business_risk_and_status_write + relation t_vulnerability_cve_business_risk_and_status_write: rbac/principal:* + permission vulnerability_system_cve_status_write = t_vulnerability_system_cve_status_write + relation t_vulnerability_system_cve_status_write: rbac/principal:* + permission vulnerability_advanced_report_read = t_vulnerability_advanced_report_read + relation t_vulnerability_advanced_report_read: rbac/principal:* + permission vulnerability_report_and_export_read = t_vulnerability_report_and_export_read + relation t_vulnerability_report_and_export_read: rbac/principal:* + permission vulnerability_system_opt_out_write = t_vulnerability_system_opt_out_write + relation t_vulnerability_system_opt_out_write: rbac/principal:* + permission vulnerability_system_opt_out_read = t_vulnerability_system_opt_out_read + relation t_vulnerability_system_opt_out_read: rbac/principal:* + permission vulnerability_toggle_cves_without_errata_write = t_vulnerability_toggle_cves_without_errata_write + relation t_vulnerability_toggle_cves_without_errata_write: rbac/principal:* + permission vulnerability_all_read = t_vulnerability_all_read + relation t_vulnerability_all_read: rbac/principal:* + permission vulnerability_all_write = t_vulnerability_all_write + relation t_vulnerability_all_write: rbac/principal:* + permission vulnerability_all_all = t_vulnerability_all_all + relation t_vulnerability_all_all: rbac/principal:* +} + +definition rbac/role_binding { + permission subject = t_subject + relation t_subject: rbac/principal | rbac/group#member + permission role = t_role + relation t_role: rbac/role + permission notifications_integration_create = (subject & t_role->notifications_integration_create) + permission notifications_daily_digest_preference_edit = (subject & t_role->notifications_daily_digest_preference_edit) + permission notifications_daily_digest_preference_view = (subject & 
t_role->notifications_daily_digest_preference_view) + permission notifications_integration_subscribe_drawer = (subject & t_role->notifications_integration_subscribe_drawer) + permission notifications_integration_subscribe_email = (subject & t_role->notifications_integration_subscribe_email) + permission notifications_event_log_view = (subject & t_role->notifications_event_log_view) + permission notifications_behavior_groups_view = (subject & t_role->notifications_behavior_groups_view) + permission notifications_behavior_groups_edit = (subject & t_role->notifications_behavior_groups_edit) + permission notifications_bundles_view = (subject & t_role->notifications_bundles_view) + permission notifications_applications_view = (subject & t_role->notifications_applications_view) + permission notifications_event_types_view = (subject & t_role->notifications_event_types_view) + permission notifications_integration_view = (subject & t_role->notifications_integration_view) + permission notifications_integration_edit = (subject & t_role->notifications_integration_edit) + permission notifications_integration_test = (subject & t_role->notifications_integration_test) + permission notifications_integration_view_history = (subject & t_role->notifications_integration_view_history) + permission notifications_integration_delete = (subject & t_role->notifications_integration_delete) + permission notifications_integration_disable = (subject & t_role->notifications_integration_disable) + permission notifications_integration_enable = (subject & t_role->notifications_integration_enable) +} + +definition rbac/workspace { + permission parent = t_parent + relation t_parent: rbac/workspace | rbac/tenant + permission binding = t_binding + relation t_binding: rbac/role_binding + permission notifications_integration_create = t_binding->notifications_integration_create + t_parent->notifications_integration_create + permission notifications_daily_digest_preference_edit = 
t_binding->notifications_daily_digest_preference_edit + t_parent->notifications_daily_digest_preference_edit + permission notifications_daily_digest_preference_view = t_binding->notifications_daily_digest_preference_view + t_parent->notifications_daily_digest_preference_view + permission notifications_integration_subscribe_drawer = t_binding->notifications_integration_subscribe_drawer + t_parent->notifications_integration_subscribe_drawer + permission notifications_integration_subscribe_email = t_binding->notifications_integration_subscribe_email + t_parent->notifications_integration_subscribe_email + permission notifications_event_log_view = t_binding->notifications_event_log_view + t_parent->notifications_event_log_view + permission notifications_behavior_groups_view = t_binding->notifications_behavior_groups_view + t_parent->notifications_behavior_groups_view + permission notifications_behavior_groups_edit = t_binding->notifications_behavior_groups_edit + t_parent->notifications_behavior_groups_edit + permission notifications_bundles_view = t_binding->notifications_bundles_view + t_parent->notifications_bundles_view + permission notifications_applications_view = t_binding->notifications_applications_view + t_parent->notifications_applications_view + permission notifications_event_types_view = t_binding->notifications_event_types_view + t_parent->notifications_event_types_view + permission notifications_integration_view = t_binding->notifications_integration_view + t_parent->notifications_integration_view + permission notifications_integration_edit = t_binding->notifications_integration_edit + t_parent->notifications_integration_edit + permission notifications_integration_test = t_binding->notifications_integration_test + t_parent->notifications_integration_test + permission notifications_integration_view_history = t_binding->notifications_integration_view_history + t_parent->notifications_integration_view_history + permission notifications_integration_delete = 
t_binding->notifications_integration_delete + t_parent->notifications_integration_delete + permission notifications_integration_disable = t_binding->notifications_integration_disable + t_parent->notifications_integration_disable + permission notifications_integration_enable = t_binding->notifications_integration_enable + t_parent->notifications_integration_enable +} + +definition hbi/rhel_host { + relation t_workspace: rbac/workspace +} + +definition acm/k8s_cluster { + relation t_workspace: rbac/workspace +} + +definition acm/k8s_policy { + relation t_workspace: rbac/workspace +}
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 763367ad..58c6e4e4 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -52,6 +52,8 @@ services:
 relations-api:
 image: "quay.io/cloudservices/kessel-relations:latest"
 hostname: relations-api
+ volumes:
+ - ./deploy/schema.zed:/deploy/schema.zed:ro,z
 environment:
 - "SPICEDB_PRESHARED=${SPICEDB_GRPC_PRESHARED_KEY}"
 # - "SPICEDB_PRESHARED_FILE=/run/secrets/spicedb_pre_shared"
diff --git a/internal/service/common/common.go b/internal/service/common/common.go
index 43bea757..00a1185b 100644
--- a/internal/service/common/common.go
+++ b/internal/service/common/common.go
@@ -77,8 +77,8 @@ func ReporterRelationshipIdFromPb(relationshipType, reporterId string, reporter
 return model.ReporterRelationshipId{}, errors.New("invalid relationship type, not in the expected format subject_relation_object ")
 }
- subjectType := res[0]
- objectType := res[2]
+ subjectType := conform(res[0])
+ objectType := conform(res[2])
 return model.ReporterRelationshipId{
 ReporterId: reporterId,
@@ -106,8 +106,8 @@ func RelationshipFromPb(relationshipType, reporterId string, relationshipData mo
 return nil, errors.New("invalid relationship type, not in the expected format subject_relation_object ")
 }
- subjectType := res[0]
- objectType := res[2]
+ subjectType := conform(res[0])
+ objectType := conform(res[2])
 return &model.Relationship{
 ID: uuid.UUID{},
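Review bot: `conform(res[0])` and `conform(res[2])` rewrite the reporter-supplied type segments rather than validating them, so `k8s-cluster` and `k8s_cluster` now resolve to the same subject or object type, and any other character that is not a hyphen passes through unchanged; the second common.go hunk in `RelationshipFromPb` has the same shape. Because these values become part of the relationship identity, I would check the normalized type against the set of resource types the service actually registers and return an error for anything else, next to the existing `invalid relationship type` check. The split that produces `res` and the remainder of both functions are outside these hunks, so the accepted input grammar is inferred from the error message only.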
@@ -129,3 +129,8 @@ func RelationshipFromPb(relationshipType, reporterId string, relationshipData mo
 },
 }, nil
 }
+
+// Conform converts any hyphens in resource types to underscores to conform with SpiceDB validation requirements
+func conform(resource string) string {
+ return strings.ReplaceAll(resource, "-", "_")
+}
diff --git a/internal/service/resources/hosts/hosts.go b/internal/service/resources/hosts/hosts.go
index eda1cd30..acfe5742 100644
--- a/internal/service/resources/hosts/hosts.go
+++ b/internal/service/resources/hosts/hosts.go
@@ -2,6 +2,7 @@ package hosts
 import (
 "context"
+
 pb "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/resources"
 authnapi "github.com/project-kessel/inventory-api/internal/authn/api"
 "github.com/project-kessel/inventory-api/internal/biz/model"
@@ -11,7 +12,7 @@ import (
 )
 const (
- ResourceType = "rhel-host"
+ ResourceType = "rhel_host"
 )
 // HostsService handles requests for Rhel hosts
diff --git a/internal/service/resources/k8sclusters/k8scluster.go b/internal/service/resources/k8sclusters/k8scluster.go
index 7dddc8cc..83a52ec8 100644
--- a/internal/service/resources/k8sclusters/k8scluster.go
+++ b/internal/service/resources/k8sclusters/k8scluster.go
@@ -2,6 +2,7 @@ package k8sclusters
 import (
 "context"
+
 "github.com/project-kessel/inventory-api/internal/biz/resources"
 pb "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/resources"
@@ -12,7 +13,7 @@ import (
 )
 const (
- ResourceType = "k8s-cluster"
+ ResourceType = "k8s_cluster"
 )
 // K8sClustersService handles requests for k8s clusters
diff --git a/internal/service/resources/k8spolicies/k8spolicies.go b/internal/service/resources/k8spolicies/k8spolicies.go
index e405369e..f777aa52 100644
--- a/internal/service/resources/k8spolicies/k8spolicies.go
+++ b/internal/service/resources/k8spolicies/k8spolicies.go
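Review bot: The doc comment on the new `conform` helper in common.go opens with `Conform`, which does not match the unexported name, and it reads as if the result were guaranteed to satisfy SpiceDB's naming rules when the body only replaces hyphens. I would write `// conform replaces hyphens in a resource type with underscores; it does not validate the result against SpiceDB's type-name rules.` so callers do not treat the return value as already checked.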
@@ -2,6 +2,7 @@ package k8spolicies
 import (
 "context"
+
 "github.com/project-kessel/inventory-api/internal/biz/model"
 "github.com/project-kessel/inventory-api/internal/biz/resources"
@@ -12,7 +13,7 @@ import (
 )
 const (
- ResourceType = "k8s-policy"
+ ResourceType = "k8s_policy"
 )
 // K8sPoliciesService handles requests for K8s Policies
diff --git a/test/e2e/inventory_http_test.go b/test/e2e/inventory_http_test.go
index d9253c2c..8fa6c95e 100644
--- a/test/e2e/inventory_http_test.go
+++ b/test/e2e/inventory_http_test.go
@@ -5,16 +5,17 @@ import (
 "crypto/tls"
 "crypto/x509"
 "fmt"
+ nethttp "net/http"
+ "os"
+ "strconv"
+ "testing"
+
 "github.com/go-kratos/kratos/v2/log"
 "github.com/go-kratos/kratos/v2/transport/http"
 v1 "github.com/project-kessel/inventory-api/api/kessel/inventory/v1"
 "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta1/resources"
 "github.com/project-kessel/inventory-client-go/v1beta1"
 "github.com/stretchr/testify/assert"
- nethttp "net/http"
- "os"
- "strconv"
- "testing"
 )
 var inventoryapi_http_url string
@@ -150,7 +151,7 @@ func TestInventoryAPIHTTP_CreateRHELHost(t *testing.T) {
 }
 request := resources.CreateRhelHostRequest{RhelHost: &resources.RhelHost{
 Metadata: &resources.Metadata{
- ResourceType: "rhel-host",
+ ResourceType: "rhel_host",
 WorkspaceId: "workspace1",
 OrgId: "",
 },
@@ -183,7 +184,7 @@ func TestInventoryAPIHTTP_K8SCluster_CreateK8SCluster(t *testing.T) {
 request := resources.CreateK8SClusterRequest{
 K8SCluster: &resources.K8SCluster{
 Metadata: &resources.Metadata{
- ResourceType: "k8s-cluster",
+ ResourceType: "k8s_cluster",
 WorkspaceId: "",
 OrgId: "",
 },
@@ -238,7 +239,7 @@ func TestInventoryAPIHTTP_K8SPolicy_CreateK8SPolicy(t *testing.T) {
 request := resources.CreateK8SPolicyRequest{
 K8SPolicy: &resources.K8SPolicy{
 Metadata: &resources.Metadata{
- ResourceType: "k8s-policy",
+ ResourceType: "k8s_policy",
 WorkspaceId: "default",
 OrgId: "",
 },