diff --git a/pkg/provision/migrations_202109_roles.go b/pkg/provision/migrations_202109_roles.go
index fd78fcca5..f66fdb8f4 100644
--- a/pkg/provision/migrations_202109_roles.go
+++ b/pkg/provision/migrations_202109_roles.go
@@ -14,7 +14,7 @@ func migratePre202109Roles(ctx context.Context, log *zap.Logger, s store.Storer)
 obsoleteAdminsID uint64 = 2
 )
- log.Info("migrating pre-2021.6 roles")
+ log.Info("migrating pre-2021.9 roles")
 m, err := loadRoles(ctx, s)
 if err != nil {
 return
@@ -38,12 +38,14 @@ func migratePre202109Roles(ctx context.Context, log *zap.Logger, s store.Storer)
 // let's see if admin role is still here:
 if m["admins"] != nil && m["admins"].ID == obsoleteAdminsID {
- log.Info("migrating 'admins' role to new ID")
+ log.Info("migrating 'admins' role to new ID and renaming it to 'admin'")
 // everyone role still present and it is using "hardcoded" ID
 // we can remove it
 m["admins"].ID = id.Next()
 m["admins"].UpdatedAt = now()
+ m["admins"].Handle = "admin"
+ m["admins"].Name = "Administrator"
 if err = store.DeleteRoleByID(ctx, s, obsoleteAdminsID); err != nil {
 return
diff --git a/provision/000_base/compose_access_control.yaml b/provision/000_base/compose_access_control.yaml
index ce3960e2f..9ee9bef49 100644
--- a/provision/000_base/compose_access_control.yaml
+++ b/provision/000_base/compose_access_control.yaml
@@ -22,7 +22,7 @@ allow:
 corteza::compose:record/*/*/*:
 - read
- admins:
+ admin:
 corteza::compose/:
 - grant
 - settings.read
@@ -68,7 +68,7 @@ allow:
 - update
 - delete
- low_code_admins:
+ low-code-admin:
 corteza::compose/:
 - grant
 - settings.read
diff --git a/provision/000_base/roles.yaml b/provision/000_base/roles.yaml
index 2dc7a8d99..dd6877833 100644
--- a/provision/000_base/roles.yaml
+++ b/provision/000_base/roles.yaml
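Review bot: The new `m["admins"].Handle = "admin"` and `m["admins"].Name = "Administrator"` assignments sit inside the `m["admins"].ID == obsoleteAdminsID` branch, so an installation whose `admins` role has already been moved off the hard-coded ID keeps the old handle while every provisioning file in this diff now keys its grants on `admin`; if provisioning matches roles by handle (as the `m["admins"]` lookup suggests), those grants would presumably land on a freshly created `admin` role rather than the one existing administrators belong to. Consider applying the rename whenever the role is present and keeping only the ID move conditional, e.g. `if r := m["admins"]; r != nil && m["admin"] == nil { r.Handle = "admin"; r.Name = "Administrator"; r.UpdatedAt = now() }`, where the `m["admin"] == nil` guard avoids ending up with two roles sharing one handle. The other handles renamed in the YAML files (security_admins, low_code_admins, owners, creators, updaters, deleters, developers) get no migration in this diff, so the same drift between stored roles and provisioned grants applies to them. The enclosing function migratePre202109Roles continues beyond the hunk.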
@@ -1,17 +1,17 @@
 roles:
 # bypass and other system roles are
 # programmatically (re)created on server start
- admins:
- name: Administrators
+ admin:
+ name: Administrator
- security_admins:
- name: Security administrators
+ security-admin:
+ name: Security administrator
- low_code_admins:
- name: Low code administrators
+ low-code-admin:
+ name: Low code administrator
- owners:
- name: Owners
+ owner:
+ name: Owner
 meta:
 description: |-
 Automatically assigned to resource owner
@@ -24,8 +24,8 @@ roles:
 - corteza::system:authClient
 - corteza::automation:workflow
- creators:
- name: Creators
+ creator:
+ name: Creator
 meta:
 description: |-
 Automatically assigned to user created the resource.
@@ -37,8 +37,8 @@ roles:
 - corteza::system:authClient
 - corteza::automation:workflow
- updaters:
- name: Updaters
+ updater:
+ name: Updater
 meta:
 description: |-
 Automatically assigned to user that was the last to update the resource.
@@ -51,8 +51,8 @@ roles:
 - corteza::system:authClient
 - corteza::automation:workflow
- deleters:
- name: Deleters
+ deleter:
+ name: Deleter
 meta:
 description: |-
 Automatically assigned to user that was the last to update the resource.
diff --git a/provision/000_base/system_access_control.yaml b/provision/000_base/system_access_control.yaml
index 59ee8e489..7d6624db7 100644
--- a/provision/000_base/system_access_control.yaml
+++ b/provision/000_base/system_access_control.yaml
@@ -15,7 +15,7 @@ allow:
 corteza::system:auth-client/*:
 - authorize
- admins:
+ admin:
 corteza::system/:
 - grant
 - action-log.read
@@ -97,7 +97,7 @@ allow:
 - delete
 - run
- security_admins:
+ security-admin:
 corteza::compose/:
 - grant
 - action-log.read
@@ -162,4 +162,4 @@ allow:
 - read
 - update
 - delete
- - run
\ No newline at end of file
+ - run
diff --git a/provision/200_federation/2000_access_control.yaml b/provision/200_federation/2000_access_control.yaml
index 1e2595c5e..af8242e79 100644
--- a/provision/200_federation/2000_access_control.yaml
+++ b/provision/200_federation/2000_access_control.yaml
@@ -1,5 +1,5 @@
 allow:
- admins:
+ admin:
 corteza::federation/:
 - grant
 - pair
diff --git a/provision/300_automation/1000_roles.yaml b/provision/300_automation/1000_roles.yaml
index adb5e3edf..272f6e0b4 100644
--- a/provision/300_automation/1000_roles.yaml
+++ b/provision/300_automation/1000_roles.yaml
@@ -1,3 +1,3 @@
 roles:
- developers:
- name: Developers
+ developer:
+ name: Developer