feat: remove RBAC middleware checks on playbook controllers

rely on ABAC check
flanksource · Jan 3, 2025 · 0cdcb7e · 0cdcb7e
1 parent 78df577
commit 0cdcb7e
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 10 deletions.
diff --git a/playbook/controllers.go b/playbook/controllers.go
@@ -43,9 +43,9 @@ func RegisterRoutes(e *echo.Echo) {
 	}, rbac.Authorization(policy.ObjectMonitor, policy.ActionRead))
 
 	runGroup := playbookGroup.Group("/run")
-	runGroup.POST("", HandlePlaybookRun, rbac.Playbook(policy.ActionPlaybookRun))
+	runGroup.POST("", HandlePlaybookRun)
 	runGroup.GET("/:id", HandleGetPlaybookRun, rbac.Playbook(policy.ActionRead))
-	runGroup.POST("/approve/:run_id", HandlePlaybookRunApproval, rbac.Playbook(policy.ActionPlaybookApprove))
+	runGroup.POST("/approve/:run_id", HandlePlaybookRunApproval)
 }
 
 type RunResponse struct {

diff --git a/rbac/objects.go b/rbac/objects.go
@@ -118,6 +118,9 @@ var dbResourceObjMap = map[string]string{
 	"people_roles":                      policy.ObjectDatabasePublic,
 	"people":                            policy.ObjectPeople,
 	"permissions":                       policy.ObjectDatabaseSystem,
+	"permission_groups":                 policy.ObjectDatabaseSystem,
+	"permissions_summary":               policy.ObjectDatabaseSystem,
+	"permissions_group_summary":         policy.ObjectDatabaseSystem,
 	"playbook_action_agent_data":        policy.ObjectPlaybooks,
 	"playbook_approvals":                policy.ObjectPlaybooks,
 	"playbook_names":                    policy.ObjectDatabasePublic,

diff --git a/rbac/policies.yaml b/rbac/policies.yaml
@@ -1,14 +1,14 @@
 - principal: everyone
   acl:
     - objects: database.kratos
-      actions: '!*'
+      actions: "!*"
     # Activate after UI update
     # - objects: connection
     #   actions: "!read"
 - principal: admin
   acl:
-    - objects: '*'
-      actions: '*'
+    - objects: "*"
+      actions: "*"
   inherit:
     - everyone
 - principal: viewer
@@ -32,13 +32,9 @@
     - objects: canaries,catalog,topology,playbooks,kubernetes-proxy,notification
       actions: create,read,update,delete
     - objects: connection
-      actions: 'create,read,update,delete'
+      actions: "create,read,update,delete"
     - objects: connection-detail
       actions: read
-    - objects: playbooks
-      actions: playbook:run
-    - objects: playbooks
-      actions: playbook:approve
   inherit:
     - viewer
 - principal: agent