From 1bd4e23dbd005b1293ced489e8d853b43b9a78a2 Mon Sep 17 00:00:00 2001
From: Martin Schneppenheim <23424570+weeco@users.noreply.github.com>
Date: Tue, 25 Feb 2025 19:41:27 +0000
Subject: [PATCH] backend: require admin permissions for users and roles
 endpoints

---
 .../protogen/redpanda/api/console/v1alpha1/security.pb.go   | 6 +++---
 proto/redpanda/api/console/v1alpha1/security.proto          | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/pkg/protogen/redpanda/api/console/v1alpha1/security.pb.go b/backend/pkg/protogen/redpanda/api/console/v1alpha1/security.pb.go
index 1d5130ea5..31a230f41 100644
--- a/backend/pkg/protogen/redpanda/api/console/v1alpha1/security.pb.go
+++ b/backend/pkg/protogen/redpanda/api/console/v1alpha1/security.pb.go
@@ -1056,7 +1056,7 @@ var file_redpanda_api_console_v1alpha1_security_proto_rawDesc = []byte{
 	0x74, 0x1a, 0x30, 0x2e, 0x72, 0x65, 0x64, 0x70, 0x61, 0x6e, 0x64, 0x61, 0x2e, 0x61, 0x70, 0x69,
 	0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x08, 0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x01, 0x10, 0x03, 0x12, 0x7b, 0x0a,
+	0x6e, 0x73, 0x65, 0x22, 0x08, 0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x03, 0x10, 0x03, 0x12, 0x7b, 0x0a,
 	0x0a, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x12, 0x30, 0x2e, 0x72, 0x65,
 	0x64, 0x70, 0x61, 0x6e, 0x64, 0x61, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x6f,
 	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61,
@@ -1071,7 +1071,7 @@ var file_redpanda_api_console_v1alpha1_security_proto_rawDesc = []byte{
 	0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x72, 0x65, 0x64, 0x70, 0x61, 0x6e, 0x64, 0x61, 0x2e,
 	0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c,
 	0x70, 0x68, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x08, 0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x01, 0x10, 0x03, 0x12, 0x7b,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x08, 0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x03, 0x10, 0x03, 0x12, 0x7b,
 	0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x12, 0x30, 0x2e, 0x72,
 	0x65, 0x64, 0x70, 0x61, 0x6e, 0x64, 0x61, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x6e, 0x73,
 	0x6f, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x6c,
@@ -1088,7 +1088,7 @@ var file_redpanda_api_console_v1alpha1_security_proto_rawDesc = []byte{
 	0x61, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x2e, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x6f, 0x6c, 0x65, 0x4d,
 	0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x08,
-	0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x01, 0x10, 0x03, 0x12, 0x99, 0x01, 0x0a, 0x14, 0x55, 0x70, 0x64,
+	0x8a, 0xa6, 0x1d, 0x04, 0x08, 0x03, 0x10, 0x03, 0x12, 0x99, 0x01, 0x0a, 0x14, 0x55, 0x70, 0x64,
 	0x61, 0x74, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x68, 0x69,
 	0x70, 0x12, 0x3a, 0x2e, 0x72, 0x65, 0x64, 0x70, 0x61, 0x6e, 0x64, 0x61, 0x2e, 0x61, 0x70, 0x69,
 	0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
diff --git a/proto/redpanda/api/console/v1alpha1/security.proto b/proto/redpanda/api/console/v1alpha1/security.proto
index b565648ae..d708a4f5a 100644
--- a/proto/redpanda/api/console/v1alpha1/security.proto
+++ b/proto/redpanda/api/console/v1alpha1/security.proto
@@ -198,7 +198,7 @@ service SecurityService {
   // ListRoles lists all the roles based on optional filter.
   rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {
     option (redpanda.api.auth.v1.authorization) = {
-      required_permission: PERMISSION_VIEW
+      required_permission: PERMISSION_ADMIN
       api: API_REDPANDA_ADMIN
     };
   }
@@ -213,7 +213,7 @@ service SecurityService {
   // GetRole retrieves the specific role.
   rpc GetRole(GetRoleRequest) returns (GetRoleResponse) {
     option (redpanda.api.auth.v1.authorization) = {
-      required_permission: PERMISSION_VIEW
+      required_permission: PERMISSION_ADMIN
       api: API_REDPANDA_ADMIN
     };
   }
@@ -229,7 +229,7 @@ service SecurityService {
   // ListRoleMembership lists all the members assigned to a role based on optional filter.
   rpc ListRoleMembers(ListRoleMembersRequest) returns (ListRoleMembersResponse) {
     option (redpanda.api.auth.v1.authorization) = {
-      required_permission: PERMISSION_VIEW
+      required_permission: PERMISSION_ADMIN
       api: API_REDPANDA_ADMIN
     };
   }