Merge pull request #56 from uselagoon/report-view

feat: allow users with access to Group tenants to view and list reports
uselagoon · May 31, 2023 · e4c13d0 · e4c13d0
2 parents 6d12d5d + e3837ea
commit e4c13d0
Show file tree

Hide file tree

Showing 2 changed files with 255 additions and 58 deletions.
diff --git a/internal/sync/roles.go b/internal/sync/roles.go
@@ -91,9 +91,9 @@ func generateProjectGroupRole(group keycloak.Group) (
 	}
 	return name, &opensearch.Role{
 		RolePermissions: opensearch.RolePermissions{
-			ClusterPermissions: []string{
-				"cluster:admin/opendistro/reports/menu/download",
-			},
+			// use an empty slice instead of omitting this entirely because the
+			// Opensearch API errors if this field is omitted.
+			ClusterPermissions: []string{},
 			IndexPermissions: []opensearch.IndexPermission{
 				{
 					AllowedActions: []string{
@@ -171,7 +171,12 @@ func generateRegularGroupRole(log *zap.Logger, projectNames map[int]string,
 	}
 	return group.Name, &opensearch.Role{
 		RolePermissions: opensearch.RolePermissions{
+			// Allow users to read and download Reports
+			// https://github.com/opensearch-project/security/blob/2.7.0.0/config/
+			// 		roles.yml#L126-L132
 			ClusterPermissions: []string{
+				"cluster:admin/opendistro/reports/instance/list",
+				"cluster:admin/opendistro/reports/instance/get",
 				"cluster:admin/opendistro/reports/menu/download",
 			},
 			IndexPermissions: indexPermissions,