From 628a02ad152a570fe4efe50f44555df7f35a1e8b Mon Sep 17 00:00:00 2001
From: Louis Ruch
Date: Fri, 5 Feb 2021 09:41:48 -0800
Subject: [PATCH] Scope role grants (#913)
* Add scope read grant to default roles
* Update CHANGELOG.md
Co-authored-by: Jeff Mitchell
---
 CHANGELOG.md | 6 ++++++
 internal/cmd/base/initial_resources.go | 2 +-
 internal/cmd/commands/scopes/funcs.go | 2 +-
 internal/iam/repository_scope.go | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 952921dc2f..19998da2ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,8 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 * server: When running single-server mode and `controllers` is not specified in the `worker` block, use `public_cluster_addr` if given ([PR](https://github.com/hashicorp/boundary/pull/904))
+* server: Add `read` action to default scope grant ([PR](https://github.com/hashicorp/boundary/pull/913))
 ### Bug Fixes
@@ -45,6 +47,10 @@ database migrate` command.
 * controller/worker: Require names to be all lowercase. This removes ambiguity or accidental mismatching when using upcoming filtering features.
+* api/cli: Due to visibility changes on collection listing, a list will not include any resources if the user only has `list` as an authorized action. As a result `scope list`, which is used by the UI to populate the login scope dropdown, will be empty if the role granting the `u_anon` user `list` privileges is not updated to also contain a `read` action
 ### New and Improved
diff --git a/internal/cmd/base/initial_resources.go b/internal/cmd/base/initial_resources.go
index 5361634492..a7203bfb84 100644
--- a/internal/cmd/base/initial_resources.go
+++ b/internal/cmd/base/initial_resources.go
@@ -54,7 +54,7 @@ func (b *Server) CreateInitialLoginRole(ctx context.Context) (*iam.Role, error)
 return nil, fmt.Errorf("error creating role for default generated grants: %w", err)
 }
 if _, err := iamRepo.AddRoleGrants(cancelCtx, role.PublicId, role.Version, []string{
- "type=scope;actions=list",
+ "id=*;type=scope;actions=list,read",
 "id=*;type=auth-method;actions=authenticate,list",
 "id={{account.id}};actions=read,change-password",
 }); err != nil {
diff --git a/internal/cmd/commands/scopes/funcs.go b/internal/cmd/commands/scopes/funcs.go
index 1f7cd34188..ea41bcf53c 100644
--- a/internal/cmd/commands/scopes/funcs.go
+++ b/internal/cmd/commands/scopes/funcs.go
@@ -53,7 +53,7 @@ func generateScopeTableOutput(in *scopes.Scope) string {
 ret = append(ret, " Authorized Actions on Scope's Collections:")
 for _, key := range keys {
 ret = append(ret,
- fmt.Sprintf(" %ss:", key),
+ fmt.Sprintf(" %s:", key),
 base.WrapSlice(6, in.AuthorizedCollectionActions[key]),
 )
 }
diff --git a/internal/iam/repository_scope.go b/internal/iam/repository_scope.go
index 9a91f02b3c..6397516e68 100644
--- a/internal/iam/repository_scope.go
+++ b/internal/iam/repository_scope.go
@@ -280,7 +280,7 @@ func (r *Repository) CreateScope(ctx context.Context, s *Scope, userId string, o
 // Grants
 {
 grants := []interface{}{}
- roleGrant, err := NewRoleGrant(defaultRolePublicId, "type=scope;actions=list")
+ roleGrant, err := NewRoleGrant(defaultRolePublicId, "id=*;type=scope;actions=list,read")
 if err != nil {
 return errors.Wrap(err, op, errors.WithMsg("unable to create in memory role grant"))
 }
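Review bot: The replacement grant `id=*;type=scope;actions=list,read` lets the default login role read every scope by id rather than only list the collection, and because the changelog hunk in this same commit ties that role to the `u_anon` user, unauthenticated clients can presumably now enumerate the name and description of every scope; nothing in the hunk records that this exposure is intended. A one-line comment above the literal would stop a later hardening pass from silently reverting it, e.g. `// read on id=* is needed so anonymous scope listing returns anything (list alone yields nothing); this exposes scope metadata to unauthenticated callers`. Operators who do not want that exposure get no knob here, so the comment could also say the role may be narrowed after init. This code only runs at initial setup, so existing deployments keep the old `list`-only grant, as the changelog entry already warns. CreateInitialLoginRole starts and ends outside the hunk.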
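Review bot: The grant string `id=*;type=scope;actions=list,read` is now duplicated verbatim here and in the `CreateInitialLoginRole` hunk of `internal/cmd/base/initial_resources.go`, so the two default roles can drift the next time one of them is tuned; this commit itself had to edit both by hand. Since this file is in package `iam`, which that file already imports (it uses `*iam.Role` and `iamRepo`), a shared constant such as `const DefaultScopeListReadGrant = "id=*;type=scope;actions=list,read"` referenced from both call sites would keep them in lockstep. It would also help to note next to `NewRoleGrant` that `id=*` with `read` grants visibility into every scope the role is evaluated against, because the hunk does not show who the default role created by CreateScope is assigned to. CreateScope starts and ends outside the hunk.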