Merge pull request #2331 from thedadams/revert-sar-changes

Revert "Expand * verbs when doing SAR checks on images"
acorn-io · Nov 14, 2023 · 152f48e · 152f48e
2 parents 4cfe634 + bf974ee
commit 152f48e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/pkg/roles/roles.go b/pkg/roles/roles.go
@@ -30,7 +30,7 @@ var (
 		},
 		ClusterEdit: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection"},
+				Verbs: []string{"create", "update", "delete"},
 				Resources: []string{
 					"projects",
 				},
@@ -91,7 +91,7 @@ var (
 		},
 		Edit: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"create", "update", "delete", "patch"},
 				Resources: []string{
 					"apps",
 					"devsessions",
@@ -100,7 +100,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"update", "delete", "patch"},
 				Resources: []string{
 					"images",
 				},
@@ -117,7 +117,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"delete", "deletecollection"},
+				Verbs: []string{"delete"},
 				Resources: []string{
 					"services",
 					"volumes",
@@ -136,7 +136,7 @@ var (
 		},
 		Build: {
 			{
-				Verbs: []string{"create", "delete", "deletecollection"},
+				Verbs: []string{"create", "delete"},
 				Resources: []string{
 					"builders",
 					"acornimagebuilds",
@@ -151,7 +151,7 @@ var (
 		},
 		Admin: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch", "get", "list", "watch"},
+				Verbs: []string{"create", "update", "delete", "patch", "get", "list", "watch"},
 				Resources: []string{
 					"projectvolumeclasses",
 					"clustervolumeclasses",
@@ -163,7 +163,7 @@ var (
 				APIGroups: []string{admin_acorn_io.Group},
 			},
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"create", "update", "delete", "patch"},
 				Resources: []string{
 					"imageallowrules",
 				},

diff --git a/pkg/server/registry/apigroups/acorn/apps/validator.go b/pkg/server/registry/apigroups/acorn/apps/validator.go
@@ -439,9 +439,6 @@ func (s *RBACValidator) getSARResourceRole(sar *authv1.SubjectAccessReview, serv
 	if len(rule.Verbs) == 0 {
 		return nil, fmt.Errorf("can not deploy acorn due to requesting role with empty verbs")
 	}
-	if slices.Contains(rule.Verbs, "*") {
-		rule.Verbs = v1.DefaultVerbs
-	}
 	if len(rule.Resources) == 0 {
 		rule.Resources = []string{"*"}
 	}