Merge pull request #2330 from thedadams/explicit-deletecollection

Expand * verbs when doing SAR checks on images
acorn-io · Nov 14, 2023 · 4cfe634 · 4cfe634
2 parents 8fd5bd1 + 9620eca
commit 4cfe634
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/pkg/roles/roles.go b/pkg/roles/roles.go
@@ -30,7 +30,7 @@ var (
 		},
 		ClusterEdit: {
 			{
-				Verbs: []string{"create", "update", "delete"},
+				Verbs: []string{"create", "update", "delete", "deletecollection"},
 				Resources: []string{
 					"projects",
 				},
@@ -91,7 +91,7 @@ var (
 		},
 		Edit: {
 			{
-				Verbs: []string{"create", "update", "delete", "patch"},
+				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
 				Resources: []string{
 					"apps",
 					"devsessions",
@@ -100,7 +100,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"update", "delete", "patch"},
+				Verbs: []string{"update", "delete", "deletecollection", "patch"},
 				Resources: []string{
 					"images",
 				},
@@ -117,7 +117,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"delete"},
+				Verbs: []string{"delete", "deletecollection"},
 				Resources: []string{
 					"services",
 					"volumes",
@@ -136,7 +136,7 @@ var (
 		},
 		Build: {
 			{
-				Verbs: []string{"create", "delete"},
+				Verbs: []string{"create", "delete", "deletecollection"},
 				Resources: []string{
 					"builders",
 					"acornimagebuilds",
@@ -151,7 +151,7 @@ var (
 		},
 		Admin: {
 			{
-				Verbs: []string{"create", "update", "delete", "patch", "get", "list", "watch"},
+				Verbs: []string{"create", "update", "delete", "deletecollection", "patch", "get", "list", "watch"},
 				Resources: []string{
 					"projectvolumeclasses",
 					"clustervolumeclasses",
@@ -163,7 +163,7 @@ var (
 				APIGroups: []string{admin_acorn_io.Group},
 			},
 			{
-				Verbs: []string{"create", "update", "delete", "patch"},
+				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
 				Resources: []string{
 					"imageallowrules",
 				},

diff --git a/pkg/server/registry/apigroups/acorn/apps/validator.go b/pkg/server/registry/apigroups/acorn/apps/validator.go
@@ -439,6 +439,9 @@ func (s *RBACValidator) getSARResourceRole(sar *authv1.SubjectAccessReview, serv
 	if len(rule.Verbs) == 0 {
 		return nil, fmt.Errorf("can not deploy acorn due to requesting role with empty verbs")
 	}
+	if slices.Contains(rule.Verbs, "*") {
+		rule.Verbs = v1.DefaultVerbs
+	}
 	if len(rule.Resources) == 0 {
 		rule.Resources = []string{"*"}
 	}