
chore: only support custom role priviledge rule setup
ahmad-ibra committed Jun 19, 2024
1 parent 656bcc2 commit 4a62e7a
Showing 5 changed files with 76 additions and 68 deletions.
14 changes: 1 addition & 13 deletions pkg/config/constants.go
Expand Up @@ -51,10 +51,7 @@ const (
ValidatorVsphereEntityVirtualMachine = "Virtual Machine"
ValidatorVsphereEntityVirtualApp = "Virtual App"
ValidatorVsphereVersionConstraint = ">= 6.0, < 9.0"
SpectroRootLevelPrivilegesV6_7 = "Spectro Root-level Role Privileges vSphere 6.7"
SpectroRootLevelPrivilegesV7_0 = "Spectro Root-level Role Privileges vSphere 7.0"
SpectroRootLevelPrivilegesV8_0 = "Spectro Root-level Role Privileges vSphere 8.0"
CustomPrivileges = "Custom Root-level Role Privileges vSphere"
ValidatorVsphereRolePrivilegeFiles = "vsphere-root-level-privileges-all.yaml"
SpectroEntityPrivileges = "Spectro Entity Privileges"
CustomEntityPrivileges = "Custom Entity Privileges"
SpectroCloudTags = "Spectro Cloud Tags"
Expand Down Expand Up @@ -171,15 +168,6 @@ var (
},
}

ValidatorPluginVsphereRolePrivilegeChoices = []string{
SpectroRootLevelPrivilegesV6_7,
SpectroRootLevelPrivilegesV7_0,
SpectroRootLevelPrivilegesV8_0,
CustomPrivileges,
}
ValidatorPluginVsphereRolePrivilegeFiles = map[string]string{
CustomPrivileges: "vsphere-root-level-privileges-all.yaml",
}
ValidatorPluginVsphereEntityPrivilegeChoices = []string{
SpectroEntityPrivileges,
CustomEntityPrivileges,
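Review bot: The constant added in the first hunk, `ValidatorVsphereRolePrivilegeFiles`, is plural but now names exactly one file, while the map it replaces in the second hunk, `ValidatorPluginVsphereRolePrivilegeFiles`, was the one that could hold several. A singular name, `ValidatorVsphereRolePrivilegeFile = "vsphere-root-level-privileges-all.yaml"`, would read correctly at its use site in pkg/services/validator/vmware.go. A one-line comment on it saying that this file is the full privilege catalogue the user now picks from, since the preset Spectro sets are removed, would also help the next reader. Both the const block and the var block begin and end outside their hunks.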
10 changes: 2 additions & 8 deletions pkg/services/validator/vmware.go
Expand Up @@ -331,20 +331,14 @@ func readRolePrivilegeRule(c *components.VspherePluginConfig, r *components.Vsph
log.InfoCLI(`Privilege validation rule will be applied for username %s`, c.Account.Username)
r.Username = c.Account.Username
}
privilegeSet, err := prompts.Select("Root-level privilege set", cfg.ValidatorPluginVsphereRolePrivilegeChoices)
privileges, err := LoadPrivileges(cfg.ValidatorVsphereRolePrivilegeFiles)
if err != nil {
return err
}
privileges, err := LoadPrivileges(cfg.ValidatorPluginVsphereRolePrivilegeFiles[privilegeSet])
privileges, err = selectPrivileges(privileges)
if err != nil {
return err
}
if privilegeSet == cfg.CustomPrivileges {
privileges, err = selectPrivileges(privileges)
if err != nil {
return err
}
}
r.Privileges = privileges
if idx == -1 {
c.VsphereRolePrivilegeRules = append(c.VsphereRolePrivilegeRules, *r)
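Review bot: The error from `LoadPrivileges(cfg.ValidatorVsphereRolePrivilegeFiles)` on the new line is returned bare, so a missing or malformed privilege file reaches the user with no indication of which file was being read; `return fmt.Errorf("loading privilege file %q: %w", cfg.ValidatorVsphereRolePrivilegeFiles, err)` would name it, assuming fmt is imported in this file, which the hunk does not show. The same applies to the `selectPrivileges` result two lines later. readRolePrivilegeRule starts and ends outside the hunk, so whether an empty selection from selectPrivileges is rejected before `r.Privileges = privileges` cannot be seen here and is worth confirming, since the custom path is now the only path.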
@@ -0,0 +1,15 @@
---
- name: "Datacenter: k8s-region (ensure that the selected datacenter has a 'k8s-region' tag)"
entityType: "datacenter"
entityName: ""
tag: "k8s-region"
clusterName: ""
clusterScoped: false
ruleType: Spectro Cloud Tags
- name: "Cluster: k8s-zone (ensure that the selected cluster has a 'k8s-zone' tag)"
entityType: "cluster"
entityName: ""
tag: "k8s-zone"
clusterName: ""
clusterScoped: true
ruleType: Spectro Cloud Tags
@@ -0,0 +1,8 @@
- name: "Read folder: spectro-templates"
entityType: "folder"
entityName: "spectro-templates"
privileges:
- Folder.Create
clusterName: ""
clusterScoped: false
ruleType: Spectro Entity Privileges
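Review bot: The rule named `Read folder: spectro-templates` lists `Folder.Create` as its only privilege, which is a write-level privilege, so the name and the check disagree; either the name should state what is verified (`Create folder: spectro-templates`) or the entry should carry a read-oriented privilege. The page does not show this file's path or whether `privileges` is the set the user must hold or only a template, so treat this as a naming question, noting that the integration test selects this entry by its exact name and would need the same change.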
97 changes: 50 additions & 47 deletions tests/integration/_validator/testcases/test_validator.go
Expand Up @@ -270,53 +270,56 @@ func (t *ValidatorTest) testDeployInteractive(ctx *test.TestContext) (tr *test.T
"y", // enable vsphere plugin
cfg.ValidatorHelmRepository, // validator-plugin-vsphere helm chart repo
cfg.ValidatorChartVersions[cfg.ValidatorPluginVsphere], // validator-plugin-vsphere helm chart version
"y", // Re-use validator chart security configuration
"vsphere-creds", // vSphere secret name
"fake.vsphere.com", // vSphere domain
"bob@vsphere.com", // vSphere username
"password", // vSphere password
"y", // insecure skip verify
"DC0", // datacenter
"y", // Enable NTP check
"ntpd", // NTP rule name
"y", // are hosts cluster scoped
"C0", // cluster name
"DC0_C0_H0", // host1
"y", // add more hosts
"DC0_C0_H1", // host2
"n", // add more hosts
"n", // add more validation rules
"y", // Check role privileges
"role rule 1", // Role privilege rule name
"user1@vsphere.local", // user to check role privileges against
cfg.SpectroRootLevelPrivilegesV7_0, // vSphere permission version
"n", // add more role privilege checks
"y", // check entity privileges
"entity rule 1", // entity privilege rule name
cfg.SpectroEntityPrivileges, // entity level permissions
"Read folder: spectro-templates", // spectro entity permission
"user2@vsphere.local", // user to check entity privileges against
"n", // add more entity permission checks
"y", // check compute resource requirements
"resource requirement rule 1", // resource requirement rule name
"Cluster", // select cluster for resource check
"C0", // cluster name for resource check
"master-pool", // node pool name
"1", // number of nodes
"2GHz", // per node cpu
"4Gi", // per node memory
"10Gi", // per node storage
"y", // add another node pool
"worker-pool", // node pool name
"3", // number of nodes
"3GHz", // per node cpu
"8Gi", // per node memory
"20Gi", // per node storage
"n", // add more node pools
"n", // add more resource requirement checks
"y", // check tags on entities
"tag rule 1", // tag rule name
cfg.SpectroCloudTags, // zone & region tags
"y", // Re-use validator chart security configuration
"vsphere-creds", // vSphere secret name
"fake.vsphere.com", // vSphere domain
"bob@vsphere.com", // vSphere username
"password", // vSphere password
"y", // insecure skip verify
"DC0", // datacenter
"y", // Enable NTP check
"ntpd", // NTP rule name
"y", // are hosts cluster scoped
"C0", // cluster name
"DC0_C0_H0", // host1
"y", // add more hosts
"DC0_C0_H1", // host2
"n", // add more hosts
"n", // add more validation rules
"y", // Check role privileges
"role rule 1", // Role privilege rule name
"user1@vsphere.local", // user to check role privileges against
"System.Read", // role privilege
"y", // add another role privilege to this rule
"Alarm.Acknowledge", // role privilege
"n", // add another role privilege to this rule
"n", // add another role privilege rule
"y", // check entity privileges
"entity rule 1", // entity privilege rule name
cfg.SpectroEntityPrivileges, // entity level permissions
"Read folder: spectro-templates", // spectro entity permission
"user2@vsphere.local", // user to check entity privileges against
"n", // add more entity permission checks
"y", // check compute resource requirements
"resource requirement rule 1", // resource requirement rule name
"Cluster", // select cluster for resource check
"C0", // cluster name for resource check
"master-pool", // node pool name
"1", // number of nodes
"2GHz", // per node cpu
"4Gi", // per node memory
"10Gi", // per node storage
"y", // add another node pool
"worker-pool", // node pool name
"3", // number of nodes
"3GHz", // per node cpu
"8Gi", // per node memory
"20Gi", // per node storage
"n", // add more node pools
"n", // add more resource requirement checks
"y", // check tags on entities
"tag rule 1", // tag rule name
cfg.SpectroCloudTags, // zone & region tags
"Cluster: k8s-zone (ensure that the selected cluster has a 'k8s-zone' tag)", // zone tag
"C0", // cluster name
"n", // add another tag rule
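Review bot: The two privilege answers `"System.Read"` and `"Alarm.Acknowledge"` are bare literals that must match entries in the privilege file the CLI now always loads, so an edit to that YAML would make this interactive test stall at a prompt with no hint why; a comment on the first of them, `// must exist in vsphere-root-level-privileges-all.yaml`, would make the coupling visible. The trailing comments also drift, `// add another role privilege rule` here versus the `// add more ... checks` wording the other rule sections use, and are worth aligning. testDeployInteractive starts before the hunk and continues after it.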
