rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

[RFE] Add additional verbs updatepsa and manage-namespaces #1219

Open edwin-bruurs opened 1 year ago

edwin-bruurs commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently it is not possible to create a custom role giving a user the following permissions:

rules {
  api_groups = ["management.cattle.io"]
  resources  = ["projects"]
  verbs      = ["manage-namespaces", "updatepsa"]
}

This is needed to give a user additional permissions to create a namespace in a project. See also the documentation on the Rancher webhook validation.

Using the code above results in the error expected rules.0.verbs.0 to be one of [* create delete deletecollection get list patch update view watch own use bind escalate impersonate], got updateps and Error: expected rules.0.verbs.1 to be one of [* create delete deletecollection get list patch update view watch own use bind escalate impersonate], got manage-namespaces

Describe the solution you'd like

Add the verbs updatepsa and manage-namespaces to the allowed verbs list.

Describe alternatives you've considered

Using the * verb. But in many cases this will grant too many permissions over the resource (e.g. giving full permission over projects is not what you typically want).

Additional context

See also related issues on adding new verbs:

edwin-bruurs commented 1 year ago

I don't mind creating a MR if this feature is valuable.

matttrach commented 3 weeks ago

@edwin-bruurs what version of Rancher are you targeting with this change?

matttrach commented 3 weeks ago

I got an answer to this in another channel: this is targeting Rancher v2.10 and no backports are necessary.

alegrey91 commented 2 days ago

updatepsa and manage-namespaces added to the list of available verbs.
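
The following pre-flight check is an added example, not part of the thread and not the provider's code. It scans `rules` blocks for the wildcard verb the issue wants to avoid and for verbs outside the list in the quoted error message. The names `parse_rules` and `audit` are hypothetical, the sample input is constructed, and the regex only handles flat `rules` blocks like the one in the issue.

```python
import re

# Verb list copied from the provider error message quoted in the issue.
BASE_VERBS = {"*", "create", "delete", "deletecollection", "get", "list",
              "patch", "update", "view", "watch", "own", "use", "bind",
              "escalate", "impersonate"}
# Verbs requested in the issue and reported as added in its last comment.
NEW_VERBS = {"updatepsa", "manage-namespaces"}

RULES_RE = re.compile(r"rules\s*\{(.*?)\}", re.S)  # flat blocks only
ATTR_RE = re.compile(r"(\w+)\s*=\s*\[(.*?)\]", re.S)

# Constructed sample: the wildcard alternative next to the narrow rule.
SAMPLE = '''
rules {
  api_groups = ["management.cattle.io"]
  resources  = ["projects"]
  verbs      = ["*"]
}
rules {
  api_groups = ["management.cattle.io"]
  resources  = ["projects"]
  verbs      = ["manage-namespaces", "updatepsa"]
}
'''


def parse_rules(hcl):
    """Return each rules block as a dict of attribute name -> list of strings."""
    return [{k: re.findall(r'"([^"]*)"', v) for k, v in ATTR_RE.findall(body)}
            for body in RULES_RE.findall(hcl)]


def audit(hcl, allow_new_verbs=True):
    """Return (rule_index, severity, message) findings for every rules block."""
    allowed = BASE_VERBS | (NEW_VERBS if allow_new_verbs else set())
    findings = []
    for i, rule in enumerate(parse_rules(hcl)):
        for verb in rule.get("verbs", []):
            if verb not in allowed:  # would fail the allowed-verb check
                findings.append((i, "reject", f"verb {verb!r} not in allowed list"))
            elif verb == "*":  # accepted, but grants every verb on the resource
                findings.append((i, "broad", f"wildcard verb on {rule.get('resources')}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Calling `audit(SAMPLE, allow_new_verbs=False)` models the allowed list from the error message, where the narrow rule is rejected and only the wildcard rule passes.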