Allow configuring unified roles
Description
Allows configuring unified roles.
Related Issue
- Fixes https://github.com/owncloud/ocis-charts/issues/738
Motivation and Context
How Has This Been Tested?
- I have no clue how to test it on a functional level.
- Diff approach:
diff --git a/deployments/development-install/helmfile.yaml b/deployments/development-install/helmfile.yaml
index 84f2def..4b0076f 100644
--- a/deployments/development-install/helmfile.yaml
+++ b/deployments/development-install/helmfile.yaml
@@ -23,6 +23,10 @@ releases:
- features:
demoUsers: true
+ roles:
+ availableUnifiedRoles:
+ - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5
+ - d5041006-ebb3-4b4a-b6a4-7c180ecfb17d
- services:
idm:
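Review bot: the availableUnifiedRoles list added under features.roles carries bare UUIDs with nothing telling the admin where they come from or what happens when the list is left empty; add a values comment next to the key that points at the output of ocis graph list-unified-roles (or the graph service documentation) and states that an empty list is meant to keep the oCIS recommended defaults, because the two IDs in this hunk (b1e2218d-... is Viewer, d5041006-... is ViewerListGrants, which oCIS ships disabled) are not self-explanatory.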
This causes:
- name: GRAPH_SPACES_WEBDAV_BASE
value: "https://ocis.kube.owncloud.test"
+ - name: GRAPH_AVAILABLE_ROLES
+ value: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,d5041006-ebb3-4b4a-b6a4-7c180ecfb17d"
- name: GRAPH_LDAP_URI
value: ldaps://idm:9235
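Review bot: the rendered entry "- name: GRAPH_AVAILABLE_ROLES" / "value: ..." is emitted unconditionally, so when the values list is empty the graph container gets value: "" (the helmfile template output later in this thread shows exactly that), which is not the same as leaving the variable unset, the case in which ocis applies its recommended defaults; guard the whole env entry with a check on the list so it is omitted when no roles are configured, and mention that behaviour in the values documentation.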
Screenshots (if appropriate):
Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Technical debt
- [ ] Tests only (no source changes)
Checklist:
- [x] Code changes
- [ ] Unit tests added
- [ ] Acceptance tests added
- [x] Documentation generated (make docs) and committed
- [ ] Documentation ticket raised:
- [ ] Documentation PR created:
I have no clue how to test it on a functional level.
Did ocis graph list-unified-roles list them at least?
Yes, but I didn't see any button / info / reference to such roles in the WebUI. Maybe I didn't get what it's all about yet.
@micbar Any pointer? Would be really great to see it in action as well.
These are the dropdown items when you create user or group shares.
See the output
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| NAME | UID | ENABLED | DESCRIPTION | CONDITION | ALLOWED RESOURCE ACTIONS |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| Viewer | b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 | enabled | View and download. | exists @Resource.File | libre.graph/driveItem/path/read |
| | | | | exists @Resource.Folder | libre.graph/driveItem/quota/read |
| | | | | exists @Resource.File && | libre.graph/driveItem/content/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/children/read |
| | | | | exists @Resource.Folder && | libre.graph/driveItem/deleted/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| ViewerListGrants | d5041006-ebb3-4b4a-b6a4-7c180ecfb17d | disabled | View, download and show all | exists @Resource.File | libre.graph/driveItem/path/read |
| | | | invited people. | exists @Resource.Folder | libre.graph/driveItem/quota/read |
| | | | | exists @Resource.File && | libre.graph/driveItem/content/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/permissions/read |
| | | | | exists @Resource.Folder && | libre.graph/driveItem/children/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| SpaceViewer | a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled | View and download. | exists @Resource.Root | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| Editor | fb6c3e19-e378-47e5-b277-9732f9de6e21 | enabled | View, download, upload, edit, | exists @Resource.Folder | libre.graph/driveItem/children/create |
| | | | add and delete. | exists @Resource.Folder && | libre.graph/driveItem/standard/delete |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| EditorListGrants | e8ea8b21-abd4-45d2-b893-8d1546378e9e | disabled | View, download, upload, edit, | exists @Resource.Folder | libre.graph/driveItem/children/create |
| | | | add, delete and show all | exists @Resource.Folder && | libre.graph/driveItem/standard/delete |
| | | | invited people. | @Subject.UserType=="Federated" | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| SpaceEditor | 58c63c02-1d89-4572-916a-870abc5a1b7d | enabled | View, download, upload, edit, | exists @Resource.Root | libre.graph/driveItem/children/create |
| | | | add, delete including the | | libre.graph/driveItem/standard/delete |
| | | | history. | | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/versions/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/versions/update |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| SpaceEditorWithoutVersions | 3284f2d5-0070-4ad8-ac40-c247f7c1fb27 | disabled | View, download, upload, edit, | exists @Resource.Root | libre.graph/driveItem/children/create |
| | | | add and delete. | | libre.graph/driveItem/standard/delete |
| | | | | | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| FileEditor | 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a | enabled | View, download and edit. | exists @Resource.File | libre.graph/driveItem/path/read |
| | | | | exists @Resource.File && | libre.graph/driveItem/quota/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| FileEditorListGrants | c1235aea-d106-42db-8458-7d5610fb0a67 | disabled | View, download, edit and show | exists @Resource.File | libre.graph/driveItem/path/read |
| | | | all invited people. | exists @Resource.File && | libre.graph/driveItem/quota/read |
| | | | | @Subject.UserType=="Federated" | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| EditorLite | 1c996275-f1c9-4e71-abdf-a42f6495e960 | enabled | View, download and upload. | exists @Resource.Folder | libre.graph/driveItem/children/create |
| | | | | | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| SpaceManager | 312c0871-5ef7-4b3a-85b6-0e4074c64049 | enabled | View, download, upload, | exists @Resource.Root | libre.graph/driveItem/permissions/create |
| | | | edit, add, delete and manage | | libre.graph/driveItem/children/create |
| | | | members. | | libre.graph/driveItem/standard/delete |
| | | | | | libre.graph/driveItem/path/read |
| | | | | | libre.graph/driveItem/quota/read |
| | | | | | libre.graph/driveItem/content/read |
| | | | | | libre.graph/driveItem/upload/create |
| | | | | | libre.graph/driveItem/permissions/read |
| | | | | | libre.graph/driveItem/children/read |
| | | | | | libre.graph/driveItem/versions/read |
| | | | | | libre.graph/driveItem/deleted/read |
| | | | | | libre.graph/driveItem/path/update |
| | | | | | libre.graph/driveItem/permissions/delete |
| | | | | | libre.graph/driveItem/deleted/delete |
| | | | | | libre.graph/driveItem/versions/update |
| | | | | | libre.graph/driveItem/deleted/update |
| | | | | | libre.graph/driveItem/basic/read |
| | | | | | libre.graph/driveItem/permissions/update |
| | | | | | libre.graph/driveItem/permissions/deny |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| SecureViewer | aa97fe03-7980-45ac-9e50-b325749fd7e6 | disabled | View only documents, images | exists @Resource.File | libre.graph/driveItem/path/read |
| | | | and PDFs. Watermarks will be | exists @Resource.Folder | libre.graph/driveItem/children/read |
| | | | applied. | | libre.graph/driveItem/basic/read |
+----------------------------+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
Example Use Case
An admin wants to:
- use the default sharing roles
- add the Secure Viewer role
In that case he needs to use a comma-separated list as the config value with all default roles and add the SecureViewer ID.
@wkloucek @d7oc What do you think about some templating which would make this easier for the admin, like having key values in a yaml values list with the id and a boolean to enable it?
It should be added here that the oCIS version needs to be 6.4.0 to get the ocis graph list-unified-roles command. The code in here still uses 6.3.0.
Force-pushed the branch to update it to latest main with 6.4.0.
Also verified in the frontend now:
[screenshot] vs. [screenshot]
The last is with two entries (like in the diff above). The first is with the latter entry of the diff output removed.
Just for clarification: if no value is set, will the env var be empty or not set?
Context: ocis will use the recommended defaults if nothing is set.
It will be empty:
helmfile template | grep -A 1 GRAPH_AVAILABLE_ROLES
Building dependency release=ocis, chart=../../charts/ocis
Templating release=ocis, chart=../../charts/ocis
- name: GRAPH_AVAILABLE_ROLES
value: ""
So this needs to be changed so the env variable is not set in this case?
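The two points raised in this thread, the env entry that should disappear when the roles list is empty (so GRAPH_AVAILABLE_ROLES stays unset and ocis keeps its recommended defaults) and the per-role boolean layout proposed as an alternative to copying UUIDs, sketched in Go as an added example; this is not code from the ocis-charts repository or from oCIS. The role names, UIDs and enabled flags are copied from the ocis graph list-unified-roles output earlier in the thread; the Values and overrides shapes, the function names and the template fragment are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Role is one unified role as printed by `ocis graph list-unified-roles`;
// names, UIDs and the ENABLED column are copied from the output in this thread.
type Role struct {
	Name    string
	ID      string
	Enabled bool // oCIS's shipped default for this role
}

var knownRoles = []Role{
	{"Viewer", "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5", true},
	{"ViewerListGrants", "d5041006-ebb3-4b4a-b6a4-7c180ecfb17d", false},
	{"SpaceViewer", "a8d5fe5e-96e3-418d-825b-534dbdf22b99", true},
	{"Editor", "fb6c3e19-e378-47e5-b277-9732f9de6e21", true},
	{"EditorListGrants", "e8ea8b21-abd4-45d2-b893-8d1546378e9e", false},
	{"SpaceEditor", "58c63c02-1d89-4572-916a-870abc5a1b7d", true},
	{"SpaceEditorWithoutVersions", "3284f2d5-0070-4ad8-ac40-c247f7c1fb27", false},
	{"FileEditor", "2d00ce52-1fc2-4dbc-8b95-a73b73395f5a", true},
	{"FileEditorListGrants", "c1235aea-d106-42db-8458-7d5610fb0a67", false},
	{"EditorLite", "1c996275-f1c9-4e71-abdf-a42f6495e960", true},
	{"SpaceManager", "312c0871-5ef7-4b3a-85b6-0e4074c64049", true},
	{"SecureViewer", "aa97fe03-7980-45ac-9e50-b325749fd7e6", false},
}

// ValidateRoleIDs checks a configured ID list before it reaches the chart:
// unknown IDs are typos; shippedDisabled names roles oCIS turns off by default,
// so the admin can confirm they meant to enable them.
func ValidateRoleIDs(ids []string) (unknown, shippedDisabled []string) {
	byID := make(map[string]Role, len(knownRoles))
	for _, r := range knownRoles {
		byID[r.ID] = r
	}
	for _, id := range ids {
		if r, ok := byID[id]; !ok {
			unknown = append(unknown, id)
		} else if !r.Enabled {
			shippedDisabled = append(shippedDisabled, r.Name)
		}
	}
	return unknown, shippedDisabled
}

// Values stands in for the chart's .Values.features.roles subtree (assumed shape).
type Values struct{ AvailableUnifiedRoles []string }

// envTemplate is a Helm-style text/template fragment for the graph container's
// env list. The whole entry is guarded, so an empty list renders nothing rather
// than `value: ""`, and oCIS keeps its recommended defaults.
const envTemplate = `{{- if .AvailableUnifiedRoles }}
- name: GRAPH_AVAILABLE_ROLES
  value: "{{ join "," .AvailableUnifiedRoles }}"
{{- end }}`

// RenderEnv renders envTemplate; "join" takes the separator first like Sprig's.
func RenderEnv(v Values) (string, error) {
	join := func(sep string, items []string) string { return strings.Join(items, sep) }
	t, err := template.New("env").Funcs(template.FuncMap{"join": join}).Parse(envTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, v)
	return sb.String(), err
}

// IDsForToggles resolves the alternative layout floated in the thread (assumed
// shape): one boolean per role name in values.yaml. Roles not mentioned keep
// oCIS's shipped default, so the admin never copies UUIDs out of the docs.
func IDsForToggles(overrides map[string]bool) []string {
	var ids []string
	for _, r := range knownRoles {
		if on, ok := overrides[r.Name]; (ok && on) || (!ok && r.Enabled) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	// The thread's use case: oCIS defaults plus SecureViewer.
	ids := IDsForToggles(map[string]bool{"SecureViewer": true})
	unknown, disabled := ValidateRoleIDs(ids)
	fmt.Println("unknown:", unknown, "shipped disabled:", disabled)
	out, _ := RenderEnv(Values{AvailableUnifiedRoles: ids})
	fmt.Println(out)
	empty, _ := RenderEnv(Values{})
	fmt.Printf("empty list renders %q\n", empty)
}
```

The guard in envTemplate is the whole fix for the empty-value question: with an empty list the fragment renders as an empty string, so nothing is appended to the env block and ocis never sees GRAPH_AVAILABLE_ROLES. ValidateRoleIDs is the check a chart could run in a values schema or a pre-install hook, since a mistyped UUID silently drops a role from the sharing dropdown and enabling a role that oCIS ships disabled (the ListGrants variants, SecureViewer) is worth a deliberate confirmation.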
Team discussion: Documentation will be removed here and just a pointer to ocis https://doc.owncloud.com/ocis/next/deployment/services/s-list/graph.html will be added. Documentation for the roles should be there and up to date.
@wkloucek @d7oc I am not so happy with the solution. The admin needs to go to the documentation and seek the ids.
I thought it might be handy to maintain a list in the chart where you can just uncomment some roles in a full list.
We're referencing the product documentation all the time because it is well maintained. The oCIS chart is only best effort...