Apply RBAC to listing project and creating project APIs

2022-08-01 17:28:45 +08:00 · 2022-08-01 17:28:45 +08:00 · ffabfbea59
--- a/registry/raft-registry/src/network/api_v1.rs
+++ b/registry/raft-registry/src/network/api_v1.rs
@ -42,7 +42,7 @@ impl FeathrApiV1 {
        limit: Query<Option<usize>>,
    ) -> poem::Result<Json<Vec<String>>> {
        data.0
-            .check_permission(credential.0, None, Permission::Read)
+            .check_permission(credential.0, Some("global"), Permission::Read)
            .await?;
        data.0
            .request(
@ -67,7 +67,7 @@ impl FeathrApiV1 {
        def: Json<ProjectDef>,
    ) -> poem::Result<Json<CreationResponse>> {
        data.0
-            .check_permission(credential.0, None, Permission::Write)
+            .check_permission(credential.0, Some("global"), Permission::Write)
            .await?;
        let mut definition = def.0;
        if definition.id.is_empty() {
--- a/registry/raft-registry/src/network/api_v2.rs
+++ b/registry/raft-registry/src/network/api_v2.rs
@ -43,7 +43,7 @@ impl FeathrApiV2 {
        offset: Query<Option<usize>>,
    ) -> poem::Result<Json<Vec<String>>> {
        data.0
-            .check_permission(credential.0, None, Permission::Read)
+            .check_permission(credential.0, Some("global"), Permission::Read)
            .await?;
        data.0
            .request(
@ -68,7 +68,7 @@ impl FeathrApiV2 {
        def: Json<ProjectDef>,
    ) -> poem::Result<Json<CreationResponse>> {
        data.0
-            .check_permission(credential.0, None, Permission::Write)
+            .check_permission(credential.0, Some("global"), Permission::Write)
            .await?;
        let mut definition = def.0;
        if definition.id.is_empty() {
--- a/registry/sql-provider/src/lib.rs
+++ b/registry/sql-provider/src/lib.rs
@ -541,6 +541,14 @@ where
        if self.check_permission(&grant.credential, &grant.resource, grant.permission)? {
            return Ok(());
        }
+        
+        // Any grant implies global read (to list projects) and grant write (to create project) permission
+        let mut grant = grant.clone();
+        grant.resource = Resource::Global;
+        grant.permission = Permission::Read;
+        self.grant_permission(&grant).await?;
+        grant.permission = Permission::Write;
+        self.grant_permission(&grant).await?;

        let mut grant = grant.clone();