sureshanaparti commented on a change in pull request #4071: URL: https://github.com/apache/cloudstack/pull/4071#discussion_r433407021
########## File path: engine/schema/src/main/resources/META-INF/db/schema-41310to41400.sql ########## 
@@ -379,3 +379,81 @@ CREATE TABLE IF NOT EXISTS `cloud`.`kubernetes_cluster_details` (
 PRIMARY KEY(`id`),
 CONSTRAINT `fk_kubernetes_cluster_details__cluster_id` FOREIGN KEY `fk_kubernetes_cluster_details__cluster_id`(`cluster_id`) REFERENCES `kubernetes_cluster`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `cloud`.`roles` ADD COLUMN `is_default` tinyint(1) NOT NULL DEFAULT '0' COMMENT 'is this a default role';
+UPDATE `cloud`.`roles` SET `is_default` = 1 WHERE id IN (1, 2, 3, 4);
+
+-- Updated Default CloudStack roles with read-only and support admin and user roles
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, `is_default`) VALUES (UUID(), 'Read-Only Admin', 'Admin', 'Default read-only admin role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, `is_default`) VALUES (UUID(), 'Read-Only User', 'User', 'Default read-only user role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, `is_default`) VALUES (UUID(), 'Admin-Support', 'Admin', 'Default admin support role', 1) ON DUPLICATE KEY UPDATE name=name;
+INSERT INTO `cloud`.`roles` (`uuid`, `name`, `role_type`, `description`, `is_default`) VALUES (UUID(), 'User-Support', 'User', 'Default user support role', 1) ON DUPLICATE KEY UPDATE name=name;
+
+-- Role permissions for Read-Only Admin
+SELECT id INTO @ReadOnlyAdminRoleId FROM `cloud`.`roles` WHERE name = 'Read-Only Admin' AND is_default = 1;
+SELECT @ReadOnlyAdminSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'list*', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'getUploadParamsFor*', 'DENY', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'get*', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'cloudianIsEnabled', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'quotaIsEnabled', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'quotaTariffList', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, 'quotaSummary', 'ALLOW', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) VALUES (UUID(), @ReadOnlyAdminRoleId, '*', 'DENY', @ReadOnlyAdminSortOrder:=@ReadOnlyAdminSortOrder+1) ON DUPLICATE KEY UPDATE rule=rule;
+
+-- Role permissions for Read-Only User
+SELECT id INTO @ReadOnlyUserRoleId FROM `cloud`.`roles` WHERE name = 'Read-Only User' AND is_default = 1;
+SELECT @ReadOnlyUserSortOrder:=-1;
+INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) SELECT UUID(), @ReadOnlyUserRoleId, rule, 'ALLOW', @ReadOnlyUserSortOrder:=@ReadOnlyUserSortOrder+1 FROM `cloud`.`role_permissions` WHERE role_id = 4 AND permission = 'ALLOW' AND rule LIKE 'list%';
Review comment: > Should the `rule` here be `list*` or `get*` etc.? Or was `rule` declared somewhere I missed ? the 'list*' and 'get*' rules for the User role are added for read-only user
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
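Review bot: The idempotency of the four `INSERT INTO cloud.roles ... ON DUPLICATE KEY UPDATE name=name` statements rests on a unique key over `roles.name` that this hunk does not show; `uuid` is freshly generated by `UUID()` on every run, so if `name` is not unique a re-run of the upgrade inserts duplicate roles and the following `SELECT id INTO @ReadOnlyAdminRoleId ... WHERE name = 'Read-Only Admin'` fails on a multi-row result. The same caveat applies to the `ON DUPLICATE KEY UPDATE rule=rule` clauses on `role_permissions`, where both `uuid` and `sort_order` differ on each run, so a unique key on `(role_id, rule)` or a guarded insert would be needed for the re-run to be a no-op. The `getUploadParamsFor*` DENY is placed before the broader `get*` ALLOW, which is only correct if rules are evaluated in `sort_order` with first match winning; a comment such as `-- rules are matched in sort_order; the DENY must precede the wider get* ALLOW` would make that contract visible to the next editor. The Read-Only User block hard-codes `role_id = 4` for the User role where the admin block resolves the role by name; a name-based lookup would be consistent and safer if ids differ on older installs. The hunk header announces 81 added lines, so the block continues past the last line shown here.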