diff --git a/alarms/operations.go b/alarms/operations.go
index cb3ade574..94f97cba8 100644
--- a/alarms/operations.go
+++ b/alarms/operations.go
@@ -17,18 +17,24 @@ const (
 OpListAlarms
 OpUpdateAlarm
 OpDeleteAlarm
+ OpAssignAlarm
+ OpAcknowledgeAlarm
+ OpResolveAlarm
 )
 const (
- OpAddAlarmStr = "OpAddAlarm"
- OpViewAlarmStr = "OpViewAlarm"
- OpListAlarmsStr = "OpListAlarms"
- OpUpdateAlarmStr = "OpUpdateAlarm"
- OpDeleteAlarmStr = "OpDeleteAlarm"
+ OpAddAlarmStr = "OpAddAlarm"
+ OpViewAlarmStr = "OpViewAlarm"
+ OpListAlarmsStr = "OpListAlarms"
+ OpUpdateAlarmStr = "OpUpdateAlarm"
+ OpDeleteAlarmStr = "OpDeleteAlarm"
+ OpAssignAlarmStr = "OpAssignAlarm"
+ OpAcknowledgeAlarmStr = "OpAcknowledgeAlarm"
+ OpResolveAlarmStr = "OpResolveAlarm"
 )
 func GetPermission(op permissions.Operation) (string, error) {
- if op < OpAddAlarm || op > OpDeleteAlarm {
+ if op < OpAddAlarm || op > OpResolveAlarm {
 return "", errors.New("invalid operation")
 }
@@ -51,6 +57,12 @@ func OperationName(op permissions.Operation) string {
 return OpUpdateAlarmStr
 case OpDeleteAlarm:
 return OpDeleteAlarmStr
+ case OpAssignAlarm:
+ return OpAssignAlarmStr
+ case OpAcknowledgeAlarm:
+ return OpAcknowledgeAlarmStr
+ case OpResolveAlarm:
+ return OpResolveAlarmStr
 default:
 return "unknown"
 }
diff --git a/docker/permission.yaml b/docker/permission.yaml
index a060e032c..e14de2987 100644
--- a/docker/permission.yaml
+++ b/docker/permission.yaml
@@ -22,6 +22,9 @@ rule:
 - enable: update_permission
 - disable: update_permission
 - delete: delete_permission
+ - alarm_assign: alarm_assign_permission
+ - alarm_acknowledge: alarm_acknowledge_permission
+ - alarm_resolve: alarm_resolve_permission
 roles_operations:
 - add: manage_role_permission
 - remove: manage_role_permission
diff --git a/docker/spicedb/combined-schema.zed b/docker/spicedb/combined-schema.zed
index 931b79543..81bed28d2 100644
--- a/docker/spicedb/combined-schema.zed
+++ b/docker/spicedb/combined-schema.zed
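Review bot: In the `@@ -17,18 +17,24 @@` hunk the range guard in `GetPermission` now admits `OpAssignAlarm`, `OpAcknowledgeAlarm` and `OpResolveAlarm`, but the rest of the function lies outside the hunk, so it is not visible whether the lookup that follows returns a permission name for them. If that lookup has a default or empty result, these three state-changing actions could be checked against the wrong permission, so a table test over every operation from `OpAddAlarm` to `OpResolveAlarm` should pin the mapping. The guard is also tied to whichever constant is last in the iota block; an unexported sentinel placed after `OpResolveAlarm`, compared with `op >= sentinel`, would keep the bound correct when another operation is appended.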
@@ -312,10 +312,6 @@ definition domain { relation alarm_update: role#member | team#member relation alarm_read: role#member | team#member relation alarm_delete: role#member | team#member - relation alarm_manage_role: role#member | team#member - relation alarm_add_role_users: role#member | team#member - relation alarm_remove_role_users: role#member | team#member - relation alarm_view_role_users: role#member | team#member relation rule_create: role#member | team#member relation rule_update: role#member | team#member relation rule_read: role#member | team#member @@ -353,7 +349,7 @@ definition domain { channel_manage_role + channel_add_role_users + channel_remove_role_users + channel_view_role_users + group_update + group_membership + group_read + group_delete + group_set_child + group_set_parent + group_manage_role + group_add_role_users + group_remove_role_users + group_view_role_users + - alarm_create + alarm_update + alarm_read + alarm_delete + alarm_manage_role + alarm_add_role_users + alarm_remove_role_users + alarm_view_role_users + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users + + alarm_create + alarm_update + alarm_read + alarm_delete + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + rule_alarm_assign + rule_alarm_acknowledge + rule_alarm_resolve + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users + organization->admin permission admin = (read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users) + organization->admin 
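Review bot: The `@@ -312,10 +312,6 @@` hunk drops `alarm_manage_role`, `alarm_add_role_users`, `alarm_remove_role_users` and `alarm_view_role_users` from `definition domain`, and later hunks drop the same relations from `definition team` and `definition alarm` here and in override-schema.zed, yet no data migration is visible in this diff. SpiceDB rejects a schema write that removes a relation while stored relationships still reference it, so an existing deployment may fail to load the new schema until those relationships are deleted. Because the next hunk also removes these four relations from the `membership` union, a role that held only one of them loses that path to domain membership. If the cleanup is not handled elsewhere in the change, it should be added and mentioned in the commit description.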
@@ -403,10 +399,6 @@ definition domain {
 permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
 permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
 permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
- permission alarm_manage_role_permission = alarm_manage_role + team->alarm_manage_role + organization->admin
- permission alarm_add_role_users_permission = alarm_add_role_users + team->alarm_add_role_users + organization->admin
- permission alarm_remove_role_users_permission = alarm_remove_role_users + team->alarm_remove_role_users + organization->admin
- permission alarm_view_role_users_permission = alarm_view_role_users + team->alarm_view_role_users + organization->admin
 permission rule_create_permission = rule_create + team->rule_create + organization->admin
 permission rule_update_permission = rule_update + team->rule_update + organization->admin
 permission rule_read_permission = rule_read + team->rule_read + organization->admin
@@ -415,6 +407,9 @@ definition domain {
 permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
 permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
 permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+ permission rule_alarm_assign_permission = rule_alarm_assign + team->rule_alarm_assign + organization->admin
+ permission rule_alarm_acknowledge_permission = rule_alarm_acknowledge + team->rule_alarm_acknowledge + organization->admin
+ permission rule_alarm_resolve_permission = rule_alarm_resolve + team->rule_alarm_resolve + organization->admin
 permission report_create_permission = report_create + team->report_create + organization->admin
 permission report_update_permission = report_update + team->report_update + organization->admin
 permission report_read_permission = report_read + team->report_read + organization->admin
@@ -518,10 +513,6 @@ definition team {
 relation alarm_update: role#member | team#member
 relation alarm_read: role#member | team#member
 relation alarm_delete: role#member | team#member
- relation alarm_manage_role: role#member | team#member
- relation alarm_add_role_users: role#member | team#member
- relation alarm_remove_role_users: role#member | team#member
- relation alarm_view_role_users: role#member | team#member
 relation rule_create: role#member | team#member
 relation rule_update: role#member | team#member
 relation rule_read: role#member | team#member
@@ -530,6 +521,9 @@ definition team {
 relation rule_add_role_users: role#member | team#member
 relation rule_remove_role_users: role#member | team#member
 relation rule_view_role_users: role#member | team#member
+ relation rule_alarm_assign: role#member | team#member
+ relation rule_alarm_acknowledge: role#member | team#member
+ relation rule_alarm_resolve: role#member | team#member
 relation report_create: role#member | team#member
 relation report_update: role#member | team#member
 relation report_read: role#member | team#member
@@ -646,19 +640,9 @@ relation update: role#member
 relation read: role#member
 relation delete: role#member
-relation manage_role: role#member
-relation add_role_users: role#member
-relation remove_role_users: role#member
-relation view_role_users: role#member
-
 permission update_permission = update + domain->alarm_update_permission
 permission read_permission = read + domain->alarm_read_permission
 permission delete_permission = delete + domain->alarm_delete_permission
-
-permission manage_role_permission = manage_role + domain->alarm_manage_role_permission
-permission add_role_users_permission = add_role_users + domain->alarm_add_role_users_permission
-permission remove_role_users_permission = remove_role_users + domain->alarm_remove_role_users_permission
-permission view_role_users_permission = view_role_users + domain->alarm_view_role_users_permission
 }
 definition rule {
@@ -673,6 +657,10 @@ relation add_role_users: role#member
 relation remove_role_users: role#member
 relation view_role_users: role#member
+relation alarm_assign: role#member
+relation alarm_acknowledge: role#member
+relation alarm_resolve: role#member
+
 permission update_permission = update + domain->rule_update_permission
 permission read_permission = read + domain->rule_read_permission
 permission delete_permission = delete + domain->rule_delete_permission
@@ -681,6 +669,10 @@ permission manage_role_permission = manage_role + domain->rule_manage_role_permi
 permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
 permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
 permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+
+permission alarm_assign_permission = alarm_assign + domain->rule_alarm_assign_permission
+permission alarm_acknowledge_permission = alarm_acknowledge + domain->rule_alarm_acknowledge_permission
+permission alarm_resolve_permission = alarm_resolve + domain->rule_alarm_resolve_permission
 }
 definition report {
diff --git a/docker/spicedb/override-schema.zed b/docker/spicedb/override-schema.zed
index 04201e318..ba377a838 100644
--- a/docker/spicedb/override-schema.zed
+++ b/docker/spicedb/override-schema.zed
@@ -32,10 +32,6 @@ definition domain {
 relation alarm_update: role#member | team#member
 relation alarm_read: role#member | team#member
 relation alarm_delete: role#member | team#member
- relation alarm_manage_role: role#member | team#member
- relation alarm_add_role_users: role#member | team#member
- relation alarm_remove_role_users: role#member | team#member
- relation alarm_view_role_users: role#member | team#member
 relation rule_create: role#member | team#member
 relation rule_update: role#member | team#member
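Review bot: In the `@@ -681,6 +669,10 @@` hunk, `alarm_assign_permission`, `alarm_acknowledge_permission` and `alarm_resolve_permission` are defined on `definition rule`, so a grant is per rule and applies to every alarm checked against that rule; with the role relations removed from `definition alarm` earlier in this file, no per-alarm grant remains. The diff does not show how the service picks the rule object for the check, so it is worth confirming that the rule ID comes from the stored alarm record and not from request input. A schema comment above the three permissions, such as `// Alarm lifecycle actions are authorized on the rule the alarm belongs to.`, would record the intent (wording to be confirmed by the author). The same lines are added to override-schema.zed at `@@ -162,6 +150,10 @@`, and `definition rule` starts outside this hunk.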
@@ -60,10 +56,6 @@ definition domain {
 permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
 permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
 permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
- permission alarm_manage_role_permission = alarm_manage_role + team->alarm_manage_role + organization->admin
- permission alarm_add_role_users_permission = alarm_add_role_users + team->alarm_add_role_users + organization->admin
- permission alarm_remove_role_users_permission = alarm_remove_role_users + team->alarm_remove_role_users + organization->admin
- permission alarm_view_role_users_permission = alarm_view_role_users + team->alarm_view_role_users + organization->admin
 permission rule_create_permission = rule_create + team->rule_create + organization->admin
 permission rule_update_permission = rule_update + team->rule_update + organization->admin
@@ -73,6 +65,9 @@ definition domain {
 permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
 permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
 permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+ permission rule_alarm_assign_permission = rule_alarm_assign + team->rule_alarm_assign + organization->admin
+ permission rule_alarm_acknowledge_permission = rule_alarm_acknowledge + team->rule_alarm_acknowledge + organization->admin
+ permission rule_alarm_resolve_permission = rule_alarm_resolve + team->rule_alarm_resolve + organization->admin
 permission report_create_permission = report_create + team->report_create + organization->admin
 permission report_update_permission = report_update + team->report_update + organization->admin
@@ -84,7 +79,7 @@ definition domain {
 permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
 // Explicit extension injected into SuperMQ domain `permission membership`.
- permission membership_extension = alarm_create + alarm_update + alarm_read + alarm_delete + alarm_manage_role + alarm_add_role_users + alarm_remove_role_users + alarm_view_role_users + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users
+ permission membership_extension = alarm_create + alarm_update + alarm_read + alarm_delete + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + rule_alarm_assign + rule_alarm_acknowledge + rule_alarm_resolve + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users
 }
@@ -95,10 +90,6 @@ definition team {
 relation alarm_update: role#member | team#member
 relation alarm_read: role#member | team#member
 relation alarm_delete: role#member | team#member
- relation alarm_manage_role: role#member | team#member
- relation alarm_add_role_users: role#member | team#member
- relation alarm_remove_role_users: role#member | team#member
- relation alarm_view_role_users: role#member | team#member
 relation rule_create: role#member | team#member
 relation rule_update: role#member | team#member
@@ -108,6 +99,9 @@ definition team {
 relation rule_add_role_users: role#member | team#member
 relation rule_remove_role_users: role#member | team#member
 relation rule_view_role_users: role#member | team#member
+ relation rule_alarm_assign: role#member | team#member
+ relation rule_alarm_acknowledge: role#member | team#member
+ relation rule_alarm_resolve: role#member | team#member
 relation report_create: role#member | team#member
 relation report_update: role#member | team#member
@@ -127,19 +121,9 @@ relation update: role#member
 relation read: role#member
 relation delete: role#member
-relation manage_role: role#member
-relation add_role_users: role#member
-relation remove_role_users: role#member
-relation view_role_users: role#member
-
 permission update_permission = update + domain->alarm_update_permission
 permission read_permission = read + domain->alarm_read_permission
 permission delete_permission = delete + domain->alarm_delete_permission
-
-permission manage_role_permission = manage_role + domain->alarm_manage_role_permission
-permission add_role_users_permission = add_role_users + domain->alarm_add_role_users_permission
-permission remove_role_users_permission = remove_role_users + domain->alarm_remove_role_users_permission
-permission view_role_users_permission = view_role_users + domain->alarm_view_role_users_permission
 }
 definition rule {
@@ -154,6 +138,10 @@ relation add_role_users: role#member
 relation remove_role_users: role#member
 relation view_role_users: role#member
+relation alarm_assign: role#member
+relation alarm_acknowledge: role#member
+relation alarm_resolve: role#member
+
 permission update_permission = update + domain->rule_update_permission
 permission read_permission = read + domain->rule_read_permission
 permission delete_permission = delete + domain->rule_delete_permission
@@ -162,6 +150,10 @@ permission manage_role_permission = manage_role + domain->rule_manage_role_permi
 permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
 permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
 permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+
+permission alarm_assign_permission = alarm_assign + domain->rule_alarm_assign_permission
+permission alarm_acknowledge_permission = alarm_acknowledge + domain->rule_alarm_acknowledge_permission
+permission alarm_resolve_permission = alarm_resolve + domain->rule_alarm_resolve_permission
 }
 definition report {