diff --git a/controllers/hosts.go b/controllers/hosts.go
index dbfbc6d5..a1015cf9 100644
--- a/controllers/hosts.go
+++ b/controllers/hosts.go
@@ -253,19 +253,6 @@ func updateHost(w http.ResponseWriter, r *http.Request) {
 newHost := newHostData.ConvertAPIHostToNMHost(currHost)
- if newHost.Name != currHost.Name {
- // update any rag role ids
- for _, nodeID := range newHost.Nodes {
- node, err := logic.GetNodeByID(nodeID)
- if err == nil && node.IsIngressGateway {
- role, err := logic.GetRole(models.GetRAGRoleID(node.Network, currHost.ID.String()))
- if err == nil {
- role.UiName = models.GetRAGRoleName(node.Network, newHost.Name)
- logic.UpdateRole(role)
- }
- }
- }
- }
 logic.UpdateHost(newHost, currHost) // update the in memory struct values
 if err = logic.UpsertHost(newHost); err != nil {
 logger.Log(0, r.Header.Get("user"), "failed to update a host:", err.Error())
diff --git a/logic/gateway.go b/logic/gateway.go
index ba752197..ab68a436 100644
--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -188,30 +188,6 @@ func CreateIngressGateway(netid string, nodeid string, ingress models.IngressReq
 if err != nil {
 return models.Node{}, err
 }
- // create network role for this gateway
- CreateRole(models.UserRolePermissionTemplate{
- ID: models.GetRAGRoleID(node.Network, host.ID.String()),
- UiName: models.GetRAGRoleName(node.Network, host.Name),
- NetworkID: models.NetworkID(node.Network),
- Default: true,
- NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
- models.RemoteAccessGwRsrc: {
- models.RsrcID(node.ID.String()): models.RsrcPermissionScope{
- Read: true,
- VPNaccess: true,
- },
- },
- models.ExtClientsRsrc: {
- models.AllExtClientsRsrcID: models.RsrcPermissionScope{
- Read: true,
- Create: true,
- Update: true,
- Delete: true,
- SelfOnly: true,
- },
- },
- },
- })
 err = SetNetworkNodesLastModified(netid)
 return node, err
 }
diff --git a/logic/hosts.go b/logic/hosts.go
index 48482e04..f8a310bf 100644
--- a/logic/hosts.go
+++ b/logic/hosts.go @@ -294,7 +294,7 @@ func UpdateHostFromClient(newHost, currHost *models.Host) (sendPeerUpdate bool) if err == nil && node.IsIngressGateway { role, err := GetRole(models.GetRAGRoleID(node.Network, currHost.ID.String())) if err == nil { - role.UiName = models.GetRAGRoleName(node.Network, newHost.Name) + role.Name = models.GetRAGRoleName(node.Network, newHost.Name) UpdateRole(role) } } diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go index 62ba22bf..3e22bb50 100644 --- a/logic/user_mgmt.go +++ b/logic/user_mgmt.go @@ -46,11 +46,16 @@ var IsNetworkRolesValid = func(networkRoles map[models.NetworkID]map[models.User return nil } +var MigrateUserRoleAndGroups = func(u models.User) { + +} + var UpdateUserGwAccess = func(currentUser, changeUser models.User) {} var UpdateRole = func(r models.UserRolePermissionTemplate) error { return nil } var InitialiseRoles = userRolesInit +var IntialiseGroups = func() {} var DeleteNetworkRoles = func(netID string) {} var CreateDefaultNetworkRolesAndGroups = func(netID models.NetworkID) {} var CreateDefaultUserPolicies = func(netID models.NetworkID) {} diff --git a/main.go b/main.go index 027b51c7..cbfe67dd 100644 --- a/main.go +++ b/main.go @@ -103,6 +103,7 @@ func initialize() { // Client Mode Prereq Check logic.SetJWTSecret() logic.InitialiseRoles() + logic.IntialiseGroups() err = serverctl.SetDefaults() if err != nil { logger.FatalLog("error setting defaults: ", err.Error()) diff --git a/migrate/migrate.go b/migrate/migrate.go index eda7a7d3..1df7461e 100644 --- a/migrate/migrate.go +++ b/migrate/migrate.go @@ -178,7 +178,10 @@ func updateNodes() { node.Tags[tagID] = struct{}{} logic.UpsertNode(&node) } - + host, err := logic.GetHost(node.HostID.String()) + if err == nil { + go logic.DeleteRole(models.GetRAGRoleID(node.Network, host.ID.String()), true) + } } if node.IsEgressGateway { egressRanges, update := removeInterGw(node.EgressGatewayRanges) 
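Review bot: The RAG-role rename kept in UpdateHostFromClient looks stale after this commit: CreateIngressGateway (logic/gateway.go) no longer creates those roles and migrate/migrate.go deletes the existing ones, so the `GetRole(models.GetRAGRoleID(...))` lookup should fail for every host and the new `role.Name = models.GetRAGRoleName(node.Network, newHost.Name)` line is never reached. The identical loop on the controller side was removed in controllers/hosts.go in this same commit; removing it here too keeps the two update paths consistent, and if it is intentionally kept for roles left over from older installs a comment such as `// RAG roles are no longer created; this only renames roles left by pre-migration releases` should say so. UpdateHostFromClient starts and ends outside the hunk.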
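Review bot: `IntialiseGroups` is misspelled and is declared directly under `InitialiseRoles`, so the two startup hooks now follow different spellings; the name is repeated in main.go (`logic.IntialiseGroups()`) and pro/initialize.go (`logic.IntialiseGroups = proLogic.UserGroupsInit`), so it should become `InitialiseGroups` in all three places before it is relied on. The new `MigrateUserRoleAndGroups` stub also has no comment and an empty body with a stray blank line; since these function variables are the CE/Pro seam, `// MigrateUserRoleAndGroups derives user-group membership from a user's legacy RemoteGwIDs/NetworkRoles entries; no-op in CE, replaced by the Pro implementation in pro/initialize.go.` would tell a reader why it is empty.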
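Review bot: The new `go logic.DeleteRole(...)` in updateNodes starts a goroutine per node handled by this block that nothing waits for and whose error is dropped, so a failed deletion silently leaves the legacy RAG role in place and the migration can return before the deletions have run; running it inline, `if err := logic.DeleteRole(models.GetRAGRoleID(node.Network, host.ID.String()), true); err != nil { /* log it */ }`, keeps the migration deterministic and diagnosable. Since `host` is fetched by `node.HostID`, `host.ID.String()` is presumably the same value as `node.HostID.String()`, so the GetHost call only acts as an existence check — a comment stating that, or dropping the lookup, would make the intent clear. The meaning of the literal `true` argument is not visible here; a short comment naming the flag would help, as a wrong value on a delete is hard to spot later. The enclosing block starts outside the hunk, so it is worth confirming it only covers ingress-gateway nodes.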
@@ -356,42 +359,8 @@ func syncUsers() {
 // create default network user roles for existing networks
 if servercfg.IsPro {
 networks, _ := logic.GetNetworks()
- nodes, err := logic.GetAllNodes()
- if err == nil {
- for _, netI := range networks {
- logic.CreateDefaultNetworkRolesAndGroups(models.NetworkID(netI.NetID))
- networkNodes := logic.GetNetworkNodesMemory(nodes, netI.NetID)
- for _, networkNodeI := range networkNodes {
- if networkNodeI.IsIngressGateway {
- h, err := logic.GetHost(networkNodeI.HostID.String())
- if err == nil {
- logic.CreateRole(models.UserRolePermissionTemplate{
- ID: models.GetRAGRoleID(networkNodeI.Network, h.ID.String()),
- UiName: models.GetRAGRoleName(networkNodeI.Network, h.Name),
- NetworkID: models.NetworkID(netI.NetID),
- NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
- models.RemoteAccessGwRsrc: {
- models.RsrcID(networkNodeI.ID.String()): models.RsrcPermissionScope{
- Read: true,
- VPNaccess: true,
- },
- },
- models.ExtClientsRsrc: {
- models.AllExtClientsRsrcID: models.RsrcPermissionScope{
- Read: true,
- Create: true,
- Update: true,
- Delete: true,
- SelfOnly: true,
- },
- },
- },
- })
- }
-
- }
- }
- }
+ for _, netI := range networks {
+ logic.CreateDefaultNetworkRolesAndGroups(models.NetworkID(netI.NetID))
 }
 }
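Review bot: The new loop that creates the default network roles and groups depends solely on `networks, _ := logic.GetNetworks()` on the context line above, whose error is discarded; if that read fails the migration silently creates nothing for any network, and since this runs at startup there is no retry visible here. Capturing and logging the error next to the loop (`networks, err := logic.GetNetworks()` followed by an `if err != nil` log) is cheap and makes a partially migrated install diagnosable. syncUsers starts and ends outside the hunk.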
@@ -429,34 +398,11 @@ func syncUsers() {
 user.PlatformRoleID = models.ServiceUser
 }
 logic.UpsertUser(user)
- if len(user.RemoteGwIDs) > 0 {
- // define user roles for network
- // assign relevant network role to user
- for remoteGwID := range user.RemoteGwIDs {
- gwNode, err := logic.GetNodeByID(remoteGwID)
- if err != nil {
- continue
- }
- h, err := logic.GetHost(gwNode.HostID.String())
- if err != nil {
- continue
- }
- r, err := logic.GetRole(models.GetRAGRoleID(gwNode.Network, h.ID.String()))
- if err != nil {
- continue
- }
- if netRoles, ok := user.NetworkRoles[models.NetworkID(gwNode.Network)]; ok {
- netRoles[r.ID] = struct{}{}
- } else {
- user.NetworkRoles[models.NetworkID(gwNode.Network)] = map[models.UserRoleID]struct{}{
- r.ID: {},
- }
- }
- }
- logic.UpsertUser(user)
- }
+ logic.MigrateUserRoleAndGroups(user)
+
 }
 }
+
 }
 func createDefaultTagsAndPolicies() {
diff --git a/models/user_mgmt.go b/models/user_mgmt.go
index a87a0f4b..d97e2532 100644
--- a/models/user_mgmt.go
+++ b/models/user_mgmt.go
@@ -116,8 +116,9 @@ type RsrcPermissionScope struct {
 type UserRolePermissionTemplate struct {
 ID UserRoleID `json:"id"`
- UiName string `json:"ui_name"`
+ Name string `json:"name"`
 Default bool `json:"default"`
+ MetaData string `json:"meta_data"`
 DenyDashboardAccess bool `json:"deny_dashboard_access"`
 FullAccess bool `json:"full_access"`
 NetworkID NetworkID `json:"network_id"`
@@ -132,6 +133,8 @@ type CreateGroupReq struct {
 type UserGroup struct {
 ID UserGroupID `json:"id"`
+ Default bool `json:"default"`
+ Name string `json:"name"`
 NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
 MetaData string `json:"meta_data"`
 }
diff --git a/pro/initialize.go b/pro/initialize.go
index 66a49823..496758cb 100644
--- a/pro/initialize.go
+++ b/pro/initialize.go
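Review bot: `logic.MigrateUserRoleAndGroups(user)` is called immediately after `logic.UpsertUser(user)`, and the Pro implementation added in pro/logic/migrate.go ends with its own `logic.UpsertUser(user)`, so every user is written to the store twice on each startup in Pro. Either drop the first upsert and let the hook persist, or have the hook only mutate the user and keep persistence in this loop. Because the hook receives `user` by value (`func(u models.User)`), any change it makes only survives through that inner upsert, which deserves a comment here: `// MigrateUserRoleAndGroups persists the user itself in Pro; the CE stub is a no-op.` syncUsers starts outside the hunk.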
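Review bot: Renaming the field and its JSON tag from `ui_name` to `name` changes both the stored record shape and the API response: any role document already persisted with `ui_name` unmarshals with an empty Name, and API clients reading `ui_name` break. The default roles are re-created at startup (InitialiseRoles / CreateDefaultNetworkRolesAndGroups) and the RAG roles are deleted in migrate.go, which covers the roles this commit knows about, but if custom roles can exist they keep a blank name unless something rewrites them — worth confirming. The new fields carry no doc comments; at minimum `// Name is the human-readable name shown for the role (replaces the former ui_name field).` and a line for MetaData, and the same for the Default/Name fields added to UserGroup in the next hunk.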
@@ -136,6 +136,8 @@ func InitPro() {
 logic.InitialiseRoles = proLogic.UserRolesInit
 logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess
 logic.CreateDefaultUserPolicies = proLogic.CreateDefaultUserPolicies
+ logic.MigrateUserRoleAndGroups = proLogic.MigrateUserRoleAndGroups
+ logic.IntialiseGroups = proLogic.UserGroupsInit
 }
 func retrieveProLogo() string {
diff --git a/pro/logic/migrate.go b/pro/logic/migrate.go
new file mode 100644
index 00000000..d30e71e0
--- /dev/null
+++ b/pro/logic/migrate.go
@@ -0,0 +1,54 @@
+package logic
+
+import (
+ "fmt"
+
+ "github.com/gravitl/netmaker/logic"
+ "github.com/gravitl/netmaker/models"
+)
+
+func MigrateUserRoleAndGroups(user models.User) {
+ var err error
+ if len(user.RemoteGwIDs) > 0 {
+ // define user roles for network
+ // assign relevant network role to user
+ for remoteGwID := range user.RemoteGwIDs {
+ gwNode, err := logic.GetNodeByID(remoteGwID)
+ if err != nil {
+ continue
+ }
+ var g models.UserGroup
+ if user.PlatformRoleID == models.ServiceUser {
+ g, err = GetUserGroup(models.UserGroupID(fmt.Sprintf("%s-%s-grp", gwNode.Network, models.NetworkUser)))
+ } else {
+ g, err = GetUserGroup(models.UserGroupID(fmt.Sprintf("%s-%s-grp",
+ gwNode.Network, models.NetworkAdmin)))
+ }
+ if err != nil {
+ continue
+ }
+ user.UserGroups[g.ID] = struct{}{}
+
+ }
+ }
+ if len(user.NetworkRoles) > 0 {
+ for netID := range user.NetworkRoles {
+ var g models.UserGroup
+ if user.PlatformRoleID == models.ServiceUser {
+ g, err = GetUserGroup(models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)))
+ } else {
+ g, err = GetUserGroup(models.UserGroupID(fmt.Sprintf("%s-%s-grp",
+ netID, models.NetworkAdmin)))
+ }
+ if err != nil {
+ continue
+ }
+ user.UserGroups[g.ID] = struct{}{}
+ if err != nil {
+ continue
+ }
+ }
+
+ }
+ logic.UpsertUser(user)
+}
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 7673673b..6faa9084 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
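Review bot: `user.UserGroups[g.ID] = struct{}{}` in MigrateUserRoleAndGroups writes into a map this function never initialises; for exactly the records this migration targets (users that predate user groups) `UserGroups` is plausibly nil after unmarshalling, and a nil-map write panics during startup migration. Guard it before the loops with `if user.UserGroups == nil { user.UserGroups = make(map[models.UserGroupID]struct{}) }`. Separately, every user whose PlatformRoleID is not ServiceUser is placed in the per-network admin group (FullAccess, per CreateDefaultNetworkRolesAndGroups) for each network they previously only held a remote-gateway entry for; confirm PlatformRoleID cannot be a non-admin value on this path, otherwise the migration grants more than the removed RAG role did (Read + VPNaccess only). Smaller points: the group-ID construction is repeated four times, the second `if err != nil { continue }` after the map write re-checks an err that was just checked, the outer `var err error` is shadowed by `gwNode, err :=` in the first loop, and the result of the final `logic.UpsertUser(user)` is discarded. A tightened version, with a doc comment and a single helper:
```go
// MigrateUserRoleAndGroups derives user-group membership from a user's legacy
// RemoteGwIDs and NetworkRoles entries and persists the user (Pro only).
func MigrateUserRoleAndGroups(user models.User) {
	if user.UserGroups == nil {
		user.UserGroups = make(map[models.UserGroupID]struct{})
	}
	// service users land in the network's user group, everyone else in its admin group
	groupFor := func(netID string) (models.UserGroup, error) {
		role := models.NetworkAdmin
		if user.PlatformRoleID == models.ServiceUser {
			role = models.NetworkUser
		}
		return GetUserGroup(models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, role)))
	}
	for remoteGwID := range user.RemoteGwIDs {
		gwNode, err := logic.GetNodeByID(remoteGwID)
		if err != nil {
			continue
		}
		if g, err := groupFor(gwNode.Network); err == nil {
			user.UserGroups[g.ID] = struct{}{}
		}
	}
	for netID := range user.NetworkRoles {
		if g, err := groupFor(netID.String()); err == nil {
			user.UserGroups[g.ID] = struct{}{}
		}
	}
	logic.UpsertUser(user) // TODO(review): surface the error instead of discarding it
}
```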
@@ -30,6 +30,8 @@ var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{
 var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{
 ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)),
+ Name: "Network Admins",
+ MetaData: "Users with this role can manage all your networks configuration including adding and removing devices.",
 Default: true,
 FullAccess: true,
 NetworkID: models.AllNetworks,
@@ -37,6 +39,8 @@ var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{
 var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
 ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)),
+ Name: "Network Users",
+ MetaData: "Users with this role Cannot access the admin console, but can connect to nodes in your networks via RAC.",
 Default: true,
 FullAccess: false,
 NetworkID: models.AllNetworks,
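Review bot: The user-facing MetaData string added to NetworkUserAllPermissionTemplate reads `Users with this role Cannot access…` with a capital C mid-sentence, while the group description in UserGroupsInit says `cannot`, the per-network template in CreateDefaultNetworkRolesAndGroups repeats `Users Cannot access`, and the per-network admin group says `User in this group` (singular). These strings are shown to administrators, so settle on one form, e.g. `Users with this role cannot access the admin console, but can connect to nodes in your networks via RAC.`, and apply it to the other three occurrences in this file.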
@@ -75,12 +79,44 @@ func UserRolesInit() {
 }
+func UserGroupsInit() {
+ // create default network groups
+ var NetworkGlobalAdminGroup = models.UserGroup{
+ ID: models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkAdmin)),
+ Default: true,
+ Name: "Network Admin Group",
+ MetaData: "Users in this group can manage all your networks configuration including adding and removing devices.",
+ NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
+ models.NetworkID("*"): {
+ models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)): {},
+ },
+ },
+ }
+ var NetworkGlobalUserGroup = models.UserGroup{
+ ID: models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkUser)),
+ Name: "Network User Group",
+ Default: true,
+ NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
+ models.NetworkID("*"): {
+ models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)): {},
+ },
+ },
+ MetaData: "Users in this group cannot access the admin console, but can connect to nodes in your networks via RAC.",
+ }
+ d, _ := json.Marshal(NetworkGlobalAdminGroup)
+ database.Insert(NetworkGlobalAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
+ d, _ = json.Marshal(NetworkGlobalUserGroup)
+ database.Insert(NetworkGlobalUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
+}
+
 func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 if netID.String() == "" {
 return
 }
 var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
 ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)),
+ Name: fmt.Sprintf("%s Admin", netID),
+ MetaData: fmt.Sprintf("Users with this role can manage your network `%s` configuration including adding and removing devices.", netID),
 Default: true,
 NetworkID: netID,
 FullAccess: true,
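Review bot: Both `database.Insert(...)` results in UserGroupsInit are discarded (as are the two `json.Marshal` errors), so if the global admin/user groups fail to be written the server starts normally and later group lookups via GetUserGroup silently fail. Check them, `if err := database.Insert(NetworkGlobalAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME); err != nil { /* log it */ }`, and likewise for the user group. UserGroupsInit is exported and is called on every start from main.go but has no doc comment; `// UserGroupsInit writes the two global default user groups (network admin, network user) to the user-groups table; called once at startup.` would cover it, and whether Insert overwrites an existing record is not visible here and is worth stating in that comment. The locals `NetworkGlobalAdminGroup` and `NetworkGlobalUserGroup` use exported-style capitals, which matches the rest of this file but not Go naming for function-scoped variables.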
@@ -89,6 +125,8 @@ func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)),
+ Name: fmt.Sprintf("%s User", netID),
+ MetaData: fmt.Sprintf("Users Cannot access the admin console, but can connect to nodes in your network `%s` via RAC.", netID),
 Default: true,
 FullAccess: false,
 NetworkID: netID,
@@ -118,22 +156,24 @@ func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
 // create default network groups
 var NetworkAdminGroup = models.UserGroup{
- ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)),
+ ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)),
+ Name: fmt.Sprintf("%s Admin Group", netID),
 NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
 netID: {
 models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)): {},
 },
 },
- MetaData: "The network group was automatically created by Netmaker.",
+ MetaData: fmt.Sprintf("User in this group can manage your network `%s` configuration including adding and removing devices.", netID),
 }
 var NetworkUserGroup = models.UserGroup{
- ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)),
+ ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)),
+ Name: fmt.Sprintf("%s User Group", netID),
 NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
 netID: {
 models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)): {},
 },
 },
- MetaData: "The network group was automatically created by Netmaker.",
+ MetaData: fmt.Sprintf("Users in this group cannot access the admin console, but can connect to nodes in your network `%s` via RAC.", netID),
 }
 d, _ = json.Marshal(NetworkAdminGroup)
 database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)