
Commit 1f4fb0e

committed
Add provisioner stuff
1 parent 0ffffeb commit 1f4fb0e


1 file changed

+44
-0
lines changed


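--- a/coderd/database/spice/policy/schema.zed
+++ b/coderd/database/spice/policy/schema.zed
@@ -67,6 +67,15 @@ definition team {
 relation template_permission_manager: group#membership | user
 relation template_insights_viewer: group#membership | user
 
+
+/*******************
+* Provisioner Roles *
+*******************/
+relation provisioner_viewer: group#membership | user
+relation provisioner_creator: group#membership | user
+relation provisioner_deletor: group#membership | user
+relation provisioner_editor: group#membership | user
+
 /*******************
 * Other Roles *
 *******************/
@@ -98,7 +107,19 @@ definition team {
 permission edit_templates = platform->super_admin + template_editor + parent->edit_templates
 permission delete_templates = platform->super_admin + template_deletor + parent->delete_templates
 permission manage_template_permissions = platform->super_admin + template_permission_manager + parent->manage_template_permissions
+// Creating a template, version, and file are all the same permissions
 permission create_template = platform->super_admin + template_creator + parent->create_template
+permission create_template_version = create_template
+permission create_file = create_template
+
+
+/************************
+* Provisioner Permissions *
+************************/
+permission view_provisioners = platform->super_admin + template_viewer + parent->view_provisioners
+permission edit_provisioners = platform->super_admin + template_editor + parent->edit_provisioners
+permission delete_provisioners = platform->super_admin + template_deletor + parent->delete_provisioners
+permission create_provisioners = platform->super_admin + template_creator + parent->create_provisioners
 }
 
 // group is a collection of users and operates exactly like a user from
@@ -182,10 +203,12 @@ definition template {
 // workspace relates a given workspace to a template. This allows
 // 'view' permission to be granted through the workspace, so a person who can
 // view a workspce, can also view the template it is using.
+// TODO: Add deleted caveat?
 relation workspace: workspace
 
 permission view = owner->template_viewer + workspace->view
 permission view_insights = owner->view_template_insights
+// Edit allows adding and promoting template versions.
 permission edit = owner->edit_templates
 permission delete = owner->delete_templates
 permission edit_pemissions = owner->manage_template_permissions
@@ -196,3 +219,24 @@ definition template_version {
 
 permission view = template->view
 }
+
+definition file {
+relation template_version: template_version
+
+permission view = template_version -> view
+}
+
+definition provisioner {
+// owning team for pulling permissions through.
+relation owner: team
+
+permission view = owner -> view_provisioners
+}
+
+definition job {
+relation template_version: template_version
+relation workspace_build: workspace_build
+// dry runs?
+
+permission view = template_version->view + workspace_build->view
+}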
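Review bot: The four provisioner permissions added in the second hunk (new-file lines 119–122) are derived from the template roles `template_viewer`/`template_editor`/`template_deletor`/`template_creator`, so the `provisioner_viewer`/`provisioner_creator`/`provisioner_deletor`/`provisioner_editor` relations introduced in the first hunk are never referenced and every holder of a template role implicitly receives the matching provisioner right. If the two role sets are meant to be assignable independently, each provisioner permission should be built from its own relation, as in the lines below. The `definition provisioner` block in the last hunk only exposes `view`; if edit/delete/create are meant to be checked against a provisioner object, those permissions still have to be declared there (the rest of the file is not visible here, so this may already be planned). The `// dry runs?` comment in `definition job` reads as an open design question and would be clearer as a TODO stating which relation a dry run is expected to use.
```zed
// … unchanged: Provisioner Permissions comment header …
permission view_provisioners = platform->super_admin + provisioner_viewer + parent->view_provisioners
permission edit_provisioners = platform->super_admin + provisioner_editor + parent->edit_provisioners
permission delete_provisioners = platform->super_admin + provisioner_deletor + parent->delete_provisioners
permission create_provisioners = platform->super_admin + provisioner_creator + parent->create_provisioners
```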
