coder
diff --git a/‎README.md
Lines changed: 3 additions & 1 deletion b/‎README.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎cli/templateplan.go
Lines changed: 1 addition & 1 deletion b/‎cli/templateplan.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/migrations/000034_remove_admin_role.down.sql
Lines changed: 22 additions & 0 deletions b/‎coderd/database/migrations/000034_remove_admin_role.down.sql
Lines changed: 22 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000034_remove_admin_role.up.sql
Lines changed: 20 additions & 0 deletions b/‎coderd/database/migrations/000034_remove_admin_role.up.sql
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/postgres/postgres.go
Lines changed: 16 additions & 4 deletions b/‎coderd/database/postgres/postgres.go
Lines changed: 16 additions & 4 deletions
diff --git a/‎coderd/httpmw/authorize_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/httpmw/authorize_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/provisionerjobs_internal_test.go
Lines changed: 2 additions & 2 deletions b/‎coderd/provisionerjobs_internal_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/rbac/authz_internal_test.go
Lines changed: 3 additions & 3 deletions b/‎coderd/rbac/authz_internal_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/rbac/builtin.go
Lines changed: 16 additions & 9 deletions b/‎coderd/rbac/builtin.go
Lines changed: 16 additions & 9 deletions
diff --git a/‎coderd/rbac/builtin_internal_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/rbac/builtin_internal_test.go
Lines changed: 1 addition & 1 deletion
@@ -54,7 +54,7 @@ curl -L https://coder.com/install.sh | sh -s -- --help
 
 > See [install](docs/install.md) for additional methods.
 
-Once installed, you can start a production deployment with a single command:
+Once installed, you can start a production deployment<sup>1</sup> with a single command:
 
 ```sh
 # Automatically sets up an external access URL on *.try.coder.app
@@ -64,6 +64,8 @@ coder server --tunnel
 coder server --postgres-url <url> --access-url <url>
 ```
 
+> <sup>1</sup> The embedded database is great for trying out Coder with small deployments, but do consider using an external database for increased assurance and control.
+
 Use `coder --help` to get a complete list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/coder-oss/latest/quickstart) for a full walkthrough.
 
 ## Documentation
 
@@ -8,7 +8,7 @@ func templatePlan() *cobra.Command {
 	return &cobra.Command{
 		Use:   "plan <directory>",
 		Args:  cobra.MinimumNArgs(1),
-		Short: "Plan a template update from the current directory",
+		Short: "Plan a template push from the current directory",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return nil
 		},
 
@@ -0,0 +1,22 @@
+UPDATE
+	users
+SET
+    -- Replace 'template-admin' and 'user-admin' role with 'admin'
+    rbac_roles = array_append(
+            array_remove(
+                array_remove(rbac_roles, 'template-admin'),
+                    'user-admin'
+                ), 'admin')
+WHERE
+    -- Only on existing admins. If they have either role, make them an admin
+    ARRAY ['template-admin', 'user-admin'] && rbac_roles;
+
+
+UPDATE
+    users
+SET
+    -- Replace 'owner' with 'admin'
+    rbac_roles = array_replace(rbac_roles, 'owner', 'admin')
+WHERE
+    -- Only on the owner
+    'owner' = ANY(rbac_roles);
@@ -0,0 +1,20 @@
+UPDATE
+    users
+SET
+    -- Replace the role 'admin' with the role 'owner'
+    rbac_roles = array_replace(rbac_roles, 'admin', 'owner')
+WHERE
+    -- Update the first user with the role 'admin'. This should be the first
+    -- user ever, but if that user was demoted from an admin, then choose
+    -- the next best user.
+    id = (SELECT id FROM users WHERE 'admin' = ANY(rbac_roles) ORDER BY created_at ASC LIMIT 1);
+
+
+UPDATE
+    users
+SET
+    -- Replace 'admin' role with 'template-admin' and 'user-admin'
+    rbac_roles = array_cat(array_remove(rbac_roles, 'admin'), ARRAY ['template-admin', 'user-admin'])
+WHERE
+    -- Only on existing admins
+    'admin' = ANY(rbac_roles);
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"golang.org/x/xerrors"
@@ -123,27 +124,38 @@ func Open() (string, func(), error) {
 	}
 
 	pool.MaxWait = 120 * time.Second
+
+	// Record the error that occurs during the retry.
+	// The 'pool' pkg hardcodes a deadline error devoid
+	// of any useful context.
+	var retryErr error
 	err = pool.Retry(func() error {
 		db, err := sql.Open("postgres", dbURL)
 		if err != nil {
-			return xerrors.Errorf("open postgres: %w", err)
+			retryErr = xerrors.Errorf("open postgres: %w", err)
+			return retryErr
 		}
 		defer db.Close()
 
 		err = db.Ping()
 		if err != nil {
-			return xerrors.Errorf("ping postgres: %w", err)
+			retryErr = xerrors.Errorf("ping postgres: %w", err)
+			return retryErr
 		}
+
 		err = database.MigrateUp(db)
 		if err != nil {
-			return xerrors.Errorf("migrate db: %w", err)
+			retryErr = xerrors.Errorf("migrate db: %w", err)
+			// Only try to migrate once.
+			return backoff.Permanent(retryErr)
 		}
 
 		return nil
 	})
 	if err != nil {
-		return "", nil, err
+		return "", nil, retryErr
 	}
+
 	return dbURL, func() {
 		_ = pool.Purge(resource)
 		_ = os.RemoveAll(tempDir)
 
@@ -40,7 +40,7 @@ func TestExtractUserRoles(t *testing.T) {
 		{
 			Name: "Admin",
 			AddUser: func(db database.Store) (database.User, []string, string) {
-				roles := []string{rbac.RoleAdmin()}
+				roles := []string{rbac.RoleOwner()}
 				user, token := addUser(t, db, roles...)
 				return user, append(roles, rbac.RoleMember()), token
 			},
 
@@ -17,9 +17,9 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
-
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/databasefake"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/testutil"
 )
@@ -78,7 +78,7 @@ func TestProvisionerJobLogs_Unit(t *testing.T) {
 		require.NoError(t, err)
 		_, err = fDB.InsertUser(ctx, database.InsertUserParams{
 			ID:        userID,
-			RBACRoles: []string{"admin"},
+			RBACRoles: []string{rbac.RoleOwner()},
 		})
 		require.NoError(t, err)
 		_, err = fDB.InsertWorkspaceBuild(ctx, database.InsertWorkspaceBuildParams{
 
@@ -87,7 +87,7 @@ func TestFilter(t *testing.T) {
 		{
 			Name:       "Admin",
 			SubjectID:  userIDs[0].String(),
-			Roles:      []string{RoleOrgMember(orgIDs[0]), "auditor", RoleAdmin(), RoleMember()},
+			Roles:      []string{RoleOrgMember(orgIDs[0]), "auditor", RoleOwner(), RoleMember()},
 			ObjectType: ResourceWorkspace.Type,
 			Action:     ActionRead,
 		},
@@ -292,7 +292,7 @@ func TestAuthorizeDomain(t *testing.T) {
 	user = subject{
 		UserID: "me",
 		Roles: []Role{
-			must(RoleByName(RoleAdmin())),
+			must(RoleByName(RoleOwner())),
 			must(RoleByName(RoleMember())),
 		},
 	}
@@ -499,7 +499,7 @@ func TestAuthorizeLevels(t *testing.T) {
 	user := subject{
 		UserID: "me",
 		Roles: []Role{
-			must(RoleByName(RoleAdmin())),
+			must(RoleByName(RoleOwner())),
 			{
 				Name: "org-deny:" + defOrg.String(),
 				Org: map[string][]Permission{
 
@@ -9,7 +9,7 @@ import (
 )
 
 const (
-	admin         string = "admin"
+	owner         string = "owner"
 	member        string = "member"
 	templateAdmin string = "template-admin"
 	userAdmin     string = "user-admin"
@@ -24,8 +24,8 @@ const (
 // Once we have a database implementation, the "default" roles can be defined on the
 // site and orgs, and these functions can be removed.
 
-func RoleAdmin() string {
-	return roleName(admin, "")
+func RoleOwner() string {
+	return roleName(owner, "")
 }
 
 func RoleTemplateAdmin() string {
@@ -59,10 +59,10 @@ var (
 	// https://github.com/coder/coder/issues/1194
 	builtInRoles = map[string]func(orgID string) Role{
 		// admin grants all actions to all resources.
-		admin: func(_ string) Role {
+		owner: func(_ string) Role {
 			return Role{
-				Name:        admin,
-				DisplayName: "Admin",
+				Name:        owner,
+				DisplayName: "Owner",
 				Site: permissions(map[Object][]Action{
 					ResourceWildcard: {WildcardSymbol},
 				}),
@@ -123,7 +123,10 @@ var (
 				Name:        userAdmin,
 				DisplayName: "User Admin",
 				Site: permissions(map[Object][]Action{
-					ResourceUser: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceRoleAssignment: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceUser:           {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					// Full perms to manage org members
+					ResourceOrganizationMember: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
 			}
 		},
@@ -187,15 +190,19 @@ var (
 	// The first key is the actor role, the second is the roles they can assign.
 	//	map[actor_role][assign_role]<can_assign>
 	assignRoles = map[string]map[string]bool{
-		admin: {
-			admin:         true,
+		owner: {
+			owner:         true,
 			auditor:       true,
 			member:        true,
 			orgAdmin:      true,
 			orgMember:     true,
 			templateAdmin: true,
 			userAdmin:     true,
 		},
+		userAdmin: {
+			member:    true,
+			orgMember: true,
+		},
 		orgAdmin: {
 			orgAdmin:  true,
 			orgMember: true,
 
@@ -16,7 +16,7 @@ func TestRoleByName(t *testing.T) {
 		testCases := []struct {
 			Role Role
 		}{
-			{Role: builtInRoles[admin]("")},
+			{Role: builtInRoles[owner]("")},
 			{Role: builtInRoles[member]("")},
 			{Role: builtInRoles[templateAdmin]("")},
 			{Role: builtInRoles[userAdmin]("")},
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func TestExtractUserRoles(t *testing.T) {`
`40`	`40`	`{`
`41`	`41`	`Name: "Admin",`
`42`	`42`	`AddUser: func(db database.Store) (database.User, []string, string) {`
`43`		`- roles := []string{rbac.RoleAdmin()}`
	`43`	`+ roles := []string{rbac.RoleOwner()}`
`44`	`44`	`user, token := addUser(t, db, roles...)`
`45`	`45`	`return user, append(roles, rbac.RoleMember()), token`
`46`	`46`	`},`