@@ -18,6 +18,7 @@ import (
1818
1919 "cdr.dev/slog"
2020
21+ "github.com/coder/coder/v2/coderd/prebuilds"
2122 "github.com/coder/coder/v2/coderd/rbac/policy"
2223 "github.com/coder/coder/v2/coderd/rbac/rolestore"
2324
@@ -358,6 +359,27 @@ var (
358359 }),
359360 Scope : rbac .ScopeAll ,
360361 }.WithCachedASTValue ()
362+
363+ subjectPrebuildsOrchestrator = rbac.Subject {
364+ FriendlyName : "Prebuilds Orchestrator" ,
365+ ID : prebuilds .OwnerID .String (),
366+ Roles : rbac .Roles ([]rbac.Role {
367+ {
368+ Identifier : rbac.RoleIdentifier {Name : "prebuilds-orchestrator" },
369+ DisplayName : "Coder" ,
370+ Site : rbac .Permissions (map [string ][]policy.Action {
371+ // May use template, read template-related info, & insert template-related resources (preset prebuilds).
372+ rbac .ResourceTemplate .Type : {policy .ActionRead , policy .ActionUpdate , policy .ActionUse },
373+ // May CRUD workspaces, and start/stop them.
374+ rbac .ResourceWorkspace .Type : {
375+ policy .ActionCreate , policy .ActionDelete , policy .ActionRead , policy .ActionUpdate ,
376+ policy .ActionWorkspaceStart , policy .ActionWorkspaceStop ,
377+ },
378+ }),
379+ },
380+ }),
381+ Scope : rbac .ScopeAll ,
382+ }.WithCachedASTValue ()
361383)
362384
363385// AsProvisionerd returns a context with an actor that has permissions required
@@ -412,6 +434,12 @@ func AsSystemReadProvisionerDaemons(ctx context.Context) context.Context {
412434 return context .WithValue (ctx , authContextKey {}, subjectSystemReadProvisionerDaemons )
413435}
414436
437+ // AsPrebuildsOrchestrator returns a context with an actor that has permissions
438+ // to read orchestrator workspace prebuilds.
439+ func AsPrebuildsOrchestrator (ctx context.Context ) context.Context {
440+ return context .WithValue (ctx , authContextKey {}, subjectPrebuildsOrchestrator )
441+ }
442+
415443var AsRemoveActor = rbac.Subject {
416444 ID : "remove-actor" ,
417445}
0 commit comments