feat: add rbac for strict job queue control (#927)

implement RBAC for controlling job queue give permission to ClusterAdmin role to make changes in the strict case [excluding e2e_tests changes]
determined-ai · Apr 18, 2024 · 93b1a49 · 93b1a49
1 parent 33b3f2d
commit 93b1a49
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/.circleci/devcluster/single-rbac.devcluster.yaml b/.circleci/devcluster/single-rbac.devcluster.yaml
@@ -25,6 +25,7 @@ stages:
           authz:
             type: rbac
             rbac_ui_enabled: true
+            strict_job_queue_control: true
         scim:
           enabled: true
           auth:

diff --git a/master/internal/job/authz_rbac.go b/master/internal/job/authz_rbac.go
@@ -7,7 +7,9 @@ import (
 
 	"github.com/determined-ai/determined/master/internal/authz"
 	"github.com/determined-ai/determined/master/internal/command"
+	"github.com/determined-ai/determined/master/internal/config"
 	"github.com/determined-ai/determined/master/internal/db"
+	"github.com/determined-ai/determined/master/internal/rbac"
 	"github.com/determined-ai/determined/master/pkg/model"
 	"github.com/determined-ai/determined/proto/pkg/jobv1"
 	"github.com/determined-ai/determined/proto/pkg/rbacv1"
@@ -114,7 +116,11 @@ func (a *JobAuthZRBAC) FilterJobs(
 func (a *JobAuthZRBAC) CanControlJobQueue(
 	ctx context.Context, curUser *model.User,
 ) (permErr error, err error) {
-	return nil, nil
+	if !config.GetMasterConfig().Security.AuthZ.StrictJobQueueControl {
+		return nil, nil
+	}
+	return rbac.CheckForPermission(ctx, "job", curUser, nil,
+		rbacv1.PermissionType_PERMISSION_TYPE_CONTROL_STRICT_JOB_QUEUE)
 }
 
 func init() {

diff --git a/master/static/migrations/20230627154016_precanned-jobq-control-permissions.tx.down.sql b/master/static/migrations/20230627154016_precanned-jobq-control-permissions.tx.down.sql
@@ -0,0 +1,3 @@
+DELETE FROM permission_assignments WHERE permission_id = 8101;
+
+DELETE FROM permissions WHERE id = 8101;
diff --git a/master/static/migrations/20230627154016_precanned-jobq-control-permissions.tx.up.sql b/master/static/migrations/20230627154016_precanned-jobq-control-permissions.tx.up.sql
@@ -0,0 +1,24 @@
+--  // Ability to control strict job queue.
+--  PERMISSION_TYPE_CONTROL_STRICT_JOB_QUEUE = 8101;
+
+INSERT into permissions(id, name, global_only) VALUES
+    (8101, 'control strict job queue', true);
+
+
+-- determined> select * from roles;
+-- +----+---------------------+----------------------------+
+-- | id | role_name           | created_at                 |
+-- |----+---------------------+----------------------------|
+-- | 1  | ClusterAdmin        | 2023-05-30 16:20:54.825443 |
+-- | 2  | WorkspaceAdmin      | 2023-05-30 16:20:54.825443 |
+-- | 3  | WorkspaceCreator    | 2023-05-30 16:20:54.825443 |
+-- | 4  | Viewer              | 2023-05-30 16:20:54.825443 |
+-- | 5  | Editor              | 2023-05-30 16:20:54.825443 |
+-- | 6  | ModelRegistryViewer | 2023-05-30 16:20:55.136146 |
+-- +----+---------------------+----------------------------+
+-- SELECT 6
+
+INSERT INTO permission_assignments (permission_id, role_id)
+SELECT 8101, roles.id
+FROM roles
+WHERE roles.role_name IN ('ClusterAdmin');