Joseph Doherty
c1619d95f5
Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
ConfigViewer -> Viewer
ConfigEditor -> Designer
FleetAdmin -> Administrator
DriverOperator -> Operator (appsettings-only string role)
This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).
- AdminRole enum members renamed (persisted as string names via
HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
* Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
but require canonical roles: RequireRole("Operator","Administrator")
and RequireRole("Administrator").
* Deployments.razor [Authorize(Roles="Administrator,Designer")].
* DevStub now grants "Administrator"; LdapOptions/doc-comment examples
canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
the real registered policies; existing role-string tests updated.
38 lines
2.0 KiB
C#
38 lines
2.0 KiB
C#
namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
|
|
|
/// <summary>
|
|
/// Admin UI roles per <c>admin-ui.md</c> §"Admin Roles" and Phase 6.2 Stream A.
|
|
/// These govern Admin UI capabilities (cluster CRUD, draft → publish, fleet-wide admin
|
|
/// actions) — they do NOT govern OPC UA data-path authorization, which reads
|
|
/// <see cref="Entities.NodeAcl"/> joined against LDAP group memberships directly.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// Per <c>docs/v2/plan.md</c> decision #150 the two concerns share zero runtime code path:
|
|
/// the control plane (Admin UI) consumes <see cref="Entities.LdapGroupRoleMapping"/>; the
|
|
/// data plane consumes <see cref="Entities.NodeAcl"/> rows directly. Having them in one
|
|
/// table would collapse the distinction + let a user inherit tag permissions via their
|
|
/// admin-role claim path.
|
|
/// </para>
|
|
/// <para>
|
|
/// Task 1.7 standardized the member names on the canonical control-plane role vocabulary
|
|
/// (<c>ZB.MOM.WW.Auth</c> <c>CanonicalRole</c>): <c>ConfigViewer → Viewer</c>,
|
|
/// <c>ConfigEditor → Designer</c>, <c>FleetAdmin → Administrator</c>. The appsettings-only
|
|
/// <c>DriverOperator</c> string role likewise became <c>Operator</c>. These members persist
|
|
/// as their string names (EF <c>HasConversion<string></c>); the rename is paired with
|
|
/// a data migration (<c>CanonicalizeAdminRoles</c>) that rewrites existing rows. This is a
|
|
/// rename, not a permission change — enforcement semantics are preserved.
|
|
/// </para>
|
|
/// </remarks>
|
|
public enum AdminRole
|
|
{
|
|
/// <summary>Read-only Admin UI access — can view cluster state, drafts, publish history. (Canonical: Viewer; was ConfigViewer.)</summary>
|
|
Viewer,
|
|
|
|
/// <summary>Can author drafts + submit for publish. (Canonical: Designer; was ConfigEditor.)</summary>
|
|
Designer,
|
|
|
|
/// <summary>Full Admin UI privileges including publish + fleet-admin actions. (Canonical: Administrator; was FleetAdmin.)</summary>
|
|
Administrator,
|
|
}
|