diff --git a/files/rhea/user-policies.cedar b/files/rhea/user-policies.cedar
index ee275e8..2ab7dce 100644
--- a/files/rhea/user-policies.cedar
+++ b/files/rhea/user-policies.cedar
@@ -7,7 +7,7 @@ permit (
 // These are wide open
 permit (principal, action, resource)
-when { context.url like "*/home/projects/" || context.url like "*/home/" };
+when { context.url like "*/home/projects/" || context.url like "*/home/workspaces/" || context.url like "*/home/" };
 permit (
 principal in Group::"kuiper",
@@ -25,6 +25,7 @@ when {
 context.url like "*/genesis/ansible*" ||
 context.url like "*/genesis/projects*" ||
+ context.url like "*/genesis/workspaces*" ||
 context.url like "*/genesis/storage*" ||
 context.url like "*/genesis/network*" ||
 context.url like "*/genesis/license*" ||
diff --git a/templates/crds/group.yaml b/templates/crds/group.yaml
index 9a26ae7..024ed40 100644
--- a/templates/crds/group.yaml
+++ b/templates/crds/group.yaml
@@ -32,8 +32,8 @@ spec:
 spec:
 type: object
 x-kubernetes-validations:
- - rule: "self.type == 'service' || self.type == 'role' || self.type == 'project' || self.type == 'posix'"
- message: "Group type needs to be either service, role, project, or posix"
+ - rule: "self.type == 'service' || self.type == 'role' || self.type == 'project' || self.type == 'workspace' || self.type == 'posix'"
+ message: "Group type needs to be either service, role, project, workspace, or posix"
 required:
 - members
 - type
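Review bot: The new `"*/home/workspaces/"` alternative joins a `permit (principal, action, resource)` that constrains neither principal nor action, and its leading `*` matches any prefix, so any request whose `context.url` ends in that suffix is allowed for everyone. Whether `context.url` is a normalized path (no query string, no dot or encoded segments) is not visible in this diff; if it is the raw request URL, the policy should match on the parsed path instead, or at least narrow the action, e.g. `permit (principal, action == Action::"<read-only action placeholder>", resource)`. The `"*/genesis/workspaces*"` line added in the second hunk has the same open prefix, and its trailing `*` also admits sibling paths that merely start with `workspaces`; `"*/genesis/workspaces/*"` would be tighter, though it departs from the neighbouring lines. The `when` block of that second policy starts and ends outside the hunk, so the principal and action limits that apply to it should be checked in the full file.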
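Review bot: The `rule` string gains one more `||` clause per group type and the `message` has to be kept in step by hand; CEL's membership test states the same check more compactly and is harder to get wrong: `rule: "self.type in ['service', 'role', 'project', 'workspace', 'posix']"`. If the schema for the `type` property is defined further down in this file (not visible in the hunk), an `enum` there would reject unknown values without needing a CEL rule at all. Nothing in the hunk shows what access a `workspace` group confers, so a short comment above the rule naming the component that interprets the type would help whoever reviews the next addition.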