refactor: system role templates (#2524)

#### What type of PR is this?
/kind improvement
/area core
/milestone 2.0

#### What this PR does / why we need it:
优化系统角色模板配置
- 认证用户仅具有名为 system-states 的 ConfigMap 查看权限而非所有 ConfigMap查看权限
- 主题和插件的管理权限目前需要单独勾选 ConfigMap 和 Setting 的权限才可以看到表单和值
#### Which issue(s) this PR fixes:

Fixes #2523

#### Special notes for your reviewer:
/cc @halo-dev/sig-halo 
#### Does this PR introduce a user-facing change?

```release-note
None
```
pull/2535/head
guqing 2022-10-10 16:04:10 +08:00 committed by GitHub
parent 04300308fe
commit 36e8ae1a15
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 6 deletions


@ -7,9 +7,12 @@ metadata:
halo.run/hidden: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password",
"role-template-manage-configmaps" ]
rules: [ ]
[ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password" ]
rules:
- apiGroups: [ "" ]
resources: [ "configmaps" ]
resourceNames: [ "system-states" ]
verbs: [ "get" ]
---
apiVersion: v1alpha1
kind: "Role"
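Review bot: The added rule granting `get` on `configmaps` with `resourceNames: [ "system-states" ]` makes that one ConfigMap readable by every authenticated user, and nothing next to the rule records that. Anything later written into `system-states` is exposed to all logged-in accounts, so a comment above the rule would help, e.g. `# system-states is readable by every authenticated user; store only non-sensitive state in it`. The narrowing also relies on the authorizer enforcing `resourceNames`, which is not visible here, so a test that an authenticated user is denied `get` on any other ConfigMap would pin it. If Halo follows Kubernetes-style RBAC, keep the verb list at `get`, since `list` cannot be scoped by name. The role's metadata starts above the hunk.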


@ -23,7 +23,7 @@ metadata:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/module: "Menus Management"
rbac.authorization.halo.run/display-name: "Menu Manage"
rbac.authorization.halo.run/display-name: "Menu View"
rbac.authorization.halo.run/ui-permissions: |
["system:menus:view"]
rules:


@ -6,7 +6,7 @@ metadata:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: |
[ "role-template-view-plugins", "role-template-manage-configmaps" ]
[ "role-template-view-plugins" ]
rbac.authorization.halo.run/module: "Plugins Management"
rbac.authorization.halo.run/display-name: "Plugin Manage"
rbac.authorization.halo.run/ui-permissions: |
@ -15,6 +15,8 @@ rules:
- apiGroups: [ "plugin.halo.run" ]
resources: [ "plugins" ]
verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
- nonResourceURLs: [ "/apis/api.console.halo.run/v1alpha1/plugins/install" ]
verbs: [ "create" ]
---
apiVersion: v1alpha1
kind: "Role"
@ -23,7 +25,6 @@ metadata:
labels:
halo.run/role-template: "true"
annotations:
rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
rbac.authorization.halo.run/module: "Plugins Management"
rbac.authorization.halo.run/display-name: "Plugin View"
rbac.authorization.halo.run/ui-permissions: |
@ -32,3 +33,6 @@ rules:
- apiGroups: [ "plugin.halo.run" ]
resources: [ "plugins" ]
verbs: [ "get", "list" ]
- apiGroups: [ "api.console.halo.run" ]
resources: [ "plugins" ]
verbs: [ "get", "list" ]
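Review bot: The `nonResourceURLs` rule added in the second hunk grants `create` on `/apis/api.console.halo.run/v1alpha1/plugins/install` to every holder of the Plugin Manage template, with nothing marking it as a high-privilege grant. Installing a plugin presumably loads uploaded code into the server, which would make this template administrator-equivalent. A comment above the rule would make that explicit, e.g. `# plugin install loads uploaded code into the server; assign this template only to trusted administrators`. Separately, the Plugin View template drops its `role-template-view-settings` dependency and gains `get`/`list` on `plugins` under `api.console.halo.run`. It is worth confirming that those console responses do not return plugin setting or ConfigMap values, which may hold credentials, to view-only users.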