From 76a5b9396ccb2f1c637553afd5f80f6f3f0f2a21 Mon Sep 17 00:00:00 2001
From: Mike Bonnet
Date: Nov 21 2019 19:17:03 +0000
Subject: support granting the "edit" role to users and groups

This change also moves the "system:authenticated" group from the "view" to the "edit" role. This allows all users to access the pod console and view secrets, which helps when debugging test failures.
---
diff --git a/c3iaas/templates/c3iaas-request-project-template.yaml b/c3iaas/templates/c3iaas-request-project-template.yaml
index 7153a63..6c8dea0 100644
--- a/c3iaas/templates/c3iaas-request-project-template.yaml
+++ b/c3iaas/templates/c3iaas-request-project-template.yaml
@@ -57,10 +57,14 @@ objects:
 value: ""
 - name: ADMIN_GROUPS
 value: ""
+ - name: EDIT_USERS
+ value: ""
+ - name: EDIT_GROUPS
+ value: "system:authenticated"
 - name: VIEW_USERS
 value: ""
 - name: VIEW_GROUPS
- value: "system:authenticated"
+ value: ""
 - name: LIFETIME_IN_MINUTES
 value: "30"
 jenkinsfile: |-
diff --git a/vars/c3iaasRequestProjectJob.groovy b/vars/c3iaasRequestProjectJob.groovy
index e44a260..dcb6ea5 100644
--- a/vars/c3iaasRequestProjectJob.groovy
+++ b/vars/c3iaasRequestProjectJob.groovy
@@ -9,6 +9,8 @@ import java.time.temporal.ChronoUnit
 def call(Map args=[:]) {
 String[] projectAdminUsers = []
 String[] projectAdminGroups = []
+ String[] projectEditUsers = []
+ String[] projectEditGroups = []
 String[] projectViewUsers = []
 String[] projectViewGroups = []
 Instant projectExpirationInstant;
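Review bot: The new `EDIT_GROUPS` default of `system:authenticated` in the template hunk gives every authenticated cluster user the edit role in any project requested with the defaults, a much wider grant than the `view` default it replaces. As the description itself says, that includes reading secrets and opening a pod console, so any credential a job places in the project is readable by all users for the project's lifetime (the default `LIFETIME_IN_MINUTES` is `30`, but it looks overridable). Consider leaving `EDIT_GROUPS` at `value: ""` and keeping the broad group on `VIEW_GROUPS`, so requesters opt in to edit access per project. If the default stays, a comment above the entry such as `# NOTE: grants edit (secrets, pod console) to all authenticated users; override for projects that hold real credentials` would make the exposure explicit to whoever instantiates the template.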
@@ -77,6 +79,14 @@ def call(Map args=[:]) {
 validateUserNames(projectAdminGroups)
 echo "Project admin groups: $projectAdminGroups"
 
+ projectEditUsers = env.EDIT_USERS ? env.EDIT_USERS.split(',') : []
+ validateUserNames(projectEditUsers)
+ echo "Project edit users: $projectEditUsers"
+
+ projectEditGroups = env.EDIT_GROUPS ? env.EDIT_GROUPS.split(',') : []
+ validateUserNames(projectEditGroups)
+ echo "Project edit groups: $projectEditGroups"
+
 projectViewUsers = env.VIEW_USERS ? env.VIEW_USERS.split(',') : []
 validateUserNames(projectViewUsers)
 echo "Project view users: $projectViewUsers"
@@ -130,6 +140,7 @@ def call(Map args=[:]) {
 openshift.withCluster() {
 openshift.withProject(env.PROJECT_NAME) {
 assignRole('admin', projectAdminUsers, projectAdminGroups)
+ assignRole('edit', projectEditUsers, projectEditGroups)
 assignRole('view', projectViewUsers, projectViewGroups)
 }
 }
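Review bot: The added `EDIT_USERS` and `EDIT_GROUPS` parsing splits on `,` without trimming, so an input like `alice, bob` yields the entry ` bob` and `a,,b` yields an empty entry. `validateUserNames` is defined outside this hunk, so whether it rejects such values cannot be confirmed here. These names go on to receive write access through `assignRole('edit', …)` in the last hunk, so malformed entries should fail validation rather than be passed along. Splitting as `projectEditUsers = env.EDIT_USERS ? env.EDIT_USERS.trim().split(/\s*,\s*/) : []` (and the same for groups) would absorb stray whitespace. The block is also a third copy of the parse/validate/echo pattern used for admin and view, which a small helper would keep consistent across roles; `call` starts and ends outside these hunks.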