From 74c05696acea8b833d6f4a55c57f407ff5327fb3 Mon Sep 17 00:00:00 2001
From: "jiaxuyang.i__dcar"
Date: Mon, 3 Jun 2024 11:39:32 +0800
Subject: [PATCH] feat: change permission or DescribeCluster to Read

Signed-off-by: jiaxuyang.i__dcar
---
 service/frontend/templates/accesscontrolled.tmpl | 7 +++++++
 .../frontend/wrappers/accesscontrolled/admin_generated.go | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/service/frontend/templates/accesscontrolled.tmpl b/service/frontend/templates/accesscontrolled.tmpl
index 6b72aa566aa..40e7966cfd9 100644
--- a/service/frontend/templates/accesscontrolled.tmpl
+++ b/service/frontend/templates/accesscontrolled.tmpl
@@ -42,6 +42,9 @@ import (
 {{$permissionMap = set $permissionMap "RefreshWorkflowTasks" "PermissionWrite"}}
 {{$permissionMap = set $permissionMap "UpdateDomain" "PermissionAdmin"}}
 
+{{$adminPermissionMap := dict }}
+{{$adminPermissionMap = set $adminPermissionMap "DescribeCluster" "PermissionRead"}}
+
 {{$nonDomainAuthAPIs := list "RegisterDomain" "DescribeDomain" "UpdateDomain" "DeprecateDomain" "ListDomains" "GetSearchAttributes" "GetClusterInfo" "RecordActivityTaskHeartbeat" "RespondActivityTaskCanceled" "RespondActivityTaskCompleted" "RespondActivityTaskFailed" "RespondDecisionTaskCompleted" "RespondDecisionTaskFailed" "RespondQueryTaskCompleted"}}
 {{$taskListAuthAPIs := list "PollForActivityTask" "PollForDecisionTask"}}
 {{$workflowTypeAuthAPIs := list "SignalWithStartWorkflowExecution" "StartWorkflowExecution"}}
@@ -92,7 +95,11 @@ func (a *{{$decorator}}) {{$method.Declaration}} {
 attr := &authorization.Attributes{
 APIName: "{{$method.Name}}",
 {{- if eq $interfaceType "admin.Handler"}}
+ {{- if hasKey $adminPermissionMap $method.Name}}
+ Permission: authorization.{{get $adminPermissionMap $method.Name}},
+ {{- else}}
 Permission: authorization.PermissionAdmin,
+ {{- end}}
 {{- else if hasKey $permissionMap $method.Name}}
 Permission: authorization.{{get $permissionMap $method.Name}},
 {{- end}}
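Review bot: `$adminPermissionMap` is introduced without a comment, although it is the one place where an admin API can be taken off the `PermissionAdmin` default. I would put a template comment above it, for example `{{/* Admin APIs default to PermissionAdmin; every entry here is a deliberate downgrade and needs a stated reason. */}}`, and record next to the `DescribeCluster` entry why Read is sufficient for it. Because the second hunk falls back to `PermissionAdmin` when `hasKey` misses, a misspelled method name in this map fails closed; saying so in the comment helps the next editor keep that property.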
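Review bot: The new `hasKey $adminPermissionMap` branch emits a Read check for an admin API whose attributes, as the regenerated `DescribeCluster` wrapper in this commit shows, carry only `APIName` and `Permission`, with no domain or other resource. What `PermissionRead` means without a scope depends on the configured authorizer, which is not visible here: it may admit every authenticated caller, or a domain-scoped authorizer may reject the call outright. A test in the accesscontrolled wrapper package that pins the attributes passed to the authorizer for `DescribeCluster` would make the downgrade explicit. It is also worth checking that `types.DescribeClusterResponse` exposes nothing that should stay admin-only (presumably membership or persistence details; confirm against the type). The templated method body continues outside the hunk.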
diff --git a/service/frontend/wrappers/accesscontrolled/admin_generated.go b/service/frontend/wrappers/accesscontrolled/admin_generated.go index fb2bb1553d7..ca3fe36f21f 100644 --- a/service/frontend/wrappers/accesscontrolled/admin_generated.go +++ b/service/frontend/wrappers/accesscontrolled/admin_generated.go @@ -127,7 +127,7 @@ func (a *adminHandler) DeleteWorkflow(ctx context.Context, ap1 *types.AdminDelet func (a *adminHandler) DescribeCluster(ctx context.Context) (dp1 *types.DescribeClusterResponse, err error) { attr := &authorization.Attributes{ APIName: "DescribeCluster", - Permission: authorization.PermissionAdmin, + Permission: authorization.PermissionRead, } isAuthorized, err := a.isAuthorized(ctx, attr) if err != nil {