Delete builtin_roles

common/src/api/external/mod.rs

@@ -497,72 +497,6 @@ fn name_schema(
     .into()
 }
 
-/// Name for a built-in role
-#[derive(
-    Clone,
-    Debug,
-    DeserializeFromStr,
-    Display,
-    Eq,
-    FromStr,
-    Ord,
-    PartialEq,
-    PartialOrd,
-    SerializeDisplay,
-)]
-#[display("{resource_type}.{role_name}")]
-pub struct RoleName {
-    // "resource_type" is generally the String value of one of the
-    // `ResourceType` variants.  We could store the parsed `ResourceType`
-    // instead, but it's useful to be able to represent RoleNames for resource
-    // types that we don't know about.  That could happen if we happen to find
-    // them in the database, for example.
-    #[from_str(regex = "[a-z-]+")]
-    resource_type: String,
-    #[from_str(regex = "[a-z-]+")]
-    role_name: String,
-}
-
-impl RoleName {
-    pub fn new(resource_type: &str, role_name: &str) -> RoleName {
-        RoleName {
-            resource_type: String::from(resource_type),
-            role_name: String::from(role_name),
-        }
-    }
-}
-
-/// Custom JsonSchema implementation to encode the constraints on RoleName
-impl JsonSchema for RoleName {
-    fn schema_name() -> String {
-        "RoleName".to_string()
-    }
-    fn json_schema(
-        _: &mut schemars::gen::SchemaGenerator,
-    ) -> schemars::schema::Schema {
-        schemars::schema::Schema::Object(schemars::schema::SchemaObject {
-            metadata: Some(Box::new(schemars::schema::Metadata {
-                title: Some("A name for a built-in role".to_string()),
-                description: Some(
-                    "Role names consist of two string components \
-                     separated by dot (\".\")."
-                        .to_string(),
-                ),
-                ..Default::default()
-            })),
-            instance_type: Some(schemars::schema::SingleOrVec::Single(
-                Box::new(schemars::schema::InstanceType::String),
-            )),
-            string: Some(Box::new(schemars::schema::StringValidation {
-                max_length: Some(63),
-                min_length: None,
-                pattern: Some("[a-z-]+\\.[a-z-]+".to_string()),
-            })),
-            ..Default::default()
-        })
-    }
-}
-
 /// Byte count to express memory or storage capacity.
 //
 // The maximum supported byte count is [`i64::MAX`].  This makes it somewhat
@@ -3595,8 +3529,8 @@ mod test {
     use super::VpcFirewallRuleHostFilter;
     use super::VpcFirewallRuleTarget;
     use super::{
-        ByteCount, Digest, L4Port, L4PortRange, Name, RoleName,
-        VpcFirewallRuleAction, VpcFirewallRuleDirection, VpcFirewallRuleFilter,
+        ByteCount, Digest, L4Port, L4PortRange, Name, VpcFirewallRuleAction,
+        VpcFirewallRuleDirection, VpcFirewallRuleFilter,
         VpcFirewallRulePriority, VpcFirewallRuleProtocol,
         VpcFirewallRuleStatus, VpcFirewallRuleUpdate,
         VpcFirewallRuleUpdateParams,
@@ -3679,54 +3613,6 @@ mod test {
         }
     }
 
-    #[test]
-    fn test_role_name_parse() {
-        // Error cases
-        let bad_inputs = vec![
-            // empty string is always worth testing
-            "",
-            // missing dot
-            "project",
-            // extra dot (or, illegal character in the second component)
-            "project.admin.super",
-            // missing resource type (or, another bogus resource type)
-            ".admin",
-            // missing role name
-            "project.",
-            // illegal characters in role name
-            "project.not_good",
-        ];
-
-        for input in bad_inputs {
-            eprintln!("check name {:?} (expecting error)", input);
-            let result =
-                input.parse::<RoleName>().expect_err("unexpectedly succeeded");
-            eprintln!("(expected) error: {:?}", result);
-        }
-
-        eprintln!("check name \"project.admin\" (expecting success)");
-        let role_name =
-            "project.admin".parse::<RoleName>().expect("failed to parse");
-        assert_eq!(role_name.to_string(), "project.admin");
-        assert_eq!(role_name.resource_type, "project");
-        assert_eq!(role_name.role_name, "admin");
-
-        eprintln!("check name \"barf.admin\" (expecting success)");
-        let role_name =
-            "barf.admin".parse::<RoleName>().expect("failed to parse");
-        assert_eq!(role_name.to_string(), "barf.admin");
-        assert_eq!(role_name.resource_type, "barf");
-        assert_eq!(role_name.role_name, "admin");
-
-        eprintln!("check name \"organization.super-user\" (expecting success)");
-        let role_name = "organization.super-user"
-            .parse::<RoleName>()
-            .expect("failed to parse");
-        assert_eq!(role_name.to_string(), "organization.super-user");
-        assert_eq!(role_name.resource_type, "organization");
-        assert_eq!(role_name.role_name, "super-user");
-    }
-
     #[test]
     fn test_resource_name_parse() {
         let bad_inputs = vec![

nexus/auth/src/authz/api_resources.rs

@@ -960,14 +960,6 @@ authz_resource! {
     polar_snippet = FleetChild,
 }
 
-authz_resource! {
-    name = "RoleBuiltin",
-    parent = "Fleet",
-    primary_key = (String, String),
-    roles_allowed = false,
-    polar_snippet = FleetChild,
-}
-
 authz_resource! {
     name = "UserBuiltin",
     parent = "Fleet",

nexus/auth/src/authz/mod.rs

@@ -67,9 +67,8 @@
 //!
 //! ## Role lookup
 //!
-//! Users, roles, and API resources are all stored in the database.  Naturally,
-//! so is the relationship that says a particular user has a particular role for
-//! a particular resource.
+//! Users and API resources are stored in the database, as is the relationship
+//! that says a particular user has a particular role for a particular resource.
 //!
 //! Suppose a built-in user "cookie-monster" has the "viewer" role for a Project
 //! "monster-foodies".  It looks like this:
@@ -91,26 +90,16 @@
 //! |   |    |
 //! |   |    +---------------------------------------------------------------+
 //! |   |                                                                    |
-//! |   | table: "role_builtin"                                              |
-//! |   | primary key: (resource_type, role_name)                            |
-//! |   | +---------------+-----------+-----+                                |
-//! |   | | resource_type | role_name | ... |                                |
-//! |   | +---------------+-----------+-----+                                |
-//! +---|-> "project "    | "viewer"  | ... |                                |
-//! |   | +---------------+--^--------+-----+                                |
-//! |   |                    |                                               |
-//! | +-|--------------------+                                               |
-//! | | |                                                                    |
-//! | | | table: "role_assignment"                                           |
-//! | | | (assigns built-in roles to users on arbitrary resources)           |
-//! | | | +---------------+-----------+-------------+-------------+---+      |
-//! | | | | resource_type | role_name | resource_id | identity_id |...|      |
-//! | | | +---------------+-----------+-------------+-------------+---+      |
-//! | | | | "project "    | "viewer"  |         123 |         234 |...|      |
-//! | | | +--^------------+--^--------+----------^--+-----------^-+---+      |
-//! | | |    |               |                   |              |            |
-//! +-|-|----+               |                   |              +------------+
-//!   +-|--------------------+                   |
+//! |   | table: "role_assignment"                                           |
+//! |   | (assigns roles to users on arbitrary resources)                    |
+//! |   | +---------------+-----------+-------------+-------------+---+      |
+//! |   | | resource_type | role_name | resource_id | identity_id |...|      |
+//! |   | +---------------+-----------+-------------+-------------+---+      |
+//! |   | | "project "    | "viewer"  |         123 |         234 |...|      |
+//! |   | +--^------------+--^--------+----------^--+-----------^-+---+      |
+//! |   |    |                                   |              |            |
+//! +---|----+                                   |              +------------+
+//!     |                                        |
 //!     +----------------------------------------+
 //! ```
 //!

nexus/auth/src/authz/oso_generic.rs

@@ -153,7 +153,6 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         DeviceAccessToken::init(),
         PhysicalDisk::init(),
         Rack::init(),
-        RoleBuiltin::init(),
         SshKey::init(),
         Silo::init(),
         SiloUser::init(),

nexus/db-fixed-data/src/lib.rs

@@ -39,7 +39,6 @@ use std::sync::LazyLock;
 pub mod allow_list;
 pub mod project;
 pub mod role_assignment;
-pub mod role_builtin;
 pub mod silo;
 pub mod silo_user;
 pub mod user_builtin;

nexus/db-fixed-data/src/role_assignment.rs

@@ -4,10 +4,10 @@
 //! Built-in assignments for built-in users and built-in roles
 
 use super::FLEET_ID;
-use super::role_builtin;
 use super::user_builtin;
 use nexus_db_model::IdentityType;
 use nexus_db_model::RoleAssignment;
+use omicron_common::api::external::ResourceType;
 use std::sync::LazyLock;
 
 pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
@@ -20,9 +20,9 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_INTERNAL_API.id,
-                role_builtin::FLEET_ADMIN.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_ADMIN.role_name,
+                "admin",
             ),
             // The "USER_SERVICE_BALANCER" user gets the "admin" role on the
             // Fleet.
@@ -33,9 +33,9 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_SERVICE_BALANCER.id,
-                role_builtin::FLEET_ADMIN.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_ADMIN.role_name,
+                "admin",
             ),
             // The "internal-read" user gets the "viewer" role on the sole
             // Fleet.  This will grant them the ability to read various control
@@ -44,19 +44,19 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_INTERNAL_READ.id,
-                role_builtin::FLEET_VIEWER.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_VIEWER.role_name,
+                "viewer",
             ),
-            // The "external-authenticator" user gets the "authenticator" role
-            // on the sole fleet.  This grants them the ability to create
-            // sessions.
+            // The "external-authenticator" user gets the
+            // "external-authenticator" role on the sole fleet.  This grants
+            // them the ability to create sessions.
             RoleAssignment::new(
                 IdentityType::UserBuiltin,
                 user_builtin::USER_EXTERNAL_AUTHN.id,
-                role_builtin::FLEET_AUTHENTICATOR.resource_type,
+                ResourceType::Fleet,
                 *FLEET_ID,
-                role_builtin::FLEET_AUTHENTICATOR.role_name,
+                "external-authenticator",
             ),
         ]
     });