From ca49563c94af819f585e9e38c5e4e2799010f0de Mon Sep 17 00:00:00 2001
From: Chris Baker <1675087+cgbaker@users.noreply.github.com>
Date: Sun, 22 Mar 2020 14:21:51 +0000
Subject: [PATCH] added new ACL capabilities related to autoscaling:
- read-job-scaling
- scale-job
- list-scaling-policies
- read-scaling-policy
updated the read and right policy dispositions, added the new autoscaler disposition
---
 acl/policy.go | 62 +++++++++++++++++++++++++++++-----------------
 acl/policy_test.go | 23 +++++++++++++++++
 2 files changed, 62 insertions(+), 23 deletions(-)

diff --git a/acl/policy.go b/acl/policy.go
index cce0d9c47..887ee95a8 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -11,10 +11,11 @@ const (
 // The following levels are the only valid values for the `policy = "read"` stanza.
 // When policies are merged together, the most privilege is granted, except for deny
 // which always takes precedence and supercedes.
- PolicyDeny = "deny"
- PolicyRead = "read"
- PolicyList = "list"
- PolicyWrite = "write"
+ PolicyDeny = "deny"
+ PolicyRead = "read"
+ PolicyList = "list"
+ PolicyWrite = "write"
+ PolicyAutoscaler = "autoscaler"
 )

 const (
@@ -23,23 +24,26 @@ const (
 // combined we take the union of all capabilities. If the deny capability is present, it
 // takes precedence and overwrites all other capabilities.
- NamespaceCapabilityDeny = "deny"
- NamespaceCapabilityListJobs = "list-jobs"
- NamespaceCapabilityReadJob = "read-job"
- NamespaceCapabilityScaleJob = "scale-job"
- NamespaceCapabilitySubmitJob = "submit-job"
- NamespaceCapabilityDispatchJob = "dispatch-job"
- NamespaceCapabilityReadLogs = "read-logs"
- NamespaceCapabilityReadFS = "read-fs"
- NamespaceCapabilityAllocExec = "alloc-exec"
- NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
- NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
- NamespaceCapabilitySentinelOverride = "sentinel-override"
- NamespaceCapabilityCSIRegisterPlugin = "csi-register-plugin"
- NamespaceCapabilityCSIWriteVolume = "csi-write-volume"
- NamespaceCapabilityCSIReadVolume = "csi-read-volume"
- NamespaceCapabilityCSIListVolume = "csi-list-volume"
- NamespaceCapabilityCSIMountVolume = "csi-mount-volume"
+ NamespaceCapabilityDeny = "deny"
+ NamespaceCapabilityListJobs = "list-jobs"
+ NamespaceCapabilityReadJob = "read-job"
+ NamespaceCapabilitySubmitJob = "submit-job"
+ NamespaceCapabilityDispatchJob = "dispatch-job"
+ NamespaceCapabilityReadLogs = "read-logs"
+ NamespaceCapabilityReadFS = "read-fs"
+ NamespaceCapabilityAllocExec = "alloc-exec"
+ NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
+ NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
+ NamespaceCapabilitySentinelOverride = "sentinel-override"
+ NamespaceCapabilityCSIRegisterPlugin = "csi-register-plugin"
+ NamespaceCapabilityCSIWriteVolume = "csi-write-volume"
+ NamespaceCapabilityCSIReadVolume = "csi-read-volume"
+ NamespaceCapabilityCSIListVolume = "csi-list-volume"
+ NamespaceCapabilityCSIMountVolume = "csi-mount-volume"
+ NamespaceCapabilityListScalingPolicies = "list-scaling-policies"
+ NamespaceCapabilityReadScalingPolicy = "read-scaling-policy"
+ NamespaceCapabilityReadJobScaling = "read-job-scaling"
+ NamespaceCapabilityScaleJob = "scale-job"
 )

 var (
@@ -122,7 +126,7 @@ type PluginPolicy struct {
 // isPolicyValid makes sure the given string matches one of the valid policies.
 func isPolicyValid(policy string) bool {
 switch policy {
- case PolicyDeny, PolicyRead, PolicyWrite:
+ case PolicyDeny, PolicyRead, PolicyWrite, PolicyAutoscaler:
 return true
 default:
 return false
@@ -145,7 +149,8 @@ func isNamespaceCapabilityValid(cap string) bool {
 NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs, NamespaceCapabilityReadFS,
 NamespaceCapabilityAllocLifecycle, NamespaceCapabilityAllocExec, NamespaceCapabilityAllocNodeExec,
- NamespaceCapabilityCSIReadVolume, NamespaceCapabilityCSIWriteVolume, NamespaceCapabilityCSIListVolume, NamespaceCapabilityCSIMountVolume, NamespaceCapabilityCSIRegisterPlugin:
+ NamespaceCapabilityCSIReadVolume, NamespaceCapabilityCSIWriteVolume, NamespaceCapabilityCSIListVolume, NamespaceCapabilityCSIMountVolume, NamespaceCapabilityCSIRegisterPlugin,
+ NamespaceCapabilityListScalingPolicies, NamespaceCapabilityReadScalingPolicy, NamespaceCapabilityReadJobScaling, NamespaceCapabilityScaleJob:
 return true
 // Separate the enterprise-only capabilities
 case NamespaceCapabilitySentinelOverride:
@@ -163,9 +168,13 @@ func expandNamespacePolicy(policy string) []string {
 NamespaceCapabilityReadJob,
 NamespaceCapabilityCSIListVolume,
 NamespaceCapabilityCSIReadVolume,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
 }

 write := append(read, []string{
+ NamespaceCapabilityScaleJob,
 NamespaceCapabilitySubmitJob,
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
@@ -183,6 +192,13 @@ func expandNamespacePolicy(policy string) []string {
 return read
 case PolicyWrite:
 return write
+ case PolicyAutoscaler:
+ return []string{
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityScaleJob,
+ }
 default:
 return nil
diff --git a/acl/policy_test.go b/acl/policy_test.go
index d8d21ac81..aff25356f 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -32,6 +32,9 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityReadJob,
 NamespaceCapabilityCSIListVolume,
 NamespaceCapabilityCSIReadVolume,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
 },
 },
 },
@@ -48,6 +51,9 @@ func TestParse(t *testing.T) {
 namespace "secret" {
 capabilities = ["deny", "read-logs"]
 }
+ namespace "autoscaler" {
+ policy = "autoscaler"
+ }
 agent {
 policy = "read"
 }
@@ -75,6 +81,9 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityReadJob,
 NamespaceCapabilityCSIListVolume,
 NamespaceCapabilityCSIReadVolume,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
 },
 },
 {
@@ -85,6 +94,10 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityReadJob,
 NamespaceCapabilityCSIListVolume,
 NamespaceCapabilityCSIReadVolume,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
+ NamespaceCapabilityScaleJob,
 NamespaceCapabilitySubmitJob,
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
@@ -102,6 +115,16 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityReadLogs,
 },
 },
+ {
+ Name: "autoscaler",
+ Policy: PolicyAutoscaler,
+ Capabilities: []string{
+ NamespaceCapabilityListScalingPolicies,
+ NamespaceCapabilityReadScalingPolicy,
+ NamespaceCapabilityReadJobScaling,
+ NamespaceCapabilityScaleJob,
+ },
+ },
 },
 Agent: &AgentPolicy{
 Policy: PolicyRead,
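Review bot: The new `PolicyAutoscaler` case orders the scaling capabilities as ListScalingPolicies, ReadScalingPolicy, ReadJobScaling, ScaleJob, while the `read` list in the previous hunk uses ReadJobScaling, ListScalingPolicies, ReadScalingPolicy; TestParse appears to compare the expanded `Capabilities` slices positionally, so the policy_test.go hunks now pin both orders. Using one order in both places, e.g. `NamespaceCapabilityReadJobScaling, NamespaceCapabilityListScalingPolicies, NamespaceCapabilityReadScalingPolicy, NamespaceCapabilityScaleJob` here, keeps the expectations less brittle when the lists are touched again. The enclosing switch and function close outside the hunk.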