Auth enhancements

salt/soc/files/kratos/schema.json

@@ -31,10 +31,6 @@
           "type": "string",
           "title": "Last Name"
         },
-        "role": {
-          "type": "string",
-          "title": "Role"
-        },
         "status": {
           "type": "string",
           "title": "Status"

salt/soc/files/soc/custom_roles

@@ -0,0 +1,20 @@
+# Define custom business role mappings, or remove mappings that come with 
+# the default SOC deployment.
+#
+# IMPORTANT: This file should be copied from the salt/default tree into
+#            the salt/local tree (preserving the same directory structure).
+#            Failure to do this will result in the customizations being
+#            overwritten on future upgrades.
+#
+# Syntax      => prebuiltRoleX: customRoleY: op
+# Explanation => roleY and roleZ are adjusted permissions of roleX, op is:
+#                + add the new permissions/role mappings (default)
+#                - remove existing prebuilt permissions
+#
+# In the example below, we will define a new role for junior analysts,
+# that is nearly identical to the analyst role that comes with SOC, with the
+# exception that it removes their ability to obtain details about other 
+# analysts in the system.
+#
+# analyst:        jr_analyst
+# user-monitor:   jr_analyst:-

salt/soc/files/soc/soc.json

@@ -85,6 +85,14 @@
       "statickeyauth": {
         "anonymousCidr": "{{ DNET }}/24",
         "apiKey": "{{ SENSORONIKEY }}"
+      },
+      "staticrbac": {
+        "roleFiles": [ 
+          "rbac/permissions", 
+          "rbac/roles", 
+          "rbac/users_roles",
+          "rbac/custom_roles"
+        ]
       }
     },
     "client": {

salt/soc/init.sls

@@ -62,6 +62,15 @@ soccustom:
     - mode: 600
     - template: jinja
 
+soccustomroles:
+  file.managed:
+    - name: /opt/so/conf/soc/custom_roles
+    - source: salt://soc/files/soc/custom_roles
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
 # we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
 # is in the minion config. That line is added before the final highstate during setup
 sosyncusers:
@@ -81,6 +90,8 @@ so-soc:
       - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
       - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
       - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
+      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
+      - /opt/so/conf/elasticsearch/users_roles:/opt/sensoroni/rbac/users_roles:ro
       - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
     {%- if salt['pillar.get']('nodestab', {}) %}
     - extra_hosts: