
UI Support for New Global Roles Fields #9728

@MbolotSuse

Is your feature request related to a problem? Please describe.

The backend is adding support for 4 new fields on global role objects:

  • InheritedClusterRoles: The names of RoleTemplates whose permissions are granted by this GlobalRole in every cluster besides the local cluster.
    • RC - Key Points
      • array of strings
      • Roles apply to ALL downstream clusters, present and future. Does NOT apply to local cluster
      • Role may only exist in downstream cluster, UI cannot show pre-populated list of existing cluster roles
      • This seems to be a way to avoid manually assigning users/groups a cluster role every time a new cluster is created
  • NamespacedRules: A map of the namespaces to the rules that this GlobalRole provides in that namespace.
    • RC - Key Points
      • map of namespace name to array of Grants (resources + verbs)
      • DOES apply to local cluster. Does NOT apply to downstream.
      • This seems to be a way to allow limited access to the local cluster
  • Status: The status of the backing RBAC for this GlobalRole.
    • RC - Key Points
      • Think this contains the status of all the native rbac resources used to support this global role
  • InheritedFleetWorkspacePermissions: Allows granting access to all fleet workspaces except fleet-local.
    • RC - Key Points
      • two properties
        • ResourceRules - array of grants. Applies to ALL workspaces EXCEPT local. Allows user with this role to use fleet to manage resources in all clusters in all workspaces EXCEPT those in local local(?)
        • WorkspaceVerbs - array of verbs. verb permissions on the workspace resource itself cover every workspace EXCEPT local
      • Used in the Restricted Admin replacement global role i.e this seems to be admin level like permissions in Fleet... excluding local workspace and local cluster

While the UI does not need to support these fields immediately, eventually it should include support for users to edit the first two fields, and view the second (whatever form that ends up taking).

Note: Backend support for these values is currently a work in progress. This issue exists mostly for tracking purposes at the moment, and will be updated once the backend has fully implemented the above fields.

Describe the solution you'd like
The UI should allow users to add/remove the names of existing role templates to the InheritedClusterRoles field.
The UI should allow users to add/remove rules (using the same format/UI currently used for the Rules field) specific to namespaces using the NamespacedRules field.
The UI should read the Status field, and change the display of a global role in some way to indicate the status of a GlobalRole.

Describe alternatives you've considered
N/A

Additional context
Backend Issues:
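
Added example, not part of the original issue and not Rancher UI code: a sketch of how a client could turn the new fields into a per-scope summary of where a GlobalRole grants access, following the scoping described in the field list above. The function name, the camelCase JSON field names, the Kubernetes-style rule shape (`resources`, `verbs`) and the sample role are assumptions.

```javascript
// Hypothetical helper: flattens the new GlobalRole fields into a list of
// { scope, target, via } grants so a reviewer can see where access lands.
function describeRule(rule) {
  const verbs = (rule.verbs ?? []).join(',');
  const resources = (rule.resources ?? []).join(',');
  return `${verbs} on ${resources}`;
}

function summarizeGlobalRoleScope(role) {
  const grants = [];

  // inheritedClusterRoles: RoleTemplate names, applied in every downstream
  // cluster (present and future), never in the local cluster.
  const inherited = role.inheritedClusterRoles ?? [];
  if (!Array.isArray(inherited) || inherited.some((n) => typeof n !== 'string' || n === '')) {
    throw new TypeError('inheritedClusterRoles must be an array of non-empty strings');
  }
  for (const name of inherited) {
    grants.push({ scope: 'downstream-clusters', target: '*', via: `RoleTemplate/${name}` });
  }

  // namespacedRules: namespace name -> array of rules, local cluster only.
  for (const [ns, rules] of Object.entries(role.namespacedRules ?? {})) {
    if (!Array.isArray(rules)) {
      throw new TypeError(`namespacedRules["${ns}"] must be an array of rules`);
    }
    for (const rule of rules) {
      grants.push({ scope: 'local-cluster', target: ns, via: describeRule(rule) });
    }
  }

  // inheritedFleetWorkspacePermissions: every workspace except fleet-local.
  const fleet = role.inheritedFleetWorkspacePermissions ?? {};
  const fleetScope = 'fleet-workspaces-except-fleet-local';
  for (const rule of fleet.resourceRules ?? []) {
    grants.push({ scope: fleetScope, target: 'resources', via: describeRule(rule) });
  }
  if ((fleet.workspaceVerbs ?? []).length > 0) {
    grants.push({ scope: fleetScope, target: 'workspace', via: fleet.workspaceVerbs.join(',') });
  }
  return grants;
}

// Constructed sample input; every name and rule here is made up.
const sampleRole = {
  inheritedClusterRoles: ['example-role-template'],
  namespacedRules: { 'example-ns': [{ resources: ['configmaps'], verbs: ['get', 'list'] }] },
  inheritedFleetWorkspacePermissions: {
    resourceRules: [{ resources: ['gitrepos'], verbs: ['get'] }],
    workspaceVerbs: ['get', 'list'],
  },
};
```
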
