RBAC to ACL (#5338)

api/swagger.yml

@@ -71,6 +71,13 @@ components:
         type: string
 
   responses:
+    NotFoundOrNoACL:
+      description: Group not found, or group found but has no ACL
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/ErrorNoACL"
+
     Unauthorized:
       description: Unauthorized
       content:
@@ -661,6 +668,18 @@ components:
           items:
             $ref: "#/components/schemas/ObjectError"
 
+    ErrorNoACL:
+      type: object
+      required:
+        - message
+      properties:
+        message:
+          description: short message explaining the error
+          type: string
+        no_acl:
+          description: "true if the group exists but has no ACL"
+          type: boolean
+
     User:
       type: object
       required:
@@ -991,6 +1010,28 @@ components:
           items:
             $ref: "#/components/schemas/Policy"
 
+    ACL:
+      type: object
+      required:
+        - permission
+      properties:
+        permission:
+          type: string
+          description: |
+            Permission level to give this ACL.  "Read", "Write", "Super" and
+            "Admin" are all supported.
+        all_repositories:
+          type: boolean
+          description: |
+            If true, this ACL applies to all repositories, including those
+            added in future.  Permission "Admin" allows changing ACLs, so
+            this is necessarily true for that permission.
+        repositories:
+          type: array
+          items:
+            type: string
+          description: Apply this ACL only to these repositories.
+
     StorageConfig:
       type: object
       required:
@@ -2179,6 +2220,54 @@ paths:
         default:
           $ref: "#/components/responses/ServerError"
 
+  /auth/groups/{groupId}/acl:
+    parameters:
+      - in: path
+        name: groupId
+        required: true
+        schema:
+          type: string
+
+    post:
+      tags:
+        - auth
+      operationId: setGroupACL
+      summary: set ACL of group
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ACL"
+      responses:
+        201:
+          description: ACL successfully changed
+        401:
+          $ref: "#/components/responses/Unauthorized"
+        404:
+          $ref: "#/components/responses/NotFound"
+        default:
+          $ref: "#/components/responses/ServerError"
+
+    get:
+      tags:
+        - auth
+      operationId: getGroupACL
+      summary: get ACL of group
+      responses:
+        200:
+          description: ACL of group
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ACL"
+        401:
+          $ref: "#/components/responses/Unauthorized"
+        404:
+          $ref: "#/components/responses/NotFoundOrNoACL"
+        default:
+          $ref: "#/components/responses/ServerError"
+
   /repositories:
     get:
       tags: