Add CreateDefaultRole and CreateAdminRole options

Makefile

@@ -155,6 +155,12 @@ protobuild:
 	@protoc-go-inject-tag -input=./internal/oplog/oplog_test/oplog_test.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/group_member.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_org_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global_individual_project_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_org_individual_grant_scope.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_global.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_org.pb.go
+	@protoc-go-inject-tag -input=./internal/iam/store/role_project.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/principal_role.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_grant.pb.go
 	@protoc-go-inject-tag -input=./internal/iam/store/role_grant_scope.pb.go

globals/globals.go

@@ -18,6 +18,7 @@ const (
 	GrantScopeThis        = "this"
 	GrantScopeChildren    = "children"
 	GrantScopeDescendants = "descendants"
+	GrantScopeIndividual  = "individual"
 
 	// CorrelationIdKey defines the http header and grpc metadata key used for specifying a
 	// correlation id. When getting the correlationId (from the http header or grpc metadata)

internal/api/genapi/input.go

@@ -228,6 +228,18 @@ var inputStructs = []*structInfo{
 				FieldType: "bool",
 				Query:     true,
 			},
+			{
+				Name:      "CreateAdminRole",
+				ProtoName: "create_admin_role",
+				FieldType: "bool",
+				Query:     false,
+			},
+			{
+				Name:      "CreateDefaultRole",
+				ProtoName: "create_default_role",
+				FieldType: "bool",
+				Query:     false,
+			},
 		},
 		versionEnabled:      true,
 		createResponseTypes: []string{CreateResponseType, ReadResponseType, UpdateResponseType, DeleteResponseType, ListResponseType},

internal/cmd/base/dev.go

@@ -160,10 +160,7 @@ func (b *Server) CreateDevDatabase(ctx context.Context, opt ...Option) error {
 		return nil
 	}
 
-	if _, _, err := b.CreateInitialScopes(ctx, WithIamOptions(
-		iam.WithSkipAdminRoleCreation(true),
-		iam.WithSkipDefaultRoleCreation(true),
-	)); err != nil {
+	if _, _, err := b.CreateInitialScopes(ctx); err != nil {
 		return err
 	}
 

internal/cmd/commands/database/init.go

@@ -11,7 +11,9 @@ import (
 	"github.com/hashicorp/boundary/internal/cmd/base"
 	"github.com/hashicorp/boundary/internal/cmd/config"
 	"github.com/hashicorp/boundary/internal/errors"
+	"github.com/hashicorp/boundary/internal/iam"
 	"github.com/hashicorp/boundary/internal/types/scope"
+	"github.com/hashicorp/boundary/version"
 	"github.com/hashicorp/go-secure-stdlib/mlock"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/mitchellh/cli"
@@ -44,6 +46,8 @@ type InitCommand struct {
 	flagMigrationUrl                             string
 	flagSkipInitialLoginRoleCreation             bool
 	flagSkipInitialAuthenticatedUserRoleCreation bool
+	flagCreateInitialLoginRole                   bool
+	flagCreateInitialAuthenticatedUserRole       bool
 	flagSkipAuthMethodCreation                   bool
 	flagSkipScopesCreation                       bool
 	flagSkipHostResourcesCreation                bool
@@ -395,7 +399,14 @@ func (c *InitCommand) Run(args []string) (retCode int) {
 		return base.CommandSuccess
 	}
 
-	orgScope, projScope, err := c.CreateInitialScopes(c.Context)
+	iamOpts := []iam.Option{}
+	if version.SupportsFeature(version.Binary, version.CreateDefaultAndAdminRoles) {
+		iamOpts = []iam.Option{
+			iam.WithCreateAdminRole(c.flagCreateInitialAuthenticatedUserRole),
+			iam.WithCreateDefaultRole(c.flagCreateInitialLoginRole),
+		}
+	}
+	orgScope, projScope, err := c.CreateInitialScopes(c.Context, base.WithIamOptions(iamOpts...))
 	if err != nil {
 		c.UI.Error(fmt.Errorf("Error creating initial scopes: %w", err).Error())
 		return base.CommandCliError

internal/cmd/commands/scopescmd/funcs.go

@@ -11,12 +11,15 @@ import (
 	"github.com/hashicorp/boundary/api"
 	"github.com/hashicorp/boundary/api/scopes"
 	"github.com/hashicorp/boundary/internal/cmd/base"
+	"github.com/hashicorp/boundary/version"
 )
 
 const (
 	flagPrimaryAuthMethodIdName     = "primary-auth-method-id"
 	flagSkipAdminRoleCreationName   = "skip-admin-role-creation"
 	flagSkipDefaultRoleCreationName = "skip-default-role-creation"
+	flagCreateAdminRoleName         = "create-admin-role"
+	flagCreateDefaultRoleName       = "create-default-role"
 	flagStoragePolicyIdName         = "storage-policy-id"
 )
 
@@ -28,17 +31,25 @@ func init() {
 }
 
 func extraActionsFlagsMapFuncImpl() map[string][]string {
-	return map[string][]string{
-		"create":                {flagSkipAdminRoleCreationName, flagSkipDefaultRoleCreationName},
+	extraActionsFlagsMap := map[string][]string{
 		"update":                {flagPrimaryAuthMethodIdName},
 		"attach-storage-policy": {"id", "version", flagStoragePolicyIdName},
 		"detach-storage-policy": {"id", "version"},
 	}
+	if version.SupportsFeature(version.Binary, version.CreateDefaultAndAdminRoles) {
+		extraActionsFlagsMap["create"] = append(extraActionsFlagsMap["create"], flagCreateAdminRoleName, flagCreateDefaultRoleName)
+	}
+	if version.SupportsFeature(version.Binary, version.SkipDefaultAndAdminRoleCreation) {
+		extraActionsFlagsMap["create"] = append(extraActionsFlagsMap["create"], flagSkipAdminRoleCreationName, flagSkipDefaultRoleCreationName)
+	}
+	return extraActionsFlagsMap
 }
 
 type extraCmdVars struct {
 	flagSkipAdminRoleCreation   bool
 	flagSkipDefaultRoleCreation bool
+	flagCreateAdminRole         bool
+	flagCreateDefaultRole       bool
 	flagPrimaryAuthMethodId     string
 	flagStoragePolicyId         string
 }
@@ -50,13 +61,13 @@ func extraFlagsFuncImpl(c *Command, set *base.FlagSets, f *base.FlagSet) {
 			f.BoolVar(&base.BoolVar{
 				Name:   flagSkipAdminRoleCreationName,
 				Target: &c.flagSkipAdminRoleCreation,
-				Usage:  "If set, a role granting the current user access to administer the newly-created scope will not automatically be created",
+				Usage:  "Deprecated: If set, a role granting the current user access to administer the newly-created scope will not automatically be created",
 			})
 		case flagSkipDefaultRoleCreationName:
 			f.BoolVar(&base.BoolVar{
 				Name:   flagSkipDefaultRoleCreationName,
 				Target: &c.flagSkipDefaultRoleCreation,
-				Usage:  "If set, a role granting the anonymous user access to log into auth methods and a few other actions within the newly-created scope will not automatically be created",
+				Usage:  "Deprecated: If set, a role granting the anonymous user access to log into auth methods and a few other actions within the newly-created scope will not automatically be created",
 			})
 		case flagPrimaryAuthMethodIdName:
 			f.StringVar(&base.StringVar{
@@ -70,6 +81,18 @@ func extraFlagsFuncImpl(c *Command, set *base.FlagSets, f *base.FlagSet) {
 				Target: &c.flagStoragePolicyId,
 				Usage:  "The public ID of the Storage Policy to attach to this scope. Can only attach to the global scope and an Org scope.",
 			})
+		case flagCreateAdminRoleName:
+			f.BoolVar(&base.BoolVar{
+				Name:   flagCreateAdminRoleName,
+				Target: &c.flagCreateAdminRole,
+				Usage:  "If set, a role granting the current user access to administer the newly-created scope will automatically be created",
+			})
+		case flagCreateDefaultRoleName:
+			f.BoolVar(&base.BoolVar{
+				Name:   flagCreateDefaultRoleName,
+				Target: &c.flagCreateDefaultRole,
+				Usage:  "If set, a role granting the anonymous user access to log into auth methods and a few other actions within the newly-created scope will automatically be created",
+			})
 		}
 	}
 }
@@ -84,12 +107,38 @@ func extraFlagsHandlingFuncImpl(c *Command, _ *base.FlagSets, opts *[]scopes.Opt
 		}
 	}
 
-	if c.flagSkipAdminRoleCreation {
-		*opts = append(*opts, scopes.WithSkipAdminRoleCreation(c.flagSkipAdminRoleCreation))
+	if version.SupportsFeature(version.Binary, version.CreateDefaultAndAdminRoles) {
+		if c.flagCreateAdminRole && c.flagSkipAdminRoleCreation {
+			c.UI.Error("Cannot set both --create-admin-role and --skip-admin-role-creation to true")
+		}
+		if c.flagCreateDefaultRole && c.flagSkipDefaultRoleCreation {
+			c.UI.Error("Cannot set both --create-default-role and --skip-default-role-creation to true")
+		}
+		if !c.flagCreateAdminRole && !c.flagSkipAdminRoleCreation {
+			c.UI.Output("Warning: --skip-admin-role-creation is deprecated and will be removed in a future version. Use --create-admin-role instead.")
+			*opts = append(*opts, scopes.WithSkipAdminRoleCreation(!c.flagSkipAdminRoleCreation))
+		}
+		if !c.flagCreateDefaultRole && !c.flagSkipDefaultRoleCreation {
+			c.UI.Output("Warning: --skip-default-role-creation is deprecated and will be removed in a future version. Use --create-default-role instead.")
+			*opts = append(*opts, scopes.WithSkipDefaultRoleCreation(!c.flagSkipDefaultRoleCreation))
+		}
+		if c.flagCreateAdminRole {
+			*opts = append(*opts, scopes.WithCreateAdminRole(c.flagCreateAdminRole))
+		}
+		if c.flagCreateDefaultRole {
+			*opts = append(*opts, scopes.WithCreateDefaultRole(c.flagCreateDefaultRole))
+		}
 	}
-	if c.flagSkipDefaultRoleCreation {
-		*opts = append(*opts, scopes.WithSkipDefaultRoleCreation(c.flagSkipDefaultRoleCreation))
+
+	if version.SupportsFeature(version.Binary, version.SkipDefaultAndAdminRoleCreation) {
+		if c.flagSkipAdminRoleCreation {
+			*opts = append(*opts, scopes.WithSkipAdminRoleCreation(c.flagSkipAdminRoleCreation))
+		}
+		if c.flagSkipDefaultRoleCreation {
+			*opts = append(*opts, scopes.WithSkipDefaultRoleCreation(c.flagSkipDefaultRoleCreation))
+		}
 	}
+
 	if c.flagPrimaryAuthMethodId != "" {
 		*opts = append(*opts, scopes.WithPrimaryAuthMethodId(c.flagPrimaryAuthMethodId))
 	}

internal/daemon/controller/handlers/roles/role_service_test.go

@@ -220,7 +220,7 @@ func TestList(t *testing.T) {
 	var totalRoles []*pb.Role
 	for i := 0; i < 10; i++ {
 		or := iam.TestRole(t, conn, oWithRoles.GetPublicId())
-		_ = iam.TestRoleGrantScope(t, conn, or.GetPublicId(), globals.GrantScopeChildren)
+		_ = iam.TestRoleGrantScope(t, conn, or, globals.GrantScopeChildren)
 		wantOrgRoles = append(wantOrgRoles, &pb.Role{
 			Id:                or.GetPublicId(),
 			ScopeId:           or.GetScopeId(),
@@ -2791,7 +2791,7 @@ func TestAddGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.AddRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),
@@ -3129,7 +3129,7 @@ func TestSetGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.SetRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),
@@ -3326,7 +3326,7 @@ func TestRemoveGrantScopes(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			role := iam.TestRole(t, conn, tc.scopeId, iam.WithGrantScopeIds([]string{"testing-none"}))
 			for _, e := range tc.existing {
-				_ = iam.TestRoleGrantScope(t, conn, role.GetPublicId(), e)
+				_ = iam.TestRoleGrantScope(t, conn, role, e)
 			}
 			req := &pbs.RemoveRoleGrantScopesRequest{
 				Id:      role.GetPublicId(),

internal/daemon/controller/handlers/scopes/scope_service.go

@@ -42,6 +42,7 @@
 	"github.com/hashicorp/boundary/internal/types/scope"
 	"github.com/hashicorp/boundary/internal/util"
 	pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/scopes"
+	"github.com/hashicorp/boundary/version"
 	wrappingKms "github.com/hashicorp/go-kms-wrapping/extras/kms/v2"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -650,8 +651,25 @@
 	if item.GetDescription() != nil {
 		opts = append(opts, iam.WithDescription(item.GetDescription().GetValue()))
 	}
-	opts = append(opts, iam.WithSkipAdminRoleCreation(req.GetSkipAdminRoleCreation()))
-	opts = append(opts, iam.WithSkipDefaultRoleCreation(req.GetSkipDefaultRoleCreation()))
+
+	if req.GetCreateDefaultRole() && req.GetSkipDefaultRoleCreation() {
+		return nil, handlers.InvalidArgumentErrorf("Cannot set both create_default_role and skip_default_role_creation to true.", map[string]string{"create_default_role": "Cannot set both create_default_role and skip_default_role_creation to true."})
+	}
+	if !req.GetCreateDefaultRole() && !req.GetSkipDefaultRoleCreation() {
+	}
+
+	if version.SupportsFeature(version.Binary, version.CreateDefaultAndAdminRoles) {
+		opts = append(opts,
+			iam.WithCreateAdminRole(req.GetCreateAdminRole()),
+			iam.WithCreateDefaultRole(req.GetCreateDefaultRole()),
+		)
+	}
+	if version.SupportsFeature(version.Binary, version.SkipDefaultAndAdminRoleCreation) {
+		opts = append(opts,
+			iam.WithSkipAdminRoleCreation(req.GetSkipAdminRoleCreation()),
+			iam.WithSkipDefaultRoleCreation(req.GetSkipDefaultRoleCreation()),
+		)
+	}
 
 	parentScope := authResults.Scope
 	var iamScope *iam.Scope

internal/daemon/controller/handlers/targets/tcp/target_service_test.go

@@ -1295,7 +1295,7 @@ func TestCreate(t *testing.T) {
 	r := iam.TestRole(t, conn, "global")
 	_ = iam.TestUserRole(t, conn, r.GetPublicId(), at.GetIamUserId())
 	_ = iam.TestRoleGrant(t, conn, r.GetPublicId(), "ids=*;type=*;actions=*")
-	_ = iam.TestRoleGrantScope(t, conn, r.GetPublicId(), globals.GrantScopeDescendants)
+	_ = iam.TestRoleGrantScope(t, conn, r, globals.GrantScopeDescendants)
 
 	// Ensure we are using the OSS worker filter function. This prevents us from
 	// running tests in parallel.

internal/db/schema/migrations/oss/postgres/0/06_iam.up.sql

@@ -332,6 +332,7 @@ create table iam_role (
   );
 
   -- Grants are immutable, which is enforced via the trigger below
+  -- Altered in 100/05_iam_grant.up.sql to add constraint on canonical_grant
   create table iam_role_grant (
     create_time wt_timestamp,
     role_id wt_role_id -- pk