From a6809aae9820adeb230295542677c5943a7df82b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson <jjohnson2@lenovo.com>
Date: Thu, 2 May 2019 10:04:40 -0400
Subject: [PATCH] Add Monitor role

Add a monitor role that is only viable for monitoring relevant
tasks.
---
 confluent_server/confluent/auth.py                 | 9 +++++++++
 confluent_server/confluent/config/configmanager.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 136e36fe..e01e8826 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -68,6 +68,15 @@ _allowedbyrole = {
             '/node*/*/events/hardware/log',
         ],
     },
+    'Monitor': {
+        'retrieve': [
+            '/node*/health/hardware',
+            '/node*/power/state',
+            '/node*/sensors/*',
+            '/nodes/',
+            '/',
+        ],
+    }
 }
 
 _deniedbyrole = {
diff --git a/confluent_server/confluent/config/configmanager.py b/confluent_server/confluent/config/configmanager.py
index 8c2f588e..0d1f8284 100644
--- a/confluent_server/confluent/config/configmanager.py
+++ b/confluent_server/confluent/config/configmanager.py
@@ -99,7 +99,7 @@ _attraliases = {
     'bmcpass': 'secret.hardwaremanagementpassword',
     'switchpass': 'secret.hardwaremanagementpassword',
 }
-_validroles = ('Administrator', 'Operator')
+_validroles = ('Administrator', 'Operator', 'Monitor')
 
 def _mkpath(pathname):
     try: