feat(authz): Remove org-admin role, move privileges to admin role (#1740)

### Proposed Changes

* dont need a separate org-admin role, remove it from keycloak setup and
casbin config

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: elizabethhealy

docs/configuration.md

@@ -256,19 +256,10 @@ server:
       map:
         standard: opentdf-standard
         admin: opentdf-admin
-        org-admin: opentdf-org-admin
 
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: |
-        p, role:org-admin, policy:attributes, *, *, allow
-        p, role:org-admin, policy:subject-mappings, *, *, allow
-        p, role:org-admin, policy:resource-mappings, *, *, allow
-        p, role:org-admin, policy:kas-registry, *, *, allow
-        p, role:org-admin, policy:unsafe, *, *, allow
-        p, role:admin, policy:attributes, read, allow
-        p, role:admin, policy:subject-mappings, read, allow
-        p, role:admin, policy:resource-mappings, read, allow
-        p, role:admin, policy:kas-registry, read, allow
+        p, role:admin, *, *, allow
         p, role:standard, policy:attributes, read, allow
         p, role:standard, policy:subject-mappings, read, allow
         p, role:standard, policy:resource-mappings, read, allow

lib/fixtures/keycloak.go

@@ -120,7 +120,6 @@ func SetupKeycloak(ctx context.Context, kcConnectParams KeycloakConnectParams) e
 
 	opentdfClientID := "opentdf"
 	opentdfSdkClientID := "opentdf-sdk"
-	opentdfOrgAdminRoleName := "opentdf-org-admin"
 	opentdfAdminRoleName := "opentdf-admin"
 	opentdfStandardRoleName := "opentdf-standard"
 	testingOnlyRoleName := "opentdf-testing-role"
@@ -155,7 +154,7 @@ func SetupKeycloak(ctx context.Context, kcConnectParams KeycloakConnectParams) e
 	}
 
 	// Create Roles
-	roles := []string{opentdfOrgAdminRoleName, opentdfAdminRoleName, opentdfStandardRoleName, testingOnlyRoleName}
+	roles := []string{opentdfAdminRoleName, opentdfStandardRoleName, testingOnlyRoleName}
 	for _, role := range roles {
 		_, err := client.CreateRealmRole(ctx, token.AccessToken, kcConnectParams.Realm, gocloak.Role{
 			Name: gocloak.StringP(role),
@@ -173,8 +172,7 @@ func SetupKeycloak(ctx context.Context, kcConnectParams KeycloakConnectParams) e
 	}
 
 	// Get the roles
-	var opentdfOrgAdminRole *gocloak.Role
-	// var opentdfAdminRole *gocloak.Role
+	var opentdfAdminRole *gocloak.Role
 	var opentdfStandardRole *gocloak.Role
 	var testingOnlyRole *gocloak.Role
 	realmRoles, err := client.GetRealmRoles(ctx, token.AccessToken, kcConnectParams.Realm, gocloak.GetRoleParams{
@@ -187,10 +185,8 @@ func SetupKeycloak(ctx context.Context, kcConnectParams KeycloakConnectParams) e
 	slog.Info(fmt.Sprintf("✅ Roles found: %d", len(realmRoles))) // , slog.String("roles", fmt.Sprintf("%v", realmRoles))
 	for _, role := range realmRoles {
 		switch *role.Name {
-		case opentdfOrgAdminRoleName:
-			opentdfOrgAdminRole = role
-		// case opentdfAdminRoleName:
-		// 	opentdfAdminRole = role
+		case opentdfAdminRoleName:
+			opentdfAdminRole = role
 		case opentdfStandardRoleName:
 			opentdfStandardRole = role
 		case testingOnlyRoleName:
@@ -207,7 +203,7 @@ func SetupKeycloak(ctx context.Context, kcConnectParams KeycloakConnectParams) e
 		ClientAuthenticatorType: gocloak.StringP("client-secret"),
 		Secret:                  gocloak.StringP("secret"),
 		ProtocolMappers:         &protocolMappers,
-	}, []gocloak.Role{*opentdfOrgAdminRole}, nil)
+	}, []gocloak.Role{*opentdfAdminRole}, nil)
 	if err != nil {
 		return err
 	}

opentdf-dev.yaml

@@ -49,15 +49,10 @@ server:
       map:
         # standard: opentdf-standard
         # admin: opentdf-admin
-        # org-admin: opentdf-org-admin
 
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
-      #  p, role:org-admin, policy:attributes, *, *, allow
-      #  p, role:org-admin, policy:subject-mappings, *, *, allow
-      #  p, role:org-admin, policy:resource-mappings, *, *, allow
-      #  p, role:org-admin, policy:kas-registry, *, *, allow
-      #  p, role:org-admin, policy:unsafe, *, *, allow
+      #  p, role:admin, *, *, allow
 
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|

opentdf-example.yaml

@@ -40,15 +40,10 @@ server:
       map:
       #  standard: opentdf-standard
       #  admin: opentdf-admin
-      #  org-admin: opentdf-org-admin
 
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
-      #  p, role:org-admin, policy:attributes, *, *, allow
-      #  p, role:org-admin, policy:subject-mappings, *, *, allow
-      #  p, role:org-admin, policy:resource-mappings, *, *, allow
-      #  p, role:org-admin, policy:kas-registry, *, *, allow
-      #  p, role:org-admin, policy:unsafe, *, *, allow
+      #  p, role:admin, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

opentdf-with-hsm.yaml

@@ -47,14 +47,9 @@ server:
         map:
         #  standard: opentdf-standard
         #  admin: opentdf-admin
-        #  org-admin: opentdf-org-admin
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: #|
-      #  p, role:org-admin, policy:attributes, *, *, allow
-      #  p, role:org-admin, policy:subject-mappings, *, *, allow
-      #  p, role:org-admin, policy:resource-mappings, *, *, allow
-      #  p, role:org-admin, policy:kas-registry, *, *, allow
-      #  p, role:org-admin, policy:unsafe, *, *, allow
+      #  p, role:admin, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

service/cmd/keycloak_data.yaml

@@ -13,7 +13,6 @@ realms:
       realm: opentdf
       enabled: true
     custom_realm_roles:
-      - name: opentdf-org-admin
       - name: opentdf-admin
       - name: opentdf-standard
     custom_client_roles:
@@ -35,7 +34,7 @@ realms:
           protocolMappers:
             - *customAudMapper
         sa_realm_roles: 
-          - opentdf-org-admin
+          - opentdf-admin
       - client:
           clientID: opentdf-sdk
           enabled: true
@@ -98,7 +97,7 @@ realms:
         groups:
           - mygroup
         realmRoles:
-          - opentdf-org-admin
+          - opentdf-admin
         clientRoles:
           realm-management:
             - view-clients

service/internal/auth/casbin.go

@@ -24,14 +24,12 @@ var (
 var defaultRoleClaim = "realm_access.roles"
 
 var defaultRoleMap = map[string]string{
-	"standard":  "opentdf-standard",
-	"admin":     "opentdf-admin",
-	"org-admin": "opentdf-org-admin",
+	"standard": "opentdf-standard",
+	"admin":    "opentdf-admin",
 }
 
 var defaultPolicy = `
 ## Roles (prefixed with role:)
-# org-admin - organization admin
 # admin - admin
 # standard - standard
 # unknown - unknown role or no role
@@ -46,70 +44,35 @@ var defaultPolicy = `
 # delete - delete the resource
 # unsafe - unsafe actions
 
-# Role: Org-Admin
-## gRPC routes
-p,	role:org-admin,		policy.*,																*,			allow
-p,	role:org-admin,		kasregistry.*,													*,			allow
-p,	role:org-admin,		kas.AccessService/Rewrap, 			        *,			allow
-p,  role:org-admin,   authorization.*,                        *,      allow
-## HTTP routes
-p,	role:org-admin,		/attributes*,														*,			allow
-p,	role:org-admin,		/namespaces*,														*,			allow
-p,	role:org-admin,		/subject-mappings*,											*,			allow
-p,	role:org-admin,		/resource-mappings*,										*,			allow
-p,	role:org-admin,		/key-access-servers*,										*,			allow
-p,	role:org-admin, 	/kas/v2/rewrap,						  		        *,      allow
-p,	role:org-admin,		/unsafe*,										            *,			allow
-p,	role:org-admin,		/v1/entitlements,						  				        *,      allow
-p,	role:org-admin,		/v1/authorization,						  				        *,      allow
-p,	role:org-admin,		/v1/token/authorization,						  				        *,      allow
 
 # Role: Admin
-## gRPC routes
-p,	role:admin,		    policy.*,																read,			allow
-p,	role:admin,		    policy.*,																write,			allow
-p,	role:admin,		    policy.*,																delete,			allow
-p,	role:admin,		    kasregistry.*,													*,			allow
-p,	role:admin,		    kas.AccessService/Rewrap, 			        *,			allow
-p,  role:admin,   authorization.*,                        *,      allow
-## HTTP routes
-p,	role:admin,		/attributes*,																*,			allow
-p,	role:admin,		/namespaces*,																*,			allow
-p,	role:admin,		/subject-mappings*,													*,			allow
-p,	role:admin,		/resource-mappings*,												*,			allow
-p,	role:admin,		/key-access-servers*,												*,			allow
-p,	role:admin,		/kas/v2/rewrap,						  				        *,      allow
-p,	role:admin,		/v1/entitlements,						  				        *,      allow
-p,	role:admin,		/v1/authorization,						  				        *,      allow
-p,	role:admin,		/v1/token/authorization,						  				        *,      allow
-
+## gRPC and HTTP routes
+p,	role:admin,		*,					*,			allow
 
 ## Role: Standard
 ## gRPC routes
 p,	role:standard,		policy.*,																read,			allow
 p,	role:standard,		kasregistry.*,													read,			allow
-p,	role:standard,    kas.AccessService/Rewrap, 			           *,			allow
-p,  role:standard,    authorization.AuthorizationService/GetDecisions,        read, allow
-p,  role:standard,    authorization.AuthorizationService/GetDecisionsByToken, read, allow
+p,	role:standard,      kas.AccessService/Rewrap, 			           *,			allow
+p,  role:standard,      authorization.AuthorizationService/GetDecisions,        read, allow
+p,  role:standard,      authorization.AuthorizationService/GetDecisionsByToken, read, allow
+
 ## HTTP routes
 p,	role:standard,		/attributes*,														read,			allow
 p,	role:standard,		/namespaces*,														read,			allow
 p,	role:standard,		/subject-mappings*,											read,			allow
 p,	role:standard,		/resource-mappings*,										read,			allow
 p,	role:standard,		/key-access-servers*,										read,			allow
 p,	role:standard,		/kas/v2/rewrap,													write,		allow
-p,	role:standard,		/entityresolution/resolve,							write,  	allow
-p,      role:standard,          /v1/authorization,                                                              write,          allow
-p,      role:standard,          /v1/token/authorization,                                                        write,          allow
+p,  role:standard,      /v1/authorization,                                                              write,          allow
+p,  role:standard,      /v1/token/authorization,                                                        write,          allow
 
 # Public routes
 ## gRPC routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,			entityresolution.EntityResolutionService.ResolveEntities,					write,		allow
 p,	role:unknown,     kas.AccessService/Rewrap, 			                                  *,	  allow
 ## HTTP routes
 ## for ERS, right now we don't care about requester role, just that a valid jwt is provided when the OPA engine calls (enforced in the ERS itself, not casbin)
-p,	role:unknown,			/entityresolution/resolve,							  write,		allow
 p,	role:unknown,		  /kas/v2/rewrap,													  *,		allow
 
 `