fix: updated policy for analytics (#3035)

deploy/jenkins/jenkins-server-setup.sh

@@ -163,6 +163,11 @@ apt install -y python-psycopg2
 echo -e "\n\e[0;32m${bold}Installating libpng-dev${normal}"
 apt install -y libpng-dev
 
+echo -e "\n\e[0;32m${bold}Installating OPA${normal}"
+curl -k -L -o opa https://openpolicyagent.org/downloads/v0.34.2/opa_linux_amd64_static
+chmod 755 ./opa
+mv opa /usr/local/bin/
+
 echo -e "\n\e[0;32m${bold}Clean up${normal}"
 sudo apt -y autoremove
 

kubernetes/opa/analytics/policies.rego

@@ -11,25 +11,37 @@ urls_to_action_mapping := {
 }
 
 getDataExhaustRequest {
-  super.public_role_check
+  acls := ["getDataExhaustRequest"]
+  roles := ["ORG_ADMIN", "REPORT_ADMIN", "CONTENT_CREATOR", "COURSE_MENTOR", "PROGRAM_MANAGER", "PROGRAM_DESIGNER"]
+  super.acls_check(acls)
+  super.role_check(roles)
   http_request.headers["x-channel-id"]
   http_request.headers["x-authenticated-userid"] == super.userid
 }
 
 getDataExhaustRequest {
-  super.public_role_check
+  acls := ["getDataExhaustRequest"]
+  roles := ["ORG_ADMIN", "REPORT_ADMIN", "CONTENT_CREATOR", "COURSE_MENTOR", "PROGRAM_MANAGER", "PROGRAM_DESIGNER"]
+  super.acls_check(acls)
+  super.role_check(roles)  
   http_request.headers["x-channel-id"]
   not http_request.headers["x-authenticated-userid"]
 }
 
 listDataExhaustRequest {
-  super.public_role_check
+  acls := ["listDataExhaustRequest"]
+  roles := ["ORG_ADMIN", "REPORT_ADMIN", "CONTENT_CREATOR", "COURSE_MENTOR", "PROGRAM_MANAGER", "PROGRAM_DESIGNER"]
+  super.acls_check(acls)
+  super.role_check(roles)  
   http_request.headers["x-channel-id"]
   http_request.headers["x-authenticated-userid"] == super.userid
 }
 
 listDataExhaustRequest {
-  super.public_role_check
+  acls := ["listDataExhaustRequest"]
+  roles := ["ORG_ADMIN", "REPORT_ADMIN", "CONTENT_CREATOR", "COURSE_MENTOR", "PROGRAM_MANAGER", "PROGRAM_DESIGNER"]
+  super.acls_check(acls)
+  super.role_check(roles)  
   http_request.headers["x-channel-id"]
   not http_request.headers["x-authenticated-userid"]
 }