sensu · mjiderhamn · May 19, 2021
diff --git a/api/core/v2/rbac.go b/api/core/v2/rbac.go
@@ -65,6 +65,7 @@ var allowedVerbs = []string{
 	"create",
 	"update",
 	"delete",
+	"execute",
 }
 
 // FixtureSubject creates a Subject for testing

diff --git a/api/core/v2/rbac.pb.go b/api/core/v2/rbac.pb.go
diff --git a/api/core/v2/rbac.proto b/api/core/v2/rbac.proto
@@ -17,7 +17,7 @@ option (gogoproto.testgen_all) = true;
 message Rule {
   // Verbs is a list of verbs that apply to all of the listed resources for
   // this rule. These include "get", "list", "watch", "create", "update",
-  // "delete".
+  // "delete", "execute".
   // TODO: add support for "patch" (this is expensive and should be delayed
   // until a further release). TODO: add support for "watch" (via websockets)
   repeated string verbs = 1 [ (gogoproto.jsontag) = "verbs" ];

diff --git a/api/core/v2/rbac_test.go b/api/core/v2/rbac_test.go
@@ -156,7 +156,7 @@ func Test_validateVerbs(t *testing.T) {
 		},
 		{
 			name:    "explicit verbs",
-			verbs:   []string{"get", "list", "create", "update", "delete"},
+			verbs:   []string{"get", "list", "create", "update", "delete", "execute"},
 			wantErr: false,
 		},
 	}

diff --git a/backend/api/check.go b/backend/api/check.go
@@ -59,7 +59,7 @@ func (c *CheckClient) DeleteCheck(ctx context.Context, name string) error {
 
 // ExecuteCheck queues an ahoc check request, if authorized.
 func (c *CheckClient) ExecuteCheck(ctx context.Context, name string, req *corev2.AdhocRequest) error {
-	attrs := checkCreateAttributes(ctx, name)
+	attrs := checkExecuteAttributes(ctx, name)
 	if err := authorize(ctx, c.auth, attrs); err != nil {
 		return err
 	}
@@ -141,3 +141,14 @@ func checkDeleteAttributes(ctx context.Context, name string) *authorization.Attr
 		ResourceName: name,
 	}
 }
+
+func checkExecuteAttributes(ctx context.Context, name string) *authorization.Attributes {
+	return &authorization.Attributes{
+		APIGroup:     "core",
+		APIVersion:   "v2",
+		Namespace:    corev2.ContextNamespace(ctx),
+		Resource:     "checks",
+		Verb:         "execute",
+		ResourceName: name,
+	}
+}
diff --git a/backend/api/check_test.go b/backend/api/check_test.go
@@ -794,7 +794,7 @@ func TestExecuteCheck(t *testing.T) {
 							Resource:     "checks",
 							ResourceName: "default",
 							UserName:     "legit",
-							Verb:         "create",
+							Verb:         "execute",
 						}: true,
 					},
 				}

diff --git a/backend/apid/graphql/schema/rbac.graphql b/backend/apid/graphql/schema/rbac.graphql
@@ -4,7 +4,7 @@ Rule holds information that describes an action that can be taken
 type Rule {
   """
   Verbs is a list of verbs that apply to all of the listed resources for this
-  rule. These include "get", "list", "watch", "create", "update", "delete".
+  rule. These include "get", "list", "watch", "create", "update", "delete", "execute".
   TODO: add support for "patch" (this is expensive and should be delayed
   until a further release). TODO: add support for "watch" (via websockets)
   """