From 67d6ea07bc9b79b9f2734058fc49f7ccea1d445a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 11 Feb 2025 20:34:49 +0100
Subject: [PATCH] web: use restricted-access user joining nodes

---
 .../pages/cluster/wizard/ClusterJoinInitial.ts  | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/web/src/pages/cluster/wizard/ClusterJoinInitial.ts b/web/src/pages/cluster/wizard/ClusterJoinInitial.ts
index 4e49a289..a05b609d 100644
--- a/web/src/pages/cluster/wizard/ClusterJoinInitial.ts
+++ b/web/src/pages/cluster/wizard/ClusterJoinInitial.ts
@@ -10,6 +10,8 @@ import "../../../elements/forms/HorizontalFormElement";
 import { WizardFormPage } from "../../../elements/wizard/WizardFormPage";
 import { Roles } from "../RolesPage";
 
+export const joinUserUsername = "gravity-system:cluster:join";
+
 @customElement("gravity-cluster-join-initial")
 export class ClusterJoinInitial extends WizardFormPage {
     sidebarLabel = () => "Node details";
@@ -33,10 +35,21 @@ export class ClusterJoinInitial extends WizardFormPage {
         const info = await new ClusterInstancesApi(DEFAULT_CONFIG).clusterGetInstanceInfo();
         this.host.state["node_ip"] = info.instanceIP;
 
-        const user = await new RolesApiApi(DEFAULT_CONFIG).apiUsersMe();
+        await new RolesApiApi(DEFAULT_CONFIG).apiPutUsers({
+            username: joinUserUsername,
+            authAPIUsersPutInput: {
+                password: "",
+                permissions: [
+                    {
+                        methods: ["POST"],
+                        path: "/api/v1/etcd/join",
+                    },
+                ],
+            },
+        });
 
         const token = await new RolesApiApi(DEFAULT_CONFIG).apiPutTokens({
-            username: user.username,
+            username: joinUserUsername,
         });
         this.host.state["join_token"] = token.key;
         return true;