[Workspace] Only OSD admin can create workspace

changelogs/fragments/6831.yml

@@ -0,0 +1,2 @@
+feat:
+- [Workspace] Only OSD admin can create workspace ([#6831](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6831))

src/plugins/workspace/server/plugin.ts

@@ -112,7 +112,7 @@ export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePl
     const globalConfig = await this.globalConfig$.pipe(first()).toPromise();
     const isPermissionControlEnabled = globalConfig.savedObjects.permission.enabled === true;
 
-    this.client = new WorkspaceClient(core);
+    this.client = new WorkspaceClient(core, isPermissionControlEnabled);
 
     await this.client.setup(core);
 

src/plugins/workspace/server/workspace_client.ts

@@ -4,6 +4,7 @@
  */
 
 import { i18n } from '@osd/i18n';
+import { getWorkspaceState } from '../../../core/server/utils';
 import {
   SavedObject,
   SavedObjectsClientContract,
@@ -32,12 +33,18 @@
   defaultMessage: 'workspace name has already been used, try with a different name',
 });
 
+const INVALID_PERMISSION_ERROR = i18n.translate('workspace.invalid.permission.error', {
+  defaultMessage: 'No permission to perform this operation, please contact OSD admin',
+});
+
 export class WorkspaceClient implements IWorkspaceClientImpl {
   private setupDep: CoreSetup;
   private savedObjects?: SavedObjectsServiceStart;
+  private isPermissionControlEnabled: boolean;
 
-  constructor(core: CoreSetup) {
+  constructor(core: CoreSetup, isPermissionControlEnabled: boolean) {
     this.setupDep = core;
+    this.isPermissionControlEnabled = isPermissionControlEnabled;
   }
 
   private getScopedClientWithoutPermission(
@@ -77,6 +84,14 @@
   private formatError(error: Error | any): string {
     return error.message || error.error || 'Error';
   }
+  private hasOSDAdminPermission(requestDetail: IRequestDetail) {
+    if (
+      this.isPermissionControlEnabled &&
+      !getWorkspaceState(requestDetail.request).isDashboardAdmin
+    ) {
+      throw new Error(INVALID_PERMISSION_ERROR);
+    }
+  }
   public async setup(core: CoreSetup): Promise<IResponse<boolean>> {
     this.setupDep.savedObjects.registerType(workspace);
     return {
@@ -89,6 +104,7 @@
     payload: Omit<WorkspaceAttributeWithPermission, 'id'>
   ): ReturnType<IWorkspaceClientImpl['create']> {
     try {
+      this.hasOSDAdminPermission(requestDetail);
       const { permissions, ...attributes } = payload;
       const id = generateRandomId(WORKSPACE_ID_SIZE);
       const client = this.getSavedObjectClientsFromRequestDetail(requestDetail);