rancher_restricted_admin_replacement.sh

#!/bin/bash

RANCHER_URL=$RANCHER_API_URL
API_TOKEN=$RANCHER_API_TOKEN

OLD_ROLE_NAME="Restricted Admin"
NEW_ROLE_NAME=""

get_role_id_by_name() {
  local role_name=$1
  curl -s -H "Authorization: Bearer $API_TOKEN" \
    "$RANCHER_URL/globalroles" | \
    jq -r ".data[] | select(.name == \"$role_name\") | .id"
}

# Get the role IDs
## defaults to restricted-admin, but for canonical naming retrieving anyway
RESTRICTED_ADMIN_ROLE_ID=$(get_role_id_by_name "$OLD_ROLE_NAME") 
NEW_ROLE_ID=$(get_role_id_by_name "$NEW_ROLE_NAME")

# Debug: Print the role IDs
echo "Old Role ID: $RESTRICTED_ADMIN_ROLE_ID"
echo "New Role ID: $NEW_ROLE_ID"

# Function to get all users with the Restricted Admin role
get_restricted_admin_users() {
  curl -s -H "Authorization: Bearer $API_TOKEN" \
    "$RANCHER_URL/globalrolebindings" | \
    jq -r ".data[] | select(.globalRoleId == \"$RESTRICTED_ADMIN_ROLE_ID\") | .userId"
}

update_user_role() {
  local user_id=$1

  response=$(curl -s -X POST -H "Authorization: Bearer $API_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{ \"apiVersion\": \"management.cattle.io/v3\", \"kind\": \"GlobalRoleBinding\", \"metadata\": { \"name\": \"grb-$NEW_ROLE_ID-$user_id\" }, \"subject\": { \"kind\": \"User\", \"name\": \"$user_id\" }, \"roleRef\": { \"kind\": \"GlobalRole\", \"name\": \"$NEW_ROLE_ID\" }, \"globalRoleId\": \"$NEW_ROLE_ID\", \"userId\": \"$user_id\" }" \
 "$RANCHER_URL/globalRoleBindings")

  echo "Adding role to $user_id: $response"
}

restricted_admin_users=$(get_restricted_admin_users)

for user_id in $restricted_admin_users; do
  echo "Updating user $user_id to new role..."
  update_user_role $user_id
done

echo "All users updated."