# Engine-level RBAC wiring: which resource types model roles and role
# bindings, and which subject/owner types those may reference.
rbac:
  # Resource type (and object ID prefix) used for v2 roles.
  roleresource:
    name: rolev2
    idprefix: permrv2
  # Resource type (and object ID prefix) used for role bindings.
  rolebindingresource:
    name: rolebinding
    idprefix: permrbn
  # Subject types a role may reference directly. Matches the `subject`
  # union declared further down (user, client).
  rolesubjecttypes:
    - user
    - client
  # Only a tenant may own a role. The `owner` relationshipaction used by
  # the rolev2 actionbindings below is therefore expected to resolve to a
  # tenant — confirm against the engine's handling of roleowners.
  roleowners:
    - tenant
  # Subjects a role binding may grant to. A group is not granted as a
  # single principal: it is expanded through its `member` action, so every
  # subject reachable via `member` (transitively through `subgroup`, see
  # actionbindings) receives the binding. Adding a subgroup therefore
  # silently extends every binding made on the parent group.
  rolebindingsubjects:
    - name: user
    - name: client
    - name: group
      subjectrelation: member
# Named type unions. A relation or action binding whose type is a union
# accepts any of the listed resource types.
unions:
  # Types that may own resources (target of loadbalancer's `owner`
  # relation below). Only tenants today.
  - name: resourceowner
    resourcetypes:
      - name: tenant
  # Types on which the management actions (role_*, loadbalancer_*) are
  # bound. Because group is included, a role binding made on a group is a
  # grant of those actions at group scope; with `inheritpermissionsfrom:
  # parent` on group (see resourcetypes) it presumably also reaches
  # descendant groups — confirm in the engine.
  - name: resourcemanager
    resourcetypes:
      - name: tenant
      - name: group
  # Principals: human users and machine clients alike.
  - name: subject
    resourcetypes:
      - name: user
      - name: client
# Resource types: object ID prefixes, the relationships each type may hold,
# and (where present) how v2 role bindings on related objects apply.
resourcetypes:
  - name: user
    idprefix: idntusr
  - name: client
    idprefix: idntclt
  # v1 role: subjects are attached directly via `subject`.
  - name: role
    idprefix: permrol
    relationships:
      - relation: subject
        targettypes:
          - name: subject
  - name: tenant
    idprefix: tnntten
    # Anchored so group can declare the identical inheritance rule below.
    # Bindings made on a tenant's parent chain presumably apply to this
    # tenant as well — confirm how the engine resolves
    # inheritpermissionsfrom.
    rolebindingv2: &permsFromParent
      inheritpermissionsfrom:
        - parent
    relationships:
      # Tenants nest under tenants.
      - relation: parent
        targettypes:
          - name: tenant
      # Role bindings attached to this object; reused by group via alias.
      - &grantRel
        relation: grant
        targettypes:
          - name: rolebinding
  - name: group
    idprefix: idntgrp
    # Same rule as tenant: permissions flow down from `parent`.
    rolebindingv2: *permsFromParent
    relationships:
      - *grantRel
      # A group's parent may be a group or a tenant, so a binding made on
      # the tenant is expected to reach every group beneath it.
      - relation: parent
        targettypes:
          - name: group
          - name: tenant
      - relation: direct_member
        targettypes:
          - name: user
          - name: client
      # Membership is transitive through subgroup (see the `member`
      # actionbinding). Note `subgroup` and `parent` are independent
      # relations; nothing in this policy forces them to be inverses, so a
      # group can be a subgroup of one group while its parent is another.
      - relation: subgroup
        targettypes:
          - name: group
  - name: loadbalancer
    idprefix: loadbal
    # v2 bindings on the owning tenant apply to the load balancer.
    rolebindingv2:
      inheritpermissionsfrom:
        - owner
    relationships:
      - relation: owner
        targettypes:
          - name: resourceowner
      - relation: grant
        targettypes:
          - name: rolebinding
# Actions that roles may grant. `member` is not a management permission:
# it is the computed group-membership check used both as a binding
# condition and as the subjectrelation through which group bindings expand.
actions:
  - name: role_create
  - name: role_get
  - name: role_list
  - name: role_update
  - name: role_delete
  - name: loadbalancer_create
  - name: loadbalancer_get
  - name: loadbalancer_list
  - name: loadbalancer_update
  - name: loadbalancer_delete
  - name: member
# How each action is decided on each type. Each entry lists conditions;
# satisfying any one of them grants the action (conditions are treated as
# alternatives by the engine — confirm).
actionbindings:
  # Group membership: direct members, plus (recursively) the members of any
  # subgroup. The recursion is unbounded by this policy; the engine must
  # tolerate subgroup cycles.
  - actionname: member
    typename: group
    conditions:
      - relationshipaction:
          relation: direct_member
      - relationshipaction:
          relation: subgroup
          actionname: member

  # Role management on the role object itself: delegated to whoever holds
  # the same-named action on the role's owner (a tenant, per roleowners).
  # role_update on a tenant therefore allows editing every role that tenant
  # owns, including roles the caller is bound to — presumably a path to
  # self-escalation, so keep it tightly scoped.
  - actionname: role_get
    typename: rolev2
    conditions:
      - relationshipaction:
          relation: owner
          actionname: role_get
  - actionname: role_update
    typename: rolev2
    conditions:
      - relationshipaction:
          relation: owner
          actionname: role_update
  - actionname: role_delete
    typename: rolev2
    conditions:
      - relationshipaction:
          relation: owner
          actionname: role_delete

  # Role management on owners/managers (tenant or group): granted by a v1
  # or v2 role binding carrying the action.
  - actionname: role_create
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: role_get
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: role_list
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: role_update
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: role_delete
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}

  # Load balancer actions on the object itself. Unlike rolev2 above there is
  # no relationshipaction over `owner` here: v2 bindings reach the object
  # through `inheritpermissionsfrom: owner` on the loadbalancer type, but
  # how a v1 `rolebinding` made on the owning tenant propagates is not
  # visible in this policy — verify before relying on v1 bindings for
  # owner-scoped access.
  - actionname: loadbalancer_get
    typename: loadbalancer
    conditions:
      - rolebinding: {}
      - rolebindingv2: {}
  - actionname: loadbalancer_update
    typename: loadbalancer
    conditions:
      - rolebinding: {}
      - rolebindingv2: {}
  - actionname: loadbalancer_delete
    typename: loadbalancer
    conditions:
      - rolebinding: {}
      - rolebindingv2: {}

  # Load balancer actions at owner/manager scope. create and list exist
  # only here (there is no per-object binding for them).
  - actionname: loadbalancer_create
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: loadbalancer_get
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: loadbalancer_list
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: loadbalancer_update
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}
  - actionname: loadbalancer_delete
    typename: resourcemanager
    conditions:
      - rolebindingv2: {}
      - rolebinding: {}