| # Copyright 2018 Whitestack, LLC |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| # not use this file except in compliance with the License. You may obtain |
| # a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| # License for the specific language governing permissions and limitations |
| # under the License. |
| # |
| # For those usages not covered by the Apache License, Version 2.0 please |
| # contact: esousa@whitestack.com or glavado@whitestack.com |
| ## |
| |
| --- |
| roles: |
| |
| ## |
| # This file defines the mapping between user roles and operation permissions. |
| # It uses the following pattern: |
| # |
| # - name: <ROLE_NAME> |
| # permissions: |
| # "<OPERATION>": true | false |
| # |
| # <ROLE_NAME> defines the name of the role. This name will be matched with an |
| # existing role in the RBAC system (e.g. keystone). |
| # |
| # NOTE: The role will only be used if there is an existing match. If there |
| # isn't a role in the system that can be matched, the operation permissions |
| # won't yield any result. |
| # |
| # permissions: is a dictionary of operation permissions for the role. An operation |
| # permission is defined using the following pattern: |
| # |
| # "<OPERATION>": true | false |
| # |
| # The operations are defined using an hierarchical tree. For this purpose, an |
| # <OPERATION> tag can represents the path for the following: |
| # - default: what action to be taken by default, allow or deny |
| # - admin: allow or deny usin querey string ADMIN to act on behalf of other project |
| # - colon separated hierarchical tree |
| # |
| # The default and admin <OPERATION> tag is considered false if missing. |
| # When you use this tag, all the operation permissions will be set to the value |
| # assigned. |
| # NOTE 1: The default value is false. So if a value isn't specified, it will |
| # default to false. |
| # NOTE 2: The default <OPERATION> tag can be overridden by using more specific tags |
| # with a different value. |
| # |
| # The 'force', 'public' and 'set_project' operation tags (respectively allowing/denying |
| # the use of the query-strings FORCE, PUBLIC and SET_PROJECT), take by default the |
| # value specified by the tag 'default' (false if not specified). |
| # |
| # The node <OPERATION> tag is defined by using an internal node of the tree, i.e. |
| # "nsds", "users:id". A node <OPERATION> tag will affect all the nodes and leafs |
| # beneath it. It can be used to override a default <OPERATION> tag. |
| # NOTE 1: It can be overridden by using a more specific tag, such as a node which |
| # is beneath it or a leaf. |
| # |
| # The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users:post", |
| # "ns_instances:get", "vim_accounts:id:get". A leaf <OPERATION> tag will override all |
| # the values defined by the parent nodes, since it is the more specific tag that can |
| # exist. |
| # |
| # General notes: |
| # - In order to find which tags are in use, check the resources_to_operations.yml. |
| # - In order to find which roles are in use, check the RBAC system. |
| # - Non existing tags will be ignored. |
| # - Tags finishing in a colon will be ignored. |
| # - The anonymous role allows to bypass the role definition for paths that |
| # shouldn't be verified. |
| ## |
| |
| - name: "system_admin" |
| permissions: |
| default: true |
| admin: true |
| |
| - name: "account_manager" |
| permissions: |
| default: false |
| admin: false |
| force: true |
| tokens: true |
| users: true |
| projects: true |
| roles: true |
| |
| - name: "project_admin" |
| permissions: |
| default: true |
| admin: false |
| projects: false |
| roles: false |
| # Users |
| users: false |
| users:id:patch: true |
| |
| - name: "project_user" |
| permissions: |
| default: false |
| admin: false |
| force: false |
| public: true |
| set_project: true |
| vnfds: true |
| nsds: true |
| slice_templates: true |
| ns_instances: true |
| vnf_instances: true |
| slice_instances: true |
| projects: false |
| roles: false |
| # Users |
| users: false |
| users:id:patch: true |
| # VIMs |
| vims: false |
| vims:get: true |
| vims:id:get: true |
| # VIM Accounts |
| vim_accounts: false |
| vim_accounts:get: true |
| vim_accounts:id:get: true |
| # SDN Controllers |
| sdn_controllers: false |
| sdn_controllers:get: true |
| sdn_controllers:id:get: true |
| # K8s clusters |
| k8sclusters: false |
| k8sclusters:get: true |
| k8sclusters:id:get: true |
| # VCA |
| vca: false |
| vca:get: true |
| vca:id:get: true |
| # K8s repos |
| k8srepos: true |
| # OSM repos |
| osmrepos: true |
| # WIM Accounts |
| wim_accounts: false |
| wim_accounts:get: true |
| wim_accounts:id:get: true |
| # PDUs |
| pduds: false |
| pduds:get: true |
| pduds:id:get: true |
| # Alarms |
| alarms: false |
| alarms:get: true |
| alarms:id:get: true |
| |
| - name: "anonymous" |
| permissions: |