osm_nbi/roles_to_operations.yml - osm/NBI - Gitiles

 # Copyright 2018 Whitestack, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 #
 # For those usages not covered by the Apache License, Version 2.0 please
 # contact: esousa@whitestack.com or glavado@whitestack.com
 ##

 ---
 roles_to_operations:

 ##
 # This file defines the mapping between user roles and operation permission.
 # It uses the following pattern:
 #
 #    - role: <ROLE_NAME>
 #      operations:
 #        "<OPERATION>": true | false
 #
 # <ROLE_NAME> defines the name of the role. This name will be matched with an
 # existing role in the RBAC system.
 #
 # NOTE: The role will only be used if there is an existing match. If there
 #       isn't a role in the system that can be matched, the operation permissions
 #       won't yield any result.
 #
 # operations: is a list of operation permissions for the role. An operation
 # permission is defined using the following pattern:
 #
 #    "<OPERATION>": true | false
 #
 # The operations are defined using an hierarchical tree. For this purpose, an
 # <OPERATION> tag can represents the path for the following:
 #    - Root
 #    - Node
 #    - Leaf
 #
 # The root <OPERATION> tag is defined using "." and the default value is false.
 # When you use this tag, all the operation permissions will be set to the value
 # assigned.
 # NOTE 1: The default value is false. So if a value isn't specified, it will
 #         default to false.
 # NOTE 2: The root <OPERATION> tag can be overridden by using more specific tags
 #         with a different value.
 #
 # The node <OPERATION> tag is defined by using an internal node of the tree, i.e.
 # "nsds", "users.id". A node <OPERATION> tag will affect all the nodes and leafs
 # beneath it. It can be used to override a root <OPERATION> tag.
 # NOTE 1: It can be overridden by using a more specific tag, such as a node which
 #         is beneath it or a leaf.
 #
 # The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users.post",
 # "ns_instances.get", "vim_accounts.id.get". A leaf <OPERATION> tag will override all
 # the values defined by the parent nodes, since it is the more specific tag that can
 # exist.
 #
 # General notes:
 #    - In order to find which tags are in use, check the resources_to_operations.yml.
 #    - In order to find which roles are in use, check the RBAC system.
 #    - Non existing tags will be ignored.
 #    - Tags finishing in a dot (excluding the root <OPERATION> tag) will be ignored.
 #    - The anonymous role allows to bypass the role definition for paths that
 #      shouldn't be verified.
 ##

   - role: "system_admin"
     operations:
       ":": true

   - role: "account_manager"
     operations:
       ":": false
       "tokens": true
       "users": true
       "projects": true
       "roles": true

   - role: "project_admin"
     operations:
       ":": true
       # Users
       "users:post": false
       "users:id:post": false
       "users:id:delete": false
       # Projects
       "projects": false
       # Roles
       "roles": false

   - role: "project_user"
     operations:
       ":": true
       # NS Instances
       "ns_instances": false
       "ns_instances:get": true
       # VNF Instances
       "vnf_instances": false
       # Users
       "users": false
       "users:id:get": true
       "users:id:put": true
       "users:id:patch": true
       # Projects
       "projects": false
       # VIMs
       "vims": false
       "vims:get": true
       "vims:id:get": true
       # VIM Accounts
       "vim_accounts": false
       "vim_accounts:get": true
       "vim_accounts:id:get": true
       # SDN Controllers
       "sdn_controllers": false
       "sdn_controllers:get": true
       "sdn_controllers:id:get": true
       # WIMs
       "wims": false
       "wims:get": true
       "wims:id:get": true
       # WIM Accounts
       "wim_accounts": false
       "wim_accounts:get": true
       "wim_accounts:id:get": true

   - role: "anonymous"
     operations:
	# Copyright 2018 Whitestack, LLC
	#
	# Licensed under the Apache License, Version 2.0 (the "License"); you may
	# not use this file except in compliance with the License. You may obtain
	# a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	# License for the specific language governing permissions and limitations
	# under the License.
	#
	# For those usages not covered by the Apache License, Version 2.0 please
	# contact: esousa@whitestack.com or glavado@whitestack.com
	##

	---
	roles_to_operations:

	##
	# This file defines the mapping between user roles and operation permission.
	# It uses the following pattern:
	#
	# - role: <ROLE_NAME>
	# operations:
	# "<OPERATION>": true \| false
	#
	# <ROLE_NAME> defines the name of the role. This name will be matched with an
	# existing role in the RBAC system.
	#
	# NOTE: The role will only be used if there is an existing match. If there
	# isn't a role in the system that can be matched, the operation permissions
	# won't yield any result.
	#
	# operations: is a list of operation permissions for the role. An operation
	# permission is defined using the following pattern:
	#
	# "<OPERATION>": true \| false
	#
	# The operations are defined using an hierarchical tree. For this purpose, an
	# <OPERATION> tag can represents the path for the following:
	# - Root
	# - Node
	# - Leaf
	#
	# The root <OPERATION> tag is defined using "." and the default value is false.
	# When you use this tag, all the operation permissions will be set to the value
	# assigned.
	# NOTE 1: The default value is false. So if a value isn't specified, it will
	# default to false.
	# NOTE 2: The root <OPERATION> tag can be overridden by using more specific tags
	# with a different value.
	#
	# The node <OPERATION> tag is defined by using an internal node of the tree, i.e.
	# "nsds", "users.id". A node <OPERATION> tag will affect all the nodes and leafs
	# beneath it. It can be used to override a root <OPERATION> tag.
	# NOTE 1: It can be overridden by using a more specific tag, such as a node which
	# is beneath it or a leaf.
	#
	# The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users.post",
	# "ns_instances.get", "vim_accounts.id.get". A leaf <OPERATION> tag will override all
	# the values defined by the parent nodes, since it is the more specific tag that can
	# exist.
	#
	# General notes:
	# - In order to find which tags are in use, check the resources_to_operations.yml.
	# - In order to find which roles are in use, check the RBAC system.
	# - Non existing tags will be ignored.
	# - Tags finishing in a dot (excluding the root <OPERATION> tag) will be ignored.
	# - The anonymous role allows to bypass the role definition for paths that
	# shouldn't be verified.
	##

	- role: "system_admin"
	operations:
	":": true

	- role: "account_manager"
	operations:
	":": false
	"tokens": true
	"users": true
	"projects": true
	"roles": true

	- role: "project_admin"
	operations:
	":": true
	# Users
	"users:post": false
	"users:id:post": false
	"users:id:delete": false
	# Projects
	"projects": false
	# Roles
	"roles": false

	- role: "project_user"
	operations:
	":": true
	# NS Instances
	"ns_instances": false
	"ns_instances:get": true
	# VNF Instances
	"vnf_instances": false
	# Users
	"users": false
	"users:id:get": true
	"users:id:put": true
	"users:id:patch": true
	# Projects
	"projects": false
	# VIMs
	"vims": false
	"vims:get": true
	"vims:id:get": true
	# VIM Accounts
	"vim_accounts": false
	"vim_accounts:get": true
	"vim_accounts:id:get": true
	# SDN Controllers
	"sdn_controllers": false
	"sdn_controllers:get": true
	"sdn_controllers:id:get": true
	# WIMs
	"wims": false
	"wims:get": true
	"wims:id:get": true
	# WIM Accounts
	"wim_accounts": false
	"wim_accounts:get": true
	"wim_accounts:id:get": true

	- role: "anonymous"
	operations: