osm_nbi/roles_to_operations.yml

# Copyright 2018 Whitestack, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# For those usages not covered by the Apache License, Version 2.0 please
# contact: esousa@whitestack.com or glavado@whitestack.com
##

---
roles:

##
# This file defines the mapping between user roles and operation permissions.
# It uses the following pattern:
#
#    - name: <ROLE_NAME>
#      permissions:
#        "<OPERATION>": true | false
#
# <ROLE_NAME> defines the name of the role. This name will be matched with an
# existing role in the RBAC system (e.g. keystone).
#
# NOTE: The role will only be used if there is an existing match. If there
#       isn't a role in the system that can be matched, the operation permissions
#       won't yield any result.
#
# permissions: is a dictionary of operation permissions for the role. An operation
# permission is defined using the following pattern:
#
#    "<OPERATION>": true | false
#
# The operations are defined using an hierarchical tree. For this purpose, an
# <OPERATION> tag can represents the path for the following:
#    - default:  what action to be taken by default, allow or deny
#    - admin: allow or deny usin querey string ADMIN to act on behalf of other project
#    - colon separated hierarchical tree
#
# The default and admin <OPERATION> tag is considered false if missing.
# When you use this tag, all the operation permissions will be set to the value
# assigned.
# NOTE 1: The default value is false. So if a value isn't specified, it will
#         default to false.
# NOTE 2: The default <OPERATION> tag can be overridden by using more specific tags
#         with a different value.
#
# The node <OPERATION> tag is defined by using an internal node of the tree, i.e.
# "nsds", "users:id". A node <OPERATION> tag will affect all the nodes and leafs
# beneath it. It can be used to override a default <OPERATION> tag.
# NOTE 1: It can be overridden by using a more specific tag, such as a node which
#         is beneath it or a leaf.
#
# The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users:post",
# "ns_instances:get", "vim_accounts:id:get". A leaf <OPERATION> tag will override all
# the values defined by the parent nodes, since it is the more specific tag that can
# exist.
#
# General notes:
#    - In order to find which tags are in use, check the resources_to_operations.yml.
#    - In order to find which roles are in use, check the RBAC system.
#    - Non existing tags will be ignored.
#    - Tags finishing in a colon will be ignored.
#    - The anonymous role allows to bypass the role definition for paths that
#      shouldn't be verified.
##

  - name: "system_admin"
    permissions:
        default: true
        admin:   true

  - name: "account_manager"
    permissions:
        default:  false
        admin:    false
        tokens:   true
        users:    true
        projects: true
        roles:    true

  - name: "project_admin"
    permissions:
        default: true
        # Users
        users:post:      false
        users:id:patch:  false
        users:id:delete: false
        users:id:put:    false
        # Projects
        projects: false
        # Roles
        roles:    false

  - name: "project_user"
    permissions:
        default: true
        # NS Instances
        ns_instances: false
        ns_instances:get: true
        # VNF Instances
        vnf_instances: false
        # Users
        users: false
        users:id:get: true
        users:id:put: true
        users:id:patch: true
        # Projects
        projects: false
        # VIMs
        vims: false
        vims:get: true
        vims:id:get: true
        # VIM Accounts
        vim_accounts: false
        vim_accounts:get: true
        vim_accounts:id:get: true
        # SDN Controllers
        sdn_controllers: false
        sdn_controllers:get: true
        sdn_controllers:id:get: true
        # WIMs
        wims: false
        wims:get: true
        wims:id:get: true
        # WIM Accounts
        wim_accounts: false
        wim_accounts:get: true
        wim_accounts:id:get: true

  - name: "anonymous"
    permissions: