| Eduardo Sousa | 29933fc | 2018-11-14 06:36:35 +0000 | [diff] [blame] | 1 | # Copyright 2018 Whitestack, LLC |
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | # |
| 15 | # For those usages not covered by the Apache License, Version 2.0 please |
| 16 | # contact: esousa@whitestack.com or glavado@whitestack.com |
| 17 | ## |
| 18 | |
| 19 | --- |
| 20 | roles_to_operations: |
| 21 | |
| 22 | ## |
| 23 | # This file defines the mapping between user roles and operation permission. |
| 24 | # It uses the following pattern: |
| 25 | # |
| 26 | # - role: <ROLE_NAME> |
| 27 | # operations: |
| 28 | # "<OPERATION>": true | false |
| 29 | # |
| 30 | # <ROLE_NAME> defines the name of the role. This name will be matched with an |
| 31 | # existing role in the RBAC system. |
| 32 | # |
| 33 | # NOTE: The role will only be used if there is an existing match. If there |
| 34 | # isn't a role in the system that can be matched, the operation permissions |
| 35 | # won't yield any result. |
| 36 | # |
| 37 | # operations: is a list of operation permissions for the role. An operation |
| 38 | # permission is defined using the following pattern: |
| 39 | # |
| 40 | # "<OPERATION>": true | false |
| 41 | # |
| 42 | # The operations are defined using an hierarchical tree. For this purpose, an |
| 43 | # <OPERATION> tag can represents the path for the following: |
| 44 | # - Root |
| 45 | # - Node |
| 46 | # - Leaf |
| 47 | # |
| 48 | # The root <OPERATION> tag is defined using "." and the default value is false. |
| 49 | # When you use this tag, all the operation permissions will be set to the value |
| 50 | # assigned. |
| 51 | # NOTE 1: The default value is false. So if a value isn't specified, it will |
| 52 | # default to false. |
| 53 | # NOTE 2: The root <OPERATION> tag can be overridden by using more specific tags |
| 54 | # with a different value. |
| 55 | # |
| 56 | # The node <OPERATION> tag is defined by using an internal node of the tree, i.e. |
| 57 | # "nsds", "users.id". A node <OPERATION> tag will affect all the nodes and leafs |
| 58 | # beneath it. It can be used to override a root <OPERATION> tag. |
| 59 | # NOTE 1: It can be overridden by using a more specific tag, such as a node which |
| 60 | # is beneath it or a leaf. |
| 61 | # |
| 62 | # The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users.post", |
| 63 | # "ns_instances.get", "vim_accounts.id.get". A leaf <OPERATION> tag will override all |
| 64 | # the values defined by the parent nodes, since it is the more specific tag that can |
| 65 | # exist. |
| 66 | # |
| 67 | # General notes: |
| 68 | # - In order to find which tags are in use, check the resources_to_operations.yml. |
| 69 | # - In order to find which roles are in use, check the RBAC system. |
| 70 | # - Non existing tags will be ignored. |
| 71 | # - Tags finishing in a dot (excluding the root <OPERATION> tag) will be ignored. |
| 72 | # - The anonymous role allows to bypass the role definition for paths that |
| 73 | # shouldn't be verified. |
| 74 | ## |
| 75 | |
| 76 | - role: "system_admin" |
| 77 | operations: |
| 78 | ".": true |
| 79 | |
| 80 | - role: "account_manager" |
| 81 | operations: |
| 82 | ".": false |
| 83 | "tokens": true |
| 84 | "users": true |
| 85 | "projects": true |
| 86 | "roles": true |
| 87 | |
| 88 | - role: "project_admin" |
| 89 | operations: |
| 90 | ".": true |
| 91 | # Users |
| 92 | "users.post": false |
| 93 | "users.id.post": false |
| 94 | "users.id.delete": false |
| 95 | # Projects |
| 96 | "projects": false |
| 97 | # Roles |
| 98 | "roles": false |
| 99 | |
| 100 | - role: "project_user" |
| 101 | operations: |
| 102 | ".": true |
| 103 | # NS Instances |
| 104 | "ns_instances": false |
| 105 | "ns_instances.get": true |
| 106 | # VNF Instances |
| 107 | "vnf_instances": false |
| 108 | # Users |
| 109 | "users": false |
| 110 | "users.id.get": true |
| 111 | "users.id.put": true |
| 112 | "users.id.patch": true |
| 113 | # Projects |
| 114 | "projects": false |
| 115 | # VIMs |
| 116 | "vims": false |
| 117 | "vims.get": true |
| 118 | "vims.id.get": true |
| 119 | # VIM Accounts |
| 120 | "vim_accounts": false |
| 121 | "vim_accounts.get": true |
| 122 | "vim_accounts.id.get": true |
| 123 | # SDN Controllers |
| 124 | "sdn_controllers": false |
| 125 | "sdn_controllers.get": true |
| 126 | "sdn_controllers.id.get": true |
| 127 | # WIMs |
| 128 | "wims": false |
| 129 | "wims.get": true |
| 130 | "wims.id.get": true |
| 131 | # WIM Accounts |
| 132 | "wim_accounts": false |
| 133 | "wim_accounts.get": true |
| 134 | "wim_accounts.id.get": true |
| 135 | |
| 136 | - role: "anonymous" |
| 137 | operations: |