1 # Copyright 2018 Whitestack, LLC
3 # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 # not use this file except in compliance with the License. You may obtain
5 # a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 # License for the specific language governing permissions and limitations
15 # For those usages not covered by the Apache License, Version 2.0 please
16 # contact: esousa@whitestack.com or glavado@whitestack.com
23 # This file defines the mapping between user roles and operation permissions.
24 # It uses the following pattern:
28 # "<OPERATION>": true | false
30 # <ROLE_NAME> defines the name of the role. This name will be matched with an
31 # existing role in the RBAC system (e.g. keystone).
33 # NOTE: The role will only be used if there is an existing match. If there
34 # isn't a role in the system that can be matched, the operation permissions
35 # won't yield any result.
37 # permissions: is a dictionary of operation permissions for the role. An operation
38 # permission is defined using the following pattern:
40 # "<OPERATION>": true | false
42 # The operations are defined using an hierarchical tree. For this purpose, an
43 # <OPERATION> tag can represents the path for the following:
44 # - default: what action to be taken by default, allow or deny
45 # - admin: allow or deny usin querey string ADMIN to act on behalf of other project
46 # - colon separated hierarchical tree
48 # The default and admin <OPERATION> tag is considered false if missing.
49 # When you use this tag, all the operation permissions will be set to the value
51 # NOTE 1: The default value is false. So if a value isn't specified, it will
53 # NOTE 2: The default <OPERATION> tag can be overridden by using more specific tags
54 # with a different value.
56 # The 'force', 'public' and 'set_project' operation tags (respectively allowing/denying
57 # the use of the query-strings FORCE, PUBLIC and SET_PROJECT), take by default the
58 # value specified by the tag 'default' (false if not specified).
60 # The node <OPERATION> tag is defined by using an internal node of the tree, i.e.
61 # "nsds", "users:id". A node <OPERATION> tag will affect all the nodes and leafs
62 # beneath it. It can be used to override a default <OPERATION> tag.
63 # NOTE 1: It can be overridden by using a more specific tag, such as a node which
64 # is beneath it or a leaf.
66 # The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users:post",
67 # "ns_instances:get", "vim_accounts:id:get". A leaf <OPERATION> tag will override all
68 # the values defined by the parent nodes, since it is the more specific tag that can
72 # - In order to find which tags are in use, check the resources_to_operations.yml.
73 # - In order to find which roles are in use, check the RBAC system.
74 # - Non existing tags will be ignored.
75 # - Tags finishing in a colon will be ignored.
76 # - The anonymous role allows to bypass the role definition for paths that
77 # shouldn't be verified.
80 - name: "system_admin"
85 - name: "account_manager"
95 - name: "project_admin"
105 - name: "project_user"
114 slice_templates: true
117 slice_instances: true
129 vim_accounts:get: true
130 vim_accounts:id:get: true
132 sdn_controllers: false
133 sdn_controllers:get: true
134 sdn_controllers:id:get: true
137 k8sclusters:get: true
138 k8sclusters:id:get: true
149 wim_accounts:get: true
150 wim_accounts:id:get: true