# Copyright 2018 Whitestack, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # # For those usages not covered by the Apache License, Version 2.0 please # contact: esousa@whitestack.com or glavado@whitestack.com ## --- roles_to_operations: ## # This file defines the mapping between user roles and operation permission. # It uses the following pattern: # # - role: # operations: # "": true | false # # defines the name of the role. This name will be matched with an # existing role in the RBAC system. # # NOTE: The role will only be used if there is an existing match. If there # isn't a role in the system that can be matched, the operation permissions # won't yield any result. # # operations: is a list of operation permissions for the role. An operation # permission is defined using the following pattern: # # "": true | false # # The operations are defined using an hierarchical tree. For this purpose, an # tag can represents the path for the following: # - Root # - Node # - Leaf # # The root tag is defined using "." and the default value is false. # When you use this tag, all the operation permissions will be set to the value # assigned. # NOTE 1: The default value is false. So if a value isn't specified, it will # default to false. # NOTE 2: The root tag can be overridden by using more specific tags # with a different value. # # The node tag is defined by using an internal node of the tree, i.e. # "nsds", "users.id". A node tag will affect all the nodes and leafs # beneath it. It can be used to override a root tag. # NOTE 1: It can be overridden by using a more specific tag, such as a node which # is beneath it or a leaf. # # The leaf tag is defined by using a leaf of the tree, i.e. "users.post", # "ns_instances.get", "vim_accounts.id.get". A leaf tag will override all # the values defined by the parent nodes, since it is the more specific tag that can # exist. # # General notes: # - In order to find which tags are in use, check the resources_to_operations.yml. # - In order to find which roles are in use, check the RBAC system. # - Non existing tags will be ignored. # - Tags finishing in a dot (excluding the root tag) will be ignored. # - The anonymous role allows to bypass the role definition for paths that # shouldn't be verified. ## - role: "system_admin" operations: ":": true - role: "account_manager" operations: ":": false "tokens": true "users": true "projects": true "roles": true - role: "project_admin" operations: ":": true # Users "users:post": false "users:id:post": false "users:id:delete": false # Projects "projects": false # Roles "roles": false - role: "project_user" operations: ":": true # NS Instances "ns_instances": false "ns_instances:get": true # VNF Instances "vnf_instances": false # Users "users": false "users:id:get": true "users:id:put": true "users:id:patch": true # Projects "projects": false # VIMs "vims": false "vims:get": true "vims:id:get": true # VIM Accounts "vim_accounts": false "vim_accounts:get": true "vim_accounts:id:get": true # SDN Controllers "sdn_controllers": false "sdn_controllers:get": true "sdn_controllers:id:get": true # WIMs "wims": false "wims:get": true "wims:id:get": true # WIM Accounts "wim_accounts": false "wim_accounts:get": true "wim_accounts:id:get": true - role: "anonymous" operations: