X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=blobdiff_plain;f=osm_nbi%2Froles_to_operations.yml;h=38cd6204fa075c6b832659196e2705beb0137264;hp=73d1a64d7f777d4a7ed195563c1c52d21954ebbd;hb=786aeddab7b7491a139c958ecec6439bee5da83a;hpb=29933fc257389f16f9c798f52a43e43800475a4a
diff --git a/osm_nbi/roles_to_operations.yml b/osm_nbi/roles_to_operations.yml
index 73d1a64..38cd620 100644
--- a/osm_nbi/roles_to_operations.yml
+++ b/osm_nbi/roles_to_operations.yml
@@ -17,50 +17,54 @@
 ##
 ---
-roles_to_operations:
+roles:
 ##
-# This file defines the mapping between user roles and operation permission.
+# This file defines the mapping between user roles and operation permissions.
 # It uses the following pattern:
 #
-# - role:
-#   operations:
+# - name:
+#   permissions:
 #     "": true | false
 #
 #  defines the name of the role. This name will be matched with an
-# existing role in the RBAC system.
+# existing role in the RBAC system (e.g. keystone).
 #
 # NOTE: The role will only be used if there is an existing match. If there
 # isn't a role in the system that can be matched, the operation permissions
 # won't yield any result.
 #
-# operations: is a list of operation permissions for the role. An operation
+# permissions: is a dictionary of operation permissions for the role. An operation
 # permission is defined using the following pattern:
 #
 # "": true | false
 #
 # The operations are defined using an hierarchical tree. For this purpose, an
 #  tag can represents the path for the following:
-# - Root
-# - Node
-# - Leaf
+# - default: what action to be taken by default, allow or deny
+# - admin: allow or deny usin querey string ADMIN to act on behalf of other project
+# - colon separated hierarchical tree
 #
-# The root tag is defined using "." and the default value is false.
+# The default and admin tag is considered false if missing.
 # When you use this tag, all the operation permissions will be set to the value
 # assigned.
 # NOTE 1: The default value is false. So if a value isn't specified, it will
 # default to false.
-# NOTE 2: The root tag can be overridden by using more specific tags
+# NOTE 2: The default tag can be overridden by using more specific tags
 # with a different value.
 #
+# The 'force', 'public' and 'set_project' operation tags (respectively allowing/denying
+# the use of the query-strings FORCE, PUBLIC and SET_PROJECT), take by default the
+# value specified by the tag 'default' (false if not specified).
+#
 # The node tag is defined by using an internal node of the tree, i.e.
-# "nsds", "users.id". A node tag will affect all the nodes and leafs
-# beneath it. It can be used to override a root tag.
+# "nsds", "users:id". A node tag will affect all the nodes and leafs
+# beneath it. It can be used to override a default tag.
 # NOTE 1: It can be overridden by using a more specific tag, such as a node which
 # is beneath it or a leaf.
 #
-# The leaf tag is defined by using a leaf of the tree, i.e. "users.post",
-# "ns_instances.get", "vim_accounts.id.get". A leaf tag will override all
+# The leaf tag is defined by using a leaf of the tree, i.e. "users:post",
+# "ns_instances:get", "vim_accounts:id:get". A leaf tag will override all
 # the values defined by the parent nodes, since it is the more specific tag that can
 # exist.
 #
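Review bot: The paragraph added at the end of this hunk says `force`, `public` and `set_project` inherit the value of `default`, but it leaves the consequence unstated: any role declared with `default: true` silently gains the FORCE, PUBLIC and SET_PROJECT query strings unless each one is explicitly set to `false`, and `project_admin` later in this diff is written exactly that way (`default: true` with no `force`/`public`/`set_project` entry). Since those query strings presumably widen what a request may do, I would add a warning right after that paragraph: `# NOTE 3: a role with 'default: true' implicitly gets 'force', 'public' and 'set_project'; deny them explicitly unless the role is meant to have them.` The new `admin` bullet explains that it lets a caller act on behalf of another project, so the comment should also say it must stay `false` for every role that is not fully trusted (and the bullet has typos: `usin querey` should read `using the query`). Finally, after the rewrite "When you use this tag" no longer has a clear antecedent (the previous sentence now names two tags, `default` and `admin`); `# When you use the 'default' tag, all the operation permissions ...` would remove the ambiguity.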
@@ -68,70 +72,82 @@ roles_to_operations:
 # - In order to find which tags are in use, check the resources_to_operations.yml.
 # - In order to find which roles are in use, check the RBAC system.
 # - Non existing tags will be ignored.
-# - Tags finishing in a dot (excluding the root tag) will be ignored.
+# - Tags finishing in a colon will be ignored.
 # - The anonymous role allows to bypass the role definition for paths that
 # shouldn't be verified.
 ##
-  - role: "system_admin"
-    operations:
-      ".": true
+  - name: "system_admin"
+    permissions:
+      default: true
+      admin: true
-  - role: "account_manager"
-    operations:
-      ".": false
-      "tokens": true
-      "users": true
-      "projects": true
-      "roles": true
+  - name: "account_manager"
+    permissions:
+      default: false
+      admin: false
+      force: true
+      tokens: true
+      users: true
+      projects: true
+      roles: true
-  - role: "project_admin"
-    operations:
-      ".": true
-      # Users
-      "users.post": false
-      "users.id.post": false
-      "users.id.delete": false
-      # Projects
-      "projects": false
-      # Roles
-      "roles": false
+  - name: "project_admin"
+    permissions:
+      default: true
+      admin: false
+      users: false
+      projects: false
+      roles: false
-  - role: "project_user"
-    operations:
-      ".": true
-      # NS Instances
-      "ns_instances": false
-      "ns_instances.get": true
-      # VNF Instances
-      "vnf_instances": false
-      # Users
-      "users": false
-      "users.id.get": true
-      "users.id.put": true
-      "users.id.patch": true
-      # Projects
-      "projects": false
-      # VIMs
-      "vims": false
-      "vims.get": true
-      "vims.id.get": true
-      # VIM Accounts
-      "vim_accounts": false
-      "vim_accounts.get": true
-      "vim_accounts.id.get": true
-      # SDN Controllers
-      "sdn_controllers": false
-      "sdn_controllers.get": true
-      "sdn_controllers.id.get": true
-      # WIMs
-      "wims": false
-      "wims.get": true
-      "wims.id.get": true
-      # WIM Accounts
-      "wim_accounts": false
-      "wim_accounts.get": true
-      "wim_accounts.id.get": true
+  - name: "project_user"
+    permissions:
+      default: false
+      admin: false
+      force: false
+      public: true
+      set_project: true
+      vnfds: true
+      nsds: true
+      slice_templates: true
+      ns_instances: true
+      vnf_instances: true
+      slice_instances: true
+      users: false
+      projects: false
+      roles: false
+      # VIMs
+      vims: false
+      vims:get: true
+      vims:id:get: true
+      # VIM Accounts
+      vim_accounts: false
+      vim_accounts:get: true
+      vim_accounts:id:get: true
+      # SDN Controllers
+      sdn_controllers: false
+      sdn_controllers:get: true
+      sdn_controllers:id:get: true
+      # K8s clusters
+      k8sclusters: false
+      k8sclusters:get: true
+      k8sclusters:id:get: true
+      # VCA
+      vca: false
+      vca:get: true
+      vca:id:get: true
+      # K8s repos
+      k8srepos: true
+      # OSM repos
+      osmrepos: true
+      # WIM Accounts
+      wim_accounts: false
+      wim_accounts:get: true
+      wim_accounts:id:get: true
+      # PDUs
+      pduds: false
+      pduds:get: true
+      pduds:id:get: true
-  - role: "anonymous"
-    operations:
+  - name: "anonymous"
+    permissions: