Documentation ¶
Overview ¶
Package policy provides advanced policy features to fine tune end-user permissions.
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // DefaultPolicyGroups provides some sample policies to Admin Users. // Note that Name and Description fields are generally i18nized // that is why we rather declare here the corresponding message IDs. DefaultPolicyGroups = []*idm.PolicyGroup{ { Uuid: "public-access", Name: "PolicyGroup.PublicAccess.Title", Description: "PolicyGroup.PublicAccess.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "discovery-policy", Description: "PolicyGroup.PublicAccess.Rule1", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/config/discovery<.*>"}, Actions: []string{"GET"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "reset-password-policy", Description: "PolicyGroup.PublicAccess.Rule2", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/auth/reset-password<.*>"}, Actions: []string{"PUT", "POST"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "public-access-install", Name: "PolicyGroup.PublicInstall.Title", Description: "PolicyGroup.PublicInstall.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "install-policy", Description: "PolicyGroup.PublicInstall.Rule1", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/install"}, Actions: []string{"GET", "POST"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "frontend-restricted-accesses", Name: "PolicyGroup.FrontendAccess.Title", Description: "PolicyGroup.FrontendAccess.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "anon-default-policy", Description: "PolicyGroup.FrontendAccess.Rule1", Subjects: []string{"profile:anon"}, Resources: []string{ "rest:/config/frontend<.+>", "rest:/docstore/share/<.+>", "rest:/docstore/keystore/<.+>", "rest:/frontend/bootconf", }, Actions: []string{"GET", "POST"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &ladon.StringMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, }, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "anon-frontend-logs", Description: "PolicyGroup.FrontendAccess.Rule2", Subjects: []string{"profile:anon"}, Resources: []string{"rest:/frontend/frontlogs"}, Actions: []string{"PUT"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &ladon.StringMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, }, }), }, }, { Uuid: "rest-apis-default-accesses", Name: "PolicyGroup.LoggedUsers.Title", Description: "PolicyGroup.LoggedUsers.Description", ResourceGroup: idm.PolicyResourceGroup_rest, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "admin-default-policy", Description: "PolicyGroup.LoggedUsers.Rule1", Subjects: []string{"profile:admin"}, Resources: []string{"rest:<.+>"}, Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "user-default-policy", Description: "PolicyGroup.LoggedUsers.Rule2", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{ "rest:/acl", "rest:/acl/<.+>", "rest:/user", "rest:/user/<.+>", "rest:/workspace", "rest:/workspace/<.+>", "rest:/role", "rest:/role/<.+>", "rest:/graph<.+>", "rest:/docstore/bulk_delete/keystore", "rest:/docstore/keystore<.+>", "rest:/jobs/user", "rest:/jobs/user<.+>", "rest:/meta<.+>", "rest:/user-meta<.+>", "rest:/mailer/send", "rest:/search/nodes", "rest:/share<.+>", "rest:/activity<.+>", "rest:/changes", "rest:/changes<.+>", }, Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "shares-default-policy", Description: "PolicyGroup.LoggedUsers.Rule3", Subjects: []string{"profile:standard", "profile:shared"}, Resources: []string{"rest:/docstore/share/<.+>"}, Actions: []string{"GET", "PUT"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "oidc-actions-policies", Name: "PolicyGroup.OIDC.Title", Description: "PolicyGroup.OIDC.Description", ResourceGroup: idm.PolicyResourceGroup_oidc, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "all-users-login", Description: "PolicyGroup.OIDC.Rule1", Subjects: []string{"user:<.+>", "profile:<.+>", "role:<.+>"}, Resources: []string{"oidc"}, Actions: []string{"login"}, Effect: ladon.AllowAccess, }), }, }, { Uuid: "sample-acl-policy", Name: "PolicyGroup.ACLSample1.Title", Description: "PolicyGroup.ACLSample1.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule1", Description: "PolicyGroup.ACLSample1.Rule1", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule2", Description: "PolicyGroup.ACLSample1.Rule2", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, utils.PolicyNodeMetaName: &ladon.StringMatchCondition{ Matches: "target", }, }, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule3", Description: "PolicyGroup.ACLSample1.Rule3", Subjects: []string{"policy:sample-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, utils.PolicyNodeMetaName: &ladon.StringMatchCondition{ Matches: "(.+)\\.png", }, }, }), }, }, { Uuid: "limited-period-access-acl-policy2", Name: "PolicyGroup.ACLSamplePeriod.Title", Description: "PolicyGroup.ACLSamplePeriod.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-temporary-access2", Description: "PolicyGroup.ACLSamplePeriod.Rule1", Subjects: []string{"policy:limited-period-access-acl-policy2"}, Resources: []string{"acl"}, Actions: []string{"write", "read"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.ClientTime: &conditions.WithinPeriodCondition{ Matches: "2018-02-01T00:00+0100/2018-04-01T00:00+0100", }, }, }), }, }, { Uuid: "no-access-after-acl-policy", Name: "PolicyGroup.ACLSampleDateDisable.Title", Description: "PolicyGroup.ACLSampleDateDisable.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-date-rule1", Description: "PolicyGroup.ACLSampleDateDisable.Rule1", Subjects: []string{"policy:no-access-after-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-date-rule2", Description: "PolicyGroup.ACLSampleDateDisable.Rule2", Subjects: []string{"policy:no-access-after-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.ServerTime: &conditions.DateAfterCondition{ Matches: "2018-02-28T23:59+0100", }, }, }), }, }, { Uuid: "office-hours-access-acl-policy", Name: "PolicyGroup.ACLSampleBusinessHours.Title", Description: "PolicyGroup.ACLSampleBusinessHours.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-office-hours-rule", Description: "PolicyGroup.ACLSampleBusinessHours.Rule1", Subjects: []string{"policy:office-hours-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, Conditions: ladon.Conditions{ servicecontext.ClientTime: &conditions.OfficeHoursCondition{ Matches: "Monday-Friday/09:00/18:30", }, }, }), }, }, { Uuid: "no-external-access-acl-policy", Name: "PolicyGroup.ACLSampleExternalIP.Title", Description: "PolicyGroup.ACLSampleExternalIP.Description", ResourceGroup: idm.PolicyResourceGroup_acl, Policies: []*idm.Policy{ LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule4", Description: "PolicyGroup.ACLSampleExternalIP.Rule1", Subjects: []string{"policy:no-external-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.AllowAccess, }), LadonToProtoPolicy(&ladon.DefaultPolicy{ ID: "acl-complex-rule5", Description: "PolicyGroup.ACLSampleExternalIP.Rule2", Subjects: []string{"policy:no-external-access-acl-policy"}, Resources: []string{"acl"}, Actions: []string{"read", "write"}, Effect: ladon.DenyAccess, Conditions: ladon.Conditions{ servicecontext.HttpMetaRemoteAddress: &conditions.StringNotMatchCondition{ Matches: "localhost|127.0.0.1|::1", }, }, }), }, }, } )
Functions ¶
Types ¶
Directories ¶
Path | Synopsis |
---|---|
Package conditions provides implementation of basic condition rules to enable building elaborated policies.
|
Package conditions provides implementation of basic condition rules to enable building elaborated policies. |
Package grpc is the policy engine service
|
Package grpc is the policy engine service |
Package lang provides policy-related i18n strings
|
Package lang provides policy-related i18n strings |
Package rest is a gateway to the underlying grpc service
|
Package rest is a gateway to the underlying grpc service |
Click to show internal directories.
Click to hide internal directories.