---
# Default rules that should not be changed, but can be used as building blocks for more complex rules.
# 'rule:<name>' refers to another entry of this mapping; the rules below are composed from these.
# NOTE(review): 'is_admin' and 'is_service' are referenced here but not defined in this file -
# presumably supplied by the application's built-in defaults; confirm before relying on them.
'admin_or_service': 'rule:is_admin or rule:is_service'
'admin_api': 'rule:is_admin'
# is_owner applies to API calls where a user is the target. is_owner will be True if the requestor is the target of the action
# (the requestor's username is compared with the target's %(username)s).
'is_owner': 'username:%(username)s'
'owner_api': 'rule:is_owner'
'admin_or_owner': 'rule:is_admin or rule:is_owner'
# group checking depending on the target project: membership in the
# '<project>-ptl', '<project>-core' or '<project>-dev' group of the project targeted by the call
'is_ptl': 'group:%(project)s-ptl'
'is_core': 'group:%(project)s-core'
'is_dev': 'group:%(project)s-dev'
'ptl_api': 'rule:is_ptl'
'core_api': 'rule:is_core'
'dev_api': 'rule:is_dev'
'contributor_api': 'rule:ptl_api or rule:core_api or rule:dev_api'
# any authenticated user, regardless of group membership
'authenticated_api': 'is_authenticated:True'
# '@' always passes (including for unauthenticated requests); '!' never passes.
# Every endpoint granted 'rule:any' below is therefore reachable anonymously.
'any': '@'
'none': '!'
# Backup API - admin only
'managesf.backup:get': 'rule:admin_api'
'managesf.backup:create': 'rule:admin_api'
# Pages API CRUD - admins or the PTL of the target project
'managesf.pages:get': 'rule:admin_api or rule:ptl_api'
'managesf.pages:create': 'rule:admin_api or rule:ptl_api'
'managesf.pages:delete': 'rule:admin_api or rule:ptl_api'
# local user backend (for local authentication) API CRUD
# get: any authenticated user; create_update/delete: admins or the targeted user themselves.
# The inline 'username:%(username)s' check is the same test as 'rule:is_owner', so the
# write rules are equivalent to 'rule:admin_or_owner'.
'managesf.localuser:get': 'rule:authenticated_api'
'managesf.localuser:create_update': 'rule:admin_api or username:%(username)s'
'managesf.localuser:delete': 'rule:admin_api or username:%(username)s'
# This rule should be left alone, or local users will not be able to authenticate:
# bind has to be reachable before the caller has authenticated, hence 'rule:any'
'managesf.localuser:bind': 'rule:any'
# user API CRUD
# get: any authenticated user; create/update: admins or the targeted user themselves
# (a non-admin passes 'create' only when the target username matches their own); delete: admin only
'managesf.user:get': 'rule:authenticated_api'
'managesf.user:create': 'rule:admin_api or username:%(username)s'
'managesf.user:delete': 'rule:admin_api'
'managesf.user:update': 'rule:admin_api or username:%(username)s'
# gerrit hooks API - admins or the service only
'managesf.hooks:trigger': 'rule:admin_or_service'
# template tests for projects API - admins or the PTL of the target project
'managesf.tests:add': 'rule:admin_api or rule:ptl_api'
# config (permissions) API - any authenticated user may read the policy
'managesf.config:get': 'rule:authenticated_api'
# resources API - reads are anonymous; validate/apply are limited to admins or the service
'managesf.resources:get': 'rule:any'
'managesf.resources:validate': 'rule:admin_or_service'
'managesf.resources:apply': 'rule:admin_or_service'
# jobs API - reads are anonymous; stop/run are limited to admins or the service
'managesf.job:get': 'rule:any'
'managesf.job:stop': 'rule:admin_or_service'
'managesf.job:run': 'rule:admin_or_service'
# nodes API - node and image reads are anonymous; hold, delete, authorized-key injection and
# image updates are limited to admins or the service
'managesf.node:get': 'rule:any'
'managesf.node:hold': 'rule:admin_or_service'
'managesf.node:delete': 'rule:admin_or_service'
'managesf.node:image-get': 'rule:any'
'managesf.node:add_authorized_key': 'rule:admin_or_service'
'managesf.node:image-start-update': 'rule:admin_or_service'
'managesf.node:image-update-status': 'rule:admin_or_service'
# zuul API - all ':get' endpoints, open to anonymous callers
'zuul.tenants:get': 'rule:any'
'zuul.tenant.status:get': 'rule:any'
'zuul.tenant.jobs:get': 'rule:any'
'zuul.tenant.builds:get': 'rule:any'
'zuul.tenant.console-stream:get': 'rule:any'
'zuul.status:get': 'rule:any'
'zuul.status.change:get': 'rule:any'
'zuul.project.public_keys:get': 'rule:any'