SF initial configurator | a26c41e | 2022-10-06 13:33:13 +0300 | 1 | --- |
| 2 | # Default rules that should not be changed, but can be used as building blocks for more complex rules |
| 3 | 'admin_or_service': 'rule:is_admin or rule:is_service' |
| 4 | 'admin_api': 'rule:is_admin' |
| 5 | # is_owner applies to API calls where a user is the target. It is True only when the requestor's username matches the target username of the call |
| 6 | 'is_owner': 'username:%(username)s' |
| 7 | 'owner_api': 'rule:is_owner' |
| 8 | 'admin_or_owner': 'rule:is_admin or rule:is_owner' |
| 9 | # Group membership checks; %(project)s is replaced with the target project of the call |
| 10 | 'is_ptl': 'group:%(project)s-ptl' |
| 11 | 'is_core': 'group:%(project)s-core' |
| 12 | 'is_dev': 'group:%(project)s-dev' |
| 13 | 'ptl_api': 'rule:is_ptl' |
| 14 | 'core_api': 'rule:is_core' |
| 15 | 'dev_api': 'rule:is_dev' |
| 16 | 'contributor_api': 'rule:ptl_api or rule:core_api or rule:dev_api' |
| 17 | |
| 18 | 'authenticated_api': 'is_authenticated:True' |
| 19 | 'any': '@' |
| 20 | 'none': '!' |
| 21 | # Backup API |
| 22 | 'managesf.backup:get': 'rule:admin_api' |
| 23 | 'managesf.backup:create': 'rule:admin_api' |
| 24 | # Pages API CRUD |
| 25 | 'managesf.pages:get': 'rule:admin_api or rule:ptl_api' |
| 26 | 'managesf.pages:create': 'rule:admin_api or rule:ptl_api' |
| 27 | 'managesf.pages:delete': 'rule:admin_api or rule:ptl_api' |
| 28 | # local user backend (for local authentication) API CRUD |
| 29 | 'managesf.localuser:get': 'rule:authenticated_api' |
| 30 | 'managesf.localuser:create_update': 'rule:admin_api or username:%(username)s' |
| 31 | 'managesf.localuser:delete': 'rule:admin_api or username:%(username)s' |
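| 32 | # This rule must be left as 'rule:any' (always allowed, including for callers that are not yet authenticated): bind is used to authenticate local users, so restricting it would prevent them from authenticating |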
| 33 | 'managesf.localuser:bind': 'rule:any' |
| 34 | # user API CRUD |
| 35 | 'managesf.user:get': 'rule:authenticated_api' |
| 36 | 'managesf.user:create': 'rule:admin_api or username:%(username)s' |
| 37 | 'managesf.user:delete': 'rule:admin_api' |
| 38 | 'managesf.user:update': 'rule:admin_api or username:%(username)s' |
| 39 | # gerrit hooks API |
| 40 | 'managesf.hooks:trigger': 'rule:admin_or_service' |
| 41 | # template tests for projects API |
| 42 | 'managesf.tests:add': 'rule:admin_api or rule:ptl_api' |
| 43 | # config (permissions) API |
| 44 | 'managesf.config:get': 'rule:authenticated_api' |
| 45 | # resources API |
| 46 | 'managesf.resources:get': 'rule:any' |
| 47 | 'managesf.resources:validate': 'rule:admin_or_service' |
| 48 | 'managesf.resources:apply': 'rule:admin_or_service' |
| 49 | # jobs API |
| 50 | 'managesf.job:get': 'rule:any' |
| 51 | 'managesf.job:stop': 'rule:admin_or_service' |
| 52 | 'managesf.job:run': 'rule:admin_or_service' |
| 53 | # nodes API |
| 54 | 'managesf.node:get': 'rule:any' |
| 55 | 'managesf.node:hold': 'rule:admin_or_service' |
| 56 | 'managesf.node:delete': 'rule:admin_or_service' |
| 57 | 'managesf.node:image-get': 'rule:any' |
| 58 | 'managesf.node:add_authorized_key': 'rule:admin_or_service' |
| 59 | 'managesf.node:image-start-update': 'rule:admin_or_service' |
| 60 | 'managesf.node:image-update-status': 'rule:admin_or_service' |
| 61 | # zuul API |
| 62 | 'zuul.tenants:get': 'rule:any' |
| 63 | 'zuul.tenant.status:get': 'rule:any' |
| 64 | 'zuul.tenant.jobs:get': 'rule:any' |
| 65 | 'zuul.tenant.builds:get': 'rule:any' |
| 66 | 'zuul.tenant.console-stream:get': 'rule:any' |
| 67 | 'zuul.status:get': 'rule:any' |
| 68 | 'zuul.status.change:get': 'rule:any' |
| 69 | 'zuul.project.public_keys:get': 'rule:any' |