---
# Access-control policy: each entry maps a rule name or an API action
# ('<service>.<resource>:<verb>') to a check expression. Expressions here are
# built from 'rule:<name>' references joined with 'or', plus the checks
# 'username:', 'group:' and 'is_authenticated:'.
# NOTE(review): the syntax looks like oslo.policy; confirm against the policy
# engine managesf actually loads before relying on precedence or defaults.
#
# Default rules that should not be changed, but can be used as building blocks for more complex rules
# NOTE(review): 'is_admin' and 'is_service' are referenced below but are not
# defined in this file; presumably the service supplies them. Verify where they
# come from, since every admin-only action depends on them.
'admin_or_service': 'rule:is_admin or rule:is_service'
'admin_api': 'rule:is_admin'
# is_owner applies to API calls where a user is the target. is_owner will be True if the requestor is the target of the action
'is_owner': 'username:%(username)s'
'owner_api': 'rule:is_owner'
'admin_or_owner': 'rule:is_admin or rule:is_owner'
# Group checks that depend on the target project: the group name is the
# project name from the request followed by a role suffix (-ptl, -core, -dev).
'is_ptl': 'group:%(project)s-ptl'
'is_core': 'group:%(project)s-core'
'is_dev': 'group:%(project)s-dev'
'ptl_api': 'rule:is_ptl'
'core_api': 'rule:is_core'
'dev_api': 'rule:is_dev'
# Any of the three project roles above.
'contributor_api': 'rule:ptl_api or rule:core_api or rule:dev_api'

# Requires only that the requestor is authenticated; no role or ownership check.
'authenticated_api': 'is_authenticated:True'
# 'any' applies no check at all and 'none' matches nobody ('@' / '!' are the
# always-allow / always-deny literals in oslo.policy-style syntax).
# Actions mapped to 'rule:any' are therefore presumably reachable without
# authentication, since 'authenticated_api' is a separate, stricter rule.
'any': '@'
'none': '!'
# Backup API (admin only)
'managesf.backup:get': 'rule:admin_api'
'managesf.backup:create': 'rule:admin_api'
# Pages API CRUD (admin, or PTL of the target project)
'managesf.pages:get': 'rule:admin_api or rule:ptl_api'
'managesf.pages:create': 'rule:admin_api or rule:ptl_api'
'managesf.pages:delete': 'rule:admin_api or rule:ptl_api'
# local user backend (for local authentication) API CRUD
# create_update and delete use the same check as 'admin_or_owner', written
# inline: an admin, or the user the request targets.
'managesf.localuser:get': 'rule:authenticated_api'
'managesf.localuser:create_update': 'rule:admin_api or username:%(username)s'
'managesf.localuser:delete': 'rule:admin_api or username:%(username)s'
# This rule should be left alone, or local users will not be able to authenticate.
# NOTE(review): because bind is open to everyone, protection against password
# guessing has to come from outside this policy (rate limiting, lockout,
# monitoring of failed binds); confirm what the deployment provides.
'managesf.localuser:bind': 'rule:any'
# user API CRUD
# NOTE(review): create and update also pass when the requestor's username
# matches the target, i.e. users can act on their own record; delete is
# admin only.
'managesf.user:get': 'rule:authenticated_api'
'managesf.user:create': 'rule:admin_api or username:%(username)s'
'managesf.user:delete': 'rule:admin_api'
'managesf.user:update': 'rule:admin_api or username:%(username)s'
# gerrit hooks API
'managesf.hooks:trigger': 'rule:admin_or_service'
# template tests for projects API
'managesf.tests:add': 'rule:admin_api or rule:ptl_api'
# config (permissions) API
'managesf.config:get': 'rule:authenticated_api'
# resources API: reading is open to anyone; validate and apply are restricted
# to admin or service.
'managesf.resources:get': 'rule:any'
'managesf.resources:validate': 'rule:admin_or_service'
'managesf.resources:apply': 'rule:admin_or_service'
# jobs API: read is open to anyone; stop and run need admin or service.
'managesf.job:get': 'rule:any'
'managesf.job:stop': 'rule:admin_or_service'
'managesf.job:run': 'rule:admin_or_service'
# nodes API: the two read actions (get, image-get) are open to anyone; every
# state-changing action needs admin or service.
# NOTE(review): add_authorized_key presumably grants key-based access to a
# node; keep it restricted and audit any change to this line.
'managesf.node:get': 'rule:any'
'managesf.node:hold': 'rule:admin_or_service'
'managesf.node:delete': 'rule:admin_or_service'
'managesf.node:image-get': 'rule:any'
'managesf.node:add_authorized_key': 'rule:admin_or_service'
'managesf.node:image-start-update': 'rule:admin_or_service'
'managesf.node:image-update-status': 'rule:admin_or_service'
# zuul API: every action listed here is a read ('get') and is open to anyone.
# NOTE(review): console-stream presumably exposes job console output; if jobs
# can print credentials or internal hostnames, consider 'rule:authenticated_api'
# for it on deployments that are reachable from untrusted networks.
'zuul.tenants:get': 'rule:any'
'zuul.tenant.status:get': 'rule:any'
'zuul.tenant.jobs:get': 'rule:any'
'zuul.tenant.builds:get': 'rule:any'
'zuul.tenant.console-stream:get': 'rule:any'
'zuul.status:get': 'rule:any'
'zuul.status.change:get': 'rule:any'
'zuul.project.public_keys:get': 'rule:any'