Open moshloop opened 1 month ago
See https://casbin.org/docs/abac
Where request is:
```yaml
playbook:
  name: name
  id:
  labels: {}
config:
  name: name
  owners: []
  id:
  type: Kubernetes::Pod
  tags: {}
  path: []
teams: [] # teams the user is member of
```
Which would allow policies to be added like:
```yaml
kind: Permission
metadata:
  uid: abc
permissions:
  - action: playbook:run
    team: everyone
    inherited: true
    config: # ...selectorFields
      id: def # id of aws cluster
  - action: playbook:run
    owner: true
  - action: playbook:run
    team: SRE Team
    playbook: name or ID
```
Which corresponds to:
```
p, r.playbook.id == 'abc' && 'def' in r.config.path
p, r.playbook.id == 'abc' && r.sub.id in r.config.owners
p, r.playbook.id == 'abc' && 'everyone' in r.sub.teams && 'def' in r.config.path
```
And then from a UI perspective on a config item there would be a permission tab/table with:
$owners
The permission table would need:
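The following is an added example, not code from the issue or from the project it discusses. It takes the Permission document sketched above and compiles each entry into a predicate over the request shape the issue describes (playbook, config with owners and path, sub with id and teams), then evaluates requests with a default-deny, any-rule-allows semantics like Casbin's `some(where (p.eft == allow))` effect. The rule semantics (inherited config ids matched against `config.path`, `playbook` matched by id or name, a rule with no conditions rejected at load time) and all sample ids, names and team memberships are assumptions constructed for the example.

```python
"""Compile the issue's Permission entries into predicates and evaluate requests.

Added example, not the project's code. Assumptions: the request carries
playbook/config/sub as sketched in the issue; an `inherited` rule matches a
config whose own id or any ancestor id in `config.path` equals the rule's
config id; `playbook` in a rule may name either the playbook id or name.
Rules are plain Python callables rather than expression strings fed to
eval(), so policy data can never execute code.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Playbook:
    id: str
    name: str = ""


@dataclass
class Config:
    id: str
    name: str = ""
    type: str = ""
    owners: list = field(default_factory=list)  # subject ids that own this item
    path: list = field(default_factory=list)    # ancestor ids, e.g. cluster, namespace


@dataclass
class Subject:
    id: str
    teams: list = field(default_factory=list)   # teams the user is a member of


@dataclass
class Request:
    playbook: Playbook
    config: Config
    sub: Subject


Predicate = Callable[[Request], bool]


def compile_rule(rule: dict) -> tuple[str, Predicate]:
    """Turn one `permissions:` entry into (action, predicate); conditions are ANDed."""
    conds: list[Predicate] = []
    if "team" in rule:
        conds.append(lambda r, t=rule["team"]: t in r.sub.teams)
    if rule.get("owner"):
        conds.append(lambda r: r.sub.id in r.config.owners)
    if "config" in rule:
        cid = rule["config"]["id"]
        if rule.get("inherited"):
            conds.append(lambda r, c=cid: c == r.config.id or c in r.config.path)
        else:
            conds.append(lambda r, c=cid: c == r.config.id)
    if "playbook" in rule:
        conds.append(lambda r, p=rule["playbook"]: p in (r.playbook.id, r.playbook.name))
    if not conds:
        # Fail closed: an entry with only an action would otherwise match everyone.
        raise ValueError(f"rule for {rule['action']!r} has no conditions")
    return rule["action"], lambda r: all(c(r) for c in conds)


def compile_permission(doc: dict) -> list[tuple[str, Predicate]]:
    return [compile_rule(rule) for rule in doc["permissions"]]


def is_allowed(rules: list[tuple[str, Predicate]], request: Request, action: str) -> bool:
    """Default deny: allowed only if some rule for this action satisfies all its conditions."""
    return any(act == action and pred(request) for act, pred in rules)


# Constructed sample: the issue's Permission document as a dict (playbook name is assumed).
PERMISSION = {
    "kind": "Permission",
    "metadata": {"uid": "abc"},
    "permissions": [
        {"action": "playbook:run", "team": "everyone", "inherited": True, "config": {"id": "def"}},
        {"action": "playbook:run", "owner": True},
        {"action": "playbook:run", "team": "SRE Team", "playbook": "restart-pod"},
    ],
}
RULES = compile_permission(PERMISSION)


def demo() -> dict:
    """Evaluate a few constructed requests; keys describe the scenario."""
    pod_in_def = Config(id="pod-1", type="Kubernetes::Pod", owners=["alice"], path=["def", "ns-1"])
    pod_elsewhere = Config(id="pod-2", type="Kubernetes::Pod", owners=[], path=["ghi"])
    restart = Playbook(id="abc", name="restart-pod")
    other = Playbook(id="xyz", name="scale-deploy")
    run = "playbook:run"
    return {
        "everyone_in_cluster_def": is_allowed(RULES, Request(restart, pod_in_def, Subject("bob", ["everyone"])), run),
        "everyone_other_cluster": is_allowed(RULES, Request(restart, pod_elsewhere, Subject("bob", ["everyone"])), run),
        "owner_without_teams": is_allowed(RULES, Request(other, pod_in_def, Subject("alice", [])), run),
        "sre_named_playbook": is_allowed(RULES, Request(restart, pod_elsewhere, Subject("carol", ["SRE Team"])), run),
        "sre_other_playbook": is_allowed(RULES, Request(other, pod_elsewhere, Subject("carol", ["SRE Team"])), run),
        "unlisted_action": is_allowed(RULES, Request(restart, pod_in_def, Subject("bob", ["everyone"])), "playbook:edit"),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allow' if allowed else 'deny'}")
```

Keeping the conditions as code rather than as matcher strings means the permission table the issue describes can be validated at write time (unknown keys, a rule with no conditions) instead of surfacing as a silently over-broad match at request time.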