api

Inside A Policy

A Policy is defined by a yaml description.

`Allow anything to anything:

statements:
    -
        actions: "*"
        allow: true
        resources: "*"

Allow only home/delete_user:

statements:
    -
        actions:
            - home/delete_user
        allow: true
        resources: "*"

Substitutions and Expressions

Very often, substitutions are allowed.

describe_{resource_type}

{ and } wrap a Python expression, and its value is substituted. To have a '{' double it up:

describe_{{resource_type}

Almost any Python expression is allowed, but there are restrictions to keep things secure. One of the restrictions is the values available. In Policies these are the values:

caller. ...: The user making the call. See later for the details of these fields
role. ...: The api id of the Role used for the call. See later for the details of these fields
arg. ...: The arguments to the method call.

When a Policy is used by a Role, or as part of a Resource's policies list, then additional, user-defined, parameters can be set.

When a policy is used in a Resource's policiy list there is also:

resource. ...: The resource itself

For any resources only a safe subset of properties is exposed. This subset is set by the for_context() method. By default, the api.Mixin implementation exposes:

..anyresource.api_id: The api id of the resource
..anyresource.urn: The urn of the resource
..anyresource.owning_user: The owning user of the resource (which has .urn, .api_id as normal). Users do not have this field

Your resources can override for_context() to provide a different, or extended set of properties:

def for_context(self):
    r = super().for_context()
    r['my_property`] = self.my_property
    return r

The returned properties are passed through attrdict - any dictionaries which should stay as dictionaries will need tagging to prevent attrdict converting them.

Properties Exposed by User

..user.owning_user: missing This field is not exposed to avoid infinite recursion

Properties Exposed by Role

..role.created_roles: A list of the Roles created by this Role

Syntax

statements[]

A list of statements. Each statement which has an opinion on the action can allow or disallow it. The first opinion is the one which applies.

statements[].actions

A list of actions this statement applies to. Each entry is a git wildcard, and can accept substitutions:

statements:
    -
        actions:
            - home/delete_user
            - */describe_{resource_type}
            - {application}/describe_*
        allow: true
        ...

statements[].allow

Whether this statement allows or disallows the action.

statements[].resources

The resources this statement applies to. This can be an expression or a list of strings.

statements:
    -
        actions:
            - home/delete_user
        allow: true
        resources:
            - u-0123456789abcdef
            - urn/home/user/joebloggs
        ...

statements:
    -
        actions:
            - process/get_runner_instruction
            - process/delete_runner
            - process/modify_job
            - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"

statements[].conditions optional

A list of conditions - all must be True:

statements:
    -
        actions:
            - process/get_runner_instruction
            - process/delete_runner
            - process/modify_job
            - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"
        conditions:
            - api.principal.username == 'joebloggs'

api

Inside A Policy

Substitutions and Expressions

Properties Exposed by User

Properties Exposed by Role

Syntax

On this page