A Policy is defined by a YAML description.
Allow anything to anything:

    statements:
      -
        actions: "*"
        allow: true
        resources: "*"

Allow only home/delete_user:

    statements:
      -
        actions:
          - home/delete_user
        allow: true
        resources: "*"
Very often, substitutions are allowed:

    describe_{resource_type}

{ and } wrap a Python expression, and its value is substituted. To have a literal '{', double it up:

    describe_{{resource_type}
Almost any Python expression is allowed, but there are restrictions to keep things secure. One of the restrictions is the set of values available. In Policies these are the values:

    caller. ...
    role. ...
    arg. ...

When a Policy is used by a Role, or as part of a Resource's policies list, additional, user-defined parameters can be set.

When a Policy is used in a Resource's policies list there is also:

    resource. ...
For any resource only a safe subset of properties is exposed. This subset is set by the for_context() method. By default, the api.Mixin implementation exposes:

    anyresource.api_id
    anyresource.urn
    anyresource.owning_user (.urn, .api_id as normal). Users do not have this field.

Your resources can override for_context() to provide a different, or extended, set of properties:

    def for_context(self):
        # start from the safe subset exposed by the base implementation
        r = super().for_context()
        # and add a property of our own (the key must be a properly quoted string)
        r['my_property'] = self.my_property
        return r
The returned properties are passed through attrdict - any dictionaries which should stay as dictionaries will need tagging to prevent attrdict converting them.
    user.owning_user
    role.created_roles
statements[]

statements[].actions

    statements:
      -
        actions:
          - home/delete_user
          - */describe_{resource_type}
          - {application}/describe_*
        allow: true
    ...
statements[].allow

statements[].resources

    statements:
      -
        actions:
          - home/delete_user
        allow: true
        resources:
          - u-0123456789abcdef
          - urn/home/user/joebloggs
    ...

or

    statements:
      -
        actions:
          - process/get_runner_instruction
          - process/delete_runner
          - process/modify_job
          - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"
statements[].conditions (optional; default True)

    statements:
      -
        actions:
          - process/get_runner_instruction
          - process/delete_runner
          - process/modify_job
          - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"
        conditions:
          - api.principal.username == 'joebloggs'
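As an added example, not the project's own code, here is a minimal evaluator for the policy format described above: it expands {expr} substitutions (including a lone expression that yields a list, as in "{[runner, *jobs]}"), matches action and resource patterns, checks conditions against a restricted context, and builds the resource entry from a hypothetical for_context() that exposes only the safe subset. The Runner class, safe_eval, substitute, evaluate, the first-match/default-deny rule and every context value are assumptions; the policy is the Python equivalent of the last YAML example.

```python
from fnmatch import fnmatchcase
from types import SimpleNamespace

class Runner:
    """Hypothetical resource; for_context() exposes only the safe subset (not 'secret')."""
    def __init__(self, api_id, urn, owning_user, secret):
        self.api_id, self.urn, self.owning_user, self.secret = api_id, urn, owning_user, secret
    def for_context(self):
        return {"api_id": self.api_id, "urn": self.urn, "owning_user": self.owning_user}

def safe_eval(expr, ctx):
    # Illustrative only: builtins removed, names limited to ctx. A real policy
    # engine needs a proper expression sandbox rather than eval().
    return eval(expr, {"__builtins__": {}}, dict(ctx))

def substitute(text, ctx):
    """Expand {expr}; '{{' is a literal '{'; a lone expression yielding a list gives one value per item."""
    out, i = "", 0
    while i < len(text):
        if text.startswith("{{", i):
            out, i = out + "{", i + 2
        elif text[i] == "{":
            j = text.index("}", i)
            value = safe_eval(text[i + 1:j], ctx)
            if text == text[i:j + 1] and isinstance(value, list):
                return [str(v) for v in value]
            out, i = out + str(value), j + 1
        else:
            out, i = out + text[i], i + 1
    return [out]

def evaluate(policy, action, resource_id, ctx):
    """True when a statement matches action, resource and conditions and allows it."""
    for st in policy["statements"]:
        acts = st["actions"] if isinstance(st["actions"], list) else [st["actions"]]
        ress = st["resources"] if isinstance(st["resources"], list) else [st["resources"]]
        if (any(fnmatchcase(action, p) for a in acts for p in substitute(a, ctx))
                and any(fnmatchcase(resource_id, p) for r in ress for p in substitute(r, ctx))
                and all(safe_eval(c, ctx) for c in st.get("conditions", []))):
            return bool(st["allow"])  # first matching statement decides (assumption)
    return False  # no statement matched: default deny

# Constructed sample policy and the context a Role would supply
# (runner, jobs and resource_type stand in for user-defined parameters).
POLICY = {"statements": [{"actions": ["*/describe_{resource_type}", "process/start_job"],
    "allow": True, "resources": "{[runner, *jobs]}",
    "conditions": ["api.principal.username == 'joebloggs'", "resource.owning_user == caller.username"]}]}
RUNNER = Runner("r-001", "urn/process/runner/r-001", "joebloggs", secret="do-not-expose")
CTX = {"caller": SimpleNamespace(username="joebloggs"), "resource_type": "runner",
       "api": SimpleNamespace(principal=SimpleNamespace(username="joebloggs")),
       "resource": SimpleNamespace(**RUNNER.for_context()),  # safe subset only, no 'secret'
       "runner": "r-001", "jobs": ["j-1", "j-2"]}
```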