Inside A Policy

A Policy is defined by a YAML description.

Allow anything to anything:

statements:
    -
        actions: "*"
        allow: true
        resources: "*"

Allow only home/delete_user:

statements:
    -
        actions:
            - home/delete_user
        allow: true
        resources: "*"

Substitutions and Expressions

Many fields accept substitutions, for example:

describe_{resource_type}

{ and } wrap a Python expression, and its value is substituted into the string. To produce a literal '{', double it up (double a literal '}' the same way, following Python's str.format convention):

describe_{{resource_type}}

Almost any Python expression is allowed, but there are restrictions to keep things secure. One of the restrictions is the set of values available. In Policies these are the values:

caller. ...
The user making the call. See later for the details of these fields
role. ...
The api id of the Role used for the call. See later for the details of these fields
arg. ...
The arguments to the method call.

When a Policy is used by a Role, or as part of a Resource's policies list, additional user-defined parameters can be set and are then available by name in expressions (the runner and jobs names in the Syntax examples below are parameters of this kind).

When a Policy is used in a Resource's policies list there is also:

resource. ...
The resource itself

For any resource only a safe subset of its properties is exposed to expressions; the resource object itself is never in scope. This subset is set by the for_context() method. By default, the api.Mixin implementation exposes:

..anyresource.api_id
The api id of the resource
..anyresource.urn
The urn of the resource
..anyresource.owning_user
The owning user of the resource (which has .urn, .api_id as normal). Users do not have this field

Your resources can override for_context() to provide a different, or extended set of properties:

def for_context(self):
    # Start from the safe subset exposed by api.Mixin, then add our own field
    r = super().for_context()
    r['my_property'] = self.my_property
    return r

The returned properties are passed through attrdict, so expressions reach them as attributes (resource.my_property); any dictionaries which should stay as dictionaries need tagging to prevent attrdict converting them.
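As an added example (not the project's own code), the following shows what a for_context() override does for a policy: only the returned subset is reachable from an expression, an attribute that was never exposed fails closed, and a tagged dictionary survives the attribute conversion. User, Resource, Job, RawDict, to_namespace and condition_holds are all constructed here for illustration; Resource stands in for api.Mixin, SimpleNamespace stands in for attrdict, and RawDict stands in for whatever tag attrdict actually uses, which the page does not show.

```python
from types import SimpleNamespace


class RawDict(dict):
    """Marker for a dictionary that must stay a dictionary. Stand-in for the
    tagging the page says attrdict needs; the real tag is not shown there."""


def to_namespace(value):
    # Stand-in for attrdict: dicts become attribute-accessible objects, recursively,
    # except RawDict-tagged ones, which are left as plain dicts for subscript access.
    if isinstance(value, RawDict):
        return value
    if isinstance(value, dict):
        return SimpleNamespace(**{k: to_namespace(v) for k, v in value.items()})
    if isinstance(value, list):
        return [to_namespace(v) for v in value]
    return value


class User:
    def __init__(self, api_id, urn):
        self.api_id, self.urn = api_id, urn


class Resource:
    """Minimal stand-in for api.Mixin: policies see api_id, urn and owning_user
    (with its own api_id and urn) and nothing else. Constructed for this example."""

    def __init__(self, api_id, urn, owning_user):
        self.api_id = api_id
        self.urn = urn
        self.owning_user = owning_user
        self.internal_token = "s3cr3t"  # must never reach a policy context

    def for_context(self):
        owner = self.owning_user
        return {
            "api_id": self.api_id,
            "urn": self.urn,
            "owning_user": {"api_id": owner.api_id, "urn": owner.urn},
        }


class Job(Resource):
    """A resource that extends the exposed subset, as the override above does."""

    def __init__(self, api_id, urn, owning_user, priority, labels):
        super().__init__(api_id, urn, owning_user)
        self.priority = priority
        self.labels = labels

    def for_context(self):
        r = super().for_context()
        r["priority"] = self.priority
        r["labels"] = RawDict(self.labels)  # keep resource.labels['team'] working
        return r


def condition_holds(expr, resource):
    """Evaluate a condition with only the safe subset in scope. An expression
    that reaches for anything not exposed fails closed and returns False.
    eval with empty builtins is not a sandbox by itself; it is used here only
    to show what the policy context does and does not contain."""
    ctx = {"resource": to_namespace(resource.for_context())}
    try:
        return bool(eval(expr, {"__builtins__": {}}, ctx))
    except Exception:
        return False


# Constructed sample objects
alice = User("u-0123456789abcdef", "urn/home/user/alice")
job = Job("j-00000001", "urn/process/job/1", alice, priority=7, labels={"team": "blue"})
```

The point to check in your own overrides is the negative case: a condition such as resource.internal_token == 's3cr3t' must fail, not silently succeed, because for_context() never returned that field.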

Properties Exposed by User

..user.owning_user
Not exposed, to avoid infinite recursion.

Properties Exposed by Role

..role.created_roles
A list of the Roles created by this Role

Syntax

statements[]
A list of statements. A statement has an opinion on an action when its actions, resources and conditions all match; each such statement either allows or disallows the action. The first opinion is the one which applies, so order matters: a narrow disallow placed before a broad allow takes precedence, and the same disallow placed after it is never reached.
statements[].actions
A list of actions this statement applies to. Each entry is a git-style wildcard pattern and accepts substitutions. Quote any entry that starts with '{', otherwise YAML parses it as a flow mapping rather than a string:
statements:
    -
        actions:
            - home/delete_user
            - */describe_{resource_type}
            - "{application}/describe_*"
        allow: true
        ...
statements[].allow
Whether this statement allows (true) or disallows (false) the action.
statements[].resources
The resources this statement applies to. This can be a list of strings, or a single string holding an expression whose value (a resource identifier or a list of them) is used:
statements:
    -
        actions:
            - home/delete_user
        allow: true
        resources:
            - u-0123456789abcdef
            - urn/home/user/joebloggs
        ...

or

statements:
    -
        actions:
            - process/get_runner_instruction
            - process/delete_runner
            - process/modify_job
            - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"
statements[].conditions (optional)
A list of expressions, all of which must evaluate to True for the statement to have an opinion:
statements:
    -
        actions:
            - process/get_runner_instruction
            - process/delete_runner
            - process/modify_job
            - process/start_job
        allow: true
        resources: "{[runner, *jobs]}"
        conditions:
            - api.principal.username == 'joebloggs'
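Putting the syntax together, here is an added Python evaluator (not the framework's own code) that applies the first-opinion rule to a constructed policy: it expands {expression} substitutions (with {{ and }} as literal braces), matches actions with fnmatch wildcards, accepts resources as a list or as a whole-string expression, and requires every condition to be True. The policy itself, the caller and parameter values, the restricted safe_eval (an AST allow-list that rejects calls and underscore-prefixed names) and the default-deny in is_allowed are all assumptions made for this example; the conditions use caller.username, one of the context values listed earlier, and the policy is given in the parsed form yaml.safe_load would return so that no YAML library is needed.

```python
import ast
import fnmatch
import re
from types import SimpleNamespace

# Constructed policy, in the form yaml.safe_load returns for the YAML above.
# In YAML, entries starting with '{' must be quoted.
POLICY = {"statements": [
    {   # explicit disallow first: the first opinion applies, so it wins over later allows
        "actions": ["process/delete_runner"],
        "allow": False, "resources": "*",
        "conditions": ["caller.username != 'joebloggs'"],
    },
    {
        "actions": ["process/get_runner_instruction", "process/delete_runner",
                    "process/modify_job", "process/start_job"],
        "allow": True, "resources": "{[runner, *jobs]}",
        "conditions": ["caller.username == 'joebloggs'"],
    },
    {
        "actions": ["*/describe_{resource_type}", "{application}/describe_*"],
        "allow": True, "resources": "*",
    },
]}

# Assumed restriction: an AST allow-list of literals, names, attribute/index access,
# comparisons, boolean/arithmetic operators and list building. Calls, lambdas,
# comprehensions and underscore-prefixed names are rejected before anything runs.
_ALLOWED = (ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute,
            ast.Subscript, ast.Compare, ast.BoolOp, ast.UnaryOp, ast.BinOp,
            ast.List, ast.Tuple, ast.Starred, ast.cmpop, ast.boolop, ast.unaryop,
            ast.operator)

def safe_eval(expr, names):
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed syntax in {expr!r}: {type(node).__name__}")
        ident = getattr(node, "attr", None) or getattr(node, "id", None)
        if ident and ident.startswith("_"):
            raise ValueError(f"private name {ident!r} in {expr!r}")
    return eval(compile(tree, "<policy>", "eval"), {"__builtins__": {}}, dict(names))

def is_rejected(expr, names):
    try:
        safe_eval(expr, names)
    except ValueError:
        return True
    return False

_TOKEN = re.compile(r"\{\{|\}\}|\{([^{}]*)\}")

def substitute(template, names):
    """Expand {expr} tokens; '{{' and '}}' become literal braces."""
    def repl(m):
        tok = m.group(0)
        if tok in ("{{", "}}"):
            return tok[0]
        return str(safe_eval(m.group(1), names))
    return _TOKEN.sub(repl, template)

def resource_patterns(spec, names):
    """resources: a list of strings, a single pattern, or one whole-string
    expression whose value is a string or a list of strings."""
    if isinstance(spec, list):
        return [substitute(s, names) for s in spec]
    whole = re.fullmatch(r"\{([^{}]*)\}", spec)
    if whole:
        value = safe_eval(whole.group(1), names)
        return [str(v) for v in value] if isinstance(value, (list, tuple)) else [str(value)]
    return [substitute(spec, names)]

def evaluate(policy, action, resource, names):
    """Opinion of the first matching statement: True (allow), False (disallow),
    or None when no statement has an opinion."""
    for st in policy["statements"]:
        actions = st["actions"] if isinstance(st["actions"], list) else [st["actions"]]
        if not any(fnmatch.fnmatchcase(action, substitute(p, names)) for p in actions):
            continue
        patterns = resource_patterns(st["resources"], names)
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        if not all(bool(safe_eval(c, names)) for c in st.get("conditions", [])):
            continue
        return bool(st["allow"])
    return None

def is_allowed(policy, action, resource, names):
    # Assumption: no opinion means denied; the page does not state the framework's default.
    return evaluate(policy, action, resource, names) is True

def context(username, **params):
    # caller plus the user-defined parameters a Role or Resource can set;
    # SimpleNamespace stands in for attrdict's attribute access.
    return {"caller": SimpleNamespace(username=username), **params}

PARAMS = dict(resource_type="user", application="home", runner="r-1", jobs=["j-1", "j-2"])
JOE, MALLORY = context("joebloggs", **PARAMS), context("mallory", **PARAMS)
```

Two behaviours are worth confirming against your own policies: a disallow statement only blocks what comes after it, so evaluate(POLICY, "process/delete_runner", "r-1", MALLORY) is False while the same call for JOE falls through to the allow; and a request that no statement covers, such as process/start_job on a job not in jobs, yields no opinion at all, which is_allowed treats as denied.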