actor UserModel {}
resource ProcessorModel {
    # Actions that can be checked through has_permission(actor, action, processor).
    permissions = ["read", "push", "delete"];
    # Roles on a processor; membership is decided by the has_role/3 rule in this file.
    roles = ["contributor", "maintainer", "admin"];

    # Role hierarchy: admin implies maintainer, maintainer implies contributor.
    "maintainer" if "admin";
    "contributor" if "maintainer";

    # Permission grants per role; higher roles inherit these via the hierarchy above.
    "read" if "contributor";
    "push" if "maintainer";
    "delete" if "admin";
}
allow(actor, action, resource) if has_permission(actor, action, resource);
# A user may read their own user record (matched by name) ...
allow(user: UserModel, "read", other: UserModel) if
    user.name = other.name;

# ... and a user holding the "admin" role may read any user record.
allow(user: UserModel, "read", _: UserModel) if
    role in user.roles and
    role.name = "admin";
# A call record is readable by the user whose name matches its owner field.
# NOTE(review): the unconditional allow(_: UserModel, "read", _: CallModel)
# later in this file grants read to every user, so this ownership check is not
# restrictive on its own.
allow(user: UserModel, "read", call: CallModel) if
    user.name = call.owner;
# Need to read from socket table to be able to execute task
# The socket's owner may read it ...
allow(user: UserModel, "read", socket: SocketModel) if
    user.name = socket.owner;

# ... and so may any user holding the "admin" role.
# NOTE(review): the unconditional allow(_: UserModel, "read", _: SocketModel)
# later in this file already grants read to every user, so neither check above
# limits access on its own.
allow(user: UserModel, "read", _: SocketModel) if
    role in user.roles and
    role.name = "admin";
# Privilege based access
# A log is readable only when both hold: the user carries READ_LOG (directly or
# via a role, see has_privilege) and the log is flagged public.
# NOTE(review): the unconditional allow(_: UserModel, "read", _: LogModel) later
# in this file grants read to every user regardless of these two conditions.
allow(user: UserModel, "read", log: LogModel) if
    has_privilege(user, "READ_LOG", log) and
    log.public = true;
# Contributors may read a processor. This duplicates what the generic
# allow/has_permission rule and the ProcessorModel resource block already grant
# ("read" if "contributor"); unlike that path it does not follow the role
# hierarchy, but maintainers and admins still get read via has_permission.
allow(user: UserModel, "read", processor: ProcessorModel) if
has_role(user, "contributor", processor);
# Direct grant: a privilege with the requested name is attached to the user.
has_privilege(user: UserModel, priv_name: String, _: LogModel) if
    privilege in user.privileges and
    privilege.name = priv_name;

# Indirect grant: a privilege with the requested name is attached to one of
# the user's roles.
has_privilege(user: UserModel, priv_name: String, _: LogModel) if
    role in user.roles and
    priv in role.privileges and
    priv.name = priv_name;
# Role membership hook consulted by the ProcessorModel resource block: the user
# has role_name on a processor when one of their roles carries that exact name.
# Note the processor argument is ignored, so roles are global, not per-processor.
has_role(user: UserModel, role_name: String, _: ProcessorModel) if
    held in user.roles and
    held.name = role_name;
# Blanket read grants: every UserModel may read every instance of the types below.
# NOTE(review): allow rules are disjunctive, so the CallModel, LogModel and
# SocketModel entries here make the owner / public+privilege checks in the
# narrower read rules above non-restrictive -- any authenticated user reads every
# call, log and socket. If those checks are meant to limit access, remove the
# CallModel, LogModel and SocketModel lines from this list.
# NOTE(review): PasswordModel is readable by every user here; confirm that the
# model exposes no secret material to readers.
allow(_: UserModel, "read", _: PasswordModel);
allow(_: UserModel, "read", _: WorkerModel);
allow(_: UserModel, "read", _: PrivilegeModel);
allow(_: UserModel, "read", _: AgentModel);
allow(_: UserModel, "read", _: FileModel);
allow(_: UserModel, "read", _: EventModel);
allow(_: UserModel, "read", _: NodeModel);
allow(_: UserModel, "read", _: PlugModel);
allow(_: UserModel, "read", _: TaskModel);
allow(_: UserModel, "read", _: CallModel);
allow(_: UserModel, "read", _: LogModel);
allow(_: UserModel, "read", _: QueueModel);
allow(_: UserModel, "read", _: SocketModel);
allow(_: UserModel, "read", _: RoleModel);
allow(_: UserModel, "read", _: SchedulerModel);
allow(_: UserModel, "read", _: ArgumentModel);
allow(_: UserModel, "read", _: DeploymentModel);
allow(_: UserModel, "read", _: NetworkModel);