ABAC #1169

Open
moshloop opened this issue Jul 16, 2024 · 0 comments

@moshloop (Member)

See https://casbin.org/docs/abac

Where request is:

```yaml
playbook:
  name: name
  id:
  labels: {}
config:
  name: name
  owners: []
  id:
  type: Kubernetes::Pod
  tags: {}
  path: []
teams: [] # teams the user is member of
```

Which would allow policies to be added like:

```yaml
kind: Permission
metadata:
  uid: abc
permissions:
  - action: playbook:run
    team: everyone
    inherited: true
    config:
      # ...selectorFields
      id: def # id of aws cluster
  - action: playbook:run
    owner: true
  - action: playbook:run
    team: SRE Team
    playbook: name or ID
```

Which corresponds to:

```csv
p, r.playbook.id == 'abc' && 'def' in r.config.path
p, r.playbook.id == 'abc' && r.sub.id in r.config.owners
p, r.playbook.id == 'abc' && 'everyone' in r.sub.teams && 'def' in r.config.path
```

And then from a UI perspective on a config item there would be a permission tab/table with:

| action | playbook | User/Team |
| --- | --- | --- |
| playbook:run | * | editors (default global policy) |

And on the playbook permissions tab

| action | playbook | User/Team |
| --- | --- | --- |
| playbook:run | * | editors (default policy) |
| playbook:run | playbook id | $owners |
| playbook:run | playbook id | SRE Team |

The permission table would need:

  • playbook_id (optional, if empty all playbooks)
  • config_id (optional if empty all configs)
  • config_selector (
  • inherited (id in r.config.id) or (id in r.config.path)
  • deny
  • action
  • user
  • team
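As an added illustration (not code from this issue or from Casbin), the permission-table rows listed above evaluated in Python against the request shape from the issue; the meanings of `$owners`, `everyone`, `inherited` and deny-overrides-allow are assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Request:
    action: str
    user_id: str              # r.sub.id
    teams: List[str]          # r.sub.teams: teams the user is a member of
    playbook_id: str          # r.playbook.id
    config_id: str            # r.config.id
    config_owners: List[str]  # r.config.owners
    config_path: List[str]    # r.config.path: ids of the config's ancestors

@dataclass
class Permission:
    """One row of the proposed permission table (field names from the issue)."""
    action: str
    playbook_id: Optional[str] = None  # None: all playbooks
    config_id: Optional[str] = None    # None: all configs
    inherited: bool = False            # True: also match ids in r.config.path
    deny: bool = False
    user: Optional[str] = None         # "$owners": r.sub.id in r.config.owners (assumed)
    team: Optional[str] = None         # "everyone": any user (assumed)

def matches(p: Permission, r: Request) -> bool:
    """Evaluate one row as a boolean condition over the request attributes."""
    if p.action != r.action:
        return False
    if p.playbook_id is not None and p.playbook_id != r.playbook_id:
        return False
    if p.config_id is not None:
        # inherited: id in r.config.path; otherwise only id == r.config.id
        scope = [r.config_id] + (r.config_path if p.inherited else [])
        if p.config_id not in scope:
            return False
    if p.user == "$owners":
        if r.user_id not in r.config_owners:
            return False
    elif p.user is not None and p.user != r.user_id:
        return False
    if p.team is not None and p.team != "everyone" and p.team not in r.teams:
        return False
    return True

def enforce(policies: List[Permission], r: Request) -> bool:
    """Allow if some row matches and no matching row is a deny (deny wins)."""
    hits = [p for p in policies if matches(p, r)]
    return bool(hits) and not any(p.deny for p in hits)
```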
moshloop added this to the v1.0.0 milestone Aug 14, 2024