path: root/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin
Diffstat (limited to 'moonv4/moon_orchestrator/conf/policies/policy_rbac_admin')
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json48
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json18
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json12
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json42
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json94
-rw-r--r--moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json48
6 files changed, 262 insertions, 0 deletions
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
new file mode 100644
index 00000000..f2378333
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
@@ -0,0 +1,48 @@
+{
+ "subject_assignments": {
+ "role": {
+ "admin": ["root_role"],
+ "demo": ["dev_role"]
+ }
+ },
+ "action_assignments": {
+ "action_id": {
+ "read": ["read"],
+ "write": ["write"]
+ }
+ },
+ "object_assignments": {
+ "object_id": {
+ "authz.subjects": ["authz.subjects"],
+ "authz.objects": ["authz.objects"],
+ "authz.actions": ["authz.actions"],
+ "authz.subject_categories": ["authz.subject_categories"],
+ "authz.object_categories": ["authz.object_categories"],
+ "authz.action_categories": ["authz.action_categories"],
+ "authz.subject_scopes": ["authz.subject_scopes"],
+ "authz.object_scopes": ["authz.object_scopes"],
+ "authz.action_scopes": ["authz.action_scopes"],
+ "authz.subject_assignments": ["authz.subject_assignments"],
+ "authz.object_assignments": ["authz.object_assignments"],
+ "authz.action_assignments": ["authz.action_assignments"],
+ "authz.aggregation_algorithm": ["authz.aggregation_algorithm"],
+ "authz.sub_meta_rules": ["authz.sub_meta_rules"],
+ "authz.rules": ["authz.rules"],
+ "admin.subjects": ["admin.subjects"],
+ "admin.objects": ["admin.objects"],
+ "admin.actions": ["admin.actions"],
+ "admin.subject_categories": ["admin.subject_categories"],
+ "admin.object_categories": ["admin.object_categories"],
+ "admin.action_categories": ["admin.action_categories"],
+ "admin.subject_scopes": ["admin.subject_scopes"],
+ "admin.object_scopes": ["admin.object_scopes"],
+ "admin.action_scopes": ["admin.action_scopes"],
+ "admin.subject_assignments": ["admin.subject_assignments"],
+ "admin.object_assignments": ["admin.object_assignments"],
+ "admin.action_assignments": ["admin.action_assignments"],
+ "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+ "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+ "admin.rules": ["admin.rules"]
+ }
+ }
+}
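Review bot: A `demo` subject bound to `dev_role` is shipped inside what the path names an admin policy, and rule.json in this same commit gives that role read access to every `authz.*` and `admin.*` object. If these files are loaded unchanged into a deployment, `demo` becomes a standing account that can read the whole policy, including which subject holds `root_role`; keep it to development fixtures or state in the policy metadata that it must be removed before production. The object assignments map each name onto a same-named scope value (`"authz.subjects": ["authz.subjects"]`), which is valid but worth a sentence of documentation so a reader does not take the repetition for a copy error.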
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
new file mode 100644
index 00000000..9ee8a11d
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC Admin Policy",
+ "model": "RBAC",
+ "genre": "admin",
+ "description": "",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "action_id"
+ ],
+
+ "object_categories": [
+ "object_id"
+ ]
+}
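Review bot: `description` is left as an empty string on the line `+ "description": "",`, so the policy carries no human-readable statement of what it grants. Fill it in from what rule.json in this commit shows, e.g. `"description": "Administrative RBAC policy: root_role has read and write on all authz.* and admin.* objects; dev_role has read only"`, so operators listing policies can see the scope without opening the rule file. The blank `+` lines between the category arrays are harmless, but none of the sibling files in this commit use them.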
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
new file mode 100644
index 00000000..86dbfad2
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "rbac_rule": {
+ "subject_categories": ["role"],
+ "action_categories": ["action_id"],
+ "object_categories": ["object_id"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
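Review bot: The file ends with an extra empty line after the closing brace (the last `+` line of the hunk), which none of the other five files in this commit have; drop it so the six files are formatted alike. The `"aggregation": "all_true"` setting applies to a single sub-meta-rule here, so it is presumably vacuous until a second one is added — a short note in the policy's description saying that every sub-meta-rule must match once more are added would spare the next reader a lookup.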
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
new file mode 100644
index 00000000..1155533e
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
@@ -0,0 +1,42 @@
+{
+ "subjects": [
+ "admin",
+ "demo"
+ ],
+ "actions": [
+ "read",
+ "write"
+ ],
+ "objects": [
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_scopes",
+ "authz.object_scopes",
+ "authz.action_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_scopes",
+ "admin.object_scopes",
+ "admin.action_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
+}
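Review bot: The same 30-entry object list is hand-copied here and again under `object_assignments` in assignment.json, `object_scopes` in scope.json and the third column of rule.json in this commit, so an object added to one file and forgotten in another would surface only as an unexpected deny or a missing rule at authorization time rather than at load. Since the loader is not visible here, consider either deriving the scope and assignment lists from this perimeter when the policy is loaded, or adding a load-time check that every entry in `objects` has a matching `object_id` scope and assignment and that no rule references an object outside the perimeter. The same applies to `subjects` and `actions`, which are likewise repeated in the other three files.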
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
new file mode 100644
index 00000000..c89ceff3
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
@@ -0,0 +1,94 @@
+{
+ "rbac_rule":[
+ ["root_role" , "read", "authz.subjects"],
+ ["root_role" , "read", "authz.objects"],
+ ["root_role" , "read", "authz.actions"],
+ ["root_role" , "read", "authz.subject_categories"],
+ ["root_role" , "read", "authz.object_categories"],
+ ["root_role" , "read", "authz.action_categories"],
+ ["root_role" , "read", "authz.subject_scopes"],
+ ["root_role" , "read", "authz.object_scopes"],
+ ["root_role" , "read", "authz.action_scopes"],
+ ["root_role" , "read", "authz.subject_assignments"],
+ ["root_role" , "read", "authz.object_assignments"],
+ ["root_role" , "read", "authz.action_assignments"],
+ ["root_role" , "read", "authz.aggregation_algorithm"],
+ ["root_role" , "read", "authz.sub_meta_rules"],
+ ["root_role" , "read", "authz.rules"],
+ ["root_role" , "write", "authz.subjects"],
+ ["root_role" , "write", "authz.objects"],
+ ["root_role" , "write", "authz.actions"],
+ ["root_role" , "write", "authz.subject_categories"],
+ ["root_role" , "write", "authz.object_categories"],
+ ["root_role" , "write", "authz.action_categories"],
+ ["root_role" , "write", "authz.subject_scopes"],
+ ["root_role" , "write", "authz.object_scopes"],
+ ["root_role" , "write", "authz.action_scopes"],
+ ["root_role" , "write", "authz.subject_assignments"],
+ ["root_role" , "write", "authz.object_assignments"],
+ ["root_role" , "write", "authz.action_assignments"],
+ ["root_role" , "write", "authz.aggregation_algorithm"],
+ ["root_role" , "write", "authz.sub_meta_rules"],
+ ["root_role" , "write", "authz.rules"],
+ ["root_role" , "read", "admin.subjects"],
+ ["root_role" , "read", "admin.objects"],
+ ["root_role" , "read", "admin.actions"],
+ ["root_role" , "read", "admin.subject_categories"],
+ ["root_role" , "read", "admin.object_categories"],
+ ["root_role" , "read", "admin.action_categories"],
+ ["root_role" , "read", "admin.subject_scopes"],
+ ["root_role" , "read", "admin.object_scopes"],
+ ["root_role" , "read", "admin.action_scopes"],
+ ["root_role" , "read", "admin.subject_assignments"],
+ ["root_role" , "read", "admin.object_assignments"],
+ ["root_role" , "read", "admin.action_assignments"],
+ ["root_role" , "read", "admin.aggregation_algorithm"],
+ ["root_role" , "read", "admin.sub_meta_rules"],
+ ["root_role" , "read", "admin.rules"],
+ ["root_role" , "write", "admin.subjects"],
+ ["root_role" , "write", "admin.objects"],
+ ["root_role" , "write", "admin.actions"],
+ ["root_role" , "write", "admin.subject_categories"],
+ ["root_role" , "write", "admin.object_categories"],
+ ["root_role" , "write", "admin.action_categories"],
+ ["root_role" , "write", "admin.subject_scopes"],
+ ["root_role" , "write", "admin.object_scopes"],
+ ["root_role" , "write", "admin.action_scopes"],
+ ["root_role" , "write", "admin.subject_assignments"],
+ ["root_role" , "write", "admin.object_assignments"],
+ ["root_role" , "write", "admin.action_assignments"],
+ ["root_role" , "write", "admin.aggregation_algorithm"],
+ ["root_role" , "write", "admin.sub_meta_rules"],
+ ["root_role" , "write", "admin.rules"],
+ ["dev_role" , "read", "authz.subjects"],
+ ["dev_role" , "read", "authz.objects"],
+ ["dev_role" , "read", "authz.actions"],
+ ["dev_role" , "read", "authz.subject_categories"],
+ ["dev_role" , "read", "authz.object_categories"],
+ ["dev_role" , "read", "authz.action_categories"],
+ ["dev_role" , "read", "authz.subject_scopes"],
+ ["dev_role" , "read", "authz.object_scopes"],
+ ["dev_role" , "read", "authz.action_scopes"],
+ ["dev_role" , "read", "authz.subject_assignments"],
+ ["dev_role" , "read", "authz.object_assignments"],
+ ["dev_role" , "read", "authz.action_assignments"],
+ ["dev_role" , "read", "authz.aggregation_algorithm"],
+ ["dev_role" , "read", "authz.sub_meta_rules"],
+ ["dev_role" , "read", "authz.rules"],
+ ["dev_role" , "read", "admin.subjects"],
+ ["dev_role" , "read", "admin.objects"],
+ ["dev_role" , "read", "admin.actions"],
+ ["dev_role" , "read", "admin.subject_categories"],
+ ["dev_role" , "read", "admin.object_categories"],
+ ["dev_role" , "read", "admin.action_categories"],
+ ["dev_role" , "read", "admin.subject_scopes"],
+ ["dev_role" , "read", "admin.object_scopes"],
+ ["dev_role" , "read", "admin.action_scopes"],
+ ["dev_role" , "read", "admin.subject_assignments"],
+ ["dev_role" , "read", "admin.object_assignments"],
+ ["dev_role" , "read", "admin.action_assignments"],
+ ["dev_role" , "read", "admin.aggregation_algorithm"],
+ ["dev_role" , "read", "admin.sub_meta_rules"],
+ ["dev_role" , "read", "admin.rules"]
+ ]
+}
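Review bot: `dev_role` is granted `read` on every `admin.*` object (the rows from `["dev_role" , "read", "admin.subjects"]` through `["dev_role" , "read", "admin.rules"]`) in addition to every `authz.*` object, which lets any subject holding that role enumerate the full administrative policy, including `admin.subject_assignments` and `admin.rules`. If the intent is least privilege, restrict `dev_role` to the `authz.*` rows, or record in the policy description why read access to the admin policy is required. Separately, the rows are written `["root_role" , "read", ...]` with a space before the first comma while the header is `"rbac_rule":[` with none; normalize to `["root_role", "read", ...]` and `"rbac_rule": [` so a generated or `jq`-formatted version of the file would not produce a whole-file diff.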
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
new file mode 100644
index 00000000..149056a6
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
@@ -0,0 +1,48 @@
+{
+ "subject_scopes": {
+ "role": [
+ "root_role",
+ "dev_role"
+ ]
+ },
+ "action_scopes": {
+ "action_id": [
+ "read",
+ "write"
+ ]
+ },
+ "object_scopes": {
+ "object_id": [
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_scopes",
+ "authz.object_scopes",
+ "authz.action_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_scopes",
+ "admin.object_scopes",
+ "admin.action_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
+ }
+}