#!/usr/bin/env bash
#
# Scenario script for the Moon authorization service: an authz
# intra-extension refuses a change to its object assignments until an admin
# intra-extension grants the requesting role write access on that table,
# after which the same command is expected to succeed.
#
# Placeholders: every `...` token (e.g. `test_authz_uuid`) and every "xxx" is
# a value to fill in by hand from the output of the preceding `moon`
# commands. NOTE(review): as written, bash treats the backtick tokens as
# command substitutions and would try to execute commands of those names, so
# this file documents the command sequence rather than running verbatim.
#
# Requirements: an `openrc` file that can be sourced with a user name as its
# argument, and the `moon` CLI on PATH. No exit status is checked (no set -e,
# no `||`), so a refused step does not stop the run; each outcome has to be
# verified in the printed output.
#
# as user demo
. openrc demo
# create authz intraextension (policy_mls_authz presumably names the policy
# template to instantiate — confirm against the moon CLI help)
moon intraextension add policy_mls_authz test_authz
# create admin intraextension (policy_rbac_admin, same remark as above)
moon intraextension add policy_rbac_admin test_admin
# create tenant "demo" bound to both intraextensions; replace each xxx with
# the authz / admin intraextension UUID printed by the commands above
moon tenant add --authz xxx --admin xxx demo
# select the authz intraextension (not the tenant) for the following commands
moon intraextension select `test_authz_uuid`
# check that moon blocks modification of object assignments: the write
# permission is only granted further down, so this call is expected to be
# refused here (expected outcome, not an error in the script)
moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
# as user admin
. openrc admin
# select the admin intraextension
moon intraextension select `test_admin_uuid`
# add write permission to the dev_role user for assignment table
# (the bracketed list is kept in the original notation; presumably
# role, action, target table of the authz intraextension — confirm the exact
# argument form expected by `moon rule add`)
moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
# as user demo
. openrc demo
# select the authz intraextension
moon intraextension select `test_authz_uuid`
# check that moon now authorizes demo to modify the object assignment table
# (same command as the refused attempt above; only the admin rule changed)
moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`