@andrewsmedina
Last active September 15, 2015 19:45

tsuru new authorization system

This document is a draft for issue #1220.

The goal is to change the authorization system to be more flexible, based on users, permissions and roles. A user can have more than one role, and a role can have one or more permissions.

Use cases

These are examples of roles that the new authorization system should support:

admin

  • can do everything
  • can create roles
  • can add and remove permissions in all roles
  • can add roles to users

cloud manager

  • can create pools
  • can add nodes to pools
  • can remove nodes
  • can't remove users
  • can't remove users from teams
  • can't remove apps from nodes
  • can add 'pool managers' to a specific pool

team leader in team 'x'

  • can create users
  • can create team 'x'
  • can add and remove users (team members) in team 'x'
  • can unlock team 'x' apps
  • can create team 'x' apps

team member in team 'x'

  • can deploy in the team 'x' apps
  • can see team 'x' apps
  • can't remove team 'x' apps
  • can see members of team 'x'
  • can't add new users to team 'x'
  • can't remove users from team 'x'
  • can't create team 'x' apps

pool manager for pool 'z'

  • can rebalance pool 'z'
  • can move unit between pool 'z' nodes
  • can see all apps in pool 'z'
  • can't remove apps in pool 'z'
  • can add units in pool 'z' apps

service manager

  • can create new services
  • can view service instances related with its services
  • allow and disallow teams to use its services

read-only developer in app 'y'

  • can see app 'y'
  • can view app 'y' logs and envs
  • can't set and unset envs in app 'y'
  • can't deploy to app 'y'

How to check permissions

permissions.Check(name, contextType, context)

permissions.Check("deploy-team", Team, "avengers")

permissions.Check("app-create", Global, nil)

Adding permissions

permissions.Register(name, contextType)

permissions.Register("deploy-team", Team)

Client commands

tsuru team-create avengers

tsuru role-add team-leader contextType=contextValue

tsuru role-add team-leader team=avengers

tsuru role-permission-add team-leader deploy-team

@cezarsa

cezarsa commented Sep 15, 2015

tsuru role-add <role name> <context type>
tsuru role-permission-add <role name> <permission name>
tsuru user-role-add <role name> <context value>

e.g.

tsuru role-add team-member team
tsuru role-permission-add team-member "app.deploy" "app.update"
tsuru user-role-add myuser team-member teamA

@cezarsa

cezarsa commented Sep 15, 2015

func restart(w http.ResponseWriter, r *http.Request, t auth.Token) error {
    ...
    permissions.Check(u, "app.update.restart", []permissions.ContextInstance{
        permissions.Global,
        permissions.App{Name: appName},
        permissions.Team{Teams: u.Teams()},
        permissions.Pool{Name: instance.Pool},
    })
    ...
}
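One way the pieces above fit together, as a single added Go example that is not tsuru's code and not code by either participant: the permissions.Register / permissions.Check API from the gist body, the role-add / role-permission-add / user-role-add flow from the first comment, and the hierarchical permission names plus the list of context instances passed by the restart handler in the second comment. Everything below that the page does not state is an assumption made here: roles are stored in in-memory maps, a permission name grants every dotted sub-name (holding "app.update" satisfies "app.update.restart"), a role assignment needs a context value exactly when the role is not global, Check fails closed for names nobody registered, and the fixtures in Scenario (users root and bob, teams avengers and xmen, apps y and z) are constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// ContextType is the kind of scope a role is bound to; the concrete value
// (which team, which app) is supplied when the role is assigned to a user.
type ContextType string

const CtxGlobal, CtxTeam, CtxApp ContextType = "global", "team", "app"

// ContextInstance is one concrete scope; the global one has an empty Value.
type ContextInstance struct{ Type ContextType; Value string }

var Global = ContextInstance{Type: CtxGlobal}

type Role struct {
	ContextType ContextType
	Permissions map[string]bool
}

// RoleAssignment is a role granted to a user for one context instance.
type RoleAssignment struct{ Role string; Context ContextInstance }

type User struct{ Roles []RoleAssignment }

// In-memory stand-ins for the stored permissions and roles (assumed here;
// the page does not describe storage).
var perms, roles = map[string]bool{}, map[string]*Role{}

// Register declares permission names (permissions.Register on the page).
func Register(names ...string) {
	for _, n := range names {
		perms[n] = true
	}
}

// RoleAdd mirrors `tsuru role-add <role name> <context type>`.
func RoleAdd(name string, ct ContextType) {
	roles[name] = &Role{ContextType: ct, Permissions: map[string]bool{}}
}

// RolePermissionAdd mirrors `tsuru role-permission-add <role> <perm>...`;
// unregistered names are rejected, so a typo grants nothing.
func RolePermissionAdd(role string, names ...string) error {
	r, ok := roles[role]
	if !ok {
		return fmt.Errorf("role %q not found", role)
	}
	for _, p := range names {
		if !perms[p] {
			return fmt.Errorf("permission %q is not registered", p)
		}
		r.Permissions[p] = true
	}
	return nil
}

// UserRoleAdd mirrors `tsuru user-role-add <user> <role> <context value>`;
// a context value is required exactly when the role is not global (assumed).
func UserRoleAdd(u *User, role, ctxValue string) error {
	r, ok := roles[role]
	if !ok {
		return fmt.Errorf("role %q not found", role)
	}
	if (r.ContextType == CtxGlobal) != (ctxValue == "") {
		return fmt.Errorf("role %q is bound to %s context; got value %q", role, r.ContextType, ctxValue)
	}
	u.Roles = append(u.Roles, RoleAssignment{role, ContextInstance{r.ContextType, ctxValue}})
	return nil
}

// roleGrants applies the hierarchical names from the comments (assumed
// prefix rule): a role holding "app.update" also satisfies "app.update.restart".
func roleGrants(r *Role, wanted string) bool {
	for g := range r.Permissions {
		if g == wanted || strings.HasPrefix(wanted, g+".") {
			return true
		}
	}
	return false
}

// Check answers "may u do perm in any of these contexts?". The handler passes
// every context the action happens in (global, the app, its team, its pool);
// an assignment matches only on an exact (type, value) pair, and unregistered
// permission names fail closed.
func Check(u *User, perm string, contexts []ContextInstance) bool {
	if !perms[perm] {
		return false
	}
	for _, a := range u.Roles {
		r := roles[a.Role]
		for _, c := range contexts {
			if r != nil && c == a.Context && roleGrants(r, perm) {
				return true
			}
		}
	}
	return false
}

// Scenario wires constructed roles and users for the "admin" and "team
// member" use cases and returns each check's outcome by label.
func Scenario() (map[string]bool, error) {
	perms, roles = map[string]bool{}, map[string]*Role{}
	Register("app", "team", "app.create", "app.deploy", "app.update", "app.update.restart")
	RoleAdd("admin", CtxGlobal)
	RoleAdd("team-member", CtxTeam)
	root, bob := &User{}, &User{}
	for _, err := range []error{
		RolePermissionAdd("admin", "app", "team"), // bare prefixes stand in for "can do everything"
		RolePermissionAdd("team-member", "app.deploy", "app.update"),
		UserRoleAdd(root, "admin", ""),
		UserRoleAdd(bob, "team-member", "avengers"),
	} {
		if err != nil {
			return nil, err
		}
	}
	// Constructed fixtures: app "y" belongs to team "avengers", app "z" to "xmen".
	y := []ContextInstance{Global, {CtxApp, "y"}, {CtxTeam, "avengers"}}
	z := []ContextInstance{Global, {CtxApp, "z"}, {CtxTeam, "xmen"}}
	return map[string]bool{
		"bob deploys y":      Check(bob, "app.deploy", y),
		"bob restarts y":     Check(bob, "app.update.restart", y), // via the app.update prefix
		"bob creates app":    Check(bob, "app.create", y),
		"bob deploys z":      Check(bob, "app.deploy", z),
		"root creates app":   Check(root, "app.create", []ContextInstance{Global}),
		"root unknown perm":  Check(root, "app.delete", y),
		"admin given a team": UserRoleAdd(root, "admin", "avengers") != nil,
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for label, allowed := range out {
		fmt.Printf("%-20s %v\n", label, allowed)
	}
}
```

Running it prints one line per label. Two choices carry the security weight: Check refuses names that were never registered rather than treating them as "no role mentions it, so deny by accident", and RolePermissionAdd refuses them too, so a mistyped permission can never be silently granted. The contexts slice is whatever the handler decides the action touches, exactly as the restart handler above lists the global, app, team and pool scopes; a team-scoped assignment only matches when the matching team instance is in that list, which is why bob can deploy y but not z.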
