This document is a draft for the issue #1220
The goal is to change the authorization system to be more flexible based on users, permissions and roles. An user can have more than one role, and a role can have one or more permissions.
These are examples of roles that the new authorization system should support:
- can do eveything
- can create roles
- can add and remove permissions in all roles
- can add roles in users
- can create pools
- can add nodes to pools
- can remove nodes
- can't remove users
- can't remove users from teams
- cant remove apps from nodes
- can add 'pool managers' to a specific pool
- can create users
- can create team 'x'
- can add and remove users (team membems) in team 'x'
- can unlock team 'x' apps
- can create team 'x' apps
- can deploy in the team 'x' apps
- can see team 'x' apps
- can't remove team 'x' apps
- can see members of team 'x'
- can't add new users to team 'x'
- can't remove users from team 'x'
- can't create team 'x' apps
- can rebalance pool 'z'
- can move unit between pool 'z' nodes
- can see all apps in pool 'z'
- can't remove apps in pool 'z'
- can add units in pool 'z' apps
- can create new services
- can view service instances related with its services
- allow and disallow teams to use its services
- see app 'y'
- view app 'y' logs, envs
- can't set and unset envs in app 'y'
- can''t make deploys in app 'y'
permissions.Check(name, contextType, context)
permissions.Check("deploy-team", Team, "avengers")
permissions.Check("app-create", Global, nil)
permissions.Register(name, contextType)
permissions.Register("deploy-team", Team)
tsuru team-create avengers
tsuru role-add team-leader contextType=contextValue
tsuru role-add team-leader team=avengers
tsuru role-permission-add team-leader deploy-team
e.g.