Last active
November 27, 2020 19:59
-
-
Save xeger/b08f4c98fb949fc7f49b7dfc62c80b08 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env sh | |
| echo 'Example rules to evaluate on REPL' | |
| echo '(Ctrl+D to quit REPL)' | |
| echo '=================================' | |
| echo 'package authz # do this once at startup' | |
| echo 'allow with input as {"user": "alice", "privilege": "showFunds"}' | |
| echo 'allow with input as {"user": "bob", "privilege": "createDistributions", "path": ["noisy"]}' | |
| exec opa run -w authz.rego authz.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package authz | |
| # | |
| # Does user have a given role (including any restrictions e.g. in token?) | |
| # Four ways to hold a role: with(out) role restriction & with(out) path | |
| # | |
| effectiveRoles[role] { | |
| not input.roleRestriction | |
| data.users[input.user][role] | |
| } | |
| effectiveRoles[role] { | |
| input.roleRestriction[role] | |
| data.users[input.user][role] | |
| } | |
| effectiveRoles[role] { | |
| not input.roleRestriction | |
| some scope | |
| input.path[_] == scope | |
| data.partnerships[scope][input.user][role] | |
| } | |
| effectiveRoles[role] { | |
| input.roleRestriction[role] | |
| some scope | |
| input.path[_] == scope | |
| data.partnerships[scope][input.user][role] | |
| } | |
| superuser := effectiveRoles["president"] | |
| # | |
| # Does user have all required privileges? | |
| # | |
| default allow = false | |
| allow { | |
| superuser | |
| } | |
| allow { | |
| some role | |
| effectiveRoles[role] | |
| data.roles[role][input.privilege] | |
| } | |
| # | |
| # Enumeration of all user's privileges | |
| # | |
| capabilities[p] { | |
| superuser | |
| data.roles[_][p] | |
| } | |
| capabilities[p] { | |
| some role | |
| effectiveRoles[role] | |
| data.roles[r][p] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Role definitions | |
| roles: | |
| accountant: | |
| showInvestors: true | |
| showFunds: true | |
| gp: | |
| showFunds: true | |
| createPositions: true | |
| createDistributions: true | |
| secretary: | |
| indexContacts: true | |
| showContacts: true | |
| # Scoped role grants | |
| partnerships: | |
| chocolate: | |
| alice: | |
| gp: true | |
| noisy: | |
| bob: | |
| gp: true | |
| sleepy: {} | |
| # Unscoped role grants | |
| users: | |
| alice: | |
| accountant: true | |
| bob: | |
| secretary: true | |
| carol: | |
| accountant: true | |
| secretary: true | |
| tony: | |
| president: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment