An RBAC policy defines the list of operations that are allowed or denied.
An RBAC policy has the following format:
{
  "version": "1.0.0",
  "filters": [],
  "statement": [
    {
      "Action": [
        "actions_list"
      ],
      "Effect": "Allow/Deny",
      "Resource": [
        "resources_list"
      ]
    }
  ]
}
The statement list defines the allowed and denied actions.
Policy filters define the conditions or criteria under which the policy statements apply. Currently filters are applicable only to the resource /admin/nodes; for other resources the filters are ignored.
Note that prefixes are not supported in the API path for resources: you can't grant access to all APIs under /admin/nodes by specifying "/admin/nodes" in the Resource section. Each resource must match the API path exactly.
Sample RBAC policies:
SuperAdmin Policy
{
  "statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ],
  "version": "1.0.0"
}
The above policy grants access to all operations on all resources. This policy is attached to the superAdmin user at the time of RainMaker deployment.
OTAImageFullAccessPolicy
{
  "statement": [
    {
      "Action": [ "*" ],
      "Effect": "Allow",
      "Resource": [ "/admin/otaimage" ]
    }
  ],
  "version": "1.0.0"
}
The above policy grants access to all OTA image operations.
OTAJobFullAccessPolicy
{
  "statement": [
    {
      "Action": [ "*" ],
      "Effect": "Allow",
      "Resource": [ "/admin/otajob" ]
    }
  ],
  "version": "1.0.0"
}
The above policy allows all OTA job operations.
UserOperationAccessPolicy
{
  "statement": [
    {
      "Action": [ "api:Put","api:Post","api:Get" ],
      "Effect": "Allow",
      "Resource": [ "/admin/user2" ]
    },
    {
      "Action": [ "api:Put","api:Get" ],
      "Effect": "Allow",
      "Resource": [ "/admin/user_role" ]
    }
  ],
  "version": "1.0.0"
}
The above policy allows creating, modifying and fetching internal users. It also allows attaching roles to a user and getting a user's roles via the /admin/user_role API.
UserDeleteAccessPolicy
{
  "statement": [
    {
      "Action": [ "api:Delete" ],
      "Effect": "Allow",
      "Resource": [ "/admin/user2" ]
    }
  ],
  "version": "1.0.0"
}
The above policy allows deleting internal users.
NodeAccessPolicy
{
  "statement": [
    {
      "Action": [ "*" ],
      "Effect": "Allow",
      "Resource": [ "/admin/nodes" ]
    }
  ],
  "version": "1.0.0"
}
The above policy allows all operations on the /admin/nodes API.
ReadAllPolicy
{
  "statement": [
    {
      "Action": [ "api:Get" ],
      "Effect": "Allow",
      "Resource": [ "*" ]
    }
  ],
  "version": "1.0.0"
}
The above policy allows the GET method on all available APIs.
DeploymentSettingsPolicy
{
  "statement": [
    {
      "Action": [ "*" ],
      "Effect": "Allow",
      "Resource": [ "/admin/deployment_settings","/admin/webhook", ""]
    }
  ],
  "version": "1.0.0"
}
The above policy allows all operations on the /admin/deployment_settings and /admin/webhook APIs.
NodeImageAccessPolicy
{
  "version": "1.0.0",
  "filters": [{
    "type": "nodes",
    "rules": {
      "tags": [
        "location:pune",
        "location:mumbai"
      ],
      "type": [
        "led_light",
        "switch"
      ],
      "model": [],
      "fw": []
    }
  }],
  "statement": [{
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "/admin/otaimage",
        "/admin/nodes"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "api:Get",
        "api:Put"
      ],
      "Resource": [
        "/admin/otajob"
      ]
    }
  ]
}
The above policy allows all API methods on the /admin/otaimage and /admin/nodes APIs. Methods of the /admin/nodes API are accessible only for nodes that have one of the tags given in the policy filters. The policy explicitly denies GET and PUT on the /admin/otajob API.
Currently, the filters are applied only to nodes. The above policy therefore grants all actions on all OTA images unconditionally, but grants all actions on /admin/nodes only for nodes having the tags location:pune or location:mumbai.
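To make the evaluation rules above concrete, here is an added example (not RainMaker's own code) of a small evaluator for this policy format. It assumes, as stated in the comments, that an explicit Deny overrides any Allow, that resources match exactly (no prefix matching), and that a node satisfies a filter when it carries at least one of the listed tags and every non-empty scalar rule list (type, model, fw) contains the node's value; the policy it loads is the NodeImageAccessPolicy shown above, constructed inline.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: the NodeImageAccessPolicy from the text, embedded for an offline run.
POLICY = json.loads("""
{
  "version": "1.0.0",
  "filters": [{"type": "nodes",
               "rules": {"tags": ["location:pune", "location:mumbai"],
                         "type": ["led_light", "switch"], "model": [], "fw": []}}],
  "statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["/admin/otaimage", "/admin/nodes"]},
    {"Effect": "Deny", "Action": ["api:Get", "api:Put"], "Resource": ["/admin/otajob"]}
  ]
}""")


def _matches(patterns: List[str], value: str) -> bool:
    # Exact match or "*" only: "/admin/nodes" does not cover "/admin/nodes/xyz".
    return "*" in patterns or value in patterns


def _node_passes_filters(policy: Dict, node: Dict) -> bool:
    # Assumed filter semantics: a node needs at least one of the listed tags, and for
    # each non-empty scalar rule list the node's attribute must appear in that list.
    for flt in policy.get("filters", []):
        if flt.get("type") != "nodes":
            continue
        rules = flt.get("rules", {})
        if rules.get("tags") and not set(rules["tags"]) & set(node.get("tags", [])):
            return False
        for attr in ("type", "model", "fw"):
            if rules.get(attr) and node.get(attr) not in rules[attr]:
                return False
    return True


def is_allowed(policy: Dict, action: str, resource: str, node: Optional[Dict] = None) -> bool:
    """Decide one request. Assumed: any matching Deny wins over Allow; filters are
    consulted only when the resource is /admin/nodes, as the text states."""
    allowed = False
    for stmt in policy["statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    if allowed and resource == "/admin/nodes":
        return _node_passes_filters(policy, node or {})
    return allowed
```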
You can create policies as per your requirements with the same format as shown above.