forked from uc-cdis/fence
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ua.yaml
65 lines (61 loc) · 2.08 KB
/
ua.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
cloud_providers:
gdc-cleversafe:
backend: 'cleversafe'
service: 'storage'
bpa-cleversafe:
backend: 'cleversafe'
service: 'storage'
groups:
Test_Group:
projects:
- auth_id: Test_Group
privilege: ['read', 'update', 'create', 'delete', 'read-storage', 'write-storage', 'admin-storage']
- auth_id: Test_Group_1
privilege: ['read', 'read-storage']
Test_Group_1:
projects:
- auth_id: Test_Group_1
privilege: ['read', 'update', 'create', 'delete', 'read-storage', 'write-storage']
- auth_id: Test_Group
privilege: ['read', 'read-storage']
resources
users:
test:
admin: True
projects:
- auth_id: bar
resource: /programs/test/projects/bar
privilege: ['read', 'update', 'create', 'delete']
- auth_id: quux
resource: /programs/test/projects/quux
privilege: ['read', 'update', 'create', 'delete']
policies: ['data_upload']
# This chunk is currently how fence gets some setup information to arborist, the
# service which handles authz. All the content here (inside each subsection,
# policies/resources/roles) is exactly how it would be structured in requests
# to/from the arborist API.
authz:
policies:
- id: 'data_upload'
description: 'upload raw data files to S3'
role_ids: ['file_uploader']
resource_paths: ['/data_file']
resources:
- name: 'data_file'
description: 'data files, stored in S3'
- name: 'programs'
subresources:
- name: 'test'
subresources:
- name: 'projects'
subresources:
- name: 'bar'
- name: quux
roles:
- id: 'file_uploader'
description: 'can upload data files'
permissions:
- id: 'file_upload'
action:
service: 'fence'
method: 'file_upload'