diff options
author | muraliparthatechm <muraliparthasarathy.k@techmahindra.com> | 2024-12-18 18:15:17 +0100 |
---|---|---|
committer | muraliparthatechm <muraliparthasarathy.k@techmahindra.com> | 2024-12-19 13:39:05 +0100 |
commit | 32fd1f3c1e22dbeb69e3cc150a6fb1b72ea0ed53 (patch) | |
tree | a068657e6b3d7f87506a30f4ec3ce639cf06c5bc /compose/config/opa-pdp/policies/role | |
parent | 522cfc28114b076fbcb1da8b2a16894e647ed10c (diff) |
Issue-ID: POLICY-5211
Change-Id: I8b75e6e850fae171fbc75fc67cb59171a78df4e0
Signed-off-by: muraliparthatechm <muraliparthasarathy.k@techmahindra.com>
Diffstat (limited to 'compose/config/opa-pdp/policies/role')
-rw-r--r-- | compose/config/opa-pdp/policies/role/policy.rego | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/compose/config/opa-pdp/policies/role/policy.rego b/compose/config/opa-pdp/policies/role/policy.rego new file mode 100644 index 00000000..54bdecf9 --- /dev/null +++ b/compose/config/opa-pdp/policies/role/policy.rego @@ -0,0 +1,53 @@ +# Role-based Access Control (RBAC) +# -------------------------------- +# +# This example defines an RBAC model for a Pet Store API. The Pet Store API allows +# users to look at pets, adopt them, update their stats, and so on. The policy +# controls which users can perform actions on which resources. The policy implements +# a classic Role-based Access Control model where users are assigned to roles and +# roles are granted the ability to perform some action(s) on some type of resource. +# +# This example shows how to: +# +# * Define an RBAC model in Rego that interprets role mappings represented in JSON. +# * Iterate/search across JSON data structures (e.g., role mappings) +# +# For more information see: +#package app.rbac +package role + +import rego.v1 + +# By default, deny requests. +default allow := false + +# Allow admins to do anything. +allow if user_is_admin + +# Allow the action if the user is granted permission to perform the action. +allow if { + # Find grants for the user. + some grant in user_is_granted + + # Check if the grant permits the action. + input.action == grant.action + input.type == grant.type +} + +# user_is_admin is true if "admin" is among the user's roles as per data.user_roles +user_is_admin if "admin" in data.role.user_roles[input.user] + +# user_is_granted is a set of grants for the user identified in the request. +# The `grant` will be contained if the set `user_is_granted` for every... +user_is_granted contains grant if { + # `role` assigned an element of the user_roles for this user... + some role in data.role.user_roles[input.user] + + # `grant` assigned a single grant from the grants list for 'role'... + some grant in data.role.role_grants[role] +} + +# * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/ +# * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration + + |