# Role-based Access Control (RBAC)
# --------------------------------
#
# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
# users to look at pets, adopt them, update their stats, and so on. The policy
# controls which users can perform actions on which resources. The policy implements
# a classic Role-based Access Control model where users are assigned to roles and
# roles are granted the ability to perform some action(s) on some type of resource.
#
# This example shows how to:
#
#	* Define an RBAC model in Rego that interprets role mappings represented in JSON.
#	* Iterate/search across JSON data structures (e.g., role mappings)
#
# For more information see the links at the end of this file:
#package app.rbac
package role

import rego.v1

# By default, deny requests. A request is allowed only if one of the `allow`
# rules below evaluates to true; an unknown user, action or type therefore
# falls through to false rather than to undefined.
default allow := false

# Allow admins to do anything. Admin membership is decided solely by
# `user_is_admin`, i.e. by the roles recorded for `input.user` in data;
# no action or type check is applied on this path.
allow if user_is_admin

# Allow the action if the user is granted permission to perform the action.
# Grants are matched on action and resource *type* only; nothing here inspects
# a specific resource instance, so the enforcement point must not expect
# per-object decisions from this rule.
allow if {
	# Every grant reachable through the user's roles is a candidate.
	some grant in user_is_granted
	grant_matches_request(grant)
}

# grant_matches_request is true when the grant covers exactly the requested
# action on the requested resource type. A grant missing either field never
# matches (the comparison is undefined).
grant_matches_request(grant) if {
	grant.action == input.action
	grant.type == input.type
}

# user_is_admin is true if "admin" is among the roles recorded for the
# requesting user in data.role.user_roles. `input.user` is used verbatim as the
# lookup key and is not verified here: the enforcement point has to populate it
# from an authenticated identity.
user_is_admin if {
	some assigned in data.role.user_roles[input.user]
	assigned == "admin"
}

# user_is_granted is the set of grants reachable from the requesting user:
# every grant listed under data.role.role_grants for every role the user holds
# in data.role.user_roles. A user with no entry in user_roles, or a role with no
# entry in role_grants, contributes nothing, so the result is the empty set.
user_is_granted contains grant if {
	# Roles held by the requesting user (undefined for an unknown user).
	held := data.role.user_roles[input.user]

	# Union of the grant lists of all held roles.
	some role in held
	some grant in data.role.role_grants[role]
}

#	* Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
#	* Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration