We can now use policies to allow or not users to invoke Watcher API methods. I added, in the Admin guide section, a new documentation introducing watcher policy rules. Change-Id: Ie1f8a9e15561756f23242c6f6b0d53cdacf3505a blueprint: watcher-policies
4.0 KiB
Policies
Watcher's public API calls may be restricted to certain sets of users using a policy configuration file. This document explains exactly how policies are configured and what they apply to.
A policy is composed of a set of rules that are used in determining if a particular action may be performed by the authorized tenant.
Constructing a Policy Configuration File
A policy configuration file is a simply JSON object that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Watcher API.
The actions that may have a rule enforced on them are:
strategy:get_all
,strategy:detail
- List available strategiesGET /v1/strategies
GET /v1/strategies/detail
strategy:get
- Retrieve a specific strategy entityGET /v1/strategies/<STRATEGY_UUID>
GET /v1/strategies/<STRATEGY_NAME>
goal:get_all
,goal:detail
- List available goalsGET /v1/goals
GET /v1/goals/detail
goal:get
- Retrieve a specific goal entityGET /v1/goals/<GOAL_UUID>
GET /v1/goals/<GOAL_NAME>
audit_template:get_all
,audit_template:detail
- List available audit_templatesGET /v1/audit_templates
GET /v1/audit_templates/detail
audit_template:get
- Retrieve a specific audit template entityGET /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
GET /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:create
- Create an audit template entityPOST /v1/audit_templates
audit_template:delete
- Delete an audit template entityDELETE /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
DELETE /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:update
- Update an audit template entityPATCH /v1/audit_templates/<AUDIT_TEMPLATE_UUID>
PATCH /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit:get_all
,audit:detail
- List available auditsGET /v1/audits
GET /v1/audits/detail
audit:get
- Retrieve a specific audit entityGET /v1/audits/<AUDIT_UUID>
audit:create
- Create an audit entityPOST /v1/audits
audit:delete
- Delete an audit entityDELETE /v1/audits/<AUDIT_UUID>
audit:update
- Update an audit entityPATCH /v1/audits/<AUDIT_UUID>
action_plan:get_all
,action_plan:detail
- List available action plansGET /v1/action_plans
GET /v1/action_plans/detail
action_plan:get
- Retrieve a specific action plan entityGET /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:delete
- Delete an action plan entityDELETE /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:update
- Update an action plan entityPATCH /v1/audits/<ACTION_PLAN_UUID>
action:get_all
,action:detail
- List available actionGET /v1/actions
GET /v1/actions/detail
action:get
- Retrieve a specific action plan entityGET /v1/actions/<ACTION_UUID>
To limit an action to a particular role or roles, you list the roles like so :
{
"audit:create": ["role:admin", "role:superuser"]
}
The above would add a rule that only allowed users that had roles of either "admin" or "superuser" to launch an audit.