Skip to content

chore: document RBAC usage #14065

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Sep 10, 2024
Merged

chore: document RBAC usage #14065

Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
d1b6de6
Document RBAC usage
dannykopping Jul 31, 2024
23e01c5
make fmt
dannykopping Jul 31, 2024
706a3d8
chore: fixup rbac/readme.md typos
Emyrk Jul 31, 2024
4681b9d
make fumpt
johnstcn Jul 31, 2024
6f240c9
Apply suggestions from code review
johnstcn Aug 1, 2024
c2f29d0
make fmt
johnstcn Aug 1, 2024
26ca907
Minor fixups, added troubleshooting (#14519) (#14530)
stirby Sep 2, 2024
cf25746
Update usage docs
dannykopping Sep 10, 2024
5fa2b96
Apply suggestions from code review
dannykopping Sep 10, 2024
257962b
Update coderd/rbac/USAGE.md
dannykopping Sep 10, 2024
02f7447
Appease the linter gods
dannykopping Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
chore: fixup rbac/readme.md typos 
- Truth table had an incorrect result value in final row
- Permission format examples was missing the object type
- Fix actions list
- Code block a bash command
  • Loading branch information
@Emyrk @dannykopping
Emyrk authored and dannykopping committed Sep 10, 2024
commit 706a3d8b442f7afb94222dc365611c2f3c5bfd3d
12 changes: 7 additions & 5 deletions coderd/rbac/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Authorization defines what **permission** a **subject** has to perform **actions

- **Permission** is binary: _yes_ (allowed) or _no_ (denied).
- **Subject** in this case is anything that implements interface `rbac.Subject`.
- **Action** here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
- **Action** here is an enumerated list of actions. Actions can differ for each object type. They typically read like, `Create`, `Read`, `Update`, `Delete`, etc.
- **Object** here is anything that implements `rbac.Object`.

## Permission Structure
Expand All @@ -34,11 +34,11 @@ Both **negative** and **positive** permissions override **abstain** at the same
This can be represented by the following truth table, where Y represents _positive_, N represents _negative_, and \_ represents _abstain_:

| Action | Positive | Negative | Result |
| ------ | -------- | -------- | ------ |
| ------ | -------- | -------- |--------|
| read | Y | \_ | Y |
| read | Y | N | N |
| read | \_ | \_ | \_ |
| read | \_ | N | Y |
| read | \_ | N | N |

## Permission Representation

Expand All @@ -49,11 +49,11 @@ This can be represented by the following truth table, where Y represents _positi
- `object` is any valid resource type.
- `id` is any valid UUID v4.
- `id` is included in the permission syntax, however only scopes may use `id` to specify a specific object.
- `action` is `create`, `read`, `modify`, or `delete`.
- `action` is `create`, `read`, `modify`, `delete`, or another verb.

## Example Permissions

- `+site.*.*.read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
- `+site.app.*.read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
- `-user.workspace.*.create`: user is not allowed to create workspaces.

## Roles
Expand Down Expand Up @@ -106,7 +106,9 @@ You can test outside of golang by using the `opa` cli.

**Evaluation**

```bash
opa eval --format=pretty "data.authz.allow" -d policy.rego -i input.json
```

**Partial Evaluation**

Expand Down