Skip to content

chore: document RBAC usage #14065

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Sep 10, 2024
+420 −7
Merged

chore: document RBAC usage #14065

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
d1b6de6
Document RBAC usage
dannykopping Jul 31, 2024
23e01c5
make fmt
dannykopping Jul 31, 2024
706a3d8
chore: fixup rbac/readme.md typos
Emyrk Jul 31, 2024
4681b9d
make fumpt
johnstcn Jul 31, 2024
6f240c9
Apply suggestions from code review
johnstcn Aug 1, 2024
c2f29d0
make fmt
johnstcn Aug 1, 2024
26ca907
Minor fixups, added troubleshooting (#14519) (#14530)
stirby Sep 2, 2024
cf25746
Update usage docs
dannykopping Sep 10, 2024
5fa2b96
Apply suggestions from code review
dannykopping Sep 10, 2024
257962b
Update coderd/rbac/USAGE.md
dannykopping Sep 10, 2024
02f7447
Appease the linter gods
dannykopping Sep 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions coderd/rbac/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
# Authz

Package `authz` implements AuthoriZation for Coder.
Package `rbac` implements Role-Based Access Control for Coder.

## Overview

Authorization defines what **permission** a **subject** has to perform **actions** to **objects**:

- **Permission** is binary: _yes_ (allowed) or _no_ (denied).
- **Subject** in this case is anything that implements interface `authz.Subject`.
- **Action** here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
- **Object** here is anything that implements `authz.Object`.
- **Subject** in this case is anything that implements interface `rbac.Subject`.
- **Action** here is an enumerated list of actions. Actions can differ for each object type. They typically read like, `Create`, `Read`, `Update`, `Delete`, etc.
- **Object** here is anything that implements `rbac.Object`.

## Permission Structure

Expand Down Expand Up @@ -38,7 +38,7 @@ This can be represented by the following truth table, where Y represents _positi
| read | Y | \_ | Y |
| read | Y | N | N |
| read | \_ | \_ | \_ |
| read | \_ | N | Y |
| read | \_ | N | N |

## Permission Representation

Expand All @@ -49,11 +49,11 @@ This can be represented by the following truth table, where Y represents _positi
- `object` is any valid resource type.
- `id` is any valid UUID v4.
- `id` is included in the permission syntax, however only scopes may use `id` to specify a specific object.
- `action` is `create`, `read`, `modify`, or `delete`.
- `action` is `create`, `read`, `modify`, `delete`, or another verb.

## Example Permissions

- `+site.*.*.read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
- `+site.app.*.read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
- `-user.workspace.*.create`: user is not allowed to create workspaces.

## Roles
Expand Down Expand Up @@ -106,7 +106,9 @@ You can test outside of golang by using the `opa` cli.

**Evaluation**

```bash
opa eval --format=pretty "data.authz.allow" -d policy.rego -i input.json
```

**Partial Evaluation**

Expand Down
Loading
Loading