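---
# base_user.yaml — a starter fence "user.yaml".
#
# The `authz` block is the arborist model: resources form a tree addressed by
# path (`/programs/MyFirstProgram/...`), roles bundle permissions (a service +
# method pair), and policies bind role_ids to resource_paths. Groups, clients
# and users then hold policies by id. Every id referenced below resolves to a
# definition in this same file; keep that invariant when editing.
#
# Indentation on the reviewed page had been flattened; the nesting below was
# reconstructed from the resource_paths the policies reference. Where no
# policy pins a node's position (see the NOTE(review) marks) confirm it
# against the upstream file before relying on it.
authz:
  # policies automatically given to anyone, even if they are not authenticated
  # open_data_reader => read / read-storage (peregrine, guppy, fence) under /open.
  anonymous_policies:
    - open_data_reader
  # policies automatically given to authenticated users (in addition to their other policies)
  all_users_policies: []

  groups:
    # can CRUD programs and projects and upload data files
    - name: data_submitters
      policies:
        - services.sheepdog-admin
        - data_upload
        - MyFirstProject_submitter
      # explicit empty list: a bare `users:` parses as null, not as [] —
      # matches the `all_users_policies: []` style used above
      users: []
    # can create/update/delete indexd records
    - name: indexd_admins
      policies:
        - indexd_admin
      users: []

  resources:
    - name: workspace
    - name: data_file
    - name: services
      subresources:
        - name: sheepdog
          subresources:
            - name: submission
              subresources:
                - name: program
                - name: project
        # NOTE(review): no policy in this file references /services/indexd or
        # /services/audit; their placement under `services` is reconstructed —
        # confirm against upstream.
        - name: indexd
          subresources:
            - name: admin
        - name: audit
          subresources:
            - name: presigned_url
            - name: login
    - name: open
    - name: programs
      subresources:
        - name: MyFirstProgram
          subresources:
            - name: projects
              subresources:
                - name: MyFirstProject

  policies:
    - id: workspace
      description: be able to use workspace
      resource_paths:
        - /workspace
      role_ids:
        - workspace_user
    - id: data_upload
      description: upload raw data files to S3
      role_ids:
        - file_uploader
      resource_paths:
        - /data_file
    - id: services.sheepdog-admin
      description: CRUD access to programs and projects
      role_ids:
        - sheepdog_admin
      resource_paths:
        - /services/sheepdog/submission/program
        - /services/sheepdog/submission/project
    - id: indexd_admin
      description: full access to indexd API
      role_ids:
        - indexd_admin
      # the indexd_admin role is `service: indexd, method: '*'`; it is scoped
      # to the /programs subtree rather than /services/indexd — intentional
      # per upstream, but note the description and the path do not say the
      # same thing
      resource_paths:
        - /programs
    # read-only access to open data; this is the one policy handed to
    # unauthenticated callers via anonymous_policies above
    - id: open_data_reader
      role_ids:
        - peregrine_reader
        - guppy_reader
        - fence_storage_reader
      resource_paths:
        - /open
    # read-only access to every program and project under /programs
    # (currently granted only to the `wts` client below)
    - id: all_programs_reader
      role_ids:
        - peregrine_reader
        - guppy_reader
        - fence_storage_reader
      resource_paths:
        - /programs
    # full CRUD plus storage read/write, scoped to a single project
    - id: MyFirstProject_submitter
      role_ids:
        - reader
        - creator
        - updater
        - deleter
        - storage_reader
        - storage_writer
      resource_paths:
        - /programs/MyFirstProgram/projects/MyFirstProject

  roles:
    - id: file_uploader
      permissions:
        - id: file_upload
          action:
            service: fence
            method: file_upload
    - id: workspace_user
      permissions:
        - id: workspace_access
          action:
            service: jupyterhub
            method: access
    - id: sheepdog_admin
      description: CRUD access to programs and projects
      permissions:
        - id: sheepdog_admin_action
          action:
            service: sheepdog
            method: '*'
    - id: indexd_admin
      description: full access to indexd API
      permissions:
        - id: indexd_admin
          action:
            service: indexd
            method: '*'
    # wildcard on every service and method; defined here but not referenced
    # by any policy in this file — attach it only to a tightly scoped
    # resource_path if a policy ever does use it
    - id: admin
      permissions:
        - id: admin
          action:
            service: '*'
            method: '*'
    # generic CRUD roles: service-agnostic, one method each
    - id: creator
      permissions:
        - id: creator
          action:
            service: '*'
            method: create
    - id: reader
      permissions:
        - id: reader
          action:
            service: '*'
            method: read
    - id: updater
      permissions:
        - id: updater
          action:
            service: '*'
            method: update
    - id: deleter
      permissions:
        - id: deleter
          action:
            service: '*'
            method: delete
    - id: storage_writer
      permissions:
        # permission id differs from the role id (every other role here
        # uses matching ids); kept as-is since ids are referenced by name
        - id: storage_creator
          action:
            service: '*'
            method: write-storage
    - id: storage_reader
      permissions:
        - id: storage_reader
          action:
            service: '*'
            method: read-storage
    # service-specific read roles used by the *_reader policies
    - id: peregrine_reader
      permissions:
        - id: peregrine_reader
          action:
            service: peregrine
            method: read
    - id: guppy_reader
      permissions:
        - id: guppy_reader
          action:
            service: guppy
            method: read
    - id: fence_storage_reader
      permissions:
        - id: fence_storage_reader
          action:
            service: fence
            method: read-storage

# OIDC clients and the policies they hold directly
clients:
  wts:
    policies:
      - all_programs_reader
      - open_data_reader

# individual users keyed by username; `tags` are free-form metadata
users:
  username2:
    tags:
      name: John Doe
      # placeholder: the address on the reviewed page was mangled into
      # `[email protected]`, which an unquoted YAML scalar parses as a flow
      # sequence; fill in the real address as a quoted string
      email: "<EMAIL_PLACEHOLDER>"
    policies:
      - MyFirstProject_submitter

# explicit empty mappings: a bare `key:` would be null, not {}
cloud_providers: {}
groups: {}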