dashboard-policy.rego
package dataapi.authz
# `rule` is a set of policy entries. This definition contributes exactly one
# entry, and its body is `true`, so the entry is present in the set
# unconditionally -- the original expressed the same thing as `1 == 1`.
#
# The "copyrules" field is a backtick raw string: its contents, including the
# line breaks and the literal `\"` sequences, are plain text carried inside the
# entry and are NOT evaluated as Rego by this package. The quoted
# "runtime_eval" expressions refer to `input.request.*` and `assets`, neither
# of which this file defines or evaluates; presumably a downstream consumer of
# `copyrules` does -- confirm against the component that reads this field.
# Because the string is raw, its bytes must stay exactly as written here.
rule[entry] {
	entry := {
		"action": {
			"name": "Policies",
			"columns": "NA",
			"copyrules": `[{"action": {"name":"Allow",
"columns":"\"\"",
"runtime_eval":["input.request.role == \"foreman\"",
"input.request.operation == \"READ\""
],
"partial_eval":{}},
"policy":"Full priviledges for boss"
},
{"action": {"name":"RedactColumn",
"columns":"columns",
"runtime_eval":["input.request.role == \"worker\"",
"asset := assets[input.request.asset.namespace][input.request.asset.name]",
"columns := [c | asset.spec.assetMetadata.componentsMetadata[i].tags[_] == \"PII\"; c = i]"
],
"partial_eval":{}},
"policy":"Filtering PII columns for workers"
},
{"action": {"name":"BlockURL",
"columns":"\"\"",
"runtime_eval":["input.request.role == \"worker\"",
"asset := assets[input.request.asset.namespace][input.request.asset.name]",
"asset.spec.assetMetadata.tags[_] == \"control\""
],
"partial_eval":{}},
"policy":"Block controlling robots for Worker"
},
{"action": {"name":"BlockURL",
"columns":"\"\"",
"runtime_eval":["input.request.role == \"hr\"",
"asset := assets[input.request.asset.namespace][input.request.asset.name]",
"asset.spec.assetMetadata.tags[_] == \"control\""
],
"partial_eval":{}},
"policy":"Block controlling robots for HR"
},
{"action": {"name":"BlockURL",
"columns":"\"\"",
"runtime_eval":["input.request.role == \"hr\"",
"asset := assets[input.request.asset.namespace][input.request.asset.name]",
"asset.spec.assetMetadata.tags[_] == \"data\""
],
"partial_eval":{}},
"policy":"Block getting robot and manufacturing data for HR"
},
{"action": {"name":"Allow",
"columns":"\"\"",
"runtime_eval":["input.request.role == \"hr\"",
"asset := assets[input.request.asset.namespace][input.request.asset.name]",
"asset.spec.assetMetadata.tags[_] == \"personnel\""
],
"partial_eval":{}},
"policy":"Allow getting personnel data for HR"
}
]`
		},
		"policy": "runtime"
	}
}