Documentation
¶
Index ¶
Constants ¶
View Source
const WildcardSymbol = "*"
Variables ¶
View Source
var RBACPermissions = map[string]PermissionDefinition{ WildcardSymbol: { Name: "Wildcard", Actions: map[Action]ActionDefinition{}, }, "user": { Actions: map[Action]ActionDefinition{ ActionRead: "read user data", ActionCreate: "create a new user", ActionUpdate: "update an existing user", ActionDelete: "delete an existing user", ActionReadPersonal: "read personal user data like user settings and auth links", ActionUpdatePersonal: "update personal data", }, }, "workspace": { Actions: workspaceActions, }, "workspace_dormant": { Actions: workspaceActions, }, "prebuilt_workspace": { Actions: map[Action]ActionDefinition{ ActionUpdate: "update prebuilt workspace settings", ActionDelete: "delete prebuilt workspace", }, }, "workspace_proxy": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a workspace proxy", ActionDelete: "delete a workspace proxy", ActionUpdate: "update a workspace proxy", ActionRead: "read and use a workspace proxy", }, }, "license": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a license", ActionRead: "read licenses", ActionDelete: "delete license", }, }, "audit_log": { Actions: map[Action]ActionDefinition{ ActionRead: "read audit logs", ActionCreate: "create new audit log entries", }, }, "connection_log": { Actions: map[Action]ActionDefinition{ ActionRead: "read connection logs", ActionUpdate: "upsert connection log entries", }, }, "deployment_config": { Actions: map[Action]ActionDefinition{ ActionRead: "read deployment config", ActionUpdate: "updating health information", }, }, "deployment_stats": { Actions: map[Action]ActionDefinition{ ActionRead: "read deployment stats", }, }, "replicas": { Actions: map[Action]ActionDefinition{ ActionRead: "read replicas", }, }, "template": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a template", ActionUse: "use the template to initially create a workspace, then workspace lifecycle permissions take over", ActionRead: "read template", ActionUpdate: "update a template", ActionDelete: "delete a template", ActionViewInsights: "view insights", }, }, "group": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a group", ActionRead: "read groups", ActionDelete: "delete a group", ActionUpdate: "update a group", }, }, "group_member": { Actions: map[Action]ActionDefinition{ ActionRead: "read group members", }, }, "file": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a file", ActionRead: "read files", }, }, "provisioner_daemon": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a provisioner daemon/key", ActionRead: "read provisioner daemon", ActionUpdate: "update a provisioner daemon", ActionDelete: "delete a provisioner daemon/key", }, }, "provisioner_jobs": { Actions: map[Action]ActionDefinition{ ActionRead: "read provisioner jobs", ActionUpdate: "update provisioner jobs", ActionCreate: "create provisioner jobs", }, }, "organization": { Actions: map[Action]ActionDefinition{ ActionCreate: "create an organization", ActionRead: "read organizations", ActionUpdate: "update an organization", ActionDelete: "delete an organization", }, }, "organization_member": { Actions: map[Action]ActionDefinition{ ActionCreate: "create an organization member", ActionRead: "read member", ActionUpdate: "update an organization member", ActionDelete: "delete member", }, }, "debug_info": { Actions: map[Action]ActionDefinition{ ActionRead: "access to debug routes", }, }, "system": { Actions: map[Action]ActionDefinition{ ActionCreate: "create system resources", ActionRead: "view system resources", ActionUpdate: "update system resources", ActionDelete: "delete system resources", }, Comment: ` // DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become // an unmanaged collection of things that don't relate to one another. We can't effectively enforce // least privilege access control when unrelated resources are grouped together.`, }, "api_key": { Actions: map[Action]ActionDefinition{ ActionCreate: "create an api key", ActionRead: "read api key details (secrets are not stored)", ActionDelete: "delete an api key", ActionUpdate: "update an api key, eg expires", }, }, "tailnet_coordinator": { Actions: map[Action]ActionDefinition{ ActionCreate: "create a Tailnet coordinator", ActionRead: "view info about a Tailnet coordinator", ActionUpdate: "update a Tailnet coordinator", ActionDelete: "delete a Tailnet coordinator", }, }, "assign_role": { Actions: map[Action]ActionDefinition{ ActionAssign: "assign user roles", ActionUnassign: "unassign user roles", ActionRead: "view what roles are assignable", }, }, "assign_org_role": { Actions: map[Action]ActionDefinition{ ActionAssign: "assign org scoped roles", ActionUnassign: "unassign org scoped roles", ActionCreate: "create/delete custom roles within an organization", ActionRead: "view what roles are assignable within an organization", ActionUpdate: "edit custom roles within an organization", ActionDelete: "delete roles within an organization", }, }, "oauth2_app": { Actions: map[Action]ActionDefinition{ ActionCreate: "make an OAuth2 app", ActionRead: "read OAuth2 apps", ActionUpdate: "update the properties of the OAuth2 app", ActionDelete: "delete an OAuth2 app", }, }, "oauth2_app_secret": { Actions: map[Action]ActionDefinition{ ActionCreate: "create an OAuth2 app secret", ActionRead: "read an OAuth2 app secret", ActionUpdate: "update an OAuth2 app secret", ActionDelete: "delete an OAuth2 app secret", }, }, "oauth2_app_code_token": { Actions: map[Action]ActionDefinition{ ActionCreate: "create an OAuth2 app code token", ActionRead: "read an OAuth2 app code token", ActionDelete: "delete an OAuth2 app code token", }, }, "notification_message": { Actions: map[Action]ActionDefinition{ ActionCreate: "create notification messages", ActionRead: "read notification messages", ActionUpdate: "update notification messages", ActionDelete: "delete notification messages", }, }, "notification_template": { Actions: map[Action]ActionDefinition{ ActionRead: "read notification templates", ActionUpdate: "update notification templates", }, }, "notification_preference": { Actions: map[Action]ActionDefinition{ ActionRead: "read notification preferences", ActionUpdate: "update notification preferences", }, }, "webpush_subscription": { Actions: map[Action]ActionDefinition{ ActionCreate: "create webpush subscriptions", ActionRead: "read webpush subscriptions", ActionDelete: "delete webpush subscriptions", }, }, "inbox_notification": { Actions: map[Action]ActionDefinition{ ActionCreate: "create inbox notifications", ActionRead: "read inbox notifications", ActionUpdate: "update inbox notifications", }, }, "crypto_key": { Actions: map[Action]ActionDefinition{ ActionRead: "read crypto keys", ActionUpdate: "update crypto keys", ActionDelete: "delete crypto keys", ActionCreate: "create crypto keys", }, }, "idpsync_settings": { Actions: map[Action]ActionDefinition{ ActionRead: "read IdP sync settings", ActionUpdate: "update IdP sync settings", }, }, "workspace_agent_resource_monitor": { Actions: map[Action]ActionDefinition{ ActionRead: "read workspace agent resource monitor", ActionCreate: "create workspace agent resource monitor", ActionUpdate: "update workspace agent resource monitor", }, }, "workspace_agent_devcontainers": { Actions: map[Action]ActionDefinition{ ActionCreate: "create workspace agent devcontainers", }, }, }
RBACPermissions is indexed by the type
Functions ¶
This section is empty.
Types ¶
type Action ¶
type Action string
Action represents the allowed actions to be done on an object.
const ( ActionCreate Action = "create" ActionRead Action = "read" ActionUpdate Action = "update" ActionDelete Action = "delete" ActionUse Action = "use" ActionSSH Action = "ssh" ActionApplicationConnect Action = "application_connect" ActionViewInsights Action = "view_insights" ActionWorkspaceStart Action = "start" ActionWorkspaceStop Action = "stop" ActionAssign Action = "assign" ActionUnassign Action = "unassign" ActionReadPersonal Action = "read_personal" ActionUpdatePersonal Action = "update_personal" ActionCreateAgent Action = "create_agent" ActionDeleteAgent Action = "delete_agent" )
type ActionDefinition ¶
type ActionDefinition string
Human friendly description to explain the action.
type PermissionDefinition ¶
type PermissionDefinition struct { // name is optional. Used to override "Type" for function naming. Name string // Actions are a map of actions to some description of what the action // should represent. The key in the actions map is the verb to use // in the rbac policy. Actions map[Action]ActionDefinition // Comment is additional text to include in the generated object comment. Comment string }
Click to show internal directories.
Click to hide internal directories.