stack-acl.example.yaml
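# Quilt Stack ACL: simpler-stack
#
# NOTE(review): the nesting below is reconstructed from a listing whose
# indentation was lost; confirm it against the original file. Left flat, the
# repeated keys (sso.groups, buckets.read, buckets.read_write) collide, and
# most YAML parsers silently keep only the last value, which would change
# who is granted what.

## Policies
# Each named policy declares:
# - the SSO groups that confer it
# - the permissions it grants
#
# A user qualifies for a policy if they belong to any of its listed groups.
# Their synthetic role is the union of all policies they qualify for.
policies:
  # Since all users are members of Everyone,
  # the two synthetic roles created by these policies are:
  # - public (non-Employees)
  # - internal_public (Employees)
  # Names are deterministic: reversed policy ladder joined by '_'.
  public:
    # Widest grant in the file: conferred by Everyone, so every bucket listed
    # here is readable by every user. Keep this list minimal.
    sso.groups: [Everyone]
    buckets.read: [quilt-example]

  internal:
    sso.groups: [Employees]
    buckets.read_write: [quilt-bake, quilt-dev]
    # NOTE(review): quilt-leadership is readable by all Employees here, while
    # write access comes only from the exec role below. Confirm that read
    # access this broad is intended.
    buckets.read: [quilt-leadership, udp-spec]
    # NOTE(review): attached to the internal policy in this reconstruction;
    # presumably marks the role users land in by default. Verify placement.
    config.default_role: true

## Roles
# Each static role composes only the explicitly specified policies and/or grants.
# Users can match (and have) multiple static and synthetic roles.
# The last-matching role is selected at first login,
# the last-used role is selected thereafter.
roles:
  exec:
    sso.groups: [Executives]
    config.policies: [public, internal]
    buckets.read_write: [quilt-leadership]
    # Admin rights follow membership of the Executives SSO group, so that
    # group's membership in the identity provider is the effective control.
    # NOTE(review): because the last-matching role is selected at first login,
    # members presumably start in this admin role. Confirm that is wanted, or
    # confer is_admin through a separate, narrowly scoped group.
    config.is_admin: true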