-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add another notifications example with caveats for event types
- Loading branch information
1 parent
44954ef
commit d2760b5
Showing
1 changed file
with
58 additions
and
0 deletions.
There are no files selected for viewing
58 changes: 58 additions & 0 deletions
58
deploy/schemas/notifications/schema_subscribers_event_types.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| schema: |- | ||
| definition user {} | ||
| definition group { | ||
| relation member: user | group#member | ||
| } | ||
| definition role { | ||
| relation inventory_host_view: user:* | ||
| } | ||
| definition role_binding { | ||
| relation subject: user | group#member | ||
| relation granted: role | ||
| permission inventory_host_view = subject & granted->inventory_host_view | ||
| } | ||
| definition workspace { | ||
| relation parent: workspace | ||
| relation user_grant: role_binding | ||
| relation direct_notification_subscriber: user with event_types | ||
| permission inventory_host_view = user_grant->inventory_host_view | ||
| permission notification_subscriber = direct_notification_subscriber + parent->notification_subscriber | ||
| } | ||
| definition inventory/host { | ||
| relation workspace: workspace | ||
| permission view = workspace->inventory_host_view | ||
| // These have to be at least as granular as the associated permission | ||
| permission view_notification = view & workspace->notification_subscriber | ||
| } | ||
| caveat event_types(event_type string, event_types list<string>) { | ||
| event_type in event_types | ||
| } | ||
| relationships: |- | ||
| // There is a host_admin role | ||
| role:host_admin#inventory_host_view@user:* | ||
| // There is a workspace (org1/w1) underneath a root org workspace (org1) | ||
| workspace:org1/w1#parent@workspace:org1 | ||
| // There is a host within workspace:org/w1 | ||
| inventory/host:h1#workspace@workspace:org1/w1 | ||
| // There are two subscribers to host notifications in org1 for specific event types | ||
| workspace:org1#direct_notification_subscriber@user:u1[event_types:{"event_types":["host_new_cve"]}] | ||
| workspace:org1#direct_notification_subscriber@user:u2[event_types:{"event_types":["host_new_cve","host_patch_failure"]}] | ||
| // But only u1 has permissions (via the host_admin role) | ||
| workspace:org1/w1#user_grant@role_binding:u1_w1_host_admin | ||
| role_binding:u1_w1_host_admin#granted@role:host_admin | ||
| role_binding:u1_w1_host_admin#subject@user:u1 | ||
| // u3 also has permissions, but is not subscribed. | ||
| workspace:org1/w1#user_grant@role_binding:u3_w1_host_admin | ||
| role_binding:u3_w1_host_admin#granted@role:host_admin | ||
| role_binding:u3_w1_host_admin#subject@user:u3 |