-
Notifications
You must be signed in to change notification settings - Fork 159
ACL Proposal
Eric Holmes edited this page Sep 7, 2016
·
6 revisions
We'd like to have more control over who has access to what.
I'm a company and I have two teams:
- backend services
- frontend
I only want to allow the frontend team access to frontend applications. The backend team should have access to all applications.
The core API of Empire is well defined and gives us a good place to wrap it with an ACL, using a policy based approach, similar to how IAM works. Unfortunately, IAM is not extensible to third party services, so we'd have to implement it ourselves.
Within code, a policy would be defined as:
type Policy struct {
// Either Allow or Deny
Effect Effect
// The actions allowed or denied. (e.g. empire:Run)
Actions []string
// Name of the resource. * for all.
Resource []string
}
And the policies for the above scenario could be represented as:
frontendPolicies := []Policy{
{
Effect: Allow,
Actions: []string{
"empire:AppsFind",
"empire:Run",
"empire:Deploy",
"empire:Set",
"empire:Config",
"empire:Restart",
"empire:Scale",
"empire:Rollback",
"empire:StreamLogs",
"empire:Tasks",
},
Resource: []string{"frontend"},
},
}
backendPolicies := []Policy{
{
Effect: Allow,
Actions: []string{
"empire:*",
},
Resource: []string{"*"},
},
}
These could easily be encoded to JSON, and provided to the empire server
command at boot.