Commit

more stuff
Gerrit91 committed Jul 27, 2021
1 parent 33e2c4e commit 86b67a0
Showing 1 changed file with 23 additions and 16 deletions.
39 changes: 23 additions & 16 deletions docs/src/development/proposals/MEP4/README.md
Expand Up @@ -119,7 +119,7 @@ Requirements: Tenant was created
$ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1
You are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1.
```
- The user automatically got the `metal-project-owner` default role for the project he created including typical owner permissions.
- The user automatically got the `metal-project-owner` default role for the project (auto default role association can also be turned off) including typical owner permissions.
```
$ metalctl show-permissions
Project: 793bb6cd-8b46-479d-9209-0fedca428fe1
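Review bot: the new parenthetical "(auto default role association can also be turned off)" hides a security-relevant configuration decision inside a bullet; say where it is configured (global flag or per tenant) and what the consequence of turning it off is, because the creating user then holds no role on the project they just created and someone else must create the first role binding for it. Without that sentence the reader cannot tell whether an "orphaned" project is possible, or whether the default stays on precisely to avoid it, which reintroduces the implicit owner grant. Suggest moving it out of the parenthesis into its own sentence after the bullet.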
Expand Down Expand Up @@ -256,6 +256,11 @@ Admins should be able to see "everything", even resources of tenant's regular us

- The user requires permissions to create a tenant and project, this can be achieved through a role binding (e.g. provided by the admin):
```
$ metalctl rolebinding list
ID NAME TENANT PROJECT
40beeacc-4eba-4751-9c63-d82d81994d17 metal-project-creator metal-stack
66d19904-5de2-4c36-9fd2-cfdafe5d8ae2 metal-admin
45a72f32-5acb-47cd-8ac9-49764587ad46 metal-tenant-creator new-tenant
$ metalctl rolebinding describe 45a72f32-5acb-47cd-8ac9-49764587ad46
{
"id": "45a72f32-5acb-47cd-8ac9-49764587ad46",
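Review bot: the `metalctl rolebinding list` output added here shows three differently scoped bindings without saying how the empty columns are to be read: `metal-admin` has neither TENANT nor PROJECT (presumably global), `metal-project-creator metal-stack` leaves open whether `metal-stack` sits in the TENANT or the PROJECT column, and `metal-tenant-creator new-tenant` binds a role to a tenant that the surrounding text says is still to be created. Please align the columns or add a sentence on what an empty scope means, and state whether a tenant-creator binding is deliberately pre-bound to the future tenant name and who may create such a binding, since a binding against a not-yet-existing tenant name effectively reserves that name. It is also worth saying whether a non-admin caller is expected to see the admin's binding in this listing at all.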
Expand Down Expand Up @@ -372,7 +377,8 @@ A user creates a custom role `ci-builder` and a project token for it:
]
}
],
"userids": ["gerrit"],
"userids": [],
"projecttokens": ["19c92a80-f5ae-47be-973a-76e47894be8a"],
"resources": ["*"],
"oidcgroups: []
}
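Review bot: the example now uses the key `projecttokens`, while the `RoleBinding` struct changed in this same commit serialises the field as `tokenids`; pick one name so the documented CLI output matches the API. Also, `"oidcgroups: []` is missing its closing quote and would not parse as JSON.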
Expand All @@ -388,7 +394,7 @@ A user creates a custom role `ci-builder` and a project token for it:
Email: [email protected]
Tenant: metal-stack
Issuer: https://dex.test.io/dex
No expiration (project token)
No expiration (project token 19c92a80-f5ae-47be-973a-76e47894be8a)
$ metalctl show-permissions
Project: 793bb6cd-8b46-479d-9209-0fedca428fe1
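Review bot: `No expiration (project token 19c92a80-f5ae-47be-973a-76e47894be8a)` documents a credential with no lifetime at all, and the binding above grants it `"resources": ["*"]`; the proposal should say whether an expiry can be set when the token is created, whether a token can be revoked independently of the binding that references it, and that the ID printed here is the token's identifier and not the bearer secret itself.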
Expand Down Expand Up @@ -533,6 +539,7 @@ type RoleBinding struct {
ProjectID string `json:"projectid" description:"the project this role binding belongs to"`
RoleIDs []string `json:"roleids" description:"the roles that this binding associates with the subjects"`
UserIDs []string `json:"userids" description:"the users that this binding associates with the roles"`
TokenIDs []string `json:"tokenids" description:"the project tokens that this binding associates with the roles"`
ResourceIDs []string `json:"resourceids" description:"the resources that this binding associates with the roles, be aware that these are flattened when multiple role bindings apply"`
OIDCGroups []string `json:"oidcgroups" description:"the oidc group claims that this binding associates with the roles"`
}
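Review bot: `TokenIDs` references tokens by ID from the binding, so deleting a project token leaves a dangling ID in every binding that lists it; document whether token deletion removes the ID from bindings, and whether a dangling ID is ignored or rejected when the binding is evaluated. The field description should also say that a token ID may only be bound within the project the token belongs to, otherwise a binding in one project could name a token from another.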
Expand Down Expand Up @@ -776,7 +783,7 @@ This section defines the new endpoints for the API.
#### File System Layout

| Endpoint | Method | Permission | Notes |
| :---------------------------------------------- | ------ | :------------------------------------- | :-------------------------------------------- |
| :---------------------------------------------- | :----- | :------------------------------------- | :-------------------------------------------- |
| /v2/filesystemlayout | GET | metal.v2.filesystemlayout.list | |
| /v2/filesystemlayout | POST | metal.v2.filesystemlayout.search | New! |
| /v2/filesystemlayout/:id | GET | metal.v2.filesystemlayout.get | |
Expand All @@ -792,7 +799,7 @@ This section defines the new endpoints for the API.
#### Firewall

| Endpoint | Method | Permission | Notes |
| :------------------------ | ------ | :-------------------------------- | :------------------------ |
| :------------------------ | :----- | :-------------------------------- | :------------------------ |
| /v2/firewall | GET | metal.v2.firewall.list | |
| /v2/firewall | POST | metal.v2.firewall.search | Was `/find` before |
| /v2/firewall/:id | GET | metal.v2.firewall.get | |
Expand All @@ -804,7 +811,7 @@ This section defines the new endpoints for the API.
#### Firmware

| Endpoint | Method | Permission | Notes |
| :------------------------------------------ | ------ | :----------------------------- | :---- |
| :------------------------------------------ | :----- | :----------------------------- | :---- |
| /v2/firmware | GET | metal.v2.firmware.list | |
| /v2/firmware/:kind/:vendor/:board/:revision | PUT | metal.v2.admin.firmware.create | |
| /v2/firmware/:kind/:vendor/:board/:revision | DELETE | metal.v2.admin.firmware.delete | |
Expand All @@ -816,15 +823,15 @@ This resource is a little different because it uses an S3 bucket for persistence
#### Health

| Endpoint | Method | Permission | Notes |
| :--------- | ------ | :------------------ | :---- |
| :--------- | :----- | :------------------ | :---- |
| /v2/health | GET | metal.v2.health.get | |

❓ This endpoint was public before (such that health checks can easily be performed through K8s deployments). To reduce attack surface this should require a permission.

#### IP

| Endpoint | Method | Permission | Notes |
| :------------------ | ------ | :-------------------------- | :-------------------- |
| :------------------ | :----- | :-------------------------- | :-------------------- |
| /v2/ip | GET | metal.v2.ip.list | |
| /v2/ip | POST | metal.v2.ip.search | Was `/find` before |
| /v2/ip/:id | GET | metal.v2.ip.get | |
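Review bot: requiring `metal.v2.health.get` on `/v2/health` means Kubernetes liveness and readiness probes need a credential, which then has to be mounted into the deployment and rotated; consider resolving the ❓ by keeping an unauthenticated probe that returns only up/down and moving any detail that would help an attacker (backend status, versions) behind the permission.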
Expand All @@ -836,7 +843,7 @@ This resource is a little different because it uses an S3 bucket for persistence
#### Image

| Endpoint | Method | Permission | Notes |
| :----------------------------------- | ------ | :-------------------------- | :---- |
| :----------------------------------- | :----- | :-------------------------- | :---- |
| /v2/image | GET | metal.v2.image.list | |
| /v2/image | POST | metal.v2.image.search | New! |
| /v2/image/:id | GET | metal.v2.image.get | |
Expand All @@ -851,7 +858,7 @@ This resource is a little different because it uses an S3 bucket for persistence
#### Machine

| Endpoint | Method | Permission | Notes |
| :----------------------------------------------- | ------ | :----------------------------------- | :--------------------------------------------------- |
| :----------------------------------------------- | :----- | :----------------------------------- | :--------------------------------------------------- |
| /v2/machine | GET | metal.v2.machine.list | |
| /v2/machine | POST | metal.v2.machine.search | Was `/find` before |
| /v2/machine/:id | GET | metal.v2.machine.get | |
Expand Down Expand Up @@ -889,7 +896,7 @@ This resource is a little different because it uses an S3 bucket for persistence
#### Network

| Endpoint | Method | Permission | Notes |
| :------------------------------------- | ------ | :---------------------------- | :---- |
| :------------------------------------- | :----- | :---------------------------- | :---- |
| /v2/network | GET | metal.v2.network.list | |
| /v2/network | POST | metal.v2.network.search | New! |
| /v2/network/:id | GET | metal.v2.network.get | |
Expand All @@ -903,7 +910,7 @@ This resource is a little different because it uses an S3 bucket for persistence
#### Partition

| Endpoint | Method | Permission | Notes |
| :--------------------- | ------ | :------------------------------ | :---- |
| :--------------------- | :----- | :------------------------------ | :---- |
| /v2/partition | GET | metal.v2.partition.list | |
| /v2/partition | POST | metal.v2.partition.search | New! |
| /v2/partition/:id | GET | metal.v2.partition.get | |
Expand All @@ -918,7 +925,7 @@ TBD
#### Size

| Endpoint | Method | Permission | Notes |
| :--------------------- | ------ | :------------------------- | :------------------------------------- |
| :--------------------- | :----- | :------------------------- | :------------------------------------- |
| /v2/size | GET | metal.v2.size.list | |
| /v2/size | POST | metal.v2.size.search | New! |
| /v2/size/:id | GET | metal.v2.size.get | |
Expand All @@ -932,7 +939,7 @@ TBD
This really is a pure admin-resource.

| Endpoint | Method | Permission | Notes |
| :------------- | ------ | :------------------------- | :---- |
| :------------- | :----- | :------------------------- | :---- |
| /v2/switch | GET | metal.v2.admin.size.list | |
| /v2/switch | POST | metal.v2.admin.size.search | New! |
| /v2/switch/:id | GET | metal.v2.admin.size.get | |
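Review bot: the switch endpoints are mapped to `metal.v2.admin.size.list`, `metal.v2.admin.size.search` and `metal.v2.admin.size.get`, which look copied from the Size table; they should be `metal.v2.admin.switch.*`, otherwise a role granted only size permissions silently gains switch access.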
Expand All @@ -948,7 +955,7 @@ TBD
#### Version

| Endpoint | Method | Permission | Notes |
| :---------- | ------ | :------------------- | :---- |
| :---------- | :----- | :------------------- | :---- |
| /v2/version | GET | metal.v2.version.get | |

❓ This endpoint was public before (such that it can easily be shown in badges). To reduce attack surface this should require a permission.
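Review bot: the same open ❓ as for health, but with a harder trade-off: a badge fetcher cannot authenticate, so the choice is between leaving `/v2/version` public (and accepting that it fingerprints the deployment for an attacker) and dropping the badge use case; the proposal should pick one rather than leave the question open.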
Expand All @@ -958,7 +965,7 @@ TBD
We want a common scoping logic on the database for all resources. Therefore, all resources must use the same database fields that can be used for filtering.

| Scope | Field Name |
| -------- | ---------- |
| :------- | :--------- |
| Tenant | tenant_id |
| Project | project_id |
| Resource | id |
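Review bot: the table does not say how a resource with an empty `tenant_id` or `project_id` is treated; switches and partitions are admin-only and belong to no tenant, so the common filter must treat an empty scope field as "not visible to tenant- or project-scoped callers", not as a wildcard, or admin resources leak into every tenant's list and search results. One sentence under the table would settle this.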