Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 6. Permission policies reference


Permission policies in Red Hat Developer Hub are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment.

You can define the following types of permissions in Developer Hub:

  • resource type
  • basic

The distinction between the two permission types depends on whether a permission includes a defined resource type.

You can define the resource type permission using either the associated resource type or the permission name as shown in the following example:

Example resource type permission definition

p, role:default/myrole, catalog.entity.read, read, allow
g, user:default/myuser, role:default/myrole

p, role:default/another-role, catalog-entity, read, allow
g, user:default/another-user, role:default/another-role

You can define the basic permission in Developer Hub using the permission name as shown in the following example:

Example basic permission definition

p, role:default/myrole, catalog.entity.create, create, allow
g, user:default/myuser, role:default/myrole

Developer Hub supports following permission policies:

Catalog permissions
.Catalog permissions
NameResource typePolicyDescription

catalog.entity.read

catalog-entity

read

Allows a user or role to read from the catalog

catalog.entity.create

 

create

Allows a user or role to create catalog entities, including registering an existing component in the catalog

catalog.entity.refresh

catalog-entity

update

Allows a user or role to refresh a single or multiple entities from the catalog

catalog.entity.delete

catalog-entity

delete

Allows a user or role to delete a single or multiple entities from the catalog

catalog.location.read

 

read

Allows a user or role to read a single or multiple locations from the catalog

catalog.location.create

 

create

Allows a user or role to create locations within the catalog

catalog.location.delete

 

delete

Allows a user or role to delete locations from the catalog

Bulk import permission
.Bulk import permission
NameResource typePolicyDescription

bulk.import

bulk-import

use

Allows the user to access the bulk import endpoints, such as listing all repositories and organizations accessible by all GitHub integrations and managing the import requests

Scaffolder permissions
.Scaffolder permissions
NameResource typePolicyDescription

scaffolder.action.execute

scaffolder-action

use

Allows the execution of an action from a template

scaffolder.template.parameter.read

scaffolder-template

read

Allows a user or role to read a single or multiple one parameters from a template

scaffolder.template.step.read

scaffolder-template

read

Allows a user or role to read a single or multiple steps from a template

scaffolder.task.create

 

create

Allows a user or role to trigger software templates which create new scaffolder tasks

scaffolder.task.cancel

 

use

Allows a user or role to cancel currently running scaffolder tasks

scaffolder.task.read

 

read

Allows a user or role to read all scaffolder tasks and their associated events and logs

RBAC permissions
.RBAC permissions
NameResource typePolicyDescription

policy.entity.read

policy-entity

read

Allows a user or role to read permission policies and roles

policy.entity.create

policy-entity

create

Allows a user or role to create a single or multiple permission policies and roles

policy.entity.update

policy-entity

update

Allows a user or role to update a single or multiple permission policies and roles

policy.entity.delete

policy-entity

delete

Allows a user or role to delete a single or multiple permission policies and roles

Kubernetes permissions
.Kubernetes permissions
NameResource typePolicyDescription

kubernetes.proxy

 

use

Allows a user or role to access the proxy endpoint

OCM permissions
Basic OCM permissions only restrict access to the cluster view, but they do not prevent access to the Kubernetes clusters in the resource view. For more effective permissions, consider applying a conditional policy to restrict access to catalog entities that are of type kubernetes-cluster. Access restriction is dependent on the set of permissions granted to a role. For example, if the role had full permissions (read, update, and delete), then you must specify all its permissions in the permissionMapping field.

Example permissionMapping definition

result: CONDITIONAL
roleEntityRef: 'role:default/<YOUR_ROLE>'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
  - update
  - delete
conditions:
  not:
    rule: HAS_SPEC
    resourceType: catalog-entity
    params:
      key: type
      value: kubernetes-cluster

NameResource typePolicyDescription

ocm.entity.read

 

read

Allows a user or role to read from the OCM plugin

ocm.cluster.read

 

read

Allows a user or role to read the cluster information in the OCM plugin

Topology permissions
.Topology permissions
NameResource typePolicyDescription

topology.view.read

 

read

Allows a user or role to view the topology plugin

kubernetes.proxy

 

use

Allows a user or role to access the proxy endpoint, allowing the user or role to read pod logs and events within RHDH

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.