Chapter 6. Permission policies reference
Permission policies in Red Hat Developer Hub are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment.
You can define the following types of permissions in Developer Hub:
- resource type
- basic
The distinction between the two permission types depends on whether a permission includes a defined resource type.
You can define the resource type permission using either the associated resource type or the permission name as shown in the following example:
Example resource type permission definition
```
p, role:default/myrole, catalog.entity.read, read, allow
g, user:default/myuser, role:default/myrole
p, role:default/another-role, catalog-entity, read, allow
g, user:default/another-user, role:default/another-role
```
You can define the basic permission in Developer Hub using the permission name as shown in the following example:
Example basic permission definition
```
p, role:default/myrole, catalog.entity.create, create, allow
g, user:default/myuser, role:default/myrole
```
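The following is an added example, not code from the Developer Hub documentation or the RBAC plugin: a toy evaluator for the two policy forms above, showing that a request for `catalog.entity.read` is satisfied by a rule written with either the permission name or its resource type `catalog-entity`, while the basic permission `catalog.entity.create` can only be matched by name. The deny-overrides-allow rule and the constructed policy file are assumptions of the example.

```python
# Added example (not Developer Hub or RBAC plugin code). Policy lines follow
# the Casbin CSV form used in this chapter:
#   p, <role>, <permission name or resource type>, <action>, <effect>
#   g, <user>, <role>

# Permission name -> resource type, taken from the examples in this chapter.
# Basic permissions such as catalog.entity.create have no resource type.
RESOURCE_TYPE = {
    "catalog.entity.read": "catalog-entity",
    "catalog.entity.create": None,
}

# Constructed policy file, modelled on the two examples above.
POLICY_CSV = """
p, role:default/myrole, catalog.entity.read, read, allow
g, user:default/myuser, role:default/myrole
p, role:default/another-role, catalog-entity, read, allow
g, user:default/another-user, role:default/another-role
p, role:default/myrole, catalog.entity.create, create, allow
"""


def parse(csv_text):
    """Return (policy rules, user -> set of roles) from policy CSV text."""
    rules, roles_of = [], {}
    for raw in csv_text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 5:
            rules.append(tuple(fields[1:]))  # (role, target, action, effect)
        elif fields[0] == "g" and len(fields) == 3:
            roles_of.setdefault(fields[1], set()).add(fields[2])
        elif raw.strip():
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, roles_of


def decide(user, permission, action, csv_text=POLICY_CSV):
    """True when a role held by `user` allows `action` on `permission`.
    Assumption of this example: an explicit deny overrides any allow."""
    rules, roles_of = parse(csv_text)
    roles = roles_of.get(user, set())
    rtype = RESOURCE_TYPE.get(permission)
    allowed = False
    for role, target, act, effect in rules:
        if role not in roles or act != action:
            continue
        # Match by permission name (basic form) or by resource type.
        if target == permission or (rtype is not None and target == rtype):
            if effect == "deny":
                return False
            if effect == "allow":
                allowed = True
    return allowed
```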
Developer Hub supports the following permission policies:

Catalog permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| catalog.entity.read | catalog-entity | read | Allows a user or role to read from the catalog |
| catalog.entity.create | | create | Allows a user or role to create catalog entities, including registering an existing component in the catalog |
| catalog.entity.refresh | catalog-entity | update | Allows a user or role to refresh a single or multiple entities from the catalog |
| catalog.entity.delete | catalog-entity | delete | Allows a user or role to delete a single or multiple entities from the catalog |
| catalog.location.read | | read | Allows a user or role to read a single or multiple locations from the catalog |
| catalog.location.create | | create | Allows a user or role to create locations within the catalog |
| catalog.location.delete | | delete | Allows a user or role to delete locations from the catalog |
Bulk import permission

| Name | Resource type | Policy | Description |
|---|---|---|---|
| bulk.import | bulk-import | use | Allows the user to access the bulk import endpoints, such as listing all repositories and organizations accessible by all GitHub integrations and managing the import requests |
Scaffolder permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| scaffolder.action.execute | scaffolder-action | use | Allows the execution of an action from a template |
| scaffolder.template.parameter.read | scaffolder-template | read | Allows a user or role to read a single or multiple parameters from a template |
| scaffolder.template.step.read | scaffolder-template | read | Allows a user or role to read a single or multiple steps from a template |
| scaffolder.task.create | | create | Allows a user or role to trigger software templates, which create new scaffolder tasks |
| scaffolder.task.cancel | | use | Allows a user or role to cancel currently running scaffolder tasks |
| scaffolder.task.read | | read | Allows a user or role to read all scaffolder tasks and their associated events and logs |
RBAC permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| policy.entity.read | policy-entity | read | Allows a user or role to read permission policies and roles |
| policy.entity.create | policy-entity | create | Allows a user or role to create a single or multiple permission policies and roles |
| policy.entity.update | policy-entity | update | Allows a user or role to update a single or multiple permission policies and roles |
| policy.entity.delete | policy-entity | delete | Allows a user or role to delete a single or multiple permission policies and roles |
Kubernetes permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| kubernetes.proxy | | use | Allows a user or role to access the proxy endpoint |
OCM permissions

Basic OCM permissions only restrict access to the cluster view; they do not prevent access to the Kubernetes clusters in the resource view. For more effective permissions, consider applying a conditional policy that restricts access to catalog entities of type `kubernetes-cluster`. The access restriction depends on the set of permissions granted to a role. For example, if the role has full permissions (`read`, `update`, and `delete`), you must list all of those permissions in the `permissionMapping` field.
Example permissionMapping definition
```yaml
result: CONDITIONAL
roleEntityRef: 'role:default/<YOUR_ROLE>'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
  - update
  - delete
conditions:
  not:
    rule: HAS_SPEC
    resourceType: catalog-entity
    params:
      key: type
      value: kubernetes-cluster
```
| Name | Resource type | Policy | Description |
|---|---|---|---|
| ocm.entity.read | | read | Allows a user or role to read from the OCM plugin |
| ocm.cluster.read | | read | Allows a user or role to read the cluster information in the OCM plugin |
Topology permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| topology.view.read | | read | Allows a user or role to view the topology plugin |
| kubernetes.proxy | | use | Allows a user or role to access the proxy endpoint, allowing the user or role to read pod logs and events within RHDH |