Difference between revisions of "Cyborg/Policy"
< Cyborg
Yumeng bao (talk | contribs) (Scoped-RBAC Policy for Cyborg API V2) |
Yumeng bao (talk | contribs) |
||
| Line 13: | Line 13: | ||
| rowspan="2" | /v2/device_profiles || GET || x || || || || || || || cyborg:device_profile:get_all || | | rowspan="2" | /v2/device_profiles || GET || x || || || || || || || cyborg:device_profile:get_all || | ||
|- | |- | ||
| − | | POST || || | + | | POST || || x || x || || || || || cyborg:device_profile:create || |
|- | |- | ||
| rowspan="2" | /v2/device_profiles/{device_profiles_uuid} || GET || x || || || || || || || cyborg:device_profile:get_one || | | rowspan="2" | /v2/device_profiles/{device_profiles_uuid} || GET || x || || || || || || || cyborg:device_profile:get_one || | ||
|- | |- | ||
| − | | DELETE || || || x || || || || || cyborg:device_profile:delete || | + | | DELETE || || || x(admin_or_owner) || || || || || cyborg:device_profile:delete || |
|- | |- | ||
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} || DELETE || || || x || || || || || cyborg:device_profile:delete || | | /v2/device_profiles?value={device_profile_name1},{device_profile_name2} || DELETE || || || x || || || || || cyborg:device_profile:delete || | ||
| Line 23: | Line 23: | ||
| rowspan="2" | /v2/accelerator_requests || GET || x || || || || || || || cyborg:arq:get_all || | | rowspan="2" | /v2/accelerator_requests || GET || x || || || || || || || cyborg:arq:get_all || | ||
|- | |- | ||
| − | | POST || || | + | | POST || || x || x || || || || || cyborg:arq:create || current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"] |
|- | |- | ||
| rowspan="2" | /v2/accelerator_requests/{accelerator_request_uuid} || GET || x || || || || || || || cyborg:arq:get_one || | | rowspan="2" | /v2/accelerator_requests/{accelerator_request_uuid} || GET || x || || || || || || || cyborg:arq:get_one || | ||
|- | |- | ||
| − | | PATCH || || || x || || || || || cyborg:arq:update || | + | | PATCH || || || x(admin_or_owner) || || || || || cyborg:arq:update || |
|- | |- | ||
| /v2/accelerator_requests?arqs={accelerator_request_uuid} || DELETE || || || x || || || || || cyborg:arq:delete || | | /v2/accelerator_requests?arqs={accelerator_request_uuid} || DELETE || || || x || || || || || cyborg:arq:delete || | ||
| Line 37: | Line 37: | ||
| GET || x || || || x? || || || || cyborg:device:get_one || | | GET || x || || || x? || || || || cyborg:device:get_one || | ||
|- | |- | ||
| − | | PATCH || || || x || || || x? || || cyborg:device:update || Update the firmware or shell image (FPGA bitstream) for the specified device | + | | PATCH || || || x(admin_or_owner) || || || x? || || cyborg:device:update || Update the firmware or shell image (FPGA bitstream) for the specified device |
|- | |- | ||
| − | | /v2/deployables/{uuid} || PATCH || || || x || || || x? || || cyborg:deployable:update || Update the FPGA bitstream for the specified deployable. | + | | /v2/deployables/{uuid} || PATCH || || || x(admin_or_owner) || || || x? || || cyborg:deployable:update || Update the FPGA bitstream for the specified deployable. |
|- | |- | ||
|} | |} | ||
| Line 45: | Line 45: | ||
Questions (tied to RBAC Name): | Questions (tied to RBAC Name): | ||
* cyborg:arq:create | * cyborg:arq:create | ||
| − | ** (Yumeng) current rule: any role is allowed to do post action. | + | ** (Yumeng) current rule: any role is allowed to do post action. This is too permissive,instead it should be at least "role:member" with scope_type ["project"] |
* cyborg:device:get_all | * cyborg:device:get_all | ||
* cyborg:device:update | * cyborg:device:update | ||
Revision as of 08:01, 23 December 2019
| Project-scope | System-scope | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Route | Method | reader | member | admin | reader | member | admin | no auth | RBAC Name | Notes |
| / | GET | x | N/A | No restrictions on this route | ||||||
| /v2 | GET | x | N/A | No restrictions on this route | ||||||
| /v2/device_profiles | GET | x | cyborg:device_profile:get_all | |||||||
| POST | x | x | cyborg:device_profile:create | |||||||
| /v2/device_profiles/{device_profiles_uuid} | GET | x | cyborg:device_profile:get_one | |||||||
| DELETE | x(admin_or_owner) | cyborg:device_profile:delete | ||||||||
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} | DELETE | x | cyborg:device_profile:delete | |||||||
| /v2/accelerator_requests | GET | x | cyborg:arq:get_all | |||||||
| POST | x | x | cyborg:arq:create | current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"] | ||||||
| /v2/accelerator_requests/{accelerator_request_uuid} | GET | x | cyborg:arq:get_one | |||||||
| PATCH | x(admin_or_owner) | cyborg:arq:update | ||||||||
| /v2/accelerator_requests?arqs={accelerator_request_uuid} | DELETE | x | cyborg:arq:delete | |||||||
| /v2/accelerator_requests?instance={instance_uuid} | DELETE | x | cyborg:arq:delete | |||||||
| /v2/devices | GET | x | x? | cyborg:device:get_all | ||||||
| GET | x | x? | cyborg:device:get_one | |||||||
| PATCH | x(admin_or_owner) | x? | cyborg:device:update | Update the firmware or shell image (FPGA bitstream) for the specified device | ||||||
| /v2/deployables/{uuid} | PATCH | x(admin_or_owner) | x? | cyborg:deployable:update | Update the FPGA bitstream for the specified deployable. | |||||
Questions (tied to RBAC Name):
- cyborg:arq:create
- (Yumeng) current rule: any role is allowed to do post action. This is too permissive,instead it should be at least "role:member" with scope_type ["project"]
- cyborg:device:get_all
- cyborg:device:update
- (Yumeng) Is it necessary to allow a system-scope user to read and update ond device? For example, when one device is shared by different projects, we should allow a role at a system-scope level
to access this device, right?
- cyborg:deployable:update
- (Yumeng) ditto for deployable update
