Jump to: navigation, search

Difference between revisions of "Cyborg/Policy"

Line 25: Line 25:
 
| POST ||  || x || x ||  ||  ||  ||  || cyborg:arq:create || current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"]  
 
| POST ||  || x || x ||  ||  ||  ||  || cyborg:arq:create || current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"]  
 
|-
 
|-
| rowspan="2" | /v2/accelerator_requests/{accelerator_request_uuid} || GET || x ||  ||  ||  ||  ||  ||  || cyborg:arq:get_one ||  
+
| rowspan="2" | /v2/accelerator_requests/{arq_uuid} || GET || x ||  ||  ||  ||  ||  ||  || cyborg:arq:get_one ||  
 
|-
 
|-
 
| PATCH ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:update ||  
 
| PATCH ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:update ||  
 
|-
 
|-
| /v2/accelerator_requests?arqs={accelerator_request_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||
+
| /v2/accelerator_requests?arqs={arq_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||
 
|-
 
|-
 
| /v2/accelerator_requests?instance={instance_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||
 
| /v2/accelerator_requests?instance={instance_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||

Revision as of 07:18, 31 December 2019

Project-scope System-scope
Route Method reader member admin reader member admin no auth RBAC Name Notes
/ GET x N/A No restrictions on this route
/v2 GET x N/A No restrictions on this route
/v2/device_profiles GET x cyborg:device_profile:get_all
POST x x cyborg:device_profile:create
/v2/device_profiles/{device_profiles_uuid} GET x cyborg:device_profile:get_one
DELETE x(admin_or_owner) cyborg:device_profile:delete
/v2/device_profiles?value={device_profile_name1},{device_profile_name2} DELETE x(admin_or_owner) cyborg:device_profile:delete
/v2/accelerator_requests GET x cyborg:arq:get_all
POST x x cyborg:arq:create current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"]
/v2/accelerator_requests/{arq_uuid} GET x cyborg:arq:get_one
PATCH x(admin_or_owner) cyborg:arq:update
/v2/accelerator_requests?arqs={arq_uuid} DELETE x(admin_or_owner) cyborg:arq:delete
/v2/accelerator_requests?instance={instance_uuid} DELETE x(admin_or_owner) cyborg:arq:delete
/v2/devices GET x x? cyborg:device:get_all
GET x x? cyborg:device:get_one
PATCH x(admin_or_owner) x? cyborg:device:update Update the firmware or shell image (FPGA bitstream) for the specified device
/v2/deployables/{uuid} PATCH x(admin_or_owner) x? cyborg:deployable:update Update the FPGA bitstream for the specified deployable.

Reference:

Questions (tied to RBAC Name):

  • cyborg:arq:create
    • (Yumeng) current rule: any role is allowed to do post action. This is too permissive, instead, it should be at least "role:member" with scope_type ["project"]
  • cyborg:device:get_all
  • cyborg:device:update
    • (Yumeng) Is it necessary to allow a system-scope user to read and update one device? For example, when one device is shared by different projects, we should allow a role at a system-scope level to access this device, right?
  • cyborg:deployable:update
    • (Yumeng) ditto for deployable update