Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


// Administrative Authorization Policies
// Super-user permissions and emergency access
// ============================================================================
// PLATFORM ADMIN POLICIES
// ============================================================================
// Platform admins have full access to all environments.
// NOTE(review): platform-admin is also exempted from the MFA requirement in
// admin-action-mfa further down, so membership in this team is effectively the
// root credential of the policy set — group membership changes deserve the same
// controls as an admin key. Forbid policies (e.g. audit-no-modify) still
// override this permit for any principal that is also in a forbidden group.
@id("admin-full-access")
@description("Platform admins have unrestricted access")
permit (principal in Provisioning::Team::"platform-admin", action, resource);
// ============================================================================
// EMERGENCY ACCESS POLICIES
// ============================================================================
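// Emergency access with special approval bypasses some restrictions.
// Cedar strings have no startsWith() method; prefix matching is expressed with
// the `like` operator, where `*` is the wildcard.
// NOTE(review): approval_id is supplied by the caller in the request context.
// Cedar cannot tell whether "EMERGENCY-..." names a real, open approval; the
// service that builds the context must verify the approval before setting it.
// Also, Cedar permits are OR'd: every action listed here is already permitted
// for these teams by other policies (admin-full-access; sre-elevated-access for
// deploy/rollback; sre-update-approval / sre-delete-restricted for any
// non-empty approval_id), so this policy grants no additional authority. It can
// only "bypass" a time restriction once a forbid policy exempts it via `unless`.
@id("emergency-access")
@description("Emergency approval bypasses time restrictions")
permit (
    principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"],
    action in [
        Provisioning::Action::"deploy",
        Provisioning::Action::"delete",
        Provisioning::Action::"rollback",
        Provisioning::Action::"update"
    ],
    resource
) when {
    context has approval_id &&
    context.approval_id like "EMERGENCY-*"
};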
// ============================================================================
// AUDIT AND COMPLIANCE POLICIES
// ============================================================================
// Audit team may observe every resource (read, list, monitor) in every
// environment; no write-type action appears in this allow-list.
@id("audit-access")
@description("Audit team can view all resources")
permit (
    principal in Provisioning::Team::"audit",
    action in [
        Provisioning::Action::"list",
        Provisioning::Action::"read",
        Provisioning::Action::"monitor"
    ],
    resource
);
// Keep the audit team read-only. A forbid always wins over a permit, so this
// also blocks these actions for a principal who is in audit AND in another team
// (platform-admin, sre, a workspace owner, ...).
// NOTE(review): "ssh" (granted to sre in sre-elevated-access) is not in this
// list; an audit member who is also an SRE keeps ssh. Add it if audit is meant
// to be strictly observational.
@id("audit-no-modify")
@description("Audit team cannot modify resources")
forbid (
    principal in Provisioning::Team::"audit",
    action in [
        Provisioning::Action::"admin",
        Provisioning::Action::"create",
        Provisioning::Action::"update",
        Provisioning::Action::"delete",
        Provisioning::Action::"deploy",
        Provisioning::Action::"rollback"
    ],
    resource
);
// ============================================================================
// SRE TEAM POLICIES
// ============================================================================
// SRE team: elevated but not admin. Note that ssh, deploy and rollback are
// permitted here unconditionally, for every environment including production —
// no approval_id, no MFA and no time-of-day condition. The maintenance-window
// permit further down does not narrow this (a permit cannot restrict).
@id("sre-elevated-access")
@description("SRE team has elevated permissions")
permit (
    principal in Provisioning::Team::"sre",
    action in [
        Provisioning::Action::"list",
        Provisioning::Action::"read",
        Provisioning::Action::"monitor",
        Provisioning::Action::"deploy",
        Provisioning::Action::"rollback",
        Provisioning::Action::"ssh"
    ],
    resource
);
// SRE updates need an approval reference in the request context.
// NOTE(review): the only check Cedar can make is "non-empty string"; whether the
// approval exists, is open and covers this resource must be verified by the
// service that populates context.approval_id.
@id("sre-update-approval")
@description("SRE updates require approval")
permit (principal in Provisioning::Team::"sre", action == Provisioning::Action::"update", resource)
when { context has approval_id && context.approval_id != "" };
// SRE deletions need an approval reference in the request context.
// Same caveat as sre-update-approval: Cedar only sees a non-empty string; the
// approval itself is validated (or not) upstream of the authorizer.
@id("sre-delete-restricted")
@description("SRE deletions require approval")
permit (principal in Provisioning::Team::"sre", action == Provisioning::Action::"delete", resource)
when { context has approval_id && context.approval_id != "" };
// ============================================================================
// SECURITY TEAM POLICIES
// ============================================================================
// Security team: observe everything (read, list, monitor), modify nothing by
// default; write access is granted separately by security-lockdown.
@id("security-read-all")
@description("Security team can view all resources")
permit (
    principal in Provisioning::Team::"security",
    action in [
        Provisioning::Action::"list",
        Provisioning::Action::"read",
        Provisioning::Action::"monitor"
    ],
    resource
);
// Security team may run the "admin" action only for a lockdown operation.
// The admin-action-mfa forbid applies to this action too, so the request must
// also carry mfa_verified == true. The `operation` value is caller-supplied;
// the service issuing the request is what constrains it to "lockdown".
@id("security-lockdown")
@description("Security team can perform emergency lockdowns")
permit (principal in Provisioning::Team::"security", action == Provisioning::Action::"admin", resource)
when { context has operation && context.operation == "lockdown" };
// ============================================================================
// CROSS-ENVIRONMENT POLICIES
// ============================================================================
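// Admin operations require MFA (platform-admin exempted, see `unless`).
// Cedar skips a policy whose condition raises an evaluation error, and reading
// an attribute that is absent from the context is such an error. The original
// `context.mfa_verified != true` therefore let a request that simply omitted
// mfa_verified fall through this forbid and be allowed by a permit. With the
// `has` guard, an absent or non-true value counts as "not verified" and denies.
// NOTE(review): the exemption means the most privileged team is the one team
// not asked for MFA; consider dropping the `unless` clause.
@id("admin-action-mfa")
@description("Admin actions require MFA verification")
forbid (
    principal,
    action == Provisioning::Action::"admin",
    resource
) when {
    !(context has mfa_verified && context.mfa_verified == true)
} unless {
    principal in Provisioning::Team::"platform-admin"
};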
// ============================================================================
// WORKSPACE OWNERSHIP POLICIES
// ============================================================================
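// Workspace owners have full control over their own workspace's resources.
// Both `has` checks are needed: a resource with a workspace that lacks `owner`
// would otherwise raise an evaluation error (the permit is skipped, so the
// decision is still deny, but the error lands in the diagnostics).
// NOTE(review): this grant has no environment, approval or MFA condition — an
// owner can delete a production resource without the approval_id that an SRE
// needs (sre-delete-restricted). Confirm that is intended.
@id("workspace-owner-access")
@description("Workspace owners control their resources")
permit (
    principal,
    action in [
        Provisioning::Action::"create",
        Provisioning::Action::"delete",
        Provisioning::Action::"update",
        Provisioning::Action::"read",
        Provisioning::Action::"list"
    ],
    resource
) when {
    resource has workspace &&
    resource.workspace has owner &&
    resource.workspace.owner == principal
};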
// ============================================================================
// TIME-BASED RESTRICTIONS
// ============================================================================
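// Maintenance window policies (outside business hours for critical ops).
// Cedar strings have no split() or .decimal() methods, so the original
// condition could not be parsed or validated. The check below uses the Cedar
// datetime extension: `toTime()` yields the duration since midnight UTC, which
// is compared against `duration` literals. This requires `context.time` to be
// supplied as a datetime value (not a plain string) and an engine version with
// the datetime extension — confirm both against the schema and the runtime.
// Window: 22:00 UTC (inclusive) to 06:00 UTC (exclusive), per the comment below.
// NOTE(review): this is a permit, and a permit cannot restrict anything.
// sre-elevated-access already permits deploy everywhere with no time condition
// and admin-full-access permits everything, so this policy currently grants no
// additional authority. A real maintenance-window restriction needs a forbid
// on production outside the window (with an `unless` for emergency approvals).
@id("maintenance-window")
@description("Critical operations allowed during maintenance window")
permit (
    principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"],
    action in [
        Provisioning::Action::"update",
        Provisioning::Action::"deploy"
    ],
    resource in Provisioning::Environment::"production"
) when {
    // Maintenance window: 22:00 - 06:00 UTC
    context has time &&
    (context.time.toTime() >= duration("22h") ||
     context.time.toTime() < duration("6h"))
};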
// ============================================================================
// RATE LIMITING HINTS
// ============================================================================
// Note: Cedar cannot enforce rate limits, and a Cedar policy cannot be a mere
// "hint" — every permit or forbid in this file is a live authorization rule.
// Rate limiting must be implemented in middleware, keyed on the request's
// action and resource (and, if useful, the authorizer's determining policy IDs).
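// Critical operations (delete, admin on production) should be rate limited —
// in middleware, not in this policy set.
// Removed: the former `rate-limit-critical` policy,
//   permit (principal, action in [delete, admin],
//           resource in Provisioning::Environment::"production") when { true };
// Cedar has no notion of a hint: that was a live permit granting delete and
// admin on every production resource to every principal, bypassing the
// approval conditions in sre-delete-restricted and the team scoping of every
// other policy (delete is not covered by the admin-action-mfa forbid at all).
// The rate limiter should match on the request's action and resource instead of
// relying on a policy of its own.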
// ============================================================================
// DEFAULT DENY POLICY
// ============================================================================
// Note: Cedar is deny-by-default, so no explicit policy is needed here: a
// request is allowed only if at least one permit policy matches it and no
// forbid policy does. A forbid always overrides a permit, and a policy whose
// condition raises an evaluation error (e.g. a missing context attribute) is
// skipped rather than satisfied — so forbid conditions must guard attribute
// access with `has`.