Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
// Cedar Authorization Schema for Provisioning Platform
// Defines entities, actions, and their relationships
// ============================================================================
// NAMESPACES
// ============================================================================
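namespace Provisioning {
  // Schema for the provisioning platform's authorization model, written in
  // Cedar's human-readable schema syntax:
  //   * group/parent membership is declared with `in [...]` on the entity itself;
  //   * optional attributes carry `?` on the attribute NAME ("approval_id"?: String),
  //     and policies must test `context has approval_id` before reading them;
  //   * the `tags` clause of an entity declaration takes a value TYPE (per-entity
  //     key/value tags), not a list of labels, so the principal/resource/sensitive
  //     classification labels are recorded as comments on each entity.

  // ==========================================================================
  // ENTITY TYPES
  // ==========================================================================

  // User entity represents authenticated principals.
  // Classification: principal. A User may be a member of Teams.
  entity User in [Team] = {
    "email": String,
    "username": String,
    // Whether the account has MFA enrolled. This is not the same thing as
    // `context.mfa_verified`, which the actions below use for the current request.
    "mfa_enabled": Bool,
    "created_at": String,
  };

  // Team entity represents groups of users.
  // Classification: principal.
  entity Team = {
    "name": String,
    "description": String,
    "created_at": String,
  };

  // Environment entity represents deployment environments.
  // Classification: resource.
  entity Environment = {
    "name": String,
    // "development", "staging", "production". The schema cannot constrain a
    // String to these values, so a misspelled tier in a policy never matches.
    "tier": String,
    "requires_approval": Bool,
    "requires_mfa": Bool,
  };

  // Workspace entity represents logical isolation boundaries.
  // Classification: resource. A Workspace belongs to an Environment.
  entity Workspace in [Environment] = {
    "name": String,
    "owner": User,
    "environment": Environment,
    "created_at": String,
  };

  // Server entity represents compute instances.
  // Classification: resource.
  entity Server in [Workspace, Environment] = {
    "hostname": String,
    "provider": String,
    "workspace": Workspace,
    "environment": Environment,
    "status": String,
  };

  // Taskserv entity represents infrastructure services.
  // Classification: resource.
  entity Taskserv in [Workspace, Environment] = {
    "name": String,
    "category": String,
    "version": String,
    "workspace": Workspace,
    "environment": Environment,
  };

  // Cluster entity represents multi-node deployments.
  // Classification: resource.
  entity Cluster in [Workspace, Environment] = {
    "name": String,
    "type": String,
    "workspace": Workspace,
    "environment": Environment,
    "node_count": Long,
  };

  // Workflow entity represents orchestrated operations.
  // Classification: resource.
  entity Workflow in [Workspace, Environment] = {
    "workflow_id": String,
    "workflow_type": String,
    "workspace": Workspace,
    "environment": Environment,
    "status": String,
  };

  // Secret entity represents stored secrets (DB credentials, API keys, SSH keys, etc.).
  // Classification: resource, sensitive. Only metadata is modelled here; no
  // attribute holds secret material.
  entity Secret in [Workspace] = {
    "secret_id": String,
    "secret_type": String, // "database", "application", "ssh", "provider"
    "workspace": Workspace,
    "domain": String, // "postgres", "redis", "web-api", "ssh", etc.
    "ttl_hours": Long,
    "auto_rotate": Bool,
    "created_by": User,
    // NOTE(review): a stored flag, not derived at evaluation time. A policy that
    // denies on `resource.is_expired` is only as current as the entity data
    // handed to the authorizer; confirm who refreshes it.
    "is_expired": Bool,
    "tags": Set<String>,
  };

  // ==========================================================================
  // ACTION TYPES
  // ==========================================================================
  //
  // NOTE(review), applies to every context record below:
  //   * "ip_address" and "time" are plain Strings, so policies can only compare
  //     them for equality or with `like`. Range checks such as
  //     `isInRange(ip("10.0.0.0/8"))` need the `ipaddr` extension type. Changing
  //     the types alters what callers must send, so they are left as declared.
  //   * Context values are only as trustworthy as the component that builds the
  //     authorization request; "mfa_verified" and "approval_id" should come
  //     from server-side session/approval state, not from client input.

  // Resource lifecycle actions
  action create appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "reason"?: String,
    }
  };

  action delete appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      // Presence of an id does not by itself show the approval is valid for
      // this resource; presumably the caller verifies it. TODO confirm.
      "approval_id"?: String,
      "force": Bool,
    }
  };

  action update appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "changes": String,
    }
  };

  // Read operations
  // NOTE(review): no "mfa_verified" in context, so policies for read/list cannot
  // condition on MFA, including for environments with `requires_mfa` set.
  action read appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  action list appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  // Deployment actions
  action deploy appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "deployment_config": String,
    }
  };

  action rollback appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "target_version": String,
    }
  };

  // Administrative actions
  action admin appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workspace, Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      // Free-form operation name; one action type covers every admin operation,
      // so policies have to match on this string to tell them apart.
      "operation": String,
    }
  };

  // SSH and access actions
  // NOTE(review): this context carries no "mfa_verified", so a policy cannot
  // require a verified second factor for SSH to a Server whose Environment has
  // `requires_mfa` set. Confirm whether that is enforced elsewhere.
  action ssh appliesTo {
    principal: [User, Team],
    resource: [Server],
    context: {
      "ip_address": String,
      "time": String,
      "ssh_key_fingerprint": String,
    }
  };

  // Workflow execution actions
  action execute appliesTo {
    principal: [User, Team],
    resource: [Workflow],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "workflow_params": String,
    }
  };

  action monitor appliesTo {
    principal: [User, Team],
    resource: [Server, Taskserv, Cluster, Workflow],
    context: {
      "ip_address": String,
      "time": String,
    }
  };

  // Secret-specific actions
  // Secret is not a resource of create/read/update/delete/list/admin above;
  // only access, rotate and renew apply to it.
  action access appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      // NOTE(review): these duplicate `resource.secret_type` / `resource.domain`.
      // Policies should prefer the resource attributes unless the context copy
      // is known to be filled from the stored secret rather than the request.
      "secret_type": String,
      "domain": String,
    }
  };

  action rotate appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
      "approval_id"?: String,
      "reason"?: String,
    }
  };

  action renew appliesTo {
    principal: [User, Team],
    resource: [Secret],
    context: {
      "mfa_verified": Bool,
      "ip_address": String,
      "time": String,
    }
  };

  // ==========================================================================
  // ENTITY RELATIONSHIPS
  // ==========================================================================
  //
  // Declared on the entity types above with `in [...]`:
  //   User                                 in [Team]
  //   Server, Taskserv, Cluster, Workflow  in [Workspace, Environment]
  //   Secret                               in [Workspace]
  //   Workspace                            in [Environment]
  // Membership is transitive, so `resource in Environment::"..."` also matches
  // a Secret through its Workspace.
}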