Commit 391405a

binoyPeries authored and JanakaSandaruwan committed
docs: Update authz conditions with newly added attributes
Signed-off-by: binoyPeries <binoyperies98@gmail.com>
1 parent 81d7b55 commit 391405a

1 file changed

Lines changed: 16 additions & 8 deletions

docs/platform-engineer-guide/authorization/conditions.md

@@ -43,22 +43,27 @@ CEL expressions reference a predefined set of attributes. Each attribute is regi
4343

4444
Currently the following attributes are available — more will be added in future releases:
4545

46-
| Attribute | Type | Available on | Description |
47-
| ----------------------------------------------------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
48-
| `resource.environment`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped) | string | `releasebinding:create`, `releasebinding:view`, `releasebinding:update`, `releasebinding:delete`, `logs:view`, `metrics:view`, `traces:view` | Environment associated with the resource (e.g., `acme/prod`). |
46+
| Attribute | Type | Available on | Description |
47+
| ------------------------------------------------------------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- |
48+
| `resource.componentType`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped) | string | `component:create`, `component:update`, `component:delete` | ComponentType (or ClusterComponentType) referenced by the component. |
49+
| `resource.environment`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped) | string | `releasebinding:create`, `releasebinding:view`, `releasebinding:update`, `releasebinding:delete`, `resourcereleasebinding:create`, `resourcereleasebinding:view`, `resourcereleasebinding:update`, `resourcereleasebinding:delete`, `logs:view`, `wirelogs:view`, `metrics:view`, `traces:view` | Environment associated with the resource (e.g., `acme/prod`). |
50+
| `resource.resourceType`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped) | string | `resource:create`, `resource:update`, `resource:delete` | ResourceType (or ClusterResourceType) referenced by the resource. |
51+
| `resource.workflow`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped) | string | `workflowrun:create`, `workflowrun:update`, `workflowrun:delete` | Workflow (or ClusterWorkflow) referenced by the workflow run. |
4952

5053
When a condition lists multiple actions — whether explicitly (`["releasebinding:create", "logs:view"]`) or via a wildcard pattern (`releasebinding:*`) — the expression may only reference attributes registered for **every** action the entry covers. An attribute supported by only some of those actions is not usable in the condition.
5154

5255
### Resource Identifiers (Dual-Scoped)
5356

54-
Some resource kinds in OpenChoreo come in two variants — one namespace-scoped, one cluster-scoped. In conditions, both variants share a single logical name (such as `environment`). Conditions don't pick the variant by kind; they pick it by the **shape of the identifier**.
57+
Some resource kinds in OpenChoreo come in two variants — one namespace-scoped, one cluster-scoped (for example, `ComponentType` and `ClusterComponentType`). In conditions, both variants share a single logical attribute — `environment`, `componentType`, `resourceType`, or `workflow`. Conditions don't pick the variant by kind; they pick it by the **shape of the identifier**.
5558

56-
Attributes that identify such a resource (such as `resource.environment`) carry one of two forms:
59+
These dual-scoped attributes carry one of two forms:
5760

5861
- For the namespace-scoped variant: `{namespace}/{name}` — for example, `acme/prod`.
5962
- For the cluster-scoped variant: just `{name}` — for example, `prod`.
6063

61-
Match the same form in your CEL expression: `resource.environment == "acme/prod"` targets a namespace-scoped environment named `prod` in `acme`, while `resource.environment == "prod"` targets the cluster-scoped one.
64+
Match the same form in your CEL expression: `resource.environment == "acme/prod"` targets a namespace-scoped environment named `prod` in `acme`, while `resource.environment == "prod"` targets the cluster-scoped one. The same rule applies to `resource.componentType`, `resource.resourceType`, and `resource.workflow`.
65+
66+
Which form applies depends on the reference's `kind` in the resource being acted upon. Match the form the resource actually resolves to. When `kind` is omitted, it follows the CRD field's default.
6267

6368
For resources that exist in only one scope, the resource identifiers simply carry the resource name.
6469

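Review bot: the added closing sentence "When `kind` is omitted, it follows the CRD field's default." leaves out the one fact a policy author needs here: whether an omitted `kind` resolves to the namespace-scoped `{namespace}/{name}` form or the cluster-scoped `{name}` form. A condition written in the wrong form never matches, so an allow entry silently denies the access it was meant to grant; state the default for each of `componentType`, `resourceType`, `workflow` and `environment` (or link to the CRD field documentation). The preceding "Match the form the resource actually resolves to." restates the sentence before it and can be dropped. Minor: the new `resource.environment` row now also lists `resourcereleasebinding:*` and `wirelogs:view`, so the "Available on" column is getting long; a short note that the list is the full set of actions carrying the attribute would help readers who skim it.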
@@ -95,7 +100,7 @@ This binding permits the `releasebinding:view` actions when the target environme
95100

96101
## Examples
97102

98-
A platform engineer needs to give the `backend-team` group `developer` access — but with two safety rails: release-binding mutations must stay out of production, and log access should be limited to `dev` and `staging`. A single role mapping can carry both rules, one condition per action group:
103+
A platform engineer needs to give the `backend-team` group `developer` access — but with three safety rails: release-binding mutations must stay out of production, log access should be limited to `dev` and `staging`, and the team should only be able to create `service` and `cronjob` components. A single role mapping can carry all three rules, one condition per action group:
99104

100105
```yaml
101106
apiVersion: openchoreo.dev/v1alpha1
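Review bot: in the rewritten intro paragraph, "the team should only be able to create `service` and `cronjob` components" is ambiguous: `service` and `cronjob` are ComponentType names (the values `resource.componentType` carries), not component names, and under the Dual-Scoped rules the scope is part of the value. Suggest "create components whose ComponentType is the cluster-scoped `service` or `cronjob`" (or the namespaced `acme/service` / `acme/cronjob` form, whichever the example intends) so the prose and the expression in the YAML that follows use the same form.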
@@ -120,10 +125,13 @@ spec:
120125
- actions:
121126
- logs:view
122127
expression: 'resource.environment in ["acme/dev", "acme/staging"]'
128+
- actions:
129+
- component:create
130+
expression: 'resource.componentType in ["service", "cronjob"]'
123131
effect: allow
124132
```
125133

126-
Read-only actions on `releasebinding` (e.g., `releasebinding:view`) and every other action in the `developer` role remain unrestricted — only the listed actions are gated.
134+
Read-only actions on `releasebinding` (e.g., `releasebinding:view`) and every other action in the `developer` role remain unrestricted — only the listed actions are gated. A `component:create` for any type other than the namespace-scoped `service` or `cronjob` (`acme/service`, `acme/cronjob`) fails its condition and is denied.
127135

128136
## Related Reading
129137

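Review bot: the new expression and its explanation disagree about which variant is allowed. `resource.componentType in ["service", "cronjob"]` uses the bare-name form, which per the Dual-Scoped section above matches the cluster-scoped `ClusterComponentType`; the namespace-scoped types in `acme` carry `acme/service` and `acme/cronjob`. The added sentence says creates "other than the namespace-scoped `service` or `cronjob` (`acme/service`, `acme/cronjob`)" are denied, which reads as the opposite: with this expression a component referencing `acme/service` fails the condition and is denied. Either change the expression to `'resource.componentType in ["acme/service", "acme/cronjob"]'` or reword the sentence to say cluster-scoped. Also, since the table registers `resource.componentType` on `component:update` and `component:delete` as well, consider listing those actions in the same entry if the rail is meant to keep the team off other component types entirely rather than only at creation.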