* add access control to rules engine Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * add access control to reports Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * add access control to alarms Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix failing linter Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove unused variables Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update authorization method Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * revert code Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove roles Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update alarm permissions Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update alarm permissions Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * address comments Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix tests Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * revert endpoint changes Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix make fetch Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * revert env variable Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove rule prefix Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove trailing line Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove unused constants Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * re consumer Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update listing Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix tests Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix linter Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix rule roles interface Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * refactor listing commands Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fetch supermq Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * address coments Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update script 
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * address comments Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fetch supermq Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix time layout Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix failing linter Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix failing linter Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix role name Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix failing linter Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * address comments Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * remove white spaces Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update check usperadmin method Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * update go mod file Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fix tests Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * add missing env variable Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> --------- Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
// Copyright (c) Abstract Machines
// SPDX-License-Identifier: Apache-2.0
// Merge documentation
// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
// - Merge script: scripts/combine-schema.sh
// - Output: docker/spicedb/combined-schema.zed
//
// How merge works:
// 1. The first `definition domain { ... }` block is treated as the explicit domain overlay.
// 2. The first `definition team { ... }` block is treated as the explicit team overlay.
// 3. Domain overlay relations/permissions are injected into the SuperMQ `definition domain`.
// 4. Team overlay relations are injected into the SuperMQ `definition team`.
// 5. `permission membership_extension = ...` from the domain overlay is injected into the
//    SuperMQ `domain.permission membership` before `organization->admin`.
// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
//    so only the merged SuperMQ domain/team definitions remain.
// 7. Remaining definitions in this file (currently `rule` and `report`; alarms have no
//    definition of their own and are authorized through `rule` and `domain`) are appended.
//
// Maintenance notes:
// - Keep all custom domain/team merge lines inside the two overlay blocks below.
// - Update `permission membership_extension` whenever a domain-level relation is added or
//   removed; a relation left out of it grants its capability without contributing to
//   `domain.permission membership`.
// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
// Overlay domain block consumed by scripts/combine-schema.sh during merge.
definition domain {

    // Magistrala-specific relations
    //
    // Subject types: `role#member` (a member of a role held on this domain) or
    // `team#member` (every member of the referenced team). The `*_create` relations
    // exist only here: `rule` and `report` below have no create relation of their own.
    // Alarm update/delete/read are also domain-level only; `rule` re-exposes alarm
    // read/assign/acknowledge/resolve per rule but not update/delete.
    relation alarm_update: role#member | team#member
    relation alarm_read: role#member | team#member
    relation alarm_delete: role#member | team#member

    relation rule_create: role#member | team#member
    relation rule_update: role#member | team#member
    relation rule_read: role#member | team#member
    relation rule_delete: role#member | team#member
    relation rule_manage_role: role#member | team#member
    relation rule_add_role_users: role#member | team#member
    relation rule_remove_role_users: role#member | team#member
    relation rule_view_role_users: role#member | team#member
    relation alarm_assign: role#member | team#member
    relation alarm_acknowledge: role#member | team#member
    relation alarm_resolve: role#member | team#member

    relation report_create: role#member | team#member
    relation report_update: role#member | team#member
    relation report_read: role#member | team#member
    relation report_delete: role#member | team#member
    relation report_manage_role: role#member | team#member
    relation report_add_role_users: role#member | team#member
    relation report_remove_role_users: role#member | team#member
    relation report_view_role_users: role#member | team#member

    // Magistrala-specific permissions
    //
    // Each `<x>_permission` is the union of three grant paths:
    //   - the direct relation `<x>` on this domain,
    //   - `team-><x>`: the same-named relation on every team linked to this domain
    //     (the `team` relation itself is not declared in this overlay; it is expected
    //     to come from the upstream SuperMQ `domain` after merge — confirm there),
    //   - `organization->admin`: organization administrators (likewise upstream).
    // Note the two team paths: a `team#member` subject on the direct relation and the
    // `team->` arrow both grant via team membership; they are redundant but harmless.
    // `rule`/`report` chain to these via `domain-><x>_permission`, so a domain-level
    // grant applies to every rule/report in the domain, not to a single entity.
    permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
    permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
    permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin

    permission rule_create_permission = rule_create + team->rule_create + organization->admin
    permission rule_update_permission = rule_update + team->rule_update + organization->admin
    permission rule_read_permission = rule_read + team->rule_read + organization->admin
    permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
    permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
    permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
    permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
    permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
    permission alarm_assign_permission = alarm_assign + team->alarm_assign + organization->admin
    permission alarm_acknowledge_permission = alarm_acknowledge + team->alarm_acknowledge + organization->admin
    permission alarm_resolve_permission = alarm_resolve + team->alarm_resolve + organization->admin

    permission report_create_permission = report_create + team->report_create + organization->admin
    permission report_update_permission = report_update + team->report_update + organization->admin
    permission report_read_permission = report_read + team->report_read + organization->admin
    permission report_delete_permission = report_delete + team->report_delete + organization->admin
    permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
    permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
    permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
    permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin

    // Explicit extension injected into SuperMQ domain `permission membership`.
    //
    // Must enumerate every relation declared in this overlay (22 today). The merge
    // script splices this expression into `domain.permission membership`, so holding
    // any single relation here — including a read-only one such as `report_read` —
    // is enough to count as a domain member. Conversely, a relation omitted from this
    // list would grant its capability without conferring membership. Keep it in sync
    // whenever relations are added or removed above.
    permission membership_extension = alarm_update + alarm_read + alarm_delete + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + alarm_assign + alarm_acknowledge + alarm_resolve + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users

}
// Overlay team block consumed by scripts/combine-schema.sh during merge.
|
|
definition team {

    // Relations only; this overlay declares no team-level `*_permission`. Each
    // relation is reached from a domain through the matching `team-><relation>`
    // arrow in the domain overlay, so a grant on a team takes effect through the
    // domains that reference the team. The relation names must stay identical to
    // the domain-level ones for those arrows to resolve.
    //
    // `team#member` as a subject type allows a relation to be granted to the members
    // of another team (team nesting); how deep `member` itself recurses depends on
    // the upstream SuperMQ `team` definition, which is not visible here.
    relation alarm_update: role#member | team#member
    relation alarm_read: role#member | team#member
    relation alarm_delete: role#member | team#member

    relation rule_create: role#member | team#member
    relation rule_update: role#member | team#member
    relation rule_read: role#member | team#member
    relation rule_delete: role#member | team#member
    relation rule_manage_role: role#member | team#member
    relation rule_add_role_users: role#member | team#member
    relation rule_remove_role_users: role#member | team#member
    relation rule_view_role_users: role#member | team#member
    relation alarm_assign: role#member | team#member
    relation alarm_acknowledge: role#member | team#member
    relation alarm_resolve: role#member | team#member

    relation report_create: role#member | team#member
    relation report_update: role#member | team#member
    relation report_read: role#member | team#member
    relation report_delete: role#member | team#member
    relation report_manage_role: role#member | team#member
    relation report_add_role_users: role#member | team#member
    relation report_remove_role_users: role#member | team#member
    relation report_view_role_users: role#member | team#member

}
definition rule {
    // Owning domain. Every `domain->…` arrow below resolves against it, so any
    // domain-level grant applies to all rules in that domain, not to one rule.
    relation domain: domain

    // Entity-level grants are `role#member` only (no `team#member` here; team-based
    // access arrives through the domain). Creation is not modeled on the rule: it is
    // a domain capability (`domain.rule_create_permission`).
    relation update: role#member
    permission update_permission = update + domain->rule_update_permission

    relation read: role#member
    permission read_permission = read + domain->rule_read_permission

    relation delete: role#member
    permission delete_permission = delete + domain->rule_delete_permission

    // Role administration on the rule itself.
    relation manage_role: role#member
    permission manage_role_permission = manage_role + domain->rule_manage_role_permission

    relation add_role_users: role#member
    permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission

    relation remove_role_users: role#member
    permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission

    relation view_role_users: role#member
    permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission

    // Alarms attached to this rule. Read/assign/acknowledge/resolve are scoped per
    // rule and fall back to the domain-level alarm permissions. There is no rule-level
    // relation for alarm update or delete; this file declares those only on `domain`.
    // `read_permission` on the rule does not imply `alarm_read_permission`.
    relation alarm_read: role#member
    permission alarm_read_permission = alarm_read + domain->alarm_read_permission

    relation alarm_assign: role#member
    permission alarm_assign_permission = alarm_assign + domain->alarm_assign_permission

    relation alarm_acknowledge: role#member
    permission alarm_acknowledge_permission = alarm_acknowledge + domain->alarm_acknowledge_permission

    relation alarm_resolve: role#member
    permission alarm_resolve_permission = alarm_resolve + domain->alarm_resolve_permission
}
definition report {
    // Owning domain. Every `domain->…` arrow below resolves against it, so a
    // domain-level grant applies to all reports in that domain.
    relation domain: domain

    // Entity-level grants are `role#member` only; team-based access arrives through
    // the domain. Creation is a domain capability (`domain.report_create_permission`)
    // and has no relation on the report itself.
    relation update: role#member
    permission update_permission = update + domain->report_update_permission

    relation read: role#member
    permission read_permission = read + domain->report_read_permission

    relation delete: role#member
    permission delete_permission = delete + domain->report_delete_permission

    // Role administration on the report itself.
    relation manage_role: role#member
    permission manage_role_permission = manage_role + domain->report_manage_role_permission

    relation add_role_users: role#member
    permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission

    relation remove_role_users: role#member
    permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission

    relation view_role_users: role#member
    permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
}