opensource/supermq
1
0
Fork 0
mirror of https://github.com/absmach/supermq.git synced 2026-06-23 07:30:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
362a4fc76d3f68052effbfdb34e3a7bcc5c55729
supermq/docker/spicedb/override-schema.zed
T
Steve Munene 362a4fc76d MG-370 - Add fine grained access control to rules engine (#402) 
* update go mod file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix rules endpoint tests

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix yaml file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix build

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* address comments

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* remove roles from alarms

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* change approach for schema combaine

Signed-off-by: Arvindh <arvindh91@gmail.com>

* change approach for schema combaine

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix permissions for rules

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix authorization file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

---------

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: Arvindh <arvindh91@gmail.com>
Co-authored-by: Arvindh <arvindh91@gmail.com>
2026-03-05 11:42:51 +01:00

188 lines
9.9 KiB
Zed
Raw Blame History

// Copyright (c) Abstract Machines
// SPDX-License-Identifier: Apache-2.0
// Merge documentation
// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
// - Merge script: scripts/combined-schema.sh
// - Output: docker/spicedb/combined-schema.zed
//
// How merge works:
// 1. The first `definition domain { ... }` block is treated as explicit domain overlay.
// 2. The first `definition team { ... }` block is treated as explicit team overlay.
// 3. Domain overlay relations/permissions are injected into SuperMQ `definition domain`.
// 4. Team overlay relations are injected into SuperMQ `definition team`.
// 5. `permission membership_extension = ...` from the domain overlay is injected into
// SuperMQ `domain.permission membership` before `organization->admin`.
// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
// so only merged SuperMQ domain/team definitions remain.
// 7. Remaining definitions in this file (for example `alarm`, `rule`, `report`) are appended.
//
// Maintenance notes:
// - Keep all custom domain/team merge lines inside the two overlay blocks below.
// - Update `permission membership_extension` whenever domain membership additions change.
// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
// Overlay domain block consumed by scripts/combine-schema.sh during merge.
definition domain {
// Magistrala-specific relations
relation alarm_create: role#member | team#member
relation alarm_update: role#member | team#member
relation alarm_read: role#member | team#member
relation alarm_delete: role#member | team#member
relation alarm_manage_role: role#member | team#member
relation alarm_add_role_users: role#member | team#member
relation alarm_remove_role_users: role#member | team#member
relation alarm_view_role_users: role#member | team#member
relation rule_create: role#member | team#member
relation rule_update: role#member | team#member
relation rule_read: role#member | team#member
relation rule_delete: role#member | team#member
relation rule_manage_role: role#member | team#member
relation rule_add_role_users: role#member | team#member
relation rule_remove_role_users: role#member | team#member
relation rule_view_role_users: role#member | team#member
relation report_create: role#member | team#member
relation report_update: role#member | team#member
relation report_read: role#member | team#member
relation report_delete: role#member | team#member
relation report_manage_role: role#member | team#member
relation report_add_role_users: role#member | team#member
relation report_remove_role_users: role#member | team#member
relation report_view_role_users: role#member | team#member
// Magistrala-specific permissions
permission alarm_create_permission = alarm_create + team->alarm_create + organization->admin
permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
permission alarm_manage_role_permission = alarm_manage_role + team->alarm_manage_role + organization->admin
permission alarm_add_role_users_permission = alarm_add_role_users + team->alarm_add_role_users + organization->admin
permission alarm_remove_role_users_permission = alarm_remove_role_users + team->alarm_remove_role_users + organization->admin
permission alarm_view_role_users_permission = alarm_view_role_users + team->alarm_view_role_users + organization->admin
permission rule_create_permission = rule_create + team->rule_create + organization->admin
permission rule_update_permission = rule_update + team->rule_update + organization->admin
permission rule_read_permission = rule_read + team->rule_read + organization->admin
permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
permission report_create_permission = report_create + team->report_create + organization->admin
permission report_update_permission = report_update + team->report_update + organization->admin
permission report_read_permission = report_read + team->report_read + organization->admin
permission report_delete_permission = report_delete + team->report_delete + organization->admin
permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
// Explicit extension injected into SuperMQ domain `permission membership`.
permission membership_extension = alarm_create + alarm_update + alarm_read + alarm_delete + alarm_manage_role + alarm_add_role_users + alarm_remove_role_users + alarm_view_role_users + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users
}
// Overlay team block consumed by scripts/combine-schema.sh during merge.
definition team {
relation alarm_create: role#member | team#member
relation alarm_update: role#member | team#member
relation alarm_read: role#member | team#member
relation alarm_delete: role#member | team#member
relation alarm_manage_role: role#member | team#member
relation alarm_add_role_users: role#member | team#member
relation alarm_remove_role_users: role#member | team#member
relation alarm_view_role_users: role#member | team#member
relation rule_create: role#member | team#member
relation rule_update: role#member | team#member
relation rule_read: role#member | team#member
relation rule_delete: role#member | team#member
relation rule_manage_role: role#member | team#member
relation rule_add_role_users: role#member | team#member
relation rule_remove_role_users: role#member | team#member
relation rule_view_role_users: role#member | team#member
relation report_create: role#member | team#member
relation report_update: role#member | team#member
relation report_read: role#member | team#member
relation report_delete: role#member | team#member
relation report_manage_role: role#member | team#member
relation report_add_role_users: role#member | team#member
relation report_remove_role_users: role#member | team#member
relation report_view_role_users: role#member | team#member
}
definition alarm {
relation domain: domain
relation update: role#member
relation read: role#member
relation delete: role#member
relation manage_role: role#member
relation add_role_users: role#member
relation remove_role_users: role#member
relation view_role_users: role#member
permission update_permission = update + domain->alarm_update_permission
permission read_permission = read + domain->alarm_read_permission
permission delete_permission = delete + domain->alarm_delete_permission
permission manage_role_permission = manage_role + domain->alarm_manage_role_permission
permission add_role_users_permission = add_role_users + domain->alarm_add_role_users_permission
permission remove_role_users_permission = remove_role_users + domain->alarm_remove_role_users_permission
permission view_role_users_permission = view_role_users + domain->alarm_view_role_users_permission
}
definition rule {
relation domain: domain
relation update: role#member
relation read: role#member
relation delete: role#member
relation manage_role: role#member
relation add_role_users: role#member
relation remove_role_users: role#member
relation view_role_users: role#member
permission update_permission = update + domain->rule_update_permission
permission read_permission = read + domain->rule_read_permission
permission delete_permission = delete + domain->rule_delete_permission
permission manage_role_permission = manage_role + domain->rule_manage_role_permission
permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
}
definition report {
relation domain: domain
relation update: role#member
relation read: role#member
relation delete: role#member
relation manage_role: role#member
relation add_role_users: role#member
relation remove_role_users: role#member
relation view_role_users: role#member
permission update_permission = update + domain->report_update_permission
permission read_permission = read + domain->report_read_permission
permission delete_permission = delete + domain->report_delete_permission
permission manage_role_permission = manage_role + domain->report_manage_role_permission
permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission
permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission
permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
}
Reference in New Issue View Git Blame Copy Permalink