scopes.yaml
#
# Copyright (C) 2024, Pelican Project, Morgridge Institute for Research
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License. You may
# obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This file contains structured documentation about the scopes of the JWTs
# that are issued and exchanged so that Pelican servers can communicate with
# each other, and so that users can access functions in a Pelican server's Web UI.
# Naming convention: <resource_name>.<action_name>, snake case for both parts.
############################
# Top-level Scopes #
############################
---
name: pelican.advertise
description: >-
  For an origin or cache to advertise itself so it can be registered at the director
issuedBy: ["origin", "cache"]
acceptedBy: ["director"]
---
name: pelican.director_test_report
description: >-
  For the director to report file-transfer test results back to origins
issuedBy: ["director"]
acceptedBy: ["origin"]
---
name: pelican.director_service_discovery
description: >-
  For the director's Prometheus instance to discover available origins to scrape
issuedBy: ["director"]
acceptedBy: ["director"]
---
name: pelican.namespace_delete
description: >-
  For the namespace client to delete a namespace from the namespace registry
issuedBy: ["client"]
acceptedBy: ["registry"]
---
############################
# Web UI Scopes #
############################
name: web_ui.access
description: >-
  For a user to access the various server Web UIs
issuedBy: ["*"]
acceptedBy: ["*"]
---
############################
# Registry Scopes #
############################
name: registry.edit_registration
description: >-
  For an origin admin to edit a namespace registration at the registry
issuedBy: ["origin"]
acceptedBy: ["registry"]
---
############################
# Monitoring Scopes #
############################
name: monitoring.scrape
description: >-
  For a server's Prometheus instance to scrape its Prometheus HTTP data exporter at /metrics
issuedBy: ["*"]
acceptedBy: ["*"]
---
name: monitoring.query
description: >-
  For Web UI users and third-party tools to access a server's Prometheus query engine endpoints at /api/v1.0/prometheus
issuedBy: ["web_ui"]
acceptedBy: ["*"]
---
############################
# Broker Scopes #
############################
name: broker.reverse
description: >-
  Permits reversal requests sent to the broker by a cache.
issuedBy: ["cache"]
acceptedBy: ["broker"]
---
name: broker.retrieve
description: >-
  Permits retrieval of requests to an origin
issuedBy: ["origin"]
acceptedBy: ["broker"]
---
name: broker.callback
description: >-
  Permits callbacks from the origin to the cache in response to a reversal request
issuedBy: ["origin"]
acceptedBy: ["cache"]
---
############################
# LocalCache Scopes #
############################
name: localcache.purge
description: >-
  Permits invocation of the purge routine in a local cache
issuedBy: ["localcache"]
acceptedBy: ["localcache"]
---
############################
# Storage Scopes #
############################
name: "storage.read"
description: >-
  For granting object read permissions to the bearer of the token. This scope must also possess a path to be valid, e.g. `storage.read:/foo/bar`
issuedBy: ["origin"]
acceptedBy: ["origin", "cache"]
---
name: "storage.create"
description: >-
  For granting object creation permissions to the bearer of the token. This scope must also possess a path to be valid, e.g. `storage.create:/foo/bar`
issuedBy: ["origin"]
acceptedBy: ["origin", "cache"]
---
name: "storage.modify"
description: >-
  For granting object modification permissions to the bearer of the token. This scope must also possess a path to be valid, e.g. `storage.modify:/foo/bar`
issuedBy: ["origin"]
acceptedBy: ["origin", "cache"]
---
name: "storage.stage"
description: >-
  For granting object staging permissions to the bearer of the token. This scope must also possess a path to be valid, e.g. `storage.stage:/foo/bar`
issuedBy: ["origin"]
acceptedBy: ["origin", "cache"]
---
############################
# Lotman Scopes #
############################
name: "lot.create"
description: >-
  For creating a new lot
issuedBy: ["origin"]
acceptedBy: ["cache"]
---
name: "lot.read"
description: >-
  For getting/reading the contents of a lot from a cache
issuedBy: ["origin"]
acceptedBy: ["cache"]
---
name: "lot.modify"
description: >-
  For modifying the contents of a lot in a cache
issuedBy: ["origin"]
acceptedBy: ["cache"]
---
name: "lot.delete"
description: >-
  For deleting a lot from a cache
issuedBy: ["origin"]
acceptedBy: ["cache"]
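The table above fixes three things a verifier has to check for every scope in a token: that the scope name is known, that the token's issuer and the receiving server match `issuedBy`/`acceptedBy` (with `*` as a wildcard), and that `storage.*` scopes carry a path that covers the requested object. The following is an added example, not Pelican's own code: it encodes a constructed subset of this table as a Python dict and performs that check, including segment-aware path matching and `..` normalization so that `storage.read:/foo/bar` does not cover `/foo/barbaz` or `/foo/bar/../secret`.

```python
import posixpath

# Constructed subset of scopes.yaml: name -> (issuedBy, acceptedBy, needs_path).
# needs_path is True for the storage scopes, which the file says are only
# valid with a path suffix such as `storage.read:/foo/bar`.
SCOPES = {
    "pelican.advertise":         ({"origin", "cache"}, {"director"},        False),
    "registry.edit_registration": ({"origin"},          {"registry"},        False),
    "monitoring.scrape":         ({"*"},               {"*"},               False),
    "storage.read":              ({"origin"},          {"origin", "cache"}, True),
    "storage.modify":            ({"origin"},          {"origin", "cache"}, True),
}

def parse_scope(raw):
    """Split 'storage.read:/foo/bar' into ('storage.read', '/foo/bar'); path is None if absent."""
    name, sep, path = raw.partition(":")
    return name, (path if sep else None)

def canon(path):
    """Normalise to an absolute, '..'-free path so traversal cannot escape the granted prefix."""
    return posixpath.normpath("/" + path.strip("/"))

def path_covers(granted, requested):
    """Segment-aware prefix check: '/foo/bar' covers '/foo/bar/x' but not '/foo/barbaz'."""
    g, r = canon(granted), canon(requested)
    return g == "/" or r == g or r.startswith(g + "/")

def authorize(scope_claim, issuer_role, server_role, needed, path=None):
    """True iff some scope in the space-separated `scope` claim grants `needed` on `path`.

    issuer_role is the server type that minted the token (matched against issuedBy);
    server_role is the server type verifying it (matched against acceptedBy).
    Unknown or malformed scopes are skipped, so the check fails closed.
    """
    for raw in scope_claim.split():
        name, granted_path = parse_scope(raw)
        if name != needed or name not in SCOPES:
            continue
        issued_by, accepted_by, needs_path = SCOPES[name]
        if "*" not in issued_by and issuer_role not in issued_by:
            continue
        if "*" not in accepted_by and server_role not in accepted_by:
            continue
        if needs_path:
            # A storage scope with no path, or a request with no object path, grants nothing.
            if granted_path is None or path is None or not path_covers(granted_path, path):
                continue
        elif granted_path is not None:
            continue  # this example treats a path on a non-storage scope as malformed
        return True
    return False
```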