...
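# Kafka authorizer policy. The input shape used below is the OPA Kafka
# plugin's: `input.action.operation`, `input.action.resourcePattern.{name,
# resourceType}`, `input.requestContext.principal.name` and
# `input.requestContext.header.name.clientId`.
#
# Every `allow` rule is an independent grant: a request is permitted if any
# one of them is true. `principal.name` is the authenticated identity;
# `clientId` is the client-supplied `client.id` and is NOT authenticated, so
# it must never be the only thing a grant is keyed on.
package policy.kafka.authz

# Deny unless an explicit grant below matches.
default allow = false

# The CLI service account used by the consumer/producer clients (rules 3-6).
opacli_principal {
	input.requestContext.principal.name == "service-account-opacli"
}

# Rule 1 - read-only access for the "kowl" UI on any resource.
# NOTE(review): the extracted listing fused two operation names here
# ("CREATEDESCRIBE_CONFIGS"); DESCRIBE_CONFIGS is kept because a read-only
# UI has no need for CREATE - confirm against the original policy.
# NOTE(review): this grant is keyed only on clientId, which any client can
# set; every principal that can authenticate to the cluster obtains this
# access by configuring client.id=kowl. Pin it to kowl's principal as well.
allow = true {
	allowedActions := ["DESCRIBE", "DESCRIBE_CONFIGS", "READ"]
	input.action.operation == allowedActions[_]
	input.requestContext.header.name.clientId == "kowl"
}

# Rule 2 - DESCRIBE / DESCRIBE_CONFIGS on Kafka and Strimzi internal topics.
# The original declared allowedActions but never compared it with
# input.action.operation, so every operation (WRITE, DELETE, ALTER, ...) on
# these topics was granted to every principal; the comparison is now applied,
# and the match is limited to TOPIC resources because the list holds topic
# names. No principal constraint is applied - confirm that is intended.
allow = true {
	allowedActions := ["DESCRIBE", "DESCRIBE_CONFIGS"]
	input.action.operation == allowedActions[_]
	allowedTopics := [
		"__consumer_offsets",
		"__strimzi_store_topic",
		"__strimzi-topic-operator-kstreams-topic-store-changelog",
	]
	input.action.resourcePattern.resourceType == "TOPIC"
	input.action.resourcePattern.name == allowedTopics[_]
}

# Rule 3 - the CLI account may DESCRIBE / READ consumer groups.
# NOTE(review): the listing fused "GROUPDESCRIBE" and "CLUSTERGROUP"; read as
# operations [DESCRIBE, READ] on resource type GROUP - confirm.
allow = true {
	allowedActions := ["DESCRIBE", "READ"]
	input.action.operation == allowedActions[_]
	input.action.resourcePattern.resourceType == "GROUP"
	opacli_principal
}

# Rule 4 - the consumer client may CREATE on the cluster resource.
allow = true {
	input.action.operation == "CREATE"
	input.action.resourcePattern.resourceType == "CLUSTER"
	input.action.resourcePattern.name == "kafka-cluster"
	opacli_principal
	input.requestContext.header.name.clientId == "consumer-client"
}

# Rule 5 - the consumer client may DESCRIBE / READ "my-topic".
allow = true {
	allowedActions := ["DESCRIBE", "READ"]
	input.action.operation == allowedActions[_]
	input.action.resourcePattern.resourceType == "TOPIC"
	input.action.resourcePattern.name == "my-topic"
	opacli_principal
	input.requestContext.header.name.clientId == "consumer-client"
}

# Rule 6 - the producer client may DESCRIBE / WRITE "my-topic".
allow = true {
	allowedActions := ["DESCRIBE", "WRITE"]
	input.action.operation == allowedActions[_]
	input.action.resourcePattern.resourceType == "TOPIC"
	input.action.resourcePattern.name == "my-topic"
	opacli_principal
	input.requestContext.header.name.clientId == "producer-client"
}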
...