deckhand/etc/deckhand/policy.yaml.sample

# Default rule for most Admin APIs.
#"admin_api": "role:admin"

# Create a batch of documents specified in the request body, whereby
# a new revision is created. Also, roll back a revision to a previous
# one in the
# revision history, whereby the target revision's documents are re-
# created for
# the new revision.
# PUT  /api/v1.0/bucket/{bucket_name}/documents
# POST  /api/v1.0/rollback/{target_revision_id}
#"deckhand:create_cleartext_documents": "rule:admin_api"

# Create a batch of documents specified in the request body, whereby
# a new revision is created. Also, roll back a revision to a previous
# one in the
# history, whereby the target revision's documents are re-created for
# the new
# revision.
#
# Only enforced after ``create_cleartext_documents`` passes.
#
# Conditionally enforced for the endpoints below if the any of the
# documents in
# the request body have a ``metadata.storagePolicy`` of "encrypted".
# PUT  /api/v1.0/bucket/{bucket_name}/documents
# POST  /api/v1.0/rollback/{target_revision_id}
#"deckhand:create_encrypted_documents": "rule:admin_api"

# List cleartext documents for a revision (with no layering or
# substitution applied) as well as fully layered and substituted
# concrete
# documents.
# GET  api/v1.0/revisions/{revision_id}/documents
# GET  api/v1.0/revisions/{revision_id}/rendered-documents
#"deckhand:list_cleartext_documents": "rule:admin_api"

# List encrypted documents for a revision (with no layering or
# substitution applied) as well as fully layered and substituted
# concrete
# documents.
#
# Only enforced after ``list_cleartext_documents`` passes.
#
# Conditionally enforced for the endpoints below if any of the
# documents in the
# request body have a ``metadata.storagePolicy`` of "encrypted". If
# policy
# enforcement fails, encrypted documents are exluded from the
# response.
# GET  api/v1.0/revisions/{revision_id}/documents
# GET  api/v1.0/revisions/{revision_id}/rendered-documents
#"deckhand:list_encrypted_documents": "rule:admin_api"

# Show details for a revision.
# GET  /api/v1.0/revisions/{revision_id}
#"deckhand:show_revision": "rule:admin_api"

# List all revisions.
# GET  /api/v1.0/revisions
#"deckhand:list_revisions": "rule:admin_api"

# Delete all revisions. Warning: this is equivalent to purging the
# database.
# DELETE  /api/v1.0/revisions
#"deckhand:delete_revisions": "rule:admin_api"

# Show revision diff between two revisions.
# GET  /api/v1.0/revisions/{revision_id}/diff/{comparison_revision_id}
#"deckhand:show_revision_diff": "rule:admin_api"

# Create a revision tag.
# POST  /api/v1.0/revisions/{revision_id}/tags
#"deckhand:create_tag": "rule:admin_api"

# Show details for a revision tag.
# GET  /api/v1.0/revisions/{revision_id}/tags/{tag}
#"deckhand:show_tag": "rule:admin_api"

# List all tags for a revision.
# GET  /api/v1.0/revisions/{revision_id}/tags
#"deckhand:list_tags": "rule:admin_api"

# Delete a revision tag.
# DELETE  /api/v1.0/revisions/{revision_id}/tags/{tag}
#"deckhand:delete_tag": "rule:admin_api"

# Delete all tags for a revision.
# DELETE  /api/v1.0/revisions/{revision_id}/tags
#"deckhand:delete_tags": "rule:admin_api"

# Add the results of a validation for a particular revision.
# POST  /api/v1.0/revisions/{revision_id}/validations
#"deckhand:create_validation": "rule:admin_api"

# "List all validations that have been reported for a revision. Also
# lists the validation entries for a particular validation.
# GET  /api/v1.0/revisions/{revision_id}/validations
# GET  /api/v1.0/revisions/{revision_id}/validations/{validation_name}
#"deckhand:list_validations": "rule:admin_api"

# Gets the full details of a particular validation entry, including
# all posted error details.
# GET  /api/v1.0/revisions/{revision_id}/validations/{validation_name}/entries/{entry_id}
#"deckhand:show_validation": "rule:admin_api"