a11e962eef
Moves the airflow web server container from its own pod into the Shipyard pod. This removes exposed network surface area from the Shipyard suite of software. Shipyard, after this change accesses the Airflow API using localhost in the same k8s pod. Change-Id: Ied4bd415a8d78c393b7256ead27a6a2176f4a2d6
110 lines
4.0 KiB
Plaintext
110 lines
4.0 KiB
Plaintext
# Actions requiring admin authority
|
|
#"admin_required": "role:admin"
|
|
|
|
# Rule to deny all access. Used for default denial
|
|
#"deny_all": "!"
|
|
|
|
# List workflow actions invoked by users
|
|
# GET /api/v1.0/actions
|
|
#"workflow_orchestrator:list_actions": "rule:admin_required"
|
|
|
|
# Create a workflow action
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:create_action": "rule:admin_required"
|
|
|
|
# Retrieve an action by its id
|
|
# GET /api/v1.0/actions/{action_id}
|
|
#"workflow_orchestrator:get_action": "rule:admin_required"
|
|
|
|
# Retrieve an action step by its id
|
|
# GET /api/v1.0/actions/{action_id}/steps/{step_id}
|
|
#"workflow_orchestrator:get_action_step": "rule:admin_required"
|
|
|
|
# Retrieve logs of an action step by its id
|
|
# GET /api/v1.0/actions/{action_id}/steps/{step_id}/logs
|
|
#"workflow_orchestrator:get_action_step_logs": "rule:admin_required"
|
|
|
|
# Retrieve an action validation by its id
|
|
# GET /api/v1.0/actions/{action_id}/validations/{validation_id}
|
|
#"workflow_orchestrator:get_action_validation": "rule:admin_required"
|
|
|
|
# Send a control to an action
|
|
# POST /api/v1.0/actions/{action_id}/control/{control_verb}
|
|
#"workflow_orchestrator:invoke_action_control": "rule:admin_required"
|
|
|
|
# Retrieve the status of the configdocs
|
|
# GET /api/v1.0/configdocs
|
|
#"workflow_orchestrator:get_configdocs_status": "rule:admin_required"
|
|
|
|
# Ingest configuration documents for the site design
|
|
# POST /api/v1.0/configdocs/{collection_id}
|
|
#"workflow_orchestrator:create_configdocs": "rule:admin_required"
|
|
|
|
# Retrieve a collection of configuration documents with redacted
|
|
# secrets
|
|
# GET /api/v1.0/configdocs/{collection_id}
|
|
#"workflow_orchestrator:get_configdocs": "rule:admin_required"
|
|
|
|
# Retrieve a collection of configuration documents with cleartext
|
|
# secrets.
|
|
# GET /api/v1.0/configdocs/{collection_id}
|
|
#"workflow_orchestrator:get_configdocs_cleartext": "rule:admin_required"
|
|
|
|
# Move documents from the Shipyard buffer to the committed documents
|
|
# POST /api/v1.0/commitconfigdocs
|
|
#"workflow_orchestrator:commit_configdocs": "rule:admin_required"
|
|
|
|
# Retrieve the configuration documents rendered by Deckhand into a
|
|
# complete design
|
|
# GET /api/v1.0/renderedconfigdocs
|
|
#"workflow_orchestrator:get_renderedconfigdocs": "rule:admin_required"
|
|
|
|
# Retrieve the configuration documents with cleartext secrets rendered
|
|
# by Deckhand into a complete design
|
|
# GET /api/v1.0/renderedconfigdocs
|
|
#"workflow_orchestrator:get_renderedconfigdocs_cleartext": "rule:admin_required"
|
|
|
|
# Retrieve the list of workflows (DAGs) that have been invoked in
|
|
# Airflow, whether via Shipyard or scheduled
|
|
# GET /api/v1.0/workflows
|
|
#"workflow_orchestrator:list_workflows": "rule:admin_required"
|
|
|
|
# Retrieve the detailed information for a workflow (DAG) from Airflow
|
|
# GET /api/v1.0/workflows/{id}
|
|
#"workflow_orchestrator:get_workflow": "rule:admin_required"
|
|
|
|
# Retrieve the details for a note. Further authorization is required
|
|
# depending on the topic of the note
|
|
# GET /api/v1.0/notedetails/{note_id}
|
|
#"workflow_orchestrator:get_notedetails": "rule:admin_required"
|
|
|
|
# Retrieve the statuses for the site
|
|
# GET /api/v1.0/site_statuses
|
|
#"workflow_orchestrator:get_site_statuses": "rule:admin_required"
|
|
|
|
# Create a workflow action to deploy the site
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_deploy_site": "rule:admin_required"
|
|
|
|
# Create a workflow action to update the site
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_update_site": "rule:admin_required"
|
|
|
|
# Create a workflow action to update the site software
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_update_software": "rule:admin_required"
|
|
|
|
# Create a workflow action to redeploy target servers
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_redeploy_server": "rule:admin_required"
|
|
|
|
# Create a workflow action to relabel target nodes
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_relabel_nodes": "rule:admin_required"
|
|
|
|
# Create a workflow action to invoke Helm tests on all releases or a
|
|
# targeted release
|
|
# POST /api/v1.0/actions
|
|
#"workflow_orchestrator:action_test_site": "rule:admin_required"
|
|
|