// THIS IS AN EXAMPLE POLICY FILE
// PLEASE PROVIDE YOUR OWN POLICY FILE
//
// HuJSON (JSON with comments and trailing commas): this file is not valid
// strict JSON and must only be fed to a parser that accepts the HuJSON
// superset.
{
// Declare static groups of users.
"groups": {
// Users that can access all resources (see the "*:*" rule under "acls").
"group:system_admin": [
"sysadmin1@example.com",
"sysadmin2@example.com"
],
// Database Admins
"group:dba": ["dba1@example.com"],
// Site Reliability Engineers
"group:sre": ["sre@example.com"],
// General Employees
// NOTE(review): these two group names and their member addresses contain a
// space — confirm the policy parser accepts them before relying on the rules
// that reference them below.
"group:all staff": ["all staff@example.com"],
"group:dev team": ["dev team@example.com"]
},
// Named hosts that ACL "dst" entries may reference. Only "uat1" is used by a
// rule in this file; "production-backend" and "web-server" are defined but
// not referenced by any rule here.
"hosts": {
"uat1": "100.101.102.103",
"production-backend": "104.105.106.0/24",
"web-server": "108.109.110.112",
},
// **************************************
// ************* Tag Groups *************
//
// Define the tags which can be applied to devices and by which users.
"tagOwners": {
// Resources
// An empty owner list means no user listed here may apply the tag
// ("tag:webserver" and "tag:prod") — confirm this is intended, since rules
// below grant access to devices carrying these tags.
"tag:webserver": [],
"tag:database": ["johndoe@example.com"],
"tag:domain-controller": ["janedoe@example.com"],
"tag:production": ["infrastructure@example.com"],
"tag:linux-server": ["johndoe@example.com"],
"tag:windows-server": ["janedoe@example.com"],
// Whoever can apply this tag can grant a device the "*:*" rule below.
"tag:security": ["johndoe@example.com"],
"tag:ci": ["johndoe@example.com"],
"tag:prod": [],
},
// **************************************
// ************* ACL Access *************
//
// Rules are "accept" only; anything not matched by a rule is not permitted.
"acls": [
// Give Security appliances access to network:
// any device tagged "tag:security" may reach every destination on every port.
{
"action": "accept",
"src": ["tag:security"],
"dst": ["*:*"],
},
// System admins (group:system_admin) can access anything:
// every destination, every port.
{
"action": "accept",
"src": ["group:system_admin"],
"dst": ["*:*"],
},
// All employees can access their own devices (any port).
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["autogroup:self:*"],
},
// All employees can reach the domain controller
// Domain Controller can hit all client machines
{
"action": "accept",
"src": ["group:all staff"],
"dst": ["tag:domain-controller:*"],
},
{
"action": "accept",
"src": ["tag:domain-controller"],
"dst": ["group:all staff:*"],
},
// Allow domain controllers to talk to other domain controllers.
{
"action": "accept",
"src": ["tag:domain-controller"],
"dst": ["tag:domain-controller:*"],
},
// Allow database access to DBAs, and database-to-database traffic, on any port.
{
"action": "accept",
"src": ["group:dba",
"tag:database"
],
"dst": ["tag:database:*"],
},
// Grant Dev Team and their CI pipeline access to uat1 on port 22 only.
{
"action": "accept",
"src": ["group:dev team" , "tag:ci"],
"dst": ["uat1:22"],
},
// Grant prod access to other resources tagged prod (any port).
{
"action": "accept",
"src": ["tag:prod"],
"dst": ["tag:prod:*"],
},
// Web servers and SREs can reach database machines on any port.
{
"action": "accept",
"src": ["tag:webserver", "group:sre"],
"dst": ["tag:database:*"],
},
],
}