From 6842a572f65bcc3b38d86d711432a5c893213f4c Mon Sep 17 00:00:00 2001 From: anshuman-gojek Date: Mon, 22 Apr 2024 07:25:57 +0000 Subject: [PATCH] Deploy website - based on 88dd3e9ea6e0a575db1487d10b6d1956dfd3e0d2 --- 404.html | 4 ++-- assets/js/91c76d4c.1602c26e.js | 1 + assets/js/91c76d4c.2d9e22d4.js | 1 - .../{runtime~main.30384e40.js => runtime~main.47301465.js} | 2 +- concepts/architecture/index.html | 4 ++-- concepts/glossary/index.html | 4 ++-- guides/adding-metadata-key/index.html | 4 ++-- guides/check-permission/index.html | 4 ++-- guides/managing-group/index.html | 4 ++-- guides/managing-organization/index.html | 4 ++-- guides/managing-project/index.html | 4 ++-- guides/managing-relation/index.html | 4 ++-- guides/managing-resource/index.html | 4 ++-- guides/managing-user/index.html | 4 ++-- guides/overview/index.html | 4 ++-- index.html | 4 ++-- installation/index.html | 4 ++-- reference/api/index.html | 4 ++-- reference/cli/index.html | 6 +++--- reference/configurations/index.html | 4 ++-- support/index.html | 4 ++-- tour/add-to-group/index.html | 4 ++-- tour/check-permissions/index.html | 4 ++-- tour/creating-group/index.html | 4 ++-- tour/creating-organization/index.html | 4 ++-- tour/creating-project/index.html | 4 ++-- tour/intro/index.html | 4 ++-- tour/setup-server/index.html | 4 ++-- tour/shield-as-proxy/index.html | 4 ++-- tour/what-is-in-shield/index.html | 4 ++-- 30 files changed, 57 insertions(+), 57 deletions(-) create mode 100644 assets/js/91c76d4c.1602c26e.js delete mode 100644 assets/js/91c76d4c.2d9e22d4.js rename assets/js/{runtime~main.30384e40.js => runtime~main.47301465.js} (98%) diff --git a/404.html b/404.html index 97b49c811..49a88e606 100644 --- a/404.html +++ b/404.html @@ -7,13 +7,13 @@ - +
Skip to main content

Page Not Found

We could not find what you were looking for.

Please contact the owner of the site that linked you to the original URL and let them know their link is broken.

- + \ No newline at end of file diff --git a/assets/js/91c76d4c.1602c26e.js b/assets/js/91c76d4c.1602c26e.js new file mode 100644 index 000000000..362cd8441 --- /dev/null +++ b/assets/js/91c76d4c.1602c26e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkshield=self.webpackChunkshield||[]).push([[238],{5680:(e,l,i)=>{i.d(l,{xA:()=>g,yg:()=>u});var a=i(6540);function n(e,l,i){return l in e?Object.defineProperty(e,l,{value:i,enumerable:!0,configurable:!0,writable:!0}):e[l]=i,e}function t(e,l){var i=Object.keys(e);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);l&&(a=a.filter((function(l){return Object.getOwnPropertyDescriptor(e,l).enumerable}))),i.push.apply(i,a)}return i}function r(e){for(var l=1;l=0||(n[i]=e[i]);return n}(e,l);if(Object.getOwnPropertySymbols){var t=Object.getOwnPropertySymbols(e);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(e,i)&&(n[i]=e[i])}return n}var s=a.createContext({}),o=function(e){var l=a.useContext(s),i=l;return e&&(i="function"==typeof e?e(l):r(r({},l),e)),i},g=function(e){var l=o(e.components);return a.createElement(s.Provider,{value:l},e.children)},c="mdxType",h={inlineCode:"code",wrapper:function(e){var l=e.children;return a.createElement(a.Fragment,{},l)}},p=a.forwardRef((function(e,l){var i=e.components,n=e.mdxType,t=e.originalType,s=e.parentName,g=d(e,["components","mdxType","originalType","parentName"]),c=o(i),p=n,u=c["".concat(s,".").concat(p)]||c[p]||h[p]||t;return i?a.createElement(u,r(r({ref:l},g),{},{components:i})):a.createElement(u,r({ref:l},g))}));function u(e,l){var i=arguments,n=l&&l.mdxType;if("string"==typeof e||n){var t=i.length,r=new Array(t);r[0]=p;var d={};for(var s in l)hasOwnProperty.call(l,s)&&(d[s]=l[s]);d.originalType=e,d[c]="string"==typeof e?e:n,r[1]=d;for(var o=2;o{i.r(l),i.d(l,{assets:()=>s,contentTitle:()=>r,default:()=>c,frontMatter:()=>t,metadata:()=>d,toc:()=>o});var a=i(8168),n=(i(6540),i(5680));const t={},r="CLI",d={unversionedId:"reference/cli",id:"reference/cli",title:"CLI",description:"shield action",source:"@site/docs/reference/cli.md",sourceDirName:"reference",slug:"/reference/cli",permalink:"/shield/reference/cli",draft:!1,editUrl:"https://github.com/goto/shield/edit/master/docs/docs/reference/cli.md",tags:[],version:"current",frontMatter:{},sidebar:"docsSidebar",previous:{title:"Shield",permalink:"/shield/reference/api"}},s={},o=[{value:"shield action",id:"shield-action",level:2},{value:"shield action create [flags]",id:"shield-action-create-flags",level:3},{value:"shield action list",id:"shield-action-list",level:3},{value:"shield auth",id:"shield-auth",level:2},{value:"shield completion [bash|zsh|fish|powershell]",id:"shield-completion-bashzshfishpowershell",level:2},{value:"shield config <command>",id:"shield-config-command",level:2},{value:"shield config init",id:"shield-config-init",level:3},{value:"shield config list",id:"shield-config-list",level:3},{value:"shield environment",id:"shield-environment",level:2},{value:"shield group",id:"shield-group",level:2},{value:"shield group create [flags]",id:"shield-group-create-flags",level:3},{value:"shield group edit [flags]",id:"shield-group-edit-flags",level:3},{value:"shield group list",id:"shield-group-list",level:3},{value:"shield group view [flags]",id:"shield-group-view-flags",level:3},{value:"shield namespace",id:"shield-namespace",level:2},{value:"shield namespace create [flags]",id:"shield-namespace-create-flags",level:3},{value:"shield namespace edit [flags]",id:"shield-namespace-edit-flags",level:3},{value:"shield namespace list",id:"shield-namespace-list",level:3},{value:"shield namespace view",id:"shield-namespace-view",level:3},{value:"shield organization",id:"shield-organization",level:2},{value:"shield organization admlist",id:"shield-organization-admlist",level:3},{value:"shield organization create [flags]",id:"shield-organization-create-flags",level:3},{value:"shield organization edit [flags]",id:"shield-organization-edit-flags",level:3},{value:"shield organization list",id:"shield-organization-list",level:3},{value:"shield organization view [flags]",id:"shield-organization-view-flags",level:3},{value:"shield policy",id:"shield-policy",level:2},{value:"shield policy create [flags]",id:"shield-policy-create-flags",level:3},{value:"shield policy list",id:"shield-policy-list",level:3},{value:"shield project",id:"shield-project",level:2},{value:"shield project create [flags]",id:"shield-project-create-flags",level:3},{value:"shield project edit [flags]",id:"shield-project-edit-flags",level:3},{value:"shield project list",id:"shield-project-list",level:3},{value:"shield project view [flags]",id:"shield-project-view-flags",level:3},{value:"shield role",id:"shield-role",level:2},{value:"shield role create [flags]",id:"shield-role-create-flags",level:3},{value:"shield role list",id:"shield-role-list",level:3},{value:"shield server <command>",id:"shield-server-command",level:2},{value:"shield server init [flags]",id:"shield-server-init-flags",level:3},{value:"shield server migrate [flags]",id:"shield-server-migrate-flags",level:3},{value:"shield server migration-rollback [flags]",id:"shield-server-migration-rollback-flags",level:3},{value:"shield server start [flags]",id:"shield-server-start-flags",level:3},{value:"shield user",id:"shield-user",level:2},{value:"shield user create [flags]",id:"shield-user-create-flags",level:3},{value:"shield user edit [flags]",id:"shield-user-edit-flags",level:3},{value:"shield user list",id:"shield-user-list",level:3},{value:"shield user view [flags]",id:"shield-user-view-flags",level:3}],g={toc:o};function c(e){let{components:l,...i}=e;return(0,n.yg)("wrapper",(0,a.A)({},g,i,{components:l,mdxType:"MDXLayout"}),(0,n.yg)("h1",{id:"cli"},"CLI"),(0,n.yg)("h2",{id:"shield-action"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield action")),(0,n.yg)("p",null,"Manage actions"),(0,n.yg)("h3",{id:"shield-action-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield action create [flags]")),(0,n.yg)("p",null,"Create an action"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the action body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-action-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield action list")),(0,n.yg)("p",null,"List all actions"),(0,n.yg)("h2",{id:"shield-auth"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield auth")),(0,n.yg)("p",null,"Auth configs that need to be used with shield"),(0,n.yg)("h2",{id:"shield-completion-bashzshfishpowershell"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield completion [bash|zsh|fish|powershell]")),(0,n.yg)("p",null,"Generate shell completion scripts"),(0,n.yg)("h2",{id:"shield-config-command"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield config ")),(0,n.yg)("p",null,"Manage client configurations"),(0,n.yg)("h3",{id:"shield-config-init"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield config init")),(0,n.yg)("p",null,"Initialize a new client configuration"),(0,n.yg)("h3",{id:"shield-config-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield config list")),(0,n.yg)("p",null,"List client configuration settings"),(0,n.yg)("h2",{id:"shield-environment"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield environment")),(0,n.yg)("p",null,"List of supported environment variables"),(0,n.yg)("h2",{id:"shield-group"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield group")),(0,n.yg)("p",null,"Manage groups"),(0,n.yg)("h3",{id:"shield-group-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield group create [flags]")),(0,n.yg)("p",null,"Create a group"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the group body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-group-edit-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield group edit [flags]")),(0,n.yg)("p",null,"Edit a group"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the group body file\n")),(0,n.yg)("h3",{id:"shield-group-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield group list")),(0,n.yg)("p",null,"List all groups"),(0,n.yg)("h3",{id:"shield-group-view-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield group view [flags]")),(0,n.yg)("p",null,"View a group"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,n.yg)("h2",{id:"shield-namespace"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield namespace")),(0,n.yg)("p",null,"Manage namespaces"),(0,n.yg)("h3",{id:"shield-namespace-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield namespace create [flags]")),(0,n.yg)("p",null,"Create a namespace"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the namespace body file\n")),(0,n.yg)("h3",{id:"shield-namespace-edit-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield namespace edit [flags]")),(0,n.yg)("p",null,"Edit a namespace"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the namespace body file\n")),(0,n.yg)("h3",{id:"shield-namespace-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield namespace list")),(0,n.yg)("p",null,"List all namespaces"),(0,n.yg)("h3",{id:"shield-namespace-view"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield namespace view")),(0,n.yg)("p",null,"View a namespace"),(0,n.yg)("h2",{id:"shield-organization"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield organization")),(0,n.yg)("p",null,"Manage organizations"),(0,n.yg)("h3",{id:"shield-organization-admlist"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield organization admlist")),(0,n.yg)("p",null,"list admins of an organization"),(0,n.yg)("h3",{id:"shield-organization-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield organization create [flags]")),(0,n.yg)("p",null,"Create an organization"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the organization body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-organization-edit-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield organization edit [flags]")),(0,n.yg)("p",null,"Edit an organization"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the organization body file\n")),(0,n.yg)("h3",{id:"shield-organization-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield organization list")),(0,n.yg)("p",null,"List all organizations"),(0,n.yg)("h3",{id:"shield-organization-view-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield organization view [flags]")),(0,n.yg)("p",null,"View an organization"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,n.yg)("h2",{id:"shield-policy"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield policy")),(0,n.yg)("p",null,"Manage policies"),(0,n.yg)("h3",{id:"shield-policy-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield policy create [flags]")),(0,n.yg)("p",null,"Create a policy"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the policy body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-policy-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield policy list")),(0,n.yg)("p",null,"List all policies"),(0,n.yg)("h2",{id:"shield-project"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield project")),(0,n.yg)("p",null,"Manage projects"),(0,n.yg)("h3",{id:"shield-project-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield project create [flags]")),(0,n.yg)("p",null,"Create a project"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the project body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-project-edit-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield project edit [flags]")),(0,n.yg)("p",null,"Edit a project"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the project body file\n")),(0,n.yg)("h3",{id:"shield-project-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield project list")),(0,n.yg)("p",null,"List all projects"),(0,n.yg)("h3",{id:"shield-project-view-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield project view [flags]")),(0,n.yg)("p",null,"View a project"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,n.yg)("h2",{id:"shield-role"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield role")),(0,n.yg)("p",null,"Manage roles"),(0,n.yg)("h3",{id:"shield-role-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield role create [flags]")),(0,n.yg)("p",null,"Create a role"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the role body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-role-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield role list")),(0,n.yg)("p",null,"List all roles"),(0,n.yg)("h2",{id:"shield-server-command"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield server ")),(0,n.yg)("p",null,"Server management"),(0,n.yg)("h3",{id:"shield-server-init-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield server init [flags]")),(0,n.yg)("p",null,"Initialize server"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},'-o, --output string Output config file path (default "./config.yaml")\n-r, --resources string URL path of resources. Full path prefixed with scheme where resources config yaml files are kept\n e.g.:\n local storage file "file:///tmp/resources_config"\n GCS Bucket "gs://shield-bucket-example"\n (default: file://{pwd}/resources_config)\n \n-u, --rule string URL path of rules. Full path prefixed with scheme where ruleset yaml files are kept\n e.g.:\n local storage file "file:///tmp/rules"\n GCS Bucket "gs://shield-bucket-example"\n (default: file://{pwd}/rules)\n \n')),(0,n.yg)("h3",{id:"shield-server-migrate-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield server migrate [flags]")),(0,n.yg)("p",null,"Run DB Schema Migrations"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,n.yg)("h3",{id:"shield-server-migration-rollback-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield server migration-rollback [flags]")),(0,n.yg)("p",null,"Run DB Schema Migrations Rollback to last state"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,n.yg)("h3",{id:"shield-server-start-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield server start [flags]")),(0,n.yg)("p",null,"Start server and proxy default on port 8080"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,n.yg)("h2",{id:"shield-user"},(0,n.yg)("inlineCode",{parentName:"h2"},"shield user")),(0,n.yg)("p",null,"Manage users"),(0,n.yg)("h3",{id:"shield-user-create-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield user create [flags]")),(0,n.yg)("p",null,"Create an user"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the user body file\n-H, --header string Header :\n")),(0,n.yg)("h3",{id:"shield-user-edit-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield user edit [flags]")),(0,n.yg)("p",null,"Edit an user"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-f, --file string Path to the user body file\n")),(0,n.yg)("h3",{id:"shield-user-list"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield user list")),(0,n.yg)("p",null,"List all users"),(0,n.yg)("h3",{id:"shield-user-view-flags"},(0,n.yg)("inlineCode",{parentName:"h3"},"shield user view [flags]")),(0,n.yg)("p",null,"View an user"),(0,n.yg)("pre",null,(0,n.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")))}c.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/91c76d4c.2d9e22d4.js b/assets/js/91c76d4c.2d9e22d4.js deleted file mode 100644 index 9cafdfbc2..000000000 --- a/assets/js/91c76d4c.2d9e22d4.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkshield=self.webpackChunkshield||[]).push([[238],{5680:(e,l,i)=>{i.d(l,{xA:()=>g,yg:()=>u});var a=i(6540);function s(e,l,i){return l in e?Object.defineProperty(e,l,{value:i,enumerable:!0,configurable:!0,writable:!0}):e[l]=i,e}function t(e,l){var i=Object.keys(e);if(Object.getOwnPropertySymbols){var a=Object.getOwnPropertySymbols(e);l&&(a=a.filter((function(l){return Object.getOwnPropertyDescriptor(e,l).enumerable}))),i.push.apply(i,a)}return i}function r(e){for(var l=1;l=0||(s[i]=e[i]);return s}(e,l);if(Object.getOwnPropertySymbols){var t=Object.getOwnPropertySymbols(e);for(a=0;a=0||Object.prototype.propertyIsEnumerable.call(e,i)&&(s[i]=e[i])}return s}var d=a.createContext({}),o=function(e){var l=a.useContext(d),i=l;return e&&(i="function"==typeof e?e(l):r(r({},l),e)),i},g=function(e){var l=o(e.components);return a.createElement(d.Provider,{value:l},e.children)},h="mdxType",p={inlineCode:"code",wrapper:function(e){var l=e.children;return a.createElement(a.Fragment,{},l)}},c=a.forwardRef((function(e,l){var i=e.components,s=e.mdxType,t=e.originalType,d=e.parentName,g=n(e,["components","mdxType","originalType","parentName"]),h=o(i),c=s,u=h["".concat(d,".").concat(c)]||h[c]||p[c]||t;return i?a.createElement(u,r(r({ref:l},g),{},{components:i})):a.createElement(u,r({ref:l},g))}));function u(e,l){var i=arguments,s=l&&l.mdxType;if("string"==typeof e||s){var t=i.length,r=new Array(t);r[0]=c;var n={};for(var d in l)hasOwnProperty.call(l,d)&&(n[d]=l[d]);n.originalType=e,n[h]="string"==typeof e?e:s,r[1]=n;for(var o=2;o{i.r(l),i.d(l,{assets:()=>d,contentTitle:()=>r,default:()=>h,frontMatter:()=>t,metadata:()=>n,toc:()=>o});var a=i(8168),s=(i(6540),i(5680));const t={},r="CLI",n={unversionedId:"reference/cli",id:"reference/cli",title:"CLI",description:"shield action",source:"@site/docs/reference/cli.md",sourceDirName:"reference",slug:"/reference/cli",permalink:"/shield/reference/cli",draft:!1,editUrl:"https://github.com/goto/shield/edit/master/docs/docs/reference/cli.md",tags:[],version:"current",frontMatter:{},sidebar:"docsSidebar",previous:{title:"Shield",permalink:"/shield/reference/api"}},d={},o=[{value:"shield action",id:"shield-action",level:2},{value:"shield action create flags",id:"shield-action-create-flags",level:3},{value:"shield action edit flags",id:"shield-action-edit-flags",level:3},{value:"shield action list",id:"shield-action-list",level:3},{value:"shield action view",id:"shield-action-view",level:3},{value:"shield auth",id:"shield-auth",level:2},{value:"shield completion bash|zsh|fish|powershell",id:"shield-completion-bashzshfishpowershell",level:2},{value:"shield config",id:"shield-config",level:2},{value:"shield config init",id:"shield-config-init",level:3},{value:"shield config list",id:"shield-config-list",level:3},{value:"shield environment",id:"shield-environment",level:2},{value:"shield group",id:"shield-group",level:2},{value:"shield group create flags",id:"shield-group-create-flags",level:3},{value:"shield group edit flags",id:"shield-group-edit-flags",level:3},{value:"shield group list",id:"shield-group-list",level:3},{value:"shield group view flags",id:"shield-group-view-flags",level:3},{value:"shield namespace",id:"shield-namespace",level:2},{value:"shield namespace create flags",id:"shield-namespace-create-flags",level:3},{value:"shield namespace edit flags",id:"shield-namespace-edit-flags",level:3},{value:"shield namespace list",id:"shield-namespace-list",level:3},{value:"shield namespace view",id:"shield-namespace-view",level:3},{value:"shield organization",id:"shield-organization",level:2},{value:"shield organization admadd flags",id:"shield-organization-admadd-flags",level:3},{value:"shield organization admlist",id:"shield-organization-admlist",level:3},{value:"shield organization admremove flags",id:"shield-organization-admremove-flags",level:3},{value:"shield organization create flags",id:"shield-organization-create-flags",level:3},{value:"shield organization edit flags",id:"shield-organization-edit-flags",level:3},{value:"shield organization list",id:"shield-organization-list",level:3},{value:"shield organization view flags",id:"shield-organization-view-flags",level:3},{value:"shield policy",id:"shield-policy",level:2},{value:"shield policy create flags",id:"shield-policy-create-flags",level:3},{value:"shield policy edit flags",id:"shield-policy-edit-flags",level:3},{value:"shield policy list",id:"shield-policy-list",level:3},{value:"shield policy view",id:"shield-policy-view",level:3},{value:"shield project",id:"shield-project",level:2},{value:"shield project create flags",id:"shield-project-create-flags",level:3},{value:"shield project edit flags",id:"shield-project-edit-flags",level:3},{value:"shield project list",id:"shield-project-list",level:3},{value:"shield project view flags",id:"shield-project-view-flags",level:3},{value:"shield role",id:"shield-role",level:2},{value:"shield role create flags",id:"shield-role-create-flags",level:3},{value:"shield role edit flags",id:"shield-role-edit-flags",level:3},{value:"shield role list",id:"shield-role-list",level:3},{value:"shield role view flags",id:"shield-role-view-flags",level:3},{value:"shield server",id:"shield-server",level:2},{value:"shield server init flags",id:"shield-server-init-flags",level:3},{value:"shield server migrate flags",id:"shield-server-migrate-flags",level:3},{value:"shield server migration-rollback flags",id:"shield-server-migration-rollback-flags",level:3},{value:"shield server start flags",id:"shield-server-start-flags",level:3},{value:"shield user",id:"shield-user",level:2},{value:"shield user create flags",id:"shield-user-create-flags",level:3},{value:"shield user edit flags",id:"shield-user-edit-flags",level:3},{value:"shield user list",id:"shield-user-list",level:3},{value:"shield user view flags",id:"shield-user-view-flags",level:3}],g={toc:o};function h(e){let{components:l,...i}=e;return(0,s.yg)("wrapper",(0,a.A)({},g,i,{components:l,mdxType:"MDXLayout"}),(0,s.yg)("h1",{id:"cli"},"CLI"),(0,s.yg)("h2",{id:"shield-action"},"shield action"),(0,s.yg)("p",null,"Manage actions"),(0,s.yg)("h3",{id:"shield-action-create-flags"},"shield action create ","[flags]"),(0,s.yg)("p",null,"Create an action"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the action body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-action-edit-flags"},"shield action edit ","[flags]"),(0,s.yg)("p",null,"Edit an action"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the action body file\n")),(0,s.yg)("h3",{id:"shield-action-list"},"shield action list"),(0,s.yg)("p",null,"List all actions"),(0,s.yg)("h3",{id:"shield-action-view"},"shield action view"),(0,s.yg)("p",null,"View an action"),(0,s.yg)("h2",{id:"shield-auth"},"shield auth"),(0,s.yg)("p",null,"Auth configs that need to be used with shield"),(0,s.yg)("h2",{id:"shield-completion-bashzshfishpowershell"},"shield completion ","[bash|zsh|fish|powershell]"),(0,s.yg)("p",null,"Generate shell completion scripts"),(0,s.yg)("h2",{id:"shield-config"},"shield config"),(0,s.yg)("p",null,"Manage client configurations"),(0,s.yg)("h3",{id:"shield-config-init"},"shield config init"),(0,s.yg)("p",null,"Initialize a new client configuration"),(0,s.yg)("h3",{id:"shield-config-list"},"shield config list"),(0,s.yg)("p",null,"List client configuration settings"),(0,s.yg)("h2",{id:"shield-environment"},"shield environment"),(0,s.yg)("p",null,"List of supported environment variables"),(0,s.yg)("h2",{id:"shield-group"},"shield group"),(0,s.yg)("p",null,"Manage groups"),(0,s.yg)("h3",{id:"shield-group-create-flags"},"shield group create ","[flags]"),(0,s.yg)("p",null,"Create a group"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the group body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-group-edit-flags"},"shield group edit ","[flags]"),(0,s.yg)("p",null,"Edit a group"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the group body file\n")),(0,s.yg)("h3",{id:"shield-group-list"},"shield group list"),(0,s.yg)("p",null,"List all groups"),(0,s.yg)("h3",{id:"shield-group-view-flags"},"shield group view ","[flags]"),(0,s.yg)("p",null,"View a group"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,s.yg)("h2",{id:"shield-namespace"},"shield namespace"),(0,s.yg)("p",null,"Manage namespaces"),(0,s.yg)("h3",{id:"shield-namespace-create-flags"},"shield namespace create ","[flags]"),(0,s.yg)("p",null,"Create a namespace"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the namespace body file\n")),(0,s.yg)("h3",{id:"shield-namespace-edit-flags"},"shield namespace edit ","[flags]"),(0,s.yg)("p",null,"Edit a namespace"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the namespace body file\n")),(0,s.yg)("h3",{id:"shield-namespace-list"},"shield namespace list"),(0,s.yg)("p",null,"List all namespaces"),(0,s.yg)("h3",{id:"shield-namespace-view"},"shield namespace view"),(0,s.yg)("p",null,"View a namespace"),(0,s.yg)("h2",{id:"shield-organization"},"shield organization"),(0,s.yg)("p",null,"Manage organizations"),(0,s.yg)("h3",{id:"shield-organization-admadd-flags"},"shield organization admadd ","[flags]"),(0,s.yg)("p",null,"add admins to an organization"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the provider config\n")),(0,s.yg)("h3",{id:"shield-organization-admlist"},"shield organization admlist"),(0,s.yg)("p",null,"list admins of an organization"),(0,s.yg)("h3",{id:"shield-organization-admremove-flags"},"shield organization admremove ","[flags]"),(0,s.yg)("p",null,"remove admins from an organization"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-u, --user string Id of the user to be removed\n")),(0,s.yg)("h3",{id:"shield-organization-create-flags"},"shield organization create ","[flags]"),(0,s.yg)("p",null,"Create an organization"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the organization body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-organization-edit-flags"},"shield organization edit ","[flags]"),(0,s.yg)("p",null,"Edit an organization"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the organization body file\n")),(0,s.yg)("h3",{id:"shield-organization-list"},"shield organization list"),(0,s.yg)("p",null,"List all organizations"),(0,s.yg)("h3",{id:"shield-organization-view-flags"},"shield organization view ","[flags]"),(0,s.yg)("p",null,"View an organization"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,s.yg)("h2",{id:"shield-policy"},"shield policy"),(0,s.yg)("p",null,"Manage policies"),(0,s.yg)("h3",{id:"shield-policy-create-flags"},"shield policy create ","[flags]"),(0,s.yg)("p",null,"Create a policy"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the policy body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-policy-edit-flags"},"shield policy edit ","[flags]"),(0,s.yg)("p",null,"Edit a policy"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the policy body file\n")),(0,s.yg)("h3",{id:"shield-policy-list"},"shield policy list"),(0,s.yg)("p",null,"List all policies"),(0,s.yg)("h3",{id:"shield-policy-view"},"shield policy view"),(0,s.yg)("p",null,"View a policy"),(0,s.yg)("h2",{id:"shield-project"},"shield project"),(0,s.yg)("p",null,"Manage projects"),(0,s.yg)("h3",{id:"shield-project-create-flags"},"shield project create ","[flags]"),(0,s.yg)("p",null,"Create a project"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the project body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-project-edit-flags"},"shield project edit ","[flags]"),(0,s.yg)("p",null,"Edit a project"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the project body file\n")),(0,s.yg)("h3",{id:"shield-project-list"},"shield project list"),(0,s.yg)("p",null,"List all projects"),(0,s.yg)("h3",{id:"shield-project-view-flags"},"shield project view ","[flags]"),(0,s.yg)("p",null,"View a project"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,s.yg)("h2",{id:"shield-role"},"shield role"),(0,s.yg)("p",null,"Manage roles"),(0,s.yg)("h3",{id:"shield-role-create-flags"},"shield role create ","[flags]"),(0,s.yg)("p",null,"Create a role"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the role body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-role-edit-flags"},"shield role edit ","[flags]"),(0,s.yg)("p",null,"Edit a role"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the role body file\n")),(0,s.yg)("h3",{id:"shield-role-list"},"shield role list"),(0,s.yg)("p",null,"List all roles"),(0,s.yg)("h3",{id:"shield-role-view-flags"},"shield role view ","[flags]"),(0,s.yg)("p",null,"View a role"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")),(0,s.yg)("h2",{id:"shield-server"},"shield server"),(0,s.yg)("p",null,"Server management"),(0,s.yg)("h3",{id:"shield-server-init-flags"},"shield server init ","[flags]"),(0,s.yg)("p",null,"Initialize server"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},'-o, --output string Output config file path (default "./config.yaml")\n-r, --resources string URL path of resources. Full path prefixed with scheme where resources config yaml files are kept\n e.g.:\n local storage file "file:///tmp/resources_config"\n GCS Bucket "gs://shield-bucket-example"\n (default: file://{pwd}/resources_config)\n \n-u, --rule string URL path of rules. Full path prefixed with scheme where ruleset yaml files are kept\n e.g.:\n local storage file "file:///tmp/rules"\n GCS Bucket "gs://shield-bucket-example"\n (default: file://{pwd}/rules)\n')),(0,s.yg)("h3",{id:"shield-server-migrate-flags"},"shield server migrate ","[flags]"),(0,s.yg)("p",null,"Run DB Schema Migrations"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,s.yg)("h3",{id:"shield-server-migration-rollback-flags"},"shield server migration-rollback ","[flags]"),(0,s.yg)("p",null,"Run DB Schema Migrations Rollback to last state"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,s.yg)("h3",{id:"shield-server-start-flags"},"shield server start ","[flags]"),(0,s.yg)("p",null,"Start server and proxy default on port 8080"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-c, --config string Config file path\n")),(0,s.yg)("h2",{id:"shield-user"},"shield user"),(0,s.yg)("p",null,"Manage users"),(0,s.yg)("h3",{id:"shield-user-create-flags"},"shield user create ","[flags]"),(0,s.yg)("p",null,"Create an user"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the user body file\n-H, --header string Header :\n")),(0,s.yg)("h3",{id:"shield-user-edit-flags"},"shield user edit ","[flags]"),(0,s.yg)("p",null,"Edit an user"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-f, --file string Path to the user body file\n")),(0,s.yg)("h3",{id:"shield-user-list"},"shield user list"),(0,s.yg)("p",null,"List all users"),(0,s.yg)("h3",{id:"shield-user-view-flags"},"shield user view ","[flags]"),(0,s.yg)("p",null,"View an user"),(0,s.yg)("pre",null,(0,s.yg)("code",{parentName:"pre"},"-m, --metadata Set this flag to see metadata\n")))}h.isMDXComponent=!0}}]); \ No newline at end of file diff --git a/assets/js/runtime~main.30384e40.js b/assets/js/runtime~main.47301465.js similarity index 98% rename from assets/js/runtime~main.30384e40.js rename to assets/js/runtime~main.47301465.js index 32afca9af..db7c54374 100644 --- a/assets/js/runtime~main.30384e40.js +++ b/assets/js/runtime~main.47301465.js @@ -1 +1 @@ -(()=>{"use strict";var e,a,t,r,o,d={},c={};function f(e){var a=c[e];if(void 0!==a)return a.exports;var t=c[e]={id:e,loaded:!1,exports:{}};return d[e].call(t.exports,t,t.exports,f),t.loaded=!0,t.exports}f.m=d,f.c=c,e=[],f.O=(a,t,r,o)=>{if(!t){var d=1/0;for(i=0;i=o)&&Object.keys(f.O).every((e=>f.O[e](t[n])))?t.splice(n--,1):(c=!1,o0&&e[i-1][2]>o;i--)e[i]=e[i-1];e[i]=[t,r,o]},f.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return f.d(a,{a:a}),a},t=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,f.t=function(e,r){if(1&r&&(e=this(e)),8&r)return e;if("object"==typeof e&&e){if(4&r&&e.__esModule)return e;if(16&r&&"function"==typeof e.then)return e}var o=Object.create(null);f.r(o);var d={};a=a||[null,t({}),t([]),t(t)];for(var c=2&r&&e;"object"==typeof c&&!~a.indexOf(c);c=t(c))Object.getOwnPropertyNames(c).forEach((a=>d[a]=()=>e[a]));return d.default=()=>e,f.d(o,d),o},f.d=(e,a)=>{for(var t in a)f.o(a,t)&&!f.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:a[t]})},f.f={},f.e=e=>Promise.all(Object.keys(f.f).reduce(((a,t)=>(f.f[t](e,a),a)),[])),f.u=e=>"assets/js/"+({22:"2a52c330",46:"fdfd3bf4",59:"551b3f3a",85:"56b3faef",156:"0ab57e89",158:"5fd4dfaa",202:"1d8e60bc",238:"91c76d4c",344:"6550eba9",350:"7e06178c",375:"00e4296b",401:"17896441",416:"d9e16301",441:"b95ea484",449:"2118de21",510:"1a8b86dc",565:"a420f8de",569:"97e0d009",581:"935f2afb",699:"8a1416ba",714:"1be78505",718:"58175526",743:"5ee7b1bc",758:"c5e4a08a",773:"83a85fa4",803:"3b8c55ea",840:"a0ba3cf3",851:"1f2d7c49",899:"a09c2993",900:"7614d37a"}[e]||e)+"."+{22:"a0e62c6d",46:"724f21a5",59:"215e3a07",85:"b69ecac8",156:"1be548c6",158:"3ed8bba7",202:"e0d26009",238:"2d9e22d4",344:"0c45416f",350:"0d0bb0dc",375:"73e45315",401:"7d3f4967",416:"415f209d",441:"2ed85bb9",449:"36506080",510:"22fb34e2",553:"7dee0131",565:"fd5b3ade",569:"bb9fcedd",581:"0b8611bf",699:"afe13c19",714:"1fede52d",718:"bb3240f2",743:"14ce3227",758:"0ac6d694",773:"8ce5e5b5",774:"4451b760",803:"718f1096",840:"f954076c",851:"a07ea74c",899:"4417531c",900:"3176a232"}[e]+".js",f.miniCssF=e=>{},f.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),f.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),r={},o="shield:",f.l=(e,a,t,d)=>{if(r[e])r[e].push(a);else{var c,n;if(void 0!==t)for(var b=document.getElementsByTagName("script"),i=0;i{c.onerror=c.onload=null,clearTimeout(s);var o=r[e];if(delete r[e],c.parentNode&&c.parentNode.removeChild(c),o&&o.forEach((e=>e(t))),a)return a(t)},s=setTimeout(u.bind(null,void 0,{type:"timeout",target:c}),12e4);c.onerror=u.bind(null,c.onerror),c.onload=u.bind(null,c.onload),n&&document.head.appendChild(c)}},f.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},f.p="/shield/",f.gca=function(e){return e={17896441:"401",58175526:"718","2a52c330":"22",fdfd3bf4:"46","551b3f3a":"59","56b3faef":"85","0ab57e89":"156","5fd4dfaa":"158","1d8e60bc":"202","91c76d4c":"238","6550eba9":"344","7e06178c":"350","00e4296b":"375",d9e16301:"416",b95ea484:"441","2118de21":"449","1a8b86dc":"510",a420f8de:"565","97e0d009":"569","935f2afb":"581","8a1416ba":"699","1be78505":"714","5ee7b1bc":"743",c5e4a08a:"758","83a85fa4":"773","3b8c55ea":"803",a0ba3cf3:"840","1f2d7c49":"851",a09c2993:"899","7614d37a":"900"}[e]||e,f.p+f.u(e)},(()=>{var e={354:0,869:0};f.f.j=(a,t)=>{var r=f.o(e,a)?e[a]:void 0;if(0!==r)if(r)t.push(r[2]);else if(/^(354|869)$/.test(a))e[a]=0;else{var o=new Promise(((t,o)=>r=e[a]=[t,o]));t.push(r[2]=o);var d=f.p+f.u(a),c=new Error;f.l(d,(t=>{if(f.o(e,a)&&(0!==(r=e[a])&&(e[a]=void 0),r)){var o=t&&("load"===t.type?"missing":t.type),d=t&&t.target&&t.target.src;c.message="Loading chunk "+a+" failed.\n("+o+": "+d+")",c.name="ChunkLoadError",c.type=o,c.request=d,r[1](c)}}),"chunk-"+a,a)}},f.O.j=a=>0===e[a];var a=(a,t)=>{var r,o,d=t[0],c=t[1],n=t[2],b=0;if(d.some((a=>0!==e[a]))){for(r in c)f.o(c,r)&&(f.m[r]=c[r]);if(n)var i=n(f)}for(a&&a(t);b{"use strict";var e,a,t,r,o,d={},c={};function f(e){var a=c[e];if(void 0!==a)return a.exports;var t=c[e]={id:e,loaded:!1,exports:{}};return d[e].call(t.exports,t,t.exports,f),t.loaded=!0,t.exports}f.m=d,f.c=c,e=[],f.O=(a,t,r,o)=>{if(!t){var d=1/0;for(i=0;i=o)&&Object.keys(f.O).every((e=>f.O[e](t[n])))?t.splice(n--,1):(c=!1,o0&&e[i-1][2]>o;i--)e[i]=e[i-1];e[i]=[t,r,o]},f.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return f.d(a,{a:a}),a},t=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,f.t=function(e,r){if(1&r&&(e=this(e)),8&r)return e;if("object"==typeof e&&e){if(4&r&&e.__esModule)return e;if(16&r&&"function"==typeof e.then)return e}var o=Object.create(null);f.r(o);var d={};a=a||[null,t({}),t([]),t(t)];for(var c=2&r&&e;"object"==typeof c&&!~a.indexOf(c);c=t(c))Object.getOwnPropertyNames(c).forEach((a=>d[a]=()=>e[a]));return d.default=()=>e,f.d(o,d),o},f.d=(e,a)=>{for(var t in a)f.o(a,t)&&!f.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:a[t]})},f.f={},f.e=e=>Promise.all(Object.keys(f.f).reduce(((a,t)=>(f.f[t](e,a),a)),[])),f.u=e=>"assets/js/"+({22:"2a52c330",46:"fdfd3bf4",59:"551b3f3a",85:"56b3faef",156:"0ab57e89",158:"5fd4dfaa",202:"1d8e60bc",238:"91c76d4c",344:"6550eba9",350:"7e06178c",375:"00e4296b",401:"17896441",416:"d9e16301",441:"b95ea484",449:"2118de21",510:"1a8b86dc",565:"a420f8de",569:"97e0d009",581:"935f2afb",699:"8a1416ba",714:"1be78505",718:"58175526",743:"5ee7b1bc",758:"c5e4a08a",773:"83a85fa4",803:"3b8c55ea",840:"a0ba3cf3",851:"1f2d7c49",899:"a09c2993",900:"7614d37a"}[e]||e)+"."+{22:"a0e62c6d",46:"724f21a5",59:"215e3a07",85:"b69ecac8",156:"1be548c6",158:"3ed8bba7",202:"e0d26009",238:"1602c26e",344:"0c45416f",350:"0d0bb0dc",375:"73e45315",401:"7d3f4967",416:"415f209d",441:"2ed85bb9",449:"36506080",510:"22fb34e2",553:"7dee0131",565:"fd5b3ade",569:"bb9fcedd",581:"0b8611bf",699:"afe13c19",714:"1fede52d",718:"bb3240f2",743:"14ce3227",758:"0ac6d694",773:"8ce5e5b5",774:"4451b760",803:"718f1096",840:"f954076c",851:"a07ea74c",899:"4417531c",900:"3176a232"}[e]+".js",f.miniCssF=e=>{},f.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),f.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),r={},o="shield:",f.l=(e,a,t,d)=>{if(r[e])r[e].push(a);else{var c,n;if(void 0!==t)for(var b=document.getElementsByTagName("script"),i=0;i{c.onerror=c.onload=null,clearTimeout(s);var o=r[e];if(delete r[e],c.parentNode&&c.parentNode.removeChild(c),o&&o.forEach((e=>e(t))),a)return a(t)},s=setTimeout(u.bind(null,void 0,{type:"timeout",target:c}),12e4);c.onerror=u.bind(null,c.onerror),c.onload=u.bind(null,c.onload),n&&document.head.appendChild(c)}},f.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},f.p="/shield/",f.gca=function(e){return e={17896441:"401",58175526:"718","2a52c330":"22",fdfd3bf4:"46","551b3f3a":"59","56b3faef":"85","0ab57e89":"156","5fd4dfaa":"158","1d8e60bc":"202","91c76d4c":"238","6550eba9":"344","7e06178c":"350","00e4296b":"375",d9e16301:"416",b95ea484:"441","2118de21":"449","1a8b86dc":"510",a420f8de:"565","97e0d009":"569","935f2afb":"581","8a1416ba":"699","1be78505":"714","5ee7b1bc":"743",c5e4a08a:"758","83a85fa4":"773","3b8c55ea":"803",a0ba3cf3:"840","1f2d7c49":"851",a09c2993:"899","7614d37a":"900"}[e]||e,f.p+f.u(e)},(()=>{var e={354:0,869:0};f.f.j=(a,t)=>{var r=f.o(e,a)?e[a]:void 0;if(0!==r)if(r)t.push(r[2]);else if(/^(354|869)$/.test(a))e[a]=0;else{var o=new Promise(((t,o)=>r=e[a]=[t,o]));t.push(r[2]=o);var d=f.p+f.u(a),c=new Error;f.l(d,(t=>{if(f.o(e,a)&&(0!==(r=e[a])&&(e[a]=void 0),r)){var o=t&&("load"===t.type?"missing":t.type),d=t&&t.target&&t.target.src;c.message="Loading chunk "+a+" failed.\n("+o+": "+d+")",c.name="ChunkLoadError",c.type=o,c.request=d,r[1](c)}}),"chunk-"+a,a)}},f.O.j=a=>0===e[a];var a=(a,t)=>{var r,o,d=t[0],c=t[1],n=t[2],b=0;if(d.some((a=>0!==e[a]))){for(r in c)f.o(c,r)&&(f.m[r]=c[r]);if(n)var i=n(f)}for(a&&a(t);b - + @@ -17,7 +17,7 @@ There are a few different middlewares which are rule-matching, prefix, basic_auth, attribute and authz. We'll discuss each one in details in the upcoming sections.

  • Hook: Hooks are engaged after a response is received form the backend service. Currently we just have a single resource creation hook named authz.

  • Let's have a look at the Shield's Architecture where we will also be discussing about the different middlewares and hoooks.

    Shield Proxy Architecture

    Shield Proxy Architecture

    Sheild's proxy is build from two major components which are middlewares and hooks. Let's dive deeper into each of these components.

    Middleware

    Middlewares in shield have the following interface.

    type Middleware interface {
    Info() *MiddlewareInfo
    ServeHTTP(rw http.ResponseWriter, req *http.Request)
    }

    type MiddlewareInfo struct {
    Name string
    Description string
    }

    Shield is designed to execute the middlewares in a fixed order maintained by a stack. The order followed is

    • Rule match
    • Attributes
    • Basic auth
    • Authz
    • Prefix

    Rule match

    The rule match middleware finds the rule configured for a path and enriches the ctx with it. It also enriched the ctx with the request body.

    Attributes

    The attributes middleware builds a map of the attributes passed and enriches the ctx with it.

    Basic auth

    This middleware can be configured to support basic authentication with shield.

    Authz

    This middleware checks in the SpiceDB if the user is authorized with atleast one (OR operation) the permissions.

    Prefix

    This middleware strips a configured prefix from the request's URL path.

    Hook

    Hooks in shield have the following interface.

    type Service interface {
    Info() Info
    ServeHook(res *http.Response, err error) (*http.Response, error)
    }

    Shield only have a single hook

    • Authz

    Authz

    Authz hook persists the resource been created in the configfured backencd in Shield's DB. It does not create any relation by default but relations can be configured too. The relashions are created and stored both in Shield's DB and SpiceDB.

    - + \ No newline at end of file diff --git a/concepts/glossary/index.html b/concepts/glossary/index.html index 14a9e166b..af7dd904c 100644 --- a/concepts/glossary/index.html +++ b/concepts/glossary/index.html @@ -7,13 +7,13 @@ - +

    Glossary

    Backend

    External Service which wants to use Shield for authz. It can verify access via Shield Proxy & API.

    Permission

    Ability to carry out any action, in Shield or configured Backends.

    Principal

    To whom we can grant Permission to. They can be of types:

    1. User: A person or service account who can be a Principal. It is identified by Email ID.
    2. Group: Collection of Users.
    3. All Registered Users: Collection of users who have registered in Shield. Any user who registers in Shield becomes part of this Principal.

    Resource

    Entity which needs authorization to be accessed. For example, a GCE instance is a resource over which we need permission such as edit & view.

    Resource Type

    Classification that contains Resource instances. For example, GCE can be a resource type for GCE instances.

    Project

    By which we can group Resources, of various different Resource Types, who have common environment.

    Organization

    Organization is the root node in the hierarchy of Resources, being a collection of Projects.

    Namespace

    Type of objects over which we want authorization. They are of two types:

    1. System Namespace: Objects like Organization, Project & Team, over which we need authorization to actions such as adding user to team, adding user as owner of project.

    2. Resource Namespace: Resources Types over which we need authorization. For example, we need edit & view permissions over GCE Instances.

    Role

    Its an IAM Identity that describes what are the permissions one Principal has.

    Policy

    Defines what Permission does a Role have.

    Entity

    Instance of a namespace.

    Spicedb

    SpiceDB is a Zanzibar-inspired open source database system for managing security-critical application permissions.

    - + \ No newline at end of file diff --git a/guides/adding-metadata-key/index.html b/guides/adding-metadata-key/index.html index b8701b651..b61d5d5aa 100644 --- a/guides/adding-metadata-key/index.html +++ b/guides/adding-metadata-key/index.html @@ -7,13 +7,13 @@ - +

    Adding Metadata Keys

    A metadata-key in Shield looks like

    {
    "metadatakey": {
    "key": "manager",
    "description": "manager of this user"
    }
    }

    API Interface

    Create metadata keys

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/metadatakey'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "key": "manager",
    "description": "manager of this user"
    }'
    - + \ No newline at end of file diff --git a/guides/check-permission/index.html b/guides/check-permission/index.html index deef6c25e..e22eaae95 100644 --- a/guides/check-permission/index.html +++ b/guides/check-permission/index.html @@ -7,13 +7,13 @@ - +

    Checking Pemrissions

    There are two ways to check a user permission on a resource in shield,

    API Interface

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/check'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --header 'X-Shield-Email: doe.john@gotocompany.com'
    --data-raw '{
    "objectId": "test-resource-beta1",
    "objectNamespace": "entropy/firehose",
    "permission": "owner"
    }'

    Proxy Middleware

    Users can add middleware in the rules set to check permission. Middlewares will be called before the proxy call and will not call the services if authorization fails.

    The shield will read the action from the config, resource id from the path params, and UserId of the current user.

    - name: test-res
    path: /test-res
    target: "http://127.0.0.1:3000/"
    methods: ["PUT"]
    frontends:
    - name: test_api
    path: "/test-res/{resource_id}"
    method: "PUT"
    middlewares:
    - name: authz
    config:
    actions:
    - test-res_all_actions
    - test-res_cancel
    attributes:
    project:
    key: X-Shield-Project
    type: header
    source: request
    - + \ No newline at end of file diff --git a/guides/managing-group/index.html b/guides/managing-group/index.html index 0760cf8f8..3007ad9da 100644 --- a/guides/managing-group/index.html +++ b/guides/managing-group/index.html @@ -7,13 +7,13 @@ - +

    Managing Group

    A group in Shield looks like

    {
    "group": {
    "id": "2105beab-5d04-4fc5-b0ec-8d6f60b67ab2",
    "name": "Data Batching",
    "slug": "data-batching",
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "metadata": {
    "description": "group for users in data batching domain",
    "org-name": "gotocompany"
    },
    "createdAt": "2022-12-14T10:22:14.394120Z",
    "updatedAt": "2022-12-14T10:25:34.890645Z"
    }
    }

    API Interface

    Create groups

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/groups'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "Data Batching",
    "slug": "data-batching",
    "metadata": {
    "description": "group for users in data batching domain"
    },
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8"
    }'

    List groups

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/groups?orgId=4eb3c3b4-962b-4b45-b55b-4c07d3810ca8'
    --header 'Accept: application/json'

    Get groups

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/groups/2105beab-5d04-4fc5-b0ec-8d6f60b67ab2'
    --header 'Accept: application/json'

    Update group

    $ curl --location --request PUT 'http://localhost:8000/admin/v1beta1/groups/2105beab-5d04-4fc5-b0ec-8d6f60b67ab2'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "Data Batching",
    "slug": "data-batching",
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "metadata": {
    "description": "group for users in data batching domain",
    "org-name": "gotocompany"
    }
    }'

    Get all users in a group

    curl --location --request GET 'http://localhost:8000/admin/v1beta1/groups/86e2f95d-92c7-4c59-8fed-b7686cccbf4f/relations?subjectType=user&role=manager'
    --header 'Accept: application/json'
    - + \ No newline at end of file diff --git a/guides/managing-organization/index.html b/guides/managing-organization/index.html index abfb5262f..751a377c6 100644 --- a/guides/managing-organization/index.html +++ b/guides/managing-organization/index.html @@ -7,13 +7,13 @@ - +

    Managing Organization

    A organization in Shield looks like

    {
    "organizations": [
    {
    "id": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "name": "gotocompany",
    "slug": "gotocompany",
    "metadata": {
    "description": "Goto company"
    },
    "createdAt": "2022-12-07T14:10:42.755848Z",
    "updatedAt": "2022-12-07T14:10:42.755848Z"
    }
    ]
    }

    API Interface

    Create Organizations

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/organizations'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "gotocompany",
    "slug": "gotocompany",
    "metadata": {
    "description": "Goto company"
    }
    }'

    List Organizations

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/organizations'
    --header 'Accept: application/json'

    Get Organizations

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/organizations/4eb3c3b4-962b-4b45-b55b-4c07d3810ca8'
    --header 'Accept: application/json'

    Update Organizations

    $ curl --location --request PUT 'http://localhost:8000/admin/v1beta1/organizations/4eb3c3b4-962b-4b45-b55b-4c07d3810ca8'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "gotocompany",
    "slug": "gotocompany",
    "metadata": {
    "description": "Goto company",
    "url": "github.com/goto"
    }
    } '
    - + \ No newline at end of file diff --git a/guides/managing-project/index.html b/guides/managing-project/index.html index 0b726c7e7..562bff09a 100644 --- a/guides/managing-project/index.html +++ b/guides/managing-project/index.html @@ -7,13 +7,13 @@ - +

    Managing Project

    A project in Shield looks like

    {
    "projects": [
    {
    "id": "1b89026b-6713-4327-9d7e-ed03345da288",
    "name": "Project Alpha",
    "slug": "project-alpha",
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "metadata": {
    "description": "Project Alpha"
    },
    "createdAt": "2022-12-07T14:31:46.436081Z",
    "updatedAt": "2022-12-07T14:31:46.436081Z"
    }
    ]
    }

    API Interface

    Create projects

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/projects'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "Project Beta",
    "slug": "project-beta",
    "metadata": {
    "description": "Project Beta"
    },
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8"
    }'

    List projects

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/projects'
    --header 'Accept: application/json'

    Get Projects

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/projects/457944c2-2a4c-4e6f-b1f7-3e1e109fe94c'
    --header 'Accept: application/json'

    Update Projects

    $ curl --location --request PUT 'http://localhost:8000/admin/v1beta1/projects/457944c2-2a4c-4e6f-b1f7-3e1e109fe94c'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "Project Beta",
    "slug": "project-beta",
    "metadata": {
    "description": "Project Beta by gotocompany"
    },
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8"
    }'
    - + \ No newline at end of file diff --git a/guides/managing-relation/index.html b/guides/managing-relation/index.html index 4d0e33252..98d8faa27 100644 --- a/guides/managing-relation/index.html +++ b/guides/managing-relation/index.html @@ -7,13 +7,13 @@ - +

    Managing Relations

    A relation in Shield looks like

    {
    "relations": [
    {
    "id": "08effbce-42cb-4b7e-a808-ad17cd3445df",
    "objectId": "a9f784cf-0f29-486f-92d0-51300295f7e8",
    "objectNamespace": "entropy/firehose",
    "subject": "user:598688c6-8c6d-487f-b324-ef3f4af120bb",
    "roleName": "entropy/firehose:owner",
    "createdAt": null,
    "updatedAt": null
    }
    ]
    }

    API Interface

    Create Relations

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/relations'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "objectId": "a9f784cf-0f29-486f-92d0-51300295f7e8",
    "objectNamespace": "entropy/firehose",
    "subject": "user:doe.john@gotocompany.com",
    "roleName": "owner"
    }'

    List Relations

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/relations'
    --header 'Accept: application/json'

    Get Relations

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/relations/f959a605-8755-4ee4-b898-a1e26f596c4d'
    --header 'Accept: application/json'

    Delete relation

    $ curl --location --request DELETE 'http://localhost:8000/admin/v1beta1/
    object/a9f784cf-0f29-486f-92d0-51300295f7e8/
    subject/448d52d4-48cb-495e-8ec5-8afc55c624ca/
    role/owner'
    --header 'Accept: application/json'
    - + \ No newline at end of file diff --git a/guides/managing-resource/index.html b/guides/managing-resource/index.html index 75558309d..8be40bf4b 100644 --- a/guides/managing-resource/index.html +++ b/guides/managing-resource/index.html @@ -7,14 +7,14 @@ - +

    Manage Resources

    A resource in Shield looks like

    {
    "resource": {
    "id": "5723e961-7259-48b3-b721-292868d652d7",
    "name": "test-random-name",
    "project": {
    "id": "1b89026b-6713-4327-9d7e-ed03345da288",
    "name": "",
    "slug": "",
    "orgId": "",
    "metadata": null,
    "createdAt": null,
    "updatedAt": null
    },
    "organization": {
    "id": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "name": "",
    "slug": "",
    "metadata": null,
    "createdAt": null,
    "updatedAt": null
    },
    "namespace": {
    "id": "entropy/firehose",
    "name": "",
    "createdAt": null,
    "updatedAt": null
    },
    "createdAt": "2022-12-13T11:59:23.964065Z",
    "updatedAt": "2022-12-13T11:59:23.964065Z",
    "user": {
    "id": "2fd7f306-61db-4198-9623-6f5f1809df11",
    "name": "",
    "slug": "",
    "email": "",
    "metadata": null,
    "createdAt": null,
    "updatedAt": null
    },
    "urn": "r/entropy/firehose/test-random-name"
    }
    }

    API Interface

    Create resources

    There are two ways to create a resource in the shield,

    API Interface

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/resources'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --header 'X-Shield-Email: admin@gotocompany.com'
    --data-raw '{
    "name": "test-resource-beta",
    "projectId": "1b89026b-6713-4327-9d7e-ed03345da288",
    "namespaceId": "entropy/firehose",
    "relations": [
    {
    "subject": "user:john.doe@gotocompany.com",
    "roleName": "owner"
    }
    ]
    }'

    Proxy Hook

    Users can add hooks to rules set to create a resource. The hook will be called after the proxy request is completed. Hooks can read query, header, params, payload, and response to get the values for Resource.

    - name: test-res
    path: /test-res
    target: "http://127.0.0.1:3000/"
    methods: ["POST"]
    frontends:
    - name: create test-res
    path: "/test-res"
    method: "POST"
    hooks:
    - name: authz
    config:
    attributes:
    project:
    key: project
    type: json_payload
    organization:
    key: organization
    type: json_payload
    team:
    key: team
    type: json_payload
    resource:
    key: urns.#.id
    type: json_payload

    List resources

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/resources'
    --header 'Accept: application/json'

    Get resources

    $ curl -curl --location --request GET 'http://localhost:8000/admin/v1beta1/resources/28105b9a-1717-47cf-a5d9-49249b6638df'
    --header 'Accept: application/json'

    Update resource

    $ curl --location --request PUT 'http://localhost:8000/admin/v1beta1/resources/a9f784cf-0f29-486f-92d0-51300295f7e8'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "test-resource-beta1",
    "projectId": "1b89026b-6713-4327-9d7e-ed03345da288",
    "namespaceId": "entropy/firehose"
    }'
    - + \ No newline at end of file diff --git a/guides/managing-user/index.html b/guides/managing-user/index.html index 028efcd74..5ecdfe7ee 100644 --- a/guides/managing-user/index.html +++ b/guides/managing-user/index.html @@ -7,13 +7,13 @@ - +

    Managing Users

    A project in Shield looks like

    {
    "users": [
    {
    "id": "598688c6-8c6d-487f-b324-ef3f4af120bb",
    "name": "John Doe",
    "slug": "",
    "email": "john.doe@gotocompany.com",
    "metadata": {
    "role": "\"user-1\""
    },
    "createdAt": "2022-12-09T10:45:19.134019Z",
    "updatedAt": "2022-12-09T10:45:19.134019Z"
    }
    ]
    }

    One thing to note here is that Shield only allow to have metadata key from a specific set of keys. This constraint is only for users. We can add metadata key using this metadata key API

    API Interface

    Create users

    $ curl --location --request POST 'http://localhost:8000/admin/v1beta1/users'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --header 'X-Shield-Email: admin@gotocompany.com'
    --data-raw '{
    "name": "Jonny Doe",
    "email": "jonny.doe@gotocompany.com",
    "metadata": {
    "role": "user-3"
    }
    }'

    List users

    curl --location --request GET 'http://localhost:8000/admin/v1beta1/users'
    --header 'Accept: application/json'

    Get Users

    $ curl --location --request GET 'http://localhost:8000/admin/v1beta1/users/e9fba4af-ab23-4631-abba-597b1c8e6608'
    --header 'Accept: application/json''

    Update Projects

    $ curl --location --request PUT 'http://localhost:8000/admin/v1beta1/users/e9fba4af-ab23-4631-abba-597b1c8e6608'
    --header 'Content-Type: application/json'
    --header 'Accept: application/json'
    --data-raw '{
    "name": "Jonny Doe",
    "email": "john.doe001@gotocompany.com",
    "metadata": {
    "role" : "user-3"
    }
    }'
    - + \ No newline at end of file diff --git a/guides/overview/index.html b/guides/overview/index.html index 17aed11c1..44f8a9afe 100644 --- a/guides/overview/index.html +++ b/guides/overview/index.html @@ -7,14 +7,14 @@ - +

    Overview

    The following topics will describe how to use Shield. It respects multi-tenancy using namespace, which can either be a system namespace or a resource namespace. System namespace is composed of a backend and a resource type which allows onboard multiple instances of a service by changing the backend. While resource namespaces allows to onboard multiple organizations, project and groups.

    Managing Organizations

    Organizations are the top most level object in Sheild's system.

    Managing Projects

    Project comes under an organization, and they can have multiple resources belonging to them.

    Managing Resources

    Resources have some basic information about the resources being created on the backend. They can be used for authorization purpose.

    Managing Groups

    Groups fall under anorganization too, an they are a colection of users with different roles.

    Managing Namespaces, Policies, Roles and Actions

    All of these are managed by configuration files and shall not be modified via APIs.

    Managing Users and their Metadata

    User represent a real life user distinguished by their emails.

    Managing Relations

    Relations are a copy of the relationships being managed in SpiceDB.

    Checking Permission

    Shield provides an API to check if a user has a certain permissions on a resource.

    Where to go next?

    We recomment you to check all the guides for having a clear understanding of the APIs. For testing these APIs on local, you can import the Swagger.

    - + \ No newline at end of file diff --git a/index.html b/index.html index 4215a09ab..a7394e7a7 100644 --- a/index.html +++ b/index.html @@ -7,14 +7,14 @@ - +

    Introduction

    Welcome to the introductory guide to Shield! This guide is the best place to start with Shield. We cover what Shield is, what problems it can solve, how it works, and how you can get started using it. If you are familiar with the basics of Shield, the guides provides a more detailed reference of available features.

    What is Shield?

    Shield is a cloud-native role-based authorization-aware reverse-proxy service that helps you manage the authorization of given resources. In uses SpiceDB authorization engine, which is an open source fine-grained permissions database inspired by Google Zanzibar.

    Shield flow diagram

    Shield being a reverse-proxy, intercepts the request between a client and the backend. It offers configurable authorization on each url path. This is handled by authz middleware. This is a non-mandatory step, and can be left unprotected as well.

    A Resource Creation Hook comes handy when a resource needs to be created or updated in the backed. Shield keeps a record or the resource within it's database in order to check authorization later. The resource creation/updation request goes to the backend and when a successful response is received, the hook creates an instance of it in the database.

    We can also configure role assignments to certian user or group on this resource as well during the resource creation.

    We will talk more with example about the rule configuration in detail, in the guides.

    How does shield work?

    Here are the steps to work with Shield.

    1. Configure policies: This step involes defition of resource types that will exist in the connected backend. User can also configure the roles and permissions that exist.

    2. Configure rules: This step involves defining the authorization(via authz middleware) and resource creation(via hook) for each path in the backend.

    3. Making Shield proxy request: User can now hit at the shield server followed by the url path.

    Features

    • Organization and Project Management

      Shield provides API to create and manage organizations/projects. Admins can create projects and groups within organizations.

    • Group Management

      In group management, group admins can manage groups, add-remove members to the groups, and assign roles to the members.

    • Policy Management

      Users can create policies to define which roles can perform what action on the resources.

    • Reverse Proxy

      Shield can also restrict access to the proxy api to the users as per attributes and policies.

    • GRPC/REST based APIs

    Using Shield

    You can manage organizations, projects, group, users and resources in any of the following ways:

    Shield Command Line Interface

    You can use the Shield command line interface to issue commands and to perform the entire Shield features. Using the command line can be faster and more convenient than using API. For more information on using the Shield CLI, see the CLI Reference page.

    HTTPS API

    You can manage relation creation, checking authorization on a resource and much more by using the Shield HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the API Reference page.

    - + \ No newline at end of file diff --git a/installation/index.html b/installation/index.html index 7c673f1f2..617dc5fb1 100644 --- a/installation/index.html +++ b/installation/index.html @@ -7,7 +7,7 @@ - + @@ -15,7 +15,7 @@

    Installation

    We provide pre-built binaries, Docker Images and Helm Charts

    Binary (Cross-platform)

    Download the appropriate version for your platform from releases page. Once downloaded, the binary can be run from anywhere. You don’t need to install it into a global location. This works well for shared hosts and other systems where you don’t have a privileged account. Ideally, you should install it somewhere in your PATH for easy use. /usr/local/bin is the most probable location.

    Homebrew

    # Install shield (requires homebrew installed)
    $ brew install goto/taps/shield

    # Upgrade shield (requires homebrew installed)
    $ brew upgrade shield

    # Check for installed shield version
    $ shield version

    Docker

    Prerequisites

    • Docker installed

    Run Docker Image

    Shield provides Docker image as part of the release. Make sure you have Spicedb and postgres running on your local and run the following.

    # Download docker image from docker hub
    $ docker pull gotocompany/shield

    # Run the following docker command with minimal config.
    $ docker run -p 8080:8080 \
    -e SHIELD_DB_DRIVER=postgres \
    -e SHIELD_DB_URL=postgres://shield:@localhost:5432/shield?sslmode=disable \
    -e SHIELD_SPICEDB_HOST=spicedb.localhost:50051 \
    -e SHIELD_SPICEDB_PRE_SHARED_KEY=randomkey
    -v .config:.config
    gotocompany/shield serve

    Compiling from source

    Prerequisites

    Shield requires the following dependencies:

    • Golang (version 1.21 or above)
    • Git

    Build

    Run the following commands to compile shield from source

    git clone git@github.com:goto/shield.git
    cd shield
    make build

    Use the following command to test

    ./shield version

    Shield service can be started with the following command although there are few required configurations for it to start.

    ./shield server start
    - + \ No newline at end of file diff --git a/reference/api/index.html b/reference/api/index.html index da19b4c97..8b8250af4 100644 --- a/reference/api/index.html +++ b/reference/api/index.html @@ -7,14 +7,14 @@ - +

    Shield

    Version: 0.1.0

    /v1beta1/actions

    GET

    Summary

    Get all Actions

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListActionsResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Action

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1ActionRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateActionResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/check

    POST

    Summary

    check permission for action on a resource by an user

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1CheckResourcePermissionRequest
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CheckResourcePermissionResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/groups

    GET

    Summary

    Get all Groups

    Parameters
    NameLocated inDescriptionRequiredSchema
    userIdqueryNostring
    orgIdqueryNostring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListGroupsResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Group

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1GroupRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateGroupResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/groups/{id}

    GET

    Summary

    Get Group by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetGroupResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update Group by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1GroupRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateGroupResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/groups/{id}/relations

    GET

    Summary

    Get all relations for a group

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    subjectTypequeryNostring
    rolequeryNostring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListGroupRelationsResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/metadatakey

    POST

    Summary

    Create Metadata Key

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1MetadataKeyRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateMetadataKeyResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/namespaces

    GET

    Summary

    Get all Namespaces

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListNamespacesResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Namespace

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1NamespaceRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateNamespaceResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/namespaces/{id}

    GET

    Summary

    Get Namespace by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetNamespaceResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update Namespace by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1NamespaceRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateNamespaceResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/object/{objectId}/subject/{subjectId}/role/{role}

    DELETE

    Summary

    Remove a subject having a role from an object

    Parameters
    NameLocated inDescriptionRequiredSchema
    objectIdpathYesstring
    subjectIdpathYesstring
    rolepathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1DeleteRelationResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/organizations

    GET

    Summary

    Get all Organization

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListOrganizationsResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Organization

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1OrganizationRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateOrganizationResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/organizations/{id}

    GET

    Summary

    Get Organization by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetOrganizationResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update Organization by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1OrganizationRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateOrganizationResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/organizations/{id}/admins

    GET

    Summary

    Get all Admins of an Organization

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListOrganizationAdminsResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/policies

    GET

    Summary

    Get all Policy

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListPoliciesResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Policy

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1PolicyRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreatePolicyResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/projects

    GET

    Summary

    Get all Project

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListProjectsResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Project

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1ProjectRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateProjectResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/projects/{id}

    GET

    Summary

    Get Project by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetProjectResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update Project by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1ProjectRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateProjectResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/projects/{id}/admins

    GET

    Summary

    Get all Admins of a Project

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListProjectAdminsResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/relations

    GET

    Summary

    Get all Relations

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListRelationsResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Relation

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1RelationRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateRelationResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/relations/{id}

    GET

    Summary

    Get Relation by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetRelationResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/resources

    GET

    Summary

    Get all Resources

    Parameters
    NameLocated inDescriptionRequiredSchema
    groupIdqueryNostring
    projectIdqueryNostring
    organizationIdqueryNostring
    namespaceIdqueryNostring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListResourcesResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Resource

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1ResourceRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateResourceResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/resources/{id}

    GET

    Summary

    Get Resource by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetResourceResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update Resource by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1ResourceRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateResourceResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/roles

    GET

    Summary

    Get all Roles

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListRolesResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create Role

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1RoleRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateRoleResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/users

    GET

    Summary

    Get All Users

    Parameters
    NameLocated inDescriptionRequiredSchema
    pageSizequeryNointeger
    pageNumqueryNointeger
    keywordqueryNostring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListUsersResponse
    defaultAn unexpected error response.rpcStatus

    POST

    Summary

    Create User

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1UserRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1CreateUserResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/users/self

    GET

    Summary

    Get current user

    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetCurrentUserResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update current User

    Parameters
    NameLocated inDescriptionRequiredSchema
    bodybodyYesv1beta1UserRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateCurrentUserResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/users/{id}

    GET

    Summary

    Get a User by id

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1GetUserResponse
    defaultAn unexpected error response.rpcStatus

    PUT

    Summary

    Update User by ID

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    bodybodyYesv1beta1UserRequestBody
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1UpdateUserResponse
    defaultAn unexpected error response.rpcStatus

    /v1beta1/users/{id}/groups

    GET

    Summary

    List Groups of a User

    Parameters
    NameLocated inDescriptionRequiredSchema
    idpathYesstring
    rolequeryNostring
    Responses
    CodeDescriptionSchema
    200A successful response.v1beta1ListUserGroupsResponse
    defaultAn unexpected error response.rpcStatus

    Models

    CheckResourcePermissionResponseResourcePermissionResponse

    NameTypeDescriptionRequired
    objectIdstringNo
    objectNamespacestringNo
    permissionstringNo
    allowedbooleanNo

    protobufAny

    NameTypeDescriptionRequired
    @typestringNo

    protobufNullValue

    NullValue is a singleton enumeration to represent the null value for the Value type union.

    The JSON representation for NullValue is JSON null.

    • NULL_VALUE: Null value.
    NameTypeDescriptionRequired
    protobufNullValuestringNullValue is a singleton enumeration to represent the null value for the Value type union. The JSON representation for NullValue is JSON null. - NULL_VALUE: Null value.

    rpcStatus

    NameTypeDescriptionRequired
    codeintegerNo
    messagestringNo
    details[ protobufAny ]No

    v1beta1Action

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    namespacev1beta1NamespaceNo
    createdAtdateTimeNo
    updatedAtdateTimeNo
    namespaceIdstringNo

    v1beta1ActionRequestBody

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    namespaceIdstringNo

    v1beta1CheckResourcePermissionRequest

    NameTypeDescriptionRequired
    objectIdstringNo
    objectNamespacestringNo
    permissionstringNo
    resourcePermissions[ v1beta1ResourcePermission ]No

    v1beta1CheckResourcePermissionResponse

    NameTypeDescriptionRequired
    statusbooleanNo
    resourcePermissions[ CheckResourcePermissionResponseResourcePermissionResponse ]No

    v1beta1CreateActionResponse

    NameTypeDescriptionRequired
    actionv1beta1ActionNo

    v1beta1CreateGroupResponse

    NameTypeDescriptionRequired
    groupv1beta1GroupNo

    v1beta1CreateMetadataKeyResponse

    NameTypeDescriptionRequired
    metadatakeyv1beta1MetadataKeyNo

    v1beta1CreateNamespaceResponse

    NameTypeDescriptionRequired
    namespacev1beta1NamespaceNo

    v1beta1CreateOrganizationResponse

    NameTypeDescriptionRequired
    organizationv1beta1OrganizationNo

    v1beta1CreatePolicyResponse

    NameTypeDescriptionRequired
    policies[ v1beta1Policy ]No

    v1beta1CreateProjectResponse

    NameTypeDescriptionRequired
    projectv1beta1ProjectNo

    v1beta1CreateRelationResponse

    NameTypeDescriptionRequired
    relationv1beta1RelationNo

    v1beta1CreateResourceResponse

    NameTypeDescriptionRequired
    resourcev1beta1ResourceNo

    v1beta1CreateRoleResponse

    NameTypeDescriptionRequired
    rolev1beta1RoleNo

    v1beta1CreateUserResponse

    NameTypeDescriptionRequired
    userv1beta1UserNo

    v1beta1DeleteRelationResponse

    NameTypeDescriptionRequired
    messagestringNo

    v1beta1GetCurrentUserResponse

    NameTypeDescriptionRequired
    userv1beta1UserNo

    v1beta1GetGroupResponse

    NameTypeDescriptionRequired
    groupv1beta1GroupNo

    v1beta1GetNamespaceResponse

    NameTypeDescriptionRequired
    namespacev1beta1NamespaceNo

    v1beta1GetOrganizationResponse

    NameTypeDescriptionRequired
    organizationv1beta1OrganizationNo

    v1beta1GetProjectResponse

    NameTypeDescriptionRequired
    projectv1beta1ProjectNo

    v1beta1GetRelationResponse

    NameTypeDescriptionRequired
    relationv1beta1RelationNo

    v1beta1GetResourceResponse

    NameTypeDescriptionRequired
    resourcev1beta1ResourceNo

    v1beta1GetUserResponse

    NameTypeDescriptionRequired
    userv1beta1UserNo

    v1beta1Group

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    slugstringNo
    orgIdstringNo
    metadataobjectNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1GroupRelation

    NameTypeDescriptionRequired
    subjectTypestringNo
    rolestringNo
    userv1beta1UserNo
    groupv1beta1GroupNo

    v1beta1GroupRequestBody

    NameTypeDescriptionRequired
    namestringNo
    slugstringNo
    metadataobjectNo
    orgIdstringNo

    v1beta1ListActionsResponse

    NameTypeDescriptionRequired
    actions[ v1beta1Action ]No

    v1beta1ListGroupRelationsResponse

    NameTypeDescriptionRequired
    relations[ v1beta1GroupRelation ]No

    v1beta1ListGroupsResponse

    NameTypeDescriptionRequired
    groups[ v1beta1Group ]No

    v1beta1ListNamespacesResponse

    NameTypeDescriptionRequired
    namespaces[ v1beta1Namespace ]No

    v1beta1ListOrganizationAdminsResponse

    NameTypeDescriptionRequired
    users[ v1beta1User ]No

    v1beta1ListOrganizationsResponse

    NameTypeDescriptionRequired
    organizations[ v1beta1Organization ]No

    v1beta1ListPoliciesResponse

    NameTypeDescriptionRequired
    policies[ v1beta1Policy ]No

    v1beta1ListProjectAdminsResponse

    NameTypeDescriptionRequired
    users[ v1beta1User ]No

    v1beta1ListProjectsResponse

    NameTypeDescriptionRequired
    projects[ v1beta1Project ]No

    v1beta1ListRelationsResponse

    NameTypeDescriptionRequired
    relations[ v1beta1Relation ]No

    v1beta1ListResourcesResponse

    NameTypeDescriptionRequired
    resources[ v1beta1Resource ]No

    v1beta1ListRolesResponse

    NameTypeDescriptionRequired
    roles[ v1beta1Role ]No

    v1beta1ListUserGroupsResponse

    NameTypeDescriptionRequired
    groups[ v1beta1Group ]No

    v1beta1ListUsersResponse

    NameTypeDescriptionRequired
    countintegerNo
    users[ v1beta1User ]No

    v1beta1MetadataKey

    NameTypeDescriptionRequired
    keystringNo
    descriptionstringNo

    v1beta1MetadataKeyRequestBody

    NameTypeDescriptionRequired
    keystringNo
    descriptionstringNo

    v1beta1Namespace

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1NamespaceRequestBody

    NameTypeDescriptionRequired
    idstringNo
    namestringNo

    v1beta1Organization

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    slugstringNo
    metadataobjectNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1OrganizationRequestBody

    NameTypeDescriptionRequired
    namestringNo
    slugstringNo
    metadataobjectNo

    v1beta1Policy

    NameTypeDescriptionRequired
    idstringNo
    rolev1beta1RoleNo
    actionv1beta1ActionNo
    namespacev1beta1NamespaceNo
    createdAtdateTimeNo
    updatedAtdateTimeNo
    namespaceIdstringNo
    roleIdstringNo
    actionIdstringNo

    v1beta1PolicyRequestBody

    NameTypeDescriptionRequired
    roleIdstringNo
    actionIdstringNo
    namespaceIdstringNo

    v1beta1Project

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    slugstringNo
    orgIdstringNo
    metadataobjectNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1ProjectRequestBody

    NameTypeDescriptionRequired
    namestringNo
    slugstringNo
    metadataobjectNo
    orgIdstringNo

    v1beta1Relation

    NameTypeDescriptionRequired
    idstringNo
    objectIdstringNo
    objectNamespacestringNo
    subjectstringNo
    roleNamestringNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1RelationRequestBody

    NameTypeDescriptionRequired
    objectIdstringNo
    objectNamespacestringNo
    subjectstringNo
    roleNamestringNo

    v1beta1Resource

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    projectv1beta1ProjectNo
    organizationv1beta1OrganizationNo
    namespacev1beta1NamespaceNo
    createdAtdateTimeNo
    updatedAtdateTimeNo
    userv1beta1UserNo
    urnstringNo

    v1beta1ResourcePermission

    NameTypeDescriptionRequired
    objectIdstringNo
    objectNamespacestringNo
    permissionstringNo

    v1beta1ResourceRequestBody

    NameTypeDescriptionRequired
    namestringNo
    projectIdstringNo
    namespaceIdstringNo
    relations[ v1beta1Relation ]No

    v1beta1Role

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    types[ string ]No
    namespacev1beta1NamespaceNo
    metadataobjectNo
    createdAtdateTimeNo
    updatedAtdateTimeNo
    namespaceIdstringNo

    v1beta1RoleRequestBody

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    types[ string ]No
    namespaceIdstringNo
    metadataobjectNo

    v1beta1UpdateCurrentUserResponse

    NameTypeDescriptionRequired
    userv1beta1UserNo

    v1beta1UpdateGroupResponse

    NameTypeDescriptionRequired
    groupv1beta1GroupNo

    v1beta1UpdateNamespaceResponse

    NameTypeDescriptionRequired
    namespacev1beta1NamespaceNo

    v1beta1UpdateOrganizationResponse

    NameTypeDescriptionRequired
    organizationv1beta1OrganizationNo

    v1beta1UpdateProjectResponse

    NameTypeDescriptionRequired
    projectv1beta1ProjectNo

    v1beta1UpdateResourceResponse

    NameTypeDescriptionRequired
    resourcev1beta1ResourceNo

    v1beta1UpdateUserResponse

    NameTypeDescriptionRequired
    userv1beta1UserNo

    v1beta1User

    NameTypeDescriptionRequired
    idstringNo
    namestringNo
    slugstringNo
    emailstringNo
    metadataobjectNo
    createdAtdateTimeNo
    updatedAtdateTimeNo

    v1beta1UserRequestBody

    NameTypeDescriptionRequired
    namestringNo
    emailstringNo
    metadataobjectNo
    - + \ No newline at end of file diff --git a/reference/cli/index.html b/reference/cli/index.html index a0047723a..10708c546 100644 --- a/reference/cli/index.html +++ b/reference/cli/index.html @@ -7,13 +7,13 @@ - +
    -

    CLI

    shield action

    Manage actions

    shield action create [flags]

    Create an action

    -f, --file string     Path to the action body file
    -H, --header string Header <key>:<value>

    shield action edit [flags]

    Edit an action

    -f, --file string   Path to the action body file

    shield action list

    List all actions

    shield action view

    View an action

    shield auth

    Auth configs that need to be used with shield

    shield completion [bash|zsh|fish|powershell]

    Generate shell completion scripts

    shield config

    Manage client configurations

    shield config init

    Initialize a new client configuration

    shield config list

    List client configuration settings

    shield environment

    List of supported environment variables

    shield group

    Manage groups

    shield group create [flags]

    Create a group

    -f, --file string     Path to the group body file
    -H, --header string Header <key>:<value>

    shield group edit [flags]

    Edit a group

    -f, --file string   Path to the group body file

    shield group list

    List all groups

    shield group view [flags]

    View a group

    -m, --metadata   Set this flag to see metadata

    shield namespace

    Manage namespaces

    shield namespace create [flags]

    Create a namespace

    -f, --file string   Path to the namespace body file

    shield namespace edit [flags]

    Edit a namespace

    -f, --file string   Path to the namespace body file

    shield namespace list

    List all namespaces

    shield namespace view

    View a namespace

    shield organization

    Manage organizations

    shield organization admadd [flags]

    add admins to an organization

    -f, --file string   Path to the provider config

    shield organization admlist

    list admins of an organization

    shield organization admremove [flags]

    remove admins from an organization

    -u, --user string   Id of the user to be removed

    shield organization create [flags]

    Create an organization

    -f, --file string     Path to the organization body file
    -H, --header string Header <key>:<value>

    shield organization edit [flags]

    Edit an organization

    -f, --file string   Path to the organization body file

    shield organization list

    List all organizations

    shield organization view [flags]

    View an organization

    -m, --metadata   Set this flag to see metadata

    shield policy

    Manage policies

    shield policy create [flags]

    Create a policy

    -f, --file string     Path to the policy body file
    -H, --header string Header <key>:<value>

    shield policy edit [flags]

    Edit a policy

    -f, --file string   Path to the policy body file

    shield policy list

    List all policies

    shield policy view

    View a policy

    shield project

    Manage projects

    shield project create [flags]

    Create a project

    -f, --file string     Path to the project body file
    -H, --header string Header <key>:<value>

    shield project edit [flags]

    Edit a project

    -f, --file string   Path to the project body file

    shield project list

    List all projects

    shield project view [flags]

    View a project

    -m, --metadata   Set this flag to see metadata

    shield role

    Manage roles

    shield role create [flags]

    Create a role

    -f, --file string     Path to the role body file
    -H, --header string Header <key>:<value>

    shield role edit [flags]

    Edit a role

    -f, --file string   Path to the role body file

    shield role list

    List all roles

    shield role view [flags]

    View a role

    -m, --metadata   Set this flag to see metadata

    shield server

    Server management

    shield server init [flags]

    Initialize server

    -o, --output string      Output config file path (default "./config.yaml")
    -r, --resources string URL path of resources. Full path prefixed with scheme where resources config yaml files are kept
    e.g.:
    local storage file "file:///tmp/resources_config"
    GCS Bucket "gs://shield-bucket-example"
    (default: file://{pwd}/resources_config)

    -u, --rule string URL path of rules. Full path prefixed with scheme where ruleset yaml files are kept
    e.g.:
    local storage file "file:///tmp/rules"
    GCS Bucket "gs://shield-bucket-example"
    (default: file://{pwd}/rules)

    shield server migrate [flags]

    Run DB Schema Migrations

    -c, --config string   Config file path

    shield server migration-rollback [flags]

    Run DB Schema Migrations Rollback to last state

    -c, --config string   Config file path

    shield server start [flags]

    Start server and proxy default on port 8080

    -c, --config string   Config file path

    shield user

    Manage users

    shield user create [flags]

    Create an user

    -f, --file string     Path to the user body file
    -H, --header string Header <key>:<value>

    shield user edit [flags]

    Edit an user

    -f, --file string   Path to the user body file

    shield user list

    List all users

    shield user view [flags]

    View an user

    -m, --metadata   Set this flag to see metadata
    - +

    CLI

    shield action

    Manage actions

    shield action create [flags]

    Create an action

    -f, --file string     Path to the action body file
    -H, --header string Header <key>:<value>

    shield action list

    List all actions

    shield auth

    Auth configs that need to be used with shield

    shield completion [bash|zsh|fish|powershell]

    Generate shell completion scripts

    shield config <command>

    Manage client configurations

    shield config init

    Initialize a new client configuration

    shield config list

    List client configuration settings

    shield environment

    List of supported environment variables

    shield group

    Manage groups

    shield group create [flags]

    Create a group

    -f, --file string     Path to the group body file
    -H, --header string Header <key>:<value>

    shield group edit [flags]

    Edit a group

    -f, --file string   Path to the group body file

    shield group list

    List all groups

    shield group view [flags]

    View a group

    -m, --metadata   Set this flag to see metadata

    shield namespace

    Manage namespaces

    shield namespace create [flags]

    Create a namespace

    -f, --file string   Path to the namespace body file

    shield namespace edit [flags]

    Edit a namespace

    -f, --file string   Path to the namespace body file

    shield namespace list

    List all namespaces

    shield namespace view

    View a namespace

    shield organization

    Manage organizations

    shield organization admlist

    list admins of an organization

    shield organization create [flags]

    Create an organization

    -f, --file string     Path to the organization body file
    -H, --header string Header <key>:<value>

    shield organization edit [flags]

    Edit an organization

    -f, --file string   Path to the organization body file

    shield organization list

    List all organizations

    shield organization view [flags]

    View an organization

    -m, --metadata   Set this flag to see metadata

    shield policy

    Manage policies

    shield policy create [flags]

    Create a policy

    -f, --file string     Path to the policy body file
    -H, --header string Header <key>:<value>

    shield policy list

    List all policies

    shield project

    Manage projects

    shield project create [flags]

    Create a project

    -f, --file string     Path to the project body file
    -H, --header string Header <key>:<value>

    shield project edit [flags]

    Edit a project

    -f, --file string   Path to the project body file

    shield project list

    List all projects

    shield project view [flags]

    View a project

    -m, --metadata   Set this flag to see metadata

    shield role

    Manage roles

    shield role create [flags]

    Create a role

    -f, --file string     Path to the role body file
    -H, --header string Header <key>:<value>

    shield role list

    List all roles

    shield server <command>

    Server management

    shield server init [flags]

    Initialize server

    -o, --output string      Output config file path (default "./config.yaml")
    -r, --resources string URL path of resources. Full path prefixed with scheme where resources config yaml files are kept
    e.g.:
    local storage file "file:///tmp/resources_config"
    GCS Bucket "gs://shield-bucket-example"
    (default: file://{pwd}/resources_config)

    -u, --rule string URL path of rules. Full path prefixed with scheme where ruleset yaml files are kept
    e.g.:
    local storage file "file:///tmp/rules"
    GCS Bucket "gs://shield-bucket-example"
    (default: file://{pwd}/rules)

    shield server migrate [flags]

    Run DB Schema Migrations

    -c, --config string   Config file path

    shield server migration-rollback [flags]

    Run DB Schema Migrations Rollback to last state

    -c, --config string   Config file path

    shield server start [flags]

    Start server and proxy default on port 8080

    -c, --config string   Config file path

    shield user

    Manage users

    shield user create [flags]

    Create an user

    -f, --file string     Path to the user body file
    -H, --header string Header <key>:<value>

    shield user edit [flags]

    Edit an user

    -f, --file string   Path to the user body file

    shield user list

    List all users

    shield user view [flags]

    View an user

    -m, --metadata   Set this flag to see metadata
    + \ No newline at end of file diff --git a/reference/configurations/index.html b/reference/configurations/index.html index 8a537ddda..77e78e191 100644 --- a/reference/configurations/index.html +++ b/reference/configurations/index.html @@ -7,13 +7,13 @@ - +

    Configurations

    Shield can be configured with config.yaml file. An example of such is:

    version: 1

    # logging configuration
    log:
    # debug, info, warning, error, fatal - default 'info'
    level: debug

    app:
    port: 8000
    identity_proxy_header: X-Shield-Email
    # full path prefixed with scheme where resources config yaml files are kept
    # e.g.:
    # local storage file "file:///tmp/resources_config"
    # GCS Bucket "gs://shield/resources_config"
    resources_config_path: file:///tmp/resources_config\
    # secret required to access resources config
    # e.g.:
    # system environment variable "env://TEST_RULESET_SECRET"
    # local file "file:///opt/auth.json"
    # secret string "val://user:password"
    # optional
    resources_config_path_secret: env://TEST_RESOURCE_CONFIG_SECRET

    db:
    driver: postgres
    url: postgres://shield:@localhost:5432/shield?sslmode=disable
    max_query_timeout: 500ms

    spicedb:
    host: spicedb.localhost
    pre_shared_key: randomkey
    port: 50051

    # proxy configuration
    proxy:
    services:
    - name: test
    host: 0.0.0.0
    # port where the proxy will be listening on for requests
    port: 5556
    # full path prefixed with scheme where ruleset yaml files are kept
    # e.g.:
    # local storage file "file:///tmp/rules"
    # GCS Bucket "gs://shield/rules"
    ruleset: file:///tmp/rules
    # secret required to access ruleset
    # e.g.:
    # system environment variable "env://TEST_RULESET_SECRET"
    # local file "file:///opt/auth.json"
    # secret string "val://user:password"
    # optional
    ruleset_secret: env://TEST_RULESET_SECRET
    - + \ No newline at end of file diff --git a/support/index.html b/support/index.html index 7ca2a34a7..985d98a70 100644 --- a/support/index.html +++ b/support/index.html @@ -7,13 +7,13 @@ - +
    - + \ No newline at end of file diff --git a/tour/add-to-group/index.html b/tour/add-to-group/index.html index 0d313b5f6..7f53e94fe 100644 --- a/tour/add-to-group/index.html +++ b/tour/add-to-group/index.html @@ -7,13 +7,13 @@ - +

    Adding to a group

    In this part we'll learn to add members and managers to a group. For this, we'll be using relations API. Also, we have added two new users to shield john.doe@gotocompany.com and doe.john@gotocompany.com.

    Add a Member to a Group

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/relations'
    --header 'Content-Type: application/json'
    --data-raw '{
    "objectId": "86e2f95d-92c7-4c59-8fed-b7686cccbf4f",
    "objectNamespace": "group",
    "subject": "user:doe.john@gotocompany.com",
    "roleName": "member"
    }'
    {
    "relation": {
    "id": "7cd5d527-6304-4dc7-9e35-4b1a7d3988a0",
    "objectId": "86e2f95d-92c7-4c59-8fed-b7686cccbf4f",
    "objectNamespace": "group",
    "subject": "user:448d52d4-48cb-495e-8ec5-8afc55c624ca",
    "roleName": "group:member",
    "createdAt": null,
    "updatedAt": null
    }
    }

    Add a Manager to a Group

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/relations'
    --header 'Content-Type: application/json'
    --data-raw '{
    "objectId": "86e2f95d-92c7-4c59-8fed-b7686cccbf4f",
    "objectNamespace": "group",
    "subject": "user:doe.john@gotocompany.com",
    "roleName": "manager"
    }'
    200
    {
    "relation": {
    "id": "d8c5d2ca-73db-4185-bed8-c802c212a287",
    "objectId": "86e2f95d-92c7-4c59-8fed-b7686cccbf4f",
    "objectNamespace": "group",
    "subject": "user:448d52d4-48cb-495e-8ec5-8afc55c624ca",
    "roleName": "group:manager",
    "createdAt": null,
    "updatedAt": null
    }
    }
    - + \ No newline at end of file diff --git a/tour/check-permissions/index.html b/tour/check-permissions/index.html index 77bf1f886..2e6ce8067 100644 --- a/tour/check-permissions/index.html +++ b/tour/check-permissions/index.html @@ -7,14 +7,14 @@ - +

    Checking permissions in SpiceDB

    In this part of the tour, we'll learn how can we use Shield's permission checking system. Through this we are going to verify all the relations we have created till now.

    We can either use the check API or zed tool. In this tour we will be using the zed tool.

    1 Check the owner of the organization

    zed permission check organization:4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 owner user:2fd7f306-61db-4198-9623-6f5f1809df11
    true

    2 Check the organization of the project

    shield % zed permission check project:1b89026b-6713-4327-9d7e-ed03345da288 organization organization:4eb3c3b4-962b-4b45-b55b-4c07d3810ca8
    true

    3 Check the organization of the group

    zed permission check group:86e2f95d-92c7-4c59-8fed-b7686cccbf4f organization organization:4eb3c3b4-962b-4b45-b55b-4c07d3810ca8
    true

    4 Check the owner group of the resource

    zed permission check entropy/firehose:28105b9a-1717-47cf-a5d9-49249b6638df owner group:86e2f95d-92c7-4c59-8fed-b7686cccbf4f
    false

    Note, this returns a false, even though we created a relation, where this group was an owner of this resource. Let's revisit the authz schema for entropy/firehose where we have

    definition entropy/firehose {
    ...
    relation owner: user | group#membership
    ...
    }

    We gave the owner right not to the group, but the entities holding membership permisssion in the group schema, namely member + manager which are of type user.

    definition group {
    ...
    relation member: user
    relation manager: user
    permission membership = member + manager
    ...
    }

    So, all the members of the group have the permission on this resource, which we have validated below.

    zed permission check entropy/firehose:28105b9a-1717-47cf-a5d9-49249b6638df owner user:598688c6-8c6d-487f-b324-ef3f4af120bb
    true
    - + \ No newline at end of file diff --git a/tour/creating-group/index.html b/tour/creating-group/index.html index c25ee8642..cb482a6ab 100644 --- a/tour/creating-group/index.html +++ b/tour/creating-group/index.html @@ -7,13 +7,13 @@ - +

    Creating a group in organization

    In this, we will be using the organization id of the organization we created. Groups in shield belong to one organization.

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/groups'
    --header 'Content-Type: application/json'
    --data-raw '{
    "name": "Data Streaming",
    "slug": "data-streaming",
    "metadata": {
    "description": "group for users in data streaming domain"
    },
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8"
    }'
    200
    {
    "group": {
    "id": "86e2f95d-92c7-4c59-8fed-b7686cccbf4f",
    "name": "Data Streaming",
    "slug": "data-streaming",
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "metadata": {
    "description": "group for users in data streaming domain"
    },
    "createdAt": "2022-12-07T17:03:59.456847Z",
    "updatedAt": "2022-12-07T17:03:59.456847Z"
    }
    }

    Relations Table

    It got an entry for the role group:organization for the organization 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8.

                      id                  | subject_namespace_id |              subject_id              | object_namespace_id |              object_id               |        role_id         |          created_at           |          updated_at           | deleted_at 
    --------------------------------------+----------------------+--------------------------------------+---------------------+--------------------------------------+------------------------+-------------------------------+-------------------------------+------------
    460c44a6-f074-4abe-8f8e-949e7a3f5ec2 | user | 2fd7f306-61db-4198-9623-6f5f1809df11 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | organization:owner | 2022-12-07 14:10:42.881572+00 | 2022-12-07 14:10:42.881572+00 |
    10797ec9-6744-4064-8408-c0919e71fbca | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | project | 1b89026b-6713-4327-9d7e-ed03345da288 | project:organization | 2022-12-07 14:31:46.517828+00 | 2022-12-07 14:31:46.517828+00 |
    29b82d6e-b6fd-4009-9727-1e619c802e23 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | group | 86e2f95d-92c7-4c59-8fed-b7686cccbf4f | group:organization | 2022-12-07 17:03:59.537254+00 | 2022-12-07 17:03:59.537254+00 |
    (3 rows)
    - + \ No newline at end of file diff --git a/tour/creating-organization/index.html b/tour/creating-organization/index.html index b86d2b5ba..8f721ed43 100644 --- a/tour/creating-organization/index.html +++ b/tour/creating-organization/index.html @@ -7,13 +7,13 @@ - +

    Creating an organization

    Before creating a new organization, let's create an organization admin user.

    User creation in Shield

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/users'
    --header 'Content-Type: application/json'
    --header 'X-Shield-Email: admin@gotocompany.com'
    --data-raw '{
    "name": "Shield Org Admin",
    "email": "admin@gotocompany.com",
    "metadata": {
    "role": "organization admin"
    }
    }'

    Note that this will return an error response

    500
    {
    "code": 13,
    "message": "internal server error",
    "details": []
    }

    This is because metadata key role is not defined in metadata_keys table. So, let's first create it.

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/metadatakey'
    --header 'Content-Type: application/json'
    --data-raw '{
    "key": "role",
    "description": "role of user in organization"
    }'
    200
    {
    "metadatakey": {
    "key": "role",
    "description": "role of user in organization"
    }
    }

    Now, we can retry the above user creation request and it should be successful.

    200
    {
    "user": {
    "id": "2fd7f306-61db-4198-9623-6f5f1809df11",
    "name": "Shield Org Admin",
    "slug": "",
    "email": "admin@gotocompany.com",
    "metadata": {
    "role": "organization admin"
    },
    "createdAt": "2022-12-07T13:35:19.005545Z",
    "updatedAt": "2022-12-07T13:35:19.005545Z"
    }
    }

    From now onwards, we can use the above user to perform all the admin operations. Let's begin with organization creation.

    Organization creation in Shield

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/organizations'
    --header 'Content-Type: application/json'
    --header 'X-Shield-Email: admin@gotocompany.com'
    --data-raw '{
    "name": "gotocompany",
    "slug": "gotocompany",
    "metadata": {
    "description": "Goto company"
    }
    }'
    200
    {
    "organization": {
    "id": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8",
    "name": "gotocompany",
    "slug": "gotocompany",
    "metadata": {
    "description": "Goto company"
    },
    "createdAt": "2022-12-07T14:10:42.755848Z",
    "updatedAt": "2022-12-07T14:10:42.755848Z"
    }
    }

    Now, let's have a look at relations table where an organization:owner relationship is created.

                      id                  | subject_namespace_id |              subject_id              | object_namespace_id |              object_id               |      role_id       |          created_at           |          updated_at           | deleted_at 
    --------------------------------------+----------------------+--------------------------------------+---------------------+--------------------------------------+--------------------+-------------------------------+-------------------------------+------------
    460c44a6-f074-4abe-8f8e-949e7a3f5ec2 | user | 2fd7f306-61db-4198-9623-6f5f1809df11 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | organization:owner | 2022-12-07 14:10:42.881572+00 | 2022-12-07 14:10:42.881572+00 |
    (1 row)
    - + \ No newline at end of file diff --git a/tour/creating-project/index.html b/tour/creating-project/index.html index 5d1703df8..63d106250 100644 --- a/tour/creating-project/index.html +++ b/tour/creating-project/index.html @@ -7,13 +7,13 @@ - +

    Creating a project in organization

    In this, we will be using the organization id of the organization we just created. Projects in shield belong to one organization.

    curl --location --request POST 'http://localhost:8000/admin/v1beta1/projects'
    --header 'Content-Type: application/json'
    --data-raw '{
    "name": "Project Alpha",
    "slug": "project-alpha",
    "metadata": {
    "description": "Project Alpha"
    },
    "orgId": "4eb3c3b4-962b-4b45-b55b-4c07d3810ca8"
    }'
    200
    {
    "project": {
    "id": "1b89026b-6713-4327-9d7e-ed03345da288",
    "name": "Project Alpha",
    "slug": "project-alpha",
    "orgId": "",
    "metadata": {
    "description": "Project Alpha"
    },
    "createdAt": "2022-12-07T14:31:46.436081Z",
    "updatedAt": "2022-12-07T14:31:46.436081Z"
    }
    }

    Relations Table

    It got an entry for the role project:organization for the organization 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8.

                      id                  | subject_namespace_id |              subject_id              | object_namespace_id |              object_id               |        role_id         |          created_at           |          updated_at           | deleted_at 
    --------------------------------------+----------------------+--------------------------------------+---------------------+--------------------------------------+------------------------+-------------------------------+-------------------------------+------------
    460c44a6-f074-4abe-8f8e-949e7a3f5ec2 | user | 2fd7f306-61db-4198-9623-6f5f1809df11 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | organization:owner | 2022-12-07 14:10:42.881572+00 | 2022-12-07 14:10:42.881572+00 |
    10797ec9-6744-4064-8408-c0919e71fbca | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | project | 1b89026b-6713-4327-9d7e-ed03345da288 | project:organization | 2022-12-07 14:31:46.517828+00 | 2022-12-07 14:31:46.517828+00 |
    (2 rows)
    - + \ No newline at end of file diff --git a/tour/intro/index.html b/tour/intro/index.html index fd50f9635..547df6b58 100644 --- a/tour/intro/index.html +++ b/tour/intro/index.html @@ -7,13 +7,13 @@ - +

    Introduction

    Welcome to this tour of Shield. In this tour, we will take you through setting up the Shield's server and configuring it to a backend service demonstrating Shield as a proxy.

    We are going to cover this tour in the following steps, and recommend you to do the same.

    • Server Setup and configuring a backend service
    • Registering an organization in Shield
    • Registering a project under that organization
    • Registering a group under this organization
    • Adding users to the group
    • Checking permissions using Zed tool
    • Making a call to the backend service via Shield(proxy)
    - + \ No newline at end of file diff --git a/tour/setup-server/index.html b/tour/setup-server/index.html index 67f73a8dd..02321f29a 100644 --- a/tour/setup-server/index.html +++ b/tour/setup-server/index.html @@ -7,13 +7,13 @@ - +

    Setup Server

    Shield binary contains both the CLI client and the server itself. Each has it's own configuration in order to run. Server configuration contains information such as database credentials, log severity, etc. while CLI client configuration only has configuration about which server to connect.

    Server

    Pre-Requisites

    Dependencies:

    You need to prepare and run above dependencies first before running Shield. Shield also has a docker-compose.yaml file in its repo that has all required dependencies. If you are interested to use it, you just need to git clone the repo and run docker-compose up in the root project.

    Initialization

    This steps assumes all dependencies already up and running. Create a server config config.yaml file (shield server init) in the root folder of shield project or use --config flag to customize to a certain config file location or you can also use environment variables to provide the server config.

    Setup a database in postgres and provide the details in the DB field as given in the example below. For the purpose of this tutorial, we'll assume that the username is shield, password is 12345, database name is shield, host and port are localhost and 5432. Also, setup a SpiceDB database on localhost port 50051 and pre_shared_key value shield.

    version: 1
    proxy:
    services:
    - port: 5556
    host: 0.0.0.0
    name: base
    ruleset: file:///path/to/shield/rules
    log:
    level: info
    format: json
    new_relic:
    app_name: ""
    license: ""
    enabled: false
    app:
    port: 8000
    host: 127.0.0.1
    identity_proxy_header: X-Shield-Email
    resources_config_path: file:///path/to/shield/resources_config
    db:
    driver: postgres
    url: postgres://shield:12345@localhost:5432/shield?sslmode=disable
    max_idle_conns: 10
    max_open_conns: 10
    conn_max_life_time: 10ms
    max_query_timeout: 100ms
    spicedb:
    host: localhost
    port: 50051
    pre_shared_key: shield

    You need to define the policies in a YAML file and pass it's directory path to resources_config_path. The rules for each path shall be defined in another YAML file and pass it's path to ruleset.

    Next, let's look at a example policy configuration for a backend entropy with firehose and dagger resource types. Also, we have defined roles for organizations and project to demonstrate shield's flexibility to define policy for different category of namespaces.

    entropy:
    type: resource_group
    resource_types:
    - name: firehose
    roles:
    - name: viewer
    principals:
    - shield/user
    - shield/group
    - name: sink_editor
    principals:
    - shield/user
    - shield/group
    permissions:
    - name: view
    roles:
    - owner
    - organization/owner
    - viewer
    - name: sink_edit
    roles:
    - owner
    - sink_editor
    - organization/sink_editor

    shield/organization:
    type: system
    roles:
    - name: sink_editor
    principals:
    - shield/user
    - shield/group
    - name: database_editor
    principals:
    - shield/group

    shield/project:
    type: system
    roles:
    - name: viewer
    principals:
    - shield/user
    - shield/group
    - name: owner
    principals:
    - shield/group

    Finally, we'll have a look at an example rule configuration.

    rules:
    - backends:
    - name: entropy
    target: "http://entropy.io"
    prefix: "/api"
    frontends:
    - name: list_firehoses
    path: "/api/firehoses"
    method: "GET"
    - name: list_firehoses
    path: "/api/firehoses/{firehose_id}"
    method: "GET"
    - name: create_firehose
    path: "/api/firehoses"
    method: "POST"
    hooks:
    - name: authz
    config:
    action: authz_action
    attributes:
    resource:
    key: firehose.name
    type: json_payload
    project:
    key: X-Shield-Project
    type: header
    source: request
    organization:
    key: X-Shield-Org
    type: header
    source: request
    resource_type:
    value: "firehose"
    type: constant
    group_attribute:
    key: X-Shield-Group
    type: header
    source: request
    relations:
    - role: owner
    subject_principal: shield/group
    subject_id_attribute: group_attribute
    - name: update_firehose_status
    path: "/firehoses/{resource}/{action}"
    method: "PUT"
    middlewares:
    - name: authz
    config:
    actions:
    - odin_firehose_update
    - odin_firehose_all_actions
    attributes:
    resource_type:
    value: "firehose"
    type: constant
    project:
    key: X-Shield-Project
    type: header
    source: request
    - name: update_firehose
    path: "/api/firehoses/{resource}"
    method: "PUT"
    middlewares:
    - name: authz
    config:
    actions:
    - odin_firehose_update
    - odin_firehose_all_actions
    attributes:
    resource_type:
    value: "firehose"
    type: constant
    project:
    key: X-Shield-Project
    type: header
    source: request
    - name: firehose_history
    path: "/api/history/firehose/{firehose_name}"
    method: "GET"
    - name: dagger_history
    path: "/api/history/dagger/{dagger_name}"
    method: "GET"
    - name: update_firehose_alerts
    path: "/api/alerts/firehose/{resource}"
    method: "PUT"
    middlewares:
    - name: authz
    config:
    actions:
    - odin_firehose_update
    - odin_firehose_all_actions
    attributes:
    project:
    key: X-Shield-Project
    type: header
    source: request
    resource_type:
    value: "firehose"
    type: constant

    Migrating the server

    Database migration is required during the first server initialization. In addition, re-running the migration command might be needed in a new release to apply the new schema changes (if any). It's safer to always re-run the migration script before deploying/starting a new release.

    To initialize the database schema, Run Migrations with the following command:

    $ shield server migrate

    Using --config flag

    $ shield server migrate --config=<path-to-file>

    If migration command throws the following error, you need to create the databases first.

    pq: database "shield" does not exist
    pq: database "spicedb" does not exist

    Let's verify the migration by looking at the tables created in both the databases.

    We will use SQL Shell (psql) to connect to each instance.

    Shield connection config

    SpiceDB connection config

    Let's display all the tables in both the postgres databases

    $ \dt

    Shield tables

    SpiceDB tables

    Starting the server

    Now, it's time to start the server, but before that, let's open a browser tab and open localhost:8080 to have a look at the permission schema on SpiceDB.

    SpiceDB permission schema before

    To run the Shield server use command:

    $ shield server start
    $ shield server start --config=<path-to-file>

    You will see the similar logs as following, based on your configs

    Server start cmd output

    You can ping the server to verify

    curl --location --request GET 'http://localhost:8000/admin/ping'
    pong

    Let's verify in the browser, if the SpiceDB permission schema is updated

    SpiceDB permission schema after

    - + \ No newline at end of file diff --git a/tour/shield-as-proxy/index.html b/tour/shield-as-proxy/index.html index 5cd14697b..33aae1ed6 100644 --- a/tour/shield-as-proxy/index.html +++ b/tour/shield-as-proxy/index.html @@ -7,7 +7,7 @@ - + @@ -15,7 +15,7 @@

    Shield as a proxy

    Untill now, we were using Shield's admin APIs. Those were responsible for managing Shield's entities. Next, we are use Shield as a proxy.

    We had attached the backend service entropy to Shield earlier, and now we are going to create a firehose resource in it. Before, going ahead have a look at the configuration file below. Detailed explaining on this configuration file would be in resources/concepts.

    rules:
    - backends:
    - name: entropy
    target: "http://entropy.io"
    prefix: "/api"
    frontends:
    - name: list_firehoses
    path: "/api/firehoses"
    method: "GET"
    - name: list_firehoses
    path: "/api/firehoses/{firehose_id}"
    method: "GET"
    - name: create_firehose
    path: "/api/firehoses"
    method: "POST"
    hooks:
    - name: authz
    config:
    action: authz_action
    attributes:
    resource:
    key: firehose.name
    type: json_payload
    project:
    key: X-Shield-Project
    type: header
    source: request
    organization:
    key: X-Shield-Org
    type: header
    source: request
    resource_type:
    value: "firehose"
    type: constant
    group_attribute:
    key: X-Shield-Group
    type: header
    source: request
    relations:
    - role: owner
    subject_principal: group
    subject_id_attribute: group_attribute

    Let's make the following request.

    curl --location --request POST 'http://localhost:5556/api/firehoses'
    --header 'Content-Type: application/json'
    --header 'X-Shield-Email: admin@gotocompany.com'
    --header 'X-Shield-Org: 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8'
    --header 'X-Shield-Project: 1b89026b-6713-4327-9d7e-ed03345da288'
    --header 'X-Shield-Group: 86e2f95d-92c7-4c59-8fed-b7686cccbf4f'
    --data-raw '{
    "created_by": "Shield Org Admin",
    "configuration": {
    "SOURCE_KAFKA_CONSUMER_CONFIG_AUTO_COMMIT_ENABLE": false,
    "SOURCE_KAFKA_CONSUMER_CONFIG_FETCH_MIN_BYTES": "1",
    "SOURCE_KAFKA_CONSUMER_CONFIG_MANUAL_COMMIT_MIN_INTERVAL_MS": "-1",
    "SOURCE_KAFKA_CONSUMER_CONFIG_AUTO_OFFSET_RESET": "latest",
    "SINK_TYPE": "log",
    "FILTER_ENGINE": "no_op",
    "RETRY_MAX_ATTEMPTS": "2147483647",
    "LOG_LEVEL": "INFO",
    "INPUT_SCHEMA_PROTO_CLASS": "xxxxx",
    "SOURCE_KAFKA_TOPIC": "delete-me-abcdef",
    "SCHEMA_REGISTRY_STENCIL_URLS": "xxxxx",
    "SOURCE_KAFKA_CONSUMER_CONFIG_MAX_POLL_RECORDS": "1000"
    },
    "replicas": 2,
    "title": "test-firehose-creation-xxxxx",
    "group_id": "5ea18244-8e7a-xxxx-xxxx-ddf4b3fe3698",
    "team": "data_engineering",
    "cluster": "g-xxxxx",
    "stream_name": "g-xxxxx",
    "description": "Creating this firehose for testing purpose.",
    "projectID": "g-xxxxx",
    "orgID": "26ab9a89-de8d-xxxx-xxxx-5ba3f84be7b2",
    "entity": "xxxxx"
    }'

    Now this request will produce a series of events.

    • It will hit Shield(proxy) at /api/firehoses path, since there are no middleware the request shall be forwarded to the backend. We expect that a resource will be created in entropy and we'll get a response.
    • Now, hooks will be engaged. We only have a single authz hook, which creates a resource inside Shield. It will use resource name, org, project and type from either of request, response or as a constant, to create a resource.
    • By deafult, no relation is created for this resource, but we can confire this. Here, we have configured to add the group with owner role.

    We'll get a firehose object sent by entropy as a response, though we don't have interest in that.

    201
    {
    "firehose": {
    "replicas": 2,
    "created_by": "Shield Org Admin",
    "title": "test-firehose-creation-xxxxx",
    "group_id": "5ea18244-8e7a-xxxx-xxxx-ddf4b3fe3698",
    "team": "data_engineering",
    "stream_name": "g-xxxxx",
    "description": "Creating this firehose for testing purpose.",
    "projectID": "g-xxxxx",
    "entity": "xxxxx",
    "environment": "integration",
    "name": "g-xxxxx-firehose-creation-xxxxx-firehose",
    "configuration": {
    "xxxxx": "xxxxx"
    },
    "state": "running",
    "stop_date": null,
    "status": {
    "xxxxx": "xxxxx"
    },
    "pods": ["xxxxx"]
    }
    }

    What we have interest in is going to the resource and relations tables and checking for the entries.

    Resource Table

    It got an entry for the resource we just created.

                                           urn                                       |                             name                             |              project_id              |                org_id                |   namespace_id   |          created_at           |          updated_at           | deleted_at |               user_id                |                  id                  
    ---------------------------------------------------------------------------------+--------------------------------------------------------------+--------------------------------------+--------------------------------------+------------------+-------------------------------+-------------------------------+------------+--------------------------------------+--------------------------------------
    r/entropy/firehose/g-xxxxx-firehose-creation-xxxxx-firehose | g-xxxxx-firehose-creation-xxxxx-firehose | 1b89026b-6713-4327-9d7e-ed03345da288 | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | entropy/firehose | 2022-12-08 13:25:37.335962+00 | 2022-12-08 13:25:37.335962+00 | | 2fd7f306-61db-4198-9623-6f5f1809df11 | 28105b9a-1717-47cf-a5d9-49249b6638df
    (1 row)

    Relations Table

    It got an entry for the role entropy/firehose:owner for the group 86e2f95d-92c7-4c59-8fed-b7686cccbf4f.

                      id                  | subject_namespace_id |              subject_id              | object_namespace_id |              object_id               |        role_id         |          created_at           |          updated_at           | deleted_at 
    --------------------------------------+----------------------+--------------------------------------+---------------------+--------------------------------------+------------------------+-------------------------------+-------------------------------+------------
    460c44a6-f074-4abe-8f8e-949e7a3f5ec2 | user | 2fd7f306-61db-4198-9623-6f5f1809df11 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | organization:owner | 2022-12-07 14:10:42.881572+00 | 2022-12-07 14:10:42.881572+00 |
    10797ec9-6744-4064-8408-c0919e71fbca | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | project | 1b89026b-6713-4327-9d7e-ed03345da288 | project:organization | 2022-12-07 14:31:46.517828+00 | 2022-12-07 14:31:46.517828+00 |
    29b82d6e-b6fd-4009-9727-1e619c802e23 | organization | 4eb3c3b4-962b-4b45-b55b-4c07d3810ca8 | group | 86e2f95d-92c7-4c59-8fed-b7686cccbf4f | group:organization | 2022-12-07 17:03:59.537254+00 | 2022-12-07 17:03:59.537254+00 |
    0cec1f0a-68ef-4a70-aabd-f3dd1e0eacac | group | 86e2f95d-92c7-4c59-8fed-b7686cccbf4f | entropy/firehose | 28105b9a-1717-47cf-a5d9-49249b6638df | entropy/firehose:owner | 2022-12-08 13:25:37.550927+00 | 2022-12-08 13:25:37.550927+00 |
    (4 rows)
    - + \ No newline at end of file diff --git a/tour/what-is-in-shield/index.html b/tour/what-is-in-shield/index.html index 2503a6eef..dab70a735 100644 --- a/tour/what-is-in-shield/index.html +++ b/tour/what-is-in-shield/index.html @@ -7,13 +7,13 @@ - +

    What is in Shield?

    Now, with the initial setup done, let's go throuh the pre-polulated data in Shield's databases.

    Namespace Table

    SELECT * FROM namespaces;
            id        |       name       |          created_at           |          updated_at           | deleted_at | backend | resource_type 
    ------------------+------------------+-------------------------------+-------------------------------+------------+---------+---------------
    organization | organization | 2022-12-06 15:47:57.898578+00 | 2022-12-06 16:00:11.687748+00 | | |
    entropy/firehose | entropy/firehose | 2022-12-06 15:47:58.93294+00 | 2022-12-06 16:00:11.898179+00 | | entropy | firehose
    project | project | 2022-12-06 15:47:58.25897+00 | 2022-12-06 16:00:12.218625+00 | | |
    group | group | 2022-12-06 15:47:58.603929+00 | 2022-12-06 16:00:12.42399+00 | | |
    user | user | 2022-12-06 15:47:57.853201+00 | 2022-12-06 16:00:12.618185+00 | | |
    (5 rows)

    Roles Table

    SELECT * FROM roles;
                  id               |     name     |        types         | metadata |          created_at           |          updated_at           | deleted_at |   namespace_id   
    -------------------------------+--------------+----------------------+----------+-------------------------------+-------------------------------+------------+------------------
    organization:sink_editor | sink_editor | {user,group} | null | 2022-12-06 15:47:58.125789+00 | 2022-12-06 15:47:58.125789+00 | | organization
    organization:owner | owner | {user,group} | null | 2022-12-06 15:47:57.932181+00 | 2022-12-06 15:47:57.932181+00 | | organization
    organization:editor | editor | {user,group} | null | 2022-12-06 15:47:58.015648+00 | 2022-12-06 15:47:58.015648+00 | | organization
    organization:viewer | viewer | {user,group} | null | 2022-12-06 15:47:58.082954+00 | 2022-12-06 15:47:58.082954+00 | | organization
    entropy/firehose:viewer | viewer | {user,group} | null | 2022-12-06 15:47:58.960705+00 | 2022-12-06 15:47:58.960705+00 | | entropy/firehose
    entropy/firehose:sink_editor | sink_editor | {user,group} | null | 2022-12-06 15:47:59.027849+00 | 2022-12-06 15:47:59.027849+00 | | entropy/firehose
    entropy/firehose:owner | owner | {user,group} | null | 2022-12-06 15:47:59.091254+00 | 2022-12-06 15:47:59.091254+00 | | entropy/firehose
    entropy/firehose:editor | editor | {user,group} | null | 2022-12-06 15:47:59.150816+00 | 2022-12-06 15:47:59.150816+00 | | entropy/firehose
    entropy/firehose:organization | organization | {InheritedNamespace} | null | 2022-12-06 15:47:59.18893+00 | 2022-12-06 15:47:59.18893+00 | | entropy/firehose
    entropy/firehose:project | project | {InheritedNamespace} | null | 2022-12-06 15:47:59.250437+00 | 2022-12-06 15:47:59.250437+00 | | entropy/firehose
    project:owner | owner | {group,user} | null | 2022-12-06 15:47:58.267137+00 | 2022-12-06 15:47:58.267137+00 | | project
    project:editor | editor | {user,group} | null | 2022-12-06 15:47:58.324931+00 | 2022-12-06 15:47:58.324931+00 | | project
    project:viewer | viewer | {user,group} | null | 2022-12-06 15:47:58.387529+00 | 2022-12-06 15:47:58.387529+00 | | project
    project:organization | organization | {InheritedNamespace} | null | 2022-12-06 15:47:58.447548+00 | 2022-12-06 15:47:58.447548+00 | | project
    group:member | member | {user} | null | 2022-12-06 15:47:58.612887+00 | 2022-12-06 15:47:58.612887+00 | | group
    group:manager | manager | {user} | null | 2022-12-06 15:47:58.654405+00 | 2022-12-06 15:47:58.654405+00 | | group
    group:organization | organization | {InheritedNamespace} | null | 2022-12-06 15:47:58.711528+00 | 2022-12-06 15:47:58.711528+00 | | group
    (17 rows)

    Actions Table

    SELECT * FROM actions;
                 id             |    name    |          created_at           |          updated_at           | deleted_at |   namespace_id   
    ----------------------------+------------+-------------------------------+-------------------------------+------------+------------------
    edit.organization | edit | 2022-12-06 15:47:58.182569+00 | 2022-12-06 15:47:58.182569+00 | | organization
    view.organization | view | 2022-12-06 15:47:58.225102+00 | 2022-12-06 15:47:58.225102+00 | | organization
    view.entropy/firehose | view | 2022-12-06 15:47:59.316085+00 | 2022-12-06 15:47:59.316085+00 | | entropy/firehose
    sink_edit.entropy/firehose | sink_edit | 2022-12-06 15:47:59.347891+00 | 2022-12-06 15:47:59.347891+00 | | entropy/firehose
    edit.entropy/firehose | edit | 2022-12-06 15:47:59.377112+00 | 2022-12-06 15:47:59.377112+00 | | entropy/firehose
    delete.entropy/firehose | delete | 2022-12-06 15:47:59.407132+00 | 2022-12-06 15:47:59.407132+00 | | entropy/firehose
    delete.project | delete | 2022-12-06 15:47:58.571933+00 | 2022-12-06 15:47:58.571933+00 | | project
    edit.project | edit | 2022-12-06 15:47:58.507712+00 | 2022-12-06 15:47:58.507712+00 | | project
    view.project | view | 2022-12-06 15:47:58.539204+00 | 2022-12-06 15:47:58.539204+00 | | project
    edit.group | edit | 2022-12-06 15:47:58.758155+00 | 2022-12-06 15:47:58.758155+00 | | group
    view.group | view | 2022-12-06 15:47:58.788941+00 | 2022-12-06 15:47:58.788941+00 | | group
    delete.group | delete | 2022-12-06 15:47:58.850114+00 | 2022-12-06 15:47:58.850114+00 | | group
    membership.group | membership | 2022-12-06 15:47:58.90078+00 | 2022-12-06 15:47:58.90078+00 | | group
    (13 rows)

    Policies Table

    SELECT * FROM policies;
                      id                  |           role_id            |   namespace_id   |         action_id          |          created_at           |          updated_at           | deleted_at 
    --------------------------------------+------------------------------+------------------+----------------------------+-------------------------------+-------------------------------+------------
    b7612685-6aca-4f9a-bd95-db23b1711e65 | organization:owner | organization | view.organization | 2022-12-06 15:48:03.095428+00 | 2022-12-06 15:48:03.095428+00 |
    76823b4c-ad47-45dc-b36e-08c89c945151 | organization:editor | organization | view.organization | 2022-12-06 15:48:03.170675+00 | 2022-12-06 15:48:03.170675+00 |
    9464634e-84c7-4e53-81f1-6bec929fb0ee | organization:viewer | organization | view.organization | 2022-12-06 15:48:03.244282+00 | 2022-12-06 15:48:03.244282+00 |
    4d652f7e-5a18-4c5c-91b7-fb715679f0c8 | organization:owner | organization | edit.organization | 2022-12-06 15:48:02.938871+00 | 2022-12-06 15:48:02.938871+00 |
    13de9e96-1131-4bf1-b208-bd2c3b7fbc3e | organization:editor | organization | edit.organization | 2022-12-06 15:48:03.019583+00 | 2022-12-06 15:48:03.019583+00 |
    f4d3ee6d-7430-4db2-8020-84718d974b5a | entropy/firehose:owner | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.349746+00 | 2022-12-06 15:48:01.349746+00 |
    18d62e6c-9b08-4c09-afe2-3b33221f4bb7 | entropy/firehose:editor | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.426043+00 | 2022-12-06 15:48:01.426043+00 |
    32f70f7c-0d42-45a8-b89d-397dc5c6f071 | entropy/firehose:viewer | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.503689+00 | 2022-12-06 15:48:01.503689+00 |
    4886ee85-2139-45db-a65f-f0479ef410af | organization:owner | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.57801+00 | 2022-12-06 15:48:01.57801+00 |
    fb4ad469-d4fe-4a7b-9ccb-c2ff210b94ff | organization:editor | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.653929+00 | 2022-12-06 15:48:01.653929+00 |
    f8213e9c-38a5-4b0b-81ed-262d9eafaeec | organization:viewer | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.731061+00 | 2022-12-06 15:48:01.731061+00 |
    0c0f432b-7bfb-4ff6-a123-19894b69d1ce | project:owner | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.803733+00 | 2022-12-06 15:48:01.803733+00 |
    1e33316e-fef1-4b67-9fe4-9ae827778e42 | project:editor | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.881091+00 | 2022-12-06 15:48:01.881091+00 |
    1f5bcce5-ac2f-49dc-8e6e-58a01756ab51 | project:viewer | entropy/firehose | view.entropy/firehose | 2022-12-06 15:48:01.956207+00 | 2022-12-06 15:48:01.956207+00 |
    6bcbef6c-395b-4075-8c1a-59c745e09f3a | entropy/firehose:owner | entropy/firehose | sink_edit.entropy/firehose | 2022-12-06 15:48:02.032317+00 | 2022-12-06 15:48:02.032317+00 |
    904f4d75-8ba4-41c4-be6f-e462151ad1dd | entropy/firehose:sink_editor | entropy/firehose | sink_edit.entropy/firehose | 2022-12-06 15:48:02.109671+00 | 2022-12-06 15:48:02.109671+00 |
    4bc60718-1f9e-4592-a962-4d316f54f840 | organization:sink_editor | entropy/firehose | sink_edit.entropy/firehose | 2022-12-06 15:48:02.179724+00 | 2022-12-06 15:48:02.179724+00 |
    e50cde2a-5e09-4a2e-857e-57dac3bf2a41 | entropy/firehose:owner | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.256486+00 | 2022-12-06 15:48:02.256486+00 |
    28aa10f8-359a-4474-a481-b6955ef6402e | entropy/firehose:editor | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.330007+00 | 2022-12-06 15:48:02.330007+00 |
    be59cd7e-c6ef-4594-9e62-e14bf8bb3b3e | organization:owner | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.404029+00 | 2022-12-06 15:48:02.404029+00 |
    edbeea61-8cf5-4f67-bcaf-847ba30cfd8c | organization:editor | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.483747+00 | 2022-12-06 15:48:02.483747+00 |
    29f6f1c1-e45c-4eb3-8cc4-614b1faa4a62 | project:owner | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.554789+00 | 2022-12-06 15:48:02.554789+00 |
    d6252544-0a4d-4c52-a6c0-dfd2276842d8 | project:editor | entropy/firehose | edit.entropy/firehose | 2022-12-06 15:48:02.627653+00 | 2022-12-06 15:48:02.627653+00 |
    a83c7eae-67da-4938-87c0-371f6734ec8d | entropy/firehose:owner | entropy/firehose | delete.entropy/firehose | 2022-12-06 15:48:02.704619+00 | 2022-12-06 15:48:02.704619+00 |
    fc06cbc5-2eee-4475-9a9e-f213e2a32eb3 | organization:owner | entropy/firehose | delete.entropy/firehose | 2022-12-06 15:48:02.780577+00 | 2022-12-06 15:48:02.780577+00 |
    54480a13-7855-4931-9114-ab122ffe6e87 | project:owner | entropy/firehose | delete.entropy/firehose | 2022-12-06 15:48:02.852104+00 | 2022-12-06 15:48:02.852104+00 |
    eeff8fa6-ce5f-4381-bbd1-551bdf2b2250 | project:owner | project | edit.project | 2022-12-06 15:48:00.076655+00 | 2022-12-06 15:48:00.076655+00 |
    a373d50e-6322-4e95-ac98-220ef8f2ffd5 | project:editor | project | edit.project | 2022-12-06 15:48:00.151133+00 | 2022-12-06 15:48:00.151133+00 |
    df6414f0-0eca-4ddf-bdba-56dc9413af27 | organization:owner | project | edit.project | 2022-12-06 15:48:00.225033+00 | 2022-12-06 15:48:00.225033+00 |
    9ab6f0f2-924e-4e14-9754-8bd7c362509e | organization:editor | project | edit.project | 2022-12-06 15:48:00.302639+00 | 2022-12-06 15:48:00.302639+00 |
    16aa9afa-dd29-453a-8b4c-f0dbe3b148bd | project:owner | project | view.project | 2022-12-06 15:47:59.443527+00 | 2022-12-06 15:47:59.443527+00 |
    2dd3f679-d326-4871-b9b6-4eacee560c96 | project:editor | project | view.project | 2022-12-06 15:47:59.534718+00 | 2022-12-06 15:47:59.534718+00 |
    f1ebf420-fb68-44a3-b7c0-04d5f6b6a4fa | project:viewer | project | view.project | 2022-12-06 15:47:59.620557+00 | 2022-12-06 15:47:59.620557+00 |
    012bbbd1-1a22-4200-8f90-8c388e06cddc | organization:owner | project | view.project | 2022-12-06 15:47:59.696618+00 | 2022-12-06 15:47:59.696618+00 |
    3105fbd3-284d-4fec-bb6e-12728e12bd25 | organization:editor | project | view.project | 2022-12-06 15:47:59.770896+00 | 2022-12-06 15:47:59.770896+00 |
    4a4a4a73-25a9-4a03-9afc-87aaf9bd33a1 | organization:viewer | project | view.project | 2022-12-06 15:47:59.846239+00 | 2022-12-06 15:47:59.846239+00 |
    d00de717-9fec-4798-b15e-123fbefc7510 | project:owner | project | delete.project | 2022-12-06 15:47:59.925547+00 | 2022-12-06 15:47:59.925547+00 |
    084c879f-ed1e-4536-8f33-9b1066ddabd9 | organization:owner | project | delete.project | 2022-12-06 15:47:59.996819+00 | 2022-12-06 15:47:59.996819+00 |
    05d76946-928e-47a4-9b75-6b0173b64a98 | group:manager | group | delete.group | 2022-12-06 15:48:01.048715+00 | 2022-12-06 15:48:01.048715+00 |
    2046b3db-5228-4e4b-9b90-114409418304 | organization:owner | group | delete.group | 2022-12-06 15:48:01.123014+00 | 2022-12-06 15:48:01.123014+00 |
    b0745565-d1d4-4de1-85c5-f00e9a92b47e | group:member | group | membership.group | 2022-12-06 15:48:01.196163+00 | 2022-12-06 15:48:01.196163+00 |
    bd37f1dc-6872-4538-a941-7432aef26ade | group:manager | group | membership.group | 2022-12-06 15:48:01.270635+00 | 2022-12-06 15:48:01.270635+00 |
    b1e4041e-5fdc-4d61-9eeb-a03491467a29 | group:manager | group | edit.group | 2022-12-06 15:48:00.385612+00 | 2022-12-06 15:48:00.385612+00 |
    31b889fb-802b-4e46-8d9a-8894906784a8 | organization:owner | group | edit.group | 2022-12-06 15:48:00.45974+00 | 2022-12-06 15:48:00.45974+00 |
    ceb8fd6a-199c-4442-aaf3-2be68a17bb57 | organization:editor | group | edit.group | 2022-12-06 15:48:00.533017+00 | 2022-12-06 15:48:00.533017+00 |
    322a85e1-09a1-451b-bf6e-66a575fdd94a | group:manager | group | view.group | 2022-12-06 15:48:00.625583+00 | 2022-12-06 15:48:00.625583+00 |
    0a039ee7-debe-4c08-9373-95724531b5fa | group:member | group | view.group | 2022-12-06 15:48:00.733941+00 | 2022-12-06 15:48:00.733941+00 |
    f11b898b-2ab5-44f4-8d4b-ef19722c35d3 | organization:owner | group | view.group | 2022-12-06 15:48:00.814642+00 | 2022-12-06 15:48:00.814642+00 |
    786dbe5f-7bc7-4e5b-b52a-a69780325b2f | organization:editor | group | view.group | 2022-12-06 15:48:00.893097+00 | 2022-12-06 15:48:00.893097+00 |
    33b7cae9-55f9-444f-b90d-539d7470fe00 | organization:viewer | group | view.group | 2022-12-06 15:48:00.971109+00 | 2022-12-06 15:48:00.971109+00 |
    (50 rows)
    - + \ No newline at end of file