-
Notifications
You must be signed in to change notification settings - Fork 1
/
actions.yaml
128 lines (122 loc) · 3.72 KB
/
actions.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Copyright 2024 Canonical Ltd.
# See LICENSE file for licensing details.
restart:
description: Restart the Temporal server.
create-authorization-model:
description: |
Creates the authorization model using the content of the
specified file and returns the authorization model ID.
params:
model:
type: string
description: |
The JSON string containing the authorization model.
required: [model]
add-auth-rule:
description: |
Adds an authorization rule to the OpenFGA store using
the specified authorization model. This can be triggered
using one of two parameter combinations:
- user, group: adds a user as a member of a group.
- group, namespace, role: assigns 'role' access to
all members of a group to a namespace.
params:
user:
type: string
description: |
The user's email.
group:
type: string
description: |
The group to add a user to, or assign access to a
namespace depending on the parameter combination.
namespace:
type: string
description: |
The Temporal namespace to assign access to.
role:
type: string
description: |
One of "reader", "writer" or "admin".
remove-auth-rule:
description: |
Removes an authorization rule from the OpenFGA store using
the specified authorization model. This can be triggered
using one of two parameter combinations:
- user, group: removes a user as a member from a group.
- group, namespace, role: revokes 'role' access to
all members of a group the to a namespace.
params:
user:
type: string
description: |
The user's email.
group:
type: string
description: |
The group to remove a user from, or remove access
to a namespace from depending on the parameter
combination.
namespace:
type: string
description: |
The Temporal namespace to remove access from.
role:
type: string
description: |
One of "reader", "writer" or "admin".
list-auth-rule:
description: |
Lists all authorization rules associated with a given
parameter. This can be triggered using one of three
parameter combinations:
- user: lists all groups a user is a member of
and all namespaces a user has access to as a result
of group memberships.
- group: lists all namespaces a given group has
access to.
- namespace: for a given namespace, lists all groups
that has access to it.
params:
user:
type: string
description: |
The user's email to list access for.
group:
type: string
description: |
The group to list access for.
namespace:
type: string
description: |
The Temporal namespace to list access for.
check-auth-rule:
description: |
Checks for an authorization rule. This can be triggered
using one of three parameter combinations:
- user, group: checks if a user is a member of a group.
- user, namespace, role: checks if a user has 'role' access
to a namespace.
- group, namespace, role: checks if a group has 'role' access
to a namespace.
params:
user:
type: string
description: |
The user's email to check access for.
group:
type: string
description: |
The group to check access for.
namespace:
type: string
description: |
The Temporal namespace to check access for.
role:
type: string
description: |
One of "reader", "writer" or "admin".
list-system-admins:
description: |
Lists all system admins who are members of any group listed in
the "auth-admin-groups" config parameters.