Sergey Vilgelm | 19e3bec | 2019-01-07 11:59:41 -0600

---
features:
  - |
    Supporting the role inference rules API gives Patrole the ability to test
    role chains, where one role implies a second, which can in turn imply a
    third:

        ``admin`` implies ``member`` implies ``reader``

    When testing against an ``admin`` role
    (``[patrole] rbac_test_roles`` = ``admin``), ``rbac_rule_validation.action``
    calls the ``rbac_utils.get_all_needed_roles`` function to extend the roles
    and validates a policy rule against the full list of possible roles:

        ["admin", "member", "reader"]

    Here are a few examples:

        ["admin"] >> ["admin", "member", "reader"]
        ["member"] >> ["member", "reader"]
        ["reader"] >> ["reader"]
        ["custom_role"] >> ["custom_role"]
        ["custom_role", "member"] >> ["custom_role", "member", "reader"]
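
The role expansion described in this note, as an added example that is not Patrole's own code: `expand_roles`, `role_satisfies`, and `SAMPLE_RULES` are hypothetical names, and the rules use a constructed, simplified mapping of prior role to directly implied roles rather than the identity service's response format. It reproduces the expansions listed above and also terminates on a cyclic rule set.

```python
from collections import deque

# Constructed sample rules (assumption): prior role -> roles it directly implies.
SAMPLE_RULES = {
    "admin": ["member"],
    "member": ["reader"],
}


def expand_roles(roles, rules):
    """Return the given roles plus every role they imply, transitively.

    Order is the input order followed by implied roles in discovery order.
    """
    expanded = []
    seen = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue  # already expanded; this also stops cyclic rules
        seen.add(role)
        expanded.append(role)
        queue.extend(rules.get(role, []))
    return expanded


def role_satisfies(test_roles, required_role, rules):
    """Simplified stand-in for policy evaluation: is a rule that requires
    `required_role` expected to pass for a token holding `test_roles`?"""
    return required_role in expand_roles(test_roles, rules)


if __name__ == "__main__":
    for case in (["admin"], ["member"], ["reader"],
                 ["custom_role"], ["custom_role", "member"]):
        print(case, ">>", expand_roles(case, SAMPLE_RULES))
    # Without expansion, a test running as admin would wrongly expect a
    # reader-only rule to be denied.
    print(role_satisfies(["admin"], "reader", SAMPLE_RULES))
```

The expansion only goes down the chain: a `reader` token never gains `member` or `admin`, so a rule that requires `admin` is still expected to deny it.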