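---
############################################
# Cloudron users
#
# Add additional customizations in this file.
# Certain features, such as Access Control *must* be done in this file.
############################################


# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or groups of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between single quotes for the
# YAML to be syntactically correct (an unquoted leading * is parsed as an alias).
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
#   optional and matches any user if not provided. If provided, the parameter
#   represents either a user or a group. It should be of the form 'user:<username>'
#   or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
#   `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
#   apply the policy to. This parameter is optional and matches any resource if not
#   provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies, so put narrower (e.g. `deny`) rules
# before broader wildcard rules that would otherwise shadow them.
access_control:
  # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user. Kept at `deny` so anything not explicitly listed below is refused.
  default_policy: deny

  rules:
    # Rules applied to everyone
    - domain: 'public.example.com'
      policy: two_factor
    - domain: 'single_factor.example.com'
      policy: one_factor

    # Rules applied to 'admin' group
    # The specific deny must stay above the '*.example.com' wildcard rule:
    # first match wins, and the wildcard would otherwise grant two_factor here.
    - domain: 'mx2.mail.example.com'
      subject: 'group:admin'
      policy: deny
    - domain: '*.example.com'
      subject: 'group:admin'
      policy: two_factor

    # Rules applied to 'dev' group
    # Only the listed path prefix is covered; other paths on this domain fall
    # through to `default_policy`.
    - domain: 'dev.example.com'
      resources:
        - '^/groups/dev/.*$'
      subject: 'group:dev'
      policy: two_factor

    # Rules applied to user 'john'
    - domain: 'dev.example.com'
      resources:
        - '^/users/john/.*$'
      subject: 'user:john'
      policy: two_factor

    # Rules applied to user 'harry'
    - domain: 'dev.example.com'
      resources:
        - '^/users/harry/.*$'
      subject: 'user:harry'
      policy: two_factor

    # Rules applied to user 'bob'
    - domain: '*.mail.example.com'
      subject: 'user:bob'
      policy: two_factor
    - domain: 'dev.example.com'
      resources:
        - '^/users/bob/.*$'
      subject: 'user:bob'
      policy: two_factor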