Fugue.System.Policy

This module provides the basic system types for Fugue’s RBAC system, as well as convenience functions and values to make writing RBAC policies even easier.

RBAC policy answers questions concerning authorization like, “how does Fugue know who I’m talking to?” or “how do I prove who I am?” For example, if Alice issues fugue run, how does the Fugue conductor know that it’s really Alice and not Bob? Included in this policy are rules that help answer questions like “what is a user allowed to do?”

Some helpful terms and definitions with regards to RBAC policy include: A principal is a user, group, or role. It’s the “who” An action is an operation that a principal can perform A subject is the target of an action. It’s the direct object of the action A rule binds a principal, an action, and a subject together A policy is a collection of rules

A simple example of a Fugue RBAC Policy looks like this:

# Alice can manage the account table.
aliceAcctTable: accountTableRules {
  principals: [alice],
  actions: allAccountTableActions
}

# Alice and Bob can see what's running and process history in
# all accounts, but can't change them.
readOnlyAccountRules: accountRules {
  principals: [
    alice,
    bob,
  ],
  accounts: [AllAccounts],
  actions: [
    AccountStatusProcess,
    AccountHistoryProcess,
  ]
}

In this example, Alice is permitted to modify the Conductor’s account table, and both Bob and Alice are permitted “read only” access to all accounts.

Module Members

accountRules

(Function)

Given lists of principals, accounts, and account actions, return a list of rules.

Example:

# Alice can manage compositions in an account bound to the name 'fugueAcct'
aliceFugueAcct: accountRules {
  principals: [alice],
  accounts: [fugueAcct],
  actions: allAccountActions,
}

Type Signature

 fun { principals: List<Principal>,
       accounts: List<Account>,
       actions: List<AccountAction> } -> List<Rule>
Argument: principals

The list of principals for the generated rules.

Type: List<Principal>

Argument: accounts

The list of accounts to be subjects in the generated rules.

Type: List<Account>

Argument: actions

The list of actions to permit for each principal in each account.

Type: List<AccountAction>

Returns:

A list of rules, where the subjects are the given accounts, with each principal allowed each action in each account.

Type: List<Rule>

accountTableRules

(Function)

Given a list of principals and a list of account table actions, return a list of rules with the subject set to the AccountTable.

Example:

# Alice can manage the account table
aliceAcctTable: accountTableRules {
  principals: [alice],
  actions: allAccountTableActions
}

Type Signature

 fun { principals: List<Principal>,
       actions: List<AccountTableAction> } -> List<Rule>
Argument: principals

The list of principals for the generated rules.

Type: List<Principal>

Argument: actions

The list of actions each principal will be allowed in the generated rules.

Type: List<AccountTableAction>

Returns:

A list of rules, where the subject is the AccountTable, and the principals and actions are those given in the preceding arguments.

Type: List<Rule>

rbacRules

(Function)

Given a list of principals and a list of RBAC actions, return a list of rules with the subject set to the RbacMetadata.

Example:

# Alice can view users in the Conductor RBAC system.
aliceFugueAcct: accountRules {
  principals: [alice],
  actions: [RbacListUsers]
}

Type Signature

 fun { principals: List<Principal>,
       actions: List<RbacAction> } -> List<Rule>
Argument: principals

The list of principals for the generated rules.

Type: List<Principal>

Argument: actions

The list of actions to permit in the generated rules.

Type: List<RbacAction>

Returns:

A list of rules, where the subject is the Conductor’s RBAC rules (RbacMetadata), with each principal allowed the given actions against the RbacMetadata subject.

Type: List<Rule>

singleAccountRules

(Function)

Given a list of principals, an account, and a list of account actions, return a list of rules.

Example:

# Alice can manage compositions in an account bound to the name 'fugueAcct'
aliceFugueAcct: accountRules {
  principals: [alice],
  account: fugueAcct,
  actions: allAccountActions
}

Type Signature

 fun { principals: List<Principal>,
       account: Account,
       actions: List<AccountAction> } -> List<Rule>
Argument: principals

The list of principals for the generated rules.

Type: List<Principal>

Argument: account

The account to make the subject of the generated rules.

Type: Account

Argument: actions

The list of actions to permit for each principal in the given account.

Type: List<AccountAction>

Returns:

A list of rules, where the subject is the given account, with each principal allowed each action in the account.

Type: List<Rule>

Account

(Type)

type Account:
  | Account
      accountId: String
  | NamedAccount
      accountName: String
  | AllAccounts

Account

(Constructor)

An account in the Conductor’s account table. Argument:

Record {

Field: accountId

The account ID as it is known in the Conductor’s account table. This is not the provider account number, but instead the Account ID as assigned to the account when you registered it with fugue account add.

Type: String

}

AllAccounts

(Constructor)

A special global account subject.

NamedAccount

(Constructor)

An account in the account table referred to by a name instead of the account ID. Argument:

Record {

Field: accountName

The account name as defined by the user when the account was added.

Type: String

}

An Account is an IaaS provider account known to the Conductor. Such accounts are eligible to host Fugue processes.

AccountAction

(Type)

type AccountAction:
  | AccountRunProcess
  | AccountUpdateProcess
  | AccountKillProcess
  | AccountPropertyProcess
  | AccountResumeProcess
  | AccountSuspendProcess
  | AccountHistoryProcess
  | AccountStatusProcess
  | AccountReleaseProcess

AccountHistoryProcess

(Constructor)

Permits a principal to examine the history of a process in an account (fugue history).

AccountKillProcess

(Constructor)

Permits a principal to kill a process in an account (fugue kill).

AccountPropertyProcess

(Constructor)

Permits a principal to read and write process properties in an account (fugue property).

AccountReleaseProcess

(Constructor)

Permits a principal to release infrastructure in a process from Fugue management (fugue release).

AccountResumeProcess

(Constructor)

Permits a principal to resume a process in an account (fugue resume).

AccountRunProcess

(Constructor)

Permits a principal to run a process in an account (fugue run).

AccountStatusProcess

(Constructor)

Permits a principal to examine the status of a process in an account (fugue status).

AccountSuspendProcess

(Constructor)

Permits a principal to suspend a process in an account (fugue suspend).

AccountUpdateProcess

(Constructor)

Permits a principal to update a process in an account (fugue update).

Actions that can be performed on an Account subject, which is an IaaS account registered with the Conductor via fugue account add.

AccountTableAction

(Type)

type AccountTableAction:
  | AccountTableAdd
  | AccountTableList
  | AccountTableUpdate
  | AccountTableDelete

AccountTableAdd

(Constructor)

Permits a principal to add an account to the account table.

AccountTableDelete

(Constructor)

Permits a principal to delete an account from the account table.

AccountTableList

(Constructor)

Permits a principal to inspect the account table.

AccountTableUpdate

(Constructor)

Permits a principal to update (modify) an account in the account table.

Actions that can be used to manage the set of IaaS accounts registered with the Conductor via fugue account commands. Applicable to the AccountTable subject.

Action

(Type)

type Action:
  | AccountAction AccountAction
  | AccountTableAction AccountTableAction
  | RbacAction RbacAction

AccountAction

(Constructor)

A valid action for Account subjects. Argument:

AccountTableAction

(Constructor)

A valid action for the Conductor’s AccountTable subject. Argument:

RbacAction

(Constructor)

A valid action for the Conductor’s RBAC metadata subject. Argument:

An Action is a generic type for an operation that a principal can perform.

Principal

(Type)

type Principal:
  | User
      userId: String
  | AllUsers

AllUsers

(Constructor)

A special global principal that affects all users.

User

(Constructor)

A specific user to identify as a principal. When a user is present in a rule, that user is automatically created in the Conductor. Argument:

Record {

Field: userId

The name of the user being referenced.

Type: String

}

A Principal is an entity that can be authorized to perform an operation. They are one of the three key elements of a rule, the other two being an Action and a Subject.

RbacAction

(Type)

type RbacAction:
  | RbacListUsers
  | RbacAttachPolicy
  | RbacGetPolicy
  | RbacDetachPolicy
  | RbacRotateCredential

RbacAttachPolicy

(Constructor)

Permits a principal to attach a policy to the Conductor. Note: Fugue run will accept an RBAC policy composition or even a mixture of RBAC and standard library types but it will have no effect.

RbacDetachPolicy

(Constructor)

Permits a principal to detach a policy from the Conductor.

RbacGetPolicy

(Constructor)

Permits a principal to download and examine the policy attached to the Conductor.

RbacListUsers

(Constructor)

Permits a principal to list users defined by the attached RBAC policy.

RbacRotateCredential

(Constructor)

Permits a principal to rotate RBAC credentials.

Actions on the RBAC system itself. Applicable to the RbacMetadata subject.

Rule

(Type)

type Rule:
  | Rule
      principal: Principal
      subject: Subject
      action: Action

Rule

(Constructor)

Argument:

Record {

Field: principal

The Principal authorized to perform the Action on the Subject.

Type: Principal

Field: subject

The Subject to which the rule applies.

Type: Subject

Field: action

The Action which the rule permits.

Type: Action

}

A Rule is an authorization for a Principal to perform an Action on a Subject. It is the keystone type of the Fugue RBAC system.

Subject

(Type)

type Subject:
  | AccountTable
  | AccountType Account
  | RbacMetadata
  | AllSubjects

AccountTable

(Constructor)

The table of accounts in the Conductor (visible with fugue account list).

AccountType

(Constructor)

An Account value, either representing a single account (Account constructor) or all accounts (AllAccounts constructor). Argument:

AllSubjects

(Constructor)

A special global subject. Use with caution.

RbacMetadata

(Constructor)

The RBAC policy data on the Conductor.

A Subject is the target of a rule. It is one of the three key elements of a rule, the other two being an Action and a Principal.

allAccountActions

(Value)

allAccountActions:
  [AccountRunProcess
  ,AccountUpdateProcess
  ,AccountKillProcess
  ,AccountPropertyProcess
  ,AccountResumeProcess
  ,AccountSuspendProcess
  ,AccountHistoryProcess
  ,AccountStatusProcess
  ,AccountReleaseProcess]

This set of actions provides all account actions. It is essentially full read/write access to the Conductor process table. This is effectively a superuser.

allAccountTableActions

(Value)

allAccountTableActions:
  [AccountTableAdd
  ,AccountTableList
  ,AccountTableUpdate
  ,AccountTableDelete]

This set of actions provides all account table actions. With this set of actions, a user has full read/write access to the table of accounts known by the Conductor.

allRbacActions

(Value)

allRbacActions:
  [RbacListUsers
  ,RbacAttachPolicy
  ,RbacGetPolicy
  ,RbacDetachPolicy
  ,RbacRotateCredential]

This set of actions provides all RBAC policy management actions. With this set of actions, a user has full read/write access to the RBAC policy on the Conductor.