@@ -5,33 +5,48 @@ import data.nifi_inp
55
66import data .nifi_global_policies.global_policies
77
8- # Global Rules Logic
9- global_policy_types := [okey | okey := object.keys (global_policies)[_]]
10- res_is_global_type := nifi_inp.resource_id in global_policy_types
11- has_key (obj, key) := true if _ = obj[key]
8+ # This rego file contains the logical rules in order to lookup
9+ # an entry in the nifi_global_policies abstraction layer
10+
11+
12+ global_policy_types := [okey | okey := object.keys (global_policies)[_]] # returns the available keys of the nifi_global_policies abstraction layer
13+ res_is_global_type := nifi_inp.resource_id in global_policy_types # returns a boolean wether the resource is a global resource
14+
15+
16+ has_key (obj, key) := true if _ = obj[key] # helper function
17+
18+ # Searches an entry in the nifi_global_policies abstraction layer
1219global_policy_user_has_permissions (res_id, user_name, action) := true if {
1320 has_key (global_policies, res_id)
1421 has_key (global_policies[res_id][" users" ], user_name)
1522 global_policies[res_id][" users" ][user_name] == action
1623}
24+
25+ # true, if user is allowed to read on a given global policy
1726global_policy_user_read := true if {
1827 global_policy_user_has_permissions (
1928 nifi_inp.inherit_resource_id,
2029 nifi_inp.user_name,
2130 " READ" )
2231}
32+
33+ # true, if user is allowed to write on a given global policy
2334global_policy_user_write := true if {
2435 global_policy_user_has_permissions (
2536 nifi_inp.inherit_resource_id,
2637 nifi_inp.user_name,
2738 " WRITE" )
2839}
40+
41+ # true, if user is allowed to read AND write on a given global policy
2942global_policy_user_full := true if {
3043 global_policy_user_has_permissions (
3144 nifi_inp.inherit_resource_id,
3245 nifi_inp.user_name,
3346 " FULL" )
3447}
48+
49+ # true, if user is explicitly denied on a given global policy
3550global_policy_user_denied := true if {
3651 global_policy_user_has_permissions (
3752 nifi_inp.inherit_resource_id,
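Review bot: The comments added above `global_policy_user_read` and `global_policy_user_write` promise more than the rules deliver, because `global_policy_user_has_permissions` compares the stored entry with the requested action by exact equality (`global_policies[res_id]["users"][user_name] == action`), so a user whose entry is "FULL" is not matched by the "READ" or "WRITE" rule and a "WRITE" entry does not imply read. If that implication is meant to be resolved by a caller elsewhere, the comment should say so, e.g. `# true only if the user's stored action for the given global policy is exactly "READ"; "FULL" does not satisfy this rule`; if it is not, the read and write rules need a second body such as `global_policy_user_read := true if { global_policy_user_full }`, which keeps deny decisions explicit rather than relying on an undefined result. The string literals render here as `" users"` and `" READ"` with a leading space; presumably that is a display artifact, but it is worth confirming, since a stray space inside the literal would make every lookup fail closed. The `# helper function` comment on `has_key` could state what it tests (`# true iff obj has key`), and "wether" on the `res_is_global_type` comment should read "whether". The `global_policy_user_denied` rule continues outside the hunk.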