Move authentication to new format
This commit is contained in:
Colin Hebert
47
authentication/configs/access.yml
Normal file
47
authentication/configs/access.yml
Normal file
@@ -0,0 +1,47 @@
|
||||
##
|
||||
## Access Control Configuration
|
||||
##
|
||||
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
||||
##
|
||||
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
|
||||
## to anyone. Otherwise restrictions follow the rules defined.
|
||||
##
|
||||
## Note: One can use the wildcard * to match any subdomain.
|
||||
## It must stand at the beginning of the pattern. (example: *.example.com)
|
||||
##
|
||||
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
|
||||
##
|
||||
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
|
||||
##
|
||||
## - 'domain' defines which domain or set of domains the rule applies to.
|
||||
##
|
||||
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
|
||||
## provided. If provided, the parameter represents either a user or a group. It should be of the form
|
||||
## 'user:<username>' or 'group:<groupname>'.
|
||||
##
|
||||
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
||||
##
|
||||
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
|
||||
## is optional and matches any resource if not provided.
|
||||
##
|
||||
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
# Support for one factor for transmission API
|
||||
# Only users in "transmission-basic" should be allowed to do so
|
||||
- domain_regex: '^transmission-api\..*'
|
||||
policy: one_factor
|
||||
subject:
|
||||
- 'group:transmission-basic'
|
||||
# Disable authentication on API protected by API keys
|
||||
- domain_regex: '^(bazarr|prowlarr|radarr|sonarr)\..*'
|
||||
policy: bypass
|
||||
resources:
|
||||
- '^/api$'
|
||||
- '^/api/'
|
||||
# Effective default policy, only allow admins with two-factor
|
||||
- domain_regex: '.*'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- 'group:admins'
|
||||
Reference in New Issue
Block a user