Module: Legion::Rbac::Settings

Extended by:
Logging::Helper
Defined in:
lib/legion/rbac/settings.rb


Class Method Details

.admin_role ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 104

# Role template for unrestricted operators.
#
# Grants every action on every resource ('*'), allows cross-team access and
# hands out all four runtime capabilities with nothing denied. Treat it as the
# break-glass role: assign it to as few principals as possible. Note that
# +default+ names it as +default_local_role+, so it is also what a locally
# resolved principal receives unless the deployment overrides that setting.
#
# @return [Hash] role template with :description, :permissions, :deny,
#   :cross_team, :capability_grants and :capability_denials
def self.admin_role
  log.debug('RBAC admin role template requested')
  all_actions = ['read', 'create', 'update', 'delete', 'execute', 'manage']
  {
    description:        'Full access, cross-team capability',
    permissions:        [{ resource: '*', actions: all_actions }],
    deny:               [],
    cross_team:         true,
    # Nothing is withheld: shell, eval, outbound network and filesystem writes.
    capability_grants:  ['shell_execute', 'code_eval', 'network_outbound', 'filesystem_write'],
    capability_denials: []
  }
end

.capability_audit_defaults ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 28

# Default settings for the capability audit subsystem.
#
# The shipped defaults are fail-closed: auditing is enabled, the mode is
# 'enforce', and a capability that a role has not declared is handled by the
# 'block' policy rather than being allowed through. Any environment that
# loosens one of these should do so explicitly in its own configuration.
#
# @return [Hash] with :enabled, :mode and :undeclared_policy
def self.capability_audit_defaults
  log.debug('RBAC capability audit defaults requested')
  settings = { enabled: true }
  settings[:mode] = 'enforce'
  settings[:undeclared_policy] = 'block'
  settings
end

.default ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 10

# Top-level RBAC defaults; the nested sections come from the sibling helpers
# so each one is defined in exactly one place.
#
# RBAC ships enabled and enforcing, with role resolution in 'merge' mode and
# +connected+ starting at false.
# NOTE(review): +default_local_role+ is 'admin', i.e. the unrestricted
# template. A principal that ends up resolved locally therefore gets full
# access unless the deployment overrides this key — worth confirming that every
# non-development configuration sets it to a least-privilege role such as
# 'worker', and that the resolver really only uses it for local principals.
#
# @return [Hash] the complete default settings tree
def self.default
  log.debug('RBAC default settings requested')
  flat = {
    enabled:              true,
    enforce:              true,
    connected:            false,
    emit_events:          true,
    role_resolution_mode: 'merge',
    default_local_role:   'admin',
    static_assignments:   [],
    route_permissions:    {},
    group_role_map:       {}
  }
  flat.merge(
    roles:            default_roles,
    entra:            entra_defaults,
    capability_audit: capability_audit_defaults
  )
end

.default_roles ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 37

# Built-in role templates keyed by role name.
#
# Keys are symbols; the hyphenated observer role is a quoted symbol.
# NOTE(review): +entra_defaults+ maps directory roles to these names as
# strings ('admin', 'governance-observer', ...), so whatever resolves a role
# presumably normalises string→symbol before looking it up here — confirm
# against the resolver, since a missed conversion would silently find no role.
#
# @return [Hash{Symbol => Hash}] role name => role template
def self.default_roles
  log.debug('RBAC default roles requested')
  roles = {}
  roles[:worker] = worker_role
  roles[:supervisor] = supervisor_role
  roles[:admin] = admin_role
  roles[:'governance-observer'] = governance_observer_role
  roles
end

.entra_defaults ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 47

# Defaults for the Microsoft Entra integration.
#
# +tenant_id+ and +client_id+ are nil until configured. +role_map+ translates
# the directory's 'Legion.*' app roles into local role names (as strings);
# +group_map+ starts empty. A principal matching no mapping lands on 'worker',
# the team-scoped template, rather than on admin — keep it that way.
#
# @return [Hash] with :tenant_id, :client_id, :role_map, :group_map, :default_role
def self.entra_defaults
  log.debug('RBAC Entra defaults requested')
  app_roles = [
    ['Legion.Admin', 'admin'],
    ['Legion.Supervisor', 'supervisor'],
    ['Legion.Worker', 'worker'],
    ['Legion.Observer', 'governance-observer']
  ]
  {
    tenant_id:    nil,
    client_id:    nil,
    role_map:     app_roles.to_h,
    group_map:    {},
    default_role: 'worker'
  }
end

.governance_observer_role ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 118

# Role template for cross-team auditors.
#
# Grants read on workers, tasks, events, schedules and extensions across all
# teams (+cross_team+ true) and denies every runtime capability: shell, eval,
# outbound network and filesystem writes.
# NOTE(review): the single grant that is not read-only is +execute+ on
# 'runners/lex-governance/*', despite the 'Read-only' description. That is
# fine only if those runners are themselves side-effect-free — confirm before
# handing this role to external auditors.
#
# @return [Hash] role template
def self.governance_observer_role
  log.debug('RBAC governance observer role template requested')
  readable = ['workers/*', 'tasks/*', 'events/*', 'schedules/*', 'extensions/*']
  read_grants = readable.map { |resource| { resource: resource, actions: ['read'] } }
  governance_grant = { resource: 'runners/lex-governance/*', actions: ['read', 'execute'] }
  {
    description:        'Read-only visibility across all teams for audit and compliance',
    permissions:        read_grants + [governance_grant],
    deny:               [],
    cross_team:         true,
    capability_grants:  [],
    capability_denials: ['shell_execute', 'code_eval', 'network_outbound', 'filesystem_write']
  }
end

.supervisor_role ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 83

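# Role template for team supervisors.
#
# Scope is one team: runners may be executed, tasks read/created/deleted,
# schedules fully managed, team workers read/created/moved through lifecycle,
# and extensions and events read. Two denies carve out sensitive paths:
# escalation of the lex-extinction runner above level 2 (the meaning of
# +above_level+ is up to the policy evaluator, not defined here) and moving any
# worker into the 'terminated' lifecycle state. Network, filesystem-write and
# shell capabilities are granted; code_eval is explicitly denied.
#
# +cross_team+ is now declared explicitly as +false+. The admin and
# governance-observer templates declare it as +true+, while this template left
# the key absent, so a consumer reading it saw +nil+ — only an implicit "no".
# An explicit +false+ keeps every built-in template self-describing and is
# backward-compatible with any truthiness check.
#
# @return [Hash] role template with :description, :permissions, :deny,
#   :cross_team, :capability_grants and :capability_denials
def self.supervisor_role
  log.debug('RBAC supervisor role template requested')
  {
    description:        'Manage workers and schedules within team scope',
    permissions:        [
      { resource: 'runners/*', actions: %w[execute] },
      { resource: 'tasks/*', actions: %w[read create delete] },
      { resource: 'schedules/*', actions: %w[read create update delete] },
      { resource: 'workers/team', actions: %w[read create lifecycle] },
      { resource: 'extensions/*', actions: %w[read] },
      { resource: 'events/*', actions: %w[read] }
    ],
    deny:               [
      { resource: 'runners/lex-extinction/escalate', above_level: 2 },
      { resource: 'workers/*/lifecycle/terminated' }
    ],
    # Team-scoped by design (see description); stated explicitly so the key
    # is present in every built-in template.
    cross_team:         false,
    capability_grants:  %w[network_outbound filesystem_write shell_execute],
    capability_denials: %w[code_eval]
  }
end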

.worker_role ⇒ Object



# File 'lib/legion/rbac/settings.rb', line 63

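# Role template for ordinary workers.
#
# Scope is one team: runners may be executed, tasks read/created, schedules
# read, and only the worker's own record ('workers/self') read. Denies keep
# workers away from the lex-extinction and lex-governance runners entirely and
# from every worker lifecycle path. Outbound network and filesystem writes are
# granted; shell and code_eval are explicitly denied.
#
# +cross_team+ is now declared explicitly as +false+. The admin and
# governance-observer templates declare it as +true+, while this template left
# the key absent, so a consumer reading it saw +nil+ — only an implicit "no".
# An explicit +false+ keeps every built-in template self-describing and is
# backward-compatible with any truthiness check.
#
# @return [Hash] role template with :description, :permissions, :deny,
#   :cross_team, :capability_grants and :capability_denials
def self.worker_role
  log.debug('RBAC worker role template requested')
  {
    description:        'Execute assigned runners within team scope',
    permissions:        [
      { resource: 'runners/*', actions: %w[execute] },
      { resource: 'tasks/*', actions: %w[read create] },
      { resource: 'schedules/*', actions: %w[read] },
      { resource: 'workers/self', actions: %w[read] }
    ],
    deny:               [
      { resource: 'runners/lex-extinction/*' },
      { resource: 'runners/lex-governance/*' },
      { resource: 'workers/*/lifecycle' }
    ],
    # Team-scoped by design (see description); stated explicitly so the key
    # is present in every built-in template.
    cross_team:         false,
    capability_grants:  %w[network_outbound filesystem_write],
    capability_denials: %w[shell_execute code_eval]
  }
end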