authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2014-07-14 15:10:09 +0000
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2014-07-14 15:10:09 +0000
commit160fd3f2f1d372751836c0073bdc944df1cfbb91 (patch)
treed6b46ce1ec600400883e53b82e12b390fa73f262 /share/gitano/skel/gitano-admin/rules/siteadmin.lace
parenteafba37e2bfc3897e3e7f65f2ce087fbee358f43 (diff)
parentd349c9a35d3d53ebfc9f26df373e84fa5986a1b6 (diff)
downloadtrove-setup-160fd3f2f1d372751836c0073bdc944df1cfbb91.tar.gz
Merge branch 'baserock/pedroalvarez/trove-ansible3'
Reviewed-by: Richard Maw Reviewed-by: Lars Wirzenius
Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/siteadmin.lace')
-rw-r--r--share/gitano/skel/gitano-admin/rules/siteadmin.lace32
1 files changed, 32 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..06c71bb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
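Review bot: The project-managers rule (`allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group`) carries no exclusion for the administrative groups, unlike the site-admin rule two lines above it, which is guarded by `!target_group_gitano_admin`. If `${targetgroup/prefix}` expands to the part of the target group name before its first hyphen, as the "XXX-managers edit XXX-*" comment suggests, then `gitano-admin` and `trove-admin` both satisfy `target_group_has_hyphen` and members of a `gitano-managers` or `trove-managers` group would be granted op_group on them; the first rule appears to let a site admin create such groups, so this looks like a path to the full-admin group that the explicit exclusion on the site-admin rule was meant to close. I would add the same guard and one for trove-admin: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin !trove_target_group_is_trove_admin`, moving the `define trove_target_group_is_trove_admin targetgroup trove-admin` line above it if lace requires definitions to precede their use. Note also that `target_group_gitano_admin` is used on the site-admin rule but not defined in this file, so it presumably comes from the core rule set; a comment saying so would save the next reader a search.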