Example 5: Server are manageable by admins, workstations by users¶
Here we want to give full access to the admins. Workstations are are restricted to authenticated users, bind mounts are limited to /home/$USER/ and can only manage containers and images. All other actions are read-only. Unauthenticated users cannot do anything on workstations. All other hosts are read-only even for admins.
---
- description: Servers are restricted to admin only.
hosts:
- +^srv\d\d.*
default: Deny
policies:
- members:
- administrators
rules:
any:
Allow:
- description: Workstations are restricted to connected users or admins.
Users from `users` group can only manage containers or images,
bind mounts are restricted to `/home/$USER/`. All other actions
are read-only.
All other or unauthenticated users cannot do anything
on workstations.
hosts:
- +^wks\d\d.*
default: Deny
policies:
- members:
- administrators
rules:
any:
Allow:
- members:
- users
rules:
containers:
BindMounts:
- -/
- +/home/$USER
images:
Allow:
all:
ReadOnly:
- description: All other hosts are read-only even for admins.
hosts:
- +.*
default: ReadOnly
...
---
users:
- jre
- sve
- cjo
- mgr
administrators:
- rda
- mal
...