2 Permissions
Elara edited this page 2024-08-04 22:57:02 +00:00

Overview

Seashell's permissions system is designed to control access to specific resources for Seashell users. Users are organized into groups, and each group can have rules to allow or deny access to specific resources. The default policy is to deny access unless explicitly allowed.

Configuration Structure

The permissions configuration is represented as a map, where each key is the name of a group, and the value is another map containing allow and deny lists. The items within the allow and deny lists are different for each backend. See the Backends page for more information.

Example

This example is a permission configuration for a Docker route. In this case, members of group1 have access to containers 1 and 2, but not 3. Any other container that isn't explicitly allowed will be denied, so container4 would be denied even though it's not in the deny list.

permissions = {
  group1 = {
    allow = ["container1", "container2"]
    deny = ["container3"]
  }
}

Wildcards

The permissions system supports wildcards in allow/deny lists. For example, if you wanted to allow admins access to all containers, and allow group1 to access everything that doesn't start with admin, you could do something like this:

permissions = {
  admins = {
    allow = ["*"]
  }
  group1 = {
    allow = ["*"]
    deny = ["admin*"]
  }
}
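
The following is an added example, not Seashell's own code: a small Python model of the rules described on this page, useful for checking what a configuration grants before deploying it. It assumes that a deny match overrides an allow match (inferred from the group1 wildcard example), that `*` is the only wildcard, and that matching is case-sensitive; the group name group2, the resource names, and the function names are constructed for illustration.

```python
import re

# Constructed sample combining the two configurations shown on this page.
# "group2" carries the rules of the first example so both fit in one map.
PERMISSIONS = {
    "admins": {"allow": ["*"]},
    "group1": {"allow": ["*"], "deny": ["admin*"]},
    "group2": {"allow": ["container1", "container2"], "deny": ["container3"]},
}


def _matches(pattern, resource):
    """Return True if resource matches pattern, where '*' matches any run
    of characters and every other character is literal (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource, flags=re.DOTALL) is not None


def is_allowed(permissions, group, resource):
    """Evaluate one group's rules for one resource."""
    rules = permissions.get(group)
    if rules is None:
        return False  # unknown group: default deny
    # Assumption: deny is checked first and wins over any allow match.
    if any(_matches(p, resource) for p in rules.get("deny", [])):
        return False
    # Default deny: access requires an explicit allow match.
    return any(_matches(p, resource) for p in rules.get("allow", []))


def audit(permissions, resources):
    """Map each group to the sorted list of resources it can reach."""
    return {
        group: sorted(r for r in resources if is_allowed(permissions, group, r))
        for group in permissions
    }


if __name__ == "__main__":
    sample = ["container1", "container2", "container3", "container4", "admin-db"]
    for group, reachable in audit(PERMISSIONS, sample).items():
        print(f"{group}: {reachable}")
```

Running an audit like this over the real resource names of a backend shows quickly whether a broad `allow = ["*"]` reaches anything the deny patterns were meant to cover.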