[DOCS] Clarify use of multiple subjects in ACLs and their logical evaluation (#1454)
* Clarify use of multiple subjects and their logical evaluation
* Update docs/configuration/access-control.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

pull/1452/head^2
parent
f392f51df6
commit
518bc67ef9
|
@ -55,11 +55,14 @@ protected by Authelia or the protected domain itself. In order to match multiple
|
||||||
subdomains, the wildcard matcher character `*.` can be used as prefix of the domain.
|
subdomains, the wildcard matcher character `*.` can be used as prefix of the domain.
|
||||||
For instance, to define a rule for all subdomains of *example.com*, one would use
|
For instance, to define a rule for all subdomains of *example.com*, one would use
|
||||||
`*.example.com` in the rule. A single rule can define multiple domains for matching.
|
`*.example.com` in the rule. A single rule can define multiple domains for matching.
|
||||||
|
These domains can be either listed in YAML-short form `["example1.com", "example2.com"]`
|
||||||
|
or in YAML long-form as dashed list.
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
A rule can define multiple regular expressions for matching the path of the resource. If
|
A rule can define multiple regular expressions for matching the path of the resource
|
||||||
any one of them matches, the resource criteria of the rule matches.
|
similar to the list of domains. If any one of them matches, the resource criteria of
|
||||||
|
the rule matches.
|
||||||
|
|
||||||
|
|
||||||
## Subjects
|
## Subjects
|
||||||
|
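Review bot: The two added lines on YAML list notation hyphenate inconsistently ("YAML-short form" versus "YAML long-form") and drop the article in "as dashed list"; suggest "YAML short form `["example1.com", "example2.com"]` or in YAML long form as a dashed list". In the rewritten Resources sentence, a comma before "similar to the list of domains" would stop it reading as if the resource path were similar to the domain list.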
@ -70,10 +73,11 @@ For a user with unique identifier `john`, the subject should be `user:john` and
|
||||||
uniquely identified by `developers`, the subject should be `group:developers`. Similar to resources
|
uniquely identified by `developers`, the subject should be `group:developers`. Similar to resources
|
||||||
and domains you can define multiple subjects in a single rule.
|
and domains you can define multiple subjects in a single rule.
|
||||||
|
|
||||||
If you want a combination of subjects to be matched at once, you can specify a list of subjects like
|
If you want a combination of subjects to be matched at once using a logical `AND`, you can
|
||||||
`- ["group:developers", "group:admins"]`. Make sure to preceed it by a list key `-`.
|
specify a nested list of subjects like `- ["group:developers", "group:admins"]`.
|
||||||
In summary, the first level of subjects are evaluated using a logical `OR`, whereas the second level
|
In summary, the first list level of subjects are evaluated using a logical `OR`, whereas the
|
||||||
by a logical `AND`.
|
second level by a logical `AND`. The last example below reads as: the group is `dev` AND the
|
||||||
|
username is `john` OR the group is `admins`.
|
||||||
|
|
||||||
## Networks
|
## Networks
|
||||||
|
|
||||||
|
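Review bot: The added summary sentence, "the group is `dev` AND the username is `john` OR the group is `admins`", leaves operator precedence to the reader, and someone who parses it as `dev` AND (`john` OR `admins`) will misjudge which users the rule covers. Suggest explicit grouping: "(the group is `dev` AND the username is `john`) OR the group is `admins`". The same paragraph has "the first list level of subjects are evaluated", which should be "is evaluated". Dropping the old hint about the leading `-` also removes the only explicit statement that the bracketed list must itself be a list item, so consider keeping a short version of it next to "nested list".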
@ -135,5 +139,6 @@ access_control:
|
||||||
- "^/users/john/.*$"
|
- "^/users/john/.*$"
|
||||||
subject:
|
subject:
|
||||||
- ["group:dev", "user:john"]
|
- ["group:dev", "user:john"]
|
||||||
|
- "group:admins"
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
```
|
```
|
||||||
|
|
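Review bot: The added `- "group:admins"` entry makes the example's subject list a mixed one, and nothing in the YAML itself says how the two entries combine. A comment above the list, such as `# (group:dev AND user:john) OR group:admins`, would keep the example self-explanatory for readers who copy it without reading the Subjects section.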