{ // Declare static groups of users beyond those in the identity service. "groups": { "group:example": [ "user1@example.com", "user2@example.com", ], "group:example2": [ "user1@example.com", "user2@example.com", ], }, // Declare hostname aliases to use in place of IP addresses or subnets. "hosts": { "example-host-1": "100.100.100.100", "example-host-2": "100.100.101.100/24", }, // Define who is allowed to use which tags. "tagOwners": { // Everyone in the montreal-admins or global-admins group are // allowed to tag servers as montreal-webserver. "tag:montreal-webserver": [ "group:example", ], // Only a few admins are allowed to create API servers. "tag:production": [ "group:example", "president@example.com", ], }, // Access control lists. "acls": [ // Engineering users, plus the president, can access port 22 (ssh) // and port 3389 (remote desktop protocol) on all servers, and all // ports on git-server or ci-server. { "action": "accept", "protocol": "tcp", "src": [ "group:example2", "192.168.1.0/24" ], "dst": [ "*:22,3389", "git-server:*", "ci-server:*" ], }, // Allow engineer users to access any port on a device tagged with // tag:production. { "action": "accept", "src": [ "group:example" ], "dst": [ "tag:production:*" ], }, // Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts // on both networks. { "action": "accept", "src": [ "example-host-2", ], "dst": [ "example-host-1:*", "192.168.1.0/24:*" ], }, // Allow every user of your network to access anything on the network. // Comment out this section if you want to define specific ACL // restrictions above. { "action": "accept", "src": [ "*" ], "dst": [ "*:*" ], }, // All users in Montreal are allowed to access the Montreal web // servers. { "action": "accept", "src": [ "example-host-1" ], "dst": [ "tag:montreal-webserver:80,443" ], }, // Montreal web servers are allowed to make outgoing connections to // the API servers, but only on https port 443. // In contrast, this doesn't grant API servers the right to initiate // any connections. { "action": "accept", "src": [ "tag:montreal-webserver" ], "dst": [ "tag:api-server:443" ], }, ], // Declare tests to check functionality of ACL rules "tests": [ { "src": "user1@example.com", "accept": [ "example-host-1:22", "example-host-2:80" ], "deny": [ "exapmle-host-2:100" ], }, { "src": "user2@example.com", "accept": [ "100.60.3.4:22" ], }, ], }