{ // Declare static groups of users beyond those in the identity service. "Groups": { "group:example": [ "user1@example.com", "user2@example.com", ], "group:example2": [ "user1@example.com", "user2@example.com", ], }, // Declare hostname aliases to use in place of IP addresses or subnets. "Hosts": { "example-host-1": "100.100.100.100", "example-host-2": "100.100.101.100/24", }, // Define who is allowed to use which tags. "TagOwners": { // Everyone in the montreal-admins or global-admins group are // allowed to tag servers as montreal-webserver. "tag:montreal-webserver": [ "group:montreal-admins", "group:global-admins", ], // Only a few admins are allowed to create API servers. "tag:api-server": [ "group:global-admins", "president@example.com", ], }, // Access control lists. "ACLs": [ // Engineering users, plus the president, can access port 22 (ssh) // and port 3389 (remote desktop protocol) on all servers, and all // ports on git-server or ci-server. { "Action": "accept", "Users": [ "group:example2", "192.168.1.1" ], "Ports": [ "*:22,3389", "git-server:*", "ci-server:*" ], }, // Allow engineer users to access any port on a device tagged with // tag:production. { "Action": "accept", "Users": [ "group:example" ], "Ports": [ "tag:production:*" ], }, // Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts // on both networks. { "Action": "accept", "Users": [ "example-host-2", "192.168.1.0/24" ], "Ports": [ "example-host-1:*", "192.168.1.0/24:*" ], }, // Allow every user of your network to access anything on the network. // Comment out this section if you want to define specific ACL // restrictions above. { "Action": "accept", "Users": [ "*" ], "Ports": [ "*:*" ], }, // All users in Montreal are allowed to access the Montreal web // servers. { "Action": "accept", "Users": [ "example-host-1" ], "Ports": [ "tag:montreal-webserver:80,443" ], }, // Montreal web servers are allowed to make outgoing connections to // the API servers, but only on https port 443. // In contrast, this doesn't grant API servers the right to initiate // any connections. { "Action": "accept", "Users": [ "tag:montreal-webserver" ], "Ports": [ "tag:api-server:443" ], }, ], // Declare tests to check functionality of ACL rules "Tests": [ { "User": "user1@example.com", "Allow": [ "example-host-1:22", "example-host-2:80" ], "Deny": [ "exapmle-host-2:100" ], }, { "User": "user2@example.com", "Allow": [ "100.60.3.4:22" ], }, ], }