# Source: go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/lucicfg/testdata/realms/success.star
#
# Golden test for realm generation. The declarations below are expected to
# produce the configs listed under "Expect configs:" at the end of the file.
# Each declaration uses a different argument form (string vs. list, by-name vs.
# inline reference) on purpose, so the forms themselves are the test input.

# Project-level bindings are emitted on the "@root" realm, and
# enforce_realms_in is emitted as enforce_in_service on "@root"
# (see the expected realms.cfg).
luci.project(
    name = "proj",
    buildbucket = "cr-buildbucket.appspot.com",
    bindings = [
        luci.binding(
            roles = "role/a",
            groups = "root",
        ),
    ],
    enforce_realms_in = ["cr-buildbucket"],
)

# luci.bucket yields both a buildbucket bucket and a realm of the same name.
# The second binding has an empty group list: it grants nothing and is dropped
# from the output instead of being emitted as a role without principals.
luci.bucket(
    name = "bucket",
    bindings = [
        luci.binding(
            roles = "role/a",
            groups = "bucket",
        ),
        luci.binding(
            roles = "role/empty-binding-is-skipped",
            groups = [],
        ),
    ],
)

# One binding may mix groups, users and projects; they are emitted as
# "group:", "user:" and "project:" principals. The bindings of the parent
# "bucket" are not copied into realm1's output: only `extends: "bucket"` is
# written, so effective access has to be read by following the extends chain.
luci.realm(
    name = "realm1",
    extends = "bucket",
    bindings = [
        luci.binding(
            roles = "role/a",
            groups = "group-a",
            users = "a@example.com",
            projects = "proj-a",
        ),
    ],
)

# A bucket may extend a plain realm.
luci.bucket(
    name = "bucket2",
    extends = "realm1",
    bindings = [
        luci.binding(
            roles = "role/a",
            groups = "bucket",
        ),
    ],
)

# The parent may be declared inline: "bucket4" has no top-level declaration of
# its own, yet it appears in both cr-buildbucket.cfg and realms.cfg.
luci.bucket(
    name = "bucket3",
    extends = luci.bucket(name = "bucket4"),
)

# Top-level binding attached to realms by name ("realm2" is declared further
# down, so this is a forward reference). With list arguments every listed role
# is granted to every listed principal in every listed realm: 2 realms x
# 2 roles x 6 principals in the expected output.
# NOTE(review): when this form is used in a real config, check that the full
# cross-product is intended; it is an easy way to grant more than meant.
luci.binding(
    realm = ["realm1", "realm2"],
    roles = ["role/a", "role/b"],
    groups = ["group-a", "group-b"],
    users = ["a@example.com", "b@example.com"],
    projects = ["proj-a", "proj-b"],
)

# An explicit "@root" in `extends` is accepted but not written to the output
# (only "bucket" and "realm1" appear) -- presumably because every realm already
# inherits from "@root"; confirm against the lucicfg docs. The three separate
# "role/c" bindings are merged into a single bindings entry.
luci.realm(
    name = "realm2",
    extends = ["bucket", "realm1", "@root"],
    bindings = [
        luci.binding(roles = "role/c", groups = "group-c"),
        luci.binding(roles = "role/c", users = "c@example.com"),
        luci.binding(roles = "role/c", projects = "proj-c"),
    ],
)

# Extending only "@root" likewise produces no `extends` line in the output.
luci.realm(
    name = "@legacy",
    extends = "@root",
)

# Empty binding is fine. It names no principals, so it adds nothing to the
# expected "@legacy" realm.
luci.binding(
    realm = "@legacy",
    roles = "role/a",
)

luci.binding(
    realm = "@legacy",
    roles = "role/a",
    users = "a@example.com",
)

# `extends` mixes a predefined role name with an inline custom role. The inline
# "customRole/r2" extends "customRole/r3" by name before r3 is declared below.
luci.custom_role(
    name = "customRole/r1",
    extends = [
        "role/a",
        luci.custom_role(
            name = "customRole/r2",
            extends = ["customRole/r3"],
            permissions = ["luci.dev.testing2"],
        ),
    ],
    permissions = ["luci.dev.testing1"],
)

luci.custom_role(
    name = "customRole/r3",
    permissions = ["luci.dev.testing3"],
)

# `roles` is given as a string, a list of names, a custom_role object and a
# mixed list. "customRole/r3" is redeclared inline twice with the same fields
# as the top-level declaration; the expected output holds a single
# customRole/r3, so identical redeclarations appear to be treated as one role.
# Bindings are grouped per role in the output, with principals merged.
luci.realm(
    name = "custom_roles",
    bindings = [
        luci.binding(
            roles = "customRole/r1",
            users = "a@example.com",
        ),
        luci.binding(
            roles = ["role/a", "customRole/r1"],
            users = "b@example.com",
        ),
        luci.binding(
            roles = luci.custom_role(
                name = "customRole/r3",
                permissions = ["luci.dev.testing3"],
            ),
            users = "c@example.com",
        ),
        luci.binding(
            roles = [
                luci.custom_role(
                    name = "customRole/r3",
                    permissions = ["luci.dev.testing3"],
                ),
                "role/a",
            ],
            users = "d@example.com",
        ),
    ],
)

# Expect configs:
#
# === cr-buildbucket.cfg
# buckets {
#   name: "bucket"
# }
# buckets {
#   name: "bucket2"
# }
# buckets {
#   name: "bucket3"
# }
# buckets {
#   name: "bucket4"
# }
# ===
#
# === project.cfg
# name: "proj"
# ===
#
# === realms.cfg
# realms {
#   name: "@legacy"
#   bindings {
#     role: "role/a"
#     principals: "user:a@example.com"
#   }
# }
# realms {
#   name: "@root"
#   bindings {
#     role: "role/a"
#     principals: "group:root"
#   }
#   enforce_in_service: "cr-buildbucket"
# }
# realms {
#   name: "bucket"
#   bindings {
#     role: "role/a"
#     principals: "group:bucket"
#   }
# }
# realms {
#   name: "bucket2"
#   extends: "realm1"
#   bindings {
#     role: "role/a"
#     principals: "group:bucket"
#   }
# }
# realms {
#   name: "bucket3"
#   extends: "bucket4"
# }
# realms {
#   name: "bucket4"
# }
# realms {
#   name: "custom_roles"
#   bindings {
#     role: "customRole/r1"
#     principals: "user:a@example.com"
#     principals: "user:b@example.com"
#   }
#   bindings {
#     role: "customRole/r3"
#     principals: "user:c@example.com"
#     principals: "user:d@example.com"
#   }
#   bindings {
#     role: "role/a"
#     principals: "user:b@example.com"
#     principals: "user:d@example.com"
#   }
# }
# realms {
#   name: "realm1"
#   extends: "bucket"
#   bindings {
#     role: "role/a"
#     principals: "group:group-a"
#     principals: "group:group-b"
#     principals: "project:proj-a"
#     principals: "project:proj-b"
#     principals: "user:a@example.com"
#     principals: "user:b@example.com"
#   }
#   bindings {
#     role: "role/b"
#     principals: "group:group-a"
#     principals: "group:group-b"
#     principals: "project:proj-a"
#     principals: "project:proj-b"
#     principals: "user:a@example.com"
#     principals: "user:b@example.com"
#   }
# }
# realms {
#   name: "realm2"
#   extends: "bucket"
#   extends: "realm1"
#   bindings {
#     role: "role/a"
#     principals: "group:group-a"
#     principals: "group:group-b"
#     principals: "project:proj-a"
#     principals: "project:proj-b"
#     principals: "user:a@example.com"
#     principals: "user:b@example.com"
#   }
#   bindings {
#     role: "role/b"
#     principals: "group:group-a"
#     principals: "group:group-b"
#     principals: "project:proj-a"
#     principals: "project:proj-b"
#     principals: "user:a@example.com"
#     principals: "user:b@example.com"
#   }
#   bindings {
#     role: "role/c"
#     principals: "group:group-c"
#     principals: "project:proj-c"
#     principals: "user:c@example.com"
#   }
# }
# custom_roles {
#   name: "customRole/r1"
#   extends: "customRole/r2"
#   extends: "role/a"
#   permissions: "luci.dev.testing1"
# }
# custom_roles {
#   name: "customRole/r2"
#   extends: "customRole/r3"
#   permissions: "luci.dev.testing2"
# }
# custom_roles {
#   name: "customRole/r3"
#   permissions: "luci.dev.testing3"
# }
# ===