In reading the docs, I keep seeing a pattern in the examples that I can't quite get my head around.
The following is an example from the RD docs, and my confusion is as follows; let's just look at resource type "job" here.
Regarding "job", I read this, top to bottom, basically as:
First, for "all" or "any" job, any resource that is of type "job"... allow "all actions",
and that's because we're using the generic resource declaration.
Okay, great, but then...
a few lines later, and this is where I get confused...
we call out a specific resource type "job" (but with no matching or anything, so I guess it still means "all" jobs) and we list 4 specific allowed actions.
But didn't we already allow "all" actions on any jobs?
description: Project-level ACL for a specific Group
for:
  resource:
    - equals:
        kind: node
      allow: [read,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allows access to execution history
    - equals:
        kind: job
      allow: '*' #Project-level Access to Create and Delete Jobs
  job:
    - allow: [read,run,kill,killAs] # allow read/run/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: 'grp-sandbox-exec'
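
An added example, not part of the original post and not Rundeck's own code: a simplified Python model of how the policy above is evaluated, assuming rules under `resource` are consulted for requests about a resource kind (such as creating a job) and rules under `job` for requests about one specific job. The function names and the sample job and node attribute values are constructed for illustration.

```python
# Simplified model of ACL evaluation for the policy in the post (assumption:
# each request names one section, and only that section's rules are consulted).

# The policy's "for:" block, transcribed as a Python dict.
POLICY = {
    "resource": [
        {"equals": {"kind": "node"}, "allow": ["read", "refresh"]},
        {"equals": {"kind": "event"}, "allow": ["read", "create"]},
        {"equals": {"kind": "job"}, "allow": "*"},
    ],
    "job": [{"allow": ["read", "run", "kill", "killAs"]}],
    "node": [{"allow": ["read", "run"]}],
}


def _actions(value):
    """Normalise 'allow'/'deny' values ('*' or a list) to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(rule, attrs):
    # Only the 'equals' matcher is modelled; a rule without a matcher
    # applies to every resource in its section.
    return all(attrs.get(k) == v for k, v in rule.get("equals", {}).items())


def authorized(policy, section, attrs, action):
    """Return True if `action` is allowed on the resource described by `attrs`."""
    allowed = False
    for rule in policy.get(section, []):
        if not _matches(rule, attrs):
            continue
        deny = _actions(rule.get("deny", []))
        if "*" in deny or action in deny:
            return False  # an explicit deny always wins
        allow = _actions(rule.get("allow", []))
        if "*" in allow or action in allow:
            allowed = True
    return allowed  # no matching allow: rejected by default


# Constructed sample resources.
JOB_KIND = {"kind": "job"}                      # the job resource kind
ONE_JOB = {"name": "deploy", "group": "ops"}    # one specific job
ONE_NODE = {"nodename": "web1"}                 # one specific node
```

In this model `authorized(POLICY, "resource", JOB_KIND, "create")` is true while `authorized(POLICY, "job", ONE_JOB, "update")` is false: the `'*'` under `resource` covers actions on the job kind, and the four actions under `job` are all that is granted on existing jobs.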