Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 9 changed files with 224 additions and 22 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,79 @@ | ||
# Access Control | ||
|
||
## Users & Credentials | ||
|
||
In pageship, users are mostly just ID for internal reference. For purpose | ||
of access control, each user/request is associated with a set of credentials, and | ||
credentials are matched with ACL for permission check. | ||
|
||
Pageship currently recognizes following credentials: | ||
|
||
### GitHub user | ||
|
||
The user/request is associated with a specific GitHub user. | ||
|
||
Users can be authenticated as GitHub user through SSH login with | ||
`pageship login` command: | ||
```sh | ||
$ pageship login | ||
GitHub user name: ***** | ||
SSH key file: ***** | ||
Logged in as *****. | ||
$ | ||
``` | ||
|
||
### [Github repository actions](./github-actions-integration.md) | ||
|
||
The user/request is originated from GitHub Actions running in a specific | ||
GitHub repository. | ||
|
||
`pageship` command would authenticate as GitHub repository actions automatically | ||
when it detected running in GitHub Actions environment. | ||
|
||
### IP address | ||
|
||
The user/request is originated from a specific IP address. All users/requests | ||
are automatically associated with an IP address credential. | ||
|
||
## Site Access | ||
|
||
Site access can be specified through ACL in the `access` field: | ||
```toml | ||
[site] | ||
access = [ | ||
{ ipRange="127.0.0.1/32" } | ||
] | ||
``` | ||
|
||
## App Management Access | ||
|
||
App management access can be specified through ACL in the `team` field: | ||
```toml | ||
[app] | ||
team = [ | ||
{ githubUser="...", access="admin" }, | ||
{ gitHubRepositoryActions="oursky/pageship", access="deployer" } | ||
] | ||
``` | ||
|
||
There are three levels of access for management: | ||
- `reader`: read-only access to app metadata (e.g. list of deployments/sites) | ||
- `deployer`: access neccessary for deploying sites | ||
- `admin`: full access to the app | ||
|
||
In addition, the creator user of an app is considered as the owner of the app, | ||
and always has full access to the app. | ||
|
||
## API Access Control | ||
|
||
The server API may be protected from unwanted access by specifying an ACL file | ||
in `PAGESHIP_API_ACL` environment variable. | ||
|
||
```toml | ||
[[access]] | ||
githubUser="..." | ||
|
||
[[access]] | ||
gitHubRepositoryActions="oursky/pageship" | ||
|
||
``` |
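Review bot: The "IP address" section says every request is automatically given an IP address credential, and "Site Access" gates on `{ ipRange="127.0.0.1/32" }`, but nothing states which address is used: the direct TCP peer or a forwarded header. Behind a reverse proxy that choice decides whether the ACL means anything, so document where the address comes from and, if one exists, how trusted proxies are configured. Also: the keys are cased inconsistently (`githubUser` vs `gitHubRepositoryActions`) in both the `team` and `[[access]]` examples, so confirm they match what the parser accepts; "API Access Control" should state what happens when `PAGESHIP_API_ACL` is unset; and `neccessary` in the `deployer` bullet should be `necessary`.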
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,3 @@ | ||
# Automatic TLS | ||
|
||
Pageship supports automatic TLS through [certmagic](https://github.com/caddyserver/certmagic) library. |
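Review bot: The new Automatic TLS page is a single sentence naming certmagic and gives an operator no way to use or assess the feature. Add how it is enabled, which host names certificates are requested for, and where certificates and private keys are stored, so it is clear what the server will do when exposed on a public interface.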
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,21 @@ | ||
# GitHub Actions Integration | ||
|
||
Pageship detects if it is running in GitHub Actions environment, and would | ||
authenticate with server automatically if possible. | ||
|
||
To deploy from GitHub Actions, first configure the app to accept GitHub Actions | ||
running in the repo as `deployer` permission. See [Access Control](./access-control.md) | ||
guide for details. | ||
|
||
After configuring access control, install `pageship` command in workflow and | ||
deploy directly. | ||
|
||
``` | ||
docker run --rm \ | ||
-e PAGESHIP_API="..." \ | ||
-e ACTIONS_ID_TOKEN_REQUEST_URL="$ACTIONS_ID_TOKEN_REQUEST_URL" \ | ||
-e ACTIONS_ID_TOKEN_REQUEST_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | ||
-v "$PWD:/var/pageship" \ | ||
ghcr.io/oursky/pageship:v0.3.1 \ | ||
deploy /var/pageship --site main -y | ||
``` |
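Review bot: The `docker run` example forwards `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, but the text never says the workflow must grant `permissions: id-token: write`; without it GitHub Actions does not set those variables and the automatic authentication described in the first paragraph cannot happen. State that requirement next to the example. Smaller points: the fence has no language tag while access-control.md uses `sh` fences, the prose says to "install `pageship` command" while the example runs the container image, and `ghcr.io/oursky/pageship:v0.3.1` is referenced by tag only, so consider showing a digest-pinned reference for CI use.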