feat(authz): introduce conditional access control via CEL (#4040)

2026-06-17 12:58:02 +08:00 · 2026-05-09 20:43:00 +01:00
parent ddb6279a25
commit 8a6674f198
15 changed files with 1636 additions and 85 deletions
@@ -60,6 +60,22 @@
            }
          ],
          "defaultPolicy": ["read"]
+        },
+        "prod/**": {
+          "policies": [{
+              "users": ["alice"],
+              "actions": ["read", "create", "update"],
+              "conditions": [{
+                  "expression": "req.time < timestamp(\"2099-12-31T23:59:59Z\")",
+                  "message": "alice's prod access expires end of 2099"
+                },
+                {
+                  "expression": "req.referenceType == \"digest\"",
+                  "message": "prod pushes must use digest references, not mutable tags"
+                }
+              ]
+            }
+          ]
        }
      },
      "adminPolicy": {