Microservice to bring 2FA to self hosted PDSes
---
# PDS Admin Team — Role-Based Access Control
#
# Declares which ATProto identities may call admin operations through the
# pds-gatekeeper admin portal. A member signs in with ATProto OAuth (their
# Bluesky / AT Protocol identity) and is allowed only the endpoints listed
# under the roles assigned to them below.
#
# Endpoint patterns:
#   - Exact NSID:  'com.atproto.admin.getAccountInfo'
#   - Wildcard:    'com.atproto.admin.*'  (every endpoint under that prefix)
#
# NOTE(review): a wildcard keeps matching any endpoint a future PDS upgrade
# adds under the prefix — re-check wildcard roles after upgrading the PDS.
# NOTE(review): these rules are applied by the gatekeeper; they presumably do
# not constrain requests that reach the PDS admin API directly — confirm the
# PDS admin endpoints are reachable only through the gatekeeper.
#
# Setup:
#   1. Copy this file and adapt it to your team.
#   2. Set GATEKEEPER_ADMIN_RBAC_CONFIG=/path/to/your/admin_rbac.yaml
#   3. Set PDS_ADMIN_PASSWORD=your-pds-admin-password
#   4. Restart pds-gatekeeper.
#   5. Open https://your-pds.example.com/admin/login

roles:
  # Everything: the admin wildcard plus account, invite and crawl operations.
  pds-admin:
    description: 'Full PDS administrator — all admin endpoints + account/invite creation'
    endpoints:
      - 'com.atproto.admin.*'
      - 'com.atproto.server.createInviteCode'
      - 'com.atproto.server.createInviteCodes'
      - 'com.atproto.server.createAccount'
      - 'com.atproto.sync.requestCrawl'

  # Read account state and change subject status. Per the description,
  # updateSubjectStatus is where takedowns happen — treat this role as
  # high-impact when assigning it.
  moderator:
    description: 'Content moderation — view accounts, manage takedowns and subject status'
    endpoints:
      - 'com.atproto.admin.getAccountInfo'
      - 'com.atproto.admin.getAccountInfos'
      - 'com.atproto.admin.getSubjectStatus'
      - 'com.atproto.admin.updateSubjectStatus'
      - 'com.atproto.admin.sendEmail'
      - 'com.atproto.admin.getInviteCodes'

  # Invite lifecycle only: list, create, disable codes; toggle per-account invites.
  invite-manager:
    description: 'Invite code management — create and manage invite codes'
    endpoints:
      - 'com.atproto.admin.getInviteCodes'
      - 'com.atproto.admin.disableInviteCodes'
      - 'com.atproto.admin.enableAccountInvites'
      - 'com.atproto.admin.disableAccountInvites'
      - 'com.atproto.server.createInviteCode'
      - 'com.atproto.server.createInviteCodes'

# Each member is a DID plus the roles granted to it. The DIDs below are
# placeholders — swap in your team's real DIDs before deploying.
# A handle resolves to its DID with: goat resolve {handle}
# A member with several roles is assumed to get the union of their
# endpoints — confirm against the gatekeeper's documentation.
members:
  # Full administrator
  - did: 'did:plc:your-admin-did-here'
    roles:
      - pds-admin

  # Moderation only
  - did: 'did:plc:your-moderator-did-here'
    roles:
      - moderator

  # Moderation plus invite management
  - did: 'did:plc:your-team-member-did-here'
    roles:
      - moderator
      - invite-manager