REGO Permissions Reference

This reference documents the permissions defined in pdns_permissions.rego that control access to SPOG features. Each permission can be granted based on user roles, claims, or custom REGO rules.

For a comprehensive guide to writing REGO policies, see Authentication & Authorization.

Quick Reference

| Permission | Scope | Default | UI Effect |
|---|---|---|---|
| connect | Global | true | Session establishment |
| read | Per-cluster | true | Cluster visibility |
| read_logs | Per-cluster | false | "View Log" links on tree nodes |
| clear_cache | Per-cluster | false | "Clear Cache" links; checkbox in DNS Query |
| restart_instance_set | Per-cluster | false | "Restart" button on Instance Set rows |
| delete_pod | Per-cluster | false | "Delete" button (red) on Pod rows |
| dns_check | Per-cluster | false | "DNS Query" links at multiple levels |

Default Policy

The default pdns_permissions.rego shipped in the Helm chart (helm/glass-ui/values.yaml) is intentionally restrictive:

```rego
package pdns_permissions

# Anyone who can authenticate may connect and sees every cluster.
connect if true
read if true

# A rule whose body is `false` never derives, so each of these evaluates
# as undefined. Every consumer (frontend, Service Multiplexer, Middleware)
# treats an undefined permission as deny.
read_logs if false
clear_cache if false
restart_instance_set if false
delete_pod if false
dns_check if false
```

This lets every authenticated user see every cluster (read is unconditional) but denies all operational actions. Customize the policy via Helm values to enable features for specific roles; see Customizing Permissions below.


Permission Details

connect

| Property | Value |
|---|---|
| Scope | Global (not cluster-specific) |
| Default | true |
| Purpose | Allows authenticated users to establish a session |

UI Effect: Required for initial application access. Without this permission, users cannot connect to the SPOG backend.

Enforcement: NATS connection authorization layer.


read

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | true |
| Purpose | View clusters in the state tree and access cluster data |

UI Effect: Clusters on which the user holds read are visible. Clusters without it are filtered out of the responses the user receives, so they are absent from the state tree rather than merely hidden client-side.

Snapshots Controlled: This permission grants access to cluster snapshots via spog.cluster_snapshot_permissions:

  • cluster_discovery - Cluster discovery and topology data
  • cluster_services - List of services running in cluster
  • cc_state - CloudControl state snapshot (instances)

Enforcement: Service Multiplexer filters cluster responses; Middleware filters snapshot data.


read_logs

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | false |
| Purpose | Access log streaming functionality |

UI Effect: Shows "View Log" action links in the cluster state tree at:

| Node Type | Route |
|---|---|
| Product | /log-streamer/product/{cluster}/{product} |
| Instance Set | /log-streamer/instance-set/{cluster}/{instanceSet} |
| Pod | /log-streamer/pod/{cluster}/{pod} |
| Container | /log-streamer/container/{cluster}/{pod}/{container} |

Endpoint Controlled: log_streamer.Stream - Stream logs from cluster services.

Enforcement: Frontend shows/hides UI links; Service Multiplexer authorizes the log_streamer.Stream endpoint call.


clear_cache

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | false |
| Purpose | Clear DNS cache entries |

UI Effect:

  • Shows "Clear Cache" action links at Cluster, Product, Instance Set, and Pod levels in the tree
  • Enables the "Clear cache before query" checkbox in the DNS Query form
  • Shows a partial permissions warning when the user has permission on some but not all selected clusters

Performance Impact

Clearing DNS caches forces re-resolution of queries, which can significantly impact performance under high load. Grant this permission only to users who understand the operational impact.

Endpoints Controlled:

  • cc_api_adapter.FlushAuthCache - Clear authoritative nameserver cache
  • cc_api_adapter.FlushRecursorCache - Clear recursor resolver cache
  • cc_api_adapter.FlushDnsdistCache - Clear dnsdist load balancer cache
  • cc_api_adapter.FlushCache - Generic cache flush operation

Enforcement: Frontend shows/hides UI links; Service Multiplexer authorizes the cc_api_adapter.Flush* endpoint calls.


restart_instance_set

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | false |
| Purpose | Restart all pods in an instance set (rolling restart) |

UI Effect: Shows a "Restart" button on Instance Set rows in the cluster state tree table. Clicking triggers a rolling restart of all pods in that instance set.

Service Disruption

Restarting an instance set causes temporary service disruption while pods are recycled. Grant this permission only to users who understand the operational impact.

Endpoint Controlled: k8s_manager.RestartInstanceSet - Restart DNS service instances.

Enforcement: Frontend shows/hides UI button; Service Multiplexer authorizes the k8s_manager.RestartInstanceSet endpoint call.


delete_pod

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | false |
| Purpose | Delete individual Kubernetes pods |

UI Effect: Shows a red "Delete" button on Pod rows in the cluster state tree table. The button is disabled when the pod is already in "terminating" state.

Destructive Action

This permission allows users to delete running pods. Grant it only to users who understand the operational impact.

Endpoint Controlled: k8s_manager.DeletePod - Delete individual Kubernetes pods.

Enforcement: Frontend shows/hides UI button; Service Multiplexer authorizes the k8s_manager.DeletePod endpoint call.


dns_check

| Property | Value |
|---|---|
| Scope | Per-cluster |
| Default | false |
| Purpose | Execute DNS queries against cluster DNS servers |

UI Effect: Shows "DNS Query" action links in the cluster state tree at multiple levels:

| Node Type | Route |
|---|---|
| Cluster | /dns-query/{clusterId} |
| Product | /dns-query/{clusterId}?product={productName} |
| Instance Set | /dns-query/{clusterId}?product={product}&instanceSet={instanceSet} |
| Pod | /dns-query/{clusterId}?product={product}&instanceSet={instanceSet}&pod={podName} |

Endpoint Controlled: dns_check.Query - Execute DNS test queries.

Enforcement: Frontend shows/hides UI links; Service Multiplexer authorizes the dns_check.Query endpoint call.


Helper Rules Reference

Permissions depend on helper rules defined in user.rego. These rules evaluate user claims against cluster labels:

| Helper Rule | Definition | Used By |
|---|---|---|
| can_see_cluster | has_matching_region AND has_matching_cluster_role AND has_matching_environment | read, base for other helpers |
| can_observe_cluster | can_see_cluster AND observer in roles (or admin) | read_logs, dns_check |
| can_manage_dns_content | can_see_cluster AND content-manager in roles (or admin) | clear_cache |
| can_manage_instances | can_see_cluster AND operator in roles (or admin) | restart_instance_set, delete_pod |

Helper Rule Hierarchy

```text
can_see_cluster (base visibility)
├── can_observe_cluster (+observer role)
│   ├── read_logs
│   └── dns_check
├── can_manage_dns_content (+content-manager role)
│   └── clear_cache
└── can_manage_instances (+operator role)
    ├── restart_instance_set
    └── delete_pod
```

Service Enforcement Architecture

Permissions are enforced at multiple layers, each using a different policy package. The Frontend layer only decides what is rendered; a request sent directly to the backend is authorized by the Service Multiplexer (endpoint calls) and the Middleware (snapshots), so those two packages are the actual security boundary and must stay consistent with pdns_permissions:

| Layer | Component | Policy Package | What It Enforces |
|---|---|---|---|
| Policy Engine | spog-center-policy | All packages | Central evaluation via OPA engine |
| Service Multiplexer | spog-center-service-multiplexer | pdns_endpoint_permissions | Service endpoint authorization |
| Middleware | spog-center-middleware | spog.cluster_snapshot_permissions | Cluster snapshot access |
| Frontend | ui/single-pane-of-glass | pdns_permissions | UI element visibility |

Policy Packages

| Package | Purpose | Evaluated By |
|---|---|---|
| pdns_permissions | Core permission flags (read, read_logs, etc.) | Frontend, Policy Service |
| pdns_endpoint_permissions | Maps permissions to service.endpoint calls | Service Multiplexer |
| spog.cluster_snapshot_permissions | Maps permissions to snapshot types | Middleware |

Permission Evaluation Flow

  1. User authenticates and receives a JWT token with claims
  2. Frontend requests permissions via usePolicy().getPermissions(clusterIds) → evaluates pdns_permissions
  3. Frontend caches results in usePermissionManager store
  4. UI components check usePermission(clusterId, 'permission_name') to show/hide elements
  5. On service calls, the Multiplexer evaluates pdns_endpoint_permissions.{service}.{endpoint}
  6. On snapshot requests, the Middleware evaluates spog.cluster_snapshot_permissions.{snapshot_name}

Steps 2 to 4 only decide what the user sees; steps 5 and 6 run on every request regardless of what the frontend rendered, and they are the checks that actually reject a call.
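
How the Multiplexer-side mapping can mirror the UI flags, as an added illustration of the pdns_endpoint_permissions package; it is not the project's file, and both the rule layout and the assumption that the Multiplexer evaluates with the same user-plus-cluster input the frontend used are mine. Every endpoint named in this reference is mapped to the flag that guards it; the tests mock data.pdns_permissions with `with`, so the file runs on its own via `opa test pdns_endpoint_permissions.rego` without user.rego or pdns_permissions.rego loaded.

```rego
# pdns_endpoint_permissions.rego (illustration, not the project's file).
# ASSUMED: the Multiplexer evaluates
#   data.pdns_endpoint_permissions.<service>.<endpoint>
# with the same input (user claims + target cluster) that pdns_permissions
# was evaluated with, so the endpoint decision for a cluster is exactly the
# UI flag for that cluster.
package pdns_endpoint_permissions

import rego.v1

import data.pdns_permissions

# Rule heads are service.endpoint to match the query path. An endpoint not
# listed here is undefined, which the Multiplexer treats as deny, so a new
# endpoint stays unreachable until it is mapped explicitly.

log_streamer.Stream if pdns_permissions.read_logs

# Four explicit rules rather than a wildcard: a future FlushSomethingElse
# endpoint should need a conscious decision, not inherit clear_cache.
cc_api_adapter.FlushAuthCache if pdns_permissions.clear_cache
cc_api_adapter.FlushRecursorCache if pdns_permissions.clear_cache
cc_api_adapter.FlushDnsdistCache if pdns_permissions.clear_cache
cc_api_adapter.FlushCache if pdns_permissions.clear_cache

k8s_manager.RestartInstanceSet if pdns_permissions.restart_instance_set
k8s_manager.DeletePod if pdns_permissions.delete_pod

dns_check.Query if pdns_permissions.dns_check

# --- unit tests: mock the permission flags instead of loading user.rego ---

test_stream_follows_read_logs if {
	log_streamer.Stream with data.pdns_permissions.read_logs as true
	not log_streamer.Stream with data.pdns_permissions.read_logs as false
}

test_every_flush_needs_clear_cache if {
	cc_api_adapter.FlushAuthCache with data.pdns_permissions.clear_cache as true
	cc_api_adapter.FlushRecursorCache with data.pdns_permissions.clear_cache as true
	not cc_api_adapter.FlushCache with data.pdns_permissions.clear_cache as false
}

test_delete_pod_is_not_implied_by_restart if {
	not k8s_manager.DeletePod with data.pdns_permissions.restart_instance_set as true
}
```

The last test is the property worth keeping: delete_pod and restart_instance_set share a helper in the default customization, but the endpoint mapping must still key each endpoint to its own flag so that a later policy change that splits them takes effect at the Multiplexer too.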

Customizing Permissions

Permissions are configured via Helm values at policy.policies:

```yaml
policy:
  policies:
    pdns_permissions.rego: |
      package pdns_permissions

      # Required for the `if` keyword on OPA releases before 1.0; accepted
      # on 1.0 as well.
      import rego.v1

      # The helper rules live in user.rego; this assumes that file declares
      # `package user`, which is what the `user.` prefix below resolves to.
      import data.user

      connect if true
      read if user.can_see_cluster
      read_logs if user.can_observe_cluster
      clear_cache if user.can_manage_dns_content
      restart_instance_set if user.can_manage_instances
      delete_pod if user.can_manage_instances
      dns_check if user.can_observe_cluster
```

Production Example

See helm/glass-ui/examples/demo-policies.yaml for a complete production-ready policy configuration with group-based authorization.

Testing Policy Changes

Use the debug interface at /debug/policy to test REGO queries against your policies before deploying changes.


See Also