Added the explanation about using '*' at the end (#7152)

* Added the explanation about using '*' at the end * add rbac wildcards arn examples (#7155) * add rbac wildcards arn examples * add explanations of arn examples * highlight repo name --------- Co-authored-by: talSofer <[email protected]>
treeverse · Jan 3, 2024 · c2845a1 · c2845a1
1 parent ef54cbd
commit c2845a1
Showing 1 changed file with 14 additions and 14 deletions.
diff --git a/docs/reference/security/rbac.md b/docs/reference/security/rbac.md
@@ -65,24 +65,24 @@ This helps us compose policies together. For example, we could attach a very per
 
 ## Resource naming - ARNs
 
-lakeFS uses [ARN identifier](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns){:target="_blank"} - very similar in structure to those used by AWS.
-The resource segment of the ARN supports wildcards: use `*` to match 0 or more characters, or `?` to match exactly one character.
+lakeFS uses [ARN identifier](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns){:target="_blank"} - very similar in structure to those used by AWS. 
+The resource segment of the ARN supports wildcards: use `*` to match 0 or more characters, or `?` to match exactly one character.  
 
-Additionally, the current user's ID is interpolated in runtime into the ARN using the `${user}` placeholder.
+Here are a some **examples** of valid ARNs within lakeFS and their meaning:
 
-Here are a few examples of valid ARNs within lakeFS:
+| ARN                        | Meaning                             |
+|------------------------------------|---------------------------------------------|
+| `arn:lakefs:auth:::user/jane.doe`                  | A specific user                       
+| `arn:lakefs:auth:::user/*`                  | All users | 
+| `arn:lakefs:fs:::repository/myrepo/*`                  | All resources under `myrepo` | 
+| `arn:lakefs:fs:::repository/myrepo/object/foo/bar/baz`                  | A single object ARN | 
+| `arn:lakefs:fs:::repository/myrepo/object/*`                  | All objects in `myrepo` | 
+| `arn:lakefs:fs:::repository/*`                  | All repositories| 
+| `arn:lakefs:fs:::*`                  | All resources under the fs ARN prefix |
 
-```text
-arn:lakefs:auth:::user/jane.doe
-arn:lakefs:auth:::user/*
-arn:lakefs:fs:::repository/myrepo/*
-arn:lakefs:fs:::repository/myrepo/object/foo/bar/baz
-arn:lakefs:fs:::repository/myrepo/object/*
-arn:lakefs:fs:::repository/*
-arn:lakefs:fs:::*
-```
+Additionally, the current user's ID is interpolated in runtime into the ARN using the `${user}` placeholder.
 
-this allows us to create fine-grained policies affecting only a specific subset of resources.
+This allows us to create fine-grained policies affecting only a specific subset of resources.
 
 See below for a full reference of ARNs and actions.