From 55b25ab4407f08cc6c1bf9c708eb10c50d763f64 Mon Sep 17 00:00:00 2001
From: Gwendolynne Barr <31074572+gbarr01@users.noreply.github.com>
Date: Fri, 1 Dec 2017 21:20:07 -0800
Subject: [PATCH] rbac upgrade cont (#313)

---
 deploy/images/custom-role-30.png              | Bin 0 -> 63498 bytes
 deploy/rbac/index.md                          |  16 +--
 deploy/rbac/rbac-basics-create-subjects.md    |   4 +-
 deploy/rbac/rbac-basics-define-roles.md       |   4 +-
 deploy/rbac/rbac-basics-grant-permissions.md  | 111 +++++++++---------
 deploy/rbac/rbac-basics-group-resources.md    |  40 +++----
 .../rbac/rbac-howto-deploy-stateless-app.md   |  48 +++++++-
 deploy/rbac/rbac-howto-orcabank1-standard.md  |   4 +-
 8 files changed, 133 insertions(+), 94 deletions(-)
 create mode 100644 deploy/images/custom-role-30.png
diff --git a/deploy/images/custom-role-30.png b/deploy/images/custom-role-30.png new file mode 100644 index 0000000000000000000000000000000000000000..59f9973872eb6dfcb2871f2ff203961e2589a1d8 GIT binary patch literal 63498 zcmZ6y1ymc`_XbMQ;>8_`6u06|Tio3xxVuA;TPW`C&_Z!{*PzASNpW{4$V-3k-+SMB zSu0GEnPJY^XY04W6RxZ%g^ogu0s{ksE+Z|j3Il_H2?GO%{1y@VO9gv(81w+|`b9?l zE%fF4*6h#scWx5eZfcGeZl1<2<}hkj?rv`8E~bH#$S^SPVPwQVt9vaUuX+38-aK?) zOpG4KuhBqX+kxMx-@SFA$AVW;DK5r4?`|xfo7X$iz-!R0Xu2t;C;vUsNZzmcnWn6*cq#qtVs!Kid1q*?{R$5b z<+pcV-u~Yoz6b=P0a48JL2HKM)^XPf;n0b_#G$`uq1RndZ{GNLAJ+^jYv5^UTs-*F zuQb|ooEB{aB=Z(HG+QRg<-xBoioZscSYG^G?GJOc%PBNsApnAjqRURh-adTk@SnJ*J|rZlEp|R1ooQsQIq-Uf;=m|XkQB`L>WvZBF^% z6^9nQ$o}5ZR70DlXaBCAqpGg)HBayuZ=0)9hOb`ng=mHZxxs&Pa^`SqbNBT}eTLla z9hOz?CaEd*nA9li>yPG1L~38>2IQXeFhqoumckHH(yVhSz`+g+fbL%~X9W|4lH&ir zgNsZ{JK2R!4YLT1Y`ktlWF!KQ$!j}a%Be;F`gDy1rprP3fCHww7)F5H(FhY$1EK5# zT5J;rOdAUt=z8mhsJJx3n2?_E8-G?>>*tEWphD|tY7&K+ZU=5Bfoyg4c_Wk08guw3 z+zL2NE8RzTyf5VP$C@OHMa#$fRhWzhowO%6d6^zhBAA6GMqkS8|EcC#(K6VwZvbEb z^?1Acw)rHTSM7E#<=7JB^Zzr1w=!a<4B9WlCmum28{>j!W;cg(LU*gK z#VFd$nwMQ;Vl!O6BBGcg_v{gQ=TBD?ri3V6ou`P?)6-t}8=+It0+lVhT4oj&9Hs+k zn_F8gH}iT#A5Gwslat%;)`84AweTQzuhW*j{go!R`1p8rEv>5;$l2A!AcfjiB^5&p z0rXjzMOiK==H}-6t>g0*dT)x0%PCudq<3o`Bte2Hh$!A_GYqpmj zuJlH``PYTU5w?y=A(zhoB=GJByS3n}86`h|`g#ZO>K9Yh_Y%f)Px73a9V6=5A(Yc76`R ztTP?NKtVwvyc+QO?A2k2&#J#z9#CjqYct1q+HtquO)tq6f=Quh zXh@EShgZ?K0o8bmz47eND^0+=)9=rWjH8a!ohSXGiw4%mXq4!BNhM?dACm&fbH=rz zBQj&)jUk}2}%F1fh z^(4Y(k@lRnNiiC~ZT$SYymjGKQgO3+^T2-niB3bK-=Xf^?pu&U6Zt~WwI3Vczra+l zE_%vt^)lQiWo%5@-`}4V@bX{>?#yOPMbfC_5>&c_=ydpSTV^>U78DfNEmnX1^-H$0 zc@rfeA>khU`VwkP2#rK0gouAu2x^dNh2f>8_s=f_+xn&>hf>=mrLxx63>cw7NN9fg*XR~CP_ z0#Hgo?$iv%WOV%7*ut!NUX#H#}hW|v-;c~%Q!eVWU3Y29WRL~Dq?V2j2hh@FR81mPgdyh+Su4kx@S9fJ*TX$ z>i>!5yQAr1`ue1zuMZOszk@KL;m%;8q@?6W!0QWi>BwRSm7r^RG+(i`o9Va9`iaFW5SRFWUoyOrS4?MUNdV2&#VaGiGBM+-RhHaoK{N zCJppyg~MW)!hQBlYXeskqDtD@gitrM>JK@&_wD@T7Xh0V-9iP;)OXLqOM`y6Nr%Iy_?Q#(25&rkvF^G?M4DsT~fbAUC8ob>c(AtIw89IM54u= 
z8PsTZqlh^77wFQV4z7`}=WL;bPrv^r$j3#d%7GH^al%idy<_n`}*ZbV6rk%-W8hTOnh6Z=}j%|+0)+}xRAGhIU zPi^M?DiPuSW+f`kFEr4nvWbg(Kf@<~HcdSv$%?VUjT^7eQ-^GK-|6w?XYpkO(I^y) zDr)rK(%icl3|h=o>wF(Lk>o93w9|wp1Xx&DizgobSD9dCP0fMhr8?)uAFTtJH_x_H zA+$58u`i<*Gv^S!v(&;zXMyaB0dChJ2H%T*0=LMhw+H@nv&8M!({c(6LUw+$Cdp+X zbvSJw3yRP|dIYK)YCg-08brex*t}C~)GOXjHv7p5@>NN=Zfg{(4;`wi#q?FbyT1m3 zy&ry@L!PzEd1#e7)jJvbFb8JkSWTyjUI+H>JRi9N{;Hp-5V{~s6YuHRl+C5w8?Nqf z3>vk=!Dj>Yg2s8;G$TJ4HY+HsiLM!Z=HZLBl(-1wc8%*yH z1=P>8{d%>5)x=eUByNvYgGXXLG}Nx|S}Q$^pFXDtEdumcH!ekAeRVQ-ay-{tC{rmI zyCx>?FZQM@^nUuPg;7K~tWgnpLNyT3Sw17VkMe(Wx_`qde|y4WB)!WZn!&o~mpGxo zyY|hRP`e!8r_ZBE$}abNK3rRbb;j{ZCZ^{G#&~xsSL5Ie{>E*jddwQ1n zO+v%V#}lhd(2pjhsdmZRQYyn&DnP}V&njJE z!oKP$jvTEkH(p1FhK6>i>DzsejI_LwnI=BKzXe%C?Zf-Oc~IaqGci{D26ot)w$zor zLLtkH$#mV1%K~*-h9&uqcHHCi9%l|{-itizL|{}ud@Kz zV3v>@U-o|M(#GXVY1M({Nivw+VBsTrV(zn@&pFAw*_%-|Id_p?yi3|9PD41w^`Qoo zOoltPT){J&x~v%teV!+lqM74`(IitVgnm|ph^-D;aks@85rwi;YJbD`KH3Y- z+7Rv6d}#xZ>{vTNjFO#>hLiZpjYc4jH8j2`cM3A8yoXZ7fUcK6{|B1y@tl5{TL!xC zt=%OgrOg)D>$I5gN8&%D_6O1|2LGSO3fscIZ)qK~9w{xXF2YcB=Td6infLK-tPTv7 z%#P6rrt4hn?vR;6g9g*95ngwEbqRC!?W4< zt>3mWaHpxC9nB47^y@<^g76^Mj{!#)uz={1O{?)?vNkRzEv*QSkpJ5{LTxupk(uqF zO$S_cjf*EM)D8ULL~34DF@Fc12WtXfOmZK#58f@uO@*97CvD`k*%MD-;fYkDg$oEE zC*lhD;?A*?FyeKaPB(?#F$bS#d^p>(X0RSpH$kK{eru1ry=Pi8L>%>3t@>&N8NH>M zND8&Nqjy+QsqMy!sM&<{2hSvPe!cf(NTcl{@n+1m1CKKpj|FH0R8BtC=?1d)S39Yzi>$&+Y;2|IEGS_1&iPDLe*lL!-t#@s+otAxIaaW zVq27AtE}b$(_{>?s57Zss$Q})=u97m4k`{hwwGs#MLU+J6kdg3b0(1@N0NLe!4V}| zd6V(XDpSJJD3O0Lff%*KZR3&SA9FSvOidI3PaL_#=M)NJXOzc{pnYx)7_&4)%xJ>E zD)y=iQc=dtGCVsBmVNw5&9Yz+9^TJ;wV09%yig`&)H?U(Clx^$ye_S(d<*I$2L3%e=A;_u~d<^ri&m=9Po=MRo^0unc zE-q8^u2}6Mo02L-1>QM0dgPokN_lcqe7v`j@O0DYH%1n5nJ}sOl${#bf$)>YlliN* zx;DJ*_o$d8QJ-rf`xHGL9W0lJo_k;ay!^a};fKU!AxFc`aO0Y<6JjzA<5BTgQ8Lw= z-0~O;MCv~1Hok~>4Fb=meJ59o-pD zO)}$uS>vJk$PjP8(m8N+!QubJ4+9O_f!S>y&c7JMzA$dl?I~?K1^@|C%TUT19=v2V z=9F=>`y*dK*GyHXmu!u>Puq09_ZysSf3VNQH{Ql<+izId9P7#69E);|LT&JyDK3r1FNW$arJ3)>Ow6VXeL9RsM 
zju+q=j^=QkiTD-w>I0v3^VKA=aB8B(#oME77mp3(gBDXEkfidIE3>#wRb& zNwCA~(NBA#2z^Svfo;T+5Oa(Hoku;xS2JV@(?V{+y-sWE&nT5-$p)+$IF*gw!FzsQ^8+ndJ~ZnlhcIz;F*O$t%QP1AO(!JA>bqsx+iC8d_k0t5)>}8M zPAJh)vnnoFd(qI?xD=Eon+!EX#(2LmWSQgZ;-NXSRUeL~4he&B(u-L=kxt2cJ(S}29T1K>Ak%-ziqXGoJYr|0`FC%w z$3v>#{LqX}?RM9q9ml2e-)xId(_T@};kz~Qh9VNlAs5daEj!id2%jGMb43Hp@h!jh z4yvVG1q-_d|7c8MDdpZ8@vkZmjjhsBDj}-Cp>yfunC@9Ar3%c{6^Vv2VhIhWZ^7B> zJG?u0B>G+(G`+pO%fe0bjtN+{J0&0Ez1$Pis;SkO@nC}nv>Y{C}#}=raa9T!K_4J$J#;oXTXth`%GIWVwBygQkdq+5Wwf<5!134jaMw#e&B%kDz8IUfWpA z%od!k_dGL37M8J9gv*zrlaS!xi^N=clZ{>_D;7XW2{Dsq`F7UDp2x#J$aNrh@K-X^ zlsiEBNaSw`^DeKzqlkr9SsfvCCI(z}m8@iHYCsr*#Rt%ULl%fM069z%j~s;+?kvo= zmQ+?+t8}h8fLsz%FuxxB3bA&2sJEufrXWCc50R{rM$cT1V-*sZnwi81hAgOG^u*}4 zhU&?@<%~Ir0bVU?z>jap^to>aZOc=D&LbMiz4ur`iq>Q`uM8B1T3@gV3wXN*h{>cP z58CWCv88l%iGQ5o*~2mYz6ngZ%+&`Bi3ugd%Wo&GyLV}>yEB3x{twHuB3eD%Oa_Zzr>sHxux3Ot@)TF=~@^$gy- ziKgUpgq0R5@0FOZwYo=91URJnxA2o>oUgqgJdwECJ zKqGE*&&@;)e2n=K42`3?6Ox{!ds)KFP-sVAzOyBJ_Q~PbN5V?;T@d3|!RwsM^ubIuR(=~oYv2A!ocs8q2{grAf z+G2{Q{$ZK#9*aS=Cr9gdT(q~s(P~|3BW;sqJ1N`uAYMvMyJVh0dyYeG17XC&oE35#A?DI=36^V#J#B|MMx<8j@DGOm~; z#lIRvrjna$<2fdVMcf4#g(TOQ{q8}hleSNDNd(h8_NxbGggVG3)e>KL$Xsqb!h@0lSP?*g43tE zj7&Sd^DTBeFI+~bVIMEYk^={6(D+6})tGE_k#^*MDKFF&)Y0{Q zbHmg7q=GA_l{@l$z!tEJaI_;&iXS?oHT!ki%xu|5QIIfZymM=3RPb>5j zc5^@R*sN#Z!I#gABYj?0w&Ize?&^M7JN}A+g4LPx{jjXWZPDo3+w_GjvM__GGjD^YzA=~h4)szN#Wu^+N~8j3n*_uFA6Y$=kcBOKJKF(oIG3<6O+1we8fZ0 zun!pA*nIBKa`_c!A=7)YHPK_yq|)Bi3_1fPcQt32%cXAKJ&;IU@hIaZgLZbx0Zl0? 
z`Gal;Kq4HRk)imai@DTHW%C8|zcG!&4e7U$KeN1a zh)+DoCEpFKXXh~GE-(EOJV;ZtI*~zz2`qD?vSY;8_>388rmI9i?NiVFGAi3V6Yl=1 zY8YU_VAM~PDxQ1I*?c>N%1_tfUCLs=9JEUCf^n77-hWjfQZ924)p7H=FxEQly&bjR zBlO&}$W_Wyb~@_n?8U`*@OE?uhN{ z@SjSg>oxDs0KY~pQ^@D$j8_Hr3m7{XH%iY+wb%BZvxe{Mm%m^kG3|2oo^qiLVNOlYH^Tz=pf{IuZy z!TlTHb+%uqhz^fn60ozqxz(jptkgJP)R7)D>x5PF#zMR3$Daq~fCUjFsL zPI5+Tf)@sin~9+mMl#EA?H+!G-?r%aTliOj6KmScEU75$^5+k}tKNeKKZ`K;FB?a5 zt^@=d_d@EA>iWYTR53FCF546N|UO{f9z6%e8imt15-oc}KLVTU}9d5)`odT!| zoO;KP<)y?CE+*JM5qU$NS$}0a^;yb8FXh-c^uS+qjfxtY{Y5~Z`kq!Pr?>6wDLEs9 zm>FL#azbelCFk<_UuuEdVtjn)%`4828T4!hHMZnWZ>M6Q#~ouz#Sb@jNqB6g=UQA^rEU zc_ZQy67lKjG7lRdY&0xv8S)$&AwxD}V`J>U>;LYHTS;*-y$*-MH~EBrBmAHFXv+Nm z=Ci~u5%!M7pfw2@hgSOi-{E9&LEDKit-cIgGh8aT2>-YT&$Yk0^8;{O8C<;INXOJW zOGYFfh?x*(V^3{nY+c;7xO%@vFL^OB{c-&oD%=${b~Ehkhp#j0c)8XbF1_#$9Y=~j z1wTnWNlx33PPbZLcGB7Ws&Z>s<;dq}o4qef=-znk9uz4_TmI?iN=r+BnyF_!TG*Vx zud|+^MM1fRjmuch{2YV`HK0^1@>BTV(Mzt)JG+^!^<5eOdzkMlB}F4mJ2D&ZLPeiA z=MI`CZN-}sYlHE?W@<(<=Gr!HnS*`9-c>&xT_(D^^nL3r$aYFB&aI z4;Xge`*YTcKUk%oKx`H3M%9w}y#`YuIMgHq=D6hg!d`)e!eL@h3uNlOJ?cd|KR!G* z>UZLP%D~#EqJvx-IKf`>@rUu8WE(8jKc)0(|BP+?z6p4ae1Mi%Gs#-mzSc6c4Qz>>h_kQFx|6{T+jGy{$dCt0&fssD1??%kWBCu})FjR`UZo096cWLm) zq{DDbc77#8pIIw+#IE23ar196VtZ{`3vwXTcE=<}EX*@uWF-D-+G>0r&_e#_q(iQv zpToud%dUn-aDHuqjf8QRgX(+{+nQs0dJ^!IdM5|s^kgR>p)!?3LdzWy*nd<|^dqs$ zlMP8u)_?Nu70N@fcudy%GjmTJvg{loy9_>g1%;iBP;vp|H*(U_-40FeGO*4&zcfa@ zuM})-R-;IGV~TQpBJTEHqW`@Ae0JU%P*K~m7|(RfiR;^V!CdcmH4@E%gDk!Fw2`&9 zhCKnY2MF$b10lsqQ3amWyX_Eq^pdQKZ7`4m;v#fu@27tu@X`4?bysCSI^VIh?#2|s zwHcZX^0y5Kh-M})$jY$tOti*?TLK1G1Lp(2v)=pS-x+u!f7G|7O#s>xa}BuS!wC$={9NbNJkXvUP7I%wpW-0+?K4P= z_e(Cda!+(x`d_S4g*XSXMUhlgRKx|j{%4V`y8iwmP}YOGre;EJF4+8r9!03;@%@M# zZg~zP?o3~i?nf>XEY0AzWr07I&Pz0*KOL5sc!&3Hm0?UG*QLOzC2zH+0W@K#oS_xQYXL9i{~~gz-9X^jcktw~8;w>e3c{ahlaN6`CEvX;-&qW^ z?qFO%T=xf}VkJ6k55Ig&dOfo@^t&-OJbA_>C)E%&s9_FO0{bWP66~rfo_((np>z*k zJi8sajN`OLoM4UIxCDy~I-PN>Kh1!Ia?V-Vlw^)Sb?LQfiEi&HOY8d^)ztKH*iD`@rlmEAqa@_~CHLzHYe!P7 
z$V(dZSby{qv7&?Ew-63OG>HGC-|pqS6$Z-32}NH|6W;qqgYo8e)R(y9acGgTW4S*k zT`BPeVkxK`fo^}U9EHHSC~QJbv=#V)Jd)mT2l-NTEo_h^eCxXG0C?u^7HfaMD%WpH z{Qx$Fp+2}82FS$N`}pA{Q;3Y7w%8W4AhA$JCJ|W7FyWp1j`Z*c{5-#kp4E`T<~bF3 z1iNyp#48-;Ji`M;*QD(m$ZXFT(9--w*G^uk@7e`FlIxGeA%BIB_naED%S!C~jSxGT zEtb@I$qv+VEI9oK)kJa{lH4`T^rPcZASm^)MXT0--ru)xlkeH)@%6No)*U`l%XTo5 z@BSKu>##1f_J+Vh9D5_blIrBP>}ZRErqQ`g`)Sz6hLdeO!T5$31o)Nnh3%u58ef8- z(4n?F_j(xoV^L8e`A^TBEPkPv#%NoL^zluiNIg*o7t+{H-qWEoDT%nY4b4WoCDeS_ z4|`*;IF4szqtUTw7B6)qohz+h_C14mMlS7)UpC>cyDs=01lX_$Klh!otUkW@UKXw@ z`h-0@_yhEhbvv^v`jgcce5SaOoc%%*9GENybKunH4;M`yIc%PEuFC)@mCQiOTzi(H zdDO-*zQ-7m$eNP)Nm(5g>fKNqM{en;4 z2%kvvE7L~fhTfm$fhBqhx$Q;;KNVoa6r+u|dT}wN%s=v^8)MlIcAh|pe;Sa*T$qJO zG~ZjyF!JmrtCp;U$x2&Z>*)N1hm?Ji%1wV1qc6>@ZAJIf#U92*byf z5A8Yt3AlJb7|efHUyK;cCrp%ivEw*B7h!egTV6CN(!#$-{#ukq+r) z!)2p47)tkzi;IK#XU)O!>E^=c?#RV$EMyK43O1pm*4@fYEt&#Z+Y9X_L|Kg=lJz8c zgKMv<$s#v;ib5_<=P$Pu$$4mCli3C5A8%0Y` zxaNy3Y131v~w9X0A6u(0Jx>BY}nT zY5-4oxKyr6{|15o*!V=Ebn~;hiRqoI)2+PAS;c13lIP4Ax%3ywb&*v6{NsP3tMdcW zhJir_bspIM6L!;_)Ki$pQjy3>2Dh7I$Kyn@XW-{xhhsA^YJk~bxk%P+8)psI{94d` zW=@e~DY|1inUwU=F@Z{p54z+oj@eTsX6Ztt@E`Mwt$5Y=sW8^Pxh%U;p1wU!EUjru z*0VXcd?D7%*Uu^x9$){q!IINaq%CT_%P*Uu<8`oB8E%uYsC`-T%NccmRRQ?gQUr!RZRAOl zGnB5f(gU(4o@suv*6ZL1Yl$IpNoAfRk`@-+Hp~)qz4-2NZL>2;SyvT>VJj_;92rkg zyUAbpi29MkW!B4th1H{6Z{(2MnZ}UoE!}Tv(t$;75{yhmopFJAHh|bF8|}w#LlSx> zXHpyvsvZsL+d>6q1ClYefg%&@D_zmxGW?qQZpp`?i>T;%r?aJ@h<20GXR)vbFM9p9 zu(^KcC{iHhg)Z`v?R=e^J(pIL691(?_mQ6W%3ZA)=Ll~y4yOgIW&g?~lTD2TJT`;< zg2u?#UO2CfUoEJqI2MI5uN|$wMn}bO z5s@L2H$~HG`zm%cmw2T1Psq(tEun`QeTiAArmg z@<8`lRbBmv9KI0bgZTYZlSaq&QOjKKmix`}cR4fjj|hzzgH<=3jZ3GE>to-~0{@tm zzdV$Zcn@WT@j+>ebz4wc7?gGj^EEy+*Y8%RZUT6FJUrol%bAxS>$ug@04eRMGW~93 z;_|xB=fhXw^^B;=!p^o-l-Vc1vMMSN17Kks`1EFNaJe^Q>$J-{gPu{_R@g3Am_$k* z%^8~9k9EDGck>=CT+JOXk*;?}pH}FvXk?sj9^d#t*#wIxw-l>a3k>{;bh$pI&T#R8 zfv^tE7XuzuG72YtqiyU2cz7EZUSc9$lwZ@bvV7%l@NnVr_2lH_>~F6096C!zJT)Cg zZ6?sj>l^|8A(U0_X3t`RSXx3d%a2UM0gqyN76zZ|qSv7OyZe&JVqi|uYp^iP{`v}N 
zw`~2p6Q}~MlH$Ce|C*Aj;U*PC@43-*^WH@re+~QVb<{xZUBD^jX)xUZcP|DS^;4mF zd4TiBG{4X z)W?6E8}Yi|L%mqWCKP$#6>@^`VIKwDj{zY{%twCIj?s|?bHPu#6T3Apb6QIYPW+q` z=A;pJr={+^$_`FGaenq<5vQ{af9wUE+>DpS;^+{uFQ6Tisj;b5B*wif+!Gu~-- zjY^}Pw+dXWJAm1NPf#DfS10Z)*~|~AEi%F>*kONP(^=jeQi~m4%CZg0f|Zr|P*Y)> ze;e0Pl=4l5z;*unC&tmU^_cl;i+mvF67c)k!xmA3)tgOzTXD(&K=Imqt~Itx|EqPE=1-KxQ-+Z^45 zLH*IiHxdQ+9t>A{TYuQv6YUVvQditQklc7#KV30ulGVJ zmW48QfeR|&N?f|QFE&C?SNUXiEW|zc&8FTS|HKTOSy46$?za&g|6g>Gb#vod(04^Y zYrn!k!X&rTuj(kVt!zQ$tNkhqrE0e9X4t+(MHM`Kj4bsvO1sAkcJj@dVj`X4s?mwD zD=@D6Ln|cepnALTqz?J?(LJIxN-_Ma!#`?Yg|A+FUTQh8kuYd(MmY~Y`tm(XM(2Tx zRqXiBgm?fDIov}j3J>GWNiGG_m~Nkijg5^z)lX}y05l0z+OPXxy{M>nT8b40-ca?7 zXn!UfQz+M!)wnJEo~vcQB>hlY(3i#i1FnEJ@xBeh0J*{0_Dhqnm?_w~b?8^1NFc^` zf(h3V|1i4kG~UEs`8++hp%uUQx`6xiXu`D(P}-D zs0Cohj(XPC8^HR)W= zggD76;NA-)_k~q_ovdNd{NB9F>Kka`D4tAbV;H@$0fz_F~b)5!wbNtPd?$cJ zu3e5qEG^|wRw5zpmn7`;O@B_5dxNw|MhrTjVTC9GE4RIv zDrQ-tUq{1s*=)8{;VQ1j@*1*?1GYh4wX}fGU`LN?_aj>TlOf8jr${0aSp!Nd&KSy@ zrma6Z=4lrn&9gbRVM)~oS^CkX;l9o}b0H8@2N)#n+KN_4^yFM@i@OJ9Vo?79XC~#- zISQP=tvu}Ig86EzHx{9Fx1g|d+Ul63e=-FsqC>fFO;t!FlH}Hm0x=@RBYL$B$`Puq z6A3F37rPIx(P924Yg#PkO{mND`5PQ0MMtQ@_9Or(u#-V!FJy0LmZn` zT4g!CL84^6ZUuCE&9{IBrRE!WK2&Ux%VOuvxx>dpX{#AHY;c_Vl6>Q@kQB^ zpFh9JWi?zqz25c&17j63JNq{FS3A#uM;by%x4eS$Zet+CKbXwjeA#vD3ojWXnCH}g zIs`C&+SU4xD;yFKvwzrx(Y16xSz8pg+KZ_Y&Vw}F4~C!=-FJ@FigRNzI?Q?Dqt`0U z?V3n>2Zcl4SqIU#C46N){BT$G*p$@k@%P93tt2`c>~^;l zi^3-hv+@Da#%gfxghyvvkzjA>>}M2bJF~&0%!{Yv@Wm1iyaya?dgI z^X9^jY$$y^n}}$i>{Bx7fATN}b;jFM2fi9x2+^_(~c$FzLUU1Vlbc_`B(CaG@NeS+E z2oVpN?D8-H@A{$7R~DOwIjfVZER#n>3ZvPErI)28=#r>7t9-J)vRkSV;yjt3`X!K2 zi7jixooA94Qvw*o?ZOx=6#AA@f5}R7D>m@ICaI_)6n%!G(pb6lFwdV4mAjMrfh6NrP_JmE{Jo&iL1G z(x>C&KFaQ&GKu$Y7bbuB)4x9l1)esyyX=$>M5_sKZXGeOn!L78E^w@ho*8ViwZa2U zq~^VjKTiP9^0rICY6teCn{jUIBzC#(bin51(|C!b7jxP<&8bAkSF z0wY(lFJ#W26SLF42AbnSVJGRcuc{qzS}g=}HZ*-PG}fy}$64-lZS4zKsl?$bw=C;@ zGBg$*L5nh9p#Wg8!5n&STXl?Js>7{FU$pFIcc5r(+nswK?efJgc`r>#bkyw6#v?(> z!2YrdJ|E`*fkZ#7#IP_S@dJRxW<p 
z-jS8A9(l52Ej6Y_N^0{QKd$3~q<+@QPJL^x$Gd$&^7aF@H)q)bn>jT|x~7d`lu3e) z)v2bA4W!Cj=Qd+mJ{>yEJCA&dvO3<0CS8wopodn%fZ^g%ZmclN{wQhFEN44KGG0vo z`v^OF(F!S}>D#m}nO;3kBxgZ(tH5XA^GP+~rU}>W@#1LZP$!=-Ykl7v8UejxlL)3ZFhtrj?DaB(Ts*pK&W>2X4Pu;izJ!M6RXytlXj zL80zH-67P$2taxnvM*2n(|IguMa^CNOgNw8SB^} zE;s#;FQ#Y+i8dxFWPn2>;VE~%S{%O}`SH=Wx&xLBum8+gDmYtich7aAm~Y@FqMO}# ztkcGD*(;0;PoVVlvz9s+2sBqjL+1Gmg^8z1OK1IRLSD1tC1zVhdzQ)wO8dVk_>1hw z5#Su$m^Kyf7lvD87-bmnTq@7h4`9WMx@A9lPMisRUBn9qh4>rz&HWD<-)(=OUGcQD zoPJ0oE@I!?b+DW})F{`*lO|nv+luZR9CX+1y6xmf?O2}M^s=2vd2?+;00d`9Jf7vA zXiLhXDqzAs=Nb?$eCVc_P->wQ` zVoN4Gxm|7lP{~mk2JBs&ydhXLanAB5fb&ldM(Gp2*NXas09M_psGdrM6Gwm1 zuMvxaAqxNK;uS!l(hUf=(+d@;ohK=crdJB>gV%VMp5RUPTPUvJ zL8=i!pYBeFFz0a`L>K?k`|Q@#gtua#aH#^MFOH$2=59SP&9V9AO2GO0+(B9#687yS z%l{6#D=O6OU4$(Ds`_Y+l*ePSq9 zC$CS6(GAcW%~9|!ueu4`ea~o2ZyAl&S3A}!AOY2KFYkkVDb;3QPFvBHH!*x1bZGBu zS{s_V!gmUHj?V*GsM6!ZOZp@mUsfB4Vm(f6%T8RDV<`tbR0s5j_?L-!Dgd%El~~Df zJ>P0{ZUk8d6FyR9_cmlcl(J{bz{TvOTUW(|bZNIP*7!3dHxOev`|gwE&gnNSZ6a;zAj>7ke;BQ z_EBl~o-wc``bd<8Rv&$owPcE0`O^*XHMc_$v#M0!TI9uDT9J4NhPE$+QvOSE>hC#m z5-b%NIdN3&NNs1>iU?i%eLSL4Dva-q$}K4KWyS9ev6#e|zM#S~sv@*w8_GEuCC$ct zr$heDFT-?3A@lwl&f7rzbBK42kp1lv@T6nj5dP8?J8}(HiK7W8xr9D zbOCQ-8jelX+x?ddP*%PT7^J`ioaCAG_`b-@;qDYFbF0xDig&^iOGsVp@Cw;`KVBak zFV<{<*C{%q(bZz~I(%*_e~5)n)3PMTiadrHSrefWu!{Wr;(5H-vOpXL@YLD~(x^kd z+Camw)vGc2p!BqXdA!=fd07=&qd{rvM~!o5+0(nwvYjAz%WrtQ-uBc5FuZEWxf6YX z@NX)K&g7Pd4*w|(hKC>U&$NZ@y}O?TX3|LCE3k9Ex0cdqiU{!%Nzr4|be zww+w@suu%mkEpp5-Wf#x7hLs_|7j;%v{Foq1; zwxA0S*LXESK@1wr70qq1U2wUX)0$~@KYC8#blsJA@zJ0B4m@2(0K8lQ^f`ezkr6Rl z&B{b{aDD|D~*Rj9sUEcsr1+B+qA`G43zZG@u!PrRH*1-Ebe99MYpNMX$^ za(eQ!{U_SJue57iK9KM_(D3l2)Yo(QPnO`cw6ui!C7DAJ?o-1RWq~0;*MrrT2ljG~ z>QU;M^q`wrXBqXd=+dpsn-xW&@V>L`?yg_FwTG_}4~Dw<3bBu^WT%hhOlPa2mS>;+0pr+#%|mRe*=I~OX) zkCq67Cyyxq1dw?O0kYqXg|{)bG^%mkxyfw+RYK`9ANpCE*da-3_hws&ovRP#9kxW| zT36L=9`Wf(eL9v|iixxeF$XVBvvz6NGWn7C`PEc_13ZUS5coSK_P#5cY0>b4P4V6kcG!At-+TTJ^C@*mWoZxNN9W+E;N3(J zjm&iXA#?}u%GsW~SU<>oq0+#Y?GS#zFisYXanXMM+WG&m_m)9%HBs0g1Og$!HMm1? 
zcZUGMgF6I=;I0F~-3E7p26wj*+#P}k9oz;V26pnk-@CQ7KX$9O>Z@~Q@%{kj^I}*kwGRW3eOM)r@_Kku2#Zgu>vmA_>K(|)X@kR@P z=f})uzs?D&f9hx$u=}L`Ey-aKl95ps6c#>Qjj`Fk`KR(amXU>pmXUEZ>~rvY*xl|I zXp(Nz*Az6$e{Oek^nOWzB@pamrdZU(w{4FwiE;YHJk9Kt4*<9of{VyVlQAZd!B!YqB#`G@2uqBcK*M48mDmbKd%Mi zCT@NIw^S5?ib4DDL!`~UKKxr^p!z>@NdEtd!2ee~k`!oL)0GPIi12P({rwOZ0U5n9 zF;4A2HVV?f0&vJ+m233kl_==2&-5LrNsE;mQT}Ct+lT6|TfJ}V)Tp*HROqmez+kBu zEbl;qkMGI;?fPND0y<_Iv+ggLkJ{GB3zhwUuyNMJ`Lt;X7C&K{3$s(hQb!O4_nCdO z{rf9`Y^WHU<$4K)1#c*goS@?02D!dx0)HF9{sm{#wCBnuTwr(~b0*s9765XXG ztbvNFsbYV!tE=P$^^UCJ*c--f&+e<6(hQ>@BdQR+WyjTc^25F_pugipYtfZ%~>0@*c^;(Z9LKuktf{8tcXIcPhN0tj17 z=^Hx}#1vb@SZ5ZrG0zIP+Uto@v*oW90q(C~$GUj^iEF5M)jG9d zHF{0UylJ4=>g+l@)sb*KWoyXfwbt9d=g4Jy$@n%ZD0wb|_jGdqsG>b-<2}W2M~(16 z|6U4aS5O@WE{+N}$Uro``?OsCgYJ!X?&BEaTi$aTR@zuHF(@HGh)3`XX<-)KT(c&% z^+M*gavkn9`PhkyR$X}k!G!IRzUufdZA-A8KP4?*9ZbKH+9xp*=1R%c-$e6fp z5wnEeegNuuY}Hrz@ca>k@z=1qrwOeFCV9bqh3Uj4FqW8&miKf{@lqTEMSX+%-i-3G zftqM*INWD-SV;v!%f`eC{zS`ff4j(Be)7A}A=B$jyc!%q6!pz3CGU(@AlFrvQ-a4M z&Ujoc^=9Zvj~a}m(Zs!48JBx{>M_cP`!eTZq-XF+j`p*voSZ5Lt+d2wIY_kz0)FrB zGc>0-g@K)htsvL?3g*`fF@7$-&p$TMG(X98$7t!9>Ix2bTHU4X)YOphg2))^q1mgOR{ic~8PMyoPRLGgc3WO)^>4DGU2sk^pe}TeP1$4%o&QjF zeWV;+L0busnZ~O)WMt{u}#8|7crj*z`Xf{_@Y9p-f4(M~K@^MOWm%+O&64%B^Ij(5Wt$)gy^cgv+je!@ZU&gE#gIls>>p z#A9@qgZJ6Oqv-+_}FXc~y0ZsKJKDMp6)wB~=|A*Tgaq4?J z0kZ(1(8C8!AwgNbDB90;I1wU$M8=|nG~iY@{4)a`m!OTn`cbIyW(j1ftr7?KY0tv4 zMuFydTXE$KT_HHx5B($Uv|r6P_Qd(*55EmYAKAVEe)YYTkMekx!ki@bW;!7Uv8aAcS3mFU3{tL}+729YyBM1$!&UovHePPZbOj8c zJ2D9dE@K0yJhiH7T7@(!i~M|PF%{G_`b(*%-%zB!lZ`Rc zky-bMav!aSfgaCSNU7wX|1)`agqAyAu&hEKP z-Oi0UFuZXnH2lxj^LzHpY7H>*)*<_WW9J3tTAG@qsxaidG{#l0^+w3PGk&@qf-Ec2 zJ|Y_|^oZ1mTzZ~$?X*;O?Ao<+2VND#dmY;!K>qM#c4CljJ{ucBPOS_0Ku(rBrW=_L zL<&rW!>vVpp!p;OUa@m41AYK=gVl4YZOh&F04>fLJc+kUl?D0hQxB&D6Q{;7EVIe+ z7Z@DA$C=0oKHphRRevuA257P9iu>QphR!I>9{8%x!z)-r<~qE;AL7cW=>3|*(b6D~ zrQ+GKGQdM~dds)zL0LiO7h60>Uzhx0B^$t_BC0bSu&(Nx)4yl{m<#Q^`D4orTO`LK zw}Y_O4`)~tji||}*xj+sUY>{w$^EJx@lnhTvL_^BFKzvZq>!wx9)p?Qi*40h-=D@? 
zZ&YKbh`zZ~PM7yW$R3@Z#QsEA08@kiReH2gVIv=~NU*W5Z^g;y3(azt)RFPojN%aM|DV2!EPM#6=qISMe_Z z{o2}^YVP*Qg<#|S&42im6v?>$CJ7BUy!(}hgd*2Uv+dyBv+ktWqWv~l{&&;yM{ND( zVrj|b3HRjx9kqR5H5y<1OmeDh-+OmYzo*}FIVJ!5IX>2pY%W!q)YJqbcHesN?ib1g zIz(^k(eghOShh7Pw)e6}aQ5(gucIc^OwZ7a5;;@@N@_CM#>q;U=MMe-1GZW{C8f`& zm)lIn_Nasp@@~!a{|D>Q2$q6gB3k!NNLU1+$Rn!?3{XGf<3-#gKl#=2`0o1UIIU`X zhJOHfk<{(NZIz!MHdVPZPG-|rrLW^@$pPN4Vol>gWA!?wIZ|MR_EYJD|**O8~RmzV4PoG zCoC~h@nr>hu_pO%iC*KE{-|VwYP-5b(B`+bZo^OI?jw)1Y{0xL^~WOFK6=NCi?w(Z zgunwGHT`CKaCk-$UzMQeSUo{Tvnl=7x;DLQ@3*|^CYyxfhUfm{EGCqXvWdw+8PEwi zFa^5{0*gYYj`BySx54QGZRn>$Bk?BuCG$K^+|LR?uCB~1cSv|WIYQUvoD;O*(sd2l5gDf059S4SR&mw4fM1n=TIPb3G zqvA7Ep$`A3uQR#e4$lH_?%JNmrEXTi)cNL|gUt0%-q^djv%H$^2WZ!MRC_>me$f{~ zaB3yxOSC*tZDp=Wo3Fj(S88|P`XqQm(@?$5JAiPR}Q6akUpubnR*FoVVrK1{<1 zSAuUK_fHSE?WPkRacuxK6j9utiu?*YL?z@5^psq988^Pc#@Vl=Js3-LCD8mJeIetj4rUfB{XkVDk}P;vi3A~ z+4<~!)5i2XI6KPSZfU6z&_u;U^o8D*pwe7_43_F=#Z^sOG#-_3;M`WNtBNUuV@K{R zyUDr6*HOPNK{{_y(2B+Ul(hq=O1&V$b~$o<9JSrDzkVy0N25p^kh@G3`13Y)T>k=N zo0HQ+Oxu}ZjEKUg zTw>;)aVWG{Yi;XtpgWhEL1^9> zVG6Chye9360j{*X_|Ya=c8=h1T`^PuI!&p$&PYZk8hB@g3yGnR&k5tn@^5(wwDUgC zZRFg}3yGw(zA-c%172Q}-@bidAiO^Gg(oPIRn=)sg8STRN(o-nTwKk$vVumYSt(jg z?jto4Vov6byPLfr5u`!I=G*)ez3$8%qtCUdsrMw*VX`x z!g%4kL(V-V96a7!r%{BCa0I>Ans(CSs zV8C;$B)?)gU9*HSVqKpo=NY%%jpzH^^tp9gsRX*kK{i>F^Xbg|CWud`!|dhsuWdsF zwuho;sV!FPDIC;S9C~wx1WEAP84R4Hm9Te=Evz}|tIV1a8Le1>$u0dyKUWK!Qjk&B zy%Xt31LE(jCb+q+*6+%lJ=r4NiOieT%=jZ?ThHcJXBfVj4t?kEh9u`*sMCnf`hyIR zp6riAU`{X7%9*;D!_}5gnvkP3MCzGvx1{vM*d+pIKY1#1v^JtBx?_aYQ~}zU5OntU zu&hed6PKqWfWsUppckX$5=wgaRVERD&MjYHd#6}`%g8W%lu~St{{CancsaFU1N9nA zql{iG<~-;&a4Cdu*VufQX;rG#WHytR-r0uJwtQ;KYI^wFN@wOl%Mx0ze$(JV#UvD* zbVf2t?aJlV?s%2kTv@H+aEJI7xpQ)Ms^L(b3kZ%4O$J?qPAqB~4#4BUW!bIkq`!s}p49n3?KQs9hgY#hmqr|Y;k#Vh6Wd)V$C%L9EX#7#%X9?dy`}LW$Ar6Vko35& z_EWBbb|qzumC9#grlT(5DDnB;MGN}9l)8SNC{ghaKE;uv6uX19qz$DzQL;}{#VR{I zolhUdqvr6XUMs$ji0EOkiyLdu@=%y+$?lh}~a^IZt4uTA=V zl7k}rv@3**h43AY)OYizJyeA{5pA68lAWyztvBSjl@;lgq5nw#s&X(IID>tQc7q`( 
zBptK(JMLurse^-1g%9pT80bA`ee(01!%pR!_<9qV-#EQKsv!OS8zjnNp%xJ@Vk_Fm zOd3+cU&qh=6By87r^!#8L;YH#HV?y96b<0FFQukr{-UeA^H*t;QN zhzR_Ed6pP#H+6<%no^Pj>Ve+JoUPF6`Sm?54N34BpVM5B>Ke~6YVLU!(bmS4)7Cdo zMUTSv=*&&L+S+M!Pa+>hUb*#$s5k@}&N6LILIiLt6k{sEb0^Ol;1CdoK3v^!Mk>yz zz2S~PyF*@hzGgm2KApE3FyB4d9^$TnxZEs~7()l~$NeNnaTaYV|BZ&ClP6EW)$`Y_ zWGdTOIDE@&6I~yp&TxSY=*n%(8t9WF@gVh1ck|9=MFUs;UYZKj@`J%0`5^$1gJ-PK zG_nk6kc&rReC};DX<;vI?-U0yWr#BS)>yGUHKw;(mO*M%K1$$Eu+X@Q)4z&kI$Spu z9f#VU2acGVn&a8|2@fGS+o-;BbWX+eNMsu^HH}fgsa%w}zYK0RsNB)dW z7AWLIT{D$FIlcL`PMwwE!3uFGR^2O0s*C%+-X0 zFWP7Lj^at0HrlePh^E7b+q}zuG2+^Y@5--+;z8lLzt9ui;`XPi@LHEgKqQqQ5u=9& z+zh1A`1Q<3Sp>YFx03r^-0|~tD2;MG*=2klRAu`>gn2Oo7{%6T(NTgN&m(r3 z_n<;m+&$xudi3?csHhJG#0zEWJFIKYJ6YEOCwM;bLU+@TxiFu{R{?w7M=cs4HbU>` zH*e~W*v>J*I~5f{Qs4R;4%S5iH5E3NU-s!Zs^nBQ!3v7ox>hqBxJ5rGg$nxn;Uswd z@zQG9GBfHi5^IJvgLTMBQ?Q`N$yvnC^@zvV}2|Pr- zY>A%kHdG=HS}Ty)RFO(KPVXsGhHAoKzAYQY-5NPCYc8p`%M>=L@Jv>c7H-KqpIb6} zY>5(c*Mt4L>JPmV)IHQ!OC+ApSm)Em3+uyq-$N<)q`fzHT zt@+NPNiTYxLLX29IP(azgc4WVay2X=L*qtmN%J0?Vn2NO&V6Y`T9iREc!{!IJm>BR z!S^`v)oTxE3*ABWr%l)mQIfoVdU9$>zXd_3`IR2Ew+}K`Ekm;s0902l@D26biT8Zz~!bpG^ZbZDr7wUIz~NfsxFgH*XQ@A}3}CrAS;Ob~PCU zk3T<&pZa6k6G7?j#2PGBKIo|qcMchuoDveuHQ4NeTK_CQ7qO;K##DvR-ob1vGovjOw;*fxfal*H*GrZfuJY=r^m8`q)&iRpiY6yLWM z^~O89+^xP}68Y5ol;(9fqMr`9vRLD7oRTJIzg)9@EJlJRO}cf1n) z%ZLO-Q6M zXz;U|hFn&5pzwUxB<|Uiw#yw`X+yK>E9YdjR_aKwV{4*61Ej~o?-otbLeO(FWvFll zrN1ue>fjcYNW^W^W`>7l0VP8HBE(o`Y1|+3v z15fn54+n3tHbHx03j3$2>#beN#6@?4X$Kwnz|B&Tq+^?gC$X4qZAXpJ#yx4;kEJgm zGoBvHo9 z%(05CBr_p^bWWu^I+AamPt*iqEi2L2^wyneO*_t@F_Fi$6)JwDA zOXS0hVNv1|L{R*nR8OC)`}K9X7^iqpSd6(@UTIrL$KiK38r|A!5tsH{2dVi|Q)COg z*a%0zlcff8p?)6w#!YwJzSZDl9GEyA)GVcPQ;9xq>W3rYeq6ql-zFx{4ai$uwZs$p zuxf;&ghSl=FoZtZOkM@3gH3bHP5#G=mO>i2$Cl+b@bOffK%C+Afiqbo%4L5);yq_) z^ySWwkiD+pn&fxP5J^O_RqhEadxmQTiX#TZmxOP8y1{ifd+I%SSVQiuy zl`iN(=rwT{Ng~2*e@#U1551s!Bt}KYC_qR1a8Ua?9Ae*aAk)vs&yUET2{FBtOX z_IJ*z_QB??NmHT#H8MMLgq$KJ?Vh=wXJ<@D*lp3GD1Cpn2QkLREeTF8ga?6co#d=8^AY 
zMv^!KeDUdwDVCCw4n}fdoY?c;Mu)(^aVrbkjTVQSEVwl9qbNBzX5ak8?EMmv-ruj+ zL4}NhR3Sr0_6&h(L;Uu-e+{`ymr9EI9=qSK&+(H!K?RJ863#J$`Vcl${;`wVU@ZMF z3{WY+v43S_EaY+4h*d=Wap*9`7w~fU6OmZ@FKykl|5@4pr^L?8MDhl@rN0(4heb@^ zAN0lAF@}a{*<{bQArrVOQ18D9xGs2Y_P*nhL}t&Ox|i=CFTt#5E;UARpUqAlVG3WE zwpfVzWLr8@b!)n-AmaT&eBpahOZcp~S}W2QP^>ShJU?x8_P7=d(f&25qd4t;cYANY z8!8t-v&Isy8qE3iwUchPt1^C)Y^=#_qxyR;3j0k3DG7Nw8WS-o9I0Lk8oIN9Yts-H z$zF=B{(iu#UM0t_ffA?iuDF4sJttK?SaynF32bZ}jAI|WlDjY-!~Ba-p^)2owa|Yp&<6=Hnq7(v>2JsI8RA%&PE;F@qyF~-yP6A0X zN~SIi9J}rn-Ky3&HOhM8i^YZM!hTZ|`Z=yx-f8Hiny8qM2?R2+CRahsGJ8eS-qSir z;YeHpl<}7cw=ts3Rr;kiW*Lp`2;Mv4a{^dz_QAh?U&iF{W^*)E>vNpO7ww{%nHo`H znm_cbD*Bkf>-M>R`a)f!XdwRU+oj^9JfdW>19K2=@V^0bac!|WSm=qkrOx42$ZoRKk z8$3m-hkpaGbp;6fVM%4rc*qbqD5H2&u*-ekW6#ds3Q6n#%XmVPzvOXnh^Mp9H?W#4 z(4z#3$f~Jjo&x0Mxzs+GsxydVk>g3I&X~*WEio21zA=?&2tCT@4AUw->G*77z2mas zW6MKs&r-mRTi~Y7;D*lADJrec@Ro=0*&cYtUkVNf>XU6zCJZ z-D84M(KL1OVjY5oH>LH$sTz{SV&sY`wsjLE3ocOb!RYWRGA7gDBS?X5uOM5C2JufH zK^SYBonw?{$Z{bA3@`8`J&pTXd zJpuJFC)w=MAJ{_89x1R#A{egK@Mq#nh)OWCack!1K>@ewlm$BxoyJHQO^mO9 zJa5j#_ZY^*TGnQ#XG@@tj^t~~Q=vq1geXWsEK|0ixJkdGlGCf~Ry086 zO62vCTHFc(2l!O9)Zx8%aaK+hv7HxRyK`h_u`09UHz%xI*YlF}Eu9QsWFO$ZH3|FQ zOen5nZ(Y?(Zs@D)fIto??z$->3Z2QZ6>ez5PDlo^E>Ii`-o{FjbpE!(y?-rigEeCy%|c&b!WglxXCl zU~X7J1MG%YQ*kCO6|%9S*W_w?P-3$W_muDG;w)yvtKM_7+tx5lY(0rx$@?q)*69x# zsZpC}3?Ik+_MVe%G>DI$%f@>qH#&&;!D;6?jF}FIiBO!ydul{b=k{Q31a&%Zz}BPv z-0nQp9s)V~DJ_7){Ic_oxyHNyizr)XZFWdDNj=dTy96&lN8^~_K<(ESI|{4Mhr>_J z4oG~)0FlD|)DwWP!Q>+F>geSb+wwToK3RISV^N9DaTrx}8IT|1EmckLxX=3vjd0me zb+VKePxfAp@Z$nIZFm{OF0DUdKeSol@J)h!650dE#RhGF=nSTevKFBH)pjG}KS7}NV* zt}}rzL5_n1^X)Vx$TDnU#pdCsye@R8?&-1*69t7MIW_FlNNaL$nn!KlCqdJ$yKNF| zpPZ@v4Dhnw2%H|7n#~@w?*;x~2=e7qE7)dndhAtrDJ$iXe)JthWkz3XhW&8&hn+v8 zZ_i7~j`!Ie9Eb;*NmLx3y6v0q+eSL?qBpWPpN@r{(lG;(#EvPORF~CcpxaoYr#Jl3 z0XcQ&ncc_Ti#xIoEl%lS#Z#NLVZuYAfD-B@F`nmIF?p%Y^@^I#;m|Y#nU@M=PQVdY zqkT@Z5WnAjFJu_1iV<)j2h_lTDaz~$BSb%IE8)c>W+`ZB7GG3WobnOU&|gH-uwg3| zjx+LhNamGfZ@KF&BU^Cq)RX8hsoexV-tf=tZz3ZXUVcoP`YBhrVmG`Oz9mFL3J$@+ 
zsqkMOX-gYvnxagsgzp<6`fO}y%5Qbgm92jFY=iK=!8dS#o0Uj3GFp;SUW)QnN1iM& z?(fFs8^AIrX$K*U$x@7jJFHC8y%?Jm5->ZpF> z>ODqvM)>>z+@c}QpE(!6k;$=So=|Ivw6rc5+e0uk1Nk+AD7fAa-f^+f+I$Fk_%qNk z;(KC0`f5fTyY$7B8HdfW!EfpjTL?s}26`V?8tMU;(q-?bNxiN1Z{OuR;p- z=Y0FEW!w~A<-1vuE!98>`NH!|=GSiejX4v=*59hEyU?ptG16mVY_)<3Z@k=vU@Euo znfY2d+{7zdzs?fOOivm}*i1}M5nA!NvgNP{8`$}^=3TodH}$0A3dp8~)h|rI86g9Q zfj{QUaS)`hfQ#j}fwSi!88)rRWw*eqC zFXe$x7nKbwW6ACsS-Qt4UfR(ea_F z^N42C?hzQFS@+iNq8mEGqVy1nXblcsi@A&ZJ7n+rJUo3_G$ z?ROc1PgtT|yA1foKzYSwwXhrV!B%Ciw!3kEVG+OAF9O9(t|iyi=)L0`Hcl%e`7I_7>b0lCRw%@Eg1)sc9zi_f!FEw&VT{^g0*KHrP1FT6+T){M)$UH#iMB!2dM z5jmaDb5j*a-r1IlzkZevK=74rV1>Tt*+W;hC;P?%I}7R#W#51^aqQJilRk>;V3*=k zMB9^b3*6_)eN(EKFD&Lq2^|l_e^3T-cR9_x z7dqbIrD4W7{*D;;Zm>)MC*^TEJ`0oiU-P=i?tnfq$_7+lNk?}(*A7s zRy15n+%U}dQlQKlQy)3QwY&^!N+fp(03oZ{BsQjk$SXETs6`_!FB9L&QF*Sp<@Qjf z-1&R*EQ?fwabk3j{jv*0}Mjm}<(^T|yvL8NKr? zhHVy}&?NqsMSt!rq1XYQbvD){CeMJ}Q479omE~U#PhElTapxQf`pOmV=i-c|9`aOl ze}RrQFiXmLLWTpkU;l7g%Q+Op|9vl6AuA3_RCx9l~vn#)N zdi@m~7k;wqv$Qj^rUpeDpIPZk*e*d$>1F~-w&*dsvRFDfM9z7Bat)ZILiKdU`zu-9 z0DFIq1?PP?ozE0>(oV`n=~HsH{Meg7!-jqOQ)tYLMpcb=ci?t?ld#y4zvT&QJ$0!^ z87NTU*3(~BMv-tz;RTGycb6$XX4JxQv}mv*i;B6!e*;|2@ETFF^9Q4Zp|*u`jQm|K z+CeGm24r*sWw&5t>r`CXnCW(b7$TmGfdS`6$1Hij5uaZR!4z5U z#}kKBuyA8U2)VtiIu;=n_Sl=}npUQYx7!X(jeThvHS{$RoL z5jU56)W3#(TMWsiRUK5T58 zm5M7V6kGKXGARutb#<{z&v+W$|5aQuRM4sG8#i}>NSm2;gd z8ec_lV|#B&4>#l7kDL$XF(bTj2)L5TnaJiataud%SGz>B=Mr^{{+p4ZG)5##0++y% z8k1c18{DNF{7RlcCa5M7Q%5t+_4A82;~5Qbhl}t^tZ)RKBn+Iy)oR!Ok+s8}rD14I zu4k+E{&Ec(A_TAJ(UFtY(KX)6v-&0Pf<11x6>flb^*7FJC<7A%efQ*#9+5)yci#T@ z)P6n>iq9T$n(|E#Z528OT=i8C4+a7IBxJ_g!=?5~2Ye2Upq45|rZ#Vqz-xHnXN@y> zgtED*6UECUus2(_^G_%K>wV~&Fjq<`D6U4-lc8_JuL%A$_2cbc4<+O(%j@jIEe=>_VIXI~vWBHW z(h&v+%mxOpte;9F_v%f}pW-%n)(*O)kb8d9@*ch01KHblf$`-l_jk$#Q|UA2Jpr)1 zhb-_EZQj^hJWThkf?}w!h2n(Aoy=;2#ImwX^gDB2nXAI^S&AI0bGGNmvR&>KVsw;e z-ozpc?TzAt{Ws;Vw#o;!!LC*h6+(+pyDGvud~(@*FX)Ta`EzhV`&HLwz#ZeELRb0drYvO@PEDoMeXVMc9mgD)ZoC!M^*h!c?9D`O)obi?JxfjW&fANtO^mW&`B 
zuw2@Cy1s0NM{}3m9w2F(uvN-vPqT+QIOHxO5y5;|OEcM5#hm{7*ex zJ`ffx$JqLg1zWUt=o(GZ%^TSEY|V^^Wi+&HrPc;I z`fmirQwmx~NmpD-SZ3^h-2Ld?W$Zn(;#PS*IzGCz>~ZJ1dVDNM7G@k~@k7sO%5yIm zD!65HT;si-N!I3&p|G>2j%(xPRt!$MC@lFfV^na8e5AK31aS!bN=Mri8uQF~`W3oS zD0NPjW?>5ScL~2+b7KqZtRG!8XkJ~A9(8=t@dOFX^}e6TJy=R?i9ePH(`(1=9Y$dD zc-oQgSG1fyBggoBY#7p8m@XYEhKCamsJ+63gA<=UReumPRZ;T?<)qlhTX)+Q8f~Z- z54b)qx3U-sw8_bP`=o3{FIPV#<*F{`Di*iK*@moBg-(3lrm2{07TTkC#a_5r)ljnac!b{;{dJ(K=Po;~6R@snC?M&*8RddfQBM<0=bz!!l`Dm05{8&}FX~ zu~*LOEyZ(w+U4_H3LGr4uCuRGGsrvmUS~5pp>*_ouWB)x)1X|u_<1>|qWn(m$3u_d z#-l@rR!T=o9k=lfeuo{tlu=)KYbl=%lqQ-cn#_=0TEBiRvztr4A#b(1cuwoM>L~5n zr@GG`wyZKI{8&ey9iveS||oC{I2 z4DtKuWA%P`-j?v$KhN0xEDF_o^e6$+;afMZ7yJpI;|?%&O$VJ;JBXf+>E^G=SHMoI zIue;}1@T&kRUN-)9W|`Z%tloTSfY9mRL&=V`Rr!`4e7kfCNRodK1@*^X}vRS## zF0`3k8xc`Z`&7WWf1;hbT6OoU5(o&}pNdqI7`rpv9}hl_E^(f6oZUWg&*XEhV7@Bb z;FQsAdzo#Kg;aQ2Z`AJq0Y8|#1s7Ivn*3dH1N!0M?&F>g*4kV*VMirPVo^)o3=kL} z_ylVY4A5W4BLx3Ie;#Z1KE{`ZJHt}-B^G*u%>Me*1MwBra?zUG9^$wc`Q7f?ldF3H zK8LP3<}4K=DX?XUcmcjz`!_aL>}%RI3$3yj$cD*kcj7NgRvHEkml)a$8CGQNIQoiQ zjh35;oCVqb=siv{(cvDq!@=w;W!ex&JHGy48@yEdMW1|A!sgy>;LXW=eDn%1yNqe7 zt5ln=sc}brX4d>Pvr)Svw{dd|(0HuhrGlTdQl@Sn<1pB@dh9LIZkiq+y)42vyix}} z5}xpBSFXXWS>*34Md~a6qJIZH28;NLd`;+rG>`8qrU_8IUOjVr#Ww-yn_UkRhJ%A% zDVF{h3-Gk$cFcMeLw-oyW)T0?sa6RAN#{CmkPmk3Hx3g9JRF=qJFoBgdD<~Ae=<#U zkW}~HL<_SA+B=Syui_D1woVHZmk4&ZqLo37*Ca%`l_mCf0{nJ1g=4fwZr>Nn!)2Om zhkneZk&RfkTGZewrnn+00KZI11sRpdL3WXtn-6h-;BNz*OD=kgQbtq zTaYLm9J{pFoAftC{0UTWcM%Hj%HY2_>UY+=#C=oQM$n0VcgyGdA%hM%~;FH%>Jm!lbVM>YT?ftpkkQ1yK)<3PLMZlAiYjc9m( zw~*lH$E%`^51kZJKw77K$v*167_H6JI<|jAuOCvTLb~Intj)qOlp3EFMozlTaDSJsyj-500 z)Yq+pl$Z@i~G@<|%2gKlXH*+`Uy7^D`2sajj)h!RN=@=^7Jcq`ytj-CC6!rMR|bMoWAEjXSmS4sP9Q-+qy! 
z&fL6EtM$0Zj?P}yz1Whj03@(%SOs1!gx@Y`#6QOkZB8Cf*Kww3@_mw$871VCYak8Q zU%k}Aw|(IWpWTsMao=y3zs=Fg7gEK6MFwZQ!sQqKI1{HsD}&+S*=gKlQJQS*W8}U> zGj@>}mB*_YSs3h-zDgH7r(o<$(&4c09Yy^E1DfX6rqKiO%HN-`eL~`{w$b6B2)&Hj~9mTb>XLDV)*X;q&IZY8AdlXJHK^GRLP)ebn~g0K13cUoI>AJ zQ7h@rM`P<%RHB?!et#kUjD!F;ji&W?lKb|hxSX<8*`i}Vwd>pqRS6Ro+#mGLHh~%W zJ&d}QOXpMa)KrzsjvpQt;G^P+*+4&fuQbTC25a~Z3wwCT^*!`xW2y1Z-MC-wRNkT` z7wMM^YE@Tkp$m{E5*^h{4_1;ut7)a%)vBMK?Df1aj?tI8^|UH?(pE^-X_c()g=8?$ zF%o!$Wt2;$F5?0pk9NHu3bVRBh1XY~G>#I% zsEknk_$B9Rsd~C5u36~Taqm&;nZbUdCZT1HWViu}xa*-pg{fzJu8a%qajY&$(6b8q6q7thSa=|@q?rr}!Y8#O z>^)|D$YZm9ZU)y&tEfc@X-!ftX?j-GrM0cA8b7Y={C4MpkXbg1u*nnT^!RpWcL zwyUwMv)&)Wa|KH(3TCD$+hjG?3l(Q{0sioC2Pl7cv!5cRw>z+*n*ZKJY(T07xf$f7 zQM;V1tGBK!5#=?y9Va2JNiE^6F{qb~Uz%_2rL#hx4>rrr6x35Q$S!bT)!v^8SaK|& zrj^4=qGxDiSMlC4R((8hs1{+CQQywCuh^uqX;oLJm4g@TK2;Fd$pxjJs;RDW3?(SV~rcwe}8$$`> z->qc&>S3_@N;&p7RaVBRKHZbs4gkd%9j|1dmTsG}Kgmw5bMq#6R<)|5N4~#hSuG|Q zqi!+*V=Gw`nw2)pwXIK_3Z2`km{|!<`5p#@&^(B#`+G;^D%ooIZ@n&Ni#+j0_l)R< zGA=huS(v3B{;4s`tRXE#aYjcoY?CB@N9sf0W}|8K=ZBp975QR&Av$!cE`b$L$<#wJ zz+z*#CEQCm1k0rg=hHh1+jgB)E>rdxxWshEmL`wxhYv}w7PGaNClX!a+QF_+J|YWJ z?%JD8na|m&Y^Z9_`+e>AIoe-p3uMqVbWQ3Q9iN{O-@6)oBQ^HkO9I+%NB7BX6KUBUSR&>SdcwDBTu zUnsrxeIK96nPStawjCtsFFIV7{96W~X0&wvNX$oUfryr@>7PPc@!9$c$G+Dj;JTyc zbf{Vk>i8^@>R%M4s-D7a50o5>z9D$YX}m2K73BNOFv5`|Io2!hHuR&sQL^e-kXR}u zIpxF48L6N-c0qU?N=i@XC+RdO45tA4{^7}W>i&mj+UjKv@1JK{*Ok2Yh=#|l6PD; zC*+fY{N`F~HmIR2nA6nIzBARnZbA<4N%@Vy5*6 zQ_}ZO+PF3&CmGfKa`Y#N;C!$LS-)rAGEyN@)ya(Kc>DFPHSif@begQ7PU#w;_oMU!Mxw9lxcqovsL&x5HSv46^5V zvM3u++r=iUC;2q%dR0)c!YlQ4H}Cd*zk`^Uj;I^i@=BSjGWqG&o@8qvGvRLk#aT2& zRoz0q4s_xx+hQG3a5fscp~QBhT#wvPJmOH3bWtt!5YL>_v<(VNX*XxlQ8FgsMfrG6 zHYd+|$tNEg4!pIuq*lD^LS@*PZgV`}wJB0qRvLzbzSYokmK8JGVMe#_YK5oX5yE1! 
zXoDq)Zx*~h8ks;(P`vf`TS_K0Sk5$#1O@#?LUZXJB(9t2dH5LcIT5c3__o73bKi{R zPPUKi{C)jnS43^^F<%KJH83szm3(GxDvf&R(|T`W#m4bvTd!Y-AD!ajU7j1_ zX?kuk_@(oe?9)~rj~CFgqiz+u5^rqy+L?Ft#1NKHOmcM(HNCj6FKvlZQQ>}7J5f}} zz?b-UpSY&WFy-Clz&&ZEdIj(!*Dn{nrq>ul4;Nd<>g2z;S#{)4>Zm<-Dk0Cr2vURk z>Yku=^s$*Kk2hwF1QI7+bnt=#GV4P2G+`!R1MNPla7hKs(Nw;##1`z5whryXDpcaw znB@FL9w)fgGWlGH^(Gs8Rah1>UAsB;9m=+ds=8CQZ>J0Rz3_}jKdZp5nR@NzoJ*zr zrlm%_xwdcNusM2!i>Y-#M)a8U(yf%^&aM2xxdYp!XAx5}EQt(au`OWRWsyLoFSg49 ztc*;j4qC>~AHNF4dV(hbhb{1#>q%0jmCgnIl&8)usn19@Z4B|++ZK#c3#3PWi<|g7FJYLXZ?R%tB?eqV5Bs+9X5+C zGfX3hG$?TUND5P9)qUyBu>WY<~sWh?hP3 zB$AL)Zn|AM8V1xZ_s#j$Dm+mZ7 zRMW}#lOzc4>Ir6>aij8nngSk9Frc3urVn??iPK+4iTt$0@znVJ#`pBJK#nWgyP*6+ zit47VO!Nf@i&{5s@!To1JH4;*Gm8kbw+c@0NiO-PL@297t@i-@x33)X8bvrM3S2($ z>440{D&lRL*tGy}z&je-P_-cJ6_nD`U29L%&bp|{kN@l|nze&y<9FHhwvydbF2=k? zt@e-F1{SX-bT6%$8osnK5tsJ}7UMJ1a+onc`-#_H-`AH9`L0mHytMM+`?J%6M#}@W zm;;An8IGIbIYm0yV4@|Ml#rg#Pz@yb1N(=#~{xlhPFW6N(XEg(bMWLQh6 zugt0((o%grog1q>Q)b`e3gb%08`07=xP7IHI~zIF$ddN3U!-g=O#{<_ZQlqS^z=gX zaX2e|Z~hEGc@P>-S)}_cTmKDb{0qAIzXjr)y}m(#e~!@< zkZEh}#O2mW_Wg6nDD3gezbQzB&M7U`mh{WNUTvx2$jFL8vQoAx1w->zXt+*AH5g^U z+;3Xiy|VA)fxK0MEF0j_0!-H2RolX3W^Y!GOzZ`;;O5j4m1IC8PdcatrA`-<+VP~Z zP)o?Lgfkhis%=p30biWBq)wU+als0qw8vm38Zz^^&{KnQ3fzWuTSscn$mMK|GM^Ya z7?r3|qx=`CoBR)YL8-eDXlz#%8MlAj2PjW{IPa5lx_)Q=FRH`->T}3EzjiIuNoX9l zO^6D1NkDA)QLsvmyv*OcYUaQyZD$M9fL!s~%3!>~z#66cpr*P-Tq-EYtd(Q4gK(;3 zvwOHz@W$G7h+0XJ)TDL^nR=igfNQnVY)iVHsHD7?>aH9hFfE|vQ1@tZBFuwF%RJy9 zlB*_OZ&a-TX@|jACSxVNg-kYorrr&B>u)aetL@o?@i(uNE%qEB!?74gFW!w%z7xpU<`M8<-K4Tzsu3!ik z_QZ9Qq?akEC1AAFSsCnl`asx|c2dA})S<)3vMtO+1}n*}qa5qg!9FqDuyRdmLe2Dd~Gu*P0K9K{{ zO{fAcIf$G+yF`U#{+Bq;MeL`$+Ev?V4V2)ANEew*X8{hRP^)M&z=PGC>Ef|}YL;+a z+Ao_ca6U@xmTSh{)E+t;LNhcTc5-$jE-g&*Vis`?fYJioPTrP9nT1H>4QmmeVz`M> zFBh`DRmy9}Gw1Xd58AhRf8`Ah_Q_vC-Xde`mMi9sqh8+X*uaAaf(`>+4LyFKMEv6A zpRoZ_Hlp*mC49~Rw$Q1SfR*qPaC5GKxG+g6c2D4T#P^SKQ!|x(lI(FJT`k6`)ywwn zu)xJp4T^C#=AW)pEg?~NI+8{*U8!FTQaMAim-_fj8LA&&8`%fI1t&5abPOPaa)=keS(Q5&zoQx>Z|i 
(base64 literal for deploy/images/custom-role-30.png omitted) diff --git a/deploy/rbac/index.md b/deploy/rbac/index.md index ff412c952d..b63de07c27 100644 --- a/deploy/rbac/index.md +++ b/deploy/rbac/index.md
@@ -36,9 +36,9 @@ administrators might take the following high-level steps: - Define custom **roles** (or use defaults) by adding permitted operations per resource types. - Group cluster **resources** into Swarm collections or Kubernetes namespaces. -- Create **grants** by marrying subject + role + resource. +- Create **grants** by marrying subject + role + resource group. -For a simple example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app/). +For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app). ## Subjects @@ -61,8 +61,8 @@ operations against a *resource type* (such as an image, container, volume) that is assigned to a user or team with a grant. For example, the built-in role, **Restricted Control**, includes permission to -view and schedule a node but not update. A custom **DBA** role might include -permissions to create, attach, view, and remove volumes. +view and schedule nodes but not to update nodes. A custom **DBA** role might +include permissions to r-w-x volumes and secrets. Most organizations use multiple roles to fine-tune the approprate access. A given team or user may have different roles provided to them depending on what @@ -125,7 +125,9 @@ administrators might take the following high-level steps: - Define custom **roles** (or use defaults) by adding permitted operations per resource types. - Group cluster **resources** into Swarm collections. -- Create **grants** by marrying subject + role + resource. +- Create **grants** by marrying subject + role + resource group. + +For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app). ## Subjects 
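Review bot: both replacement links in index.md, `[Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app)`, are relative to the page's own directory `deploy/rbac/`, so they resolve to `deploy/rbac/deploy/rbac/rbac-howto-deploy-stateless-app`; the text removed here had the same prefix and was equally off. Use a sibling-relative `./rbac-howto-deploy-stateless-app` or a root-relative `/deploy/rbac/rbac-howto-deploy-stateless-app/`, the form the `next_steps` entries in this same patch use. The new role description `include permissions to r-w-x volumes and secrets` is shorthand a reader of a role table cannot map to UCP operations; spell it out, e.g. `include permissions to create, view, update, and remove volumes and secrets`. Since both hunks touch this paragraph, also fix the unchanged context typo `approprate` (appears in both copies) to `appropriate`.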
@@ -148,8 +150,8 @@ operations against a *resource type* (such as an image, container, volume) that is assigned to a user or team with a grant. For example, the built-in role, **Restricted Control**, includes permission to -view and schedule a node but not update. A custom **DBA** role might include -permissions to create, attach, view, and remove volumes. +view and schedule nodes but not to update nodes. A custom **DBA** role might +include permissions to r-w-x volumes and secrets. Most organizations use different roles to fine-tune the approprate access. A given team or user may have different roles provided to them depending on what diff --git a/deploy/rbac/rbac-basics-create-subjects.md b/deploy/rbac/rbac-basics-create-subjects.md index 5b55ad2a7c..eed3c9c683 100644 --- a/deploy/rbac/rbac-basics-create-subjects.md +++ b/deploy/rbac/rbac-basics-create-subjects.md @@ -56,7 +56,7 @@ To use Docker EE's built-in authentication, you must [create users manually](#cr The general flow of designing an organization with teams in UCP is: 1. Create an organization. -2. Add users or enable LDAP. +2. Add users or enable LDAD (for syncing users). 3. Create teams under the organization. 4. Add users to teams manually or sync with LDAP. @@ -75,7 +75,7 @@ To create teams in the organization: 2. Click **Create Team**. 3. Input a team name (and description). 4. Click **Create**. -5. Add existing users to the team. If they don't exist, see [Integrate with an LDAP Directory](../../datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md). +5. Add existing users to the team. To sync LDAP users, see: [Integrate with an LDAP Directory](../../datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md). - Click the team name and select **Actions** > **Add Users**. - Check the users to include and click **Add Users**. diff --git a/deploy/rbac/rbac-basics-define-roles.md b/deploy/rbac/rbac-basics-define-roles.md index b134500ee3..bf229a2c1a 100644 
--- a/deploy/rbac/rbac-basics-define-roles.md +++ b/deploy/rbac/rbac-basics-define-roles.md @@ -32,7 +32,7 @@ You can define custom roles or use the following built-in roles: | Built-in role | Description | | ---------------------| ------------------------------------------------------------------------------- | -| `None` | Users have no access to Swarm resources. Maps to `No Access` role in UCP 2.1.x. | +| `None` | Users have no access to Swarm or Kubernetes resources. Maps to `No Access` role in UCP 2.1.x. | | `View Only` | Users can view resources but can't create them. | | `Restricted Control` | Users can view and edit resources but can't run a service or container in a way that affects the node where it's running. Users _cannot_ mount a node directory, `exec` into containers, or run containers in privileged mode or with additional kernel capabilities. | | `Scheduler` | Users can view nodes (worker and manager) and schedule (not view) workloads on these nodes. By default, all users are granted the `Scheduler` role against the `/Shared` collection. (To view workloads, users need permissions such as `Container View`). | @@ -55,7 +55,7 @@ the same name to different collections or namespaces. 5. Select the permitted operations per resource type. 6. Click **Create**. -![](../images/custom-role.png){: .with-border} +![](../images/custom-role-30.png){: .with-border} > **Some important rules regarding roles**: > - Roles are always enabled. diff --git a/deploy/rbac/rbac-basics-grant-permissions.md b/deploy/rbac/rbac-basics-grant-permissions.md index 510d409387..e50b884557 100644 --- a/deploy/rbac/rbac-basics-grant-permissions.md +++ b/deploy/rbac/rbac-basics-grant-permissions.md 
@@ -10,42 +10,20 @@ ui_tabs: - version: ucp-2.2 orlower: true next_steps: -- path: /deploy/rbac/usermgmt-create-subjects/ - title: Create and configure users and teams -- path: /deploy/rbac/usermgmt-define-roles/ - title: Create roles to authorize access -- path: /deploy/rbac/resources-isolate-volumes/ - title: Isolate volumes +- path: /deploy/rbac/rbac-howto-deploy-stateless-app/ + title: Deploy a simple stateless app with RBAC --- {% if include.ui %} -Docker EE administrators can create *grants* to control how users and -organizations access resources. - -A grant is made up of *subject*, *role*, and *resource group*. - - {% if include.version=="ucp-3.0" %} -## Kubernetes grants +Docker EE administrators can create _grants_ to control how users and +organizations access resources. -With Kubernetes orchestration, a grant is made up of *subject*, *role*, and -*namespace*. - - - - -## Swarm grants - -With Swarm orchestration, a grant is made up of *subject*, *role*, and -*collection*. - -![](../images/ucp-grant-model-0.svg){: .with-border} - -A grant defines who (subject) has how much access (role) to a set of resources -(collection). Each grant is a 1:1:1 mapping of subject, role, collection. For -example, you can grant the "Prod Team" "Restricted Control"of the "/Production" +A grant defines _who_ has _how much_ access to _what_ resources. Each grant is a +1:1:1 mapping of _subject_, _role_, and _resource group_. For example, you can +grant the "Prod Team" "Restricted Control" of services in the "/Production" collection. A common workflow for creating grants has four steps: 
@@ -54,24 +32,50 @@ A common workflow for creating grants has four steps: - Define custom **roles** (or use defaults) by adding permitted API operations per resource type. - Group cluster **resources** into Swarm collections or Kubernetes namespaces. -- Create **grants** by marrying subject + role + resource. +- Create **grants** by marrying subject + role + resource group. +## Kubernetes grants + +With Kubernetes orchestration, a grant is made up of *subject*, *role*, and +*namespace*. + +> This section assumes that you have created objects to grant (subject, role, +> namespace). + +To create a Kubernetes grant in UCP: + +1. Click **Grants** under **User Management**. +2. Click **Create Grant**. +3. Click **Namespaces** under **Kubernetes**. +4. Click **View Children** until you get to the desired resource group and **Select**. +5. On the Roles tab, select a role. +6. On the Subjects tab, select a user, team, or organization to authorize. +7. Click **Create**. + +> By default, all new users are placed in the `docker-datacenter` organization. +> To apply permissions to all Docker EE users, create a grant with the +> `docker-datacenter` org as a subject. + +## Swarm grants + +With Swarm orchestration, a grant is made up of *subject*, *role*, and +*collection*. + +> This section assumes that you have created objects to grant: teams/users, +> roles (built-in or custom), and a collection. + +![](../images/ucp-grant-model-0.svg){: .with-border} ![](../images/ucp-grant-model.svg){: .with-border} -### Create a Swarm grant - -You can create grants after creating users, collections, and roles (if using -custom roles). - To create a grant in UCP: 1. Click **Grants** under **User Management**. 2. Click **Create Grant**. -3. On the Collections tab, click **Collections** (for Swarm) or **Namespaces** (for Kubernetes). +3. On the Collections tab, click **Collections** (for Swarm). 4. Click **View Children** until you get to the desired resource group and **Select**. 5. 
On the Roles tab, select a role. 6. On the Subjects tab, select a user, team, or organization to authorize. -4. Click **Create**. +7. Click **Create**. > By default, all new users are placed in the `docker-datacenter` organization. > To apply permissions to all Docker EE users, create a grant with the @@ -80,16 +84,12 @@ To create a grant in UCP: {% elsif include.version=="ucp-2.2" %} -## Swarm grants +Docker EE administrators can create _grants_ to control how users and +organizations access resources. -With Swarm orchestration, a grant is made up of *subject*, *role*, and -*collection*. - -![](../images/ucp-grant-model-0.svg){: .with-border} - -A grant defines who (subject) has how much access (role) to a set of resources -(collection). Each grant is a 1:1:1 mapping of subject, role, collection. For -example, you can grant the "Prod Team" "Restricted Control"of the "/Production" +A grant defines _who_ has _how much_ access to _what_ resources. Each grant is a +1:1:1 mapping of _subject_, _role_, and _resource group_. For example, you can +grant the "Prod Team" "Restricted Control" of services in the "/Production" collection. A common workflow for creating grants has four steps: 
@@ -98,23 +98,28 @@ A common workflow for creating grants has four steps: - Define custom **roles** (or use defaults) by adding permitted API operations per resource type. - Group cluster **resources** into Swarm collections. -- Create **grants** by marrying subject + role + resource. +- Create **grants** by marrying subject + role + resource group. +## Swarm grants + +With Swarm orchestration, a grant is made up of *subject*, *role*, and +*collection*. + +> This section assumes that you have created objects to grant: teams/users, +> roles (built-in or custom), and a collection. + +![](../images/ucp-grant-model-0.svg){: .with-border} ![](../images/ucp-grant-model.svg){: .with-border} -### Create a Swarm grant - -You can create grants after creating users, collections, and roles (if using custom roles). - To create a grant in UCP: 1. Click **Grants** under **User Management**. 2. Click **Create Grant**. -3. On the Collections tab, click **Collections**. +3. On the Collections tab, click **Collections** (for Swarm). 4. Click **View Children** until you get to the desired resource group and **Select**. 5. On the Roles tab, select a role. 6. On the Subjects tab, select a user, team, or organization to authorize. -4. Click **Create**. +7. Click **Create**. > By default, all new users are placed in the `docker-datacenter` organization. > To apply permissions to all Docker EE users, create a grant with the diff --git a/deploy/rbac/rbac-basics-group-resources.md b/deploy/rbac/rbac-basics-group-resources.md index bd1ede47ed..ec0bfcffd1 100644 --- a/deploy/rbac/rbac-basics-group-resources.md +++ b/deploy/rbac/rbac-basics-group-resources.md 
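Review bot: in the new Kubernetes grants procedure in rbac-basics-grant-permissions.md (ucp-3.0 tab), step 4 `Click **View Children** until you get to the desired resource group and **Select**.` was copied from the Swarm procedure, but the rbac-basics-group-resources.md page edited in this same patch states that namespaces cannot be nested, so there are no children to drill into; make the step simply select the namespace. In the Swarm procedure, step 3 `On the Collections tab, click **Collections** (for Swarm).` now carries a redundant parenthetical in both tabs: in 3.0 the Kubernetes steps moved to their own section, and in 2.2 only Swarm exists, so the old wording `click **Collections**.` is cleaner. Minor: in the 3.0 tab both figures `ucp-grant-model-0.svg` and `ucp-grant-model.svg` now sit under the Swarm section only; either add a figure to the Kubernetes section or say that the model is the same with namespace in place of collection.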
@@ -34,14 +34,14 @@ namespaces _cannot be nested_. > Resource types that can be placed into a Kubernetes namespace include: Pods, > Deployments, NetworkPolcies, Nodes, Services, Secrets, and many more. -Resources are placed into a namespace when creating a kubernetes object. A drop -down displays with all available namespaces and one must be selected. +Resources are placed into a namespace when you create a kubernetes object. A +drop down displays all available namespaces and one must be selected. ## Swarm collection A collection is a directory of grouped resources, such as services, containers, volumes, networks, and secrets. To authorize access, administrators create -grants against directory branches. +grants against these directory branches. ![](../images/collections-and-resources.svg){: .with-border} @@ -50,13 +50,13 @@ grants against directory branches. Access to a collection is granted with a path defined in an access label. For example, each user has a private collection with the path, -`/Shared/Private/`. The private collection for user "hans" would have -the access label: `com.docker.ucp.access.label = /Shared/Private/hans`. +`/Shared/Private/`. The private collection for user "molly" would have +the access label: `com.docker.ucp.access.label = /Shared/Private/molly`. To deploy applications into a custom collection, you must define the collection -first. For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app/#swarm-stack). When a user -deploys a resource without an access label, Docker EE automatically places the -resource in the user's default collection. +first. For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app). +When a user deploys a resource without an access label, Docker EE automatically +places the resource in the user's default collection. ### Nested collections 
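Review bot: the rewritten sentence `Resources are placed into a namespace when you create a kubernetes object.` keeps `kubernetes` lowercase; it is a product name and the rest of the file capitalizes it, and `drop down` as a noun should be `drop-down`. The unchanged context two lines up reads `NetworkPolcies`; since this hunk already touches the paragraph, fix that to `NetworkPolicies` as well.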
@@ -75,7 +75,7 @@ Docker EE provides a number of built-in collections. | ------------------ | --------------------------------------------------------------------------------------- | | `/` | Path to all resources in the Swarm cluster. Resources not in a collection are put here. | | `/System` | Path to UCP managers, DTR nodes, and UCP/DTR system services. By default, only admins have access, but this is configurable. | -| `/Shared` | Default path to all worker nodes for scheduling. In Docker EE Standard, all worker nodes are located here. In [Docker EE Advanced](https://www.docker.com/enterprise-edition), worker nodes can be moved and [isolated](./howto-isolate-nodes/). | +| `/Shared` | Default path to all worker nodes for scheduling. In Docker EE Standard, all worker nodes are located here. In [Docker EE Advanced](https://www.docker.com/enterprise-edition), worker nodes can be moved and [isolated](./rbac-howto-isolate-nodes/). | | `/Shared/Private/` | Path to a user's private collection. | | `/Shared/Legacy` | Path to the access control labels of legacy versions (UCP 2.1 and lower). | @@ -92,9 +92,7 @@ Each user has a default collection which can be changed in UCP preferences. Users can't deploy a resource without a collection. When a user deploys a resource without an access label, Docker EE automatically places the resource in -the user's default collection. - -[Learn how to add labels to nodes](../../datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/). +the user's default collection. [Learn how to add labels to nodes](../../datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/). With Docker Compose, the system applies default collection labels across all resources in the stack unless `com.docker.ucp.access.label` has been explicitly 
@@ -153,12 +151,12 @@ default, all users have the `Scheduler` role against the `/Shared` collection. When deploying a resource that isn't global, like local volumes, bridge networks, containers, and services, the system identifies a set of "schedulable nodes" for the user. The system identifies the target collection of the -resource, like `/Shared/Private/hans`, and it tries to find the parent that's +resource, like `/Shared/Private/molly`, and it tries to find the parent that's closest to the root that the user has the `Node Schedule` permission on. For example, when a user with a default configuration runs `docker container run nginx`, the system interprets this to mean, "Create an NGINX container under the -user's default collection, which is at `/Shared/Private/hans`, and deploy it on +user's default collection, which is at `/Shared/Private/molly`, and deploy it on one of the nodes under `/Shared`. If you want to isolate nodes against other teams, place these nodes in new @@ -181,8 +179,8 @@ grants against directory branches. Access to a collection is granted with a path defined in an access label. For example, each user has a private collection with the path, -`/Shared/Private/`. The private collection for user "hans" would have -the access label: `com.docker.ucp.access.label = /Shared/Private/hans`. +`/Shared/Private/`. The private collection for user "molly" would have +the access label: `com.docker.ucp.access.label = /Shared/Private/molly`. To deploy applications into a custom collection, you must define the collection first. For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app/#swarm-stack). When a user 
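Review bot: hunk @@ -181 renames `hans` to `molly` in the duplicated ucp-2.2 section but leaves the following context line `For an example, see [Deploy stateless app with RBAC](./deploy/rbac/rbac-howto-deploy-stateless-app/#swarm-stack).` untouched, whereas the identical sentence in the first copy (hunk @@ -50) was rewritten to drop the `#swarm-stack` anchor and trailing slash. The two tabs now link differently for no reason; apply the same change here. Both forms also use the `./deploy/rbac/` prefix, which is relative to the current directory and will not resolve; check the link target.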
@@ -206,7 +204,7 @@ Docker EE provides a number of built-in collections. | ------------------ | --------------------------------------------------------------------------------------- | | `/` | Path to all resources in the Swarm cluster. Resources not in a collection are put here. | | `/System` | Path to UCP managers, DTR nodes, and UCP/DTR system services. By default, only admins have access, but this is configurable. | -| `/Shared` | Default path to all worker nodes for scheduling. In Docker EE Standard, all worker nodes are located here. In [Docker EE Advanced](https://www.docker.com/enterprise-edition), worker nodes can be moved and [isolated](./howto-isolate-nodes/). | +| `/Shared` | Default path to all worker nodes for scheduling. In Docker EE Standard, all worker nodes are located here. In [Docker EE Advanced](https://www.docker.com/enterprise-edition), worker nodes can be moved and [isolated](./rbac-howto-isolate-nodes/). | | `/Shared/Private/` | Path to a user's private collection. | | `/Shared/Legacy` | Path to the access control labels of legacy versions (UCP 2.1 and lower). | @@ -223,9 +221,7 @@ Each user has a default collection which can be changed in UCP preferences. Users can't deploy a resource without a collection. When a user deploys a resource without an access label, Docker EE automatically places the resource in -the user's default collection. - -[Learn how to add labels to nodes](../../datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/). +the user's default collection. [Learn how to add labels to nodes](../../datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/). With Docker Compose, the system applies default collection labels across all resources in the stack unless `com.docker.ucp.access.label` has been explicitly 
@@ -284,12 +280,12 @@ default, all users have the `Scheduler` role against the `/Shared` collection. When deploying a resource that isn't global, like local volumes, bridge networks, containers, and services, the system identifies a set of "schedulable nodes" for the user. The system identifies the target collection of the -resource, like `/Shared/Private/hans`, and it tries to find the parent that's +resource, like `/Shared/Private/molly`, and it tries to find the parent that's closest to the root that the user has the `Node Schedule` permission on. For example, when a user with a default configuration runs `docker container run nginx`, the system interprets this to mean, "Create an NGINX container under the -user's default collection, which is at `/Shared/Private/hans`, and deploy it on +user's default collection, which is at `/Shared/Private/molly`, and deploy it on one of the nodes under `/Shared`. If you want to isolate nodes against other teams, place these nodes in new diff --git a/deploy/rbac/rbac-howto-deploy-stateless-app.md b/deploy/rbac/rbac-howto-deploy-stateless-app.md index b11a4c3329..a390394a45 100644 --- a/deploy/rbac/rbac-howto-deploy-stateless-app.md +++ b/deploy/rbac/rbac-howto-deploy-stateless-app.md 
@@ -158,17 +158,53 @@ service. 4. On the Details tab, enter: - Name: `nginx-service` - Image: nginx:latest -4. On the Collections tab: +5. On the Collections tab: - Click `/Shared` in the breadcrumbs. - Select `nginx-collection`. -5. Click **Create**. -6. Log on to UCP as each user and ensure that: +6. Click **Create**. +7. Log on to UCP as each user and ensure that: - `dba` (alex) cannot see `nginx-collection`. - `dev` (bett) cannot see `nginx-collection`. {% elsif include.version=="ucp-2.2" %} +This tutorial explains how to deploy a nginx web server and limit access to one +team with role-based access control (RBAC). + +## Scenario + +You are the Docker EE admin at Acme Company and need to configure permissions to +company resources. The best way to do this is to: + +- Build the organization with teams and users +- Create collections for storing resources. +- Create grants that specify which team can do what operations on which + collection. +- Give the `ops` team the all-clear to deploy nginx. + +## Build the organization + +Add the organization, `acme-datacenter`, and create three teams according to the +following structure: + +``` +acme-datacenter +├── dba +│   └── Alex Alutin +├── dev +│   └── Bett Bhatia +└── ops +   └── Chad Chavez +``` + +> Easy username / passwords: +> - alex / alexalutin +> - bett / bettbhatia +> - chad / chadchavez + +See: [Create and configure users and teams](./usermgmt-create-subjects.md). + ## Swarm Stack In this section, we deploy `nginx` as a Swarm service. See [Kubernetes Deployment](#kubernetes-deployment) 
@@ -211,11 +247,11 @@ service. 4. On the Details tab, enter: - Name: `nginx-service` - Image: nginx:latest -4. On the Collections tab: +5. On the Collections tab: - Click `/Shared` in the breadcrumbs. - Select `nginx-collection`. -5. Click **Create**. -6. Log on to UCP as each user and ensure that: +6. Click **Create**. +7. Log on to UCP as each user and ensure that: - `dba` (alex) cannot see `nginx-collection`. - `dev` (bett) cannot see `nginx-collection`. diff --git a/deploy/rbac/rbac-howto-orcabank1-standard.md b/deploy/rbac/rbac-howto-orcabank1-standard.md index 59e4bd729e..4ca030f2c0 100644 --- a/deploy/rbac/rbac-howto-orcabank1-standard.md +++ b/deploy/rbac/rbac-howto-orcabank1-standard.md @@ -122,7 +122,7 @@ a secure and controlled interface, leveraging Database networks and secrets. > **Note:** In Docker Enterprise Standard, all resources are deployed across the > same group of UCP worker nodes. Node segmentation is provided in Docker -> Enterprise Advanced and discussed in the [next tutorial](#). +> Enterprise Advanced and discussed in the [next tutorial](./deploy/rbac/rbac-howto-orcabank1-advanced). ![image](../images/design-access-control-adv-2.png){: .with-border} @@ -241,7 +241,7 @@ a secure and controlled interface, leveraging Database networks and secrets. > **Note:** In Docker Enterprise Standard, all resources are deployed across the > same group of UCP worker nodes. Node segmentation is provided in Docker -> Enterprise Advanced and discussed in the [next tutorial](#). +> Enterprise Advanced and discussed in the [next tutorial](./deploy/rbac/rbac-howto-orcabank1-advanced). ![image](../images/design-access-control-adv-2.png){: .with-border}
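Review bot: in the new ucp-2.2 tutorial block (the `+This tutorial explains...` through `+See: [Create and configure users and teams]` region of `rbac-howto-deploy-stateless-app.md`), the scenario's stated goal is to "Give the `ops` team the all-clear to deploy nginx", but the verification step that follows only checks the negative cases (`dba` (alex) and `dev` (bett) cannot see `nginx-collection`); add a positive check that `ops` (chad) can see `nginx-collection` and the `nginx-service` in it, otherwise a grant that was never created would still pass the checklist. Two smaller points in the same block: "deploy a nginx web server" should read "deploy an nginx web server", and the first bullet ("Build the organization with teams and users") lacks the trailing period the other bullets have. The link `./usermgmt-create-subjects.md` should also be verified against the actual file name, since the other links touched in this patch use the `rbac-` prefix (for example `./rbac-howto-isolate-nodes/`).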
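Review bot: the replacement link in both hunks of `rbac-howto-orcabank1-standard.md` (`[next tutorial](./deploy/rbac/rbac-howto-orcabank1-advanced)`) is relative to the file's own directory, so from `deploy/rbac/` it resolves to `deploy/rbac/deploy/rbac/rbac-howto-orcabank1-advanced` and will still be a dead link, just a less obvious one than the `(#)` it replaces. Use the sibling form already used elsewhere in this patch, e.g. `[next tutorial](./rbac-howto-orcabank1-advanced/)`, and apply it to both the `@@ -122,7` and `@@ -241,7` copies of the note.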
