9614a0c45b
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
|
||
|---|---|---|
| .. | ||
| barbican-all | ||
| barbican-api | ||
| barbican-keystone-listener.sh | ||
| barbican-worker | ||
| barbican.sh | ||
| demo_requests.py | ||
| keystone_data.sh | ||
| pkcs11-key-generation | ||
| versionbuild.py | ||