b6dd538569
When using roles to define protected properties, the first matching rule in the config file should be used to grant/deny access. This change enforces that behaviour. Fixes bug 1271426 Change-Id: I11ece25ae85ff868516bcd1839a4e430e9c51370
60 lines
923 B
Plaintext
60 lines
923 B
Plaintext
[spl_creator_policy]
|
|
create = glance_creator
|
|
read = glance_creator
|
|
update = context_is_admin
|
|
delete = context_is_admin
|
|
|
|
[spl_default_policy]
|
|
create = context_is_admin
|
|
read = default
|
|
update = context_is_admin
|
|
delete = context_is_admin
|
|
|
|
[^x_all_permitted.*]
|
|
create = @
|
|
read = @
|
|
update = @
|
|
delete = @
|
|
|
|
[^x_none_permitted.*]
|
|
create = !
|
|
read = !
|
|
update = !
|
|
delete = !
|
|
|
|
[x_none_read]
|
|
create = context_is_admin
|
|
read = !
|
|
update = !
|
|
delete = !
|
|
|
|
[x_none_update]
|
|
create = context_is_admin
|
|
read = context_is_admin
|
|
update = !
|
|
delete = context_is_admin
|
|
|
|
[x_none_delete]
|
|
create = context_is_admin
|
|
read = context_is_admin
|
|
update = context_is_admin
|
|
delete = !
|
|
|
|
[x_foo_matcher]
|
|
create = context_is_admin
|
|
read = context_is_admin
|
|
update = context_is_admin
|
|
delete = context_is_admin
|
|
|
|
[x_foo_*]
|
|
create = @
|
|
read = @
|
|
update = @
|
|
delete = @
|
|
|
|
[.*]
|
|
create = context_is_admin
|
|
read = context_is_admin
|
|
update = context_is_admin
|
|
delete = context_is_admin
|