fa10d4945c
Add support for the GET /role_assignment call as a first step to making role_assignment a first-class entity. This patch also enables v3 collection filtering to match against attributes of the entities being returned in the list, using the same dot notation (e.g. user.id) that we already support for policy-file checking against filters.

Limitations:
- The current implementation uses the standard v3 collections wrapper mechanism for filtering. Given the potential number of role assignments in a large system, this may have performance and resource impacts. A future improvement would pass the filters into the driver layer to keep the internal assignment processing to a minimum.
- The LDAP backend is not currently supported.

Implements bp get-role-assignments
Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
{
"admin_required": [["role:admin"], ["is_admin:1"]],
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
"owner" : [["user_id:%(user_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
"default": [["rule:admin_required"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
"identity:create_service": [["rule:admin_required"]],
"identity:update_service": [["rule:admin_required"]],
"identity:delete_service": [["rule:admin_required"]],
"identity:get_endpoint": [["rule:admin_required"]],
"identity:list_endpoints": [["rule:admin_required"]],
"identity:create_endpoint": [["rule:admin_required"]],
"identity:update_endpoint": [["rule:admin_required"]],
"identity:delete_endpoint": [["rule:admin_required"]],
"identity:get_domain": [["rule:admin_required"]],
"identity:list_domains": [["rule:admin_required"]],
"identity:create_domain": [["rule:admin_required"]],
"identity:update_domain": [["rule:admin_required"]],
"identity:delete_domain": [["rule:admin_required"]],
"identity:get_project": [["rule:admin_required"]],
"identity:list_projects": [["rule:admin_required"]],
"identity:list_user_projects": [["rule:admin_or_owner"]],
"identity:create_project": [["rule:admin_required"]],
"identity:update_project": [["rule:admin_required"]],
"identity:delete_project": [["rule:admin_required"]],
"identity:get_user": [["rule:admin_required"]],
"identity:list_users": [["rule:admin_required"]],
"identity:create_user": [["rule:admin_required"]],
"identity:update_user": [["rule:admin_or_owner"]],
"identity:delete_user": [["rule:admin_required"]],
"identity:get_group": [["rule:admin_required"]],
"identity:list_groups": [["rule:admin_required"]],
"identity:list_groups_for_user": [["rule:admin_or_owner"]],
"identity:create_group": [["rule:admin_required"]],
"identity:update_group": [["rule:admin_required"]],
"identity:delete_group": [["rule:admin_required"]],
"identity:list_users_in_group": [["rule:admin_required"]],
"identity:remove_user_from_group": [["rule:admin_required"]],
"identity:check_user_in_group": [["rule:admin_required"]],
"identity:add_user_to_group": [["rule:admin_required"]],
"identity:get_credential": [["rule:admin_required"]],
"identity:list_credentials": [["rule:admin_required"]],
"identity:create_credential": [["rule:admin_required"]],
"identity:update_credential": [["rule:admin_required"]],
"identity:delete_credential": [["rule:admin_required"]],
"identity:get_role": [["rule:admin_required"]],
"identity:list_roles": [["rule:admin_required"]],
"identity:create_role": [["rule:admin_required"]],
"identity:update_role": [["rule:admin_required"]],
"identity:delete_role": [["rule:admin_required"]],
"identity:check_grant": [["rule:admin_required"]],
"identity:list_grants": [["rule:admin_required"]],
"identity:create_grant": [["rule:admin_required"]],
"identity:revoke_grant": [["rule:admin_required"]],
"identity:list_role_assignments": [["rule:admin_required"]],
"identity:get_policy": [["rule:admin_required"]],
"identity:list_policies": [["rule:admin_required"]],
"identity:create_policy": [["rule:admin_required"]],
"identity:update_policy": [["rule:admin_required"]],
"identity:delete_policy": [["rule:admin_required"]],
"identity:check_token": [["rule:admin_required"]],
"identity:validate_token": [["rule:service_or_admin"]],
"identity:validate_token_head": [["rule:service_or_admin"]],
"identity:revocation_list": [["rule:service_or_admin"]],
"identity:revoke_token": [["rule:admin_or_owner"]],
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
"identity:get_trust": [["rule:admin_or_owner"]],
"identity:list_trusts": [["@"]],
"identity:list_roles_for_trust": [["@"]],
"identity:check_role_for_trust": [["@"]],
"identity:get_role_for_trust": [["@"]],
"identity:delete_trust": [["@"]]
}