openstack/deb-keystone
Code Issues Proposed changes
aa7a110247
deb-keystone/etc/policy.json
Steve Martinelli 65f292144f Protect oauth controller calls and update policy.json 
We need to call controller.protected for most of the oauth_calls.
With the exception of the public ones (create_request_token,
create_access_token, and authenticate_access_token).
Also need to update the policy.json accordingly.

fixes bug 1231709

Change-Id: Ica111aa3ed82499d2de50d472754a0b5b3c5cc71
2013-09-26 17:08:31 -05:00

110 lines
5.1 KiB
JSON
Raw Blame History

{
"admin_required": [["role:admin"], ["is_admin:1"]],
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
"owner" : [["user_id:%(user_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
"default": [["rule:admin_required"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
"identity:create_service": [["rule:admin_required"]],
"identity:update_service": [["rule:admin_required"]],
"identity:delete_service": [["rule:admin_required"]],
"identity:get_endpoint": [["rule:admin_required"]],
"identity:list_endpoints": [["rule:admin_required"]],
"identity:create_endpoint": [["rule:admin_required"]],
"identity:update_endpoint": [["rule:admin_required"]],
"identity:delete_endpoint": [["rule:admin_required"]],
"identity:get_domain": [["rule:admin_required"]],
"identity:list_domains": [["rule:admin_required"]],
"identity:create_domain": [["rule:admin_required"]],
"identity:update_domain": [["rule:admin_required"]],
"identity:delete_domain": [["rule:admin_required"]],
"identity:get_project": [["rule:admin_required"]],
"identity:list_projects": [["rule:admin_required"]],
"identity:list_user_projects": [["rule:admin_or_owner"]],
"identity:create_project": [["rule:admin_required"]],
"identity:update_project": [["rule:admin_required"]],
"identity:delete_project": [["rule:admin_required"]],
"identity:get_user": [["rule:admin_required"]],
"identity:list_users": [["rule:admin_required"]],
"identity:create_user": [["rule:admin_required"]],
"identity:update_user": [["rule:admin_or_owner"]],
"identity:delete_user": [["rule:admin_required"]],
"identity:get_group": [["rule:admin_required"]],
"identity:list_groups": [["rule:admin_required"]],
"identity:list_groups_for_user": [["rule:admin_or_owner"]],
"identity:create_group": [["rule:admin_required"]],
"identity:update_group": [["rule:admin_required"]],
"identity:delete_group": [["rule:admin_required"]],
"identity:list_users_in_group": [["rule:admin_required"]],
"identity:remove_user_from_group": [["rule:admin_required"]],
"identity:check_user_in_group": [["rule:admin_required"]],
"identity:add_user_to_group": [["rule:admin_required"]],
"identity:get_credential": [["rule:admin_required"]],
"identity:list_credentials": [["rule:admin_required"]],
"identity:create_credential": [["rule:admin_required"]],
"identity:update_credential": [["rule:admin_required"]],
"identity:delete_credential": [["rule:admin_required"]],
"identity:get_role": [["rule:admin_required"]],
"identity:list_roles": [["rule:admin_required"]],
"identity:create_role": [["rule:admin_required"]],
"identity:update_role": [["rule:admin_required"]],
"identity:delete_role": [["rule:admin_required"]],
"identity:check_grant": [["rule:admin_required"]],
"identity:list_grants": [["rule:admin_required"]],
"identity:create_grant": [["rule:admin_required"]],
"identity:revoke_grant": [["rule:admin_required"]],
"identity:list_role_assignments": [["rule:admin_required"]],
"identity:get_policy": [["rule:admin_required"]],
"identity:list_policies": [["rule:admin_required"]],
"identity:create_policy": [["rule:admin_required"]],
"identity:update_policy": [["rule:admin_required"]],
"identity:delete_policy": [["rule:admin_required"]],
"identity:check_token": [["rule:admin_required"]],
"identity:validate_token": [["rule:service_or_admin"]],
"identity:validate_token_head": [["rule:service_or_admin"]],
"identity:revocation_list": [["rule:service_or_admin"]],
"identity:revoke_token": [["rule:admin_or_owner"]],
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
"identity:get_trust": [["rule:admin_or_owner"]],
"identity:list_trusts": [["@"]],
"identity:list_roles_for_trust": [["@"]],
"identity:check_role_for_trust": [["@"]],
"identity:get_role_for_trust": [["@"]],
"identity:delete_trust": [["@"]],
"identity:create_consumer": [["rule:admin_required"]],
"identity:get_consumer": [["rule:admin_required"]],
"identity:list_consumers": [["rule:admin_required"]],
"identity:delete_consumer": [["rule:admin_required"]],
"identity:update_consumer": [["rule:admin_required"]],
"identity:authorize_request_token": [["rule:admin_required"]],
"identity:list_access_token_roles": [["rule:admin_required"]],
"identity:get_access_token_role": [["rule:admin_required"]],
"identity:list_access_tokens": [["rule:admin_required"]],
"identity:get_access_token": [["rule:admin_required"]],
"identity:delete_access_token": [["rule:admin_required"]],
"identity:list_projects_for_endpoint": [["rule:admin_required"]],
"identity:add_endpoint_to_project": [["rule:admin_required"]],
"identity:check_endpoint_in_project": [["rule:admin_required"]],
"identity:list_endpoints_for_project": [["rule:admin_required"]],
"identity:remove_endpoint_from_project": [["rule:admin_required"]]
}
View Git Blame Copy Permalink