Simplify admin_required policy
The admin_required rule as currently defined is equivalent to the admin_or_cloud_admin rule. If you have the admin role, both will pass. If you do not have the admin role, neither will pass. This makes the policy file simpler and more consistent by removing admin_or_cloud_admin. Change-Id: I5c9a96aaf114611ce141f0074ec055ca167c1b63
parent
720b83ffd1
commit
33893f7755
|
@ -1,11 +1,10 @@
|
|||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
|
||||
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
||||
|
||||
|
@ -17,14 +16,14 @@
|
|||
"identity:update_region": "rule:cloud_admin",
|
||||
"identity:delete_region": "rule:cloud_admin",
|
||||
|
||||
"identity:get_service": "rule:admin_or_cloud_admin",
|
||||
"identity:list_services": "rule:admin_or_cloud_admin",
|
||||
"identity:get_service": "rule:admin_required",
|
||||
"identity:list_services": "rule:admin_required",
|
||||
"identity:create_service": "rule:cloud_admin",
|
||||
"identity:update_service": "rule:cloud_admin",
|
||||
"identity:delete_service": "rule:cloud_admin",
|
||||
|
||||
"identity:get_endpoint": "rule:admin_or_cloud_admin",
|
||||
"identity:list_endpoints": "rule:admin_or_cloud_admin",
|
||||
"identity:get_endpoint": "rule:admin_required",
|
||||
"identity:list_endpoints": "rule:admin_required",
|
||||
"identity:create_endpoint": "rule:cloud_admin",
|
||||
"identity:update_endpoint": "rule:cloud_admin",
|
||||
"identity:delete_endpoint": "rule:cloud_admin",
|
||||
|
@ -72,13 +71,13 @@
|
|||
"identity:update_credential": "rule:admin_required",
|
||||
"identity:delete_credential": "rule:admin_required",
|
||||
|
||||
"identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner",
|
||||
"identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
||||
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
||||
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
||||
|
||||
"identity:get_role": "rule:admin_or_cloud_admin",
|
||||
"identity:list_roles": "rule:admin_or_cloud_admin",
|
||||
"identity:get_role": "rule:admin_required",
|
||||
"identity:list_roles": "rule:admin_required",
|
||||
"identity:create_role": "rule:cloud_admin",
|
||||
"identity:update_role": "rule:cloud_admin",
|
||||
"identity:delete_role": "rule:cloud_admin",
|
||||
|
|
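Review bot: Deleting the `admin_or_cloud_admin` definition in the first hunk leaves any target outside these three hunks that still reads `rule:admin_or_cloud_admin` pointing at an undefined rule, which oslo.policy evaluates as a deny rather than a load error; the hunks shown only rewrite the `identity:*service`, `*endpoint`, `ec2_*` and `*role` entries, so the rest of the file should be checked for stale references, ideally by a test that asserts every `rule:` reference in the sample policy resolves to a defined key. The equivalence stated in the commit message holds only because `cloud_admin` keeps `role:admin` as a conjunct (both `cloud_admin` lines in the first hunk do), so an operator who overrides `admin_required` with a different role would, after this change, silently lose the `or rule:cloud_admin` path on the get/list targets touched here; that caveat belongs in the commit message or a release note. The `cloud_admin` rewrite in the first hunk is also not mentioned in the description, which only speaks of removing `admin_or_cloud_admin`.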