Add user system grant policies
This commit introduces new policies that control RBAC for assigning roles to users on the system. Since managing system roles is a system-level operation, each policy has `system` set as its scope_types. bp system-scope Change-Id: Ie606e769427a5ca422997efe92402e712f3cf45f
This commit is contained in:
parent
420f50e6c7
commit
616542a051
|
@ -99,6 +99,11 @@ identity:list_grants GET `grant_collection
|
|||
identity:create_grant PUT `grant_resources`_
|
||||
identity:revoke_grant DELETE `grant_resources`_
|
||||
|
||||
identity:list_system_grants_for_user GET /v3/system/users/{user_id}/roles
|
||||
identity:check_system_grant_for_user GET /v3/system/users/{user_id}/roles/{role_id}
|
||||
identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id}
|
||||
identity:revoke_system_grant_for_user DELETE /v3/system/users/{user_id}/roles/{role_id}
|
||||
|
||||
identity:list_role_assignments GET /v3/role_assignments
|
||||
identity:list_role_assignments_for_tree GET /v3/role_assignments?include_subtree
|
||||
|
||||
|
|
|
@ -109,6 +109,11 @@
|
|||
"identity:list_role_inference_rules": "rule:cloud_admin",
|
||||
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
|
||||
"identity:list_system_grants_for_user": "rule:admin_required",
|
||||
"identity:check_system_grant_for_user": "rule:admin_required",
|
||||
"identity:create_system_grant_for_user": "rule:admin_required",
|
||||
"identity:revoke_system_grant_for_user": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
|
|
|
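Review bot: The four new `identity:*_system_grant_for_user` rules are bound to `rule:admin_required`, while every neighbouring rule in this file (`identity:check_grant`, `identity:list_grants`, `identity:create_grant`, `identity:list_role_inference_rules`) is rooted at `rule:cloud_admin`. This file appears to be the v3cloudsample policy, whose model restricts privileged operations to the cloud-admin domain; if so, `admin_required` would let any holder of the admin role, in any scope, assign or revoke system roles through this sample, which is a wider grant than the rest of the file allows. Consider `"identity:create_system_grant_for_user": "rule:cloud_admin",` and the same for the other three, or document in the commit message why the broader rule is intended here. The in-code defaults in grant.py would keep `RULE_ADMIN_REQUIRED` with `scope_types=['system']` either way.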
@ -97,7 +97,55 @@ grant_policies = [
|
|||
'applicable. In that case, revoking the role grant in '
|
||||
'the target would remove the logical effect of '
|
||||
'inheriting it to the target\'s projects subtree.'),
|
||||
operations=list_operations(resource_paths, ['DELETE']))
|
||||
operations=list_operations(resource_paths, ['DELETE'])),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_system_grants_for_user',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List all grants a specific user has on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/users/{user_id}/roles',
|
||||
'method': ['HEAD', 'GET']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'check_system_grant_for_user',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Check if a user has a role on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/users/{user_id}/roles/{role_id}',
|
||||
'method': ['HEAD', 'GET']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_system_grant_for_user',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Grant a user a role on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/users/{user_id}/roles/{role_id}',
|
||||
'method': ['PUT']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'revoke_system_grant_for_user',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Remove a role from a user on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/users/{user_id}/roles/{role_id}',
|
||||
'method': ['DELETE']
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
|
|
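Review bot: The `operations` entries for `list_system_grants_for_user` and `check_system_grant_for_user` set `'method': ['HEAD', 'GET']`, a list, whereas the rest of this module builds one operation per method through `list_operations(resource_paths, ['DELETE'])` on the preceding rule, and oslo.policy's sample generator formats `method` directly into the generated comment. If `DocumentedRuleDefault` does not normalise a list here, the rendered sample would read `# ['HEAD', 'GET']  /v3/system/users/{user_id}/roles`; splitting into two dicts, `{'path': ..., 'method': 'HEAD'}, {'path': ..., 'method': 'GET'}`, avoids that and matches the helper's shape — please confirm against the oslo.policy version in requirements. The enclosing `grant_policies` list begins before this hunk.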