add an example for capability rbac
This commit is contained in:
parent
e5d1050da9
commit
91f2097125
24
README.rst
@ -146,6 +146,30 @@ contain the matches. For example::
credentials)
Credentials are generally built from the user metadata in the 'extras' part
of the Identity API. So, adding a 'role' to the user just means adding the role
to the user metadata.
Capability RBAC
---------------
(Not yet implemented.)
Another approach to authorization can be action-based, with a mapping of roles
to which capabilities are allowed for that role. For example::
credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}
# add a policy
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))
policy_api.can_haz(('action:nova:add_network',), credentials)
In the backend this would look up the policy for 'action:nova:add_network' and
then do what is effectively a 'Simple Match' style match against the creds.
-----------
Still To Do
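Review bot: the example credentials carry `'is_admin': 1`, but the policy registered with `add_policy('action:nova:add_network', ('roles:nova:netadmin',))` only names a role, and the paragraph describing the lookup ("a 'Simple Match' style match against the creds") never says whether `is_admin` short-circuits the match; state explicitly whether an admin flag bypasses policy evaluation, since an implicit bypass in the matcher is exactly the kind of behaviour a reader of this section needs to know about. In the same example, `can_haz(('action:nova:add_network',), credentials)` is passed a tuple of actions, so document whether every listed action must be permitted or any one of them, and whether the call returns a boolean or raises. Finally, the sentence "adding a 'role' to the user just means adding the role to the user metadata" should be paired with a note on who may write that 'extras' metadata: under this scheme, anyone able to edit a user's extras can grant that user `nova:netadmin`, so the section should say that role assignment is an administrative operation rather than a user-editable attribute.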