add an example for capability rbac
parent e5d1050da9
commit 91f2097125

README.rst (24 changed lines)
@ -146,6 +146,30 @@ contain the matches. For example::
credentials)


Credentials are generally built from the user metadata in the 'extras' part
of the Identity API. So, adding a 'role' to the user just means adding the role
to the user metadata.


Capability RBAC
---------------

(Not yet implemented.)

Another approach to authorization can be action-based, with a mapping of roles
to which capabilities are allowed for that role. For example::

credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']}

# add a policy
policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',))

policy_api.can_haz(('action:nova:add_network',), credentials)


In the backend this would look up the policy for 'action:nova:add_network' and
then do what is effectively a 'Simple Match' style match against the creds.


-----------
Still To Do
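Review bot: the example ends at `policy_api.can_haz(('action:nova:add_network',), credentials)` without saying what the call returns (a boolean, or an exception on denial), and the only description of the decision is "effectively a 'Simple Match' style match against the creds"; spell out how the policy tuple `('roles:nova:netadmin',)` is matched against the list under the `'roles'` key of the credentials, because that mapping from a `roles:<name>` policy entry to a list-valued credential is exactly what a reader of this section needs and the Simple Match sentence does not give it. The `'is_admin': 1` entry in the sample credentials takes no part in the policy and invites the question of whether it short-circuits the check; either drop it from the example or state that it is ignored here. Finally, since the section opens with "(Not yet implemented.)", say that `add_policy` and `can_haz` are the proposed names for this interface rather than calls that exist today, so the example is not read as working code.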