Add group system grant policies
This commit introduces new policies that control RBAC for assigning groups roles on the system. Since the management of system roles is a system-level operation, each policy has `system` set for scope_types. bp system-scope Change-Id: Ide491be9563f74f758c5de55990916292228e0d9
This commit is contained in:
Lance Bragstad
parent
1486da0c24
commit
cd9064d2b9
|
|
@ -104,6 +104,11 @@ identity:check_system_grant_for_user GET /v3/system/users/
|
|||
identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id}
|
||||
identity:revoke_system_grant_for_user DELETE /v3/system/users/{user_id}/roles/{role_id}
|
||||
|
||||
identity:list_system_grants_for_group GET /v3/system/groups/{group_id}/roles
|
||||
identity:check_system_grant_for_group GET /v3/system/groups/{group_id}/roles/{role_id}
|
||||
identity:create_system_grant_for_group PUT /v3/system/groups/{group_id}/roles/{role_id}
|
||||
identity:revoke_system_grant_for_group DELETE /v3/system/groups/{group_id}/roles/{role_id}
|
||||
|
||||
identity:list_role_assignments GET /v3/role_assignments
|
||||
identity:list_role_assignments_for_tree GET /v3/role_assignments?include_subtree
|
||||
|
||||
|
|
|
|||
|
|
@ -114,6 +114,11 @@
|
|||
"identity:create_system_grant_for_user": "rule:admin_required",
|
||||
"identity:revoke_system_grant_for_user": "rule:admin_required",
|
||||
|
||||
"identity:list_system_grants_for_group": "rule:admin_required",
|
||||
"identity:check_system_grant_for_group": "rule:admin_required",
|
||||
"identity:create_system_grant_for_group": "rule:admin_required",
|
||||
"identity:revoke_system_grant_for_group": "rule:admin_required",
|
||||
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
||||
|
|
|
|||
|
|
@ -145,6 +145,54 @@ grant_policies = [
|
|||
'method': ['DELETE']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'list_system_grants_for_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='List all grants a specific group has on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/groups/{group_id}/roles',
|
||||
'method': ['HEAD', 'GET']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'check_system_grant_for_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Check if a group has a role on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/groups/{group_id}/roles/{role_id}',
|
||||
'method': ['HEAD', 'GET']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'create_system_grant_for_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Grant a group a role on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/groups/{group_id}/roles/{role_id}',
|
||||
'method': ['PUT']
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=base.IDENTITY % 'revoke_system_grant_for_group',
|
||||
check_str=base.RULE_ADMIN_REQUIRED,
|
||||
scope_types=['system'],
|
||||
description='Remove a role from a group on the system.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v3/system/groups/{group_id}/roles/{role_id}',
|
||||
'method': ['DELETE']
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue