Restrict certain APIs to cloud admin in domain-aware policy

Some of the APIs in the domain-aware policy file are currently allowed by any "admin" user, when they should really be locked down to the cloud admin. Without this, users who are a project admin will be allowed to do things like manage regions, IdPs, and other objects that they should not be allowed to touch. Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c Closes-bug: #1381809
2014-10-15 16:21:01 -07:00 · 2014-10-15 16:21:01 -07:00 · fdbad9f530
parent 61ccca516c
commit fdbad9f530
1 changed files with 18 additions and 18 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -12,9 +12,9 @@

    "identity:get_region": "",
    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_or_cloud_admin",
-    "identity:update_region": "rule:admin_or_cloud_admin",
-    "identity:delete_region": "rule:admin_or_cloud_admin",
+    "identity:create_region": "rule:cloud_admin",
+    "identity:update_region": "rule:cloud_admin",
+    "identity:delete_region": "rule:cloud_admin",

    "identity:get_service": "rule:admin_or_cloud_admin",
    "identity:list_services": "rule:admin_or_cloud_admin",
@ -143,23 +143,23 @@
    "identity:add_endpoint_group_to_project": "rule:admin_required",
    "identity:remove_endpoint_group_from_project": "rule:admin_required",

-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_providers": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
+    "identity:create_identity_provider": "rule:cloud_admin",
+    "identity:list_identity_providers": "rule:cloud_admin",
+    "identity:get_identity_providers": "rule:cloud_admin",
+    "identity:update_identity_provider": "rule:cloud_admin",
+    "identity:delete_identity_provider": "rule:cloud_admin",

-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
+    "identity:create_protocol": "rule:cloud_admin",
+    "identity:update_protocol": "rule:cloud_admin",
+    "identity:get_protocol": "rule:cloud_admin",
+    "identity:list_protocols": "rule:cloud_admin",
+    "identity:delete_protocol": "rule:cloud_admin",

-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
+    "identity:create_mapping": "rule:cloud_admin",
+    "identity:get_mapping": "rule:cloud_admin",
+    "identity:list_mappings": "rule:cloud_admin",
+    "identity:delete_mapping": "rule:cloud_admin",
+    "identity:update_mapping": "rule:cloud_admin",

    "identity:get_auth_catalog": "",
    "identity:get_auth_projects": "",