OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

policy.v3cloudsample.json 2.4KB

1234567891011121314151617181920212223242526272829303132333435363738
  1. {
  2. "admin_required": "role:admin",
  3. "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
  4. "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
  5. "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
  6. "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
  7. "service_admin_or_owner": "rule:service_or_admin or rule:owner",
  8. "default": "rule:admin_required",
  9. "identity:get_limit": "",
  10. "identity:create_limits": "rule:admin_required",
  11. "identity:update_limit": "rule:admin_required",
  12. "identity:delete_limit": "rule:admin_required",
  13. "identity:get_project_tag": "rule:admin_required",
  14. "identity:list_project_tags": "rule:admin_required",
  15. "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
  16. "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
  17. "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
  18. "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
  19. "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
  20. "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
  21. "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
  22. "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
  23. "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
  24. "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
  25. "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
  26. "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
  27. "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
  28. "identity:check_token": "rule:admin_or_owner",
  29. "identity:validate_token": "rule:service_admin_or_owner",
  30. "identity:validate_token_head": "rule:service_or_admin",
  31. "identity:revoke_token": "rule:admin_or_owner"
  32. }