OpenStack Identity (Keystone)

policy.v3cloudsample.json 6.5KB

  1. {
  2. "admin_required": "role:admin",
  3. "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
  4. "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
  5. "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
  6. "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
  7. "service_admin_or_owner": "rule:service_or_admin or rule:owner",
  8. "default": "rule:admin_required",
  9. "identity:get_limit": "",
  10. "identity:create_limits": "rule:admin_required",
  11. "identity:update_limit": "rule:admin_required",
  12. "identity:delete_limit": "rule:admin_required",
  13. "identity:get_project_tag": "rule:admin_required",
  14. "identity:list_project_tags": "rule:admin_required",
  15. "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
  16. "identity:ec2_create_credential": "rule:admin_required or rule:owner",
  17. "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
  18. "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
  19. "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
  20. "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
  21. "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
  22. "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
  23. "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
  24. "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
  25. "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
  26. "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
  27. "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
  28. "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
  29. "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
  30. "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
  31. "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  32. "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  33. "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
  34. "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  35. "identity:list_role_inference_rules": "rule:cloud_admin",
  36. "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  37. "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  38. "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
  39. "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  40. "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  41. "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
  42. "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
  43. "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
  44. "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
  45. "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
  46. "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
  47. "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
  48. "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
  49. "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
  50. "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
  51. "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
  52. "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
  53. "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
  54. "identity:get_policy": "rule:cloud_admin",
  55. "identity:list_policies": "rule:cloud_admin",
  56. "identity:create_policy": "rule:cloud_admin",
  57. "identity:update_policy": "rule:cloud_admin",
  58. "identity:delete_policy": "rule:cloud_admin",
  59. "identity:check_token": "rule:admin_or_owner",
  60. "identity:validate_token": "rule:service_admin_or_owner",
  61. "identity:validate_token_head": "rule:service_or_admin",
  62. "identity:revoke_token": "rule:admin_or_owner",
  63. "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
  64. "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
  65. "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
  66. "identity:create_policy_association_for_service": "rule:cloud_admin",
  67. "identity:check_policy_association_for_service": "rule:cloud_admin",
  68. "identity:delete_policy_association_for_service": "rule:cloud_admin",
  69. "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
  70. "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
  71. "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
  72. "identity:get_policy_for_endpoint": "rule:cloud_admin",
  73. "identity:list_endpoints_for_policy": "rule:cloud_admin",
  74. "identity:create_domain_config": "rule:cloud_admin",
  75. "identity:get_domain_config": "rule:cloud_admin",
  76. "identity:update_domain_config": "rule:cloud_admin",
  77. "identity:delete_domain_config": "rule:cloud_admin",
  78. "identity:get_domain_config_default": "rule:cloud_admin"
  79. }