601eeb50b6
Blueprint trusts creates a trust. Using a trust, one user (the trustee) can then create tokens with a subset of another user's (the trustor) roles and projects. If the impersonate flag in the trust is set, the token user_id is set to the trustor's user ID. If the impersonate flag is not set, the token's user_id is set to the trustee's user ID. Check that both trustor and trustee are enabled prior to creating the trust token. sql and kvs backends; sql upgrade scripts; unit tests for backends, auth and v3 api; modifications to the trust controller for creating tokens. Authenticates that only the user can be trustor in create. Deleting a trust invalidates all tokens created from that trust. Adds the trust id and the id of the trustee to the header of the token. Policy rules for trust. This version has a workaround for testing against the KVS version of the Service catalog. Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
{
|
|
"admin_required": [["role:admin"], ["is_admin:1"]],
|
|
"owner" : [["user_id:%(user_id)s"]],
|
|
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
|
|
|
|
"default": [["rule:admin_required"]],
|
|
|
|
"identity:get_service": [["rule:admin_required"]],
|
|
"identity:list_services": [["rule:admin_required"]],
|
|
"identity:create_service": [["rule:admin_required"]],
|
|
"identity:update_service": [["rule:admin_required"]],
|
|
"identity:delete_service": [["rule:admin_required"]],
|
|
|
|
"identity:get_endpoint": [["rule:admin_required"]],
|
|
"identity:list_endpoints": [["rule:admin_required"]],
|
|
"identity:create_endpoint": [["rule:admin_required"]],
|
|
"identity:update_endpoint": [["rule:admin_required"]],
|
|
"identity:delete_endpoint": [["rule:admin_required"]],
|
|
|
|
"identity:get_domain": [["rule:admin_required"]],
|
|
"identity:list_domains": [["rule:admin_required"]],
|
|
"identity:create_domain": [["rule:admin_required"]],
|
|
"identity:update_domain": [["rule:admin_required"]],
|
|
"identity:delete_domain": [["rule:admin_required"]],
|
|
|
|
"identity:get_project": [["rule:admin_required"]],
|
|
"identity:list_projects": [["rule:admin_required"]],
|
|
"identity:list_user_projects": [["rule:admin_required"],
|
|
["user_id:%(user_id)s"]],
|
|
"identity:create_project": [["rule:admin_or_owner"]],
|
|
"identity:update_project": [["rule:admin_required"]],
|
|
"identity:delete_project": [["rule:admin_required"]],
|
|
|
|
"identity:get_user": [["rule:admin_required"]],
|
|
"identity:list_users": [["rule:admin_required"]],
|
|
"identity:create_user": [["rule:admin_required"]],
|
|
"identity:update_user": [["rule:admin_required"]],
|
|
"identity:delete_user": [["rule:admin_required"]],
|
|
|
|
"identity:get_group": [["rule:admin_required"]],
|
|
"identity:list_groups": [["rule:admin_required"]],
|
|
"identity:create_group": [["rule:admin_required"]],
|
|
"identity:update_group": [["rule:admin_required"]],
|
|
"identity:delete_group": [["rule:admin_required"]],
|
|
"identity:list_users_in_group": [["rule:admin_required"]],
|
|
"identity:remove_user_from_group": [["rule:admin_required"]],
|
|
"identity:check_user_in_group": [["rule:admin_required"]],
|
|
"identity:add_user_to_group": [["rule:admin_required"]],
|
|
|
|
"identity:get_credential": [["rule:admin_required"]],
|
|
"identity:list_credentials": [["rule:admin_required"]],
|
|
"identity:create_credential": [["rule:admin_required"]],
|
|
"identity:update_credential": [["rule:admin_required"]],
|
|
"identity:delete_credential": [["rule:admin_required"]],
|
|
|
|
"identity:get_role": [["rule:admin_required"]],
|
|
"identity:list_roles": [["rule:admin_required"]],
|
|
"identity:create_role": [["rule:admin_required"]],
|
|
"identity:update_role": [["rule:admin_required"]],
|
|
"identity:delete_role": [["rule:admin_required"]],
|
|
|
|
"identity:check_grant": [["rule:admin_required"]],
|
|
"identity:list_grants": [["rule:admin_required"]],
|
|
"identity:create_grant": [["rule:admin_required"]],
|
|
"identity:revoke_grant": [["rule:admin_required"]],
|
|
|
|
"identity:get_policy": [["rule:admin_required"]],
|
|
"identity:list_policies": [["rule:admin_required"]],
|
|
"identity:create_policy": [["rule:admin_required"]],
|
|
"identity:update_policy": [["rule:admin_required"]],
|
|
"identity:delete_policy": [["rule:admin_required"]],
|
|
|
|
"identity:check_token": [["rule:admin_required"]],
|
|
"identity:validate_token": [["rule:admin_required"]],
|
|
"identity:revocation_list": [["rule:admin_required"]],
|
|
"identity:revoke_token": [["rule:admin_required"],
|
|
["user_id:%(user_id)s"]],
|
|
|
|
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
|
|
"identity:get_trust": [["rule:admin_or_owner"]],
|
|
"identity:list_trusts": [["@"]],
|
|
"identity:list_roles_for_trust": [["@"]],
|
|
"identity:check_role_for_trust": [["@"]],
|
|
"identity:get_role_for_trust": [["@"]],
|
|
"identity:delete_trust": [["@"]]
|
|
}
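Review bot: `"identity:delete_trust": [["@"]]` on the last rule of this file matches any caller, so unless the trust controller itself restricts deletion to the trustor or an admin (not visible here), any authenticated user could delete another user's trust and, per the commit description, invalidate every token issued from it; since `identity:get_trust` is already `[["rule:admin_or_owner"]]`, the delete rule should be at least as tight, e.g. `"identity:delete_trust": [["rule:admin_or_owner"]]`. The same `[["@"]]` is used for `identity:list_trusts`, `identity:list_roles_for_trust`, `identity:check_role_for_trust` and `identity:get_role_for_trust`, which exposes which users have delegated roles to whom to any caller unless the controller filters results by trustor/trustee. Note also that `rule:owner` is `user_id:%(user_id)s`, so for trust targets `admin_or_owner` only restricts access if the controller populates `user_id` in the policy target from the trust's trustor (or trustee) id — worth confirming against the controller change in this commit.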
|