7c129f1c70
The policy.v3cloudsample.json policy file attempted to solve admin-ness issues with elaborate policy checks. These checks are no longer needed with advent of system scope and incorporating system scope into keystone APIs. This commit removes the credential policies from the policy.v3cloudsample.conf policy file since the new defaults introduce more flexibility by consuming scope, rendering the policies in policy.v3cloudsample.conf obsolete. More specific test coverage has also been added for each new case in keystone.tests.unit.protection.v3.test_credentials. Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120 Related-Bug: 1788415
256 lines
16 KiB
JSON
256 lines
16 KiB
JSON
{
|
|
"admin_required": "role:admin",
|
|
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
|
"service_role": "role:service",
|
|
"service_or_admin": "rule:admin_required or rule:service_role",
|
|
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
|
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
|
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
|
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
|
|
|
"default": "rule:admin_required",
|
|
|
|
"identity:get_region": "",
|
|
"identity:list_regions": "",
|
|
"identity:create_region": "rule:cloud_admin",
|
|
"identity:update_region": "rule:cloud_admin",
|
|
"identity:delete_region": "rule:cloud_admin",
|
|
|
|
"identity:get_service": "rule:admin_required",
|
|
"identity:list_services": "rule:admin_required",
|
|
"identity:create_service": "rule:cloud_admin",
|
|
"identity:update_service": "rule:cloud_admin",
|
|
"identity:delete_service": "rule:cloud_admin",
|
|
|
|
"identity:get_endpoint": "rule:admin_required",
|
|
"identity:list_endpoints": "rule:admin_required",
|
|
"identity:create_endpoint": "rule:cloud_admin",
|
|
"identity:update_endpoint": "rule:cloud_admin",
|
|
"identity:delete_endpoint": "rule:cloud_admin",
|
|
|
|
"identity:get_registered_limit": "",
|
|
"identity:list_registered_limits": "",
|
|
"identity:create_registered_limits": "rule:admin_required",
|
|
"identity:update_registered_limit": "rule:admin_required",
|
|
"identity:delete_registered_limit": "rule:admin_required",
|
|
|
|
"identity:get_limit_model": "",
|
|
"identity:get_limit": "",
|
|
"identity:list_limits": "",
|
|
"identity:create_limits": "rule:admin_required",
|
|
"identity:update_limit": "rule:admin_required",
|
|
"identity:delete_limit": "rule:admin_required",
|
|
|
|
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
|
|
"identity:list_domains": "rule:cloud_admin",
|
|
"identity:create_domain": "rule:cloud_admin",
|
|
"identity:update_domain": "rule:cloud_admin",
|
|
"identity:delete_domain": "rule:cloud_admin",
|
|
|
|
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
|
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
|
|
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
|
|
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
|
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
|
|
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
|
|
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
|
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
|
|
"identity:create_project_tag": "rule:admin_required",
|
|
"identity:delete_project_tag": "rule:admin_required",
|
|
"identity:get_project_tag": "rule:admin_required",
|
|
"identity:list_project_tags": "rule:admin_required",
|
|
"identity:delete_project_tags": "rule:admin_required",
|
|
"identity:update_project_tags": "rule:admin_required",
|
|
|
|
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
|
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
|
|
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
|
|
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
|
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
|
|
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
|
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
|
|
|
|
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
|
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
|
|
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
|
|
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
|
|
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
|
|
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
|
|
|
|
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
|
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
|
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
|
|
|
|
"identity:get_role": "rule:admin_required",
|
|
"identity:list_roles": "rule:admin_required",
|
|
"identity:create_role": "rule:cloud_admin",
|
|
"identity:update_role": "rule:cloud_admin",
|
|
"identity:delete_role": "rule:cloud_admin",
|
|
|
|
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
|
|
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
|
|
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
|
|
"identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
|
|
"identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
|
|
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
|
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
|
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
|
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
|
|
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
|
|
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
|
|
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
|
|
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
|
|
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
|
|
|
|
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
|
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
|
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
|
|
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
|
"identity:list_role_inference_rules": "rule:cloud_admin",
|
|
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
|
|
|
"identity:list_system_grants_for_user": "rule:admin_required",
|
|
"identity:check_system_grant_for_user": "rule:admin_required",
|
|
"identity:create_system_grant_for_user": "rule:admin_required",
|
|
"identity:revoke_system_grant_for_user": "rule:admin_required",
|
|
|
|
"identity:list_system_grants_for_group": "rule:admin_required",
|
|
"identity:check_system_grant_for_group": "rule:admin_required",
|
|
"identity:create_system_grant_for_group": "rule:admin_required",
|
|
"identity:revoke_system_grant_for_group": "rule:admin_required",
|
|
|
|
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
|
|
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
|
|
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
|
|
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
|
|
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
|
|
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
|
|
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
|
|
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
|
|
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
|
|
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
|
|
|
|
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
|
|
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
|
|
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
|
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
|
|
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
|
|
"identity:get_policy": "rule:cloud_admin",
|
|
"identity:list_policies": "rule:cloud_admin",
|
|
"identity:create_policy": "rule:cloud_admin",
|
|
"identity:update_policy": "rule:cloud_admin",
|
|
"identity:delete_policy": "rule:cloud_admin",
|
|
|
|
"identity:check_token": "rule:admin_or_owner",
|
|
"identity:validate_token": "rule:service_admin_or_owner",
|
|
"identity:validate_token_head": "rule:service_or_admin",
|
|
"identity:revocation_list": "rule:service_or_admin",
|
|
"identity:revoke_token": "rule:admin_or_owner",
|
|
|
|
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
|
|
"identity:list_trusts": "",
|
|
"identity:list_roles_for_trust": "",
|
|
"identity:get_role_for_trust": "",
|
|
"identity:delete_trust": "",
|
|
"identity:get_trust": "",
|
|
|
|
"identity:create_consumer": "rule:admin_required",
|
|
"identity:get_consumer": "rule:admin_required",
|
|
"identity:list_consumers": "rule:admin_required",
|
|
"identity:delete_consumer": "rule:admin_required",
|
|
"identity:update_consumer": "rule:admin_required",
|
|
|
|
"identity:authorize_request_token": "rule:admin_required",
|
|
"identity:list_access_token_roles": "rule:admin_required",
|
|
"identity:get_access_token_role": "rule:admin_required",
|
|
"identity:list_access_tokens": "rule:admin_required",
|
|
"identity:get_access_token": "rule:admin_required",
|
|
"identity:delete_access_token": "rule:admin_required",
|
|
|
|
"identity:list_projects_for_endpoint": "rule:admin_required",
|
|
"identity:add_endpoint_to_project": "rule:admin_required",
|
|
"identity:check_endpoint_in_project": "rule:admin_required",
|
|
"identity:list_endpoints_for_project": "rule:admin_required",
|
|
"identity:remove_endpoint_from_project": "rule:admin_required",
|
|
|
|
"identity:create_endpoint_group": "rule:admin_required",
|
|
"identity:list_endpoint_groups": "rule:admin_required",
|
|
"identity:get_endpoint_group": "rule:admin_required",
|
|
"identity:update_endpoint_group": "rule:admin_required",
|
|
"identity:delete_endpoint_group": "rule:admin_required",
|
|
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
|
|
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
|
|
"identity:get_endpoint_group_in_project": "rule:admin_required",
|
|
"identity:list_endpoint_groups_for_project": "rule:admin_required",
|
|
"identity:add_endpoint_group_to_project": "rule:admin_required",
|
|
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|
|
|
|
"identity:create_identity_provider": "rule:cloud_admin",
|
|
"identity:list_identity_providers": "rule:cloud_admin",
|
|
"identity:get_identity_provider": "rule:cloud_admin",
|
|
"identity:update_identity_provider": "rule:cloud_admin",
|
|
"identity:delete_identity_provider": "rule:cloud_admin",
|
|
|
|
"identity:create_protocol": "rule:cloud_admin",
|
|
"identity:update_protocol": "rule:cloud_admin",
|
|
"identity:get_protocol": "rule:cloud_admin",
|
|
"identity:list_protocols": "rule:cloud_admin",
|
|
"identity:delete_protocol": "rule:cloud_admin",
|
|
|
|
"identity:create_mapping": "rule:cloud_admin",
|
|
"identity:get_mapping": "rule:cloud_admin",
|
|
"identity:list_mappings": "rule:cloud_admin",
|
|
"identity:delete_mapping": "rule:cloud_admin",
|
|
"identity:update_mapping": "rule:cloud_admin",
|
|
|
|
"identity:create_service_provider": "rule:cloud_admin",
|
|
"identity:list_service_providers": "rule:cloud_admin",
|
|
"identity:get_service_provider": "rule:cloud_admin",
|
|
"identity:update_service_provider": "rule:cloud_admin",
|
|
"identity:delete_service_provider": "rule:cloud_admin",
|
|
|
|
"identity:get_auth_catalog": "",
|
|
"identity:get_auth_projects": "",
|
|
"identity:get_auth_domains": "",
|
|
"identity:get_auth_system": "",
|
|
|
|
"identity:list_projects_for_user": "",
|
|
"identity:list_domains_for_user": "",
|
|
|
|
"identity:list_revoke_events": "rule:service_or_admin",
|
|
|
|
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
|
|
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
|
|
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
|
|
"identity:create_policy_association_for_service": "rule:cloud_admin",
|
|
"identity:check_policy_association_for_service": "rule:cloud_admin",
|
|
"identity:delete_policy_association_for_service": "rule:cloud_admin",
|
|
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
|
|
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
|
|
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
|
|
"identity:get_policy_for_endpoint": "rule:cloud_admin",
|
|
"identity:list_endpoints_for_policy": "rule:cloud_admin",
|
|
|
|
"identity:create_domain_config": "rule:cloud_admin",
|
|
"identity:get_domain_config": "rule:cloud_admin",
|
|
"identity:get_security_compliance_domain_config": "",
|
|
"identity:update_domain_config": "rule:cloud_admin",
|
|
"identity:delete_domain_config": "rule:cloud_admin",
|
|
"identity:get_domain_config_default": "rule:cloud_admin",
|
|
|
|
"identity:get_application_credential": "rule:admin_or_owner",
|
|
"identity:list_application_credentials": "rule:admin_or_owner",
|
|
"identity:create_application_credential": "rule:admin_or_owner",
|
|
"identity:delete_application_credential": "rule:admin_or_owner"
|
|
}
|