openstack/keystone
Code Issues Proposed changes
keystone/etc/policy.v3cloudsample.json
Henry Nash c7a5c6cf27 Implement API protection on target entities 
API policy protection is currently limited to using the parameters
passed into the call. However, there are many cases where you want
to also check attributes of the entities an API is operating upon.  The
classic example is ensuring a domain administrator cannot get, update or
delete users, groups or projects outside of their domain.

This patch enables lines in the policy file to also refer to any field
in the target object of the API call. In addition, it includes a separate
sample policy file that shows how to use domains and the new protection
ability to provide domain segregation and administration delegation.
This sample file is also tested to ensure that such protection works
correctly.

DocImpact

Implements bp policy-on-api-target

Change-Id: Ie1a4e14a86d27e8b60e6c17e33dd6b9fa889660c
2013-08-28 13:57:03 +01:00

102 lines
5.7 KiB
JSON
Raw Blame History

{
"admin_required": [["role:admin"]],
"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
"owner" : [["user_id:%(user_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
"admin_or_cloud_admin": [["rule:admin_required"], ["rule:cloud_admin"]],
"default": [["rule:admin_required"]],
"identity:get_service": [["rule:admin_or_cloud_admin"]],
"identity:list_services": [["rule:admin_or_cloud_admin"]],
"identity:create_service": [["rule:cloud_admin"]],
"identity:update_service": [["rule:cloud_admin"]],
"identity:delete_service": [["rule:cloud_admin"]],
"identity:get_endpoint": [["rule:admin_or_cloud_admin"]],
"identity:list_endpoints": [["rule:admin_or_cloud_admin"]],
"identity:create_endpoint": [["rule:cloud_admin"]],
"identity:update_endpoint": [["rule:cloud_admin"]],
"identity:delete_endpoint": [["rule:cloud_admin"]],
"identity:get_domain": [["rule:cloud_admin"]],
"identity:list_domains": [["rule:cloud_admin"]],
"identity:create_domain": [["rule:cloud_admin"]],
"identity:update_domain": [["rule:cloud_admin"]],
"identity:delete_domain": [["rule:cloud_admin"]],
"identity:get_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:list_projects": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:list_user_projects": [["rule:owner"], ["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_project": [["rule:admin_required", "domain_id:%(project.domain_id)s"]],
"identity:update_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:delete_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:list_users": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_user": [["rule:admin_required", "domain_id:%(user.domain_id)s"]],
"identity:update_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:delete_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:get_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:list_groups": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:list_groups_for_user": [["rule:owner"], ["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_group": [["rule:admin_required", "domain_id:%(group.domain_id)s"]],
"identity:update_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:delete_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:list_users_in_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:remove_user_from_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:check_user_in_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:add_user_to_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:get_credential": [["rule:admin_required"]],
"identity:list_credentials": [["rule:admin_required"]],
"identity:create_credential": [["rule:admin_required"]],
"identity:update_credential": [["rule:admin_required"]],
"identity:delete_credential": [["rule:admin_required"]],
"identity:get_role": [["rule:admin_or_cloud_admin"]],
"identity:list_roles": [["rule:admin_or_cloud_admin"]],
"identity:create_role": [["rule:cloud_admin"]],
"identity:update_role": [["rule:cloud_admin"]],
"identity:delete_role": [["rule:cloud_admin"]],
"admin_on_domain_target" : [["rule:admin_required", "domain_id:%(target.domain.id)s"]],
"admin_on_project_target" : [["rule:admin_required", "project_id:%(target.project.id)s"]],
"identity:check_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:list_grants": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:create_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:revoke_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"admin_on_domain_filter" : [["rule:admin_required", "domain_id:%(scope.domain.id)s"]],
"admin_on_project_filter" : [["rule:admin_required", "project_id:%(scope.project.id)s"]],
"identity:list_role_assignments": [["admin_on_domain_filter"],
["admin_on_project_filter"]],
"identity:get_policy": [["rule:cloud_admin"]],
"identity:list_policies": [["rule:cloud_admin"]],
"identity:create_policy": [["rule:cloud_admin"]],
"identity:update_policy": [["rule:cloud_admin"]],
"identity:delete_policy": [["rule:cloud_admin"]],
"identity:check_token": [["rule:admin_required"]],
"identity:validate_token": [["rule:service_or_admin"]],
"identity:validate_token_head": [["rule:service_or_admin"]],
"identity:revocation_list": [["rule:service_or_admin"]],
"identity:revoke_token": [["rule:admin_or_owner"]],
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
"identity:get_trust": [["rule:admin_or_owner"]],
"identity:list_trusts": [["@"]],
"identity:list_roles_for_trust": [["@"]],
"identity:check_role_for_trust": [["@"]],
"identity:get_role_for_trust": [["@"]],
"identity:delete_trust": [["@"]]
}
View Git Blame Copy Permalink