keystone/etc/policy.v3cloudsample.json
Arvind Tiwari f1f0bbc4b4 Validate token calls return 404 on invalid tokens
Invalid X-Subject-Token was resulting in HTTP 401 rather than 404
This is causing the auth_token middleware to re-authenticate
It expects a 404 on an invalid token.

Change-Id: Ieb4cbd4f69b4f3c5944eebc262e694e831d1ca6d
Fixed-Bug: #1221889
Fixed-Bug: #1186059
2013-09-26 15:12:21 -07:00

102 lines
5.7 KiB
JSON

{
"admin_required": [["role:admin"]],
"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
"owner" : [["user_id:%(user_id)s"], ["user_id:%(target.entity.user_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
"admin_or_cloud_admin": [["rule:admin_required"], ["rule:cloud_admin"]],
"default": [["rule:admin_required"]],
"identity:get_service": [["rule:admin_or_cloud_admin"]],
"identity:list_services": [["rule:admin_or_cloud_admin"]],
"identity:create_service": [["rule:cloud_admin"]],
"identity:update_service": [["rule:cloud_admin"]],
"identity:delete_service": [["rule:cloud_admin"]],
"identity:get_endpoint": [["rule:admin_or_cloud_admin"]],
"identity:list_endpoints": [["rule:admin_or_cloud_admin"]],
"identity:create_endpoint": [["rule:cloud_admin"]],
"identity:update_endpoint": [["rule:cloud_admin"]],
"identity:delete_endpoint": [["rule:cloud_admin"]],
"identity:get_domain": [["rule:cloud_admin"]],
"identity:list_domains": [["rule:cloud_admin"]],
"identity:create_domain": [["rule:cloud_admin"]],
"identity:update_domain": [["rule:cloud_admin"]],
"identity:delete_domain": [["rule:cloud_admin"]],
"identity:get_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:list_projects": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:list_user_projects": [["rule:owner"], ["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_project": [["rule:admin_required", "domain_id:%(project.domain_id)s"]],
"identity:update_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:delete_project": [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
"identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:list_users": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_user": [["rule:admin_required", "domain_id:%(user.domain_id)s"]],
"identity:update_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:delete_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
"identity:get_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:list_groups": [["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:list_groups_for_user": [["rule:owner"], ["rule:admin_required", "domain_id:%(domain_id)s"]],
"identity:create_group": [["rule:admin_required", "domain_id:%(group.domain_id)s"]],
"identity:update_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:delete_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:list_users_in_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:remove_user_from_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:check_user_in_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:add_user_to_group": [["rule:admin_required", "domain_id:%(target.group.domain_id)s"]],
"identity:get_credential": [["rule:admin_required"]],
"identity:list_credentials": [["rule:admin_required"]],
"identity:create_credential": [["rule:admin_required"]],
"identity:update_credential": [["rule:admin_required"]],
"identity:delete_credential": [["rule:admin_required"]],
"identity:get_role": [["rule:admin_or_cloud_admin"]],
"identity:list_roles": [["rule:admin_or_cloud_admin"]],
"identity:create_role": [["rule:cloud_admin"]],
"identity:update_role": [["rule:cloud_admin"]],
"identity:delete_role": [["rule:cloud_admin"]],
"admin_on_domain_target" : [["rule:admin_required", "domain_id:%(target.domain.id)s"]],
"admin_on_project_target" : [["rule:admin_required", "project_id:%(target.project.id)s"]],
"identity:check_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:list_grants": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:create_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"identity:revoke_grant": [["rule:admin_on_project_target"],
["rule:admin_on_domain_target"]],
"admin_on_domain_filter" : [["rule:admin_required", "domain_id:%(scope.domain.id)s"]],
"admin_on_project_filter" : [["rule:admin_required", "project_id:%(scope.project.id)s"]],
"identity:list_role_assignments": [["admin_on_domain_filter"],
["admin_on_project_filter"]],
"identity:get_policy": [["rule:cloud_admin"]],
"identity:list_policies": [["rule:cloud_admin"]],
"identity:create_policy": [["rule:cloud_admin"]],
"identity:update_policy": [["rule:cloud_admin"]],
"identity:delete_policy": [["rule:cloud_admin"]],
"identity:check_token": [["rule:admin_or_owner"]],
"identity:validate_token": [["rule:service_or_admin"]],
"identity:validate_token_head": [["rule:service_or_admin"]],
"identity:revocation_list": [["rule:service_or_admin"]],
"identity:revoke_token": [["rule:admin_or_owner"]],
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
"identity:get_trust": [["rule:admin_or_owner"]],
"identity:list_trusts": [["@"]],
"identity:list_roles_for_trust": [["@"]],
"identity:check_role_for_trust": [["@"]],
"identity:get_role_for_trust": [["@"]],
"identity:delete_trust": [["@"]]
}