bb141b1fb4
The policies contained in policy.v3cloudsample.json pre-dated any of the work to move policy defaults into code. Since deploying a policy file is now optional, we can remove the redundant policies from this file and make it more maintainable by not repeating ourselves and violating the DRY principle. The only policies left are the ones that act as testing workarounds for bug 968696. Meanwhile, we're pursuing fixes for scope types and default roles: http://tinyurl.com/y5kj6fn9 These fixes are specific to certain resources so that reviews are easier for reviewers to understand. As fixes for those bugs land, we will remove the remaining checks in this file, since the behavior will be captured in new default check strings or in code. Eventually, we will delete this file entirely, since we will have defaults in code that work for `admins`, `members`, and `readers` on projects, domains, and the deployment system. Change-Id: Ibbabe8fdc7989f15aa0edda2bf7b550a0dc16f83 Partial-Bug: 1806762
{
"admin_required": "role:admin",
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
"identity:get_limit": "",
"identity:create_limits": "rule:admin_required",
"identity:update_limit": "rule:admin_required",
"identity:delete_limit": "rule:admin_required",
"identity:get_project_tag": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
"identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:list_role_inference_rules": "rule:cloud_admin",
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
"identity:create_policy": "rule:cloud_admin",
"identity:update_policy": "rule:cloud_admin",
"identity:delete_policy": "rule:cloud_admin",
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
"identity:create_policy_association_for_service": "rule:cloud_admin",
"identity:check_policy_association_for_service": "rule:cloud_admin",
"identity:delete_policy_association_for_service": "rule:cloud_admin",
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:get_policy_for_endpoint": "rule:cloud_admin",
"identity:list_endpoints_for_policy": "rule:cloud_admin",
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
"identity:get_domain_config_default": "rule:cloud_admin"
}
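Review bot: `"identity:get_limit": ""` (the line after `"default"`) is an unconditional allow — an empty oslo.policy check string matches every request, so any token holder passes this check while the sibling `create_limits`/`update_limit`/`delete_limit` rules require `rule:admin_required`; the commit message presents the remaining rules as test workarounds for bug 968696, so this is presumably deliberate, but nothing in the file says so, and a deployer who copies this sample will inherit it. A short sentence in the commit message or the sample's documentation stating that this file is a test fixture, not a hardened policy, and that `get_limit` is intentionally open, would prevent that. Separately, `cloud_admin` depends on `is_admin_project:True`; if a deployment has not configured an admin project in keystone.conf, keystone and keystonemiddleware have historically treated a missing `is_admin_project` as True for every project-scoped token, which would collapse `cloud_admin` to plain `role:admin` — worth confirming against the current token model before relying on this sample. The literal `admin_domain_id` in the same rule is a placeholder the deployer must replace with the real admin domain's ID; as written that branch cannot match.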