62 lines
4.4 KiB
JSON
62 lines
4.4 KiB
JSON
{
|
|
"admin_required": "role:admin",
|
|
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
|
|
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
|
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
|
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
|
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
|
|
|
"default": "rule:admin_required",
|
|
|
|
"identity:get_limit": "",
|
|
"identity:create_limits": "rule:admin_required",
|
|
"identity:update_limit": "rule:admin_required",
|
|
"identity:delete_limit": "rule:admin_required",
|
|
|
|
"identity:get_project_tag": "rule:admin_required",
|
|
"identity:list_project_tags": "rule:admin_required",
|
|
|
|
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
|
|
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
|
|
|
|
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
|
|
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
|
|
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
|
|
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
|
|
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
|
|
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
|
|
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
|
|
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
|
|
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
|
|
|
|
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
|
|
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
|
|
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
|
|
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
|
|
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
|
|
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
|
|
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
|
|
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
|
|
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
|
|
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
|
|
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
|
|
|
|
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
|
|
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
|
|
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
|
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
|
|
|
|
"identity:check_token": "rule:admin_or_owner",
|
|
"identity:validate_token": "rule:service_admin_or_owner",
|
|
"identity:validate_token_head": "rule:service_or_admin",
|
|
"identity:revoke_token": "rule:admin_or_owner",
|
|
|
|
"identity:create_domain_config": "rule:cloud_admin",
|
|
"identity:get_domain_config": "rule:cloud_admin",
|
|
"identity:update_domain_config": "rule:cloud_admin",
|
|
"identity:delete_domain_config": "rule:cloud_admin",
|
|
"identity:get_domain_config_default": "rule:cloud_admin"
|
|
}
|