OpenStack Identity (Keystone)


  1. {
  2. "admin_required": "role:admin",
  3. "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
  4. "service_role": "role:service",
  5. "service_or_admin": "rule:admin_required or rule:service_role",
  6. "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
  7. "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
  8. "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
  9. "service_admin_or_owner": "rule:service_or_admin or rule:owner",
  10. "default": "rule:admin_required",
  11. "identity:get_region": "",
  12. "identity:list_regions": "",
  13. "identity:create_region": "rule:cloud_admin",
  14. "identity:update_region": "rule:cloud_admin",
  15. "identity:delete_region": "rule:cloud_admin",
  16. "identity:get_service": "rule:admin_required",
  17. "identity:list_services": "rule:admin_required",
  18. "identity:create_service": "rule:cloud_admin",
  19. "identity:update_service": "rule:cloud_admin",
  20. "identity:delete_service": "rule:cloud_admin",
  21. "identity:get_endpoint": "rule:admin_required",
  22. "identity:list_endpoints": "rule:admin_required",
  23. "identity:create_endpoint": "rule:cloud_admin",
  24. "identity:update_endpoint": "rule:cloud_admin",
  25. "identity:delete_endpoint": "rule:cloud_admin",
  26. "identity:get_registered_limit": "",
  27. "identity:list_registered_limits": "",
  28. "identity:create_registered_limits": "rule:admin_required",
  29. "identity:update_registered_limit": "rule:admin_required",
  30. "identity:delete_registered_limit": "rule:admin_required",
  31. "identity:get_limit_model": "",
  32. "identity:get_limit": "",
  33. "identity:list_limits": "",
  34. "identity:create_limits": "rule:admin_required",
  35. "identity:update_limit": "rule:admin_required",
  36. "identity:delete_limit": "rule:admin_required",
  37. "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
  38. "identity:list_domains": "rule:cloud_admin",
  39. "identity:create_domain": "rule:cloud_admin",
  40. "identity:update_domain": "rule:cloud_admin",
  41. "identity:delete_domain": "rule:cloud_admin",
  42. "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
  43. "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
  44. "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
  45. "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
  46. "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
  47. "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
  48. "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
  49. "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
  50. "identity:create_project_tag": "rule:admin_required",
  51. "identity:delete_project_tag": "rule:admin_required",
  52. "identity:get_project_tag": "rule:admin_required",
  53. "identity:list_project_tags": "rule:admin_required",
  54. "identity:delete_project_tags": "rule:admin_required",
  55. "identity:update_project_tags": "rule:admin_required",
  56. "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
  57. "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
  58. "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
  59. "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
  60. "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
  61. "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
  62. "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
  63. "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
  64. "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
  65. "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  66. "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
  67. "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
  68. "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
  69. "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  70. "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  71. "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  72. "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  73. "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  74. "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
  75. "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
  76. "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
  77. "identity:ec2_create_credential": "rule:admin_required or rule:owner",
  78. "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
  79. "identity:get_role": "rule:admin_required",
  80. "identity:list_roles": "rule:admin_required",
  81. "identity:create_role": "rule:cloud_admin",
  82. "identity:update_role": "rule:cloud_admin",
  83. "identity:delete_role": "rule:cloud_admin",
  84. "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
  85. "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
  86. "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
  87. "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
  88. "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
  89. "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
  90. "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
  91. "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
  92. "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
  93. "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
  94. "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
  95. "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
  96. "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
  97. "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
  98. "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  99. "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  100. "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
  101. "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  102. "identity:list_role_inference_rules": "rule:cloud_admin",
  103. "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
  104. "identity:list_system_grants_for_user": "rule:admin_required",
  105. "identity:check_system_grant_for_user": "rule:admin_required",
  106. "identity:create_system_grant_for_user": "rule:admin_required",
  107. "identity:revoke_system_grant_for_user": "rule:admin_required",
  108. "identity:list_system_grants_for_group": "rule:admin_required",
  109. "identity:check_system_grant_for_group": "rule:admin_required",
  110. "identity:create_system_grant_for_group": "rule:admin_required",
  111. "identity:revoke_system_grant_for_group": "rule:admin_required",
  112. "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  113. "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
  114. "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  115. "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
  116. "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
  117. "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
  118. "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
  119. "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
  120. "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
  121. "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
  122. "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
  123. "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
  124. "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
  125. "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
  126. "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
  127. "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
  128. "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
  129. "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
  130. "identity:get_policy": "rule:cloud_admin",
  131. "identity:list_policies": "rule:cloud_admin",
  132. "identity:create_policy": "rule:cloud_admin",
  133. "identity:update_policy": "rule:cloud_admin",
  134. "identity:delete_policy": "rule:cloud_admin",
  135. "identity:check_token": "rule:admin_or_owner",
  136. "identity:validate_token": "rule:service_admin_or_owner",
  137. "identity:validate_token_head": "rule:service_or_admin",
  138. "identity:revocation_list": "rule:service_or_admin",
  139. "identity:revoke_token": "rule:admin_or_owner",
  140. "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
  141. "identity:list_trusts": "",
  142. "identity:list_roles_for_trust": "",
  143. "identity:get_role_for_trust": "",
  144. "identity:delete_trust": "",
  145. "identity:get_trust": "",
  146. "identity:create_consumer": "rule:admin_required",
  147. "identity:get_consumer": "rule:admin_required",
  148. "identity:list_consumers": "rule:admin_required",
  149. "identity:delete_consumer": "rule:admin_required",
  150. "identity:update_consumer": "rule:admin_required",
  151. "identity:authorize_request_token": "rule:admin_required",
  152. "identity:list_access_token_roles": "rule:admin_required",
  153. "identity:get_access_token_role": "rule:admin_required",
  154. "identity:list_access_tokens": "rule:admin_required",
  155. "identity:get_access_token": "rule:admin_required",
  156. "identity:delete_access_token": "rule:admin_required",
  157. "identity:list_projects_for_endpoint": "rule:admin_required",
  158. "identity:add_endpoint_to_project": "rule:admin_required",
  159. "identity:check_endpoint_in_project": "rule:admin_required",
  160. "identity:list_endpoints_for_project": "rule:admin_required",
  161. "identity:remove_endpoint_from_project": "rule:admin_required",
  162. "identity:create_endpoint_group": "rule:admin_required",
  163. "identity:list_endpoint_groups": "rule:admin_required",
  164. "identity:get_endpoint_group": "rule:admin_required",
  165. "identity:update_endpoint_group": "rule:admin_required",
  166. "identity:delete_endpoint_group": "rule:admin_required",
  167. "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
  168. "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
  169. "identity:get_endpoint_group_in_project": "rule:admin_required",
  170. "identity:list_endpoint_groups_for_project": "rule:admin_required",
  171. "identity:add_endpoint_group_to_project": "rule:admin_required",
  172. "identity:remove_endpoint_group_from_project": "rule:admin_required",
  173. "identity:create_identity_provider": "rule:cloud_admin",
  174. "identity:list_identity_providers": "rule:cloud_admin",
  175. "identity:get_identity_provider": "rule:cloud_admin",
  176. "identity:update_identity_provider": "rule:cloud_admin",
  177. "identity:delete_identity_provider": "rule:cloud_admin",
  178. "identity:create_protocol": "rule:cloud_admin",
  179. "identity:update_protocol": "rule:cloud_admin",
  180. "identity:get_protocol": "rule:cloud_admin",
  181. "identity:list_protocols": "rule:cloud_admin",
  182. "identity:delete_protocol": "rule:cloud_admin",
  183. "identity:create_mapping": "rule:cloud_admin",
  184. "identity:get_mapping": "rule:cloud_admin",
  185. "identity:list_mappings": "rule:cloud_admin",
  186. "identity:delete_mapping": "rule:cloud_admin",
  187. "identity:update_mapping": "rule:cloud_admin",
  188. "identity:create_service_provider": "rule:cloud_admin",
  189. "identity:list_service_providers": "rule:cloud_admin",
  190. "identity:get_service_provider": "rule:cloud_admin",
  191. "identity:update_service_provider": "rule:cloud_admin",
  192. "identity:delete_service_provider": "rule:cloud_admin",
  193. "identity:get_auth_catalog": "",
  194. "identity:get_auth_projects": "",
  195. "identity:get_auth_domains": "",
  196. "identity:get_auth_system": "",
  197. "identity:list_projects_for_user": "",
  198. "identity:list_domains_for_user": "",
  199. "identity:list_revoke_events": "rule:service_or_admin",
  200. "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
  201. "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
  202. "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
  203. "identity:create_policy_association_for_service": "rule:cloud_admin",
  204. "identity:check_policy_association_for_service": "rule:cloud_admin",
  205. "identity:delete_policy_association_for_service": "rule:cloud_admin",
  206. "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
  207. "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
  208. "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
  209. "identity:get_policy_for_endpoint": "rule:cloud_admin",
  210. "identity:list_endpoints_for_policy": "rule:cloud_admin",
  211. "identity:create_domain_config": "rule:cloud_admin",
  212. "identity:get_domain_config": "rule:cloud_admin",
  213. "identity:get_security_compliance_domain_config": "",
  214. "identity:update_domain_config": "rule:cloud_admin",
  215. "identity:delete_domain_config": "rule:cloud_admin",
  216. "identity:get_domain_config_default": "rule:cloud_admin",
  217. "identity:get_application_credential": "rule:admin_or_owner",
  218. "identity:list_application_credentials": "rule:admin_or_owner",
  219. "identity:create_application_credential": "rule:admin_or_owner",
  220. "identity:delete_application_credential": "rule:admin_or_owner"
  221. }