Add authZ through incorporation of policy checks.
Adds the policy openstack-common module and implements policy checks for the v2 API. Note that this cut only addresses whole objects (i.e., a subnet or a network or a port), not specific fields within objects. (This means that attributes are not filtered out based on policies.) Implements blueprint authorization-support-for-quantum. Change-Id: I1b52b1791a1f14f0af6508a63a40a38e440f15fe
parent
49c71b935d
commit
87a815f12a
|
@ -0,0 +1,19 @@
|
|||
{
|
||||
"admin_or_owner": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
|
||||
"default": [["rule:admin_or_owner"]],
|
||||
|
||||
"create_subnet": [],
|
||||
"get_subnet": [["rule:admin_or_owner"]],
|
||||
"update_subnet": [["rule:admin_or_owner"]],
|
||||
"delete_subnet": [["rule:admin_or_owner"]],
|
||||
|
||||
"create_network": [],
|
||||
"get_network": [["rule:admin_or_owner"]],
|
||||
"update_network": [["rule:admin_or_owner"]],
|
||||
"delete_network": [["rule:admin_or_owner"]],
|
||||
|
||||
"create_port": [],
|
||||
"get_port": [["rule:admin_or_owner"]],
|
||||
"update_port": [["rule:admin_or_owner"]],
|
||||
"delete_port": [["rule:admin_or_owner"]]
|
||||
}
|
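Review bot: The three create rules (`"create_subnet": []`, `"create_network": []`, `"create_port": []`) are empty lists, which the openstack-common policy engine normally treats as always-allow, so they override the `"default"` rule instead of inheriting `admin_or_owner`. That is probably intended for `create_network`, but a subnet or port is created against an existing network and may carry a `tenant_id` in the request body. With an empty rule, nothing in this file ties the caller's tenant to the target; whether the API layer enforces that elsewhere is not visible here. If open create is not intended for child resources, use `"create_subnet": [["rule:admin_or_owner"]]` and `"create_port": [["rule:admin_or_owner"]]`, or drop the two keys so `"default"` applies. Strict JSON cannot hold comments, so if the empty rules are deliberate, state in the commit description or the policy documentation that `[]` means "any authenticated caller".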