From 87a815f12a5b9a154be1f767f8f4b13c64ccee16 Mon Sep 17 00:00:00 2001
From: "Kevin L. Mitchell"
Date: Thu, 14 Jun 2012 09:39:57 -0500
Subject: [PATCH] Add authZ through incorporation of policy checks.
Adds the policy openstack-common module and implements policy checks for the v2 API. Note that this cut only addresses whole objects (i.e., a subnet or a network or a port), not specific fields within objects. (This means that attributes are not filtered out based on policies.) Implements blueprint authorization-support-for-quantum.
Change-Id: I1b52b1791a1f14f0af6508a63a40a38e440f15fe
---
etc/policy.json | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 etc/policy.json
diff --git a/etc/policy.json b/etc/policy.json
new file mode 100644
index 00000000..41a5cafb
--- /dev/null
+++ b/etc/policy.json
@@ -0,0 +1,19 @@
+{
+ "admin_or_owner": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
+ "default": [["rule:admin_or_owner"]],
+
+ "create_subnet": [],
+ "get_subnet": [["rule:admin_or_owner"]],
+ "update_subnet": [["rule:admin_or_owner"]],
+ "delete_subnet": [["rule:admin_or_owner"]],
+
+ "create_network": [],
+ "get_network": [["rule:admin_or_owner"]],
+ "update_network": [["rule:admin_or_owner"]],
+ "delete_network": [["rule:admin_or_owner"]],
+
+ "create_port": [],
+ "get_port": [["rule:admin_or_owner"]],
+ "update_port": [["rule:admin_or_owner"]],
+ "delete_port": [["rule:admin_or_owner"]]
+}
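Review bot: The three create rules (`"create_subnet": []`, `"create_network": []`, `"create_port": []`) are empty lists, so if the policy engine treats an empty rule as always-allow (as the list-based openstack-common policy module appears to), nothing checks who creates a subnet or port, or for which tenant. That is reasonable for a network, but a subnet or port attaches to an existing network. Unless the API layer verifies ownership of the parent network and of the `tenant_id` in the request body (not visible in this patch), the `default` rule gives no protection here, because each create action is listed explicitly. Consider `"create_subnet": [["rule:admin_or_owner"]],` and `"create_port": [["rule:admin_or_owner"]],` so the target's `tenant_id` is at least matched against the caller, and say in the commit message which layer enforces parent-network ownership. JSON cannot carry comments, so the meaning of `[]` (allow everyone) should be documented next to the file, for example in the deployment docs, so operators do not read it as "no access".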