Add authZ through incorporation of policy checks.
Adds the policy openstack-common module and implements policy checks for the v2 API. Note that this cut only addresses whole objects (i.e., a subnet or a network or a port), not specific fields within objects. (This means that attributes are not filtered out based on policies.) Implements blueprint authorization-support-for-quantum. Change-Id: I1b52b1791a1f14f0af6508a63a40a38e440f15fe
parent
49c71b935d
commit
87a815f12a
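--- a/etc/policy.json
+++ b/etc/policy.json
@@ -0,0 +1,19 @@
+{
+"admin_or_owner": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
+"default": [["rule:admin_or_owner"]],
+
+"create_subnet": [],
+"get_subnet": [["rule:admin_or_owner"]],
+"update_subnet": [["rule:admin_or_owner"]],
+"delete_subnet": [["rule:admin_or_owner"]],
+
+"create_network": [],
+"get_network": [["rule:admin_or_owner"]],
+"update_network": [["rule:admin_or_owner"]],
+"delete_network": [["rule:admin_or_owner"]],
+
+"create_port": [],
+"get_port": [["rule:admin_or_owner"]],
+"update_port": [["rule:admin_or_owner"]],
+"delete_port": [["rule:admin_or_owner"]]
+}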
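Review bot: The three create rules (`"create_subnet": []`, `"create_network": []`, `"create_port": []`) are empty lists, which the openstack-common policy engine treats as always allowed, so unlike get/update/delete they neither require `admin_or_owner` nor fall back to `default`. Unless the API layer separately validates the `tenant_id` in the request body and the ownership of the parent network for subnets and ports (not visible in this file), a non-admin caller may be able to create resources outside its own tenant. Consider `"create_subnet": [["rule:admin_or_owner"]]` and the same for `create_port` and `create_network`, so the target's tenant is compared with the caller's. If open creation is intended, state that in the commit description, since JSON cannot carry a comment explaining the asymmetry.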