a5f142c566
This patch is the base patch to enable support for Keystone scoped tokens[1] and default roles[2] in the Octavia API. It strives to maintain backward compatibility and support for Octavia Advanced RBAC roles. [1] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes [2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html Change-Id: I4443d4531dc97d14f8277024baa11ab43e87fb39
29 lines
1.1 KiB
ReStructuredText
29 lines
1.1 KiB
ReStructuredText
===========================
|
|
Octavia Sample Policy Files
|
|
===========================
|
|
|
|
The sample policy.yaml files described here can be copied into
|
|
/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
|
|
|
|
See the `Octavia Policy Guide <https://docs.openstack.org/octavia/latest/configuration/policy.html>`_ for more information about these policy override files.
|
|
|
|
admin_or_owner-policy.yaml
|
|
--------------------------
|
|
This policy file disables the requirement for load-balancer service users to
|
|
have one of the load-balancer:* roles. It provides a similar policy to
|
|
legacy OpenStack policies where any user or admin has access to load-balancer
|
|
resources that they own. Users with the admin role has access to all
|
|
load-balancer resources, whether they own them or not.
|
|
|
|
keystone_default_roles-policy.yaml
|
|
----------------------------------
|
|
This policy file disables the requirement for load-balancer service users to
|
|
have one of the load-balancer:* roles.
|
|
|
|
This policy will honor the following Keystone default roles in the Octavia API:
|
|
|
|
* System scoped - Admin
|
|
* System scoped - Reader
|
|
* Project scoped - Reader
|
|
* Project scoped - Member
|