octavia/etc/policy
Michael Johnson a5f142c566 Add support for scoped tokens and default roles
This patch is the base patch to enable support for Keystone
scoped tokens[1] and default roles[2] in the Octavia API.

It strives to maintain backward compatibility and support for
Octavia Advanced RBAC roles.

[1] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes
[2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Change-Id: I4443d4531dc97d14f8277024baa11ab43e87fb39
2021-03-08 19:33:35 +00:00
..
admin_or_owner-policy.yaml Switch oslo.policy over to yaml 2020-06-08 08:54:07 -07:00
keystone_default_roles-policy.yaml Add support for scoped tokens and default roles 2021-03-08 19:33:35 +00:00
octavia-policy-generator.conf Switch oslo.policy over to yaml 2020-06-08 08:54:07 -07:00
README.rst Add support for scoped tokens and default roles 2021-03-08 19:33:35 +00:00

Octavia Sample Policy Files

The sample policy.yaml files described here can be copied into /etc/octavia/policy.yaml to override the default RBAC policy for Octavia.

See the Octavia Policy Guide for more information about these policy override files.

admin_or_owner-policy.yaml

This policy file disables the requirement for load-balancer service users to have one of the load-balancer:* roles. It provides a similar policy to legacy OpenStack policies where any user or admin has access to load-balancer resources that they own. Users with the admin role has access to all load-balancer resources, whether they own them or not.

keystone_default_roles-policy.yaml

This policy file disables the requirement for load-balancer service users to have one of the load-balancer:* roles.

This policy will honor the following Keystone default roles in the Octavia API:

  • System scoped - Admin
  • System scoped - Reader
  • Project scoped - Reader
  • Project scoped - Member