openstack/octavia
Code Issues Proposed changes
c9b15db3db
octavia/etc/policy/README.rst
Michael Johnson 5ab6e3d30f Move system scoped secure-RBAC to separate file 
This patch moves the system scope configuration in the policy override example files out to a separate override file. This way the new default roles can be enabled independently of system scoped tokens. This helps us align to the changes in the secure-RBAC spec[1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I1b41780f3ca84ceca563d668ae8bb40011a60bf4
2022-07-15 23:43:07 +00:00

41 lines
1.5 KiB
ReStructuredText
Raw Blame History

===========================
Octavia Sample Policy Files
===========================
The sample policy.yaml files described here can be copied into
/etc/octavia/policy.yaml to override the default RBAC policy for Octavia.
See the `Octavia Policy Guide <https://docs.openstack.org/octavia/latest/configuration/policy.html>`_ for more information about these policy override files.
admin_or_owner-policy.yaml
--------------------------
This policy file disables the requirement for load-balancer service users to
have one of the load-balancer:* roles. It provides a similar policy to
legacy OpenStack policies where any user or admin has access to load-balancer
resources that they own. Users with the admin role has access to all
load-balancer resources, whether they own them or not.
keystone_default_roles-policy.yaml
----------------------------------
This policy file disables the requirement for load-balancer service users to
have one of the load-balancer:* roles.
This policy will honor the following Keystone default roles in the Octavia API:
* Admin
* Project scoped - Reader
* Project scoped - Member
keystone_default_roles_scoped-policy.yaml
----------------------------------
This policy file disables the requirement for load-balancer service users to
have one of the load-balancer:* roles.
This policy will honor the following Keystone default roles and scopes in the
Octavia API:
* System scoped - Admin
* System scoped - Reader
* Project scoped - Reader
* Project scoped - Member
View Git Blame Copy Permalink