security-doc/security-guide/source/identity/policies.rst
Chris MacNaughton 6a64a48682 Resolve Sphinx issues with syntax highlighting
A new revision of Sphinx has introduced stricter requirements
in parsing console and json types

Change-Id: I99cb9fb64bc134a2a78e82d95028f744f40634b8
2019-03-29 08:52:15 +01:00

2.5 KiB

Policies

Each OpenStack service defines the access policies for its resources in an associated policy file. A resource, for example, could be API access, the ability to attach to a volume, or to fire up instances. The policy rules are specified in JSON format and the file is called policy.json. The syntax and format of this file are discussed in the Configuration Reference.

These policies can be modified or updated by the cloud administrator to control access to the various resources. Ensure that any changes to the access control policies do not unintentionally weaken the security of any resource: review each edit against the previous file, and confirm with a non-administrative token that operations which were denied before are still denied. Also note that changes to the policy.json file become effective immediately, because the policy engine reloads the file when it detects a change, and do not require the service to be restarted; a mistaken edit is therefore exposed to API callers as soon as it is saved.

The following example shows how the service can restrict the create, update and delete operations on a resource to callers who satisfy the cloud_admin rule, which is defined as the conjunction of role = admin and domain_id = admin_domain_id, that is, a user holding the admin role in a token scoped to the cloud administration domain. The get and list operations are made available to callers who satisfy admin_or_cloud_admin; since anyone who satisfies cloud_admin also satisfies admin_required, this amounts to any user with the admin role, whatever domain their token is scoped to. Note that admin_domain_id is a placeholder that the policy engine compares as a literal string: the deployer must replace it with the actual ID of the administrative domain, or no caller will ever satisfy cloud_admin.

{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",

    "default": "rule:admin_required",

    "identity:get_service": "rule:admin_or_cloud_admin",
    "identity:list_services": "rule:admin_or_cloud_admin",
    "identity:create_service": "rule:cloud_admin",
    "identity:update_service": "rule:cloud_admin",
    "identity:delete_service": "rule:cloud_admin",

    "identity:get_endpoint": "rule:admin_or_cloud_admin",
    "identity:list_endpoints": "rule:admin_or_cloud_admin",
    "identity:create_endpoint": "rule:cloud_admin",
    "identity:update_endpoint": "rule:cloud_admin",
    "identity:delete_endpoint": "rule:cloud_admin"
}
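Added example, not code from the OpenStack Security Guide, keystone or oslo.policy: a small Python reimplementation of the policy.json rule language, used to show how the rules above compose (a caller satisfying cloud_admin versus an admin whose token is scoped to some other domain, the owner rule matched against a target, and the default rule backing undefined actions) and, for the earlier advice that policy edits must not weaken access, a check that evaluates a set of constructed principals against the old and the edited policy and reports anything that is newly allowed. The principals, the Enforcer class and the weakened() function are assumptions of this example; it supports only the constructs the sample uses, and it resolves %(target.a.b)s against a nested dict where keystone flattens the target before substitution.

```python
"""Minimal evaluator for the policy.json rule language (example code, not
oslo.policy) plus a regression check for policy edits."""


# Subset of the sample policy above; "default" backs undefined names.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "default": "rule:admin_required",
    "identity:get_service": "rule:admin_or_cloud_admin",
    "identity:create_service": "rule:cloud_admin",
}

# Constructed credentials (assumed). "admin_domain_id" is the placeholder
# literal from the sample; a real deployment substitutes the admin domain's ID.
PRINCIPALS = {
    "cloud_admin":  {"user_id": "u1", "roles": ["admin"],  "domain_id": "admin_domain_id"},
    "domain_admin": {"user_id": "u2", "roles": ["admin"],  "domain_id": "d-finance"},
    "member":       {"user_id": "u3", "roles": ["member"], "domain_id": "d-finance"},
}


def _tokenize(text):
    """Split on whitespace, peeling parentheses glued to a token but leaving
    the ')' that closes a %(...)s substitution in place."""
    for tok in text.split():
        core = tok.lstrip("(")
        yield from "(" * (len(tok) - len(core))
        body = core.rstrip(")")
        if body:
            yield body
        yield from ")" * (len(core) - len(body))


def _parse(text):
    """Recursive descent: 'not' binds tighter than 'and', which binds tighter than 'or'."""
    toks, pos = list(_tokenize(text)), [0]

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = not_expr()
        while peek() == "and":
            take()
            node = ("and", node, not_expr())
        return node

    def not_expr():
        tok = take()
        if tok == "not":
            return ("not", not_expr())
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in rule: " + text)
            return node
        if tok in ("@", "!"):                 # always-true / always-false checks
            return ("const", tok == "@")
        kind, sep, value = tok.partition(":")
        if not sep:
            raise ValueError("malformed check %r in rule: %s" % (tok, text))
        return ("check", kind, value)

    node = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in rule: " + text)
    return node


def _lookup(mapping, dotted):
    """Resolve 'target.token.user.domain.id' against nested dicts; None if absent."""
    for part in dotted.split("."):
        if not isinstance(mapping, dict) or part not in mapping:
            return None
        mapping = mapping[part]
    return mapping


class Enforcer:
    def __init__(self, policy):
        self.rules = {name: _parse(text) for name, text in policy.items()}

    def enforce(self, action, creds, target=None):
        """True if creds may perform action; target holds the request's
        parameters and, under the "target" key, the fetched resource."""
        return self._eval(self._rule(action), creds, target or {}, 0)

    def _rule(self, name):
        return self.rules.get(name, self.rules.get("default", ("const", False)))

    def _eval(self, node, creds, target, depth):
        if depth > 32:
            raise RecursionError("rule reference cycle")
        op = node[0]
        if op == "const":
            return node[1]
        if op == "not":
            return not self._eval(node[1], creds, target, depth)
        if op in ("and", "or"):
            left = self._eval(node[1], creds, target, depth)
            if op == "and" and not left or op == "or" and left:
                return left
            return self._eval(node[2], creds, target, depth)
        _, kind, value = node
        if kind == "rule":
            return self._eval(self._rule(value), creds, target, depth + 1)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic check: credential attribute `kind` must equal a literal or a
        # value substituted from the target; both sides compared as strings.
        if value.startswith("%(") and value.endswith(")s"):
            value = _lookup(target, value[2:-2])
        actual = _lookup(creds, kind)
        return value is not None and actual is not None and str(actual) == str(value)


def weakened(old_policy, new_policy, principals=PRINCIPALS):
    """(principal, action) pairs denied by old_policy but allowed by new_policy."""
    old, new = Enforcer(old_policy), Enforcer(new_policy)
    actions = sorted(a for a in set(old_policy) | set(new_policy) if ":" in a)
    return sorted((who, act) for who, creds in principals.items() for act in actions
                  if not old.enforce(act, creds) and new.enforce(act, creds))


if __name__ == "__main__":
    enf = Enforcer(POLICY)
    for who, creds in PRINCIPALS.items():
        print(who, {a: enf.enforce(a, creds) for a in ("identity:get_service", "identity:create_service")})
    edited = dict(POLICY, **{"identity:create_service": "rule:admin_or_cloud_admin"})
    print("weakened:", weakened(POLICY, edited))
```

Run as a script, domain_admin is allowed identity:get_service but not identity:create_service, while the edit that points create_service at admin_or_cloud_admin is reported as weakening access for that principal. The same check shows the placeholder problem: with the literal admin_domain_id left in place, only a token whose domain_id is exactly that string satisfies cloud_admin, so an admin scoped to the real administrative domain would be refused.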