207ee7e017
This commit aims to suggest a set of default policies for user management on stx-openstack. We suggest the creation of the project_admin and project_readonly roles and provide some policies to fine-tune access control over the OpenStack services for those roles, as described in README.md. We also provide a set of tests so that cloud administrators can verify on site that the policies and permissions all work as expected. Story: 2008910 Task: 42501 Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com> Signed-off-by: Thiago Brito <thiago.brito@windriver.com> Co-authored-by: Miriam Yumi Peixoto <miriam.yumipeixoto@windriver.com> Co-authored-by: Leonardo Zaccarias <leonardo.zaccarias@windriver.com> Co-authored-by: Rogerio Oliveira Ferraz <rogeriooliveira.ferraz@windriver.com> Change-Id: I4040fe9f7be94ea7e0eb208579b2d5aa7579a8b1
conf:
|
|
policy:
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
admin_required: role:admin or is_admin:1
|
|
default: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:create_consumer: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:create_grant: rule:admin_required
|
|
identity:create_group: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:create_project: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:create_region: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:create_user: rule:admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:delete_trust: ""
|
|
identity:delete_user: rule:admin_required
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:get_access_token: rule:admin_required
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:get_auth_catalog: ""
|
|
identity:get_auth_domains: ""
|
|
identity:get_auth_projects: ""
|
|
identity:get_consumer: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
|
|
identity:get_domain_config: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required
|
|
identity:get_domain_role: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:get_group: rule:admin_required
|
|
identity:get_identity_providers: rule:admin_required
|
|
identity:get_implied_role: 'rule:admin_required '
|
|
identity:get_mapping: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
|
identity:get_protocol: rule:admin_required
|
|
identity:get_region: ""
|
|
identity:get_role: rule:admin_required
|
|
identity:get_role_for_trust: ""
|
|
identity:get_security_compliance_domain_config: ""
|
|
identity:get_service: rule:admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:get_user: rule:admin_or_owner
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required
|
|
identity:list_domains: rule:admin_required
|
|
identity:list_domains_for_user: ""
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:list_grants: rule:admin_required
|
|
identity:list_groups: rule:admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:list_projects: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:list_projects_for_user: ""
|
|
identity:list_protocols: rule:admin_required
|
|
identity:list_regions: ""
|
|
identity:list_revoke_events: rule:service_or_admin
|
|
identity:list_role_assignments: rule:admin_required
|
|
identity:list_role_assignments_for_tree: rule:admin_required
|
|
identity:list_role_inference_rules: rule:admin_required
|
|
identity:list_roles: rule:admin_required
|
|
identity:list_roles_for_trust: ""
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:list_trusts: ""
|
|
identity:list_user_projects: rule:admin_or_owner
|
|
identity:list_users: rule:admin_required
|
|
identity:list_users_in_group: rule:admin_required
|
|
identity:project_users_access: rule:project_mod_or_admin
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_grant: rule:admin_required
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:update_consumer: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:update_project: rule:admin_required
|
|
identity:update_protocol: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
identity:validate_token_head: rule:service_or_admin
|
|
owner: user_id:%(user_id)s
|
|
project_admin: role:project_admin
|
|
project_admin_only: rule:admin_required or rule:project_admin
|
|
project_mod: role:project_mod
|
|
project_mod_or_admin: rule:admin_required or rule:project_mod or rule:project_admin
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
service_role: role:service
|
|
token_subject: user_id:%(target.token.user_id)s
|
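Review bot: The rule `project_admin_only` is defined at the bottom of this file but no `identity:` target refers to it, and the role rule `project_mod` does not match the `project_admin`/`project_readonly` roles the commit message introduces, so the only identity permission those roles gain from this file is `identity:project_users_access: rule:project_mod_or_admin`. That target name is not one I recognise from keystone's identity policy set; unless this distribution's keystone registers and enforces it, the entry is inert and `project_admin` holders still fall under `rule:admin_required` for `identity:list_users`, `identity:list_role_assignments` and `identity:create_grant`, which seems contrary to the intent and is worth confirming against the tests the commit adds. A header comment stating the role model would help future audits, e.g. `# project_admin / project_mod are project-scoped roles; every rule below that is neither admin_required nor "" should be traceable to one of them`. Separately, `identity:get_implied_role: 'rule:admin_required '` carries a trailing space inside the quotes; oslo.policy probably tolerates it when tokenising, but it should read `identity:get_implied_role: rule:admin_required` to match the neighbouring entries. The rendered view has dropped the YAML indentation, so the nesting under `conf:`/`policy:` cannot be checked from this page.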