authorSean Pryor <spryor@redhat.com>2017-11-06 11:53:59 -0500
committerSean Pryor <spryor@redhat.com>2017-11-06 11:53:59 -0500
commit6427e7e3fcff29ddc758fb847fab34c0c115ce7a (patch)
treef42b80503377271e21b7bd7b3ec9cc8933e0a791
parent671534358b384af53595419a62c12870fa3586fe (diff)
Initial draft of updated keystone policy
Change-Id: I1dfa3a01ed65070a89f7f075cc4db8c2a7f160dd
-rw-r--r--etc/keystone/policy.json350
1 files changed, 176 insertions, 174 deletions
diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json
index 1e37bef..2c801c2 100644
--- a/etc/keystone/policy.json
+++ b/etc/keystone/policy.json
@@ -1,112 +1,114 @@
{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
+ "global_readonly": "(role:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
+ "service": "role:service",
"token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
- "default": "rule:admin_required",
+
+ "default": "rule:admin",
"identity:get_region": "",
"identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
+ "identity:create_region": "rule:admin",
+ "identity:update_region": "rule:admin",
+ "identity:delete_region": "rule:admin",
+
+ "identity:get_service": "rule:admin",
+ "identity:list_services": "rule:admin",
+ "identity:create_service": "rule:admin",
+ "identity:update_service": "rule:admin",
+ "identity:delete_service": "rule:admin",
+
+ "identity:get_endpoint": "rule:admin",
+ "identity:list_endpoints": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:create_endpoint": "rule:admin",
+ "identity:update_endpoint": "rule:admin",
+ "identity:delete_endpoint": "rule:admin",
+
+ "identity:get_domain": "rule:admin or token.project.domain.id:%(target.domain.id)s or rule:readonly or rule:global_readonly",
+ "identity:list_domains": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:create_domain": "rule:admin",
+ "identity:update_domain": "rule:admin",
+ "identity:delete_domain": "rule:admin",
+
+ "identity:get_project": "rule:admin or project_id:%(target.project.id)s",
+ "identity:list_projects": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:list_user_projects": "rule:admin or rule:owner or rule:readonly or rule:global_readonly",
+ "identity:create_project": "rule:admin",
+ "identity:update_project": "rule:admin",
+ "identity:delete_project": "rule:admin",
+
+ "identity:get_user": "rule:admin or rule:owner or rule:readonly or rule:global_readonly",
+ "identity:list_users": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:create_user": "rule:admin",
+ "identity:update_user": "rule:admin",
+ "identity:delete_user": "rule:admin",
+ "identity:change_password": "rule:admin or rule:owner",
+
+ "identity:get_group": "rule:admin",
+ "identity:list_groups": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:list_groups_for_user": "rule:admin or rule:owner or rule:readonly or rule:global_readonly",
+ "identity:create_group": "rule:admin",
+ "identity:update_group": "rule:admin",
+ "identity:delete_group": "rule:admin",
+ "identity:list_users_in_group": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:remove_user_from_group": "rule:admin",
+ "identity:check_user_in_group": "rule:admin",
+ "identity:add_user_to_group": "rule:admin",
+
+ "identity:get_credential": "rule:admin",
+ "identity:list_credentials": "rule:admin",
+ "identity:create_credential": "rule:admin",
+ "identity:update_credential": "rule:admin",
+ "identity:delete_credential": "rule:admin",
+
+ "identity:ec2_get_credential": "rule:admin or (rule:owner and user_id:%(target.credential.user_id)s)",
+ "identity:ec2_list_credentials": "rule:admin or rule:owner",
+ "identity:ec2_create_credential": "rule:admin or rule:owner",
+ "identity:ec2_delete_credential": "rule:admin or (rule:owner and user_id:%(target.credential.user_id)s)",
+
+ "identity:get_role": "rule:admin",
+ "identity:list_roles": "rule:admin",
+ "identity:create_role": "rule:admin",
+ "identity:update_role": "rule:admin",
+ "identity:delete_role": "rule:admin",
+ "identity:get_domain_role": "rule:admin",
+ "identity:list_domain_roles": "rule:admin",
+ "identity:create_domain_role": "rule:admin",
+ "identity:update_domain_role": "rule:admin",
+ "identity:delete_domain_role": "rule:admin",
+
+ "identity:get_implied_role": "rule:admin ",
+ "identity:list_implied_roles": "rule:admin",
+ "identity:create_implied_role": "rule:admin",
+ "identity:delete_implied_role": "rule:admin",
+ "identity:list_role_inference_rules": "rule:admin",
+ "identity:check_implied_role": "rule:admin",
+
+ "identity:check_grant": "rule:admin",
+ "identity:list_grants": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:create_grant": "rule:admin",
+ "identity:revoke_grant": "rule:admin",
+
+ "identity:list_role_assignments": "rule:admin",
+ "identity:list_role_assignments_for_tree": "rule:admin",
+
+ "identity:get_policy": "rule:admin",
+ "identity:list_policies": "rule:admin",
+ "identity:create_policy": "rule:admin",
+ "identity:update_policy": "rule:admin",
+ "identity:delete_policy": "rule:admin",
+
+ "identity:check_token": "rule:admin or rule:token_subject",
+ "identity:validate_token": "rule:service or rule:admin or rule:token_subject",
+ "identity:validate_token_head": "rule:service or rule:admin",
+ "identity:revocation_list": "rule:service or rule:admin",
+ "identity:revoke_token": "rule:admin or rule:token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
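Review bot: The new `readonly` rule can only succeed when the policy target carries a `project_id` key, because oslo.policy's generic check substitutes `%(project_id)s` from the target and returns false when the key is missing; for the list operations it is attached to here (`identity:list_endpoints`, `identity:list_domains`, `identity:list_projects`, `identity:list_users`, `identity:list_groups`, `identity:list_users_in_group`, `identity:list_grants`, and in the next hunk `identity:list_projects_for_endpoint`, `identity:list_endpoints_for_project`, `identity:list_endpoint_groups`) keystone's list controllers appear to build the target from request filters, so unless a caller passes a `project_id` filter only `rule:global_readonly` can grant — confirm that this narrower effect is intended rather than a dead branch. Separately, `admin` now reads `is_admin:True` where the replaced rule used `is_admin:1`; the generic check compares the credential value as a string, so verify that keystone supplies `is_admin` as a value that serializes to `True` in this deployment, or keep `is_admin:1` to match the upstream default. `owner` now additionally requires `rule:_member_role`, so `identity:change_password` rejects a user with no member role who could previously change their own password; if deliberate, it deserves a sentence in the commit message. Finally `"identity:get_implied_role": "rule:admin "` keeps a trailing space inside the rule string carried over from the old file; tidy it to `"identity:get_implied_role": "rule:admin",`.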
@@ -114,60 +116,60 @@
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
+ "identity:create_consumer": "rule:admin",
+ "identity:get_consumer": "rule:admin",
+ "identity:list_consumers": "rule:admin",
+ "identity:delete_consumer": "rule:admin",
+ "identity:update_consumer": "rule:admin",
+
+ "identity:authorize_request_token": "rule:admin",
+ "identity:list_access_token_roles": "rule:admin",
+ "identity:get_access_token_role": "rule:admin",
+ "identity:list_access_tokens": "rule:admin",
+ "identity:get_access_token": "rule:admin",
+ "identity:delete_access_token": "rule:admin",
+
+ "identity:list_projects_for_endpoint": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:add_endpoint_to_project": "rule:admin",
+ "identity:check_endpoint_in_project": "rule:admin",
+ "identity:list_endpoints_for_project": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:remove_endpoint_from_project": "rule:admin",
+
+ "identity:create_endpoint_group": "rule:admin",
+ "identity:list_endpoint_groups": "rule:admin or rule:readonly or rule:global_readonly",
+ "identity:get_endpoint_group": "rule:admin",
+ "identity:update_endpoint_group": "rule:admin",
+ "identity:delete_endpoint_group": "rule:admin",
+ "identity:list_projects_associated_with_endpoint_group": "rule:admin",
+ "identity:list_endpoints_associated_with_endpoint_group": "rule:admin",
+ "identity:get_endpoint_group_in_project": "rule:admin",
+ "identity:list_endpoint_groups_for_project": "rule:admin",
+ "identity:add_endpoint_group_to_project": "rule:admin",
+ "identity:remove_endpoint_group_from_project": "rule:admin",
+
+ "identity:create_identity_provider": "rule:admin",
+ "identity:list_identity_providers": "rule:admin",
+ "identity:get_identity_providers": "rule:admin",
+ "identity:update_identity_provider": "rule:admin",
+ "identity:delete_identity_provider": "rule:admin",
+
+ "identity:create_protocol": "rule:admin",
+ "identity:update_protocol": "rule:admin",
+ "identity:get_protocol": "rule:admin",
+ "identity:list_protocols": "rule:admin",
+ "identity:delete_protocol": "rule:admin",
+
+ "identity:create_mapping": "rule:admin",
+ "identity:get_mapping": "rule:admin",
+ "identity:list_mappings": "rule:admin",
+ "identity:delete_mapping": "rule:admin",
+ "identity:update_mapping": "rule:admin",
+
+ "identity:create_service_provider": "rule:admin",
+ "identity:list_service_providers": "rule:admin",
+ "identity:get_service_provider": "rule:admin",
+ "identity:update_service_provider": "rule:admin",
+ "identity:delete_service_provider": "rule:admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
@@ -178,21 +180,21 @@
"identity:list_revoke_events": "",
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required"
+ "identity:create_policy_association_for_endpoint": "rule:admin",
+ "identity:check_policy_association_for_endpoint": "rule:admin",
+ "identity:delete_policy_association_for_endpoint": "rule:admin",
+ "identity:create_policy_association_for_service": "rule:admin",
+ "identity:check_policy_association_for_service": "rule:admin",
+ "identity:delete_policy_association_for_service": "rule:admin",
+ "identity:create_policy_association_for_region_and_service": "rule:admin",
+ "identity:check_policy_association_for_region_and_service": "rule:admin",
+ "identity:delete_policy_association_for_region_and_service": "rule:admin",
+ "identity:get_policy_for_endpoint": "rule:admin",
+ "identity:list_endpoints_for_policy": "rule:admin",
+
+ "identity:create_domain_config": "rule:admin",
+ "identity:get_domain_config": "rule:admin",
+ "identity:update_domain_config": "rule:admin",
+ "identity:delete_domain_config": "rule:admin",
+ "identity:get_domain_config_default": "rule:admin"
}