author | Sean Pryor <spryor@redhat.com> | 2017-11-17 17:09:37 -0500 |
---|---|---|
committer | Sean Pryor <spryor@redhat.com> | 2017-11-17 17:09:37 -0500 |
commit | 3c70bb60c1c30fbb4fce5ae4f9b87d1d6ff65593 (patch) | |
tree | 2845d5282af8c852acb8c4842a396f5867288004 /etc/zaqar/policy.json | |
parent | cd1216c05a44a7819ee60c73ebd71899df7fbaf4 (diff) | |
Untested drafts of modifications to all other policies
Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246
Diffstat (limited to 'etc/zaqar/policy.json')
-rw-r--r-- | etc/zaqar/policy.json | 93 |
1 files changed, 50 insertions, 43 deletions
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index 89d5076..1a6c49e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,46 +1,53 @@
 {
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
 "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "queues:get_all": "",
- "queues:create": "",
- "queues:get": "",
- "queues:delete": "",
- "queues:update": "",
- "queues:stats": "",
-
- "messages:get_all": "",
- "messages:create": "",
- "messages:get": "",
- "messages:delete": "",
- "messages:delete_all": "",
-
- "claims:get_all": "",
- "claims:create": "",
- "claims:get": "",
- "claims:delete": "",
- "claims:update": "",
-
- "subscription:get_all": "",
- "subscription:create": "",
- "subscription:get": "",
- "subscription:delete": "",
- "subscription:update": "",
- "subscription:confirm": "",
-
- "pools:get_all": "rule:context_is_admin",
- "pools:create": "rule:context_is_admin",
- "pools:get": "rule:context_is_admin",
- "pools:delete": "rule:context_is_admin",
- "pools:update": "rule:context_is_admin",
-
- "flavors:get_all": "",
- "flavors:create": "rule:context_is_admin",
- "flavors:get": "",
- "flavors:delete": "rule:context_is_admin",
- "flavors:update": "rule:context_is_admin",
-
- "ping:get": "",
- "health:get": "rule:context_is_admin"
+
+ "default": "rule:admin or rule:member",
+
+ "queues:get_all": "rule:admin or rule:member",
+ "queues:create": "rule:admin or rule:member",
+ "queues:get": "rule:admin or rule:member",
+ "queues:delete": "rule:admin or rule:member",
+ "queues:update": "rule:admin or rule:member",
+ "queues:stats": "rule:admin or rule:member",
+
+ "messages:get_all": "rule:admin or rule:member",
+ "messages:create": "rule:admin or rule:member",
+ "messages:get": "rule:admin or rule:member",
+ "messages:delete": "rule:admin or rule:member",
+ "messages:delete_all": "rule:admin or rule:member",
+
+ "claims:get_all": "rule:admin or rule:member",
+ "claims:create": "rule:admin or rule:member",
+ "claims:get": "rule:admin or rule:member",
+ "claims:delete": "rule:admin or rule:member",
+ "claims:update": "rule:admin or rule:member",
+
+ "subscription:get_all": "rule:admin or rule:member",
+ "subscription:create": "rule:admin or rule:member",
+ "subscription:get": "rule:admin or rule:member",
+ "subscription:delete": "rule:admin or rule:member",
+ "subscription:update": "rule:admin or rule:member",
+ "subscription:confirm": "rule:admin or rule:member",
+
+ "pools:get_all": "rule:admin or rule:member",
+ "pools:create": "rule:admin or rule:member",
+ "pools:get": "rule:admin or rule:member",
+ "pools:delete": "rule:admin or rule:member",
+ "pools:update": "rule:admin or rule:member",
+
+ "flavors:get_all": "rule:admin or rule:member",
+ "flavors:create": "rule:admin or rule:member",
+ "flavors:get": "rule:admin or rule:member",
+ "flavors:delete": "rule:admin or rule:member",
+ "flavors:update": "rule:admin or rule:member",
+
+ "ping:get": "rule:admin or rule:member",
+ "health:get": "rule:admin or rule:member"
 }
|
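Review bot: The five `pools:*` entries, `flavors:create`, `flavors:delete`, `flavors:update` and `health:get` now read `rule:admin or rule:member`, whereas the removed lines restricted every one of them to `rule:context_is_admin`; as written, any user who holds the member role in a project passes the check for creating, changing or deleting pools and flavors. Unless that widening is intended, keep these admin-only, e.g. `"pools:create": "rule:admin"`, and likewise for the rest of that group. The new `global_readonly`, `readonly` and `owner` rules are defined but no action in this file references them, so a read-only role is granted nothing here; the `*:get`, `*:get_all` and `queues:stats` entries look like the place where `or rule:readonly` was meant to appear. Since the commit describes itself as untested, a policy test asserting that a member-role context is denied on `pools:create` and `flavors:delete` would pin the intended boundary.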