Diffstat (limited to 'etc/keystone/policy.json')
-rw-r--r-- | etc/keystone/policy.json | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json
index 77b4c17..f0177fa 100644
--- a/etc/keystone/policy.json
+++ b/etc/keystone/policy.json
@@ -37,21 +37,21 @@
 "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
 "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
+ "identity:list_user_projects": "rule:admin_or_owner and rule:deny_readonly",
 "identity:create_project": "rule:admin_required",
 "identity:update_project": "rule:admin_required",
 "identity:delete_project": "rule:admin_required",
- "identity:get_user": "rule:admin_or_owner",
+ "identity:get_user": "rule:admin_or_owner and rule:deny_readonly",
 "identity:list_users": "rule:admin_required",
 "identity:create_user": "rule:admin_required",
 "identity:update_user": "rule:admin_required",
 "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
+ "identity:change_password": "rule:admin_or_owner and rule:deny_readonly",
 "identity:get_group": "rule:admin_required",
 "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
+ "identity:list_groups_for_user": "rule:admin_or_owner and rule:deny_readonly",
 "identity:create_group": "rule:admin_required",
 "identity:update_group": "rule:admin_required",
 "identity:delete_group": "rule:admin_required",
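Review bot: Every added line here depends on a `deny_readonly` rule whose definition is not in this hunk (the rule aliases live at the top of the file, outside the view), and keystone's policy engine fails closed on a `rule:` reference it cannot resolve, so if that alias is missing or misspelled all four of these targets become deny-all, including for admins. Note also that the new conjunct wraps the whole of `rule:admin_or_owner`, so an admin principal that also satisfies the read-only condition is denied `identity:get_user` and `identity:change_password`; if only the owner path is meant to be restricted, the intent would be `"rule:admin_required or (rule:owner and rule:deny_readonly)"`. Denying `identity:change_password` to a read-only user also means such a user cannot rotate their own password without an admin, which is worth a short comment in the commit message if it is deliberate. The surrounding object continues outside the hunk.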
@@ -67,8 +67,8 @@
 "identity:delete_credential": "rule:admin_required",
 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
+ "identity:ec2_list_credentials": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:ec2_create_credential": "rule:admin_or_owner and rule:deny_readonly",
 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:get_role": "rule:admin_required", |
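Review bot: The `deny_readonly` restriction is applied to `ec2_list_credentials` and `ec2_create_credential` but not to the adjacent `ec2_delete_credential` and `ec2_get_credential` context lines, whose owner path still has no such conjunct; a read-only principal that can no longer list or create EC2 credentials can therefore still fetch an existing one by id and delete it, and deletion is at least as sensitive as creation. For consistency the owner branch of the delete rule should carry the same guard, e.g. `"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s and rule:deny_readonly)"`, and `ec2_get_credential` the same if the list restriction is meant to cover reads. As in the first hunk, `deny_readonly` is defined outside this view, so its existence should be confirmed before relying on it. The surrounding object continues outside the hunk.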