summaryrefslogtreecommitdiffstats
path: root/etc/keystone/policy.json
diff options
context:
space:
mode:
Diffstat (limited to 'etc/keystone/policy.json')
-rw-r--r--etc/keystone/policy.json12
1 files changed, 6 insertions, 6 deletions
diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json
index 77b4c17..f0177fa 100644
--- a/etc/keystone/policy.json
+++ b/etc/keystone/policy.json
@@ -37,21 +37,21 @@
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
+ "identity:list_user_projects": "rule:admin_or_owner and rule:deny_readonly",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
- "identity:get_user": "rule:admin_or_owner",
+ "identity:get_user": "rule:admin_or_owner and rule:deny_readonly",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
+ "identity:change_password": "rule:admin_or_owner and rule:deny_readonly",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
+ "identity:list_groups_for_user": "rule:admin_or_owner and rule:deny_readonly",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
@@ -67,8 +67,8 @@
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
+ "identity:ec2_list_credentials": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:ec2_create_credential": "rule:admin_or_owner and rule:deny_readonly",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
generated by cgit (git 2.34.1) at 2024-04-25 07:14:21 +0000