From ab91ff350034a186fe7f1400c2ffece96efaeacf Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Mon, 5 Jun 2017 15:35:25 -0400
Subject: Created branch 'original' with unmodified policies

Change-Id: Ia0b0ae2786caabf70b16020bfdfe26c4b02fa0ea
---
 etc/keystone/policy.json | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
(limited to 'etc/keystone')
diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json
index f0177fa..1e37bef 100644
--- a/etc/keystone/policy.json
+++ b/etc/keystone/policy.json
@@ -1,5 +1,4 @@
 {
- "deny_readonly": "not role:readonly",
 "admin_required": "role:admin or is_admin:1",
 "service_role": "role:service",
 "service_or_admin": "rule:admin_required or rule:service_role",
@@ -37,21 +36,21 @@
 "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
 "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:list_user_projects": "rule:admin_or_owner",
 "identity:create_project": "rule:admin_required",
 "identity:update_project": "rule:admin_required",
 "identity:delete_project": "rule:admin_required",
- "identity:get_user": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:get_user": "rule:admin_or_owner",
 "identity:list_users": "rule:admin_required",
 "identity:create_user": "rule:admin_required",
 "identity:update_user": "rule:admin_required",
 "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:change_password": "rule:admin_or_owner",
 "identity:get_group": "rule:admin_required",
 "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:list_groups_for_user": "rule:admin_or_owner",
 "identity:create_group": "rule:admin_required",
 "identity:update_group": "rule:admin_required",
 "identity:delete_group": "rule:admin_required",
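Review bot: Dropping `and rule:deny_readonly` from `identity:change_password` means a caller who holds the `readonly` role and matches `rule:admin_or_owner` passes the policy check for a state-changing call again, and the same applies to `identity:ec2_create_credential` in the next hunk. The other rules touched here and there (`list_user_projects`, `get_user`, `list_groups_for_user`, `ec2_list_credentials`) are reads. The commit message says only "unmodified policies", and policy.json cannot carry comments, so the description is the place to record the effect, for example `Drops rule:deny_readonly from 7 identity rules; not for deployments that assign the readonly role.` Whether any deployment actually assigns that role is not visible from this patch.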
@@ -67,8 +66,8 @@
 "identity:delete_credential": "rule:admin_required",
 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner and rule:deny_readonly",
- "identity:ec2_create_credential": "rule:admin_or_owner and rule:deny_readonly",
+ "identity:ec2_list_credentials": "rule:admin_or_owner",
+ "identity:ec2_create_credential": "rule:admin_or_owner",
 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:get_role": "rule:admin_required",
@@ -113,7 +112,7 @@
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
 "identity:get_role_for_trust": "",
- "identity:delete_trust": "rule:deny_readonly",
+ "identity:delete_trust": "",
 "identity:create_consumer": "rule:admin_required",
 "identity:get_consumer": "rule:admin_required",
-- cgit
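Review bot: `"identity:delete_trust": ""` in the last hunk is an empty rule, which oslo.policy evaluates as always allowed, so the policy file no longer restricts who may delete a trust; the removed value at least excluded `readonly` callers. Any check that the caller is the trustor or an admin would have to live in service code that this patch does not show, and that should be confirmed before this branch is used as a baseline. Because the file cannot hold comments, the dependency is worth one line in the commit description once confirmed, e.g. `delete_trust is unrestricted at the policy layer; ownership is checked in code.`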