author | Dolph Mathews <dolph.mathews@gmail.com> | 2012-05-02 08:23:40 -0500 |
---|---|---|
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-05-03 09:46:00 -0500 |
commit | 422aeba0b4fbfc22a251cf86e553598ff1179046 (patch) | |
tree | 385718908e20879c527f9264426b651218fb91fa /README.rst | |
parent | b9311480dd758ef6c736f116ffbf2ddcd9c00fd0 (diff) | |
Removed SimpleMatch 'shim'; updated readme
Change-Id: I34fcc8d7233e58024c4e173867f8f41f9d2b9f4c
Diffstat (limited to 'README.rst')
-rw-r--r-- | README.rst | 15 |
1 files changed, 6 insertions, 9 deletions
@@ -172,8 +172,8 @@ of checks and will possibly write completely custom backends. Backends included in Keystone are: -Simple Match ------------- +Rules +----- Given a list of matches to check for, simply verify that the credentials contain the matches. For example:: @@ -181,16 +181,13 @@ contain the matches. For example:: credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']} # An admin only call: - policy_api.can_haz(('is_admin:1',), credentials) + policy_api.enforce(('is_admin:1',), credentials) # An admin or owner call: - policy_api.can_haz(('is_admin:1', 'user_id:foo'), - credentials) + policy_api.enforce(('is_admin:1', 'user_id:foo'), credentials) # A netadmin call: - policy_api.can_haz(('roles:nova:netadmin',), - credentials) - + policy_api.enforce(('roles:nova:netadmin',), credentials) Credentials are generally built from the user metadata in the 'extras' part of the Identity API. So, adding a 'role' to the user just means adding the role @@ -210,7 +207,7 @@ to which capabilities are allowed for that role. For example:: # add a policy policy_api.add_policy('action:nova:add_network', ('roles:nova:netadmin',)) - policy_api.can_haz(('action:nova:add_network',), credentials) + policy_api.enforce(('action:nova:add_network',), credentials) In the backend this would look up the policy for 'action:nova:add_network' and |
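Review bot: In the first hunk (@@ -172,8 +172,8 @@) the heading changes to "Rules", but the paragraph under it, "Given a list of matches to check for, simply verify that the credentials contain the matches", is unchanged context and still reads as the Simple Match description. Either reword that sentence to say what the Rules backend evaluates, or state explicitly that the matching semantics are the same, so the renamed section is not documented by its predecessor's text.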
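Review bot: In the second hunk (@@ -181,16 +181,13 @@) the examples switch from can_haz to enforce without saying how a failed check is reported. can_haz reads as a predicate, while enforce suggests the call rejects the request itself; the README should state whether enforce returns a boolean or raises, because a caller that ignores a boolean result lets the request through. The "An admin or owner call" example also needs a sentence saying the tuple entries are alternatives, since "verify that the credentials contain the matches" can be read as requiring all of them.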
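Review bot: In the third hunk (@@ -210,7 +207,7 @@) enforce is only shown for an action that was just registered with add_policy, and the sentence after it says the backend looks up the policy for 'action:nova:add_network' without saying what happens when no policy exists for that name. Add a line stating the result for an unregistered action (deny is the safe default). Also confirm that add_policy, left here as unchanged context, is still part of the API after the shim removal named in the commit message.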