author | termie <github@anarkystic.com> | 2011-11-17 11:40:52 -0800 |
---|---|---|
committer | termie <github@anarkystic.com> | 2011-11-17 11:40:52 -0800 |
commit | 63943c98c6ed74d42398bda38b4ddfbc3ddd4283 (patch) | |
tree | ebf5f0606973e7e999b43a20bcfcc356e1450ed5 /README.rst | |
parent | d820917da0d57fe18bb7ab85b1bf8129d25c2208 (diff) | |
download | keystone-63943c98c6ed74d42398bda38b4ddfbc3ddd4283.tar.gz keystone-63943c98c6ed74d42398bda38b4ddfbc3ddd4283.tar.xz keystone-63943c98c6ed74d42398bda38b4ddfbc3ddd4283.zip |
describe and add a policy backend
Diffstat (limited to 'README.rst')
-rw-r--r-- | README.rst | 45 |
1 files changed, 45 insertions, 0 deletions
@@ -102,6 +102,51 @@ CRUD is treated as an extension or additional feature to the core feature set in that it is not required that a backend support it. +---------------------------------- +Approach to Authorization (Policy) +---------------------------------- + +Various components in the system require that different actions are allowed +based on whether the user is authorized to perform that action. + +For the purposes of Keystone Light there are only a couple levels of +authorization being checked for: + + * Require that the performing user is considered an admin. + * Require that the performing user matches the user being referenced. + +Other systems wishing to use the policy engine will require additional styles +of checks and will possibly write completely custom backends. Backends included +in Keystone Light are: + + +Trivial True +------------ + +Allows all actions. + + +Simple Match +------------ + +Given a list of matches to check for, simply verify that the credentials +contain the matches. For example: + + credentials = {'user_id': 'foo', 'is_admin': 1, 'roles': ['nova:netadmin']} + + # An admin only call: + policy_api.can_haz(('is_admin:1',), credentials) + + # An admin or owner call: + policy_api.can_haz(('is_admin:1', 'user_id:foo'), + credentials) + + # A netadmin call: + policy_api.can_haz(('roles:nova:netadmin',), + credentials) + + + ----------- Still To Do ----------- |
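Review bot: The Simple Match section leaves the combination semantics of the match tuple ambiguous. "simply verify that the credentials contain the matches" reads as if every match must be present, but the "An admin or owner call" example `policy_api.can_haz(('is_admin:1', 'user_id:foo'), credentials)` only makes sense if any one match suffices; please state explicitly whether a call passes when at least one entry of the tuple matches or only when all of them do, since a reader who assumes the wrong rule will write policies that are looser or stricter than intended. Two smaller points in the same section: the `'roles:nova:netadmin'` entry implies that a match string is split on the first colon only (the value itself contains a colon), which should be spelled out next to the format description; and `'is_admin:1'` is matched against the integer `1` in the credentials dict, so say whether values are compared as strings or by type. For Trivial True, which "Allows all actions", a sentence saying it is intended for development or testing rather than as a deployed default would keep operators from shipping it unintentionally.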