path: root/etc/policy.json
author    Joe Gordon <jogo@cloudscaling.com>  2013-03-08 15:34:25 -0800
committer Joe Gordon <jogo@cloudscaling.com>  2013-05-16 18:45:52 +0000
commit    3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6 (patch)
tree      4ba4f702a1a454c7d921450041377fa3755d143b /etc/policy.json
parent    96a816f50d2ab9fdf88af4489d51f24188a555a4 (diff)
Move auth_token middleware from admin user to an RBAC policy
Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed.

The revocation_list and validate_token commands use a policy.json rule, to only allow these commands if you have the service role.

Rule used:

    "service_role": [["role:service"]],
    "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],

Added the policy wrapper on the validate functions.

Fixes bug 1153789

Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
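The commit message describes the rule as an OR of ANDs: `service_or_admin` passes when either `admin_required` or `service_role` passes. The following is an added example, not Keystone's policy engine, of a small evaluator for that list-of-lists format so the effect of the change can be checked offline. The semantics it assumes (outer list = OR, inner list = AND, `kind:value` checks for `role`, `is_admin`, `rule` and plain credential attributes, with `%(key)s` expanded from the target object) are inferred from the rules on this page, and the policy excerpt is constructed from the lines shown in the patch.

```python
"""Added example: evaluator for the list-of-lists rule format of policy.json.
Not Keystone's own policy engine; semantics assumed from the rules on the page."""
import json

# Constructed excerpt mirroring the rules added and changed in this patch.
POLICY = json.loads("""
{
  "admin_required": [["role:admin"], ["is_admin:1"]],
  "service_role": [["role:service"]],
  "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
  "identity:delete_policy": [["rule:admin_required"]],
  "identity:validate_token": [["rule:service_or_admin"]],
  "identity:validate_token_head": [["rule:service_or_admin"]],
  "identity:revocation_list": [["rule:service_or_admin"]],
  "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]]
}
""")

MAX_DEPTH = 16  # guard against a rule that references itself, directly or via another rule


def _check(check, creds, target, policy, depth):
    """Evaluate one "kind:value" check against the caller's credentials."""
    kind, _, value = check.partition(":")
    try:
        value = value % target  # expand %(user_id)s and friends from the target object
    except KeyError:
        return False  # target lacks the attribute the rule needs: fail closed
    if kind == "rule":
        return enforce(value, creds, target, policy, depth + 1)
    if kind == "role":
        # note: a bare role-name match, no project/tenant scoping
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return bool(creds.get("is_admin", False)) == (value == "1")
    # any other kind is compared against the credential attribute of that name
    return kind in creds and str(creds[kind]) == value


def enforce(rule, creds, target=None, policy=POLICY, depth=0):
    """True if creds satisfy `rule`: some alternative whose checks all pass."""
    if depth > MAX_DEPTH:
        raise RecursionError("policy rule nesting too deep: %s" % rule)
    alternatives = policy.get(rule)
    if alternatives is None:
        return False  # unknown target: deny rather than silently allow
    target = target or {}
    return any(all(_check(c, creds, target, policy, depth) for c in alt)
               for alt in alternatives)


if __name__ == "__main__":
    # A non-admin token whose only role is "service" (constructed credentials).
    service = {"roles": ["service"], "user_id": "svc-user"}
    for name in ("identity:validate_token", "identity:revocation_list",
                 "identity:delete_policy"):
        print("%-28s service token -> %s" % (name, enforce(name, service)))
```

Run as a script it shows the intent of the patch: the service-role token is allowed for `identity:validate_token` and `identity:revocation_list` but still denied for `identity:delete_policy`, which stays on `admin_required`. Unknown targets and missing target attributes both evaluate to deny.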
Diffstat (limited to 'etc/policy.json')

-rw-r--r--  etc/policy.json  7

1 files changed, 5 insertions, 2 deletions
diff --git a/etc/policy.json b/etc/policy.json
index f53161ef..fcad7a93 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,5 +1,7 @@
{
"admin_required": [["role:admin"], ["is_admin:1"]],
+ "service_role": [["role:service"]],
+ "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
"owner" : [["user_id:%(user_id)s"]],
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
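Review bot: the added `service_role` rule matches on the bare role name `service` with no scope check, so any token carrying a role literally named `service`, in any tenant, satisfies `service_or_admin`; neither this hunk nor the commit message documents that the operator must create that role and assign it only to service accounts. Suggest stating the expected role name and its intended audience, either in the commit message or alongside the rule, so deployers auditing their policy file know what `role:service` is meant to cover.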
@@ -71,8 +73,9 @@
"identity:delete_policy": [["rule:admin_required"]],
"identity:check_token": [["rule:admin_required"]],
- "identity:validate_token": [["rule:admin_required"]],
- "identity:revocation_list": [["rule:admin_required"]],
+ "identity:validate_token": [["rule:service_or_admin"]],
+ "identity:validate_token_head": [["rule:service_or_admin"]],
+ "identity:revocation_list": [["rule:service_or_admin"]],
"identity:revoke_token": [["rule:admin_required"],
["user_id:%(user_id)s"]],
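Review bot: the new `identity:validate_token_head` target is not mentioned in the commit message, which names only validate_token and revocation_list; add it so the relaxed rule for the HEAD variant is documented. In the same hunk the unchanged context line keeps `identity:check_token` on `rule:admin_required` while `validate_token_head` moves to `service_or_admin`; if check_token is the equivalent HEAD operation for another API version, say so and either align it or state why the asymmetry is intended. Since a policy target only takes effect where the enforcement wrapper is applied, the change should land with a test showing that a non-admin token holding the `service` role is accepted for `identity:validate_token` and still rejected for a target left on `rule:admin_required`, such as `identity:delete_policy`.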