authorAdam Young <ayoung@redhat.com>2013-02-26 14:54:32 -0500
committerGerrit Code Review <review@openstack.org>2013-03-05 19:35:38 +0000
commit601eeb50b60a2e99041690fe19238202bc203503 (patch)
treef1be4ab425ba9150b61c1e1c6c5bd1a67f180021 /etc
parentab6e5529513af656db512b888fed9b320391afbd (diff)
Trusts
Blueprint trusts creates a trust. Using a trust, one user (the trustee) can then create tokens with a subset of another user's (the trustor) roles and projects. If the impersonate flag in the trust is set, the token user_id is set to the trustor's user ID. If the impersonate flag is not set, the token's user_id is set to the trustee's user ID. Check that both trustor and trustee are enabled prior to creating the trust token. sql and kvs backends; sql upgrade scripts; unit tests for backends, auth and v3 api; modifications to the trust controller for creating tokens. Authenticates that only the user can be the trustor in create. Deleting a trust invalidates all tokens created from that trust. Adds the trust id and the id of the trustee to the header of the token. Policy rules for trust. This version has a workaround for testing against the KVS version of the Service catalog. Change-Id: I5745f4d9a4180b59671a143a55ed87019e98ec76
Diffstat (limited to 'etc')
-rw-r--r--etc/policy.json20
1 files changed, 17 insertions, 3 deletions
diff --git a/etc/policy.json b/etc/policy.json
index a0e77fc2..89365e5e 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,5 +1,9 @@
{
"admin_required": [["role:admin"], ["is_admin:1"]],
+ "owner" : [["user_id:%(user_id)s"]],
+ "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
+
+ "default": [["rule:admin_required"]],
"identity:get_service": [["rule:admin_required"]],
"identity:list_services": [["rule:admin_required"]],
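Review bot: The added `"owner" : [["user_id:%(user_id)s"]]` line has a space before the colon, unlike every other key in this file; `"owner": [["user_id:%(user_id)s"]],` keeps the style uniform. The rule also only grants access when the check target actually carries a `user_id` key for the caller's id to be compared against, so each `rule:owner` use needs a target that supplies one; the `create_project` change in the second hunk is where this matters.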
@@ -21,8 +25,9 @@
"identity:get_project": [["rule:admin_required"]],
"identity:list_projects": [["rule:admin_required"]],
- "identity:list_user_projects": [["rule:admin_required"], ["user_id:%(user_id)s"]],
- "identity:create_project": [["rule:admin_required"]],
+ "identity:list_user_projects": [["rule:admin_required"],
+ ["user_id:%(user_id)s"]],
+ "identity:create_project": [["rule:admin_or_owner"]],
"identity:update_project": [["rule:admin_required"]],
"identity:delete_project": [["rule:admin_required"]],
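Review bot: `identity:create_project` is loosened from `rule:admin_required` to `rule:admin_or_owner`, which is not a trust-related change and is not mentioned in the commit message. Whether the owner branch grants anything depends on the target the controller passes for project creation containing a `user_id` to compare: if it does not, the branch is dead, and if it is populated from the request body, the caller controls the value it is matched against. Unless that target is known to carry the authenticated caller's id, keep `"identity:create_project": [["rule:admin_required"]],` and move the widening to its own change with a rationale.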
@@ -68,5 +73,14 @@
"identity:check_token": [["rule:admin_required"]],
"identity:validate_token": [["rule:admin_required"]],
"identity:revocation_list": [["rule:admin_required"]],
- "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]]
+ "identity:revoke_token": [["rule:admin_required"],
+ ["user_id:%(user_id)s"]],
+
+ "identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
+ "identity:get_trust": [["rule:admin_or_owner"]],
+ "identity:list_trusts": [["@"]],
+ "identity:list_roles_for_trust": [["@"]],
+ "identity:check_role_for_trust": [["@"]],
+ "identity:get_role_for_trust": [["@"]],
+ "identity:delete_trust": [["@"]]
}
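Review bot: `identity:delete_trust`, `identity:list_trusts` and the three `*_role_for_trust` rules are set to `[["@"]]`, which in this policy language is the unconditional allow, so any authenticated caller passes the policy check for deleting or listing any trust unless the controller enforces ownership on its own. Since the commit message states that deleting a trust invalidates every token issued from it, the open `delete_trust` rule lets one user revoke another user's trust-scoped tokens at the policy layer. Restrict it to the admin or the trustor, e.g. `"identity:delete_trust": [["rule:admin_required"], ["user_id:%(trust.trustor_user_id)s"]]`, and either scope the list/role reads to the trustor or trustee in the controller or tighten them to `rule:admin_required` until that filtering exists. `get_trust` uses `rule:admin_or_owner`, whose owner check compares against a `user_id` target key; confirm the trust target supplies that key, or reference the trustor/trustee id fields explicitly as `create_trust` already does.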