From 3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6 Mon Sep 17 00:00:00 2001
From: Joe Gordon
Date: Fri, 8 Mar 2013 15:34:25 -0800
Subject: Move auth_token middleware from admin user to an RBAC policy

Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed. The revocation_list and validate_token commands use an policy.json rule, to only allow these commands if you are in have the service role. Rule used: "service_role": [["role:service"]], "service_or_admin": [["rule:admin_required"], ["rule:service_role"]], Added the policy wrapper on the validate functions.
Fixes bug 1153789
Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
---
 etc/policy.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/policy.json b/etc/policy.json
index f53161ef..fcad7a93 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,5 +1,7 @@
 {
 "admin_required": [["role:admin"], ["is_admin:1"]],
+ "service_role": [["role:service"]],
+ "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
 "owner" : [["user_id:%(user_id)s"]],
 "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
@@ -71,8 +73,9 @@
 "identity:delete_policy": [["rule:admin_required"]],
 "identity:check_token": [["rule:admin_required"]],
- "identity:validate_token": [["rule:admin_required"]],
- "identity:revocation_list": [["rule:admin_required"]],
+ "identity:validate_token": [["rule:service_or_admin"]],
+ "identity:validate_token_head": [["rule:service_or_admin"]],
+ "identity:revocation_list": [["rule:service_or_admin"]],
 "identity:revoke_token": [["rule:admin_required"], ["user_id:%(user_id)s"]],
-- 
cgit
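Review bot: The new `service_role` rule, `"service_role": [["role:service"]]`, matches any token carrying the `service` role with no further constraint, so after the second hunk every principal granted that role in any project can validate arbitrary tokens and read the revocation list (`identity:validate_token`, `identity:validate_token_head`, `identity:revocation_list`); that is the intended grant for auth_token middleware, but it makes `service` an effectively privileged role that must be handed only to service accounts, and the deployment documentation should say so since policy.json cannot carry a comment. The commit message does not mention `identity:validate_token_head`, which is introduced here on `service_or_admin` while `identity:check_token` stays on `admin_required`; if these are the HEAD and GET forms of the same operation, the asymmetry looks accidental and should be confirmed or documented. The `service_or_admin` rule itself correctly reuses `rule:admin_required` rather than repeating the admin match, so admin semantics stay in one place.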