From fa10d4945ca9658eff02b1d8e917fde50d6576ce Mon Sep 17 00:00:00 2001 From: Henry Nash Date: Fri, 21 Jun 2013 22:50:40 +0100 Subject: Implement GET /role_assignment API call Add support for the GET /role_assignment call as a first step to making role_assignment a first class entity. This patch also enables v3 collection filtering to match against attributes of entities being returned in the list, using the same dot notation (e.g. user.id) that we already support for policy file checking against filters. Limitations: - The current implementation uses the standard v3 collections wrapper mechanism for filtering. Given the potential numbers of role assignments in a large system, this may have performance and resource impacts. A future improvement would pass the filters into the driver layer to keep the internal assignment processing to a minimum. - The LDAP backend is not currently supported Implements bp get-role-assignments Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c --- etc/policy.json | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/policy.json b/etc/policy.json index 4aad4e8c..2c82f994 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -66,6 +66,8 @@ "identity:create_grant": [["rule:admin_required"]], "identity:revoke_grant": [["rule:admin_required"]], + "identity:list_role_assignments": [["rule:admin_required"]], + "identity:get_policy": [["rule:admin_required"]], "identity:list_policies": [["rule:admin_required"]], "identity:create_policy": [["rule:admin_required"]], -- cgit