root@os1-keystone-container-4044b189:/# cat /etc/keystone/policy.json | |
{ | |
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s", | |
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s", | |
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s", | |
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", | |
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s", | |
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", | |
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", | |
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", | |
"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s", | |
"admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s", | |
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s", | |
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", | |
"admin_required": "role:admin", | |
"cloud_admin": "role:admin and (is_admin_project:True or domain_id:default)", | |
"default": "rule:admin_required", | |
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match", | |
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match", | |
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants", | |
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match", | |
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s", | |
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s", | |
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s", | |
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s", | |
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role", | |
"identity:add_endpoint_group_to_project": "rule:admin_required", | |
"identity:add_endpoint_to_project": "rule:admin_required", | |
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:authorize_request_token": "rule:admin_required", | |
"identity:check_endpoint_in_project": "rule:admin_required", | |
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", | |
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", | |
"identity:check_policy_association_for_endpoint": "rule:cloud_admin", | |
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin", | |
"identity:check_policy_association_for_service": "rule:cloud_admin", | |
"identity:check_system_grant_for_group": "rule:admin_required", | |
"identity:check_system_grant_for_user": "rule:admin_required", | |
"identity:check_token": "rule:admin_or_owner or rule:token_subject", | |
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:create_application_credential": "rule:admin_or_owner", | |
"identity:create_consumer": "rule:admin_required", | |
"identity:create_domain": "rule:cloud_admin", | |
"identity:create_domain_config": "rule:cloud_admin", | |
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role", | |
"identity:create_endpoint": "rule:cloud_admin", | |
"identity:create_endpoint_group": "rule:admin_required", | |
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", | |
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id", | |
"identity:create_identity_provider": "rule:cloud_admin", | |
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)", | |
"identity:create_limits": "rule:admin_required", | |
"identity:create_mapping": "rule:cloud_admin", | |
"identity:create_policy": "rule:cloud_admin", | |
"identity:create_policy_association_for_endpoint": "rule:cloud_admin", | |
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin", | |
"identity:create_policy_association_for_service": "rule:cloud_admin", | |
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", | |
"identity:create_project_tag": "rule:admin_required", | |
"identity:create_protocol": "rule:cloud_admin", | |
"identity:create_region": "rule:cloud_admin", | |
"identity:create_registered_limits": "rule:admin_required", | |
"identity:create_role": "rule:cloud_admin", | |
"identity:create_service": "rule:cloud_admin", | |
"identity:create_service_provider": "rule:cloud_admin", | |
"identity:create_system_grant_for_group": "rule:admin_required", | |
"identity:create_system_grant_for_user": "rule:admin_required", | |
"identity:create_trust": "user_id:%(trust.trustor_user_id)s", | |
"identity:create_user": "rule:cloud_admin", | |
"identity:delete_access_token": "rule:admin_required", | |
"identity:delete_application_credential": "rule:admin_or_owner", | |
"identity:delete_consumer": "rule:admin_required", | |
"identity:delete_domain": "rule:cloud_admin", | |
"identity:delete_domain_config": "rule:cloud_admin", | |
"identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", | |
"identity:delete_endpoint": "rule:cloud_admin", | |
"identity:delete_endpoint_group": "rule:admin_required", | |
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:delete_identity_provider": "rule:cloud_admin", | |
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", | |
"identity:delete_limit": "rule:admin_required", | |
"identity:delete_mapping": "rule:cloud_admin", | |
"identity:delete_policy": "rule:cloud_admin", | |
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin", | |
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin", | |
"identity:delete_policy_association_for_service": "rule:cloud_admin", | |
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", | |
"identity:delete_project_tag": "rule:admin_required", | |
"identity:delete_project_tags": "rule:admin_required", | |
"identity:delete_protocol": "rule:cloud_admin", | |
"identity:delete_region": "rule:cloud_admin", | |
"identity:delete_registered_limit": "rule:admin_required", | |
"identity:delete_role": "rule:cloud_admin", | |
"identity:delete_service": "rule:cloud_admin", | |
"identity:delete_service_provider": "rule:cloud_admin", | |
"identity:delete_trust": "", | |
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", | |
"identity:ec2_create_credential": "rule:admin_required or rule:owner", | |
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", | |
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", | |
"identity:ec2_list_credentials": "rule:admin_required or rule:owner", | |
"identity:get_access_token": "rule:admin_required", | |
"identity:get_access_token_role": "rule:admin_required", | |
"identity:get_application_credential": "rule:admin_or_owner", | |
"identity:get_auth_catalog": "", | |
"identity:get_auth_domains": "", | |
"identity:get_auth_projects": "", | |
"identity:get_auth_system": "", | |
"identity:get_consumer": "rule:admin_required", | |
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s", | |
"identity:get_domain_config": "rule:cloud_admin", | |
"identity:get_domain_config_default": "rule:cloud_admin", | |
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", | |
"identity:get_endpoint": "rule:admin_required", | |
"identity:get_endpoint_group": "rule:admin_required", | |
"identity:get_endpoint_group_in_project": "rule:admin_required", | |
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:get_identity_provider": "rule:cloud_admin", | |
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", | |
"identity:get_limit": "", | |
"identity:get_limit_model": "", | |
"identity:get_mapping": "rule:cloud_admin", | |
"identity:get_policy": "rule:cloud_admin", | |
"identity:get_policy_for_endpoint": "rule:cloud_admin", | |
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s", | |
"identity:get_project_tag": "rule:admin_required", | |
"identity:get_protocol": "rule:cloud_admin", | |
"identity:get_region": "", | |
"identity:get_registered_limit": "", | |
"identity:get_role": "rule:admin_required", | |
"identity:get_role_for_trust": "", | |
"identity:get_security_compliance_domain_config": "", | |
"identity:get_service": "rule:admin_required", | |
"identity:get_service_provider": "rule:cloud_admin", | |
"identity:get_trust": "", | |
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner", | |
"identity:list_access_token_roles": "rule:admin_required", | |
"identity:list_access_tokens": "rule:admin_required", | |
"identity:list_application_credentials": "rule:admin_or_owner", | |
"identity:list_consumers": "rule:admin_required", | |
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", | |
"identity:list_domains": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s", | |
"identity:list_domains_for_user": "", | |
"identity:list_endpoint_groups": "rule:admin_required", | |
"identity:list_endpoint_groups_for_project": "rule:admin_required", | |
"identity:list_endpoints": "rule:admin_required", | |
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", | |
"identity:list_endpoints_for_policy": "rule:cloud_admin", | |
"identity:list_endpoints_for_project": "rule:admin_required", | |
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants", | |
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id", | |
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id", | |
"identity:list_identity_providers": "rule:cloud_admin", | |
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", | |
"identity:list_limits": "", | |
"identity:list_mappings": "rule:cloud_admin", | |
"identity:list_policies": "rule:cloud_admin", | |
"identity:list_project_tags": "rule:admin_required", | |
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id", | |
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required", | |
"identity:list_projects_for_endpoint": "rule:admin_required", | |
"identity:list_projects_for_user": "", | |
"identity:list_protocols": "rule:cloud_admin", | |
"identity:list_regions": "", | |
"identity:list_registered_limits": "", | |
"identity:list_revoke_events": "rule:admin_required", | |
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter", | |
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", | |
"identity:list_role_inference_rules": "rule:cloud_admin", | |
"identity:list_roles": "rule:admin_required", | |
"identity:list_roles_for_trust": "", | |
"identity:list_service_providers": "rule:cloud_admin", | |
"identity:list_services": "rule:admin_required", | |
"identity:list_system_grants_for_group": "rule:admin_required", | |
"identity:list_system_grants_for_user": "rule:admin_required", | |
"identity:list_trusts": "", | |
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id", | |
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id", | |
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:remove_endpoint_from_project": "rule:admin_required", | |
"identity:remove_endpoint_group_from_project": "rule:admin_required", | |
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:revocation_list": "rule:admin_required", | |
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", | |
"identity:revoke_system_grant_for_group": "rule:admin_required", | |
"identity:revoke_system_grant_for_user": "rule:admin_required", | |
"identity:revoke_token": "rule:admin_or_owner", | |
"identity:update_consumer": "rule:admin_required", | |
"identity:update_domain": "rule:cloud_admin", | |
"identity:update_domain_config": "rule:cloud_admin", | |
"identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", | |
"identity:update_endpoint": "rule:cloud_admin", | |
"identity:update_endpoint_group": "rule:admin_required", | |
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", | |
"identity:update_identity_provider": "rule:cloud_admin", | |
"identity:update_limit": "rule:admin_required", | |
"identity:update_mapping": "rule:cloud_admin", | |
"identity:update_policy": "rule:cloud_admin", | |
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", | |
"identity:update_project_tags": "rule:admin_required", | |
"identity:update_protocol": "rule:cloud_admin", | |
"identity:update_region": "rule:cloud_admin", | |
"identity:update_registered_limit": "rule:admin_required", | |
"identity:update_role": "rule:cloud_admin", | |
"identity:update_service": "rule:cloud_admin", | |
"identity:update_service_provider": "rule:cloud_admin", | |
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", | |
"identity:validate_token": "", | |
"identity:validate_token_head": "rule:admin_required", | |
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)", | |
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles", | |
"owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s", | |
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s", | |
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s", | |
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants", | |
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s", | |
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s", | |
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s", | |
"token_subject": "user_id:%(target.token.user_id)s" | |
} |