Policy sample - Identity v3 resources management
Adds the following rules to ``etc/policy.v3cloudsample.json``, providing an operational Identity v3 API enabled setting: * The cloud_admin can manage users in any domain. * The cloud_admin can manage roles on any domain. * Domain administrators can manage roles on any project in their own domain. Change-Id: Id6ea8f469d5d05c04042c1395c4eae85b982bb25 Closes-Bug: #1267187
parent
e54a6a353c
commit
0496466821
@ -7,6 +7,14 @@
|
|||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||
|
||||
"user_domain_id": "domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s",
|
||||
"project_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s",
|
||||
"groups_domain_id": "domain_id:%(group.domain_id)s or domain_id:%(target.group.domain_id)s",
|
||||
"same_domain_id": "domain_id:%(domain_id)s or domain_id:%(target.domain.id)s",
|
||||
"match_domain_id": "rule:same_domain_id or rule:user_domain_id or rule:project_domain_id or rule:groups_domain_id",
|
||||
"domain_admin": "rule:admin_required and rule:match_domain_id",
|
||||
"project_admin": "rule:admin_required and project_id:%(target.project.id)s",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
"identity:get_service": "rule:admin_or_cloud_admin",
|
||||
|
@ -34,11 +42,11 @@
|
|||
"identity:update_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
"identity:delete_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
|
||||
|
||||
"identity:get_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"identity:list_users": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"identity:create_user": "rule:admin_required and domain_id:%(user.domain_id)s",
|
||||
"identity:update_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"identity:delete_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
|
||||
"identity:get_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:list_users": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:create_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:update_user": "rule:cloud_admin or rule:domain_admin",
|
||||
"identity:delete_user": "rule:cloud_admin or rule:domain_admin",
|
||||
|
||||
"identity:get_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
|
||||
"identity:list_groups": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
|
@ -63,12 +71,10 @@
|
|||
"identity:update_role": "rule:cloud_admin",
|
||||
"identity:delete_role": "rule:cloud_admin",
|
||||
|
||||
"admin_on_domain_target" : "rule:admin_required and domain_id:%(target.domain.id)s",
|
||||
"admin_on_project_target" : "rule:admin_required and project_id:%(target.project.id)s",
|
||||
"identity:check_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
|
||||
"identity:list_grants": "rule:admin_on_project_target or rule:admin_on_domain_target",
|
||||
"identity:create_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
|
||||
"identity:revoke_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
|
||||
"identity:check_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:list_grants": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:create_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
|
||||
|
||||
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
|
||||
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
|
||||
|
|
|
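Review bot: The new `match_domain_id` rule in the first hunk ORs four different target sources (`domain_id`/`target.domain.id`, `target.user.domain_id`/`user.domain_id`, `target.project.domain_id`/`project.domain_id`, `group.domain_id`/`target.group.domain_id`), so which domain `domain_admin` is actually compared against is decided per API by whatever keys the enforcement point puts into the target dict, and that mapping is not visible from this file. Each operation therefore also evaluates checks against keys it never populates; whether the policy engine treats a missing key as a non-match or raises is not something this page shows, and it should be confirmed before relying on the composed rule for `identity:*_user` (second hunk) and the grant rules (third hunk). Since the sample is JSON and cannot carry comments, I would record in the commit message or the policy documentation which target key each rewritten rule depends on, e.g. `identity:create_user` → `user.domain_id`, `identity:update_user`/`identity:delete_user` → `target.user.domain_id`, `identity:*_grant` → `target.domain.id` or `target.project.domain_id`. Note that the project and group rules left as context (`identity:update_project`, `identity:get_group`) keep the older `rule:admin_required and domain_id:%(...)s` form, so `cloud_admin` still cannot act on those outside its own domain; that matches the stated scope of the change but is worth stating explicitly so the asymmetry is not read as an oversight.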
@ -595,6 +595,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
|
||||
self._test_user_management(self.domainA['id'])
|
||||
|
||||
def test_user_management_by_cloud_admin(self):
|
||||
# Test users management with a cloud admin. This user should
|
||||
# be able to manage users in any domain.
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
domain_id=self.admin_domain['id'])
|
||||
|
||||
self._test_user_management(self.domainA['id'])
|
||||
|
||||
def test_project_management(self):
|
||||
# First, authentication with a user that does not have the project
|
||||
# admin role - houldn't be able to do much.
|
||||
|
@ -636,6 +646,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
|
||||
self._test_grants('domains', self.domainA['id'])
|
||||
|
||||
def test_domain_grants_by_cloud_admin(self):
|
||||
# Test domain grants with a cloud admin. This user should be
|
||||
# able to manage roles on any domain.
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
domain_id=self.admin_domain['id'])
|
||||
|
||||
self._test_grants('domains', self.domainA['id'])
|
||||
|
||||
def test_project_grants(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
@ -653,6 +673,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
|
||||
self._test_grants('projects', self.project['id'])
|
||||
|
||||
def test_project_grants_by_domain_admin(self):
|
||||
# Test project grants with a domain admin. This user should be
|
||||
# able to manage roles on any project in its own domain.
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
password=self.domain_admin_user['password'],
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
self._test_grants('projects', self.project['id'])
|
||||
|
||||
def test_cloud_admin(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
|
|
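Review bot: The three added tests (`test_user_management_by_cloud_admin`, `test_domain_grants_by_cloud_admin`, `test_project_grants_by_domain_admin`) only exercise the allowed path for the new rules; unless `_test_user_management` and `_test_grants` (bodies outside these hunks) include denials, nothing here checks that a domain admin of `domainA` is rejected when managing users or project grants in a different domain, which is the boundary the new `domain_admin` rule is meant to enforce. I would add one negative test per new rule that authenticates as `self.domain_admin_user` and calls the same helper against a user or project in another domain, expecting the forbidden status. The three tests also repeat the same `build_authentication_request(...)` block; a small helper such as `def _auth_as(self, user, domain_id): self.auth = self.build_authentication_request(user_id=user['id'], password=user['password'], domain_id=domain_id)` would keep each test to one line of setup. The enclosing class starts before these hunks.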