Policy sample - Identity v3 resources management

Adds the following rules to ``etc/policy.v3cloudsample.json``,
providing an operational Identity v3 API enabled setting:

* The cloud_admin can manage users in any domain.

* The cloud_admin can manage roles on any domain.

* Domain administrators can manage roles on any project in their own
  domain.

Change-Id: Id6ea8f469d5d05c04042c1395c4eae85b982bb25
Closes-Bug: #1267187
This commit is contained in:
Florent Flament 2014-01-08 18:36:51 +01:00
parent e54a6a353c
commit 0496466821
2 changed files with 47 additions and 11 deletions

View File

@ -7,6 +7,14 @@
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
"user_domain_id": "domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s",
"project_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s",
"groups_domain_id": "domain_id:%(group.domain_id)s or domain_id:%(target.group.domain_id)s",
"same_domain_id": "domain_id:%(domain_id)s or domain_id:%(target.domain.id)s",
"match_domain_id": "rule:same_domain_id or rule:user_domain_id or rule:project_domain_id or rule:groups_domain_id",
"domain_admin": "rule:admin_required and rule:match_domain_id",
"project_admin": "rule:admin_required and project_id:%(target.project.id)s",
"default": "rule:admin_required",
"identity:get_service": "rule:admin_or_cloud_admin",
@ -34,11 +42,11 @@
"identity:update_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:delete_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:get_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"identity:list_users": "rule:admin_required and domain_id:%(domain_id)s",
"identity:create_user": "rule:admin_required and domain_id:%(user.domain_id)s",
"identity:update_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"identity:delete_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:domain_admin",
"identity:list_users": "rule:cloud_admin or rule:domain_admin",
"identity:create_user": "rule:cloud_admin or rule:domain_admin",
"identity:update_user": "rule:cloud_admin or rule:domain_admin",
"identity:delete_user": "rule:cloud_admin or rule:domain_admin",
"identity:get_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
"identity:list_groups": "rule:admin_required and domain_id:%(domain_id)s",
@ -63,12 +71,10 @@
"identity:update_role": "rule:cloud_admin",
"identity:delete_role": "rule:cloud_admin",
"admin_on_domain_target" : "rule:admin_required and domain_id:%(target.domain.id)s",
"admin_on_project_target" : "rule:admin_required and project_id:%(target.project.id)s",
"identity:check_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
"identity:list_grants": "rule:admin_on_project_target or rule:admin_on_domain_target",
"identity:create_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
"identity:revoke_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",

View File

@ -595,6 +595,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self._test_user_management(self.domainA['id'])
def test_user_management_by_cloud_admin(self):
# Test users management with a cloud admin. This user should
# be able to manage users in any domain.
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
domain_id=self.admin_domain['id'])
self._test_user_management(self.domainA['id'])
def test_project_management(self):
# First, authentication with a user that does not have the project
# admin role - houldn't be able to do much.
@ -636,6 +646,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self._test_grants('domains', self.domainA['id'])
def test_domain_grants_by_cloud_admin(self):
# Test domain grants with a cloud admin. This user should be
# able to manage roles on any domain.
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
domain_id=self.admin_domain['id'])
self._test_grants('domains', self.domainA['id'])
def test_project_grants(self):
self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
@ -653,6 +673,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
self._test_grants('projects', self.project['id'])
def test_project_grants_by_domain_admin(self):
# Test project grants with a domain admin. This user should be
# able to manage roles on any project in its own domain.
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
password=self.domain_admin_user['password'],
domain_id=self.domainA['id'])
self._test_grants('projects', self.project['id'])
def test_cloud_admin(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],