43 lines
2.4 KiB
Plaintext
43 lines
2.4 KiB
Plaintext
{
|
|
"admin_required": "role:admin or is_admin:1",
|
|
"service_role": "role:service",
|
|
"service_or_admin": "rule:admin_required or rule:service_role",
|
|
"owner" : "user_id:%(user_id)s",
|
|
"admin_or_owner": "rule:admin_required or rule:owner",
|
|
"token_subject": "user_id:%(target.token.user_id)s",
|
|
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
|
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
|
|
|
"protected_domains": "'heat':%(target.domain.name)s or 'magnum':%(target.domain.name)s",
|
|
"protected_projects": "'admin':%(target.project.name)s or 'services':%(target.project.name)s",
|
|
"protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
|
|
"protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
|
|
"protected_services": [["'aodh':%(target.user.name)s"],
|
|
["'barbican':%(target.user.name)s"],
|
|
["'ceilometer':%(target.user.name)s"],
|
|
["'cinder':%(target.user.name)s"],
|
|
["'glance':%(target.user.name)s"],
|
|
["'heat':%(target.user.name)s"],
|
|
["'neutron':%(target.user.name)s"],
|
|
["'nova':%(target.user.name)s"],
|
|
["'patching':%(target.user.name)s"],
|
|
["'sysinv':%(target.user.name)s"],
|
|
["'mtce':%(target.user.name)s"],
|
|
["'magnum':%(target.user.name)s"],
|
|
["'murano':%(target.user.name)s"],
|
|
["'panko':%(target.user.name)s"],
|
|
["'gnocchi':%(target.user.name)s"],
|
|
["'fm':%(target.user.name)s"]],
|
|
|
|
"identity:delete_service": "rule:admin_required and not rule:protected_services",
|
|
|
|
"identity:delete_domain": "rule:admin_required and not rule:protected_domains",
|
|
|
|
"identity:delete_project": "rule:admin_required and not rule:protected_projects",
|
|
|
|
"identity:delete_user": "rule:admin_required and not (rule:protected_admins or rule:protected_services)",
|
|
"identity:change_password": "rule:admin_or_owner and not rule:protected_services",
|
|
|
|
"identity:delete_role": "rule:admin_required and not rule:protected_roles",
|
|
}
|