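The keystone_policy.json file defines additional access controls for the dashboard that apply to the Identity service.
Each key names either a reusable rule or an API target (`identity:<action>`). Its value is a list of alternatives: access is granted if any one alternative matches, and every check inside an alternative must pass.
A `role:<name>` check matches a role held by the caller, `rule:<name>` refers to another rule in the same file, and `"@"` always passes. Targets whose rule is `"@"` (the trust listing, trust role lookup and `identity:delete_trust` entries below) are therefore not restricted by this file, and targets that are not listed fall back to the `default` rule.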
> **Note:** The … [the remainder of this note is missing from this page]
{
"admin_required":[
[
"role:admin"
],
[
"is_admin:1"
]
],
"service_role":[
[
"role:service"
]
],
"service_or_admin":[
[
"rule:admin_required"
],
[
"rule:service_role"
]
],
"owner":[
[
"user_id:%(user_id)s"
]
],
"admin_or_owner":[
[
"rule:admin_required"
],
[
"rule:owner"
]
],
"default":[
[
"rule:admin_required"
]
],
"identity:get_service":[
[
"rule:admin_required"
]
],
"identity:list_services":[
[
"rule:admin_required"
]
],
"identity:create_service":[
[
"rule:admin_required"
]
],
"identity:update_service":[
[
"rule:admin_required"
]
],
"identity:delete_service":[
[
"rule:admin_required"
]
],
"identity:get_endpoint":[
[
"rule:admin_required"
]
],
"identity:list_endpoints":[
[
"rule:admin_required"
]
],
"identity:create_endpoint":[
[
"rule:admin_required"
]
],
"identity:update_endpoint":[
[
"rule:admin_required"
]
],
"identity:delete_endpoint":[
[
"rule:admin_required"
]
],
"identity:get_domain":[
[
"rule:admin_required"
]
],
"identity:list_domains":[
[
"rule:admin_required"
]
],
"identity:create_domain":[
[
"rule:admin_required"
]
],
"identity:update_domain":[
[
"rule:admin_required"
]
],
"identity:delete_domain":[
[
"rule:admin_required"
]
],
"identity:get_project":[
[
"rule:admin_required"
]
],
"identity:list_projects":[
[
"rule:admin_required"
]
],
"identity:list_user_projects":[
[
"rule:admin_or_owner"
]
],
"identity:create_project":[
[
"rule:admin_required"
]
],
"identity:update_project":[
[
"rule:admin_required"
]
],
"identity:delete_project":[
[
"rule:admin_required"
]
],
"identity:get_user":[
[
"rule:admin_required"
]
],
"identity:list_users":[
[
"rule:admin_required"
]
],
"identity:create_user":[
[
"rule:admin_required"
]
],
"identity:update_user":[
[
"rule:admin_or_owner"
]
],
"identity:delete_user":[
[
"rule:admin_required"
]
],
"identity:get_group":[
[
"rule:admin_required"
]
],
"identity:list_groups":[
[
"rule:admin_required"
]
],
"identity:list_groups_for_user":[
[
"rule:admin_or_owner"
]
],
"identity:create_group":[
[
"rule:admin_required"
]
],
"identity:update_group":[
[
"rule:admin_required"
]
],
"identity:delete_group":[
[
"rule:admin_required"
]
],
"identity:list_users_in_group":[
[
"rule:admin_required"
]
],
"identity:remove_user_from_group":[
[
"rule:admin_required"
]
],
"identity:check_user_in_group":[
[
"rule:admin_required"
]
],
"identity:add_user_to_group":[
[
"rule:admin_required"
]
],
"identity:get_credential":[
[
"rule:admin_required"
]
],
"identity:list_credentials":[
[
"rule:admin_required"
]
],
"identity:create_credential":[
[
"rule:admin_required"
]
],
"identity:update_credential":[
[
"rule:admin_required"
]
],
"identity:delete_credential":[
[
"rule:admin_required"
]
],
"identity:get_role":[
[
"rule:admin_required"
]
],
"identity:list_roles":[
[
"rule:admin_required"
]
],
"identity:create_role":[
[
"rule:admin_required"
]
],
"identity:update_role":[
[
"rule:admin_required"
]
],
"identity:delete_role":[
[
"rule:admin_required"
]
],
"identity:check_grant":[
[
"rule:admin_required"
]
],
"identity:list_grants":[
[
"rule:admin_required"
]
],
"identity:create_grant":[
[
"rule:admin_required"
]
],
"identity:revoke_grant":[
[
"rule:admin_required"
]
],
"identity:list_role_assignments":[
[
"rule:admin_required"
]
],
"identity:get_policy":[
[
"rule:admin_required"
]
],
"identity:list_policies":[
[
"rule:admin_required"
]
],
"identity:create_policy":[
[
"rule:admin_required"
]
],
"identity:update_policy":[
[
"rule:admin_required"
]
],
"identity:delete_policy":[
[
"rule:admin_required"
]
],
"identity:check_token":[
[
"rule:admin_required"
]
],
"identity:validate_token":[
[
"rule:service_or_admin"
]
],
"identity:validate_token_head":[
[
"rule:service_or_admin"
]
],
"identity:revocation_list":[
[
"rule:service_or_admin"
]
],
"identity:revoke_token":[
[
"rule:admin_or_owner"
]
],
"identity:create_trust":[
[
"user_id:%(trust.trustor_user_id)s"
]
],
"identity:get_trust":[
[
"rule:admin_or_owner"
]
],
"identity:list_trusts":[
[
"@"
]
],
"identity:list_roles_for_trust":[
[
"@"
]
],
"identity:check_role_for_trust":[
[
"@"
]
],
"identity:get_role_for_trust":[
[
"@"
]
],
"identity:delete_trust":[
[
"@"
]
]
}

