  
 

 keystone_policy.json

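The keystone_policy.json file defines additional access controls for the dashboard that apply to the Identity service. Each rule is a list of alternatives, any one of which grants access, and a rule of "@" always passes, so the trust operations marked "@" below are not restricted by this file.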

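Note

The keystone_policy.json file must match the Identity service /etc/keystone/policy.json policy file. The dashboard evaluates its own copy to decide which actions to present, while the Identity service enforces its own file on every API request; if the two differ, the dashboard can offer actions that the service then refuses, or hide actions that the service would allow.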

{
   "admin_required":[
      [
         "role:admin"
      ],
      [
         "is_admin:1"
      ]
   ],
   "service_role":[
      [
         "role:service"
      ]
   ],
   "service_or_admin":[
      [
         "rule:admin_required"
      ],
      [
         "rule:service_role"
      ]
   ],
   "owner":[
      [
         "user_id:%(user_id)s"
      ]
   ],
   "admin_or_owner":[
      [
         "rule:admin_required"
      ],
      [
         "rule:owner"
      ]
   ],
   "default":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_service":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_services":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_service":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_service":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_service":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_endpoint":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_endpoints":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_endpoint":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_endpoint":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_endpoint":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_domain":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_domains":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_domain":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_domain":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_domain":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_project":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_projects":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_user_projects":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "identity:create_project":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_project":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_project":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_user":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_users":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_user":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_user":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "identity:delete_user":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_groups":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_groups_for_user":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "identity:create_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_users_in_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:remove_user_from_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:check_user_in_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:add_user_to_group":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_credential":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_credentials":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_credential":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_credential":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_credential":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_role":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_roles":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_role":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_role":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_role":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:check_grant":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_grants":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_grant":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:revoke_grant":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_role_assignments":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:get_policy":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:list_policies":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:create_policy":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:update_policy":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:delete_policy":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:check_token":[
      [
         "rule:admin_required"
      ]
   ],
   "identity:validate_token":[
      [
         "rule:service_or_admin"
      ]
   ],
   "identity:validate_token_head":[
      [
         "rule:service_or_admin"
      ]
   ],
   "identity:revocation_list":[
      [
         "rule:service_or_admin"
      ]
   ],
   "identity:revoke_token":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "identity:create_trust":[
      [
         "user_id:%(trust.trustor_user_id)s"
      ]
   ],
   "identity:get_trust":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "identity:list_trusts":[
      [
         "@"
      ]
   ],
   "identity:list_roles_for_trust":[
      [
         "@"
      ]
   ],
   "identity:check_role_for_trust":[
      [
         "@"
      ]
   ],
   "identity:get_role_for_trust":[
      [
         "@"
      ]
   ],
   "identity:delete_trust":[
      [
         "@"
      ]
   ]
}