Zaqar/bp/keystone-rbac

Marconi: Keystone RBAC
Implement the check as WSGI middleware, installed alongside the keystone auth strategy when enabled. Read, write and delete permissions are mapped to roles taken from the X-Role header. Mappings are per resource; the requested resource is derived by matching the request path against a regex.

Sample configuration:

[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
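The middleware the blueprint describes, as an added example that is not Marconi/Zaqar code: it loads the sample configuration above, maps the HTTP method to read/write/delete, picks the resource whose path regex fully matches PATH_INFO, and allows the request only if the caller holds one of the listed roles. Assumptions beyond the page: the roles header is comma-separated and is accepted under either X-Roles (what keystone's auth_token middleware sets) or X-Role (the name used above); the method-to-action table and the fail-closed handling of unmatched paths and unmapped methods are this example's choices.

```python
"""Keystone RBAC middleware sketched from the blueprint (example, not project code)."""
import configparser
import re

# The blueprint's sample configuration, used here as the input.
SAMPLE_CONFIG = """
[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
"""

# Assumption: how HTTP methods map onto the three permissions. Anything else is denied.
METHOD_ACTION = {"GET": "read", "HEAD": "read",
                 "POST": "write", "PUT": "write", "PATCH": "write",
                 "DELETE": "delete"}


def _csv(value):
    """Split a comma-separated config value into a list, keeping order."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_rules(config_text):
    """Parse the INI text into per-resource rules; None when rbac is off."""
    cp = configparser.ConfigParser(interpolation=None)  # regexes may contain '%'
    cp.read_string(config_text)
    if not cp.getboolean("keystone", "rbac", fallback=False):
        return None
    rules = []
    for name in _csv(cp.get("keystone:rbac", "resources")):
        section = "keystone:rbac:%s" % name
        rules.append({
            "name": name,
            "path": re.compile(cp.get(section, "path")),
            "read": set(_csv(cp.get(section, "can_read", fallback=""))),
            "write": set(_csv(cp.get(section, "can_write", fallback=""))),
            "delete": set(_csv(cp.get(section, "can_delete", fallback=""))),
        })
    return rules


def decide(rules, method, path, roles):
    """Return (allowed, reason). Fails closed on unmapped methods and unmatched paths."""
    action = METHOD_ACTION.get(method.upper())
    if action is None:
        return False, "method %s has no read/write/delete mapping" % method
    for rule in rules:
        if rule["path"].fullmatch(path):  # fullmatch: no prefix tricks like /v1/queuesX
            if set(roles) & rule[action]:
                return True, "%s on %s" % (action, rule["name"])
            return False, "roles %s may not %s %s" % (sorted(roles), action, rule["name"])
    return False, "no RBAC resource matches %s" % path


class KeystoneRBAC(object):
    """WSGI middleware: sits after keystone auth, which supplies the roles header."""

    def __init__(self, app, rules):
        self.app = app
        self.rules = rules

    @staticmethod
    def _roles(environ):
        # Assumption: accept X-Roles (auth_token's header) as well as X-Role (the blueprint's name).
        raw = environ.get("HTTP_X_ROLES") or environ.get("HTTP_X_ROLE") or ""
        return set(_csv(raw))

    def __call__(self, environ, start_response):
        allowed, _reason = decide(self.rules, environ.get("REQUEST_METHOD", ""),
                                  environ.get("PATH_INFO", ""), self._roles(environ))
        if not allowed:
            body = b"403 Forbidden"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    print(decide(rules, "GET", "/v1/queues/q1", {"observer"}))
    print(decide(rules, "DELETE", "/v1/queues/q1/messages/m1", {"creator"}))
```

With the sample configuration an observer can read a queue but not write it, and a creator can delete a queue or a claim but not a message, which is exactly the asymmetry the three can_delete lines encode; a path no resource regex matches is refused rather than passed through, so a new endpoint must be added to the config before it becomes reachable.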