Difference between revisions of "Zaqar/bp/keystone-rbac"

Revision as of 22:03, 1 July 2013

Marconi: Keystone RBAC

Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.

Sample configuration:

[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

Revision as of 21:49, 1 July 2013 (view source) Kgriffs (talk \| contribs) (→‎Implementation: Fixed regexes) ← Older edit		Revision as of 22:03, 1 July 2013 (view source) Kgriffs (talk \| contribs) m (→‎Implementation) Newer edit →
Line 1:		Line 1:
−	== ~~Implementation~~ ==	+	== Marconi: Keystone RBAC ==

	Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.		Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.