
Difference between revisions of "Zaqar/bp/keystone-rbac"

(Implementation)
m (Malini moved page Marconi/bp/keystone-rbac to Zaqar/bp/keystone-rbac: Project Rename)
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
== Implementation ==
+
== Marconi: Keystone RBAC ==
  
 
Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.
 
Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.
Line 13: Line 13:
  
 
[keystone:rbac:queues]
 
[keystone:rbac:queues]
match = /v1/queues/?[^/]*
+
path = /v1/queues(/[^/]+)?
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
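Review bot: The new `path` regex for the queues resource is not anchored, so whether a request to `/v1/queues/<name>/messages/...` is classified as `queues` or `messages` depends on how the middleware applies the pattern (prefix match versus whole-path match) and on the order in which the configured resources are tried; the middleware itself is not shown on this page, so this is inferred from the config alone. The distinction matters because the per-resource role lists differ: in the current revision `can_delete` for messages is limited to the admin roles, while `can_delete` for queues also includes the creator roles, so a prefix match on the queues pattern evaluated first would let the more permissive queues mapping decide a request that targets messages. Anchoring the sample patterns removes the ambiguity, e.g. `path = ^/v1/queues(/[^/]+)?$`, `path = ^/v1/queues/[^/]+/messages(/[^/]+)?$`, `path = ^/v1/queues/[^/]+/claims(/[^/]+)?$`; alternatively the text should state that the middleware matches the whole request path and in which order resources are tested. The same point applies to the `path` lines added in the Line 19 (messages) and Line 25 (claims) hunks.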
Line 19: Line 19:
  
 
[keystone:rbac:messages]
 
[keystone:rbac:messages]
match = /v1/queues/?[^/]/messages/?[^/]*
+
path = /v1/queues/[^/]+/messages(/[^/]+)?
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
Line 25: Line 25:
  
 
[keystone:rbac:claims]
 
[keystone:rbac:claims]
match = /v1/queues/?[^/]/claims*
+
path = /v1/queues/[^/]+/claims(/[^/]+)?
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
 
 
</nowiki></pre>
 
</nowiki></pre>

Latest revision as of 18:42, 7 August 2014

Marconi: Keystone RBAC

Create as WSGI middleware and install it along with the keystone auth strategy when enabled. Read, write and delete permissions are mapped to roles obtained from the X-Role header. Mappings are per-resource; the requested resource is derived from a regex.

Sample configuration:

[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator