Difference between revisions of "Zaqar/bp/keystone-rbac"
Older revision summary: (→Implementation)
Newer revision summary: m (Malini moved page Marconi/bp/keystone-rbac to Zaqar/bp/keystone-rbac: Project Rename)
(2 intermediate revisions by one other user not shown)
Line 1: | Line 1: | ||
− | == | + | == Marconi: Keystone RBAC == |
Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex. | Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex. | ||
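Review bot: the description in this hunk obtains roles from the X-Role header but only says the middleware is installed "along with the keystone auth strategy when enabled"; the dependency should be stated as a hard requirement, because the header is only trustworthy when the upstream keystone auth middleware has set it from a validated token and discarded any client-supplied value. Suggest wording such as "installed only when the keystone auth strategy is active; roles are read from the X-Role header that strategy sets", and a sentence on what happens when the header is absent (deny by default).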
Line 13: | Line 13: | ||
[keystone:rbac:queues] | [keystone:rbac:queues] | ||
− | + | path = /v1/queues(/[^/]+)? | |
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | ||
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | ||
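Review bot: the added `path = /v1/queues(/[^/]+)?` pattern is unanchored, so with a prefix match (re.match/re.search) a request for `/v1/queues/q1/messages/m1` also matches the queues resource; since the queues `can_delete` list includes `creator` while the messages `can_delete` list in the same spec does not, a DELETE on a message could be authorised against the broader queue rule depending on evaluation order. Anchor the patterns (`^/v1/queues(/[^/]+)?$`) or state that the middleware uses a full-path match, and document that resources are evaluated in the order given in `resources` with the first match winning.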
Line 19: | Line 19: | ||
[keystone:rbac:messages] | [keystone:rbac:messages] | ||
− | + | path = /v1/queues/[^/]+/messages(/[^/]+)? | |
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | ||
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | ||
Line 25: | Line 25: | ||
[keystone:rbac:claims] | [keystone:rbac:claims] | ||
− | + | path = /v1/queues/[^/]+/claims(/[^/]+)? | |
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer | ||
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator | ||
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator | can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator | ||
− | |||
</nowiki></pre> | </nowiki></pre> |
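Review bot: the `can_read` / `can_write` / `can_delete` keys in this hunk are never tied to HTTP methods anywhere in the spec; add one sentence stating the mapping (for example GET/HEAD to can_read, POST/PUT/PATCH to can_write, DELETE to can_delete) and what an unlisted method or an unmatched path gets (a 403 rather than falling through to the application), otherwise implementations will differ on exactly the cases that matter for access control.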
Latest revision as of 18:42, 7 August 2014
Marconi: Keystone RBAC
Implemented as WSGI middleware, installed alongside the keystone auth strategy when RBAC is enabled. Read, write and delete permissions are mapped to roles obtained from the X-Role header. Mappings are defined per resource; the requested resource is determined by matching the request path against a regex.
Sample configuration:
<pre><nowiki>
[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
</nowiki></pre>
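The following is an added example of how the middleware described above could be implemented; it is not Marconi/Zaqar project code. It parses the sample configuration exactly as shown, takes roles from the X-Role header the page names, and matches the request path with an anchored full match so that a message or claim path never falls into the broader queues rule. The mapping of HTTP methods to can_read/can_write/can_delete, the deny-by-default for unmatched paths and unknown methods, and all names (`KeystoneRbacMiddleware`, `load_rules`, `decide`) are assumptions of this example, not from the spec.

```python
"""Keystone RBAC WSGI middleware: per-resource path regex -> role lists (added example)."""
import configparser
import re

# Constructed copy of the page's sample configuration, embedded so the example runs offline.
SAMPLE_CONFIG = """
[keystone]
rbac = True
[keystone:rbac]
resources = queues, messages, claims
[keystone:rbac:queues]
path = /v1/queues(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
[keystone:rbac:messages]
path = /v1/queues/[^/]+/messages(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin
[keystone:rbac:claims]
path = /v1/queues/[^/]+/claims(/[^/]+)?
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
"""

# Assumption: the spec does not state the method -> permission mapping; this one is ours.
METHOD_PERMISSION = {
    "GET": "can_read", "HEAD": "can_read", "OPTIONS": "can_read",
    "POST": "can_write", "PUT": "can_write", "PATCH": "can_write",
    "DELETE": "can_delete",
}
PERMISSIONS = ("can_read", "can_write", "can_delete")


def _csv(value):
    """Split a comma-separated config value into a list of non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_rules(config_text):
    """Parse [keystone:rbac:*] sections into (name, compiled regex, {perm: roles}) tuples.

    Returns None when [keystone] rbac is not enabled, so the middleware becomes a pass-through.
    Resource order follows the 'resources' key; the first matching resource wins.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.getboolean("keystone", "rbac", fallback=False):
        return None
    rules = []
    for name in _csv(cp.get("keystone:rbac", "resources")):
        section = cp["keystone:rbac:" + name]
        perms = {perm: frozenset(_csv(section.get(perm, ""))) for perm in PERMISSIONS}
        rules.append((name, re.compile(section["path"]), perms))
    return rules


def decide(rules, method, path, roles):
    """Return (allowed, resource_name). Unknown methods and unmatched paths are denied."""
    perm = METHOD_PERMISSION.get(method.upper())
    if perm is None:
        return False, None
    for name, pattern, perms in rules:
        # fullmatch anchors the regex: /v1/queues/q1/messages/m1 must not hit the queues rule.
        if pattern.fullmatch(path):
            return bool(set(roles) & perms[perm]), name
    return False, None


class KeystoneRbacMiddleware:
    """WSGI filter: 403 unless a role in X-Role grants the permission for the matched resource."""

    def __init__(self, app, config_text):
        self.app = app
        self.rules = load_rules(config_text)

    def __call__(self, environ, start_response):
        if self.rules is None:  # RBAC disabled in config
            return self.app(environ, start_response)
        # X-Role is expected to be set by the upstream keystone auth middleware (page's header name).
        roles = _csv(environ.get("HTTP_X_ROLE", ""))
        allowed, _ = decide(self.rules, environ.get("REQUEST_METHOD", "GET"),
                            environ.get("PATH_INFO", ""), roles)
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return self.app(environ, start_response)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for req in [("GET", "/v1/queues", ["observer"]),
                ("DELETE", "/v1/queues/q1/messages/m1", ["creator"]),
                ("DELETE", "/v1/queues/q1/claims/c1", ["creator"])]:
        print(*req, "->", decide(rules, *req))
```

The anchored match is the design choice worth noting: with `re.match` the queues pattern would accept `/v1/queues/q1/messages/m1` and, because the queues delete list is broader than the messages one, a `creator` could delete messages through the wrong rule. With `fullmatch`, resource order only matters when two patterns genuinely overlap.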