Difference between revisions of "Zaqar/bp/keystone-rbac"
Revision as of 20:22, 1 July 2013
Implementation
Implement as WSGI middleware, installed alongside the keystone auth strategy when enabled. Read, write and delete permissions are mapped to the roles taken from the X-Role header. Mappings are per resource; the requested resource is derived from a regex match on the request path.
Sample configuration:
[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
match = /v1/queues/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
match = /v1/queues/?[^/]/messages/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
match = /v1/queues/?[^/]/claims*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
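The following is an added example of the middleware shape sketched above; it is not Zaqar's code. It parses the sample configuration verbatim, maps HTTP verbs onto can_read/can_write/can_delete (that verb mapping is an assumption, the blueprint names only the three permission classes), and denies by default when no resource pattern matches or no role is granted. The regexes are applied with fullmatch so that the queues pattern, which is a prefix of the messages and claims paths, does not capture those requests.

```python
import configparser
import re

# Constructed input: the blueprint's sample configuration, verbatim.
SAMPLE_CONFIG = """\
[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
match = /v1/queues/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
match = /v1/queues/?[^/]/messages/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
match = /v1/queues/?[^/]/claims*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
"""

# HTTP verb -> permission key (assumed mapping, not from the blueprint).
METHOD_PERMISSION = {
    'GET': 'can_read', 'HEAD': 'can_read',
    'PUT': 'can_write', 'POST': 'can_write', 'PATCH': 'can_write',
    'DELETE': 'can_delete',
}
PERMISSIONS = ('can_read', 'can_write', 'can_delete')


def _csv(value):
    """Split a comma-separated option value into stripped, non-empty tokens."""
    return [item.strip() for item in value.split(',') if item.strip()]


def load_policies(text):
    """Parse [keystone:rbac*] sections into per-resource policies.

    Returns [] when rbac is disabled; the middleware then enforces nothing."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.getboolean('keystone', 'rbac', fallback=False):
        return []
    policies = []
    for resource in _csv(parser.get('keystone:rbac', 'resources')):
        section = 'keystone:rbac:%s' % resource
        policy = {'resource': resource,
                  'match': re.compile(parser.get(section, 'match'))}
        for perm in PERMISSIONS:
            # A missing can_* option means nobody holds that permission.
            policy[perm] = frozenset(_csv(parser.get(section, perm, fallback='')))
        policies.append(policy)
    return policies


def authorize(policies, method, path, roles):
    """Return (allowed, resource_name); deny by default.

    fullmatch keeps the queues pattern from swallowing messages/claims paths."""
    perm = METHOD_PERMISSION.get(method.upper())
    if perm is None:
        return False, None
    for policy in policies:
        if policy['match'].fullmatch(path):
            return bool(policy[perm] & set(roles)), policy['resource']
    return False, None


class RbacMiddleware(object):
    """WSGI filter: roles come from X-Role (the header the blueprint names),
    and a request the matched policy does not grant gets 403."""

    def __init__(self, app, policies):
        self.app = app
        self.policies = policies

    def __call__(self, environ, start_response):
        if self.policies:
            roles = _csv(environ.get('HTTP_X_ROLE', ''))
            allowed, _ = authorize(self.policies, environ.get('REQUEST_METHOD', 'GET'),
                                   environ.get('PATH_INFO', ''), roles)
            if not allowed:
                start_response('403 Forbidden', [('Content-Type', 'text/plain')])
                return [b'Forbidden']
        return self.app(environ, start_response)


def ok_app(environ, start_response):
    """Constructed downstream app standing in for the real API."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']


def call(app, method, path, role_header):
    """Drive a WSGI app with a constructed request; return the status line."""
    status = {}

    def start_response(line, headers):
        status['line'] = line

    environ = {'REQUEST_METHOD': method, 'PATH_INFO': path, 'HTTP_X_ROLE': role_header}
    list(app(environ, start_response))
    return status['line']
```

One thing worth checking against the sample patterns: in the messages and claims regexes the queue-name slot is `[^/]` with no quantifier, so it matches exactly one character. With the sample as written, `/v1/queues/orders/messages` matches no resource and is denied by default, while `/v1/queues/q/messages` is authorized normally. Deny-by-default makes that a visible 403 rather than a silent bypass, which is the behaviour you want from a filter whose patterns may be wrong.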