Jump to: navigation, search

Zaqar/bp/keystone-rbac

< Zaqar
Revision as of 20:22, 1 July 2013 by Kgriffs (talk | contribs) (Implementation)

Implementation

Create as WSGI middleware and install along with the keystone auth strategy when enabled. Read/write/delete permissions mapped to roles obtained from X-Role header. Mappings are per-resource; requested resource is derived from a regex.

Sample configuration: 

[keystone]
rbac = True

[keystone:rbac]
resources = queues, messages, claims

[keystone:rbac:queues]
match = /v1/queues/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator

[keystone:rbac:messages]
match = /v1/queues/?[^/]/messages/?[^/]*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin

[keystone:rbac:claims]
match = /v1/queues/?[^/]/claims*
can_read = identity:user-admin, admin, queuing:admin, queuing:creator, creator, queuing:observer, observer
can_write = identity:user-admin, admin, queuing:admin, queuing:creator, creator
can_delete = identity:user-admin, admin, queuing:admin, queuing:creator, creator
Retrieved from "https://wiki.openstack.org/w/index.php?title=Zaqar/bp/keystone-rbac&oldid=25212"