Keystone Sample PolicyΒΆ

The following is a sample keystone policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific keystone APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.

The sample policy file can also be viewed in file form.

#
#"admin_required": "role:admin or is_admin:1"

#
#"service_role": "role:service"

#
#"service_or_admin": "rule:admin_required or rule:service_role"

#
#"owner": "user_id:%(user_id)s"

#
#"admin_or_owner": "rule:admin_required or rule:owner"

#
#"token_subject": "user_id:%(target.token.user_id)s"

#
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"

#
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"

#
#"default": "rule:admin_required"

# Authorize OAUTH1 request token.
# PUT  /v3/OS-OAUTH1/authorize/{request_token_id}
#"identity:authorize_request_token": "rule:admin_required"

# Get OAUTH1 access token for user by access token ID.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
#"identity:get_access_token": "rule:admin_required"

# Get role for user OAUTH1 access token.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
#"identity:get_access_token_role": "rule:admin_required"

# List OAUTH1 access tokens for user.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens
#"identity:list_access_tokens": "rule:admin_required"

# List OAUTH1 access token roles.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
#"identity:list_access_token_roles": "rule:admin_required"

# Delete OAUTH1 access token.
# DELETE  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
#"identity:delete_access_token": "rule:admin_required"

# Get service catalog.
# GET  /v3/auth/catalog
#"identity:get_auth_catalog": ""

# List all projects a user has access to via role assignments.
# GET  /v3/auth/projects
#"identity:get_auth_projects": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
#"identity:get_auth_domains": ""

# Show OAUTH1 consumer details.
# GET  /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:get_consumer": "rule:admin_required"

# List OAUTH1 consumers.
# GET  /v3/OS-OAUTH1/consumers
#"identity:list_consumers": "rule:admin_required"

# Create OAUTH1 consumer.
# POST  /v3/OS-OAUTH1/consumers
#"identity:create_consumer": "rule:admin_required"

# Update OAUTH1 consumer.
# PATCH  /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:update_consumer": "rule:admin_required"

# Delete OAUTH1 consumer.
# DELETE  /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:delete_consumer": "rule:admin_required"

# Show credentials details.
# GET  /v3/credentials/{credential_id}
#"identity:get_credential": "rule:admin_required"

# List credentials.
# GET  /v3/credentials
#"identity:list_credentials": "rule:admin_required"

# Create credential.
# POST  /v3/credentials
#"identity:create_credential": "rule:admin_required"

# Update credential.
# PATCH  /v3/credentials/{credential_id}
#"identity:update_credential": "rule:admin_required"

# Delete credential.
# DELETE  /v3/credentials/{credential_id}
#"identity:delete_credential": "rule:admin_required"

# Show domain details.
# GET  /v3/domains/{domain_id}
#"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"

# List domains.
# GET  /v3/domains
#"identity:list_domains": "rule:admin_required"

# Create domain.
# POST  /v3/domains
#"identity:create_domain": "rule:admin_required"

# Update domain.
# PATCH  /v3/domains/{domain_id}
#"identity:update_domain": "rule:admin_required"

# Delete domain.
# DELETE  /v3/domains/{domain_id}
#"identity:delete_domain": "rule:admin_required"

#
#"identity:create_domain_config": "rule:admin_required"

#
#"identity:get_domain_config": "rule:admin_required"

#
#"identity:get_security_compliance_domain_config": ""

#
#"identity:update_domain_config": "rule:admin_required"

#
#"identity:delete_domain_config": "rule:admin_required"

#
#"identity:get_domain_config_default": "rule:admin_required"

#
#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

#
#"identity:ec2_list_credentials": "rule:admin_or_owner"

#
#"identity:ec2_create_credential": "rule:admin_or_owner"

#
#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

# Show endpoint details.
# GET  /v3/endpoints/{endpoint_id}
#"identity:get_endpoint": "rule:admin_required"

# List endpoints.
# GET  /v3/endpoints
#"identity:list_endpoints": "rule:admin_required"

# Create endpoint.
# POST  /v3/endpoints
#"identity:create_endpoint": "rule:admin_required"

# Update endpoint.
# PATCH  /v3/endpoints/{endpoint_id}
#"identity:update_endpoint": "rule:admin_required"

# Delete endpoint.
# DELETE  /v3/endpoints/{endpoint_id}
#"identity:delete_endpoint": "rule:admin_required"

# Create endpoint group.
# POST  /v3/OS-EP-FILTER/endpoint_groups
#"identity:create_endpoint_group": "rule:admin_required"

# List endpoint groups.
# GET  /v3/OS-EP-FILTER/endpoint_groups
#"identity:list_endpoint_groups": "rule:admin_required"

# Get endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:get_endpoint_group": "rule:admin_required"

# Update endpoint group.
# PATCH  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:update_endpoint_group": "rule:admin_required"

# Delete endpoint group.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:delete_endpoint_group": "rule:admin_required"

# List all projects associated with a specific endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required"

# List all endpoints associated with an endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"

# Check if an endpoint group is associated with a project.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:get_endpoint_group_in_project": "rule:admin_required"

# List endpoint groups associated with a specific project.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
#"identity:list_endpoint_groups_for_project": "rule:admin_required"

# Allow a project to access an endpoint group.
# PUT  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:add_endpoint_group_to_project": "rule:admin_required"

# Remove endpoint group from project.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:remove_endpoint_group_from_project": "rule:admin_required"

#
#"identity:check_grant": "rule:admin_required"

#
#"identity:list_grants": "rule:admin_required"

#
#"identity:create_grant": "rule:admin_required"

#
#"identity:revoke_grant": "rule:admin_required"

# Show group details.
# GET  /v3/groups/{group_id}
# HEAD  /v3/groups/{group_id}
#"identity:get_group": "rule:admin_required"

# List groups.
# GET  /v3/groups
# HEAD  /v3/groups
#"identity:list_groups": "rule:admin_required"

# List groups to which a user belongs.
# GET  /v3/users/{user_id}/groups
# HEAD  /v3/users/{user_id}/groups
#"identity:list_groups_for_user": "rule:admin_or_owner"

# Create group.
# POST  /v3/groups
#"identity:create_group": "rule:admin_required"

# Update group.
# PATCH  /v3/groups/{group_id}
#"identity:update_group": "rule:admin_required"

# Delete group.
# DELETE  /v3/groups/{group_id}
#"identity:delete_group": "rule:admin_required"

# List members of a specific group.
# GET  /v3/groups/{group_id}/users
# HEAD  /v3/groups/{group_id}/users
#"identity:list_users_in_group": "rule:admin_required"

# Remove user from group.
# DELETE  /v3/groups/{group_id}/users/{user_id}
#"identity:remove_user_from_group": "rule:admin_required"

# Check whether a user is a member of a group.
# HEAD  /v3/groups/{group_id}/users/{user_id}
# GET  /v3/groups/{group_id}/users/{user_id}
#"identity:check_user_in_group": "rule:admin_required"

# Add user to group.
# PUT  /v3/groups/{group_id}/users/{user_id}
#"identity:add_user_to_group": "rule:admin_required"

# Create identity provider.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:create_identity_provider": "rule:admin_required"

# List identity providers.
# GET  /v3/OS-FEDERATION/identity_providers
#"identity:list_identity_providers": "rule:admin_required"

# Get identity provider.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:get_identity_providers": "rule:admin_required"

# Update identity provider.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:update_identity_provider": "rule:admin_required"

# Delete identity provider.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:delete_identity_provider": "rule:admin_required"

#
#"identity:get_implied_role": "rule:admin_required"

#
#"identity:list_implied_roles": "rule:admin_required"

#
#"identity:create_implied_role": "rule:admin_required"

#
#"identity:delete_implied_role": "rule:admin_required"

#
#"identity:list_role_inference_rules": "rule:admin_required"

#
#"identity:check_implied_role": "rule:admin_required"

# Create a new federated mapping containing one or more sets of rules.
# PUT  /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:create_mapping": "rule:admin_required"

# Get a federated mapping.
# GET  /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:get_mapping": "rule:admin_required"

# List federated mappings.
# GET  /v3/OS-FEDERATION/mappings
#"identity:list_mappings": "rule:admin_required"

# Delete a federated mapping.
# DELETE  /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:delete_mapping": "rule:admin_required"

# Update a federated mapping.
# PATCH  /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:update_mapping": "rule:admin_required"

# Show policy details.
# GET  /v3/policy/{policy_id}
#"identity:get_policy": "rule:admin_required"

# List policies.
# GET  /v3/policies
#"identity:list_policies": "rule:admin_required"

# Create policy.
# POST  /v3/policies
#"identity:create_policy": "rule:admin_required"

# Update policy.
# PATCH  /v3/policies/{policy_id}
#"identity:update_policy": "rule:admin_required"

# Delete policy.
# DELETE  /v3/policies/{policy_id}
#"identity:delete_policy": "rule:admin_required"

# Associate a policy to a specific endpoint.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:create_policy_association_for_endpoint": "rule:admin_required"

# Check policy association for endpoint.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:check_policy_association_for_endpoint": "rule:admin_required"

# Delete policy association for endpoint.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"

# Associate a policy to a specific service.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:create_policy_association_for_service": "rule:admin_required"

# Check policy association for service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:check_policy_association_for_service": "rule:admin_required"

# Delete policy association for service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:delete_policy_association_for_service": "rule:admin_required"

# Associate a policy to a specific region and service combination.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"

# Check policy association for region and service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:check_policy_association_for_region_and_service": "rule:admin_required"

# Delete policy association for region and service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"

# Get policy for endpoint.
# GET  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
#"identity:get_policy_for_endpoint": "rule:admin_required"

# List endpoints for policy.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
#"identity:list_endpoints_for_policy": "rule:admin_required"

# Show project details.
# GET  /v3/projects/{project_id}
#"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"

# List projects.
# GET  /v3/projects
#"identity:list_projects": "rule:admin_required"

# List projects for user.
# GET  /v3/users/{user_id}/projects
#"identity:list_user_projects": "rule:admin_or_owner"

# Create project.
# POST  /v3/projects
#"identity:create_project": "rule:admin_required"

# Update project.
# PATCH  /v3/projects/{project_id}
#"identity:update_project": "rule:admin_required"

# Delete project.
# DELETE  /v3/projects/{project_id}
#"identity:delete_project": "rule:admin_required"

# List projects allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
#"identity:list_projects_for_endpoint": "rule:admin_required"

# Allow project to access an endpoint.
# PUT  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:add_endpoint_to_project": "rule:admin_required"

# Check if a project is allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:check_endpoint_in_project": "rule:admin_required"

# List the endpoints a project is allowed to access.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints
#"identity:list_endpoints_for_project": "rule:admin_required"

# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:remove_endpoint_from_project": "rule:admin_required"

# Create federated protocol.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:create_protocol": "rule:admin_required"

# Update federated protocol.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:update_protocol": "rule:admin_required"

# Get federated protocol.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:get_protocol": "rule:admin_required"

# List federated protocols.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
#"identity:list_protocols": "rule:admin_required"

# Delete federated protocol.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:delete_protocol": "rule:admin_required"

# Show region details.
# GET  /v3/regions/{region_id}
# HEAD  /v3/regions/{region_id}
#"identity:get_region": ""

# List regions.
# GET  /v3/regions
# HEAD  /v3/regions
#"identity:list_regions": ""

# Create region.
# POST  /v3/regions
# PUT  /v3/regions/{region_id}
#"identity:create_region": "rule:admin_required"

# Update region.
# PATCH  /v3/regions/{region_id}
#"identity:update_region": "rule:admin_required"

# Delete region.
# DELETE  /v3/regions/{region_id}
#"identity:delete_region": "rule:admin_required"

# List revocation events.
# GET  /v3/OS-REVOKE/events
#"identity:list_revoke_events": "rule:service_or_admin"

#
#"identity:get_role": "rule:admin_required"

#
#"identity:list_roles": "rule:admin_required"

#
#"identity:create_role": "rule:admin_required"

#
#"identity:update_role": "rule:admin_required"

#
#"identity:delete_role": "rule:admin_required"

#
#"identity:get_domain_role": "rule:admin_required"

#
#"identity:list_domain_roles": "rule:admin_required"

#
#"identity:create_domain_role": "rule:admin_required"

#
#"identity:update_domain_role": "rule:admin_required"

#
#"identity:delete_domain_role": "rule:admin_required"

# List role assignments.
# GET  /v3/role_assignments
# HEAD  /v3/role_assignments
#"identity:list_role_assignments": "rule:admin_required"

# List all role assignments for a given tree of hierarchical projects.
# GET  /v3/role_assignments?include_subtree
# HEAD  /v3/role_assignments?include_subtree
#"identity:list_role_assignments_for_tree": "rule:admin_required"

# Show service details.
# GET  /v3/services/{service_id}
#"identity:get_service": "rule:admin_required"

# List services.
# GET  /v3/services
#"identity:list_services": "rule:admin_required"

# Create service.
# POST  /v3/services
#"identity:create_service": "rule:admin_required"

# Update service.
# PATCH  /v3/services/{service_id}
#"identity:update_service": "rule:admin_required"

# Delete service.
# DELETE  /v3/services/{service_id}
#"identity:delete_service": "rule:admin_required"

# Create federated service provider.
# PUT  /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:create_service_provider": "rule:admin_required"

# List federated service providers.
# GET  /v3/OS-FEDERATION/service_providers
#"identity:list_service_providers": "rule:admin_required"

# Get federated service provider.
# GET  /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:get_service_provider": "rule:admin_required"

# Update federated service provider.
# PATCH  /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:update_service_provider": "rule:admin_required"

# Delete federated service provider.
# DELETE  /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:delete_service_provider": "rule:admin_required"

#
#"identity:check_token": "rule:admin_or_token_subject"

#
#"identity:validate_token": "rule:service_admin_or_token_subject"

#
#"identity:validate_token_head": "rule:service_or_admin"

#
#"identity:revocation_list": "rule:service_or_admin"

#
#"identity:revoke_token": "rule:admin_or_token_subject"

#
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"

#
#"identity:list_trusts": ""

#
#"identity:list_roles_for_trust": ""

#
#"identity:get_role_for_trust": ""

#
#"identity:delete_trust": ""

#
#"identity:get_user": "rule:admin_or_owner"

#
#"identity:list_users": "rule:admin_required"

#
#"identity:list_projects_for_user": ""

#
#"identity:list_domains_for_user": ""

#
#"identity:create_user": "rule:admin_required"

#
#"identity:update_user": "rule:admin_required"

#
#"identity:delete_user": "rule:admin_required"

#
#"identity:change_password": "rule:admin_or_owner"