The keystone_policy.json
file defines additional access controls for
the dashboard that apply to the Identity service.
Note
The keystone_policy.json
file must match the Identity service
/etc/keystone/policy.json
policy file.
{
"admin_required": [
[
"role:admin"
],
[
"is_admin:1"
]
],
"service_role": [
[
"role:service"
]
],
"service_or_admin": [
[
"rule:admin_required"
],
[
"rule:service_role"
]
],
"owner": [
[
"user_id:%(user_id)s"
]
],
"admin_or_owner": [
[
"rule:admin_required"
],
[
"rule:owner"
]
],
"default": [
[
"rule:admin_required"
]
],
"identity:get_service": [
[
"rule:admin_required"
]
],
"identity:list_services": [
[
"rule:admin_required"
]
],
"identity:create_service": [
[
"rule:admin_required"
]
],
"identity:update_service": [
[
"rule:admin_required"
]
],
"identity:delete_service": [
[
"rule:admin_required"
]
],
"identity:get_endpoint": [
[
"rule:admin_required"
]
],
"identity:list_endpoints": [
[
"rule:admin_required"
]
],
"identity:create_endpoint": [
[
"rule:admin_required"
]
],
"identity:update_endpoint": [
[
"rule:admin_required"
]
],
"identity:delete_endpoint": [
[
"rule:admin_required"
]
],
"identity:get_domain": [
[
"rule:admin_required"
]
],
"identity:list_domains": [
[
"rule:admin_required"
]
],
"identity:create_domain": [
[
"rule:admin_required"
]
],
"identity:update_domain": [
[
"rule:admin_required"
]
],
"identity:delete_domain": [
[
"rule:admin_required"
]
],
"identity:get_project": [
[
"rule:admin_required"
]
],
"identity:list_projects": [
[
"rule:admin_required"
]
],
"identity:list_user_projects": [
[
"rule:admin_or_owner"
]
],
"identity:create_project": [
[
"rule:admin_required"
]
],
"identity:update_project": [
[
"rule:admin_required"
]
],
"identity:delete_project": [
[
"rule:admin_required"
]
],
"identity:get_user": [
[
"rule:admin_required"
]
],
"identity:list_users": [
[
"rule:admin_required"
]
],
"identity:create_user": [
[
"rule:admin_required"
]
],
"identity:update_user": [
[
"rule:admin_or_owner"
]
],
"identity:delete_user": [
[
"rule:admin_required"
]
],
"identity:get_group": [
[
"rule:admin_required"
]
],
"identity:list_groups": [
[
"rule:admin_required"
]
],
"identity:list_groups_for_user": [
[
"rule:admin_or_owner"
]
],
"identity:create_group": [
[
"rule:admin_required"
]
],
"identity:update_group": [
[
"rule:admin_required"
]
],
"identity:delete_group": [
[
"rule:admin_required"
]
],
"identity:list_users_in_group": [
[
"rule:admin_required"
]
],
"identity:remove_user_from_group": [
[
"rule:admin_required"
]
],
"identity:check_user_in_group": [
[
"rule:admin_required"
]
],
"identity:add_user_to_group": [
[
"rule:admin_required"
]
],
"identity:get_credential": [
[
"rule:admin_required"
]
],
"identity:list_credentials": [
[
"rule:admin_required"
]
],
"identity:create_credential": [
[
"rule:admin_required"
]
],
"identity:update_credential": [
[
"rule:admin_required"
]
],
"identity:delete_credential": [
[
"rule:admin_required"
]
],
"identity:get_role": [
[
"rule:admin_required"
]
],
"identity:list_roles": [
[
"rule:admin_required"
]
],
"identity:create_role": [
[
"rule:admin_required"
]
],
"identity:update_role": [
[
"rule:admin_required"
]
],
"identity:delete_role": [
[
"rule:admin_required"
]
],
"identity:check_grant": [
[
"rule:admin_required"
]
],
"identity:list_grants": [
[
"rule:admin_required"
]
],
"identity:create_grant": [
[
"rule:admin_required"
]
],
"identity:revoke_grant": [
[
"rule:admin_required"
]
],
"identity:list_role_assignments": [
[
"rule:admin_required"
]
],
"identity:get_policy": [
[
"rule:admin_required"
]
],
"identity:list_policies": [
[
"rule:admin_required"
]
],
"identity:create_policy": [
[
"rule:admin_required"
]
],
"identity:update_policy": [
[
"rule:admin_required"
]
],
"identity:delete_policy": [
[
"rule:admin_required"
]
],
"identity:check_token": [
[
"rule:admin_required"
]
],
"identity:validate_token": [
[
"rule:service_or_admin"
]
],
"identity:validate_token_head": [
[
"rule:service_or_admin"
]
],
"identity:revocation_list": [
[
"rule:service_or_admin"
]
],
"identity:revoke_token": [
[
"rule:admin_or_owner"
]
],
"identity:create_trust": [
[
"user_id:%(trust.trustor_user_id)s"
]
],
"identity:get_trust": [
[
"rule:admin_or_owner"
]
],
"identity:list_trusts": [
[
"@"
]
],
"identity:list_roles_for_trust": [
[
"@"
]
],
"identity:check_role_for_trust": [
[
"@"
]
],
"identity:get_role_for_trust": [
[
"@"
]
],
"identity:delete_trust": [
[
"@"
]
]
}
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.