policy.json - Checking resource field against constant
Keystone policy engine currently allows 4 kinds of rules:
* rule:<rulename> (class `RuleCheck`) allows making recursive rules,
by checking that <rulename> is True;
* role:<rolename> (class `RoleCheck`) checks that <rolename> belongs
to the roles associated with the token;
* http:<targeturl> (class `HttpCheck`) uses an external policy engine,
by calling <targeturl>;
* <credential>
credential (provided through the token) against a string or any
field of a resource being processed (user, role, domain, project,
...)
The feature proposed in this blueprint consists in allowing the
platform administrator to have resources' fields compared against
constants in its policy.json files, without using an external policy
engine.
For instance, to avoid deleting users by mistake, the platform
administrator may want to ensure that a user's `enabled` field is set
to `False`, prior to deleting it. To do that, he wishes to set the
following rule into its Keystone policy.json file:
"identity:
Class to update:
https:/
Blueprint information
- Status:
- Not started
- Approver:
- Ben Nemec
- Priority:
- Undefined
- Drafter:
- None
- Direction:
- Needs approval
- Assignee:
- Florent Flament
- Definition:
- Approved
- Series goal:
- None
- Implementation:
-
Unknown
- Milestone target:
- None
- Started by
- Completed by
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Allow policy.json resource vs constant check
Another user story:
I'd like to have 2 different roles:
* An `admin` role only allowing to grant the 'Member' role to users ;
* A `super-admin` role allowing to grant any role.
To implement that, one would use the following rules:
"role_allowed": "role:super_admin or (role:admin and 'Member'
"same_domain": "domain_
"same_dom_or_proj": "rule:same_domain or project_
"identity:
"identity:
