github.com/jbking/gohan@v0.0.0-20151217002006-b41ccf1c2a96/docs/source/policy.rst (about)

==============
Policy
==============

You can configure API access policy using this resource.
A policy has the following properties.

- id : identifier of the policy
- principal : Keystone role the caller must hold for the policy to apply
- action : one of ``create``, ``read``, ``update``, ``delete`` for CRUD
  operations on a resource, any custom action defined by the schema and
  performed on a resource, or ``*`` for all actions
- effect : whether the matching API access is allowed (``allow``) or denied
- resource : target resource, specified with ``path`` and ``properties``;
  ``path`` is a regular expression matched against the request path, and
  ``properties`` optionally restricts the policy to the listed properties
  of the resource
- condition : additional conditions (see below)
- tenant_id : regular expression matched against the caller's tenant,
  defaults to ``.*``
    18  
----------
Conditions
----------

Gohan supports two types of conditions.

- :code:`is_owner` - the policy applies only to resources owned by the
  caller's tenant; access to resources of all other tenants is blocked.
  A policy without this condition grants access to the matching resources
  of every tenant, so omit it only when cross-tenant access is intended.

- :code:`type: belongs_to` - in addition to the caller's own resources,
  the policy applies when the caller accesses resources belonging to the
  tenant given in the condition, for the action given in the condition
  (see the example below). The condition has no effect unless the same
  policy also carries the :code:`is_owner` condition, because without
  :code:`is_owner` no tenant restriction is enforced in the first place.
  The full condition looks like:

  .. code-block:: yaml

    - action: (*|create|read|update|delete)
      tenant_id: 8bab8453-1bc9-45af-8c70-f83aa9b50453
      type: belongs_to
Example policy:

.. code-block:: yaml

  policies:
  - action: '*'
    effect: allow
    id: admin_statement
    principal: admin
    resource:
      path: .*
  - action: 'read'
    condition:
    - is_owner
    - type: belongs_to
      action: '*'
      tenant_id: 8bab8453-1bc9-45af-8c70-f83aa9b50453
    effect: allow
    id: member_statement
    principal: _member_
    resource:
      path: /v2.0/network/[^/]+/?$
      properties:
      - id
      - description
      - name
  - action: '*'
    condition:
    - is_owner
    effect: allow
    id: member_statement2
    principal: _member_
    resource:
      path: /v2.0/networks/?$
      properties:
      - id
      - description
      - name
  - action: 'reboot'
    condition:
    - is_owner
    effect: allow
    id: member_statement3
    principal: _member_
    resource:
      path: /v2.0/server/?$

In this example the ``admin`` role may perform any action on any path, so
grant that role with care. A ``_member_`` may read a single network only if
the member's tenant owns it or tenant
``8bab8453-1bc9-45af-8c70-f83aa9b50453`` owns it, sees only ``id``,
``description`` and ``name`` of it, may perform any action on its own
network collection, and may ``reboot`` its own servers. The ``belongs_to``
condition is attached to ``member_statement`` only; it does not extend the
``reboot`` policy to that tenant's servers.
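The following Go program is added here as an illustration and is not Gohan's own policy engine. It encodes the example above as Go values and evaluates requests against it with the semantics this page describes: principal, action, the ``path`` and ``tenant_id`` regular expressions, the ``is_owner`` and ``belongs_to`` conditions, and the ``properties`` filter. It assumes first-match, default-deny evaluation, that each request addresses one resource whose owning tenant is known, and that ``path`` is matched with Go's ``regexp`` package; the tenant ids ``tenant-x`` and ``tenant-y`` are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// sharedTenant is the belongs_to tenant from the page's example policy.
const sharedTenant = "8bab8453-1bc9-45af-8c70-f83aa9b50453"

// BelongsTo is the `type: belongs_to` condition: Action is "*" or one
// action, TenantID the tenant whose resources become accessible.
type BelongsTo struct{ Action, TenantID string }

// Policy carries the properties documented on this page.
type Policy struct {
	ID, Principal, Action, Effect string
	Path       *regexp.Regexp // resource.path, a regexp on the request path
	Properties []string       // resource.properties; nil means unrestricted
	TenantID   *regexp.Regexp // regexp on the caller's tenant; defaults to .*
	IsOwner    bool           // the is_owner condition
	BelongsTo  []BelongsTo    // only consulted when IsOwner is set
}

// Request is one API call: the caller's role and tenant, the action, the
// request path and the tenant owning the addressed resource.
type Request struct{ Role, Tenant, Action, Path, ResourceTenant string }

func actionMatches(pattern, action string) bool { return pattern == "*" || pattern == action }

// Matches reports whether p applies to req, conditions included.
func (p Policy) Matches(req Request) bool {
	if p.Principal != req.Role || !actionMatches(p.Action, req.Action) ||
		!p.Path.MatchString(req.Path) || !p.TenantID.MatchString(req.Tenant) {
		return false
	}
	if !p.IsOwner || req.ResourceTenant == req.Tenant {
		return true // no ownership condition, or the caller owns the resource
	}
	// belongs_to widens an is_owner policy to one other tenant's resources,
	// and only for the action named in the condition.
	for _, b := range p.BelongsTo {
		if b.TenantID == req.ResourceTenant && actionMatches(b.Action, req.Action) {
			return true
		}
	}
	return false
}

// Authorize applies the first matching policy and denies when none matches.
// First-match and default-deny are assumptions of this illustration.
func Authorize(policies []Policy, req Request) (allowed bool, policyID string) {
	for _, p := range policies {
		if p.Matches(req) {
			return p.Effect == "allow", p.ID
		}
	}
	return false, ""
}

// FilterProperties keeps only the properties the policy lists.
func FilterProperties(p Policy, resource map[string]string) map[string]string {
	if p.Properties == nil {
		return resource
	}
	out := map[string]string{}
	for _, key := range p.Properties {
		if v, ok := resource[key]; ok {
			out[key] = v
		}
	}
	return out
}

// ExamplePolicies is the page's YAML example expressed as Go values.
func ExamplePolicies() []Policy {
	anyTenant := regexp.MustCompile(`.*`)
	props := []string{"id", "description", "name"}
	return []Policy{
		{ID: "admin_statement", Principal: "admin", Action: "*", Effect: "allow",
			Path: regexp.MustCompile(`.*`), TenantID: anyTenant},
		{ID: "member_statement", Principal: "_member_", Action: "read", Effect: "allow",
			Path: regexp.MustCompile(`/v2.0/network/[^/]+/?$`), Properties: props,
			TenantID: anyTenant, IsOwner: true,
			BelongsTo: []BelongsTo{{Action: "*", TenantID: sharedTenant}}},
		{ID: "member_statement2", Principal: "_member_", Action: "*", Effect: "allow",
			Path: regexp.MustCompile(`/v2.0/networks/?$`), Properties: props,
			TenantID: anyTenant, IsOwner: true},
		{ID: "member_statement3", Principal: "_member_", Action: "reboot", Effect: "allow",
			Path: regexp.MustCompile(`/v2.0/server/?$`), TenantID: anyTenant, IsOwner: true},
	}
}

func main() {
	// A member of the constructed tenant-x reads a network owned by the belongs_to tenant.
	req := Request{Role: "_member_", Tenant: "tenant-x", Action: "read",
		Path: "/v2.0/network/net-1", ResourceTenant: sharedTenant}
	ok, id := Authorize(ExamplePolicies(), req)
	fmt.Printf("allowed=%t policy=%q\n", ok, id)
}
```

One caveat the evaluator makes visible: Go regular expressions are unanchored unless you write them that way, so ``/v2.0/network/[^/]+/?$`` also matches a longer path such as ``/other/v2.0/network/net-1``. The page's patterns end in ``$`` but start without ``^``; if the engine you target does not anchor patterns for you, add ``^`` so a policy cannot be reached through an unexpected prefix.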
    86        path: /v2.0/server/?$
    87