github.com/jbking/gohan@v0.0.0-20151217002006-b41ccf1c2a96/docs/source/policy.rst

==============
Policy
==============

You can configure API access policy using this resource.
A policy has the following properties.

- id : identifier of the policy
- principal : Keystone role
- action : one of ``create``, ``read``, ``update``, ``delete`` for CRUD operations
  on a resource, any custom action defined by the schema and performed on a
  resource, or ``*`` for all actions
- effect : whether to allow API access or not
- resource : target resource;
  you can specify the target resource using "path" and "properties"
- condition : additional condition (see below)
- tenant_id : regexp matching the tenant, defaults to ``.*``

----------
Conditions
----------

Gohan supports two types of conditions.

- :code:`is_owner` - Gohan will enforce access privileges for the resources
  specified in the policy. By default, access to resources of all other tenants
  will be blocked.

- :code:`type: belongs_to` - Gohan will apply the policy if the user tries
  to access resources belonging to the tenant specified in the condition (see the
  example below). The condition has no effect if the access privileges are not
  enforced by specifying the :code:`is_owner` condition. The full condition
  looks like:

  - :code:`action: (*|create|read|update|delete)`

    :code:`tenant_id: 8bab8453-1bc9-45af-8c70-f83aa9b50453`

    :code:`type: belongs_to`

Example policy:

.. code-block:: yaml

    policies:
    - action: '*'
      effect: allow
      id: admin_statement
      principal: admin
      resource:
        path: .*
    - action: 'read'
      condition:
      - is_owner
      - type: belongs_to
        action: '*'
        tenant_id: 8bab8453-1bc9-45af-8c70-f83aa9b50453
      effect: allow
      id: member_statement
      principal: _member_
      resource:
        path: /v2.0/network/[^/]+/?$
        properties:
        - id
        - description
        - name
    - action: '*'
      condition:
      - is_owner
      effect: allow
      id: member_statement2
      principal: _member_
      resource:
        path: /v2.0/networks/?$
        properties:
        - id
        - description
        - name
    - action: 'reboot'
      condition:
      - is_owner
      effect: allow
      id: member_statement2
      principal: _member_
      resource:
        path: /v2.0/server/?$
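As an added illustration (not Gohan's own code), a small Go evaluator that applies the rules above to the two ``_member_`` policies of the example: principal, action and the path regexp select a policy, then ``is_owner`` and ``belongs_to`` decide whether the caller's tenant may reach the resource. The ``Request`` fields, ``ConstructedPolicies`` and every tenant id other than the one on the page are assumptions made for this example.

```go
package main

import "regexp"

// Condition is one condition-list entry: is_owner, or belongs_to with its action ("*" = any) and tenant_id.
type Condition struct {
	IsOwner          bool
	Action, TenantID string
}

// Policy holds the properties described on this page (the tenant_id regexp is omitted here).
type Policy struct {
	ID, Principal, Action, Effect string
	Path                          *regexp.Regexp
	Conditions                    []Condition
}

// Request: caller role and tenant, the action, the URL path, and the target resource's owning tenant (assumed shape).
type Request struct{ Role, Tenant, Action, Path, Owner string }
// ConstructedPolicies mirrors the page's member_statement and member_statement2 (sample data for this example).
var ConstructedPolicies = []Policy{
	{ID: "member_statement", Principal: "_member_", Action: "read", Effect: "allow",
		Path:       regexp.MustCompile(`/v2.0/network/[^/]+/?$`),
		Conditions: []Condition{{IsOwner: true}, {Action: "*", TenantID: "8bab8453-1bc9-45af-8c70-f83aa9b50453"}}},
	{ID: "member_statement2", Principal: "_member_", Action: "*", Effect: "allow",
		Path: regexp.MustCompile(`/v2.0/networks/?$`), Conditions: []Condition{{IsOwner: true}}},
}

// Evaluate returns the id of the first policy whose principal, action, path and conditions match, and whether its effect is allow; no match is a deny.
func Evaluate(policies []Policy, r Request) (string, bool) {
	for _, p := range policies {
		if p.Principal == r.Role && (p.Action == "*" || p.Action == r.Action) &&
			p.Path.MatchString(r.Path) && conditionsHold(p.Conditions, r) {
			return p.ID, p.Effect == "allow"
		}
	}
	return "", false
}

// conditionsHold: without is_owner nothing is enforced (belongs_to has no effect); with it, only the owning tenant or a tenant named by a matching belongs_to passes.
func conditionsHold(conds []Condition, r Request) bool {
	enforce, allowed := false, false
	for _, c := range conds {
		enforce = enforce || c.IsOwner
		if !c.IsOwner && c.TenantID == r.Owner && (c.Action == "*" || c.Action == r.Action) {
			allowed = true
		}
	}
	return !enforce || r.Tenant == r.Owner || allowed
}
func main() { id, ok := Evaluate(ConstructedPolicies, Request{"_member_", "tenant-a", "read", "/v2.0/network/n1", "tenant-b"}); println(id, ok) }
```

The ``main`` call above is a cross-tenant read that ``is_owner`` blocks, so it prints an empty id and ``false``.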