Adds a CW policy file. It relies on the following keystone roles:

* upload_disabled: the user can download, browse, share and remove
  content, but cannot upload anything
* remove_only: the user can only list and remove content
This commit is contained in:
Matthieu Huin 2014-05-30 15:50:28 +02:00
parent b7fd668554
commit 2f89e7eb34

37
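--- a/policies/CWpolicy.json
+++ b/policies/CWpolicy.json
@@ -0,0 +1,37 @@
+{
+"is_anonymous": "identity:None",
+"is_authenticated": "not rule:is_anonymous",
+"swift_reseller": "(role:%(reseller_admin)s)",
+"swift_operator": "%(operators)s",
+"swift_owner": "rule:swift_reseller or rule:swift_operator or is_admin:True",
+"reseller_request": "rule:swift_reseller",
+"same_tenant": "account:%%(account)s",
+"tenant_mismatch": "not rule:same_tenant",
+"allowed_for_authenticated": "rule:swift_reseller or acl:check_cross_tenant or acl:check_is_public or (rule:same_tenant and rule:swift_operator) or (rule:same_tenant and acl:check_roles) or (rule:same_tenant and is_admin:True) or (rule:same_tenant and is_admin:False and acl:check_roles)",
+"allowed_for_anonymous": "is_authoritative:True and acl:check_is_public",
+"allowed_for_user": "(rule:is_authenticated and rule:allowed_for_authenticated) or rule:allowed_for_anonymous",
+"get_account": "rule:allowed_for_user and not role:remove_only",
+"post_account": "rule:allowed_for_user and not role:remove_only",
+"head_account": "rule:allowed_for_user",
+"delete_account": "rule:swift_reseller",
+"options_account": "",
+"get_container": "rule:allowed_for_user and not role:remove_only",
+"put_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+"delete_container": "rule:allowed_for_user",
+"post_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+"head_container": "rule:allowed_for_user",
+"options_container": "",
+"get_object": "rule:allowed_for_user and not role:remove_only",
+"put_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+"copy_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+"delete_object": "rule:allowed_for_user",
+"head_object": "rule:allowed_for_user",
+"post_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+"options_object": ""
+}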
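Review bot: `get_account`, `get_container` and `get_object` all carry `not role:remove_only`, yet the commit description says a remove_only user "can only list and remove content"; since listing an account or a container is a GET on it, the role as written can delete objects but never list them, so either the description or the rules are wrong. If listing is intended, the two container/account rules should read `"get_account": "rule:allowed_for_user"` and `"get_container": "rule:allowed_for_user"`, leaving `get_object` denied so that downloads stay blocked. Similarly, `post_container` is denied to upload_disabled, which — if "share" in the description means setting a container ACL through container metadata — blocks the sharing that role is supposed to keep; confirm which request "share" refers to before merging. In `allowed_for_authenticated`, the last disjunct `(rule:same_tenant and is_admin:False and acl:check_roles)` is already covered by the earlier `(rule:same_tenant and acl:check_roles)` and can be dropped. The empty strings on the three `options_*` rules evaluate as unconditional allow, and because JSON carries no comments that intent (presumably CORS preflight) should be recorded in the policy README so a later reader does not take it for a missing rule.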