Merge branch 'master' of git.corp.cloudwatt.com:nassim.babaci/swiftpolicy
commit
63dc008310
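--- /dev/null
+++ b/policies/CWpolicy.json
@@ -0,0 +1,42 @@
+{
+"is_anonymous": "identity:None",
+"is_authenticated": "not rule:is_anonymous",
+"swift_reseller": "role:ResellerAdmin",
+"swift_operator": "role:swiftoperator or role:admin",
+
+"swift_owner": "rule:swift_reseller or rule:swift_operator or is_admin:True",
+
+"reseller_request": "rule:swift_reseller",
+"same_tenant": "account:%%(account)s",
+"tenant_mismatch": "not rule:same_tenant",
+
+"allowed_for_authenticated": "rule:swift_reseller or acl:check_cross_tenant or acl:check_is_public or (rule:same_tenant and rule:swift_operator) or (rule:same_tenant and acl:check_roles) or (rule:same_tenant and is_admin:True) or (rule:same_tenant and is_admin:False and acl:check_roles)",
+
+"allowed_for_anonymous": "is_authoritative:True and acl:check_is_public",
+
+"allowed_for_user": "(rule:is_authenticated and rule:allowed_for_authenticated) or rule:allowed_for_anonymous",
+
+"remove_only": "role:remove_only",
+"upload_disabled": "role:upload_disabled",
+"support": "role:support",
+
+"get_account": "rule:allowed_for_user and not rule:remove_only",
+"post_account": "rule:allowed_for_user and not rule:remove_only",
+"head_account": "rule:allowed_for_user or rule:support",
+"delete_account": "rule:swift_reseller",
+"options_account": "",
+"get_container": "rule:allowed_for_user and not rule:remove_only",
+"put_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+"delete_container": "rule:allowed_for_user",
+"post_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+"head_container": "rule:allowed_for_user or rule:support",
+"options_container": "",
+"get_object": "rule:allowed_for_user and not rule:remove_only",
+"put_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+"copy_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+"delete_object": "rule:allowed_for_user",
+"head_object": "rule:allowed_for_user or rule:support",
+"post_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+"options_object": ""
+}
+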
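Review bot: The `head_account`, `head_container` and `head_object` rules accept `rule:support` on its own, with no `rule:same_tenant` term, so as written any token carrying the `support` role passes HEAD on every account, whichever tenant it belongs to. If that cross-tenant metadata access is intended for support staff, it should be recorded in the project documentation next to this policy, since JSON leaves no room for a comment. If it is not intended, scope it, e.g. `"head_object": "rule:allowed_for_user or (rule:support and rule:same_tenant)"`, and likewise for the account and container rules. Separately, `"same_tenant": "account:%%(account)s"` keeps a doubled `%%`, which looks like an escape carried over from a Python format string. If this file is loaded verbatim the placeholder may not be substituted and every `rule:same_tenant` branch of `allowed_for_authenticated` would stop matching, so it is worth confirming against the `account:` check implementation, which is not visible here.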
@ -55,8 +55,9 @@ class SwiftPolicy(object):
|
||||
And add a swift authorization filter section, such as::
|
||||
|
||||
[filter:swiftpolicy]
|
||||
use = egg:swift#swiftpolicy
|
||||
use = egg:swiftpolicy#swiftpolicy
|
||||
operator_roles = admin, swiftoperator
|
||||
policy = /path/to/policy.json
|
||||
|
||||
This maps tenants to account in Swift.
|
||||
|
||||
|