From 2f89e7eb34b48efc5b828c816686197c4efb8d20 Mon Sep 17 00:00:00 2001
From: Matthieu Huin
Date: Fri, 30 May 2014 15:50:28 +0200
Subject: [PATCH 1/4] Adds a CW policy file. It relies on the following keystone roles: * upload_disabled: the user can download, browse, share and remove content, but cannot upload anything * remove_only: the user can only list and remove content
---
 policies/CWpolicy.json | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 policies/CWpolicy.json
diff --git a/policies/CWpolicy.json b/policies/CWpolicy.json
new file mode 100644
index 0000000..c03e232
--- /dev/null
+++ b/policies/CWpolicy.json
@@ -0,0 +1,37 @@
+{
+ "is_anonymous": "identity:None",
+ "is_authenticated": "not rule:is_anonymous",
+ "swift_reseller": "(role:%(reseller_admin)s)",
+ "swift_operator": "%(operators)s",
+
+ "swift_owner": "rule:swift_reseller or rule:swift_operator or is_admin:True",
+
+ "reseller_request": "rule:swift_reseller",
+ "same_tenant": "account:%%(account)s",
+ "tenant_mismatch": "not rule:same_tenant",
+
+ "allowed_for_authenticated": "rule:swift_reseller or acl:check_cross_tenant or acl:check_is_public or (rule:same_tenant and rule:swift_operator) or (rule:same_tenant and acl:check_roles) or (rule:same_tenant and is_admin:True) or (rule:same_tenant and is_admin:False and acl:check_roles)",
+
+ "allowed_for_anonymous": "is_authoritative:True and acl:check_is_public",
+
+ "allowed_for_user": "(rule:is_authenticated and rule:allowed_for_authenticated) or rule:allowed_for_anonymous",
+
+ "get_account": "rule:allowed_for_user and not role:remove_only",
+ "post_account": "rule:allowed_for_user and not role:remove_only",
+ "head_account": "rule:allowed_for_user",
+ "delete_account": "rule:swift_reseller",
+ "options_account": "",
+ "get_container": "rule:allowed_for_user and not role:remove_only",
+ "put_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "delete_container": "rule:allowed_for_user",
+ "post_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "head_container": "rule:allowed_for_user",
+ "options_container": "",
+ "get_object": "rule:allowed_for_user and not role:remove_only",
+ "put_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "copy_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "delete_object": "rule:allowed_for_user",
+ "head_object": "rule:allowed_for_user",
+ "post_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "options_object": ""
+}
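Review bot: `get_account` and `get_container` deny `role:remove_only`, yet the commit message says a remove_only user can "list and remove content"; in Swift, enumerating an account's containers or a container's objects is a GET on that account or container, so as written a remove_only user can HEAD and DELETE but cannot discover what to delete, while only `get_object` (the actual download) needs the denial. If "list" is meant as the GET listings, `"get_account": "rule:allowed_for_user",` and `"get_container": "rule:allowed_for_user",` would match the stated intent; the `support` rule added in patch 3/4 ("can list elements") grants only the `head_*` rules and raises the same HEAD-versus-listing question. The `""` values on `options_account`, `options_container` and `options_object` are, in oslo-style policy parsing, an unconditional allow, which is the usual choice for CORS preflight but is worth stating in the commit message since plain JSON cannot carry a comment.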
From b6fbb228dcac68e2554c9ebceb829eaf699e68db Mon Sep 17 00:00:00 2001
From: Matthieu Huin
Date: Fri, 30 May 2014 16:30:50 +0200
Subject: [PATCH 2/4] cleans some roles up
---
 policies/CWpolicy.json | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/policies/CWpolicy.json b/policies/CWpolicy.json
index c03e232..924e6c9 100644
--- a/policies/CWpolicy.json
+++ b/policies/CWpolicy.json
@@ -1,8 +1,8 @@
 {
 "is_anonymous": "identity:None",
 "is_authenticated": "not rule:is_anonymous",
- "swift_reseller": "(role:%(reseller_admin)s)",
- "swift_operator": "%(operators)s",
+ "swift_reseller": "role:ResellerAdmin",
+ "swift_operator": "role:swiftoperator or role:admin",
 "swift_owner": "rule:swift_reseller or rule:swift_operator or is_admin:True",
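Review bot: The replaced `swift_operator` rule hard-codes `role:swiftoperator or role:admin`, duplicating the `operator_roles = admin, swiftoperator` setting shown in the middleware's own configuration example (patch 4/4), so an operator role later added to or removed from the paste config is silently not honored by this policy file; the same applies to `role:ResellerAdmin` replacing the `%(reseller_admin)s` placeholder. If the file is no longer passed through `%`-substitution after this change, `same_tenant` still reads `account:%%(account)s` a few lines below this hunk and the doubled `%%` would then be compared literally; either keep the placeholders or confirm the substitution step still runs on this file.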
@@ -16,22 +16,25 @@
 "allowed_for_user": "(rule:is_authenticated and rule:allowed_for_authenticated) or rule:allowed_for_anonymous",
- "get_account": "rule:allowed_for_user and not role:remove_only",
- "post_account": "rule:allowed_for_user and not role:remove_only",
+ "remove_only": "role:remove_only",
+ "upload_disabled": "role:upload_disabled",
+
+ "get_account": "rule:allowed_for_user and not rule:remove_only",
+ "post_account": "rule:allowed_for_user and not rule:remove_only",
 "head_account": "rule:allowed_for_user",
 "delete_account": "rule:swift_reseller",
 "options_account": "",
- "get_container": "rule:allowed_for_user and not role:remove_only",
- "put_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "get_container": "rule:allowed_for_user and not rule:remove_only",
+ "put_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "delete_container": "rule:allowed_for_user",
- "post_container": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "post_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "head_container": "rule:allowed_for_user",
 "options_container": "",
- "get_object": "rule:allowed_for_user and not role:remove_only",
- "put_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
- "copy_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "get_object": "rule:allowed_for_user and not rule:remove_only",
+ "put_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
+ "copy_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "delete_object": "rule:allowed_for_user",
 "head_object": "rule:allowed_for_user",
- "post_object": "rule:allowed_for_user and not role:remove_only and not role:upload_disabled",
+ "post_object": "rule:allowed_for_user and not rule:remove_only and 
not rule:upload_disabled",
 "options_object": ""
 }
From 6cc93b622dbb0405d8378f92bb56d9cabb49a1c8 Mon Sep 17 00:00:00 2001
From: Matthieu Huin
Date: Fri, 30 May 2014 16:58:37 +0200
Subject: [PATCH 3/4] Adds support role. Support team can list elements but cannot modify or download them.
---
 policies/CWpolicy.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/policies/CWpolicy.json b/policies/CWpolicy.json
index 924e6c9..db207b9 100644
--- a/policies/CWpolicy.json
+++ b/policies/CWpolicy.json
@@ -18,23 +18,25 @@
 "remove_only": "role:remove_only",
 "upload_disabled": "role:upload_disabled",
+ "support": "role:support",
 "get_account": "rule:allowed_for_user and not rule:remove_only",
 "post_account": "rule:allowed_for_user and not rule:remove_only",
- "head_account": "rule:allowed_for_user",
+ "head_account": "rule:allowed_for_user or rule:support",
 "delete_account": "rule:swift_reseller",
 "options_account": "",
 "get_container": "rule:allowed_for_user and not rule:remove_only",
 "put_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "delete_container": "rule:allowed_for_user",
 "post_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "head_container": "rule:allowed_for_user",
+ "head_container": "rule:allowed_for_user or rule:support",
 "options_container": "",
 "get_object": "rule:allowed_for_user and not rule:remove_only",
 "put_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "copy_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "delete_object": "rule:allowed_for_user",
- "head_object": "rule:allowed_for_user",
+ "head_object": "rule:allowed_for_user or rule:support",
 "post_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
 "options_object": ""
-}
+}
+
From d532a306744381a1bb0b1890b71d31224cf944a8 Mon Sep 17 00:00:00 2001
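Review bot: The conjunction `rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled` is now repeated verbatim in `put_container`, `post_container`, `put_object`, `copy_object` and `post_object`, and `rule:allowed_for_user and not rule:remove_only` in four more rules; since this hunk already introduces the `remove_only` and `upload_disabled` aliases, one more step would be a named rule such as `"can_modify": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",` so that each verb reads `rule:can_modify` and a future role restriction is changed in one place rather than nine. This hunk begins on the previous line, its `post_object` entry is broken across the line boundary, and its closing `}` context line is at the top of this one.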
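Review bot: `rule:allowed_for_user or rule:support` in `head_account`, `head_container` and `head_object` grants the support role a HEAD on any account, container or object regardless of tenant, because the `or` branch bypasses `allowed_for_user` and with it the `same_tenant`, ACL and public checks; HEAD responses in Swift expose metadata headers (sizes, counts, user-set metadata), so this is effectively a cross-tenant read of metadata. That is plausibly what a support team needs, but it should be stated in the commit message as a deliberate global grant, or written as `rule:same_tenant and rule:support` if per-tenant support is intended. The `-}` / `+}` / `+` tail only appends a blank line after the closing brace and can be dropped from the patch.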
From: Matthieu Huin
Date: Mon, 2 Jun 2014 14:33:22 +0200
Subject: [PATCH 4/4] fixes typo in doc
---
 swiftpolicy/swiftpolicy.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/swiftpolicy/swiftpolicy.py b/swiftpolicy/swiftpolicy.py
index 7454a83..568b29d 100644
--- a/swiftpolicy/swiftpolicy.py
+++ b/swiftpolicy/swiftpolicy.py
@@ -54,8 +54,9 @@ class SwiftPolicy(object):
 And add a swift authorization filter section, such as::
 [filter:swiftpolicy]
- use = egg:swift#swiftpolicy
+ use = egg:swiftpolicy#swiftpolicy
 operator_roles = admin, swiftoperator
+ policy = /path/to/policy.json
 This maps tenants to account in Swift.