##
---
-roles_to_operations:
+roles:
##
-# This file defines the mapping between user roles and operation permission.
+# This file defines the mapping between user roles and operation permissions.
# It uses the following pattern:
#
-# - role: <ROLE_NAME>
-# operations:
+# - name: <ROLE_NAME>
+# permissions:
# "<OPERATION>": true | false
#
# <ROLE_NAME> defines the name of the role. This name will be matched with an
-# existing role in the RBAC system.
+# existing role in the RBAC system (e.g. keystone).
#
# NOTE: The role will only be used if there is an existing match. If there
# isn't a role in the system that can be matched, the operation permissions
# won't yield any result.
#
-# operations: is a list of operation permissions for the role. An operation
+# permissions: is a dictionary of operation permissions for the role. An operation
# permission is defined using the following pattern:
#
# "<OPERATION>": true | false
#
# The operations are defined using an hierarchical tree. For this purpose, an
# <OPERATION> tag can represents the path for the following:
-# - Root
-# - Node
-# - Leaf
+# - default: what action to be taken by default, allow or deny
+# - admin: allow or deny usin querey string ADMIN to act on behalf of other project
+# - colon separated hierarchical tree
#
-# The root <OPERATION> tag is defined using "." and the default value is false.
+# The default and admin <OPERATION> tag is considered false if missing.
# When you use this tag, all the operation permissions will be set to the value
# assigned.
# NOTE 1: The default value is false. So if a value isn't specified, it will
# default to false.
-# NOTE 2: The root <OPERATION> tag can be overridden by using more specific tags
+# NOTE 2: The default <OPERATION> tag can be overridden by using more specific tags
# with a different value.
#
+# The 'force', 'public' and 'set_project' operation tags (respectively allowing/denying
+# the use of the query-strings FORCE, PUBLIC and SET_PROJECT), take by default the
+# value specified by the tag 'default' (false if not specified).
+#
# The node <OPERATION> tag is defined by using an internal node of the tree, i.e.
-# "nsds", "users.id". A node <OPERATION> tag will affect all the nodes and leafs
-# beneath it. It can be used to override a root <OPERATION> tag.
+# "nsds", "users:id". A node <OPERATION> tag will affect all the nodes and leafs
+# beneath it. It can be used to override a default <OPERATION> tag.
# NOTE 1: It can be overridden by using a more specific tag, such as a node which
# is beneath it or a leaf.
#
-# The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users.post",
-# "ns_instances.get", "vim_accounts.id.get". A leaf <OPERATION> tag will override all
+# The leaf <OPERATION> tag is defined by using a leaf of the tree, i.e. "users:post",
+# "ns_instances:get", "vim_accounts:id:get". A leaf <OPERATION> tag will override all
# the values defined by the parent nodes, since it is the more specific tag that can
# exist.
#
# - In order to find which tags are in use, check the resources_to_operations.yml.
# - In order to find which roles are in use, check the RBAC system.
# - Non existing tags will be ignored.
-# - Tags finishing in a dot (excluding the root <OPERATION> tag) will be ignored.
+# - Tags finishing in a colon will be ignored.
# - The anonymous role allows to bypass the role definition for paths that
# shouldn't be verified.
##
- - role: "system_admin"
- operations:
- ".": true
+ - name: "system_admin"
+ permissions:
+ default: true
+ admin: true
- - role: "account_manager"
- operations:
- ".": false
- "tokens": true
- "users": true
- "projects": true
- "roles": true
+ - name: "account_manager"
+ permissions:
+ default: false
+ admin: false
+ force: true
+ tokens: true
+ users: true
+ projects: true
+ roles: true
- - role: "project_admin"
- operations:
- ".": true
- # Users
- "users.post": false
- "users.id.post": false
- "users.id.delete": false
- # Projects
- "projects": false
- # Roles
- "roles": false
+ - name: "project_admin"
+ permissions:
+ default: true
+ admin: false
+ users: false
+ projects: false
+ roles: false
- - role: "project_user"
- operations:
- ".": true
- # NS Instances
- "ns_instances": false
- "ns_instances.get": true
- # VNF Instances
- "vnf_instances": false
- # Users
- "users": false
- "users.id.get": true
- "users.id.put": true
- "users.id.patch": true
- # Projects
- "projects": false
- # VIMs
- "vims": false
- "vims.get": true
- "vims.id.get": true
- # VIM Accounts
- "vim_accounts": false
- "vim_accounts.get": true
- "vim_accounts.id.get": true
- # SDN Controllers
- "sdn_controllers": false
- "sdn_controllers.get": true
- "sdn_controllers.id.get": true
- # WIMs
- "wims": false
- "wims.get": true
- "wims.id.get": true
- # WIM Accounts
- "wim_accounts": false
- "wim_accounts.get": true
- "wim_accounts.id.get": true
+ - name: "project_user"
+ permissions:
+ default: false
+ admin: false
+ force: false
+ public: true
+ set_project: true
+ vnfds: true
+ nsds: true
+ slice_templates: true
+ ns_instances: true
+ vnf_instances: true
+ slice_instances: true
+ users: false
+ projects: false
+ roles: false
+ # VIMs
+ vims: false
+ vims:get: true
+ vims:id:get: true
+ # VIM Accounts
+ vim_accounts: false
+ vim_accounts:get: true
+ vim_accounts:id:get: true
+ # SDN Controllers
+ sdn_controllers: false
+ sdn_controllers:get: true
+ sdn_controllers:id:get: true
+ # WIMs
+ wims: false
+ wims:get: true
+ wims:id:get: true
+ # WIM Accounts
+ wim_accounts: false
+ wim_accounts:get: true
+ wim_accounts:id:get: true
+ # PDUs
+ pduds: false
+ pduds:get: true
+ pduds:id:get: true
- - role: "anonymous"
- operations:
+ - name: "anonymous"
+ permissions: