From c07dc2887f0ccab9372014790cda130781f28a09 Mon Sep 17 00:00:00 2001 From: WuKong Date: Wed, 22 Jul 2015 15:36:11 +0200 Subject: finish review code Change-Id: Ic5c9dcff1efe48f39cdb3f614675c0f945fe9a27 
Signed-off-by: WuKong --- .../moon/policies/policy_admin/assignment.json | 66 ++++++++++-------- .../moon/policies/policy_admin/metadata.json | 9 ++- .../moon/policies/policy_admin/metarule.json | 6 +- .../moon/policies/policy_admin/perimeter.json | 53 ++++++++------ .../examples/moon/policies/policy_admin/rule.json | 80 +++++++++++++++++----- .../examples/moon/policies/policy_admin/scope.json | 80 ++++++++++++---------- .../moon/policies/policy_authz/assignment.json | 2 +- .../moon/policies/policy_authz/metadata.json | 8 +-- .../moon/policies/policy_authz/metarule.json | 2 +- .../examples/moon/policies/policy_authz/scope.json | 2 +- .../moon/policies/policy_root/assignment.json | 39 +++++++++++ .../moon/policies/policy_root/metadata.json | 18 +++++ .../moon/policies/policy_root/metarule.json | 12 ++++ .../moon/policies/policy_root/perimeter.json | 31 +++++++++ .../examples/moon/policies/policy_root/rule.json | 44 ++++++++++++ .../examples/moon/policies/policy_root/scope.json | 39 +++++++++++ .../moon/policies/policy_super/assignment.json | 24 ------- .../moon/policies/policy_super/metadata.json | 18 ----- .../moon/policies/policy_super/metarule.json | 12 ---- .../moon/policies/policy_super/perimeter.json | 16 ----- .../examples/moon/policies/policy_super/rule.json | 14 ---- .../examples/moon/policies/policy_super/scope.json | 24 ------- .../moon/super_extension/policy/assignment.json | 26 ------- .../moon/super_extension/policy/configuration.json | 43 ------------ .../moon/super_extension/policy/metadata.json | 26 ------- .../moon/super_extension/policy/perimeter.json | 10 --- 26 files changed, 370 insertions(+), 334 deletions(-) create mode 100644 keystone-moon/examples/moon/policies/policy_root/assignment.json create mode 100644 keystone-moon/examples/moon/policies/policy_root/metadata.json create mode 100644 keystone-moon/examples/moon/policies/policy_root/metarule.json create mode 100644 keystone-moon/examples/moon/policies/policy_root/perimeter.json create 
mode 100644 keystone-moon/examples/moon/policies/policy_root/rule.json create mode 100644 keystone-moon/examples/moon/policies/policy_root/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_super/scope.json delete mode 100644 keystone-moon/examples/moon/super_extension/policy/assignment.json delete mode 100644 keystone-moon/examples/moon/super_extension/policy/configuration.json delete mode 100644 keystone-moon/examples/moon/super_extension/policy/metadata.json delete mode 100644 keystone-moon/examples/moon/super_extension/policy/perimeter.json (limited to 'keystone-moon/examples')
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
index 9b183a3c..b77bd810 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
@@ -1,41 +1,47 @@ { "subject_assignments": { - "domain":{ - "admin": ["ft"], - "demo": ["xx"] - }, - "role": { - "admin": ["admin"] + "role": { + "admin": ["root_role"] } }, - "action_assignments": { - "access": { - "read": ["admin", "user"], - "write": ["admin"], - "create": ["admin"], - "delete": ["admin"] + "action_id": { + "read": ["read"], + "write": ["write"] } }, - "object_assignments": { - "id": { - "subjects": ["subjects"], - "objects": ["objects"], - "actions": ["actions"], - "subject_categories": ["subject_categories"], - "object_categories": ["object_categories"], - "action_categories": ["action_categories"], - "subject_category_scope": ["subject_category_scope"], - "object_category_scope": ["object_category_scope"], - "action_category_scope": ["action_category_scope"], - "sub_rules": ["sub_rules"], - "sub_meta_rule": ["sub_meta_rule"], - "subject_assignments": ["subject_assignments"], - "object_assignments": ["object_assignments"], - "action_assignments": ["action_assignments"], - "sub_meta_rule_relations": ["sub_meta_rule_relations"], - "aggregation_algorithms": ["aggregation_algorithms"] + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_category_scopes": ["authz.subject_category_scopes"], + "authz.object_category_scopes": ["authz.object_category_scopes"], + "authz.action_category_scopes": ["authz.action_category_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": 
["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] } } } diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_admin/metadata.json index 29770673..9ee8a11d 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json +++ b/keystone-moon/examples/moon/policies/policy_admin/metadata.json @@ -1,19 +1,18 @@ { - "name": "MLS_metadata", + "name": "RBAC Admin Policy", "model": "RBAC", "genre": "admin", "description": "", "subject_categories": [ - "domain", - "role" + "role" ], "action_categories": [ - "access" + "action_id" ], "object_categories": [ - "id" + "object_id" ] } diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_admin/metarule.json index 1cb06eb5..86dbfad2 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json +++ b/keystone-moon/examples/moon/policies/policy_admin/metarule.json 
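Review bot: The new side of this hunk removes the `"action_assignments": {` and `"object_assignments": {` wrapper lines but keeps the `},` context lines that closed them, so after the `"action_id"` and `"object_id"` blocks policy_admin/assignment.json is left with two unmatched closing braces and, as far as the collapsed hunk can be read, no longer parses; the `@@ -1,41 +1,47 @@` counts are consistent with that reading. The new policy_root/assignment.json in this same commit keeps both wrappers, and policy_authz/assignment.json still nests `object_id` under `object_assignments`, so this file is the odd one out. Re-insert `"action_assignments": {` directly before `"action_id": {` and `"object_assignments": {` directly before `"object_id": {` so the three assignment files share one shape and the braces balance again.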
@@ -1,9 +1,9 @@ { "sub_meta_rules": { "rbac_rule": { - "subject_categories": ["role", "domain"], - "action_categories": ["access"], - "object_categories": ["id"], + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], "algorithm": "inclusion" } }, diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json index 7716986d..a796dae9 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json +++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json @@ -1,30 +1,41 @@ { "subjects": [ - "admin", - "demo" + "admin" ], "actions": [ "read", - "write", - "create", - "delete" + "write" ], "objects": [ - "subjects", - "objects", - "actions", - "subject_categories", - "object_categories", - "action_categories", - "subject_category_scope", - "object_category_scope", - "action_category_scope", - "rules", - "subject_assignments", - "object_assignments", - "action_assignments", - "sub_meta_rule_algorithm", - "aggregation_algorithm", - "sub_meta_rules" + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_category_scopes", + "authz.object_category_scopes", + "authz.action_category_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" ] } 
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json
index 650405a9..e80c61c1 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json
@@ -1,22 +1,64 @@ { - "rbac_rule":[ - - ["admin" , "ft", "admin", "subjects"], - ["admin" , "ft", "admin", "objects"], - ["admin" , "ft", "admin", "actions"], - ["admin" , "ft", "admin", "subject_categories"], - ["admin" , "ft", "admin", "object_categories"], - ["admin" , "ft", "admin", "action_categories"], - ["admin" , "ft", "admin", "subject_category_scope"], - ["admin" , "ft", "admin", "object_category_scope"], - ["admin" , "ft", "admin", "action_category_scope"], - ["admin" , "ft", "admin", "sub_rules"], - ["admin" , "ft", "admin", "sub_meta_rule"], - ["admin" , "ft", "admin", "subject_assignments"], - ["admin" , "ft", "admin", "object_assignments"], - ["admin" , "ft", "admin", "action_assignments"], - ["admin" , "ft", "admin", "sub_meta_rule_relations"], - ["admin" , "ft", "admin", "aggregation_algorithms"] - + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_category_scopes"], + ["root_role" , "read", "authz.object_category_scopes"], + ["root_role" , "read", "authz.action_category_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_category_scopes"], + ["root_role" , 
"write", "authz.object_category_scopes"], + ["root_role" , "write", "authz.action_category_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] ] } 
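Review bot: The sixty new rows are the full cross product of {read, write} × every `authz.*` and `admin.*` object, which includes write on `admin.rules`, `admin.subject_assignments` and `admin.sub_meta_rules` — the tables that define this very policy — so the one role this policy grants can rewrite the policy that grants it; policy_root/rule.json in this commit gives `root_role` the same write rows on `admin.*`. If that is intended for an example, record it where a reader of the policy will see it: JSON has no comments, and the `"description"` field of policy_admin/metadata.json is left as `""` in this commit, so a sentence there stating that the admin role is self-administering would do; if it is not intended, the `admin.*` write rows are the ones to drop. As a point of style, every row is written `["root_role" , "read", …]` with a space before the first comma, while the rest of these files write `"a", "b"`.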
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json index 3742a5e4..74b1d019 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/scope.json +++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json @@ -1,39 +1,47 @@ { - "subject_scopes": { - "role": [ - "admin" - ], - "domain": [ - "ft", - "xx" - ] - }, - - "action_scopes": { - "access": [ - "admin", - "user" - ] - }, - - "object_scopes": { - "id": [ - "subjects", - "objects", - "actions", - "subject_categories", - "object_categories", - "action_categories", - "subject_category_scope", - "object_category_scope", - "action_category_scope", - "sub_rules", - "sub_meta_rule", - "subject_assignments", - "object_assignments", - "action_assignments", - "sub_meta_rule_relations", - "aggregation_algorithms" - ] + "subject_scopes": { + "role": [ + "root_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "action_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_category_scopes", + "authz.object_category_scopes", + "authz.action_category_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] } } 
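Review bot: Under `"object_scopes"` the new side keys the scope list as `"action_id"`, but the object category declared in policy_admin/metadata.json and referenced by metarule.json and assignment.json in this commit is `object_id`; `action_id` is the action category and already has its own list under `"action_scopes"` a few lines above. With this key the `object_id` category ends up with no scope entry at all, and the `authz.*` / `admin.*` values listed here hang off a category that is not an object category. Change the line to `"object_id": [`, which is what the otherwise parallel policy_root/scope.json in this commit does.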
diff --git a/keystone-moon/examples/moon/policies/policy_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_authz/assignment.json index ebab0ec6..6482830c 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/assignment.json +++ b/keystone-moon/examples/moon/policies/policy_authz/assignment.json @@ -56,7 +56,7 @@ "file1": ["storage"], "file2": ["storage"] }, - "id": { + "object_id": { "servers": ["servers"], "vm1": ["vm1"], "vm2": ["vm2"], diff --git a/keystone-moon/examples/moon/policies/policy_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_authz/metadata.json index 4a5a5a1a..d0db90db 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/metadata.json +++ b/keystone-moon/examples/moon/policies/policy_authz/metadata.json @@ -1,8 +1,8 @@ { - "name": "MLS_metadata", - "model": "MLS", + "name": "Multiple_Policy", + "model": "Multiple", "genre": "authz", - "description": "Multi Layer Security authorization policy", + "description": "Multiple Security Policies", "subject_categories": [ "subject_security_level", @@ -18,6 +18,6 @@ "object_categories": [ "object_security_level", "type", - "id" + "object_id" ] } diff --git a/keystone-moon/examples/moon/policies/policy_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_authz/metarule.json index df683ca9..c9afd6c2 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/metarule.json +++ b/keystone-moon/examples/moon/policies/policy_authz/metarule.json @@ -15,7 +15,7 @@ "rbac_rule": { "subject_categories": ["role", "domain"], "action_categories": ["access"], - "object_categories": ["id"], + "object_categories": ["object_id"], "algorithm": "inclusion" } }, diff --git a/keystone-moon/examples/moon/policies/policy_authz/scope.json b/keystone-moon/examples/moon/policies/policy_authz/scope.json index 4b69e469..9b313daf 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/scope.json +++ b/keystone-moon/examples/moon/policies/policy_authz/scope.json 
@@ -38,7 +38,7 @@ "computing", "storage" ], - "id": [ + "object_id": [ "servers", "vm1", "vm2", diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json new file mode 100644 index 00000000..2852de0c --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/assignment.json @@ -0,0 +1,39 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"] + } + }, + + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + + "object_assignments": { + "object_id": { + "templates": ["templates"], + "sub_meta_rule_algorithm": ["sub_meta_rule_relations"], + "aggregation_algorithms": ["aggregation_algorithms"], + "tenants": ["tenants"], + "intra_extensions": ["intra_extensions"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/keystone-moon/examples/moon/policies/policy_root/metadata.json b/keystone-moon/examples/moon/policies/policy_root/metadata.json new file mode 100644 index 00000000..3e4b0f28 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/metadata.json 
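Review bot: Under `"object_id"` the entry `"sub_meta_rule_algorithm": ["sub_meta_rule_relations"]` is keyed by an object that policy_root/perimeter.json does not declare (it lists `sub_meta_rule_algorithms`, plural) and assigns a value that is not in the `object_id` list of policy_root/scope.json; policy_root/rule.json grants `root_role` read and write on `sub_meta_rule_algorithms`, so those two rows presumably cannot match because the object that does exist has no assignment. The line is carried over unchanged from the deleted policy_super/assignment.json, where it had the same mismatch. Change it to `"sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"],` so the four policy_root files agree on one object name.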
@@ -0,0 +1,18 @@ +{ + "name": "Root Policy", + "model": "RBAC", + "genre": "admin", + "description": "root extension", + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_root/metarule.json b/keystone-moon/examples/moon/policies/policy_root/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/keystone-moon/examples/moon/policies/policy_root/perimeter.json b/keystone-moon/examples/moon/policies/policy_root/perimeter.json new file mode 100644 index 00000000..788a27f2 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/perimeter.json @@ -0,0 +1,31 @@ +{ + "subjects": [ + "admin" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_root/rule.json b/keystone-moon/examples/moon/policies/policy_root/rule.json new file mode 100644 index 00000000..9bbd5e4c --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/rule.json 
@@ -0,0 +1,44 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "templates"], + ["root_role" , "read", "aggregation_algorithms"], + ["root_role" , "read", "sub_meta_rule_algorithms"], + ["root_role" , "read", "tenants"], + ["root_role" , "read", "intra_extensions"], + ["root_role" , "write", "templates"], + ["root_role" , "write", "aggregation_algorithms"], + ["root_role" , "write", "sub_meta_rule_algorithms"], + ["root_role" , "write", "tenants"], + ["root_role" , "write", "intra_extensions"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", 
"admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_root/scope.json b/keystone-moon/examples/moon/policies/policy_root/scope.json new file mode 100644 index 00000000..43f9ced8 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/scope.json @@ -0,0 +1,39 @@ +{ + "subject_scopes": { + "role": [ + "root_role" + ] + }, + + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + + "object_scopes": { + "object_id": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/keystone-moon/examples/moon/policies/policy_super/assignment.json b/keystone-moon/examples/moon/policies/policy_super/assignment.json deleted file mode 100644 index 352575aa..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/assignment.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "subject_assignments": { - "role": { - "super_admin": ["admin"] - } - }, - - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - - "object_assignments": { - "object_id": { - "templates": ["templates"], - "sub_meta_rule_algorithm": ["sub_meta_rule_relations"], - "aggregation_algorithms": ["aggregation_algorithms"], - "tenants": ["tenants"], - "intra_extensions": ["intra_extensions"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_super/metadata.json b/keystone-moon/examples/moon/policies/policy_super/metadata.json deleted file mode 100644 index a67670e9..00000000 
--- a/keystone-moon/examples/moon/policies/policy_super/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "Super_Extension", - "model": "RBAC", - "genre": "authz", - "description": "", - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_super/metarule.json b/keystone-moon/examples/moon/policies/policy_super/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_super/perimeter.json b/keystone-moon/examples/moon/policies/policy_super/perimeter.json deleted file mode 100644 index 3a7364bc..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/perimeter.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "subjects": [ - "super_admin" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_super/rule.json b/keystone-moon/examples/moon/policies/policy_super/rule.json deleted file mode 100644 index b3115a90..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/rule.json +++ /dev/null 
@@ -1,14 +0,0 @@ -{ - "rbac_rule":[ - ["admin" , "read", "templates"], - ["admin" , "read", "aggregation_algorithms"], - ["admin" , "read", "sub_meta_rule_algorithms"], - ["admin" , "read", "tenants"], - ["admin" , "read", "intra_extensions"], - ["admin" , "write", "templates"], - ["admin" , "write", "aggregation_algorithms"], - ["admin" , "write", "sub_meta_rule_algorithms"], - ["admin" , "write", "tenants"], - ["admin" , "write", "intra_extensions"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_super/scope.json b/keystone-moon/examples/moon/policies/policy_super/scope.json deleted file mode 100644 index d581c747..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/scope.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "admin" - ] - }, - - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - - "object_scopes": { - "object_id": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions" - ] - } -} diff --git a/keystone-moon/examples/moon/super_extension/policy/assignment.json b/keystone-moon/examples/moon/super_extension/policy/assignment.json deleted file mode 100644 index 352d3928..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/assignment.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "subject_category_assignments": { - "role":{ - "admin": [ - "super_user", - "super_admin", - "super_root", - "inter_extension_user", - "inter_extension_admin", - "inter_extension_root" - ] - } - }, - "object_category_assignments": { - "action": { - "intra_extension": [], - "mapping": [], - "inter_extension": [] - }, - "object_id": { - "intra_extension": ["intra_extension"], - "mapping": ["mapping"], - "inter_extension": ["inter_extension"] - } - } -} diff --git a/keystone-moon/examples/moon/super_extension/policy/configuration.json b/keystone-moon/examples/moon/super_extension/policy/configuration.json deleted file mode 100644 index 18918e7f..00000000 
--- a/keystone-moon/examples/moon/super_extension/policy/configuration.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "subject_category_values": { - "role": [ - "super_user", - "super_admin", - "super_root", - "inter_extension_user", - "inter_extension_admin", - "inter_extension_root" - ] - }, - - "object_category_values": { - "action": [ - "list", - "create", - "destroy", - "delegate" - ], - "object_id": [ - "intra_extension", - "mapping", - "inter_extension" - ] - }, - - "rules":{ - "permission": [ - ["super_user", "intra_extension", "list"], - ["super_admin", "intra_extension", "create"], - ["super_admin", "intra_extension", "destroy"], - ["super_root", "intra_extension", "delegate"], - ["super_user", "mapping", "list"], - ["super_admin", "mapping", "create"], - ["super_admin", "mapping", "destroy"], - ["super_root", "mapping", "delegate"], - ["inter_extension_user", "inter_extension", "list"], - ["inter_extension_admin", "inter_extension", "create"], - ["inter_extension_admin", "inter_extension", "destroy"], - ["inter_extension_root", "inter_extension", "delegate"] - ] - } -} \ No newline at end of file diff --git a/keystone-moon/examples/moon/super_extension/policy/metadata.json b/keystone-moon/examples/moon/super_extension/policy/metadata.json deleted file mode 100644 index 316bfcb7..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/metadata.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "name": "RBAC_metadata", - "model": "RBAC", - "genre": "super", - "description": "", - - "subject_categories": [ - "role" - ], - - "object_categories": [ - "object_id", - "action" - ], - - "meta_rule": { - "sub_meta_rules": { - "permission": { - "subject_categories": ["role"], - "object_categories": ["object_id", "action"], - "relation": "permission" - } - }, - "aggregation": "and_true_aggregation" - } -} 
diff --git a/keystone-moon/examples/moon/super_extension/policy/perimeter.json b/keystone-moon/examples/moon/super_extension/policy/perimeter.json deleted file mode 100644 index 5d511654..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/perimeter.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "subjects": [ - "admin" - ], - "objects": [ - "intra_extension", - "mapping", - "inter_extension" - ] -} \ No newline at end of file -- cgit 1.2.3-korg