How to create my own rule in Policy.json

318 ●30 ●37 ●51

Following is my requirement

1) I have an extension service (Keystone extension)

2) I have also created a role called CUSTOME_ROLE

I want users with only CUSTOME_ROLE can access the service.

How can I specify this in Policy.json?

lets say my service is list_custom_entities and the URL is v2.0/custom/listentities

jianzj
41 ●3 ●2

Hi ,

You will find your policy.json file in /etc/keystone/

This file is used to do the role based access control in Keystone service. And you will find all the actions, offered by Keystone.

This is a link about RBAC in Keystone, you could have a look if you like : Identity API protection with role-based access control (RBAC)

I have some suggestion about how to add a new role to a new action, wish this could have some help for you.

Create a new role in Keystone , using command : "openstack role create";
Open file "/etc/keystone/policy.json", add these lines , suppose your created new role name is "custome": 1) "custome_role": "role:custome", (this line could be added nearby ""service_role": "role:service",") Notice : You will see in the policy.json file , there are some other rules, combined some roles together, it is up to your usage, if you wanted , you could have try. 2) "identity:list_custom_entities": "rule: custome_role",

This is the basic way , to add a new action into Keystone policy file , and limited by a customized role.

1 answer