How to create my own rule in Policy.json

asked 2013-07-26 03:15:29 -0600

Sudheesh

updated 2015-07-21 03:24:36 -0600

The following is my requirement:

1) I have an extension service (Keystone extension)

2) I have also created a role called CUSTOME_ROLE

I want only users with CUSTOME_ROLE to be able to access the service.

How can I specify this in Policy.json?

Let's say my service is list_custom_entities and the URL is v2.0/custom/listentities


1 answer


answered 2015-08-21 11:08:52 -0600

jianzj

Hi,

You will find your policy.json file in /etc/keystone/

This file is used for role-based access control in the Keystone service, and in it you will find all the actions offered by Keystone.

This is a link about RBAC in Keystone; you could have a look if you like: Identity API protection with role-based access control (RBAC)

I have some suggestions about how to add a new role to a new action; I hope this is of some help to you.

  1. Create a new role in Keystone, using the command "openstack role create".
  2. Open the file "/etc/keystone/policy.json" and add these lines, supposing your new role's name is "custome":
     1) "custome_role": "role:custome",
        (this line could be added near "service_role": "role:service",)
        Notice: you will see in the policy.json file that there are some other rules which combine several roles together. It is up to your usage; if you want, you could give that a try.
     2) "identity:list_custom_entities": "rule:custome_role",

This is the basic way to add a new action to the Keystone policy file and restrict it to a customized role.
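An added example, not part of the answer above and not Keystone's own policy engine: a small Python check that the two added lines resolve and that only a user holding the "custome" role passes. It handles only role: and rule: checks joined by "or"; the policy fragment and the function names lint and allowed are constructed for illustration.

```python
import json
import re

# Constructed policy fragment: the two lines from the answer plus a neighbour.
POLICY = json.loads("""{
    "service_role": "role:service",
    "custome_role": "role:custome",
    "identity:list_custom_entities": "rule:custome_role"
}""")

CHECK = re.compile(r"^(role|rule):(\S+)$")


def lint(policy):
    """Report checks that are malformed or reference an undefined rule."""
    problems = []
    for target, expr in policy.items():
        for token in expr.split():
            m = CHECK.match(token)
            if token == "or":
                continue
            if not m:
                problems.append(f"{target}: malformed check {token!r}")
            elif m.group(1) == "rule" and m.group(2) not in policy:
                problems.append(f"{target}: undefined rule {m.group(2)!r}")
    return problems


def allowed(policy, target, roles, _seen=()):
    """Evaluate a target for a user's roles, denying on anything unexpected."""
    if target not in policy or target in _seen:
        return False  # unknown target or reference cycle: deny
    have = {r.lower() for r in roles}
    granted = False
    for token in policy[target].split():
        if token == "or":
            continue
        m = CHECK.match(token)
        if not m:
            return False  # malformed or unsupported syntax: deny
        kind, name = m.groups()
        granted |= (name.lower() in have if kind == "role"
                    else allowed(policy, name, roles, _seen + (target,)))
    return granted


if __name__ == "__main__":
    print(lint(POLICY))
    print(allowed(POLICY, "identity:list_custom_entities", ["custome"]))
```

Running lint over an edited file before restarting the service catches a stray space after "rule:" or a rule name that was never defined, both of which this checker treats as a denial.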



Asked: 2013-07-26 03:15:29 -0600

Seen: 1,031 times

Last updated: Aug 21 '15