neutron/doc/source/admin/intro-api-srbac-policies.rst
Slawek Kaplonski aa5b2808a8 [Docs] Add document with description of the RBAC roles
This patch adds a short document with a description of the roles supported
by the default Neutron API policies.

Change-Id: Id8106478fc32cd2da283fa4b5763d535372127a6
2024-07-24 22:12:39 +02:00

Neutron API policies and supported roles

As part of the Consistent and Secure Default RBAC community goal [1], Neutron implemented support for various scopes and personas in all of the API policies that are defined in the Neutron code.

Roles supported by the default Neutron API policies

Roles supported by the default Neutron API policies are:

  • PROJECT_READER - this role is intended to have read-only access to the project-owned resources.
  • PROJECT_MEMBER - this role inherits all of the privileges of the PROJECT_READER role and additionally has access to create, update and delete project-owned resources.
  • PROJECT_MANAGER - this role inherits all of the privileges of the PROJECT_MEMBER role and is additionally allowed to perform more operations on the project-owned resources.
  • ADMIN - this role is the same as it was in the "old" default policies. A user granted the ADMIN role is allowed to perform almost every possible modification on all resources, even those which belong to different projects.
  • SERVICE - this is a special role designed to be used for service-to-service communication only (for example between nova and neutron); it does not inherit any privileges from any of the other roles mentioned above.

Default API policies defined in Neutron

By default, all of the existing API policies can be used with project-scoped tokens only. Tokens with service scope are not supported by any of the policies defined in the Neutron code.
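The following stand-alone Python model, added here as an illustration and not taken from Neutron or oslo.policy, evaluates sample tokens against the role hierarchy in the list above together with the project-scope rule in this paragraph. The `Token` class, the action names and the treatment of ADMIN as a superset of the project roles are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Role inheritance as described in the document: MANAGER > MEMBER > READER.
# ADMIN is modelled as a superset of the project roles (assumption);
# SERVICE inherits nothing from the other roles.
IMPLIED_ROLES = {
    "reader": {"reader"},
    "member": {"member", "reader"},
    "manager": {"manager", "member", "reader"},
    "admin": {"admin", "manager", "member", "reader"},
    "service": {"service"},
}

# Minimum role each action requires on a project-owned resource.
# Action names are hypothetical, not Neutron's real policy names.
ACTION_MIN_ROLE = {
    "get_resource": "reader",
    "create_resource": "member",
    "manage_resource": "manager",
    "service_sync": "service",
}


@dataclass(frozen=True)
class Token:
    roles: FrozenSet[str]
    scope: str                      # "project", "domain", "system", ...
    project_id: Optional[str] = None


def effective_roles(token: Token) -> set:
    """Expand the roles carried by a token through the inheritance table."""
    out = set()
    for role in token.roles:
        out |= IMPLIED_ROLES.get(role, set())
    return out


def is_allowed(action: str, token: Token, target_project_id: str) -> bool:
    """Return True if the token may perform action on a resource owned by target_project_id."""
    # Only project-scoped tokens are accepted, whatever roles they carry.
    if token.scope != "project":
        return False
    roles = effective_roles(token)
    needed = ACTION_MIN_ROLE[action]
    # Service-only actions need the SERVICE role itself (assumption: also project match).
    if needed == "service":
        return "service" in roles and token.project_id == target_project_id
    # ADMIN may act on resources of any project.
    if "admin" in roles:
        return True
    return needed in roles and token.project_id == target_project_id
```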

Default API policies

Default API policies defined in the Neutron code can be found in the Policy Reference document.

References

  1. https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html