策略
每个 OpenStack 服务都在相关的策略文件中定义其资源的访问策略。资源的例子包括 API 访问权限、挂载卷的能力或启动实例的能力。策略规则以 JSON 格式指定,文件名为 policy.json。该文件的语法和格式在 配置参考 中讨论。
这些策略可以由云管理员修改或更新,以控制对各种资源的访问。确保对访问控制策略的任何更改都不会无意中削弱任何资源的安全性。另请注意,对 policy.json 文件所做的更改会立即生效,无需重新启动服务。
以下示例显示了服务如何将创建、更新和删除资源的操作限制为仅允许具有 cloud_admin 角色的用户执行,该角色被定义为 role = admin 与 domain_id = admin_domain_id 的合取;而获取和列出资源则对具有 cloud_admin 或 admin 角色的用户开放。
{
"admin_required": "role:admin",
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
"identity:get_service": "rule:admin_or_cloud_admin",
"identity:list_services": "rule:admin_or_cloud_admin",
"identity:create_service": "rule:cloud_admin",
"identity:update_service": "rule:cloud_admin",
"identity:delete_service": "rule:cloud_admin",
"identity:get_endpoint": "rule:admin_or_cloud_admin",
"identity:list_endpoints": "rule:admin_or_cloud_admin",
"identity:create_endpoint": "rule:cloud_admin",
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
}