author | Pete Zaitcev <zaitcev@kotori.zaitcev.us> | 2021-07-23 21:31:17 -0500 |
---|---|---|
committer | Pete Zaitcev <zaitcev@kotori.zaitcev.us> | 2021-08-02 14:35:32 -0500 |
commit | 6198284839374faed6df884bc9246d72075a6b56 (patch) | |
tree | ba3f74284f2f124ea8b85c979388f60ea59ead35 /etc | |
parent | b53a9d811413840d03840c3d9d0287e2a8aff717 (diff) | |
download | swift-6198284839374faed6df884bc9246d72075a6b56.tar.gz |

Add a project scope read-only role to keystoneauth

This patch continues work for more of the "Consistent and
Secure Default Policies". We already have system scope
personas implemented, but the architecture people are asking
for project scope now. At least we don't need domain scope.

Change-Id: If7d39ac0dfbe991d835b76eb79ae978fc2fd3520

Diffstat (limited to 'etc')
-rw-r--r-- | etc/proxy-server.conf-sample | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 99c284007..de51c7bcc 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -508,6 +508,11 @@ user_test5_tester5 = testing5 service # only do not modify the cluster. # By default the list of reader roles is empty. # system_reader_roles = +# +# This is a reader role scoped for a Keystone project. +# An identity that has this role can read anything in a project, so it is +# basically a swiftoperator, but read-only. +# project_reader_roles = [filter:s3api] use = egg:swift#s3api |
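
Review bot: The new comment block for project_reader_roles in etc/proxy-server.conf-sample does not state a default, while the system_reader_roles block directly above it ends with "By default the list of reader roles is empty." If the same default applies here, add that sentence so an operator can see that leaving the option commented out grants no project-scoped read access. The phrase "can read anything in a project" would also be safer if it spelled out what is covered and how the role relates to container ACLs, because "basically a swiftoperator, but read-only" only helps a reader who already knows what swiftoperator grants, and this is the text people will rely on when deciding which Keystone roles to list.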