author Pete Zaitcev <zaitcev@kotori.zaitcev.us> 2021-07-23 21:31:17 -0500
committer Pete Zaitcev <zaitcev@kotori.zaitcev.us> 2021-08-02 14:35:32 -0500
commit 6198284839374faed6df884bc9246d72075a6b56 (patch)
tree ba3f74284f2f124ea8b85c979388f60ea59ead35 /etc
parent b53a9d811413840d03840c3d9d0287e2a8aff717 (diff)
download swift-6198284839374faed6df884bc9246d72075a6b56.tar.gz
Add a project scope read-only role to keystoneauth
This patch continues work for more of the "Consistent and Secure Default Policies". We already have system scope personas implemented, but the architecture people are asking for project scope now. At least we don't need domain scope.

Change-Id: If7d39ac0dfbe991d835b76eb79ae978fc2fd3520
Diffstat (limited to 'etc')
-rw-r--r-- etc/proxy-server.conf-sample 5
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 99c284007..de51c7bcc 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -508,6 +508,11 @@ user_test5_tester5 = testing5 service
# only do not modify the cluster.
# By default the list of reader roles is empty.
# system_reader_roles =
+#
+# This is a reader role scoped for a Keystone project.
+# An identity that has this role can read anything in a project, so it is
+# basically a swiftoperator, but read-only.
+# project_reader_roles =
[filter:s3api]
use = egg:swift#s3api
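Review bot: the comment added above "# project_reader_roles =" does not state the default, while the system_reader_roles text just before it says "By default the list of reader roles is empty." Please add the equivalent sentence here so a deployer can see from the sample file that no role gets project-wide read access until the option is set. "Basically a swiftoperator, but read-only" is also loose for a setting that grants access: spell out what "read anything in a project" covers (account, container and object reads) and say what applies when an identity holds both this role and a role with write access. There is also no blank line between the new option and the following "[filter:s3api]" section header, which makes the section boundary easy to miss.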