osc identity access-rule

Application Credentials - Access Rules

Users have the option of delegating more fine-grained access control to their application credentials by using access rules. For example, to create an application credential that is restricted to creating servers in nova, the user can add the following access rules:


{ "access_rules": [{ "path": "/v2.1/servers", "method": "POST", "service": "compute" }] }

The "path" attribute of application credential access rules uses a wildcard syntax to make it more flexible. For example, to create an application credential that is restricted to listing server IP addresses, you could use either of the following access rules:


{ "access_rules": [ { "path": "/v2.1/servers/*/ips", "method": "GET", "service": "compute" } ] }

or equivalently:


{ "access_rules": [ { "path": "/v2.1/servers/{server_id}/ips", "method": "GET", "service": "compute" } ] }

In both cases, a request path containing any server ID will match the access rule. For even more flexibility, the recursive wildcard ** indicates that request paths containing any number of / will be matched. For example:


{ "access_rules": [ { "path": "/v2.1/**", "method": "GET", "service": "compute" } ] }

will match any nova API for version 2.1.
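
The sketch below is an added example, not code from Keystone or the osc project: it evaluates the three wildcard rules shown above against constructed sample requests so the scope of each rule can be compared. It assumes that `*` and `{name}` match exactly one path segment, that `**` may span any number of `/`, and that method and service must match exactly; the function names are hypothetical.

```python
import re

def compile_path(pattern):
    """Translate an access-rule path into a regex (assumed wildcard semantics)."""
    # Splitting on a capture group yields literal, wildcard, literal, ...
    parts = re.split(r"(\*\*|\*|\{[^{}/]+\})", pattern)
    out = []
    for i, tok in enumerate(parts):
        if i % 2 == 0:
            out.append(re.escape(tok))   # literal text; "." in "v2.1" stays a dot
        elif tok == "**":
            out.append(".*")             # recursive: may span any number of "/"
        else:
            out.append("[^/]+")          # "*" or "{name}": exactly one segment
    return re.compile("".join(out))

def rule_allows(rule, service, method, path):
    """True if one access rule admits the request."""
    return (rule["service"] == service and rule["method"] == method
            and compile_path(rule["path"]).fullmatch(path) is not None)

def audit(rules, requests):
    """Return the subset of requests admitted by at least one rule."""
    return [r for r in requests if any(rule_allows(rule, *r) for rule in rules)]

# The rules are the ones shown on this page; the requests are constructed samples.
IPS_STAR = {"path": "/v2.1/servers/*/ips", "method": "GET", "service": "compute"}
IPS_NAMED = {"path": "/v2.1/servers/{server_id}/ips", "method": "GET", "service": "compute"}
ALL_GET = {"path": "/v2.1/**", "method": "GET", "service": "compute"}
REQUESTS = [
    ("compute", "GET", "/v2.1/servers/1a2b3c/ips"),
    ("compute", "GET", "/v2.1/servers/1a2b3c/ips/private"),
    ("compute", "GET", "/v2.1/servers/detail"),
    ("compute", "POST", "/v2.1/servers"),
    ("compute", "GET", "/v2x1/servers/1a2b3c/ips"),
]

if __name__ == "__main__":
    for name, rule in [("*", IPS_STAR), ("{server_id}", IPS_NAMED), ("**", ALL_GET)]:
        print(name, [path for _, _, path in audit([rule], REQUESTS)])
```

The `**` rule admits every version 2.1 GET in the sample set, including requests the two narrower rules reject, which is the difference to weigh when scoping a credential.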

An access rule created for one application credential can be re-used by providing its ID to another application credential, for example:


{ "access_rules": [ { "id": "abcdef" } ] }

Usage: osc identity access-rule <COMMAND>

Available subcommands: