Merge "Implement policy in code (4)"

This commit is contained in:
Zuul 2017-10-25 16:43:24 +00:00 committed by Gerrit Code Review
commit 65e79f11f0
12 changed files with 927 additions and 51 deletions

View File

@ -29,6 +29,11 @@ from designate.common.policies import service_status
from designate.common.policies import tenant from designate.common.policies import tenant
from designate.common.policies import tld from designate.common.policies import tld
from designate.common.policies import tsigkey from designate.common.policies import tsigkey
from designate.common.policies import zone
from designate.common.policies import zone_export
from designate.common.policies import zone_import
from designate.common.policies import zone_transfer_accept
from designate.common.policies import zone_transfer_request
def list_rules(): def list_rules():
@ -45,4 +50,9 @@ def list_rules():
tenant.list_rules(), tenant.list_rules(),
tld.list_rules(), tld.list_rules(),
tsigkey.list_rules(), tsigkey.list_rules(),
zone.list_rules(),
zone_export.list_rules(),
zone_import.list_rules(),
zone_transfer_accept.list_rules(),
zone_transfer_request.list_rules(),
) )

View File

@ -20,6 +20,8 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN = 'rule:admin' RULE_ADMIN = 'rule:admin'
RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\ RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\
OR ('SECONDARY':%(zone_type)s AND is_admin:True)" OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
RULE_ZONE_TRANSFER = "rule:admin_or_owner or tenant:%(target_tenant_id)s \
or None:%(target_tenant_id)s"
RULE_ANY = "@" RULE_ANY = "@"
rules = [ rules = [

View File

@ -0,0 +1,170 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Create Zone",
operations=[
{
'path': '/v1//domains',
'method': 'POST'
}, {
'path': '/v2/zones',
'method': 'POST'
}
]
),
policy.RuleDefault(
name="get_zones",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="get_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get Zone",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'GET'
}, {
'path': '/v2/zones/{zone_id}',
'method': 'GET'
}, {
'path': '/v2/zones/{zone_id}',
'method': 'PATCH'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'PUT'
}
]
),
policy.RuleDefault(
name="get_zone_servers",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="find_zones",
check_str=base.RULE_ADMIN_OR_OWNER,
description="List existing zones",
operations=[
{
'path': '/v1/domains',
'method': 'GET'
}, {
'path': '/v2/zones',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Find Zone",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>',
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/servers',
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>',
'method': 'PUT'
}, {
'path': '/v1/domains/<uuid:domain_id>',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name="update_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Update Zone",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>',
'method': 'PUT'
}, {
'path': '/v2/zones/{zone_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Delete Zone",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>',
'method': 'DELETE'
}, {
'path': '/v2/zones/{zone_id}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name="xfr_zone",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Manually Trigger an Update of a Secondary Zone",
operations=[
{
'path': '/v2/zones/{zone_id}/tasks/xfr',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="abandon_zone",
check_str=base.RULE_ADMIN,
description="Abandon Zone",
operations=[
{
'path': '/v2/zones/{zone_id}/tasks/abandon',
'method': 'POST'
}
]
),
policy.RuleDefault(
name="count_zones",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.RuleDefault(
name="count_zones_pending_notify",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.RuleDefault(
name="purge_zones",
check_str=base.RULE_ADMIN
),
policy.RuleDefault(
name="touch_zone",
check_str=base.RULE_ADMIN_OR_OWNER
)
]
def list_rules():
return rules

View File

@ -0,0 +1,83 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="zone_export",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Retrive a Zone Export from the Designate Datastore",
operations=[
{
'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="create_zone_export",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Create Zone Export",
operations=[
{
'path': '/v2/zones/{zone_id}/tasks/export',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_zone_exports",
check_str=base.RULE_ADMIN_OR_OWNER,
description="List Zone Exports",
operations=[
{
'path': '/v2/zones/tasks/exports',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_zone_export",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get Zone Exports",
operations=[
{
'path': '/v2/zones/tasks/exports/{zone_export_id}',
'method': 'GET'
}, {
'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_zone_export",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Update Zone Exports",
operations=[
{
'path': '/v2/zones/{zone_id}/tasks/export',
'method': 'POST'
}
]
)
]
def list_rules():
return rules

View File

@ -0,0 +1,81 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_zone_import",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Create Zone Import",
operations=[
{
'path': '/v2/zones/tasks/imports',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_zone_imports",
check_str=base.RULE_ADMIN_OR_OWNER,
description="List all Zone Imports",
operations=[
{
'path': '/v2/zones/tasks/imports',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_zone_import",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get Zone Imports",
operations=[
{
'path': '/v2/zones/tasks/imports/{zone_import_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_zone_import",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Update Zone Imports",
operations=[
{
'path': '/v2/zones/tasks/imports',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="delete_zone_import",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Delete a Zone Import",
operations=[
{
'path': '/v2/zones/tasks/imports/{zone_import_id}',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

View File

@ -0,0 +1,77 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_zone_transfer_accept",
check_str=base.RULE_ZONE_TRANSFER,
description="Create Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/tasks/transfer_accepts',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="get_zone_transfer_accept",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}', # noqa
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_zone_transfer_accepts",
check_str=base.RULE_ADMIN,
description="List Zone Transfer Accepts",
operations=[
{
'path': '/v2/zones/tasks/transfer_accepts',
'method': 'GET'
}
]
),
policy.RuleDefault(
name="find_zone_transfer_accept",
check_str=base.RULE_ADMIN
),
policy.DocumentedRuleDefault(
name="update_zone_transfer_accept",
check_str=base.RULE_ADMIN,
description="Update a Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/tasks/transfer_accepts',
'method': 'POST'
}
]
),
policy.RuleDefault(
name="delete_zone_transfer_accept",
check_str=base.RULE_ADMIN
)
]
def list_rules():
return rules

View File

@ -0,0 +1,91 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_zone_transfer_request",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Create Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/{zone_id}/tasks/transfer_requests',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="get_zone_transfer_request",
check_str=base.RULE_ZONE_TRANSFER,
description="Show a Zone Transfer Request",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
'method': 'GET'
}, {
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
'method': 'PATCH'
}
]
),
policy.RuleDefault(
name="get_zone_transfer_request_detailed",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="find_zone_transfer_requests",
check_str=base.RULE_ANY,
description="List Zone Transfer Requests",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests',
'method': 'GET'
}
]
),
policy.RuleDefault(
name="find_zone_transfer_request",
check_str=base.RULE_ANY
),
policy.DocumentedRuleDefault(
name="update_zone_transfer_request",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Update a Zone Transfer Request",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_zone_transfer_request",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Delete a Zone Transfer Request",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
'method': 'DELETE'
}
]
)
]
def list_rules():
return rules

View File

@ -32,7 +32,6 @@ from designate import policy
from designate import network_api from designate import network_api
from designate import rpc from designate import rpc
from designate.network_api import fake as fake_network_api from designate.network_api import fake as fake_network_api
from designate import utils
from designate.sqlalchemy import utils as sqlalchemy_utils from designate.sqlalchemy import utils as sqlalchemy_utils
"""Test fixtures """Test fixtures
@ -105,8 +104,6 @@ class ServiceFixture(fixtures.Fixture):
class PolicyFixture(fixtures.Fixture): class PolicyFixture(fixtures.Fixture):
def setUp(self): def setUp(self):
super(PolicyFixture, self).setUp() super(PolicyFixture, self).setUp()
policy.init(policy_file=utils.find_config(
cfg.CONF.oslo_policy.policy_file)[0])
self.addCleanup(policy.reset) self.addCleanup(policy.reset)

View File

@ -68,10 +68,6 @@ function configure_designate {
iniset $DESIGNATE_CONF coordination backend_url $DESIGNATE_COORDINATION_URL iniset $DESIGNATE_CONF coordination backend_url $DESIGNATE_COORDINATION_URL
fi fi
# Install the policy file for the API server
cp $DESIGNATE_DIR/etc/designate/policy.json $DESIGNATE_CONF_DIR/policy.json
iniset $DESIGNATE_CONF DEFAULT policy_file $DESIGNATE_CONF_DIR/policy.json
# Pool Manager Configuration # Pool Manager Configuration
iniset $DESIGNATE_CONF service:pool_manager pool_id $DESIGNATE_POOL_ID iniset $DESIGNATE_CONF service:pool_manager pool_id $DESIGNATE_POOL_ID
iniset $DESIGNATE_CONF service:pool_manager cache_driver $DESIGNATE_POOL_MANAGER_CACHE_DRIVER iniset $DESIGNATE_CONF service:pool_manager cache_driver $DESIGNATE_POOL_MANAGER_CACHE_DRIVER

View File

@ -1,43 +0,0 @@
{
"create_zone": "rule:admin_or_owner",
"get_zones": "rule:admin_or_owner",
"get_zone": "rule:admin_or_owner",
"get_zone_servers": "rule:admin_or_owner",
"find_zones": "rule:admin_or_owner",
"find_zone": "rule:admin_or_owner",
"update_zone": "rule:admin_or_owner",
"delete_zone": "rule:admin_or_owner",
"xfr_zone": "rule:admin_or_owner",
"abandon_zone": "rule:admin",
"count_zones": "rule:admin_or_owner",
"count_zones_pending_notify": "rule:admin_or_owner",
"purge_zones": "rule:admin",
"touch_zone": "rule:admin_or_owner",
"create_zone_transfer_request": "rule:admin_or_owner",
"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
"get_zone_transfer_request_detailed": "rule:admin_or_owner",
"find_zone_transfer_requests": "@",
"find_zone_transfer_request": "@",
"update_zone_transfer_request": "rule:admin_or_owner",
"delete_zone_transfer_request": "rule:admin_or_owner",
"create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
"get_zone_transfer_accept": "rule:admin_or_owner",
"find_zone_transfer_accepts": "rule:admin",
"find_zone_transfer_accept": "rule:admin",
"update_zone_transfer_accept": "rule:admin",
"delete_zone_transfer_accept": "rule:admin",
"create_zone_import": "rule:admin_or_owner",
"find_zone_imports": "rule:admin_or_owner",
"get_zone_import": "rule:admin_or_owner",
"update_zone_import": "rule:admin_or_owner",
"delete_zone_import": "rule:admin_or_owner",
"zone_export": "rule:admin_or_owner",
"create_zone_export": "rule:admin_or_owner",
"find_zone_exports": "rule:admin_or_owner",
"get_zone_export": "rule:admin_or_owner",
"update_zone_export": "rule:admin_or_owner",
}

View File

@ -0,0 +1,413 @@
#
#"admin": "role:admin or is_admin:True"
#
#"primary_zone": "target.zone_type:SECONDARY"
#
#"owner": "tenant:%(tenant_id)s"
#
#"admin_or_owner": "rule:admin or rule:owner"
#
#"default": "rule:admin_or_owner"
#
#"target": "tenant:%(target_tenant_id)s"
#
#"owner_or_target": "rule:target or rule:owner"
#
#"admin_or_owner_or_target": "rule:owner_or_target or rule:admin"
#
#"admin_or_target": "rule:admin or rule:target"
#
#"zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Create blacklist.
# POST /v2/blacklists
#"create_blacklist": "rule:admin"
# Find blacklist.
# GET /v2/blacklists
#"find_blacklist": "rule:admin"
# Find blacklists.
# GET /v2/blacklists
#"find_blacklists": "rule:admin"
# Get blacklist.
# GET /v2/blacklists/{blacklist_id}
#"get_blacklist": "rule:admin"
# Update blacklist.
# PATCH /v2/blacklists/{blacklist_id}
#"update_blacklist": "rule:admin"
# Delete blacklist.
# DELETE /v2/blacklists/{blacklist_id}
#"delete_blacklist": "rule:admin"
# Allowed bypass the blacklist.
# POST /v2/zones
#"use_blacklisted_zone": "rule:admin"
# Action on all tenants.
#"all_tenants": "rule:admin"
# Edit managed records.
#"edit_managed_records": "rule:admin"
# Use low TTL.
#"use_low_ttl": "rule:admin"
# Accept sudo from user to tenant.
#"use_sudo": "rule:admin"
# Diagnose ping.
#"diagnostics_ping": "rule:admin"
# Diagnose sync zones.
#"diagnostics_sync_zones": "rule:admin"
# Diagnose sync zone.
#"diagnostics_sync_zone": "rule:admin"
# Diagnose sync record.
#"diagnostics_sync_record": "rule:admin"
# Create pool.
#"create_pool": "rule:admin"
# Find pool.
# GET /v2/pools
#"find_pools": "rule:admin"
# Find pools.
# GET /v2/pools
#"find_pool": "rule:admin"
# Get pool.
# GET /v2/pools/{pool_id}
#"get_pool": "rule:admin"
# Update pool.
#"update_pool": "rule:admin"
# Delete pool.
#"delete_pool": "rule:admin"
# load and set the pool to the one provided in the Zone attributes.
# POST /v2/zones
#"zone_create_forced_pool": "rule:admin"
# View Current Project's Quotas.
# GET /v2/quotas
#"get_quotas": "rule:admin_or_owner"
#
#"get_quota": "rule:admin_or_owner"
# Set Quotas.
# PATCH /v2/quotas/{project_id}
#"set_quota": "rule:admin"
# Reset Quotas.
# DELETE /v2/quotas/{project_id}
#"reset_quotas": "rule:admin"
# Create record.
# POST /v1/domains/<uuid:domain_id>/records
#"create_record": "rule:admin_or_owner"
# Get records.
# GET /v1/domains/<uuid:domain_id>/records
#"get_records": "rule:admin_or_owner"
# Get record.
# GET /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
#"get_record": "rule:admin_or_owner"
# Find records.
# GET /v2/reverse/floatingips/{region}:{floatingip_id}
# GET /v2/reverse/floatingips
#"find_records": "rule:admin_or_owner"
# Find record.
# GET /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# DELETE /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# PUT /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
#"find_record": "rule:admin_or_owner"
# Update record.
# PUT /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
#"update_record": "rule:admin_or_owner"
# Delete record.
# DELETE /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
#"delete_record": "rule:admin_or_owner"
#
#"count_records": "rule:admin_or_owner"
# Create Recordset
# POST /v2/zones/{zone_id}/recordsets
# PATCH /v2/reverse/floatingips/{region}:{floatingip_id}
#"create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
#
#"get_recordsets": "rule:admin_or_owner"
# Get recordset
# GET /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# PUT /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# GET /v2/zones/{zone_id}/recordsets/{recordset_id}
# DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}
# PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
#"get_recordset": "rule:admin_or_owner"
# Find recordsets
# GET /v1/domains/<uuid:domain_id>/records
#"find_recordsets": "rule:admin_or_owner"
# Find recordset
# POST /v1/domains/<uuid:domain_id>/records
# DELETE /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
#"find_recordset": "rule:admin_or_owner"
# Update recordset
# PUT /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
# PATCH /v2/reverse/floatingips/{region}:{floatingip_id}
#"update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Delete RecordSet
# DELETE /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}
#"delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Count recordsets
#"count_recordset": "rule:admin_or_owner"
# Find a single Service Status
# GET /v2/service_status/{service_id}
#"find_service_status": "rule:admin"
# List service statuses.
# GET /v2/service_status
#"find_service_statuses": "rule:admin"
#
#"update_service_service_status": "rule:admin"
# Find all Tenants.
#"find_tenants": "rule:admin"
# Get all Tenants.
#"get_tenant": "rule:admin"
# Count tenants
#"count_tenants": "rule:admin"
# Create Tld
# POST /v2/tlds
#"create_tld": "rule:admin"
# List Tlds
# GET /v2/tlds
#"find_tlds": "rule:admin"
# Show Tld
# GET /v2/tlds/{tld_id}
#"get_tld": "rule:admin"
# Update Tld
# PATCH /v2/tlds/{tld_id}
#"update_tld": "rule:admin"
# Delete Tld
# DELETE /v2/tlds/{tld_id}
#"delete_tld": "rule:admin"
# Create Tsigkey
# POST /v1/tsigkeys
# POST /v2/tsigkeys
#"create_tsigkey": "rule:admin"
# List Tsigkeys
# GET /v1/tsigkeys
# GET /v1/tsigkeys/<uuid:tsigkey_id>
# DELETE /v1/tsigkeys/<uuid:tsigkey_id>
# GET /v2/tsigkeys
#"find_tsigkeys": "rule:admin"
# Show a Tsigkey
# PATCH /v2/tsigkeys/{tsigkey_id}
# GET /v2/tsigkeys/{tsigkey_id}
#"get_tsigkey": "rule:admin"
# Update Tsigkey
# PATCH /v1/tsigkeys/{tsigkey_id}
# PATCH /v2/tsigkeys/{tsigkey_id}
#"update_tsigkey": "rule:admin"
# Delete a Tsigkey
# DELETE /v1/tsigkeys/{tsigkey_id}
# DELETE /v2/tsigkeys/{tsigkey_id}
#"delete_tsigkey": "rule:admin"
# Create Zone
# POST /v1//domains
# POST /v2/zones
#"create_zone": "rule:admin_or_owner"
#
#"get_zones": "rule:admin_or_owner"
# Get Zone
# GET /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
# GET /v1/domains/<uuid:domain_id>/records
# GET /v2/zones/{zone_id}
# PATCH /v2/zones/{zone_id}
# PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
#"get_zone": "rule:admin_or_owner"
#
#"get_zone_servers": "rule:admin_or_owner"
# List existing zones
# GET /v1/domains
# GET /v2/zones
#"find_zones": "rule:admin_or_owner"
# Find Zone
# GET /v1/domains/<uuid:domain_id>
# GET /v1/domains/<uuid:domain_id>/servers
# PUT /v1/domains/<uuid:domain_id>
# DELETE /v1/domains/<uuid:domain_id>
#"find_zone": "rule:admin_or_owner"
# Update Zone
# PUT /v1/domains/<uuid:domain_id>
# PATCH /v2/zones/{zone_id}
#"update_zone": "rule:admin_or_owner"
# Delete Zone
# DELETE /v1/domains/<uuid:domain_id>
# DELETE /v2/zones/{zone_id}
#"delete_zone": "rule:admin_or_owner"
# Manually Trigger an Update of a Secondary Zone
# POST /v2/zones/{zone_id}/tasks/xfr
#"xfr_zone": "rule:admin_or_owner"
# Abandon Zone
# POST /v2/zones/{zone_id}/tasks/abandon
#"abandon_zone": "rule:admin"
#
#"count_zones": "rule:admin_or_owner"
#
#"count_zones_pending_notify": "rule:admin_or_owner"
#
#"purge_zones": "rule:admin"
#
#"touch_zone": "rule:admin_or_owner"
# Retrive a Zone Export from the Designate Datastore
# GET /v2/zones/tasks/exports/{zone_export_id}/export
#"zone_export": "rule:admin_or_owner"
# Create Zone Export
# POST /v2/zones/{zone_id}/tasks/export
#"create_zone_export": "rule:admin_or_owner"
# List Zone Exports
# GET /v2/zones/tasks/exports
#"find_zone_exports": "rule:admin_or_owner"
# Get Zone Exports
# GET /v2/zones/tasks/exports/{zone_export_id}
# GET /v2/zones/tasks/exports/{zone_export_id}/export
#"get_zone_export": "rule:admin_or_owner"
# Update Zone Exports
# POST /v2/zones/{zone_id}/tasks/export
#"update_zone_export": "rule:admin_or_owner"
# Create Zone Import
# POST /v2/zones/tasks/imports
#"create_zone_import": "rule:admin_or_owner"
# List all Zone Imports
# GET /v2/zones/tasks/imports
#"find_zone_imports": "rule:admin_or_owner"
# Get Zone Imports
# GET /v2/zones/tasks/imports/{zone_import_id}
#"get_zone_import": "rule:admin_or_owner"
# Update Zone Imports
# POST /v2/zones/tasks/imports
#"update_zone_import": "rule:admin_or_owner"
# Delete a Zone Import
# GET /v2/zones/tasks/imports/{zone_import_id}
#"delete_zone_import": "rule:admin_or_owner"
# Create Zone Transfer Accept
# POST /v2/zones/tasks/transfer_accepts
#"create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
# Get Zone Transfer Accept
# GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}
#"get_zone_transfer_accept": "rule:admin_or_owner"
# List Zone Transfer Accepts
# GET /v2/zones/tasks/transfer_accepts
#"find_zone_transfer_accepts": "rule:admin"
#
#"find_zone_transfer_accept": "rule:admin"
# Update a Zone Transfer Accept
# POST /v2/zones/tasks/transfer_accepts
#"update_zone_transfer_accept": "rule:admin"
#
#"delete_zone_transfer_accept": "rule:admin"
# Create Zone Transfer Accept
# POST /v2/zones/{zone_id}/tasks/transfer_requests
#"create_zone_transfer_request": "rule:admin_or_owner"
# Show a Zone Transfer Request
# GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
# PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
#"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
#
#"get_zone_transfer_request_detailed": "rule:admin_or_owner"
# List Zone Transfer Requests
# GET /v2/zones/tasks/transfer_requests
#"find_zone_transfer_requests": "@"
#
#"find_zone_transfer_request": "@"
# Update a Zone Transfer Request
# PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
#"update_zone_transfer_request": "rule:admin_or_owner"
# Delete a Zone Transfer Request
# DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
#"delete_zone_transfer_request": "rule:admin_or_owner"

View File

@ -30,7 +30,6 @@ packages =
data_files = data_files =
etc/designate = etc/designate =
etc/designate/api-paste.ini etc/designate/api-paste.ini
etc/designate/policy.json
etc/designate/designate.conf.sample etc/designate/designate.conf.sample
etc/designate/rootwrap.conf.sample etc/designate/rootwrap.conf.sample
etc/designate/rootwrap.d = etc/designate/rootwrap.d/* etc/designate/rootwrap.d = etc/designate/rootwrap.d/*