openstack/horizon
Code Issues Proposed changes

Sync default policy rules

Browse Source 
Update default policy-in-code rules in horizon based on
nova/neutron/cinder/glance RC deliverables.
More precisely, they are based on the top of stable/wallaby
branch of these projects as of Apr 7 14UTC.

Change-Id: I2040201b533f1d16f1f629e31be8d7b9130b2e52
This commit is contained in:
Akihiro Motoki 2021-03-30 13:49:24 +09:00
parent 03e848b181
commit 4e195570e5
8 changed files with 4368 additions and 982 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
openstack_dashboard/conf/cinder_policy.yaml
View File

@ -7,6 +7,9 @@
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Default rule for admins of cloud, domain or a project.
#"system_or_domain_or_project_admin": "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
# Create attachment.
# POST /attachments
#"volume:attachment_create": ""
@ -236,7 +239,7 @@
# Reset status of group snapshot.
# POST /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_or_owner"
#"group:reset_group_snapshot_status": "rule:admin_api"
# Delete group.
# POST /groups/{group_id}/action (delete)
@ -306,10 +309,6 @@
# DELETE /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"
# Validate setup for nested quota.
# GET /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
# Show backend capabilities.
# GET /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"
@ -644,3 +643,24 @@
# POST /volumes
#"volume:multiattach": "rule:admin_or_owner"
# Set or update default volume type.
# PUT /default-types
# Intended scope(s): system
#"volume_extension:default_set_or_update": "rule:system_or_domain_or_project_admin"
# Get default types.
# GET /default-types/{project-id}
# Intended scope(s): system
#"volume_extension:default_get": "rule:system_or_domain_or_project_admin"
# Get all default types. WARNING: Changing this might open up too much
# information regarding cloud deployment.
# GET /default-types/
# Intended scope(s): system
#"volume_extension:default_get_all": "role:admin and system_scope:all"
# Unset default type.
# DELETE /default-types/{project-id}
# Intended scope(s): system
#"volume_extension:default_unset": "rule:system_or_domain_or_project_admin"

48
openstack_dashboard/conf/default_policies/cinder.yaml
View File

@ -13,6 +13,12 @@
name: admin_api
operations: []
scope_types: null
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)
or (role:admin and project_id:%(project_id)s)
description: Default rule for admins of cloud, domain or a project.
name: system_or_domain_or_project_admin
operations: []
scope_types: null
- check_str: ''
description: Create attachment.
name: volume:attachment_create
@ -413,7 +419,7 @@
- method: GET
path: /group_snapshots/detail
scope_types: null
- check_str: rule:admin_or_owner
- check_str: rule:admin_api
description: Reset status of group snapshot.
name: group:reset_group_snapshot_status
operations:
@ -541,13 +547,6 @@
- method: DELETE
path: /os-quota-sets/{project_id}
scope_types: null
- check_str: rule:admin_api
description: Validate setup for nested quota.
name: volume_extension:quota_classes:validate_setup_for_nested_quota_use
operations:
- method: GET
path: /os-quota-sets/validate_setup_for_nested_quota_use
scope_types: null
- check_str: rule:admin_api
description: Show backend capabilities.
name: volume_extension:capabilities
@ -1135,3 +1134,36 @@
- method: POST
path: /volumes
scope_types: null
- check_str: rule:system_or_domain_or_project_admin
description: Set or update default volume type.
name: volume_extension:default_set_or_update
operations:
- method: PUT
path: /default-types
scope_types:
- system
- check_str: rule:system_or_domain_or_project_admin
description: Get default types.
name: volume_extension:default_get
operations:
- method: GET
path: /default-types/{project-id}
scope_types:
- system
- check_str: role:admin and system_scope:all
description: 'Get all default types. WARNING: Changing this might open up too much
information regarding cloud deployment.'
name: volume_extension:default_get_all
operations:
- method: GET
path: /default-types/
scope_types:
- system
- check_str: rule:system_or_domain_or_project_admin
description: Unset default type.
name: volume_extension:default_unset
operations:
- method: DELETE
path: /default-types/{project-id}
scope_types:
- system

594
openstack_dashboard/conf/default_policies/glance.yaml
View File

@ -18,262 +18,606 @@
name: context_is_admin
operations: []
scope_types: null
- check_str: rule:default
description: null
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: add_image
deprecated_since: W
description: Create new image
name: add_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: POST
path: /v2/images
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: delete_image
deprecated_since: W
description: Deletes the image
name: delete_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: DELETE
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
or "community":%(visibility)s or "public":%(visibility)s))
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: get_image
deprecated_since: W
description: Get specified image
name: get_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: GET
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: get_images
deprecated_since: W
description: Get all available images
name: get_images
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: GET
path: /v2/images
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: modify_image
deprecated_since: W
description: Updates given image
name: modify_image
operations: []
scope_types: null
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin
description: null
description: Publicize given image
name: publicize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: communitize_image
deprecated_since: W
description: Communitize given image
name: communitize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s
or "community":%(visibility)s or "public":%(visibility)s))
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: download_image
deprecated_since: W
description: Downloads given image
name: download_image
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: GET
path: /v2/images/{image_id}/file
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: upload_image
deprecated_since: W
description: Uploads data to specified image
name: upload_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: set_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_members
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_member
operations: []
scope_types: null
operations:
- method: PUT
path: /v2/images/{image_id}/file
scope_types:
- system
- project
- check_str: role:admin
description: null
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: delete_image_location
deprecated_since: W
description: Deletes the location of given image
name: delete_image_location
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: get_image_location
deprecated_since: W
description: Reads the location of the image
name: get_image_location
operations:
- method: GET
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: set_image_location
deprecated_since: W
description: Sets location URI to given image
name: set_image_location
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: add_member
deprecated_since: W
description: Create image member
name: add_member
operations:
- method: POST
path: /v2/images/{image_id}/members
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: delete_member
deprecated_since: W
description: Delete image member
name: delete_member
operations:
- method: DELETE
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: get_member
deprecated_since: W
description: Show image member details
name: get_member
operations:
- method: GET
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: get_members
deprecated_since: W
description: List image members
name: get_members
operations:
- method: GET
path: /v2/images/{image_id}/members
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: modify_member
deprecated_since: W
description: Update image member
name: modify_member
operations:
- method: PUT
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- system
- project
- check_str: role:admin
description: Manage image cache
name: manage_image_cache
operations: []
scope_types: null
- check_str: rule:default
description: null
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: deactivate
deprecated_since: W
description: Deactivate image
name: deactivate
operations: []
scope_types: null
- check_str: rule:default
description: null
operations:
- method: POST
path: /v2/images/{image_id}/actions/deactivate
scope_types:
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports and default roles.
'
deprecated_rule:
check_str: rule:default
name: reactivate
deprecated_since: W
description: Reactivate image
name: reactivate
operations: []
scope_types: null
operations:
- method: POST
path: /v2/images/{image_id}/actions/reactivate
scope_types:
- system
- project
- check_str: role:admin
description: null
description: Copy existing image to other stores
name: copy_image
operations: []
scope_types: null
operations:
- method: POST
path: /v2/images/{image_id}/import
scope_types:
- system
- project
- check_str: rule:default
description: null
description: 'Get an image task.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: get_task
operations: []
scope_types: null
operations:
- method: GET
path: /v2/tasks/{task_id}
scope_types:
- system
- project
- check_str: rule:default
description: null
description: 'List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: get_tasks
operations: []
scope_types: null
operations:
- method: GET
path: /v2/tasks
scope_types:
- system
- project
- check_str: rule:default
description: null
description: 'List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: add_task
operations: []
scope_types: null
operations:
- method: POST
path: /v2/tasks
scope_types:
- system
- project
- check_str: rule:default
description: null
deprecated_for_removal: true
deprecated_reason: '
This policy check has never been honored by the API. It will be removed in a
future release.
'
deprecated_since: W
description: This policy is not used.
name: modify_task
operations:
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- system
- project
- check_str: role:admin
description: '
This is a generic blanket policy for protecting all task APIs. It is not
granular and will not allow you to separate writable and readable task
operations into different roles.
'
name: tasks_api_access
operations:
- method: GET
path: /v2/tasks/{task_id}
- method: GET
path: /v2/tasks
- method: POST
path: /v2/tasks
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- system
- project
- check_str: ''
description: null
name: metadef_default
operations: []
scope_types: null
- check_str: role:admin
description: null
name: tasks_api_access
name: metadef_admin
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_namespaces
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: modify_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: delete_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_object
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_objects
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: modify_metadef_object
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_object
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: delete_metadef_object
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: list_metadef_resource_types
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_resource_type
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: remove_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_property
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_properties
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: modify_metadef_property
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_property
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: remove_metadef_property
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_default
description: null
name: get_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: modify_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: add_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: delete_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
- check_str: rule:metadef_admin
description: null
name: delete_metadef_tags
operations: []

2223
openstack_dashboard/conf/default_policies/neutron.yaml
View File

File diff suppressed because it is too large Load Diff

117
openstack_dashboard/conf/default_policies/nova.yaml
View File

@ -166,15 +166,6 @@
scope_types:
- system
- project
- check_str: rule:system_admin_api
description: Reset networking on a server
name: os_compute_api:os-admin-actions:reset_network
operations:
- method: POST
path: /servers/{server_id}/action (resetNetwork)
scope_types:
- system
- project
- check_str: rule:system_admin_or_owner
description: Change the administrative password for a server
name: os_compute_api:os-admin-password
@ -184,114 +175,6 @@
scope_types:
- system
- project
- check_str: rule:system_reader_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_rule:
check_str: rule:admin_api
name: os_compute_api:os-agents
deprecated_since: 21.0.0
description: 'List guest agent builds
This is XenAPI driver specific.
It is used to force the upgrade of the XenAPI guest agent on instance boot.
'
name: os_compute_api:os-agents:list
operations:
- method: GET
path: /os-agents
scope_types:
- system
- check_str: rule:system_admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_rule:
check_str: rule:admin_api
name: os_compute_api:os-agents
deprecated_since: 21.0.0
description: 'Create guest agent builds
This is XenAPI driver specific.
It is used to force the upgrade of the XenAPI guest agent on instance boot.
'
name: os_compute_api:os-agents:create
operations:
- method: POST
path: /os-agents
scope_types:
- system
- check_str: rule:system_admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_rule:
check_str: rule:admin_api
name: os_compute_api:os-agents
deprecated_since: 21.0.0
description: 'Update guest agent builds
This is XenAPI driver specific.
It is used to force the upgrade of the XenAPI guest agent on instance boot.
'
name: os_compute_api:os-agents:update
operations:
- method: PUT
path: /os-agents/{agent_build_id}
scope_types:
- system
- check_str: rule:system_admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_rule:
check_str: rule:admin_api
name: os_compute_api:os-agents
deprecated_since: 21.0.0
description: 'Delete guest agent builds
This is XenAPI driver specific.
It is used to force the upgrade of the XenAPI guest agent on instance boot.
'
name: os_compute_api:os-agents:delete
operations:
- method: DELETE
path: /os-agents/{agent_build_id}
scope_types:
- system
- check_str: rule:system_admin_api
description: Create or replace metadata for an aggregate
name: os_compute_api:os-aggregates:set_metadata

311
openstack_dashboard/conf/glance_policy.yaml
View File

@ -15,107 +15,330 @@
# Defines the rule for the is_admin:True check.
#"context_is_admin": "role:admin"
#"add_image": "rule:default"
# Create new image
# POST /v2/images
# Intended scope(s): system, project
#"add_image": "role:admin or (role:member and project_id:%(project_id)s)"
#"delete_image": "rule:default"
# DEPRECATED
# "add_image":"rule:default" has been deprecated since W in favor of
# "add_image":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
#"get_image": "rule:default"
# Deletes the image
# DELETE /v2/images/{image_id}
# Intended scope(s): system, project
#"delete_image": "role:admin or (role:member and project_id:%(project_id)s)"
#"get_images": "rule:default"
# DEPRECATED
# "delete_image":"rule:default" has been deprecated since W in favor
# of "delete_image":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
#"modify_image": "rule:default"
# Get specified image
# GET /v2/images/{image_id}
# Intended scope(s): system, project
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
# DEPRECATED
# "get_image":"rule:default" has been deprecated since W in favor of
# "get_image":"role:admin or (role:reader and
# (project_id:%(project_id)s or project_id:%(member_id)s or
# "community":%(visibility)s or "public":%(visibility)s))".
# The image API now supports and default roles.
# Get all available images
# GET /v2/images
# Intended scope(s): system, project
#"get_images": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_images":"rule:default" has been deprecated since W in favor of
# "get_images":"role:admin or (role:reader and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Updates given image
# PATCH /v2/images/{image_id}
# Intended scope(s): system, project
#"modify_image": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "modify_image":"rule:default" has been deprecated since W in favor
# of "modify_image":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Publicize given image
# PATCH /v2/images/{image_id}
# Intended scope(s): system, project
#"publicize_image": "role:admin"
#"communitize_image": "rule:default"
# Communitize given image
# PATCH /v2/images/{image_id}
# Intended scope(s): system, project
#"communitize_image": "role:admin or (role:member and project_id:%(project_id)s)"
#"download_image": "rule:default"
# DEPRECATED
# "communitize_image":"rule:default" has been deprecated since W in
# favor of "communitize_image":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
#"upload_image": "rule:default"
# Downloads given image
# GET /v2/images/{image_id}/file
# Intended scope(s): system, project
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
#"delete_image_location": "rule:default"
# DEPRECATED
# "download_image":"rule:default" has been deprecated since W in favor
# of "download_image":"role:admin or (role:member and
# (project_id:%(project_id)s or project_id:%(member_id)s or
# "community":%(visibility)s or "public":%(visibility)s))".
# The image API now supports and default roles.
#"get_image_location": "rule:default"
# Uploads data to specified image
# PUT /v2/images/{image_id}/file
# Intended scope(s): system, project
#"upload_image": "role:admin or (role:member and project_id:%(project_id)s)"
#"set_image_location": "rule:default"
# DEPRECATED
# "upload_image":"rule:default" has been deprecated since W in favor
# of "upload_image":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
#"add_member": "rule:default"
# Deletes the location of given image
# PATCH /v2/images/{image_id}
# Intended scope(s): system, project
#"delete_image_location": "role:admin"
#"delete_member": "rule:default"
# DEPRECATED
# "delete_image_location":"rule:default" has been deprecated since W
# in favor of "delete_image_location":"role:admin".
# The image API now supports and default roles.
#"get_member": "rule:default"
# Reads the location of the image
# GET /v2/images/{image_id}
# Intended scope(s): system, project
#"get_image_location": "role:admin or (role:reader and project_id:%(project_id)s)"
#"get_members": "rule:default"
# DEPRECATED
# "get_image_location":"rule:default" has been deprecated since W in
# favor of "get_image_location":"role:admin or (role:reader and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
#"modify_member": "rule:default"
# Sets location URI to given image
# PATCH /v2/images/{image_id}
# Intended scope(s): system, project
#"set_image_location": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "set_image_location":"rule:default" has been deprecated since W in
# favor of "set_image_location":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Create image member
# POST /v2/images/{image_id}/members
# Intended scope(s): system, project
#"add_member": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "add_member":"rule:default" has been deprecated since W in favor of
# "add_member":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Delete image member
# DELETE /v2/images/{image_id}/members/{member_id}
# Intended scope(s): system, project
#"delete_member": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_member":"rule:default" has been deprecated since W in favor
# of "delete_member":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Show image member details
# GET /v2/images/{image_id}/members/{member_id}
# Intended scope(s): system, project
#"get_member": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_member":"rule:default" has been deprecated since W in favor of
# "get_member":"role:admin or (role:reader and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# List image members
# GET /v2/images/{image_id}/members
# Intended scope(s): system, project
#"get_members": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_members":"rule:default" has been deprecated since W in favor of
# "get_members":"role:admin or (role:reader and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Update image member
# PUT /v2/images/{image_id}/members/{member_id}
# Intended scope(s): system, project
#"modify_member": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "modify_member":"rule:default" has been deprecated since W in favor
# of "modify_member":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Manage image cache
# Intended scope(s): system, project
#"manage_image_cache": "role:admin"
#"deactivate": "rule:default"
# Deactivate image
# POST /v2/images/{image_id}/actions/deactivate
# Intended scope(s): system, project
#"deactivate": "role:admin or (role:member and project_id:%(project_id)s)"
#"reactivate": "rule:default"
# DEPRECATED
# "deactivate":"rule:default" has been deprecated since W in favor of
# "deactivate":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Reactivate image
# POST /v2/images/{image_id}/actions/reactivate
# Intended scope(s): system, project
#"reactivate": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "reactivate":"rule:default" has been deprecated since W in favor of
# "reactivate":"role:admin or (role:member and
# project_id:%(project_id)s)".
# The image API now supports and default roles.
# Copy existing image to other stores
# POST /v2/images/{image_id}/import
# Intended scope(s): system, project
#"copy_image": "role:admin"
# Get an image task.
#
# This granular policy controls access to tasks, both from the tasks
# API as well as internal locations in Glance that use tasks (like
# import). Practically this cannot be more restrictive than the policy
# that controls import or things will break, and changing it from the
# default is almost certainly not what you want. Access to the
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# GET /v2/tasks/{task_id}
# Intended scope(s): system, project
#"get_task": "rule:default"
# List tasks for all images.
#
# This granular policy controls access to tasks, both from the tasks
# API as well as internal locations in Glance that use tasks (like
# import). Practically this cannot be more restrictive than the policy
# that controls import or things will break, and changing it from the
# default is almost certainly not what you want. Access to the
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# GET /v2/tasks
# Intended scope(s): system, project
#"get_tasks": "rule:default"
# List tasks for all images.
#
# This granular policy controls access to tasks, both from the tasks
# API as well as internal locations in Glance that use tasks (like
# import). Practically this cannot be more restrictive than the policy
# that controls import or things will break, and changing it from the
# default is almost certainly not what you want. Access to the
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# POST /v2/tasks
# Intended scope(s): system, project
#"add_task": "rule:default"
# DEPRECATED
# "modify_task" has been deprecated since W.
# This policy check has never been honored by the API. It will be
# removed in a future release.
# This policy is not used.
# DELETE /v2/tasks/{task_id}
# Intended scope(s): system, project
#"modify_task": "rule:default"
# This is a generic blanket policy for protecting all task APIs. It is
# not granular and will not allow you to separate writable and
# readable task operations into different roles.
# GET /v2/tasks/{task_id}
# GET /v2/tasks
# POST /v2/tasks
# DELETE /v2/tasks/{task_id}
# Intended scope(s): system, project
#"tasks_api_access": "role:admin"
#"get_metadef_namespace": "rule:default"
#"metadef_default": ""
#"get_metadef_namespaces": "rule:default"
#"metadef_admin": "role:admin"
#"modify_metadef_namespace": "rule:default"
#"get_metadef_namespace": "rule:metadef_default"
#"add_metadef_namespace": "rule:default"
#"get_metadef_namespaces": "rule:metadef_default"
#"delete_metadef_namespace": "rule:default"
#"modify_metadef_namespace": "rule:metadef_admin"
#"get_metadef_object": "rule:default"
#"add_metadef_namespace": "rule:metadef_admin"
#"get_metadef_objects": "rule:default"
#"delete_metadef_namespace": "rule:metadef_admin"
#"modify_metadef_object": "rule:default"
#"get_metadef_object": "rule:metadef_default"
#"add_metadef_object": "rule:default"
#"get_metadef_objects": "rule:metadef_default"
#"delete_metadef_object": "rule:default"
#"modify_metadef_object": "rule:metadef_admin"
#"list_metadef_resource_types": "rule:default"
#"add_metadef_object": "rule:metadef_admin"
#"get_metadef_resource_type": "rule:default"
#"delete_metadef_object": "rule:metadef_admin"
#"add_metadef_resource_type_association": "rule:default"
#"list_metadef_resource_types": "rule:metadef_default"
#"remove_metadef_resource_type_association": "rule:default"
#"get_metadef_resource_type": "rule:metadef_default"
#"get_metadef_property": "rule:default"
#"add_metadef_resource_type_association": "rule:metadef_admin"
#"get_metadef_properties": "rule:default"
#"remove_metadef_resource_type_association": "rule:metadef_admin"
#"modify_metadef_property": "rule:default"
#"get_metadef_property": "rule:metadef_default"
#"add_metadef_property": "rule:default"
#"get_metadef_properties": "rule:metadef_default"
#"remove_metadef_property": "rule:default"
#"modify_metadef_property": "rule:metadef_admin"
#"get_metadef_tag": "rule:default"
#"add_metadef_property": "rule:metadef_admin"
#"get_metadef_tags": "rule:default"
#"remove_metadef_property": "rule:metadef_admin"
#"modify_metadef_tag": "rule:default"
#"get_metadef_tag": "rule:metadef_default"
#"add_metadef_tag": "rule:default"
#"get_metadef_tags": "rule:metadef_default"
#"add_metadef_tags": "rule:default"
#"modify_metadef_tag": "rule:metadef_admin"
#"delete_metadef_tag": "rule:default"
#"add_metadef_tag": "rule:metadef_admin"
#"delete_metadef_tags": "rule:default"
#"add_metadef_tags": "rule:metadef_admin"
#"delete_metadef_tag": "rule:metadef_admin"
#"delete_metadef_tags": "rule:metadef_admin"

1962
openstack_dashboard/conf/neutron_policy.yaml
View File

File diff suppressed because it is too large Load Diff

65
openstack_dashboard/conf/nova_policy.yaml
View File

@ -102,76 +102,11 @@
# Intended scope(s): system, project
#"os_compute_api:os-admin-actions:inject_network_info": "rule:system_admin_api"
# Reset networking on a server
# POST /servers/{server_id}/action (resetNetwork)
# Intended scope(s): system, project
#"os_compute_api:os-admin-actions:reset_network": "rule:system_admin_api"
# Change the administrative password for a server
# POST /servers/{server_id}/action (changePassword)
# Intended scope(s): system, project
#"os_compute_api:os-admin-password": "rule:system_admin_or_owner"
# List guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# GET /os-agents
# Intended scope(s): system
#"os_compute_api:os-agents:list": "rule:system_reader_api"
# DEPRECATED
# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
# since 21.0.0 in favor of "os_compute_api:os-
# agents:list":"rule:system_reader_api".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:list"
# Create guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# POST /os-agents
# Intended scope(s): system
#"os_compute_api:os-agents:create": "rule:system_admin_api"
# DEPRECATED
# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
# since 21.0.0 in favor of "os_compute_api:os-
# agents:create":"rule:system_admin_api".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:create"
# Update guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# PUT /os-agents/{agent_build_id}
# Intended scope(s): system
#"os_compute_api:os-agents:update": "rule:system_admin_api"
# DEPRECATED
# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
# since 21.0.0 in favor of "os_compute_api:os-
# agents:update":"rule:system_admin_api".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:update"
# Delete guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# DELETE /os-agents/{agent_build_id}
# Intended scope(s): system
#"os_compute_api:os-agents:delete": "rule:system_admin_api"
# DEPRECATED
# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
# since 21.0.0 in favor of "os_compute_api:os-
# agents:delete":"rule:system_admin_api".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:delete"
# Create or replace metadata for an aggregate
# POST /os-aggregates/{aggregate_id}/action (set_metadata)
# Intended scope(s): system