From 712dbd26d1111c63996ca06c5b41a3050b9b7e5d Mon Sep 17 00:00:00 2001
From: manchandavishal
Date: Tue, 12 Mar 2024 09:16:55 +0530
Subject: [PATCH] Sync default policy rules

This patch updates default policy-in-code rules in horizon based on nova/neutron/cinder/keystone RC deliverables. It doesn't update policy rules for glance as I have found no changes in their policy rules. Horizon needs to update default policy-in-code rules for all backend services before releasing the horizon[1].

[1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing

Change-Id: I7437b3a46377c18f026db103237b4d107dc787cb
---
 openstack_dashboard/conf/cinder_policy.yaml | 4 +
 .../conf/default_policies/cinder.yaml | 7 +
 .../conf/default_policies/keystone.yaml | 489 +++++---
 .../conf/default_policies/neutron.yaml | 394 +++++-
 .../conf/default_policies/nova.yaml | 8 +-
 openstack_dashboard/conf/keystone_policy.yaml | 1103 ++++++++--------
 openstack_dashboard/conf/neutron_policy.yaml | 362 ++++--
 openstack_dashboard/conf/nova_policy.yaml | 9 +-
 8 files changed, 1490 insertions(+), 886 deletions(-)
diff --git a/openstack_dashboard/conf/cinder_policy.yaml b/openstack_dashboard/conf/cinder_policy.yaml
index f4d54075d3..8f3a145ec6 100644
--- a/openstack_dashboard/conf/cinder_policy.yaml
+++ b/openstack_dashboard/conf/cinder_policy.yaml
@@ -1138,6 +1138,10 @@
 # "personas". See "Policy Personas and Permissions" in the "Cinder
 # Service Configuration" documentation (Xena release) for details.
 
+# Complete a volume extend operation.
+# POST /volumes/{volume_id}/action (os-extend_volume_completion)
+#"volume_extension:volume_admin_actions:extend_volume_completion": "rule:admin_api"
+
 # Revert a volume to a snapshot.
 # POST /volumes/{volume_id}/action (revert)
 #"volume:revert_to_snapshot": "rule:xena_system_admin_or_project_member"
diff --git a/openstack_dashboard/conf/default_policies/cinder.yaml b/openstack_dashboard/conf/default_policies/cinder.yaml
index 0d9d461c0e..1badc61387 100644
--- a/openstack_dashboard/conf/default_policies/cinder.yaml
+++ b/openstack_dashboard/conf/default_policies/cinder.yaml
@@ -1144,6 +1144,13 @@
   - method: POST
     path: /volumes/{volume_id}/action (os-extend)
   scope_types: null
+- check_str: rule:admin_api description: Complete a volume extend operation. name: volume_extension:volume_admin_actions:extend_volume_completion operations: - method: POST path: /volumes/{volume_id}/action (os-extend_volume_completion) scope_types: null
 - check_str: rule:xena_system_admin_or_project_member
   deprecated_reason: null
   deprecated_rule:
diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml
index 47b0f8fa04..aa3a3af971 100644
--- a/openstack_dashboard/conf/default_policies/keystone.yaml
+++ b/openstack_dashboard/conf/default_policies/keystone.yaml
@@ -207,7 +207,7 @@
   - method: HEAD
     path: /v3/auth/system
   scope_types: null
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -220,7 +220,8 @@
     path: /v3/OS-OAUTH1/consumers/{consumer_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -233,7 +234,8 @@
     path: /v3/OS-OAUTH1/consumers
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
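Review bot: In the three keystone.yaml hunks on this line, and in every keystone hunk that follows through `@@ -1969,7 +2061,8 @@`, the `check_str` drops the `system_scope:all` requirement for admins (`role:admin and system_scope:all` becomes `rule:admin_required`, and the reader rules gain a leading `rule:admin_required or`) while `- project` is appended to `scope_types`; the commit message calls this a sync but does not say that the effective defaults become broader. Since horizon evaluates these defaults for UI gating, and an operator who copied the older system-scope-only strings into their own override file may now see horizon hide or show actions differently from what keystone enforces, a reno release note naming the widened keystone defaults would help. The new strings also rely on the `admin_required` rule being defined elsewhere in the regenerated file (presumably `role:admin or is_admin:1`, as keystone defines it); that definition sits outside these hunks, so confirm it is still present after regeneration.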
@@ -246,7 +248,8 @@
     path: /v3/OS-OAUTH1/consumers
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -259,7 +262,8 @@
     path: /v3/OS-OAUTH1/consumers/{consumer_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -272,6 +276,7 @@
     path: /v3/OS-OAUTH1/consumers/{consumer_id}
   scope_types:
   - system
+  - project
 - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
   deprecated_reason: null
   deprecated_rule:
@@ -342,7 +347,7 @@
   scope_types:
   - system
   - project
-- check_str: (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s
+- check_str: rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s
   deprecated_reason: null
   deprecated_rule:
@@ -358,7 +363,8 @@
   - system
   - domain
   - project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_required or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.domain.id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -371,7 +377,9 @@
     path: /v3/domains
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - domain
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -384,7 +392,8 @@
     path: /v3/domains
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -397,7 +406,8 @@
     path: /v3/domains/{domain_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -410,7 +420,8 @@
     path: /v3/domains/{domain_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -423,7 +434,8 @@
     path: /v3/domains/{domain_id}/config
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -447,6 +459,7 @@
     path: /v3/domains/{domain_id}/config/{group}/{option}
   scope_types:
   - system
+  - project
 - check_str: ''
   description: Get security compliance domain configuration for either a domain or a specific option in a domain.
@@ -464,7 +477,7 @@
   - system
   - domain
   - project
-- check_str: role:admin and system_scope:all
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -482,7 +495,8 @@
     path: /v3/domains/{domain_id}/config/{group}/{option}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -500,7 +514,8 @@
     path: /v3/domains/{domain_id}/config/{group}/{option}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -524,6 +539,7 @@
     path: /v3/domains/config/{group}/{option}/default
   scope_types:
   - system
+  - project
 - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
   deprecated_reason: null
   deprecated_rule:
@@ -580,7 +596,7 @@
   scope_types:
   - system
   - project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -593,7 +609,8 @@
     path: /v3/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -606,7 +623,8 @@
     path: /v3/endpoints
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -619,7 +637,8 @@
     path: /v3/endpoints
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -632,7 +651,8 @@
     path: /v3/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -645,7 +665,8 @@
     path: /v3/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -658,7 +679,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -671,7 +693,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -686,7 +709,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -699,7 +723,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -712,7 +737,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -725,7 +751,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -738,7 +765,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -753,7 +781,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -766,7 +795,8 @@
     path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -779,7 +809,8 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -792,12 +823,13 @@
     path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
   scope_types:
   - system
-- check_str: (role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s
-    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s
-    and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
-    or None:%(target.role.domain_id)s)
+  - project
+- check_str: (rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader
+    and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s)
+    or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s)
+    or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s)
+    or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
+    and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -844,11 +876,12 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s
-    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s
-    and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.domain.id)s)
+  - project
+- check_str: (rule:admin_required) or ((role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s)
+    or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s)
+    or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s)
+    or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -883,7 +916,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s
+  - project
+- check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s
     and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
     and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
     and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
@@ -919,7 +953,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s
+  - project
+- check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s
     and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
     and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
     and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
@@ -957,7 +992,8 @@
   scope_types:
   - system
   - domain
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -972,7 +1008,8 @@
     path: /v3/system/users/{user_id}/roles
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -987,7 +1024,8 @@
     path: /v3/system/users/{user_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1001,7 +1039,8 @@
     path: /v3/system/users/{user_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1015,7 +1054,8 @@
     path: /v3/system/users/{user_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1030,7 +1070,8 @@
     path: /v3/system/groups/{group_id}/roles
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1045,7 +1086,8 @@
     path: /v3/system/groups/{group_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1059,7 +1101,8 @@
     path: /v3/system/groups/{group_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1073,7 +1116,9 @@
     path: /v3/system/groups/{group_id}/roles/{role_id}
   scope_types:
   - system
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.group.domain_id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1089,7 +1134,9 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.group.domain_id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1105,8 +1152,9 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
-    or user_id:%(user_id)s
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_or_owner
@@ -1123,7 +1171,7 @@
   - system
   - domain
   - project
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1137,7 +1185,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1151,7 +1200,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1165,7 +1215,9 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.group.domain_id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1181,8 +1233,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.user.domain_id)s)
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1196,8 +1248,9 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.user.domain_id)s)
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1213,8 +1266,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s
-    and domain_id:%(target.user.domain_id)s)
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1228,7 +1281,8 @@
   scope_types:
   - system
   - domain
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1241,7 +1295,8 @@
     path: /v3/OS-FEDERATION/identity_providers/{idp_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1256,7 +1311,8 @@
     path: /v3/OS-FEDERATION/identity_providers
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1271,7 +1327,8 @@
     path: /v3/OS-FEDERATION/identity_providers/{idp_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1284,7 +1341,8 @@
     path: /v3/OS-FEDERATION/identity_providers/{idp_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1297,7 +1355,8 @@
     path: /v3/OS-FEDERATION/identity_providers/{idp_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1312,7 +1371,8 @@
     path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1330,7 +1390,8 @@
     path: /v3/roles/{prior_role_id}/implies
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1345,7 +1406,8 @@
     path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1361,7 +1423,8 @@
     path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1378,7 +1441,8 @@
     path: /v3/role_inferences
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1393,6 +1457,7 @@
     path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
   scope_types:
   - system
+  - project
 - check_str: ''
   description: Get limit enforcement model.
   name: identity:get_limit_model
@@ -1405,7 +1470,7 @@
   - system
   - domain
   - project
-- check_str: (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s
+- check_str: rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s
     or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s
     and not None:%(target.limit.project_id)s)
   description: Show limit details.
@@ -1431,7 +1496,7 @@
   - system
   - domain
   - project
-- check_str: role:admin and system_scope:all
+- check_str: rule:admin_required
   description: Create limits.
   name: identity:create_limits
   operations:
@@ -1439,7 +1504,8 @@
     path: /v3/limits
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   description: Update limit.
   name: identity:update_limit
   operations:
@@ -1447,7 +1513,8 @@
     path: /v3/limits/{limit_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   description: Delete limit.
   name: identity:delete_limit
   operations:
@@ -1455,7 +1522,8 @@
     path: /v3/limits/{limit_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1468,7 +1536,8 @@
     path: /v3/OS-FEDERATION/mappings/{mapping_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1483,7 +1552,8 @@
     path: /v3/OS-FEDERATION/mappings/{mapping_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1498,7 +1568,8 @@
     path: /v3/OS-FEDERATION/mappings
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1511,7 +1582,8 @@
     path: /v3/OS-FEDERATION/mappings/{mapping_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1524,7 +1596,8 @@
     path: /v3/OS-FEDERATION/mappings/{mapping_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1537,7 +1610,8 @@
     path: /v3/policies/{policy_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1550,7 +1624,8 @@
     path: /v3/policies
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1563,7 +1638,8 @@
     path: /v3/policies
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1576,7 +1652,8 @@
     path: /v3/policies/{policy_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1589,7 +1666,8 @@
     path: /v3/policies/{policy_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1602,7 +1680,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1617,7 +1696,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1630,7 +1710,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1643,7 +1724,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1658,7 +1740,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1671,7 +1754,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1684,7 +1768,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1699,7 +1784,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
   scope_types:
   - system
-- check_str: role:admin and system_scope:all
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1712,7 +1798,8 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1727,7 +1814,8 @@
     path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
   scope_types:
   - system
-- check_str: role:reader and system_scope:all
+  - project
+- check_str: rule:admin_required or (role:reader and system_scope:all)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1740,8 +1828,9 @@
     path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
   scope_types:
   - system
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s)
-    or project_id:%(target.project.id)s
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required or project_id:%(target.project.id)s
@@ -1756,7 +1845,8 @@
   - system
   - domain
   - project
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.domain_id)s)
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1770,8 +1860,9 @@
   scope_types:
   - system
   - domain
-- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
-    or user_id:%(target.user.id)s
+  - project
+- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
+    and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_or_owner
@@ -1786,7 +1877,7 @@
   - system
   - domain
   - project
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1800,7 +1891,8 @@
   scope_types:
   - system
   - domain
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
+  - project
+- check_str: rule:admin_required
   deprecated_reason: null
   deprecated_rule:
     check_str: rule:admin_required
@@ -1814,7 +1906,8 @@ scope_types: - system - domain -- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1828,8 +1921,9 @@ scope_types: - system - domain -- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) - or project_id:%(target.project.id)s + - project +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s @@ -1846,8 +1940,8 @@ - system - domain - project -- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) - or project_id:%(target.project.id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s @@ -1864,8 +1958,7 @@ - system - domain - project -- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - or (role:admin and project_id:%(target.project.id)s) +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1880,8 +1973,7 @@ - system - domain - project -- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - or (role:admin and project_id:%(target.project.id)s) +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required 
@@ -1896,8 +1988,7 @@ - system - domain - project -- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - or (role:admin and project_id:%(target.project.id)s) +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1912,8 +2003,7 @@ - system - domain - project -- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - or (role:admin and project_id:%(target.project.id)s) +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1928,7 +2018,7 @@ - system - domain - project -- check_str: role:reader and system_scope:all +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1941,7 +2031,8 @@ path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1954,7 +2045,8 @@ path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1969,7 +2061,8 @@ path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required 
@@ -1982,7 +2075,8 @@ path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -1996,7 +2090,8 @@ path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2009,7 +2104,8 @@ path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2022,7 +2118,8 @@ path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2035,7 +2132,8 @@ path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2048,7 +2146,8 @@ path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2061,6 +2160,7 @@ path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system + - project - check_str: '' description: Show region details. name: identity:get_region 
@@ -2085,7 +2185,7 @@ - system - domain - project -- check_str: role:admin and system_scope:all +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2100,7 +2200,8 @@ path: /v3/regions/{region_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2113,7 +2214,8 @@ path: /v3/regions/{region_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2126,6 +2228,7 @@ path: /v3/regions/{region_id} scope_types: - system + - project - check_str: '' description: Show registered limit details. name: identity:get_registered_limit @@ -2150,7 +2253,7 @@ - system - domain - project -- check_str: role:admin and system_scope:all +- check_str: rule:admin_required description: Create registered limits. name: identity:create_registered_limits operations: @@ -2158,7 +2261,8 @@ path: /v3/registered_limits scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required description: Update registered limit. name: identity:update_registered_limit operations: @@ -2166,7 +2270,8 @@ path: /v3/registered_limits/{registered_limit_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required description: Delete registered limit. name: identity:delete_registered_limit operations: @@ -2174,6 +2279,7 @@ path: /v3/registered_limits/{registered_limit_id} scope_types: - system + - project - check_str: rule:service_or_admin description: List revocation events. name: identity:list_revoke_events 
@@ -2182,7 +2288,8 @@ path: /v3/OS-REVOKE/events scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2197,7 +2304,8 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2212,7 +2320,8 @@ path: /v3/roles scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2225,7 +2334,8 @@ path: /v3/roles scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2238,7 +2348,8 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2251,7 +2362,8 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2266,7 +2378,8 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required 
@@ -2281,7 +2394,8 @@ path: /v3/roles?domain_id={domain_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2294,7 +2408,8 @@ path: /v3/roles scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2307,7 +2422,8 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2320,7 +2436,9 @@ path: /v3/roles/{role_id} scope_types: - system -- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + - project +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and domain_id:%(target.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2336,8 +2454,9 @@ scope_types: - system - domain -- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) - or (role:admin and project_id:%(target.project.id)s) + - project +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and domain_id:%(target.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2354,7 +2473,7 @@ - system - domain - project -- check_str: role:reader and system_scope:all +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required 
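Review bot: The replacement rule in the `@@ -2336,8 +2454,9 @@` hunk tests a different target attribute than the one it replaces — `domain_id:%(target.domain_id)s` instead of `domain_id:%(target.project.domain_id)s` — and drops the `role:admin and project_id:%(target.project.id)s` branch, while the neighbouring hunks keep the `target.project.*` form. The policy's `name:` lies outside the hunk, so I cannot tell which rule this is; please confirm against the keystone RC that the key change is upstream's and not a copy error. oslo.policy's generic check evaluates to false when the target dict lacks the referenced key, so a Horizon caller that still passes a nested `project` target would fail closed for domain readers on this rule.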
@@ -2367,7 +2486,8 @@ path: /v3/services/{service_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2380,7 +2500,8 @@ path: /v3/services scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2393,7 +2514,8 @@ path: /v3/services scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2406,7 +2528,8 @@ path: /v3/services/{service_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2419,7 +2542,8 @@ path: /v3/services/{service_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2432,7 +2556,8 @@ path: /v3/OS-FEDERATION/service_providers/{service_provider_id} scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2447,7 +2572,8 @@ path: /v3/OS-FEDERATION/service_providers scope_types: - system -- check_str: role:reader and system_scope:all + - project +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required 
@@ -2462,7 +2588,8 @@ path: /v3/OS-FEDERATION/service_providers/{service_provider_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2475,7 +2602,8 @@ path: /v3/OS-FEDERATION/service_providers/{service_provider_id} scope_types: - system -- check_str: role:admin and system_scope:all + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2488,6 +2616,7 @@ path: /v3/OS-FEDERATION/service_providers/{service_provider_id} scope_types: - system + - project - check_str: rule:service_or_admin deprecated_for_removal: true deprecated_reason: ' @@ -2563,7 +2692,7 @@ path: /v3/OS-TRUST/trusts scope_types: - project -- check_str: role:reader and system_scope:all +- check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2578,7 +2707,8 @@ path: /v3/OS-TRUST/trusts scope_types: - system -- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + - project +- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s) description: List trusts for trustor. name: identity:list_trusts_for_trustor operations: @@ -2589,7 +2719,7 @@ scope_types: - system - project -- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s) description: List trusts for trustee. name: identity:list_trusts_for_trustee operations: 
@@ -2600,8 +2730,8 @@ scope_types: - system - project -- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s - or user_id:%(target.trust.trustee_user_id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s) deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s @@ -2617,8 +2747,8 @@ scope_types: - system - project -- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s - or user_id:%(target.trust.trustee_user_id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s) deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s @@ -2634,7 +2764,7 @@ scope_types: - system - project -- check_str: role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s +- check_str: rule:admin_required or user_id:%(target.trust.trustor_user_id)s deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s @@ -2648,8 +2778,8 @@ scope_types: - system - project -- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s - or user_id:%(target.trust.trustee_user_id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s) deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s 
@@ -2665,8 +2795,8 @@ scope_types: - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) - or user_id:%(target.user.id)s +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2683,7 +2813,8 @@ - system - domain - project -- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) +- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader + and domain_id:%(target.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2699,6 +2830,7 @@ scope_types: - system - domain + - project - check_str: '' description: List all projects a user has access to via role assignments. name: identity:list_projects_for_user @@ -2713,7 +2845,7 @@ - method: GET path: /v3/auth/domains scope_types: null -- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2727,7 +2859,8 @@ scope_types: - system - domain -- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2741,7 +2874,8 @@ scope_types: - system - domain -- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + - project +- check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required @@ -2755,3 +2889,4 @@ scope_types: - system - domain + - project 
diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml index a3124db87c..48157cc62f 100644 --- a/openstack_dashboard/conf/default_policies/neutron.yaml +++ b/openstack_dashboard/conf/default_policies/neutron.yaml @@ -3,6 +3,11 @@ name: context_is_admin operations: [] scope_types: null +- check_str: role:service + description: Default rule for the service-to-service APIs. + name: service_api + operations: [] + scope_types: null - check_str: tenant_id:%(tenant_id)s description: Rule for resource owner access name: owner @@ -586,6 +591,16 @@ path: /floatingips/{id} scope_types: - project +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) + description: Get the floating IP tags + name: get_floatingips_tags + operations: + - method: GET + path: /floatingips/{id}/tags + - method: GET + path: /floatingips/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: @@ -599,6 +614,16 @@ path: /floatingips/{id} scope_types: - project +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) + description: Update the floating IP tags + name: update_floatingips_tags + operations: + - method: PUT + path: /floatingips/{id}/tags + - method: PUT + path: /floatingips/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: 
@@ -612,6 +637,16 @@ path: /floatingips/{id} scope_types: - project +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) + description: Delete the floating IP tags + name: delete_floatingips_tags + operations: + - method: DELETE + path: /floatingips/{id}/tags + - method: DELETE + path: /floatingips/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: @@ -1137,8 +1172,8 @@ operations: *id001 scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared - or rule:external or rule:context_is_advsvc +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api + or rule:shared or rule:external or rule:context_is_advsvc deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc @@ -1197,6 +1232,17 @@ operations: *id002 scope_types: - project +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared + or rule:external or rule:context_is_advsvc + description: Get the network tags + name: get_networks_tags + operations: + - method: GET + path: /networks/{id}/tags + - method: GET + path: /networks/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: @@ -1298,6 +1344,16 @@ operations: *id003 scope_types: - project +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) + description: Update the network tags + name: update_networks_tags + operations: + - method: PUT + path: /networks/{id}/tags + - method: PUT + path: /networks/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: 
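Review bot: The new `get_networks_tags` rule does not include `rule:service_api`, although the `get_network` rule in the `@@ -1137,8 +1172,8 @@` hunk on this same line gains it in this patch, so a `role:service` caller that can read a network would be denied its tags by the dashboard's policy check. Since this file is a sync of the neutron RC defaults, the fix belongs upstream if neutron's own policy has the same gap; confirm against the neutron RC before adjusting anything here, as a hand edit would be overwritten by the next sync. Horizon's checks only gate what is rendered, so the practical effect is limited to the dashboard.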
@@ -1311,6 +1367,16 @@ path: /networks/{id} scope_types: - project +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) + description: Delete the network tags + name: delete_networks_tags + operations: + - method: DELETE + path: /networks/{id}/tags + - method: DELETE + path: /networks/{id}/tags/{tag_id} + scope_types: + - project - check_str: rule:admin_only deprecated_reason: null deprecated_rule: @@ -1354,6 +1420,16 @@ path: /network_segment_ranges/{id} scope_types: - project +- check_str: rule:admin_only + description: Get the network segment range tags + name: get_network_segment_ranges_tags + operations: + - method: GET + path: /network_segment_ranges/{id}/tags + - method: GET + path: /network_segment_ranges/{id}/tags/{tag_id} + scope_types: + - project - check_str: rule:admin_only deprecated_reason: null deprecated_rule: @@ -1367,6 +1443,16 @@ path: /network_segment_ranges/{id} scope_types: - project +- check_str: rule:admin_only + description: Update the network segment range tags + name: update_network_segment_ranges_tags + operations: + - method: PUT + path: /network_segment_ranges/{id}/tags + - method: PUT + path: /network_segment_ranges/{id}/tags/{tag_id} + scope_types: + - project - check_str: rule:admin_only deprecated_reason: null deprecated_rule: @@ -1381,6 +1467,16 @@ scope_types: - project - check_str: rule:admin_only + description: Delete the network segment range tags + name: delete_network_segment_ranges_tags + operations: + - method: DELETE + path: /network_segment_ranges/{id}/tags + - method: DELETE + path: /network_segment_ranges/{id}/tags/{tag_id} + scope_types: + - project +- check_str: (rule:admin_only) or (rule:service_api) description: Get port binding information name: get_port_binding operations: 
@@ -1388,7 +1484,7 @@ path: /ports/{port_id}/bindings/ scope_types: - project -- check_str: rule:admin_only +- check_str: rule:service_api description: Create port binding on the host name: create_port_binding operations: @@ -1396,7 +1492,7 @@ path: /ports/{port_id}/bindings/ scope_types: - project -- check_str: rule:admin_only +- check_str: rule:service_api description: Delete port binding on the host name: delete_port_binding operations: @@ -1404,7 +1500,7 @@ path: /ports/{port_id}/bindings/ scope_types: - project -- check_str: rule:admin_only +- check_str: rule:service_api description: Activate port binding on the host name: activate operations: @@ -1422,7 +1518,7 @@ name: admin_or_data_plane_int operations: [] scope_types: null -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1435,8 +1531,8 @@ path: /ports scope_types: - project -- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only) - or (role:member and rule:network_owner) +- check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or + role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner @@ -1447,7 +1543,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner 
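Review bot: `create_port_binding`, `delete_port_binding` and `activate` are now `rule:service_api`, which the `service_api` rule added at the top of this file defines as `role:service`; interactive dashboard sessions, including admins, do not normally carry that role, so in Horizon these three rules now evaluate to false for everyone. That is consistent with neutron moving port binding to service-to-service APIs, but any Horizon view that checks these rule names (none is visible in this patch) would silently hide its control, so it is worth grepping the dashboard for them. In the `@@ -1435,8 +1531,8 @@` and following hunks `rule:context_is_advsvc` is removed from the port rules in favour of `rule:service_api`; deployments that relied on the advsvc rule for integration users lose those port operations in the dashboard, which deserves a mention in the release note for this sync.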
@@ -1458,7 +1554,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared deprecated_reason: null deprecated_rule: @@ -1470,7 +1566,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1481,7 +1577,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared deprecated_reason: null deprecated_rule: @@ -1493,7 +1589,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1504,7 +1600,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1515,7 +1611,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only +- check_str: rule:service_api deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
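Review bot: In the `@@ -1515,7 +1611,7 @@` hunk a port rule goes from `rule:admin_only` to `rule:service_api` with no admin alternative, unlike the neighbouring rules on this line that become `(rule:admin_only) or (rule:service_api)`; the `name:` is outside the hunk (the operations are the shared `*id004` port operations), so confirm against the neutron RC which attribute this is and that dropping admin access is intended. If it is, Horizon's admin port forms must not gate a field on this rule, because `role:service` is never held by a dashboard session and the field would disappear for admins. The same admin-to-service change appears again on the update side further down in this file and should be checked together with this one.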
@@ -1526,7 +1622,7 @@ operations: *id004 scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1578,7 +1674,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: @@ -1594,7 +1690,7 @@ path: /ports/{id} scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1605,7 +1701,7 @@ operations: *id005 scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1616,7 +1712,7 @@ operations: *id005 scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1627,7 +1723,7 @@ operations: *id005 scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -1655,7 +1751,18 @@ operations: *id005 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) + or role:reader and project_id:%(project_id)s + description: Get the port tags + name: get_ports_tags + operations: + - method: GET + path: /ports/{id}/tags + - method: GET + path: /ports/{id}/tags/{tag_id} + scope_types: + - project +- check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc @@ -1668,8 +1775,8 @@ path: /ports/{id} scope_types: - project -- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only) - or (role:member and rule:network_owner) +- check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or + role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner @@ -1680,7 +1787,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or rule:context_is_advsvc +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only or rule:context_is_advsvc @@ -1691,7 +1798,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner 
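Review bot: The new `get_ports_tags` rule still grants `rule:context_is_advsvc` and omits `rule:service_api`, while the `get_port` rule it mirrors (hunk `@@ -1578,7 +1674,7 @@` on the previous line) was switched the other way in this same patch, so tag reads and port reads now disagree on which service-role callers pass. Because these defaults are copied from the neutron RC, verify that neutron's own `get_ports_tags` really differs before treating this as a horizon problem; if upstream matches, it is a neutron bug to report rather than something to hand-edit here.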
@@ -1702,7 +1809,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1713,7 +1820,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared deprecated_reason: null deprecated_rule: @@ -1725,7 +1832,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) +- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1736,7 +1843,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only +- check_str: (rule:admin_only) or (rule:service_api) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1747,7 +1854,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only +- check_str: rule:service_api deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1758,7 +1865,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc +- check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc 
@@ -1820,8 +1927,18 @@
 operations: *id006
 scope_types:
 - project
-- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s or
- (rule:admin_only) or (role:member and rule:network_owner)
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
+ description: Update the port tags
+ name: update_ports_tags
+ operations:
+ - method: PUT
+ path: /ports/{id}/tags
+ - method: PUT
+ path: /ports/{id}/tags/{tag_id}
+ scope_types:
+ - project
+- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
+ or role:member and project_id:%(project_id)s
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
@@ -1834,6 +1951,17 @@
 path: /ports/{id}
 scope_types:
 - project
+- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s or
+ (rule:admin_only) or (role:member and rule:network_owner)
+ description: Delete the port tags
+ name: delete_ports_tags
+ operations:
+ - method: DELETE
+ path: /ports/{id}/tags
+ - method: DELETE
+ path: /ports/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: field:policies:shared=True
 description: Rule of shared qos policy
 name: shared_qos_policy
@@ -2537,6 +2665,16 @@
 operations: *id008
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
+ description: Get the router tags
+ name: get_routers_tags
+ operations:
+ - method: GET
+ path: /routers/{id}/tags
+ - method: GET
+ path: /routers/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
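Review bot: `delete_ports_tags` and `update_ports_tags` disagree on who may act: the DELETE rule includes `(role:member and rule:network_owner)`, so under the defaults a member of the network-owning project can remove a port's tags but cannot set them, because the PUT rule in the hunk above has no network-owner clause. Both tag rules also keep `rule:context_is_advsvc`, whereas the surrounding port rules in this patch replace it with `rule:service_api`. This file is generated from neutron's defaults, so the asymmetry is presumably upstream rather than introduced by the sync, but it is user-visible in the port tags UI and worth reporting upstream instead of importing silently.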
@@ -2631,6 +2769,16 @@
 operations: *id007
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Update the router tags
+ name: update_routers_tags
+ operations:
+ - method: PUT
+ path: /routers/{id}/tags
+ - method: PUT
+ path: /routers/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2644,6 +2792,16 @@
 path: /routers/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Delete the router tags
+ name: delete_routers_tags
+ operations:
+ - method: DELETE
+ path: /routers/{id}/tags
+ - method: DELETE
+ path: /routers/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2711,6 +2869,12 @@
 name: shared_security_group
 operations: []
 scope_types: null
+- check_str: field:security_group_rules:belongs_to_default_sg=True
+ description: Definition of a security group rule that belongs to the project default
+ security group
+ name: rule_default_sg
+ operations: []
+ scope_types: null
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2739,6 +2903,16 @@
 path: /security-groups/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
+ description: Get the security group tags
+ name: get_security_groups_tags
+ operations:
+ - method: GET
+ path: /security-groups/{id}/tags
+ - method: GET
+ path: /security-groups/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2752,6 +2926,16 @@
 path: /security-groups/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Update the security group tags
+ name: update_security_groups_tags
+ operations:
+ - method: PUT
+ path: /security-groups/{id}/tags
+ - method: PUT
+ path: /security-groups/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2765,6 +2949,16 @@
 path: /security-groups/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Delete the security group tags
+ name: delete_security_groups_tags
+ operations:
+ - method: DELETE
+ path: /security-groups/{id}/tags
+ - method: DELETE
+ path: /security-groups/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -2834,6 +3028,16 @@
 path: /segments/{id}
 scope_types:
 - project
+- check_str: rule:admin_only
+ description: Get the segment tags
+ name: get_segments_tags
+ operations:
+ - method: GET
+ path: /segments/{id}/tags
+ - method: GET
+ path: /segments/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: rule:admin_only
 deprecated_reason: null
 deprecated_rule:
@@ -2847,6 +3051,16 @@
 path: /segments/{id}
 scope_types:
 - project
+- check_str: rule:admin_only
+ description: Update the segment tags
+ name: update_segments_tags
+ operations:
+ - method: PUT
+ path: /segments/{id}/tags
+ - method: PUT
+ path: /segments/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: rule:admin_only
 deprecated_reason: null
 deprecated_rule:
@@ -2860,6 +3074,16 @@
 path: /segments/{id}
 scope_types:
 - project
+- check_str: rule:admin_only
+ description: Delete the segment tags
+ name: delete_segments_tags
+ operations:
+ - method: DELETE
+ path: /segments/{id}/tags
+ - method: DELETE
+ path: /segments/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: role:reader
 deprecated_reason: null
 deprecated_rule:
@@ -2908,7 +3132,8 @@
 operations: *id010
 scope_types:
 - project
-- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:reader
+ and project_id:%(project_id)s or rule:shared
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner or rule:shared
@@ -2934,7 +3159,19 @@
 operations: *id011
 scope_types:
 - project
-- check_str: (rule:admin_only) or (role:member and rule:network_owner)
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:reader
+ and project_id:%(project_id)s or rule:shared
+ description: Get the subnet tags
+ name: get_subnets_tags
+ operations:
+ - method: GET
+ path: /subnets/{id}/tags
+ - method: GET
+ path: /subnets/{id}/tags/{tag_id}
+ scope_types:
+ - project
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
+ and project_id:%(project_id)s
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_network_owner
@@ -2969,7 +3206,19 @@
 operations: *id012
 scope_types:
 - project
-- check_str: (rule:admin_only) or (role:member and rule:network_owner)
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
+ and project_id:%(project_id)s
+ description: Update the subnet tags
+ name: update_subnets_tags
+ operations:
+ - method: PUT
+ path: /subnets/{id}/tags
+ - method: PUT
+ path: /subnets/{id}/tags/{tag_id}
+ scope_types:
+ - project
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
+ and project_id:%(project_id)s
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_network_owner
@@ -2982,6 +3231,17 @@
 path: /subnets/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
+ and project_id:%(project_id)s
+ description: Delete the subnet tags
+ name: delete_subnets_tags
+ operations:
+ - method: DELETE
+ path: /subnets/{id}/tags
+ - method: DELETE
+ path: /subnets/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: field:subnetpools:shared=True
 description: Definition of a shared subnetpool
 name: shared_subnetpools
@@ -3041,6 +3301,16 @@
 path: /subnetpools/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
+ description: Get the subnetpool tags
+ name: get_subnetpools_tags
+ operations:
+ - method: GET
+ path: /subnetpools/{id}/tags
+ - method: GET
+ path: /subnetpools/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -3067,6 +3337,16 @@
 path: /subnetpools/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Update the subnetpool tags
+ name: update_subnetpools_tags
+ operations:
+ - method: PUT
+ path: /subnetpools/{id}/tags
+ - method: PUT
+ path: /subnetpools/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -3080,6 +3360,16 @@
 path: /subnetpools/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Delete the subnetpool tags
+ name: delete_subnetpools_tags
+ operations:
+ - method: DELETE
+ path: /subnetpools/{id}/tags
+ - method: DELETE
+ path: /subnetpools/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -3147,6 +3437,16 @@
 path: /trunks/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
+ description: Get the trunk tags
+ name: get_trunks_tags
+ operations:
+ - method: GET
+ path: /trunks/{id}/tags
+ - method: GET
+ path: /trunks/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -3160,6 +3460,16 @@
 path: /trunks/{id}
 scope_types:
 - project
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
+ description: Update the trunk tags
+ name: update_trunks_tags
+ operations:
+ - method: PUT
+ path: /trunks/{id}/tags
+ - method: PUT
+ path: /trunks/{id}/tags/{tag_id}
+ scope_types:
+ - project
 - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
@@ -3173,6 +3483,16 @@ path: /trunks/{id} scope_types: - project +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) + description: Delete a trunk + name: delete_trunks_tags + operations: + - method: DELETE + path: /trunks/{id}/tags + - method: DELETE + path: /trunks/{id}/tags/{tag_id} + scope_types: + - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml index 05019f863f..f7eea48d80 100644 --- a/openstack_dashboard/conf/default_policies/nova.yaml +++ b/openstack_dashboard/conf/default_policies/nova.yaml @@ -1120,7 +1120,7 @@ scope_types: - project - check_str: rule:context_is_admin - description: List quotas for specific quota classs + description: List quotas for specific quota classes name: os_compute_api:os-quota-class-sets:show operations: - method: GET @@ -1184,8 +1184,6 @@ are deprecated: - - ``os-getRDPConsole`` - - ``os-getSerialConsole`` - ``os-getSPICEConsole`` @@ -1193,8 +1191,6 @@ - ``os-getVNCConsole``.' name: os_compute_api:os-remote-consoles operations: - - method: POST - path: /servers/{server_id}/action (os-getRDPConsole) - method: POST path: /servers/{server_id}/action (os-getSerialConsole) - method: POST @@ -1606,7 +1602,7 @@ Policies for showing flavor extra specs in server APIs response is - seprated as new policy. This policy is deprecated only for that but + separated as new policy. This policy is deprecated only for that but not for list extra specs and showing it in flavor API response. diff --git a/openstack_dashboard/conf/keystone_policy.yaml b/openstack_dashboard/conf/keystone_policy.yaml index 1ff8d9f7ce..06142e4b88 100644 --- a/openstack_dashboard/conf/keystone_policy.yaml +++ b/openstack_dashboard/conf/keystone_policy.yaml 
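Review bot: `delete_trunks_tags` is described as `Delete a trunk`, which is the wording of the trunk delete rule, not of the tag operations on `/trunks/{id}/tags`; the sibling rules added in this patch read `Delete the subnetpool tags`, `Delete the segment tags`, so this one should be `description: Delete the trunk tags`. The description is what policy tooling and any UI that renders rule descriptions show to operators, so the wrong text is user-visible. As the file is a regenerated copy of neutron's defaults, the correction belongs upstream, followed by a regeneration here. The nova hunks on this line drop `os-getRDPConsole` from the `os_compute_api:os-remote-consoles` operations; if horizon still offers an RDP console type anywhere, that path would no longer have a policy operation behind it — presumably already removed, but worth a quick search before merging.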
@@ -129,61 +129,61 @@ # Show OAUTH1 consumer details. # GET /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:get_consumer": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_consumer": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_consumer":"rule:admin_required" has been deprecated -# since T in favor of "identity:get_consumer":"role:reader and -# system_scope:all". +# since T in favor of "identity:get_consumer":"rule:admin_required or +# (role:reader and system_scope:all)". # The OAUTH1 consumer API is now aware of system scope and default # roles. # List OAUTH1 consumers. # GET /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:list_consumers": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_consumers": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_consumers":"rule:admin_required" has been deprecated -# since T in favor of "identity:list_consumers":"role:reader and -# system_scope:all". +# since T in favor of "identity:list_consumers":"rule:admin_required +# or (role:reader and system_scope:all)". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Create OAUTH1 consumer. # POST /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:create_consumer": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_consumer": "rule:admin_required" # DEPRECATED # "identity:create_consumer":"rule:admin_required" has been deprecated -# since T in favor of "identity:create_consumer":"role:admin and -# system_scope:all". +# since T in favor of +# "identity:create_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Update OAUTH1 consumer. 
# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:update_consumer": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_consumer": "rule:admin_required" # DEPRECATED # "identity:update_consumer":"rule:admin_required" has been deprecated -# since T in favor of "identity:update_consumer":"role:admin and -# system_scope:all". +# since T in favor of +# "identity:update_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Delete OAUTH1 consumer. # DELETE /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:delete_consumer": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_consumer": "rule:admin_required" # DEPRECATED # "identity:delete_consumer":"rule:admin_required" has been deprecated -# since T in favor of "identity:delete_consumer":"role:admin and -# system_scope:all". +# since T in favor of +# "identity:delete_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. 
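Review bot: Each consumer rule in this hunk adds `project` to `Intended scope(s)` and puts `rule:admin_required` in front of the check, so a project-scoped token holding the admin role now passes checks that previously required system scope (`role:reader and system_scope:all` / `role:admin and system_scope:all`). For horizon, which authenticates with project-scoped tokens, this is what makes the Identity panels work again for admins, but it also means that under the defaults the OAUTH1 consumer CRUD is reachable from any project an admin-role holder is scoped to; keystone treats `admin` as a global role, so this is by design rather than a horizon issue. The domain, domain-config, endpoint and endpoint-group hunks that follow make the same change and need no separate note. Deployers who had hardened these rules on system scope will want this called out in a release note for the sync.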
@@ -249,69 +249,68 @@ # Show domain details. # GET /v3/domains/{domain_id} # Intended scope(s): system, domain, project -#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" +#"identity:get_domain": "rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" # DEPRECATED # "identity:get_domain":"rule:admin_required or # token.project.domain.id:%(target.domain.id)s" has been deprecated -# since S in favor of "identity:get_domain":"(role:reader and -# system_scope:all) or token.domain.id:%(target.domain.id)s or +# since S in favor of "identity:get_domain":"rule:admin_required or +# (role:reader and system_scope:all) or +# token.domain.id:%(target.domain.id)s or # token.project.domain.id:%(target.domain.id)s". # The domain API is now aware of system scope and default roles. # List domains. # GET /v3/domains -# Intended scope(s): system -#"identity:list_domains": "role:reader and system_scope:all" +# Intended scope(s): system, domain, project +#"identity:list_domains": "rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)" # DEPRECATED # "identity:list_domains":"rule:admin_required" has been deprecated -# since S in favor of "identity:list_domains":"role:reader and -# system_scope:all". +# since S in favor of "identity:list_domains":"rule:admin_required or +# (role:reader and system_scope:all) or (role:reader and +# domain_id:%(target.domain.id)s)". # The domain API is now aware of system scope and default roles. # Create domain. 
# POST /v3/domains -# Intended scope(s): system -#"identity:create_domain": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_domain": "rule:admin_required" # DEPRECATED # "identity:create_domain":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_domain":"role:admin and -# system_scope:all". +# since S in favor of "identity:create_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Update domain. # PATCH /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:update_domain": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_domain": "rule:admin_required" # DEPRECATED # "identity:update_domain":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_domain":"role:admin and -# system_scope:all". +# since S in favor of "identity:update_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Delete domain. # DELETE /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:delete_domain": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_domain": "rule:admin_required" # DEPRECATED # "identity:delete_domain":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_domain":"role:admin and -# system_scope:all". +# since S in favor of "identity:delete_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Create domain configuration. 
# PUT /v3/domains/{domain_id}/config -# Intended scope(s): system -#"identity:create_domain_config": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_domain_config": "rule:admin_required" # DEPRECATED # "identity:create_domain_config":"rule:admin_required" has been # deprecated since T in favor of -# "identity:create_domain_config":"role:admin and system_scope:all". +# "identity:create_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. @@ -324,13 +323,14 @@ # HEAD /v3/domains/{domain_id}/config/{group} # GET /v3/domains/{domain_id}/config/{group}/{option} # HEAD /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:get_domain_config": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_domain_config": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_config":"rule:admin_required" has been # deprecated since T in favor of -# "identity:get_domain_config":"role:reader and system_scope:all". +# "identity:get_domain_config":"rule:admin_required or (role:reader +# and system_scope:all)". # The domain config API is now aware of system scope and default # roles. @@ -348,13 +348,13 @@ # PATCH /v3/domains/{domain_id}/config # PATCH /v3/domains/{domain_id}/config/{group} # PATCH /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:update_domain_config": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_domain_config": "rule:admin_required" # DEPRECATED # "identity:update_domain_config":"rule:admin_required" has been # deprecated since T in favor of -# "identity:update_domain_config":"role:admin and system_scope:all". +# "identity:update_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. 
@@ -363,13 +363,13 @@ # DELETE /v3/domains/{domain_id}/config # DELETE /v3/domains/{domain_id}/config/{group} # DELETE /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:delete_domain_config": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_domain_config": "rule:admin_required" # DEPRECATED # "identity:delete_domain_config":"rule:admin_required" has been # deprecated since T in favor of -# "identity:delete_domain_config":"role:admin and system_scope:all". +# "identity:delete_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. @@ -381,14 +381,14 @@ # HEAD /v3/domains/config/{group}/default # GET /v3/domains/config/{group}/{option}/default # HEAD /v3/domains/config/{group}/{option}/default -# Intended scope(s): system -#"identity:get_domain_config_default": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_domain_config_default": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_config_default":"rule:admin_required" has been # deprecated since T in favor of -# "identity:get_domain_config_default":"role:reader and -# system_scope:all". +# "identity:get_domain_config_default":"rule:admin_required or +# (role:reader and system_scope:all)". # The domain config API is now aware of system scope and default # roles. 
@@ -446,196 +446,196 @@ # Show endpoint details. # GET /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:get_endpoint": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_endpoint": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_endpoint":"rule:admin_required" has been deprecated -# since S in favor of "identity:get_endpoint":"role:reader and -# system_scope:all". +# since S in favor of "identity:get_endpoint":"rule:admin_required or +# (role:reader and system_scope:all)". # The endpoint API is now aware of system scope and default roles. # List endpoints. # GET /v3/endpoints -# Intended scope(s): system -#"identity:list_endpoints": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_endpoints": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoints":"rule:admin_required" has been deprecated -# since S in favor of "identity:list_endpoints":"role:reader and -# system_scope:all". +# since S in favor of "identity:list_endpoints":"rule:admin_required +# or (role:reader and system_scope:all)". # The endpoint API is now aware of system scope and default roles. # Create endpoint. # POST /v3/endpoints -# Intended scope(s): system -#"identity:create_endpoint": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_endpoint": "rule:admin_required" # DEPRECATED # "identity:create_endpoint":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_endpoint":"role:admin and -# system_scope:all". +# since S in favor of +# "identity:create_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Update endpoint. 
# PATCH /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:update_endpoint": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_endpoint": "rule:admin_required" # DEPRECATED # "identity:update_endpoint":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_endpoint":"role:admin and -# system_scope:all". +# since S in favor of +# "identity:update_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Delete endpoint. # DELETE /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:delete_endpoint": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_endpoint": "rule:admin_required" # DEPRECATED # "identity:delete_endpoint":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_endpoint":"role:admin and -# system_scope:all". +# since S in favor of +# "identity:delete_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Create endpoint group. # POST /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:create_endpoint_group": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_endpoint_group": "rule:admin_required" # DEPRECATED # "identity:create_endpoint_group":"rule:admin_required" has been # deprecated since T in favor of -# "identity:create_endpoint_group":"role:admin and system_scope:all". +# "identity:create_endpoint_group":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # List endpoint groups. 
# GET /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_endpoint_groups": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoint_groups":"rule:admin_required" has been # deprecated since T in favor of -# "identity:list_endpoint_groups":"role:reader and system_scope:all". +# "identity:list_endpoint_groups":"rule:admin_required or (role:reader +# and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # Get endpoint group. # GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} # HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:get_endpoint_group": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_endpoint_group":"rule:admin_required" has been # deprecated since T in favor of -# "identity:get_endpoint_group":"role:reader and system_scope:all". +# "identity:get_endpoint_group":"rule:admin_required or (role:reader +# and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # Update endpoint group. # PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:update_endpoint_group": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_endpoint_group": "rule:admin_required" # DEPRECATED # "identity:update_endpoint_group":"rule:admin_required" has been # deprecated since T in favor of -# "identity:update_endpoint_group":"role:admin and system_scope:all". +# "identity:update_endpoint_group":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # Delete endpoint group. 
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:delete_endpoint_group": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_endpoint_group": "rule:admin_required" # DEPRECATED # "identity:delete_endpoint_group":"rule:admin_required" has been # deprecated since T in favor of -# "identity:delete_endpoint_group":"role:admin and system_scope:all". +# "identity:delete_endpoint_group":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # List all projects associated with a specific endpoint group. # GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects -# Intended scope(s): system -#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_projects_associated_with_endpoint_group":"rule:admin_ -# required" has been deprecated since T in favor of -# "identity:list_projects_associated_with_endpoint_group":"role:reader -# and system_scope:all". +# required" has been deprecated since T in favor of "identity:list_pro +# jects_associated_with_endpoint_group":"rule:admin_required or +# (role:reader and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # List all endpoints associated with an endpoint group. 
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints -# Intended scope(s): system -#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoints_associated_with_endpoint_group":"rule:admin # _required" has been deprecated since T in favor of "identity:list_en -# dpoints_associated_with_endpoint_group":"role:reader and -# system_scope:all". +# dpoints_associated_with_endpoint_group":"rule:admin_required or +# (role:reader and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # Check if an endpoint group is associated with a project. # GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} # HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_endpoint_group_in_project": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_endpoint_group_in_project":"rule:admin_required" has # been deprecated since T in favor of -# "identity:get_endpoint_group_in_project":"role:reader and -# system_scope:all". +# "identity:get_endpoint_group_in_project":"rule:admin_required or +# (role:reader and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # List endpoint groups associated with a specific project. 
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_endpoint_groups_for_project": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoint_groups_for_project":"rule:admin_required" # has been deprecated since T in favor of -# "identity:list_endpoint_groups_for_project":"role:reader and -# system_scope:all". +# "identity:list_endpoint_groups_for_project":"rule:admin_required or +# (role:reader and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # Allow a project to access an endpoint group. # PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:add_endpoint_group_to_project": "rule:admin_required" # DEPRECATED # "identity:add_endpoint_group_to_project":"rule:admin_required" has # been deprecated since T in favor of -# "identity:add_endpoint_group_to_project":"role:admin and -# system_scope:all". +# "identity:add_endpoint_group_to_project":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # Remove endpoint group from project. # DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:remove_endpoint_group_from_project": "rule:admin_required" # DEPRECATED # "identity:remove_endpoint_group_from_project":"rule:admin_required" # has been deprecated since T in favor of -# "identity:remove_endpoint_group_from_project":"role:admin and -# system_scope:all". 
+# "identity:remove_endpoint_group_from_project":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. 
@@ -660,13 +660,13 @@
 # GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
 # HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
 # GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:check_grant": "(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))"
 # DEPRECATED
 # "identity:check_grant":"rule:admin_required" has been deprecated
-# since S in favor of "identity:check_grant":"(role:reader and
-# system_scope:all) or ((role:reader and
+# since S in favor of "identity:check_grant":"(rule:admin_required) or
+# ((role:reader and system_scope:all) or ((role:reader and
 # domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.project.domain_id)s) or (role:reader and
 # domain_id:%(target.user.domain_id)s and
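Review bot: In the new `identity:check_grant` default, the leading `(rule:admin_required) or (...)` branch sits outside the trailing `and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)` clause, so the domain-specific-role constraint now bounds only the reader branches and no longer applies to whoever satisfies `rule:admin_required`; `identity:list_grants`, `identity:create_grant` and `identity:revoke_grant` in the following hunks have the same shape. This is keystone's own generated default and every rule in this file is commented out, so nothing should be hand-edited here; the thing to confirm is that the corresponding `check_str` entries in `openstack_dashboard/conf/default_policies/keystone.yaml`, which this change also touches and which appears to be the machine-readable copy of these defaults, are byte-identical to the strings shown here. What `rule:admin_required` expands to is presumably defined near the top of the file, outside this hunk, so its scope handling cannot be checked from this view.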
@@ -676,7 +676,7 @@
 # domain_id:%(target.group.domain_id)s and
 # domain_id:%(target.domain.id)s)) and
 # (domain_id:%(target.role.domain_id)s or
-# None:%(target.role.domain_id)s)".
+# None:%(target.role.domain_id)s))".
 # The assignment API is now aware of system scope and default roles.
 # List roles granted to an actor on a target. A target can be either a
@@ -694,13 +694,13 @@
 # HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
 # GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
 # GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
+# Intended scope(s): system, domain, project
+#"identity:list_grants": "(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))"
 # DEPRECATED
 # "identity:list_grants":"rule:admin_required" has been deprecated
-# since S in favor of "identity:list_grants":"(role:reader and
-# system_scope:all) or (role:reader and
+# since S in favor of "identity:list_grants":"(rule:admin_required) or
+# ((role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.project.domain_id)s) or (role:reader and
 # domain_id:%(target.user.domain_id)s and
@@ -708,7 +708,7 @@
 # domain_id:%(target.group.domain_id)s and
 # domain_id:%(target.project.domain_id)s) or (role:reader and
 # domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.domain.id)s)".
+# domain_id:%(target.domain.id)s))".
 # The assignment API is now aware of system scope and default roles.
 # Create a role grant between a target and an actor. A target can be
@@ -724,14 +724,13 @@
 # PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
 # PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
 # PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:create_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
 # DEPRECATED
 # "identity:create_grant":"rule:admin_required" has been deprecated
-# since S in favor of "identity:create_grant":"(role:admin and
-# system_scope:all) or ((role:admin and
-# domain_id:%(target.user.domain_id)s and
+# since S in favor of "identity:create_grant":"(rule:admin_required)
+# or ((role:admin and domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.project.domain_id)s) or (role:admin and
 # domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.domain.id)s) or (role:admin and
@@ -758,14 +757,13 @@
 # DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
 # DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
 # DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
-# Intended scope(s): system, domain
-#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:revoke_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
 # DEPRECATED
 # "identity:revoke_grant":"rule:admin_required" has been deprecated
-# since S in favor of "identity:revoke_grant":"(role:admin and
-# system_scope:all) or ((role:admin and
-# domain_id:%(target.user.domain_id)s and
+# since S in favor of "identity:revoke_grant":"(rule:admin_required)
+# or ((role:admin and domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.project.domain_id)s) or (role:admin and
 # domain_id:%(target.user.domain_id)s and
 # domain_id:%(target.domain.id)s) or (role:admin and
@@ -779,123 +777,119 @@
 # List all grants a specific user has on the system.
 # ['HEAD', 'GET'] /v3/system/users/{user_id}/roles
-# Intended scope(s): system
-#"identity:list_system_grants_for_user": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_system_grants_for_user": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_system_grants_for_user":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:list_system_grants_for_user":"role:reader and
-# system_scope:all".
+# "identity:list_system_grants_for_user":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The assignment API is now aware of system scope and default roles.
 # Check if a user has a role on the system.
 # ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:check_system_grant_for_user": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_system_grant_for_user": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_system_grant_for_user":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:check_system_grant_for_user":"role:reader and
-# system_scope:all".
+# "identity:check_system_grant_for_user":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The assignment API is now aware of system scope and default roles.
 # Grant a user a role on the system.
 # ['PUT'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:create_system_grant_for_user": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_system_grant_for_user": "rule:admin_required"
 # DEPRECATED
 # "identity:create_system_grant_for_user":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:create_system_grant_for_user":"role:admin and
-# system_scope:all".
+# "identity:create_system_grant_for_user":"rule:admin_required".
 # The assignment API is now aware of system scope and default roles.
 # Remove a role from a user on the system.
 # ['DELETE'] /v3/system/users/{user_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:revoke_system_grant_for_user": "rule:admin_required"
 # DEPRECATED
 # "identity:revoke_system_grant_for_user":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:revoke_system_grant_for_user":"role:admin and
-# system_scope:all".
+# "identity:revoke_system_grant_for_user":"rule:admin_required".
 # The assignment API is now aware of system scope and default roles.
 # List all grants a specific group has on the system.
 # ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles
-# Intended scope(s): system
-#"identity:list_system_grants_for_group": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_system_grants_for_group": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_system_grants_for_group":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:list_system_grants_for_group":"role:reader and
-# system_scope:all".
+# "identity:list_system_grants_for_group":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The assignment API is now aware of system scope and default roles.
 # Check if a group has a role on the system.
 # ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:check_system_grant_for_group": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_system_grant_for_group": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_system_grant_for_group":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:check_system_grant_for_group":"role:reader and
-# system_scope:all".
+# "identity:check_system_grant_for_group":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The assignment API is now aware of system scope and default roles.
 # Grant a group a role on the system.
 # ['PUT'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:create_system_grant_for_group": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_system_grant_for_group": "rule:admin_required"
 # DEPRECATED
 # "identity:create_system_grant_for_group":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:create_system_grant_for_group":"role:admin and
-# system_scope:all".
+# "identity:create_system_grant_for_group":"rule:admin_required".
 # The assignment API is now aware of system scope and default roles.
 # Remove a role from a group on the system.
 # ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id}
-# Intended scope(s): system
-#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:revoke_system_grant_for_group": "rule:admin_required"
 # DEPRECATED
 # "identity:revoke_system_grant_for_group":"rule:admin_required" has
 # been deprecated since S in favor of
-# "identity:revoke_system_grant_for_group":"role:admin and
-# system_scope:all".
+# "identity:revoke_system_grant_for_group":"rule:admin_required".
 # The assignment API is now aware of system scope and default roles.
 # Show group details.
 # GET /v3/groups/{group_id}
 # HEAD /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:get_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
 # DEPRECATED
 # "identity:get_group":"rule:admin_required" has been deprecated since
-# S in favor of "identity:get_group":"(role:reader and
-# system_scope:all) or (role:reader and
+# S in favor of "identity:get_group":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.group.domain_id)s)".
 # The group API is now aware of system scope and default roles.
 # List groups.
 # GET /v3/groups
 # HEAD /v3/groups
-# Intended scope(s): system, domain
-#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:list_groups": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
 # DEPRECATED
 # "identity:list_groups":"rule:admin_required" has been deprecated
-# since S in favor of "identity:list_groups":"(role:reader and
-# system_scope:all) or (role:reader and
+# since S in favor of "identity:list_groups":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.group.domain_id)s)".
 # The group API is now aware of system scope and default roles.
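Review bot: The four write rules in this hunk, `identity:create_system_grant_for_user`, `identity:revoke_system_grant_for_user`, `identity:create_system_grant_for_group` and `identity:revoke_system_grant_for_group`, drop the explicit `system_scope:all` conjunct and become bare `rule:admin_required`, while their `Intended scope(s)` line gains `project`; read together, the sample now says a project-scoped admin token is expected to satisfy rules that grant or revoke roles on the whole system. Whether that is actually the case depends on how `rule:admin_required` is defined earlier in the file, outside this hunk, so it is worth checking that definition before release. Because the file is generated, the right place to record this is the release note for the sync rather than a hand-written comment; a sentence along the lines of `Keystone system-grant, implied-role, mapping and limit defaults now accept rule:admin_required in project scope, so horizon panels gated on those rules may become visible to project admins` would warn deployers who override these rules. The implied-role hunks and the mapping/limit hunk below repeat the same pattern and need no separate note.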
@@ -903,168 +897,158 @@
 # GET /v3/users/{user_id}/groups
 # HEAD /v3/users/{user_id}/groups
 # Intended scope(s): system, domain, project
-#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
+#"identity:list_groups_for_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
 # DEPRECATED
 # "identity:list_groups_for_user":"rule:admin_or_owner" has been
 # deprecated since S in favor of
-# "identity:list_groups_for_user":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.user.domain_id)s) or
-# user_id:%(user_id)s".
+# "identity:list_groups_for_user":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
+# domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s".
 # The group API is now aware of system scope and default roles.
 # Create group.
 # POST /v3/groups
-# Intended scope(s): system, domain
-#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:create_group": "rule:admin_required"
 # DEPRECATED
 # "identity:create_group":"rule:admin_required" has been deprecated
-# since S in favor of "identity:create_group":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)".
+# since S in favor of "identity:create_group":"rule:admin_required".
 # The group API is now aware of system scope and default roles.
 # Update group.
 # PATCH /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:update_group": "rule:admin_required"
 # DEPRECATED
 # "identity:update_group":"rule:admin_required" has been deprecated
-# since S in favor of "identity:update_group":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)".
+# since S in favor of "identity:update_group":"rule:admin_required".
 # The group API is now aware of system scope and default roles.
 # Delete group.
 # DELETE /v3/groups/{group_id}
-# Intended scope(s): system, domain
-#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:delete_group": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_group":"rule:admin_required" has been deprecated
-# since S in favor of "identity:delete_group":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.group.domain_id)s)".
+# since S in favor of "identity:delete_group":"rule:admin_required".
 # The group API is now aware of system scope and default roles.
 # List members of a specific group.
 # GET /v3/groups/{group_id}/users
 # HEAD /v3/groups/{group_id}/users
-# Intended scope(s): system, domain
-#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:list_users_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
 # DEPRECATED
 # "identity:list_users_in_group":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:list_users_in_group":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.group.domain_id)s)".
+# "identity:list_users_in_group":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
+# domain_id:%(target.group.domain_id)s)".
 # The group API is now aware of system scope and default roles.
 # Remove user from group.
 # DELETE /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:remove_user_from_group": "rule:admin_required"
 # DEPRECATED
 # "identity:remove_user_from_group":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:remove_user_from_group":"(role:admin and system_scope:all)
-# or (role:admin and domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.user.domain_id)s)".
+# "identity:remove_user_from_group":"rule:admin_required".
 # The group API is now aware of system scope and default roles.
 # Check whether a user is a member of a group.
 # HEAD /v3/groups/{group_id}/users/{user_id}
 # GET /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:check_user_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
 # DEPRECATED
 # "identity:check_user_in_group":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:check_user_in_group":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.group.domain_id)s and
+# "identity:check_user_in_group":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
+# domain_id:%(target.group.domain_id)s and
 # domain_id:%(target.user.domain_id)s)".
 # The group API is now aware of system scope and default roles.
 # Add user to group.
 # PUT /v3/groups/{group_id}/users/{user_id}
-# Intended scope(s): system, domain
-#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:add_user_to_group": "rule:admin_required"
 # DEPRECATED
 # "identity:add_user_to_group":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:add_user_to_group":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.group.domain_id)s and
-# domain_id:%(target.user.domain_id)s)".
+# "identity:add_user_to_group":"rule:admin_required".
 # The group API is now aware of system scope and default roles.
 # Create identity provider.
 # PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:create_identity_provider": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_identity_provider": "rule:admin_required"
 # DEPRECATED
 # "identity:create_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:create_identity_provider":"role:admin and
-# system_scope:all".
+# "identity:create_identity_provider":"rule:admin_required".
 # The identity provider API is now aware of system scope and default
 # roles.
 # List identity providers.
 # GET /v3/OS-FEDERATION/identity_providers
 # HEAD /v3/OS-FEDERATION/identity_providers
-# Intended scope(s): system
-#"identity:list_identity_providers": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_identity_providers": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_identity_providers":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:list_identity_providers":"role:reader and
-# system_scope:all".
+# "identity:list_identity_providers":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The identity provider API is now aware of system scope and default
 # roles.
 # Get identity provider.
 # GET /v3/OS-FEDERATION/identity_providers/{idp_id}
 # HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:get_identity_provider": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_identity_provider": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:get_identity_provider":"role:reader and system_scope:all".
+# "identity:get_identity_provider":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The identity provider API is now aware of system scope and default
 # roles.
 # Update identity provider.
 # PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:update_identity_provider": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:update_identity_provider": "rule:admin_required"
 # DEPRECATED
 # "identity:update_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:update_identity_provider":"role:admin and
-# system_scope:all".
+# "identity:update_identity_provider":"rule:admin_required".
 # The identity provider API is now aware of system scope and default
 # roles.
 # Delete identity provider.
 # DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
-# Intended scope(s): system
-#"identity:delete_identity_provider": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_identity_provider": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
-# "identity:delete_identity_provider":"role:admin and
-# system_scope:all".
+# "identity:delete_identity_provider":"rule:admin_required".
 # The identity provider API is now aware of system scope and default
 # roles.
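Review bot: The group write rules in this hunk, `identity:create_group`, `identity:update_group`, `identity:delete_group`, `identity:add_user_to_group` and `identity:remove_user_from_group`, lose the `domain_id:%(target.group.domain_id)s` target check (and, for the membership rules, `domain_id:%(target.user.domain_id)s`) and collapse to a bare `rule:admin_required`, so the default no longer bounds a domain admin's group changes to that admin's own domain unless `rule:admin_required`, defined outside this hunk, reintroduces such a check. The read rules in the same hunk keep their `(role:reader and domain_id:%(target.group.domain_id)s)` branch, so read and write are no longer symmetric in how they treat domain scope. Nothing in the generated text should be edited by hand, but deployers who relied on domain-scoped group administration should be told in the release note, for example `Group create/update/delete and membership changes now default to rule:admin_required; the domain-bounded admin branch was removed in the upstream keystone defaults`.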
@@ -1073,13 +1057,14 @@
 # prior role is assigned to a user, the user also assumes the implied
 # role.
 # GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:get_implied_role": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_implied_role": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_implied_role":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:get_implied_role":"role:reader and system_scope:all".
+# "identity:get_implied_role":"rule:admin_required or (role:reader and
+# system_scope:all)".
 # The implied role API is now aware of system scope and default roles.
 # List associations between two roles. When a relationship exists
@@ -1089,26 +1074,27 @@
 # who gets the specified prior role.
 # GET /v3/roles/{prior_role_id}/implies
 # HEAD /v3/roles/{prior_role_id}/implies
-# Intended scope(s): system
-#"identity:list_implied_roles": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_implied_roles": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_implied_roles":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:list_implied_roles":"role:reader and system_scope:all".
+# "identity:list_implied_roles":"rule:admin_required or (role:reader
+# and system_scope:all)".
 # The implied role API is now aware of system scope and default roles.
 # Create an association between two roles. When a relationship exists
 # between a prior role and an implied role and the prior role is
 # assigned to a user, the user also assumes the implied role.
 # PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:create_implied_role": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_implied_role": "rule:admin_required"
 # DEPRECATED
 # "identity:create_implied_role":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:create_implied_role":"role:admin and system_scope:all".
+# "identity:create_implied_role":"rule:admin_required".
 # The implied role API is now aware of system scope and default roles.
 # Delete the association between two roles. When a relationship exists
@@ -1116,13 +1102,13 @@
 # assigned to a user, the user also assumes the implied role. Removing
 # the association will cause that effect to be eliminated.
 # DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:delete_implied_role": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_implied_role": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_implied_role":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:delete_implied_role":"role:admin and system_scope:all".
+# "identity:delete_implied_role":"rule:admin_required".
 # The implied role API is now aware of system scope and default roles.
 # List all associations between two roles in the system. When a
@@ -1131,27 +1117,28 @@
 # role.
 # GET /v3/role_inferences
 # HEAD /v3/role_inferences
-# Intended scope(s): system
-#"identity:list_role_inference_rules": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_role_inference_rules": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_role_inference_rules":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:list_role_inference_rules":"role:reader and
-# system_scope:all".
+# "identity:list_role_inference_rules":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The implied role API is now aware of system scope and default roles.
 # Check an association between two roles. When a relationship exists
 # between a prior role and an implied role and the prior role is
 # assigned to a user, the user also assumes the implied role.
 # HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
-# Intended scope(s): system
-#"identity:check_implied_role": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_implied_role": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_implied_role":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:check_implied_role":"role:reader and system_scope:all".
+# "identity:check_implied_role":"rule:admin_required or (role:reader
+# and system_scope:all)".
 # The implied role API is now aware of system scope and default roles.
 # Get limit enforcement model.
@@ -1164,7 +1151,7 @@
 # GET /v3/limits/{limit_id}
 # HEAD /v3/limits/{limit_id}
 # Intended scope(s): system, domain, project
-#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
+#"identity:get_limit": "rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
 # List limits.
 # GET /v3/limits
@@ -1174,368 +1161,351 @@
 # Create limits.
 # POST /v3/limits
-# Intended scope(s): system
-#"identity:create_limits": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_limits": "rule:admin_required"
 # Update limit.
 # PATCH /v3/limits/{limit_id}
-# Intended scope(s): system
-#"identity:update_limit": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:update_limit": "rule:admin_required"
 # Delete limit.
 # DELETE /v3/limits/{limit_id}
-# Intended scope(s): system
-#"identity:delete_limit": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_limit": "rule:admin_required"
 # Create a new federated mapping containing one or more sets of rules.
 # PUT /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:create_mapping": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_mapping": "rule:admin_required"
 # DEPRECATED
 # "identity:create_mapping":"rule:admin_required" has been deprecated
-# since S in favor of "identity:create_mapping":"role:admin and
-# system_scope:all".
+# since S in favor of "identity:create_mapping":"rule:admin_required".
 # The federated mapping API is now aware of system scope and default
 # roles.
 # Get a federated mapping.
 # GET /v3/OS-FEDERATION/mappings/{mapping_id}
 # HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:get_mapping": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_mapping": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_mapping":"rule:admin_required" has been deprecated
-# since S in favor of "identity:get_mapping":"role:reader and
-# system_scope:all".
+# since S in favor of "identity:get_mapping":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The federated mapping API is now aware of system scope and default
 # roles.
 # List federated mappings.
 # GET /v3/OS-FEDERATION/mappings
 # HEAD /v3/OS-FEDERATION/mappings
-# Intended scope(s): system
-#"identity:list_mappings": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_mappings": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_mappings":"rule:admin_required" has been deprecated
-# since S in favor of "identity:list_mappings":"role:reader and
-# system_scope:all".
+# since S in favor of "identity:list_mappings":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The federated mapping API is now aware of system scope and default
 # roles.
 # Delete a federated mapping.
 # DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:delete_mapping": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_mapping": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_mapping":"rule:admin_required" has been deprecated
-# since S in favor of "identity:delete_mapping":"role:admin and
-# system_scope:all".
+# since S in favor of "identity:delete_mapping":"rule:admin_required".
 # The federated mapping API is now aware of system scope and default
 # roles.
 # Update a federated mapping.
 # PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
-# Intended scope(s): system
-#"identity:update_mapping": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:update_mapping": "rule:admin_required"
 # DEPRECATED
 # "identity:update_mapping":"rule:admin_required" has been deprecated
-# since S in favor of "identity:update_mapping":"role:admin and
-# system_scope:all".
+# since S in favor of "identity:update_mapping":"rule:admin_required".
 # The federated mapping API is now aware of system scope and default
 # roles.
 # Show policy details.
 # GET /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:get_policy": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_policy": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_policy":"rule:admin_required" has been deprecated
-# since T in favor of "identity:get_policy":"role:reader and
-# system_scope:all".
+# since T in favor of "identity:get_policy":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The policy API is now aware of system scope and default roles.
 # List policies.
 # GET /v3/policies
-# Intended scope(s): system
-#"identity:list_policies": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_policies": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_policies":"rule:admin_required" has been deprecated
-# since T in favor of "identity:list_policies":"role:reader and
-# system_scope:all".
+# since T in favor of "identity:list_policies":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The policy API is now aware of system scope and default roles.
 # Create policy.
 # POST /v3/policies
-# Intended scope(s): system
-#"identity:create_policy": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_policy": "rule:admin_required"
 # DEPRECATED
 # "identity:create_policy":"rule:admin_required" has been deprecated
-# since T in favor of "identity:create_policy":"role:admin and
-# system_scope:all".
+# since T in favor of "identity:create_policy":"rule:admin_required".
 # The policy API is now aware of system scope and default roles.
 # Update policy.
 # PATCH /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:update_policy": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:update_policy": "rule:admin_required"
 # DEPRECATED
 # "identity:update_policy":"rule:admin_required" has been deprecated
-# since T in favor of "identity:update_policy":"role:admin and
-# system_scope:all".
+# since T in favor of "identity:update_policy":"rule:admin_required".
 # The policy API is now aware of system scope and default roles.
 # Delete policy.
 # DELETE /v3/policies/{policy_id}
-# Intended scope(s): system
-#"identity:delete_policy": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_policy": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_policy":"rule:admin_required" has been deprecated
-# since T in favor of "identity:delete_policy":"role:admin and
-# system_scope:all".
+# since T in favor of "identity:delete_policy":"rule:admin_required".
 # The policy API is now aware of system scope and default roles.
 # Associate a policy to a specific endpoint.
 # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_policy_association_for_endpoint": "rule:admin_required"
 # DEPRECATED
 # "identity:create_policy_association_for_endpoint":"rule:admin_requir
-# ed" has been deprecated since T in favor of
-# "identity:create_policy_association_for_endpoint":"role:admin and
-# system_scope:all".
+# ed" has been deprecated since T in favor of "identity:create_policy_
+# association_for_endpoint":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Check policy association for endpoint.
 # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
 # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_policy_association_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_policy_association_for_endpoint":"rule:admin_require
-# d" has been deprecated since T in favor of
-# "identity:check_policy_association_for_endpoint":"role:reader and
-# system_scope:all".
+# d" has been deprecated since T in favor of "identity:check_policy_as
+# sociation_for_endpoint":"rule:admin_required or (role:reader and
+# system_scope:all)".
 # The policy association API is now aware of system scope and default
 # roles.
 # Delete policy association for endpoint.
 # DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_policy_association_for_endpoint": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_policy_association_for_endpoint":"rule:admin_requir
-# ed" has been deprecated since T in favor of
-# "identity:delete_policy_association_for_endpoint":"role:admin and
-# system_scope:all".
+# ed" has been deprecated since T in favor of "identity:delete_policy_
+# association_for_endpoint":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Associate a policy to a specific service.
 # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_service": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_policy_association_for_service": "rule:admin_required"
 # DEPRECATED
 # "identity:create_policy_association_for_service":"rule:admin_require
-# d" has been deprecated since T in favor of
-# "identity:create_policy_association_for_service":"role:admin and
-# system_scope:all".
+# d" has been deprecated since T in favor of "identity:create_policy_a
+# ssociation_for_service":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Check policy association for service.
 # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
 # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_service": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_policy_association_for_service": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_policy_association_for_service":"rule:admin_required
 # " has been deprecated since T in favor of
-# "identity:check_policy_association_for_service":"role:reader and
-# system_scope:all".
+# "identity:check_policy_association_for_service":"rule:admin_required
+# or (role:reader and system_scope:all)".
 # The policy association API is now aware of system scope and default
 # roles.
 # Delete policy association for service.
 # DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_service": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_policy_association_for_service": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_policy_association_for_service":"rule:admin_require
-# d" has been deprecated since T in favor of
-# "identity:delete_policy_association_for_service":"role:admin and
-# system_scope:all".
+# d" has been deprecated since T in favor of "identity:delete_policy_a
+# ssociation_for_service":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Associate a policy to a specific region and service combination.
 # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_policy_association_for_region_and_service": "rule:admin_required"
 # DEPRECATED
 # "identity:create_policy_association_for_region_and_service":"rule:ad
 # min_required" has been deprecated since T in favor of "identity:crea
-# te_policy_association_for_region_and_service":"role:admin and
-# system_scope:all".
+# te_policy_association_for_region_and_service":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Check policy association for region and service.
 # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
 # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_policy_association_for_region_and_service": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_policy_association_for_region_and_service":"rule:adm
 # in_required" has been deprecated since T in favor of "identity:check
-# _policy_association_for_region_and_service":"role:reader and
-# system_scope:all".
+# _policy_association_for_region_and_service":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The policy association API is now aware of system scope and default
 # roles.
 # Delete policy association for region and service.
 # DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
-# Intended scope(s): system
-#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_policy_association_for_region_and_service":"rule:ad
 # min_required" has been deprecated since T in favor of "identity:dele
-# te_policy_association_for_region_and_service":"role:admin and
-# system_scope:all".
+# te_policy_association_for_region_and_service":"rule:admin_required".
 # The policy association API is now aware of system scope and default
 # roles.
 # Get policy for endpoint.
 # GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
 # HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
-# Intended scope(s): system
-#"identity:get_policy_for_endpoint": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_policy_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_policy_for_endpoint":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:get_policy_for_endpoint":"role:reader and
-# system_scope:all".
+# "identity:get_policy_for_endpoint":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The policy association API is now aware of system scope and default
 # roles.
 # List endpoints for policy.
 # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
-# Intended scope(s): system
-#"identity:list_endpoints_for_policy": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_endpoints_for_policy": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_endpoints_for_policy":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:list_endpoints_for_policy":"role:reader and
-# system_scope:all".
+# "identity:list_endpoints_for_policy":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The policy association API is now aware of system scope and default
 # roles.
 # Show project details.
 # GET /v3/projects/{project_id}
 # Intended scope(s): system, domain, project
-#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+#"identity:get_project": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
 # DEPRECATED
 # "identity:get_project":"rule:admin_required or
 # project_id:%(target.project.id)s" has been deprecated since S in
-# favor of "identity:get_project":"(role:reader and system_scope:all)
-# or (role:reader and domain_id:%(target.project.domain_id)s) or
+# favor of "identity:get_project":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
+# domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
 # The project API is now aware of system scope and default roles.
 # List projects.
 # GET /v3/projects
-# Intended scope(s): system, domain
-#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:list_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
 # DEPRECATED
 # "identity:list_projects":"rule:admin_required" has been deprecated
-# since S in favor of "identity:list_projects":"(role:reader and
-# system_scope:all) or (role:reader and
+# since S in favor of "identity:list_projects":"(rule:admin_required)
+# or (role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.domain_id)s)".
 # The project API is now aware of system scope and default roles.
 # List projects for user.
 # GET /v3/users/{user_id}/projects
 # Intended scope(s): system, domain, project
-#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
+#"identity:list_user_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
 # DEPRECATED
 # "identity:list_user_projects":"rule:admin_or_owner" has been
 # deprecated since S in favor of
-# "identity:list_user_projects":"(role:reader and system_scope:all) or
-# (role:reader and domain_id:%(target.user.domain_id)s) or
-# user_id:%(target.user.id)s".
+# "identity:list_user_projects":"(rule:admin_required) or (role:reader
+# and system_scope:all) or (role:reader and
+# domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s".
 # The project API is now aware of system scope and default roles.
 # Create project.
 # POST /v3/projects
-# Intended scope(s): system, domain
-#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:create_project": "rule:admin_required"
 # DEPRECATED
 # "identity:create_project":"rule:admin_required" has been deprecated
-# since S in favor of "identity:create_project":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.project.domain_id)s)".
+# since S in favor of "identity:create_project":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # Update project.
 # PATCH /v3/projects/{project_id}
-# Intended scope(s): system, domain
-#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:update_project": "rule:admin_required"
 # DEPRECATED
 # "identity:update_project":"rule:admin_required" has been deprecated
-# since S in favor of "identity:update_project":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.project.domain_id)s)".
+# since S in favor of "identity:update_project":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # Delete project.
 # DELETE /v3/projects/{project_id}
-# Intended scope(s): system, domain
-#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+# Intended scope(s): system, domain, project
+#"identity:delete_project": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_project":"rule:admin_required" has been deprecated
-# since S in favor of "identity:delete_project":"(role:admin and
-# system_scope:all) or (role:admin and
-# domain_id:%(target.project.domain_id)s)".
+# since S in favor of "identity:delete_project":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # List tags for a project.
 # GET /v3/projects/{project_id}/tags
 # HEAD /v3/projects/{project_id}/tags
 # Intended scope(s): system, domain, project
-#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+#"identity:list_project_tags": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
 # DEPRECATED
 # "identity:list_project_tags":"rule:admin_required or
 # project_id:%(target.project.id)s" has been deprecated since T in
-# favor of "identity:list_project_tags":"(role:reader and
-# system_scope:all) or (role:reader and
+# favor of "identity:list_project_tags":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
 # The project API is now aware of system scope and default roles.
@@ -1544,13 +1514,13 @@
 # GET /v3/projects/{project_id}/tags/{value}
 # HEAD /v3/projects/{project_id}/tags/{value}
 # Intended scope(s): system, domain, project
-#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+#"identity:get_project_tag": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
 # DEPRECATED
 # "identity:get_project_tag":"rule:admin_required or
 # project_id:%(target.project.id)s" has been deprecated since T in
-# favor of "identity:get_project_tag":"(role:reader and
-# system_scope:all) or (role:reader and
+# favor of "identity:get_project_tag":"(rule:admin_required) or
+# (role:reader and system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
 # The project API is now aware of system scope and default roles.
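Review bot: The admin rules in this hunk lose their target binding and nothing in the commit calls that out: `identity:create_project`, `identity:update_project` and `identity:delete_project` go from `(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)` to a bare `rule:admin_required`, and the project-tag write rules in the next hunk (`identity:update_project_tags`, `identity:create_project_tag`, `identity:delete_project_tags`, `identity:delete_project_tag`) likewise drop their `domain_id` and `project_id` terms. This mirrors the keystone defaults the sync is taken from, but since Horizon presumably evaluates these rules against the user's project-scoped token, an admin-role user is no longer limited to targets in their own domain or project as far as Horizon's own checks go, which changes which panels and actions are offered. Several DEPRECATED notices in the same hunks now name a replacement identical to the deprecated rule, e.g. `# since S in favor of "identity:create_mapping":"rule:admin_required".`, so they no longer tell an operator what actually changed. A release note spelling out the scope widening and the dropped domain/project binding would let deployments that carry custom keystone policy overrides re-check them against these defaults.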
@@ -1558,65 +1528,57 @@
 # Replace all tags on a project with the new set of tags.
 # PUT /v3/projects/{project_id}/tags
 # Intended scope(s): system, domain, project
-#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+#"identity:update_project_tags": "rule:admin_required"
 # DEPRECATED
 # "identity:update_project_tags":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:update_project_tags":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.project.domain_id)s) or
-# (role:admin and project_id:%(target.project.id)s)".
+# "identity:update_project_tags":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # Add a single tag to a project.
 # PUT /v3/projects/{project_id}/tags/{value}
 # Intended scope(s): system, domain, project
-#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+#"identity:create_project_tag": "rule:admin_required"
 # DEPRECATED
 # "identity:create_project_tag":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:create_project_tag":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.project.domain_id)s) or
-# (role:admin and project_id:%(target.project.id)s)".
+# "identity:create_project_tag":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # Remove all tags from a project.
 # DELETE /v3/projects/{project_id}/tags
 # Intended scope(s): system, domain, project
-#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+#"identity:delete_project_tags": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_project_tags":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:delete_project_tags":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.project.domain_id)s) or
-# (role:admin and project_id:%(target.project.id)s)".
+# "identity:delete_project_tags":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # Delete a specified tag from project.
 # DELETE /v3/projects/{project_id}/tags/{value}
 # Intended scope(s): system, domain, project
-#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+#"identity:delete_project_tag": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_project_tag":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:delete_project_tag":"(role:admin and system_scope:all) or
-# (role:admin and domain_id:%(target.project.domain_id)s) or
-# (role:admin and project_id:%(target.project.id)s)".
+# "identity:delete_project_tag":"rule:admin_required".
 # The project API is now aware of system scope and default roles.
 # List projects allowed to access an endpoint.
 # GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
-# Intended scope(s): system
-#"identity:list_projects_for_endpoint": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_projects_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_projects_for_endpoint":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:list_projects_for_endpoint":"role:reader and
-# system_scope:all".
+# "identity:list_projects_for_endpoint":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # As of the Train release, the project endpoint API now understands
 # default roles and system-scoped tokens, making the API more granular
 # by default without compromising security. The new policy defaults
@@ -1626,14 +1588,13 @@
 # Allow project to access an endpoint.
 # PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:add_endpoint_to_project": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:add_endpoint_to_project": "rule:admin_required"
 # DEPRECATED
 # "identity:add_endpoint_to_project":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:add_endpoint_to_project":"role:admin and
-# system_scope:all".
+# "identity:add_endpoint_to_project":"rule:admin_required".
 # As of the Train release, the project endpoint API now understands
 # default roles and system-scoped tokens, making the API more granular
 # by default without compromising security. The new policy defaults
@@ -1644,14 +1605,14 @@
 # Check if a project is allowed to access an endpoint.
 # GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
 # HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:check_endpoint_in_project": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:check_endpoint_in_project": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:check_endpoint_in_project":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:check_endpoint_in_project":"role:reader and
-# system_scope:all".
+# "identity:check_endpoint_in_project":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # As of the Train release, the project endpoint API now understands
 # default roles and system-scoped tokens, making the API more granular
 # by default without compromising security. The new policy defaults
@@ -1661,14 +1622,14 @@
 # List the endpoints a project is allowed to access.
 # GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
-# Intended scope(s): system
-#"identity:list_endpoints_for_project": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_endpoints_for_project": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_endpoints_for_project":"rule:admin_required" has been
 # deprecated since T in favor of
-# "identity:list_endpoints_for_project":"role:reader and
-# system_scope:all".
+# "identity:list_endpoints_for_project":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # As of the Train release, the project endpoint API now understands
 # default roles and system-scoped tokens, making the API more granular
 # by default without compromising security. The new policy defaults
@@ -1679,14 +1640,13 @@
 # Remove access to an endpoint from a project that has previously been
 # given explicit access.
 # DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
-# Intended scope(s): system
-#"identity:remove_endpoint_from_project": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:remove_endpoint_from_project": "rule:admin_required"
 # DEPRECATED
 # "identity:remove_endpoint_from_project":"rule:admin_required" has
 # been deprecated since T in favor of
-# "identity:remove_endpoint_from_project":"role:admin and
-# system_scope:all".
+# "identity:remove_endpoint_from_project":"rule:admin_required".
 # As of the Train release, the project endpoint API now understands
 # default roles and system-scoped tokens, making the API more granular
 # by default without compromising security. The new policy defaults
@@ -1696,61 +1656,61 @@
 # Create federated protocol.
 # PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
-# Intended scope(s): system
-#"identity:create_protocol": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:create_protocol": "rule:admin_required"
 # DEPRECATED
 # "identity:create_protocol":"rule:admin_required" has been deprecated
-# since S in favor of "identity:create_protocol":"role:admin and
-# system_scope:all".
+# since S in favor of
+# "identity:create_protocol":"rule:admin_required".
 # The federated protocol API is now aware of system scope and default
 # roles.
 # Update federated protocol.
 # PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
-# Intended scope(s): system
-#"identity:update_protocol": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:update_protocol": "rule:admin_required"
 # DEPRECATED
 # "identity:update_protocol":"rule:admin_required" has been deprecated
-# since S in favor of "identity:update_protocol":"role:admin and
-# system_scope:all".
+# since S in favor of
+# "identity:update_protocol":"rule:admin_required".
 # The federated protocol API is now aware of system scope and default
 # roles.
 # Get federated protocol.
 # GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
-# Intended scope(s): system
-#"identity:get_protocol": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:get_protocol": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:get_protocol":"rule:admin_required" has been deprecated
-# since S in favor of "identity:get_protocol":"role:reader and
-# system_scope:all".
+# since S in favor of "identity:get_protocol":"rule:admin_required or
+# (role:reader and system_scope:all)".
 # The federated protocol API is now aware of system scope and default
 # roles.
 # List federated protocols.
 # GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
-# Intended scope(s): system
-#"identity:list_protocols": "role:reader and system_scope:all"
+# Intended scope(s): system, project
+#"identity:list_protocols": "rule:admin_required or (role:reader and system_scope:all)"
 # DEPRECATED
 # "identity:list_protocols":"rule:admin_required" has been deprecated
-# since S in favor of "identity:list_protocols":"role:reader and
-# system_scope:all".
+# since S in favor of "identity:list_protocols":"rule:admin_required
+# or (role:reader and system_scope:all)".
 # The federated protocol API is now aware of system scope and default
 # roles.
 # Delete federated protocol.
 # DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
-# Intended scope(s): system
-#"identity:delete_protocol": "role:admin and system_scope:all"
+# Intended scope(s): system, project
+#"identity:delete_protocol": "rule:admin_required"
 # DEPRECATED
 # "identity:delete_protocol":"rule:admin_required" has been deprecated
-# since S in favor of "identity:delete_protocol":"role:admin and
-# system_scope:all".
+# since S in favor of
+# "identity:delete_protocol":"rule:admin_required".
 # The federated protocol API is now aware of system scope and default
 # roles.
@@ -1769,35 +1729,32 @@ # Create region. # POST /v3/regions # PUT /v3/regions/{region_id} -# Intended scope(s): system -#"identity:create_region": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_region": "rule:admin_required" # DEPRECATED # "identity:create_region":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_region":"role:admin and -# system_scope:all". +# since S in favor of "identity:create_region":"rule:admin_required". # The region API is now aware of system scope and default roles. # Update region. # PATCH /v3/regions/{region_id} -# Intended scope(s): system -#"identity:update_region": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_region": "rule:admin_required" # DEPRECATED # "identity:update_region":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_region":"role:admin and -# system_scope:all". +# since S in favor of "identity:update_region":"rule:admin_required". # The region API is now aware of system scope and default roles. # Delete region. # DELETE /v3/regions/{region_id} -# Intended scope(s): system -#"identity:delete_region": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_region": "rule:admin_required" # DEPRECATED # "identity:delete_region":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_region":"role:admin and -# system_scope:all". +# since S in favor of "identity:delete_region":"rule:admin_required". # The region API is now aware of system scope and default roles. # Show registered limit details. 
@@ -1814,284 +1771,277 @@ # Create registered limits. # POST /v3/registered_limits -# Intended scope(s): system -#"identity:create_registered_limits": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_registered_limits": "rule:admin_required" # Update registered limit. # PATCH /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:update_registered_limit": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_registered_limit": "rule:admin_required" # Delete registered limit. # DELETE /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:delete_registered_limit": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_registered_limit": "rule:admin_required" # List revocation events. # GET /v3/OS-REVOKE/events -# Intended scope(s): system +# Intended scope(s): system, project #"identity:list_revoke_events": "rule:service_or_admin" # Show role details. # GET /v3/roles/{role_id} # HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_role": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_role":"rule:admin_required" has been deprecated since -# S in favor of "identity:get_role":"role:reader and -# system_scope:all". +# S in favor of "identity:get_role":"rule:admin_required or +# (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # List roles. 
# GET /v3/roles # HEAD /v3/roles -# Intended scope(s): system -#"identity:list_roles": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_roles": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_roles":"rule:admin_required" has been deprecated -# since S in favor of "identity:list_roles":"role:reader and -# system_scope:all". +# since S in favor of "identity:list_roles":"rule:admin_required or +# (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # Create role. # POST /v3/roles -# Intended scope(s): system -#"identity:create_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_role": "rule:admin_required" # DEPRECATED # "identity:create_role":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_role":"role:admin and -# system_scope:all". +# since S in favor of "identity:create_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Update role. # PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_role": "rule:admin_required" # DEPRECATED # "identity:update_role":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_role":"role:admin and -# system_scope:all". +# since S in favor of "identity:update_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Delete role. # DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_role": "rule:admin_required" # DEPRECATED # "identity:delete_role":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_role":"role:admin and -# system_scope:all". 
+# since S in favor of "identity:delete_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Show domain role. # GET /v3/roles/{role_id} # HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_domain_role": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_domain_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_role":"rule:admin_required" has been deprecated -# since T in favor of "identity:get_domain_role":"role:reader and -# system_scope:all". +# since T in favor of "identity:get_domain_role":"rule:admin_required +# or (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # List domain roles. # GET /v3/roles?domain_id={domain_id} # HEAD /v3/roles?domain_id={domain_id} -# Intended scope(s): system -#"identity:list_domain_roles": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_domain_roles": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_domain_roles":"rule:admin_required" has been # deprecated since T in favor of -# "identity:list_domain_roles":"role:reader and system_scope:all". +# "identity:list_domain_roles":"rule:admin_required or (role:reader +# and system_scope:all)". # The role API is now aware of system scope and default roles. # Create domain role. # POST /v3/roles -# Intended scope(s): system -#"identity:create_domain_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_domain_role": "rule:admin_required" # DEPRECATED # "identity:create_domain_role":"rule:admin_required" has been # deprecated since T in favor of -# "identity:create_domain_role":"role:admin and system_scope:all". +# "identity:create_domain_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Update domain role. 
# PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_domain_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_domain_role": "rule:admin_required" # DEPRECATED # "identity:update_domain_role":"rule:admin_required" has been # deprecated since T in favor of -# "identity:update_domain_role":"role:admin and system_scope:all". +# "identity:update_domain_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Delete domain role. # DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_domain_role": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_domain_role": "rule:admin_required" # DEPRECATED # "identity:delete_domain_role":"rule:admin_required" has been # deprecated since T in favor of -# "identity:delete_domain_role":"role:admin and system_scope:all". +# "identity:delete_domain_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # List role assignments. # GET /v3/role_assignments # HEAD /v3/role_assignments -# Intended scope(s): system, domain -#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" +# Intended scope(s): system, domain, project +#"identity:list_role_assignments": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_role_assignments":"rule:admin_required" has been # deprecated since S in favor of -# "identity:list_role_assignments":"(role:reader and system_scope:all) -# or (role:reader and domain_id:%(target.domain_id)s)". +# "identity:list_role_assignments":"(rule:admin_required) or +# (role:reader and system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". # The assignment API is now aware of system scope and default roles. 
# List all role assignments for a given tree of hierarchical projects. # GET /v3/role_assignments?include_subtree # HEAD /v3/role_assignments?include_subtree # Intended scope(s): system, domain, project -#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" +#"identity:list_role_assignments_for_tree": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_role_assignments_for_tree":"rule:admin_required" has # been deprecated since T in favor of -# "identity:list_role_assignments_for_tree":"(role:reader and -# system_scope:all) or (role:reader and -# domain_id:%(target.project.domain_id)s) or (role:admin and -# project_id:%(target.project.id)s)". +# "identity:list_role_assignments_for_tree":"(rule:admin_required) or +# (role:reader and system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". # The assignment API is now aware of system scope and default roles. # Show service details. # GET /v3/services/{service_id} -# Intended scope(s): system -#"identity:get_service": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_service": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_service":"rule:admin_required" has been deprecated -# since S in favor of "identity:get_service":"role:reader and -# system_scope:all". +# since S in favor of "identity:get_service":"rule:admin_required or +# (role:reader and system_scope:all)". # The service API is now aware of system scope and default roles. # List services. 
# GET /v3/services -# Intended scope(s): system -#"identity:list_services": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_services": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_services":"rule:admin_required" has been deprecated -# since S in favor of "identity:list_services":"role:reader and -# system_scope:all". +# since S in favor of "identity:list_services":"rule:admin_required or +# (role:reader and system_scope:all)". # The service API is now aware of system scope and default roles. # Create service. # POST /v3/services -# Intended scope(s): system -#"identity:create_service": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_service": "rule:admin_required" # DEPRECATED # "identity:create_service":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_service":"role:admin and -# system_scope:all". +# since S in favor of "identity:create_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Update service. # PATCH /v3/services/{service_id} -# Intended scope(s): system -#"identity:update_service": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_service": "rule:admin_required" # DEPRECATED # "identity:update_service":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_service":"role:admin and -# system_scope:all". +# since S in favor of "identity:update_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Delete service. 
# DELETE /v3/services/{service_id} -# Intended scope(s): system -#"identity:delete_service": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_service": "rule:admin_required" # DEPRECATED # "identity:delete_service":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_service":"role:admin and -# system_scope:all". +# since S in favor of "identity:delete_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Create federated service provider. # PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:create_service_provider": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:create_service_provider": "rule:admin_required" # DEPRECATED # "identity:create_service_provider":"rule:admin_required" has been # deprecated since S in favor of -# "identity:create_service_provider":"role:admin and -# system_scope:all". +# "identity:create_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. # List federated service providers. # GET /v3/OS-FEDERATION/service_providers # HEAD /v3/OS-FEDERATION/service_providers -# Intended scope(s): system -#"identity:list_service_providers": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_service_providers": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_service_providers":"rule:admin_required" has been # deprecated since S in favor of -# "identity:list_service_providers":"role:reader and -# system_scope:all". +# "identity:list_service_providers":"rule:admin_required or +# (role:reader and system_scope:all)". # The service provider API is now aware of system scope and default # roles. # Get federated service provider. 
# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} # HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:get_service_provider": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:get_service_provider": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_service_provider":"rule:admin_required" has been # deprecated since S in favor of -# "identity:get_service_provider":"role:reader and system_scope:all". +# "identity:get_service_provider":"rule:admin_required or (role:reader +# and system_scope:all)". # The service provider API is now aware of system scope and default # roles. # Update federated service provider. # PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:update_service_provider": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:update_service_provider": "rule:admin_required" # DEPRECATED # "identity:update_service_provider":"rule:admin_required" has been # deprecated since S in favor of -# "identity:update_service_provider":"role:admin and -# system_scope:all". +# "identity:update_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. # Delete federated service provider. # DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:delete_service_provider": "role:admin and system_scope:all" +# Intended scope(s): system, project +#"identity:delete_service_provider": "rule:admin_required" # DEPRECATED # "identity:delete_service_provider":"rule:admin_required" has been # deprecated since S in favor of -# "identity:delete_service_provider":"role:admin and -# system_scope:all". +# "identity:delete_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. 
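Review bot: The new `identity:list_role_assignments_for_tree` default in this hunk drops the `(role:admin and project_id:%(target.project.id)s)` clause and switches the domain attribute from `target.project.domain_id` to `target.domain_id`, while the operation it documents is still the project-targeted `GET /v3/role_assignments?include_subtree`. If this is a verbatim copy of the keystone sample it was synced from it is fine to land, but it is worth confirming against that tag, because horizon evaluates these rules client-side against target dicts it builds itself and an attribute that is never populated makes that clause silently false in oslo.policy. The other rules in this hunk only prepend `rule:admin_required` to the existing system-reader checks, which is consistent with the rest of the file. The `admin_required` rule itself is defined outside this hunk.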
@@ -2148,65 +2098,67 @@ # List trusts. # GET /v3/OS-TRUST/trusts # HEAD /v3/OS-TRUST/trusts -# Intended scope(s): system -#"identity:list_trusts": "role:reader and system_scope:all" +# Intended scope(s): system, project +#"identity:list_trusts": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_trusts":"rule:admin_required" has been deprecated -# since T in favor of "identity:list_trusts":"role:reader and -# system_scope:all". +# since T in favor of "identity:list_trusts":"rule:admin_required or +# (role:reader and system_scope:all)". # The trust API is now aware of system scope and default roles. # List trusts for trustor. # GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} # HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} # Intended scope(s): system, project -#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" +#"identity:list_trusts_for_trustor": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)" # List trusts for trustee. # GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} # HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} # Intended scope(s): system, project -#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" +#"identity:list_trusts_for_trustee": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)" # List roles delegated by a trust. 
# GET /v3/OS-TRUST/trusts/{trust_id}/roles # HEAD /v3/OS-TRUST/trusts/{trust_id}/roles # Intended scope(s): system, project -#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" +#"identity:list_roles_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user # _id)s or user_id:%(target.trust.trustee_user_id)s" has been # deprecated since T in favor of -# "identity:list_roles_for_trust":"role:reader and system_scope:all or +# "identity:list_roles_for_trust":"(rule:admin_required) or +# (role:reader and system_scope:all or # user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". +# user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Check if trust delegates a particular role. # GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} # HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} # Intended scope(s): system, project -#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" +#"identity:get_role_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i # d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated -# since T in favor of "identity:get_role_for_trust":"role:reader and -# system_scope:all or user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". 
+# since T in favor of +# "identity:get_role_for_trust":"(rule:admin_required) or (role:reader +# and system_scope:all or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Revoke trust. # DELETE /v3/OS-TRUST/trusts/{trust_id} # Intended scope(s): system, project -#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" +#"identity:delete_trust": "rule:admin_required or user_id:%(target.trust.trustor_user_id)s" # DEPRECATED # "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" # has been deprecated since T in favor of -# "identity:delete_trust":"role:admin and system_scope:all or +# "identity:delete_trust":"rule:admin_required or # user_id:%(target.trust.trustor_user_id)s". # The trust API is now aware of system scope and default roles. 
@@ -2214,26 +2166,27 @@ # GET /v3/OS-TRUST/trusts/{trust_id} # HEAD /v3/OS-TRUST/trusts/{trust_id} # Intended scope(s): system, project -#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" +#"identity:get_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or # user_id:%(target.trust.trustee_user_id)s" has been deprecated since -# T in favor of "identity:get_trust":"role:reader and system_scope:all -# or user_id:%(target.trust.trustor_user_id)s or -# user_id:%(target.trust.trustee_user_id)s". +# T in favor of "identity:get_trust":"(rule:admin_required) or +# (role:reader and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Show user details. # GET /v3/users/{user_id} # HEAD /v3/users/{user_id} # Intended scope(s): system, domain, project -#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" +#"identity:get_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" # DEPRECATED # "identity:get_user":"rule:admin_or_owner" has been deprecated since -# S in favor of "identity:get_user":"(role:reader and -# system_scope:all) or (role:reader and +# S in favor of "identity:get_user":"(rule:admin_required) or +# (role:reader and system_scope:all) or (role:reader and # token.domain.id:%(target.user.domain_id)s) or # user_id:%(target.user.id)s". # The user API is now aware of system scope and default roles. 
@@ -2241,13 +2194,13 @@ # List users. # GET /v3/users # HEAD /v3/users -# Intended scope(s): system, domain -#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" +# Intended scope(s): system, domain, project +#"identity:list_users": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_users":"rule:admin_required" has been deprecated -# since S in favor of "identity:list_users":"(role:reader and -# system_scope:all) or (role:reader and +# since S in favor of "identity:list_users":"(rule:admin_required) or +# (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain_id)s)". # The user API is now aware of system scope and default roles. 
@@ -2261,37 +2214,31 @@ # Create a user. # POST /v3/users -# Intended scope(s): system, domain -#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" +# Intended scope(s): system, domain, project +#"identity:create_user": "rule:admin_required" # DEPRECATED # "identity:create_user":"rule:admin_required" has been deprecated -# since S in favor of "identity:create_user":"(role:admin and -# system_scope:all) or (role:admin and -# token.domain.id:%(target.user.domain_id)s)". +# since S in favor of "identity:create_user":"rule:admin_required". # The user API is now aware of system scope and default roles. # Update a user, including administrative password resets. # PATCH /v3/users/{user_id} -# Intended scope(s): system, domain -#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" +# Intended scope(s): system, domain, project +#"identity:update_user": "rule:admin_required" # DEPRECATED # "identity:update_user":"rule:admin_required" has been deprecated -# since S in favor of "identity:update_user":"(role:admin and -# system_scope:all) or (role:admin and -# token.domain.id:%(target.user.domain_id)s)". +# since S in favor of "identity:update_user":"rule:admin_required". # The user API is now aware of system scope and default roles. # Delete a user. # DELETE /v3/users/{user_id} -# Intended scope(s): system, domain -#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" +# Intended scope(s): system, domain, project +#"identity:delete_user": "rule:admin_required" # DEPRECATED # "identity:delete_user":"rule:admin_required" has been deprecated -# since S in favor of "identity:delete_user":"(role:admin and -# system_scope:all) or (role:admin and -# token.domain.id:%(target.user.domain_id)s)". +# since S in favor of "identity:delete_user":"rule:admin_required". 
# The user API is now aware of system scope and default roles. diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml index 583f0da4a5..2705eb3882 100644 --- a/openstack_dashboard/conf/neutron_policy.yaml +++ b/openstack_dashboard/conf/neutron_policy.yaml @@ -1,6 +1,9 @@ # Rule for cloud admin access #"context_is_admin": "role:admin" +# Default rule for the service-to-service APIs. +#"service_api": "role:service" + # Rule for resource owner access #"owner": "tenant_id:%(tenant_id)s" @@ -460,6 +463,12 @@ # project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. +# Get the floating IP tags +# GET /floatingips/{id}/tags +# GET /floatingips/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_floatingips_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" + # Update a floating IP # PUT /floatingips/{id} # Intended scope(s): project @@ -471,6 +480,12 @@ # and project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. +# Update the floating IP tags +# PUT /floatingips/{id}/tags +# PUT /floatingips/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a floating IP # DELETE /floatingips/{id} # Intended scope(s): project @@ -482,6 +497,12 @@ # and project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. +# Delete the floating IP tags +# DELETE /floatingips/{id}/tags +# DELETE /floatingips/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Get floating IP pools # GET /floatingip_pools # Intended scope(s): project 
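Review bot: The new `identity:create_user`, `identity:update_user` and `identity:delete_user` defaults replace the domain-bound `(role:admin and token.domain.id:%(target.user.domain_id)s)` clause with a bare `rule:admin_required`, so the horizon-side check no longer ties a domain admin to the target user's domain. That is only a UI gate and keystone still enforces server-side, but a domain-scoped admin may now be offered user actions in other domains that the API then rejects with a 403, so the identity panels' handling of that error on these three paths is worth a quick check. The generated DEPRECATED paragraphs now read as deprecating `rule:admin_required` in favor of `rule:admin_required`; that is upstream generator output rather than something to hand-edit here, but readers of this file should expect it. The definition of `admin_required` is outside this hunk.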
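Review bot: The new `service_api` rule (`role:service`) introduced at the top of neutron_policy.yaml is referenced by the rewritten `get_network` default on L115 and by the port-binding defaults on L117, and in oslo.policy a `rule:` reference to a name that is not registered fails closed rather than erroring. horizon resolves these names from `default_policies/neutron.yaml`, which the diffstat shows was updated in the same commit, so presumably `service_api` is registered there too; it is worth confirming, since an unregistered reference would make `rule:service_api` evaluate to false everywhere without any log signal. A one-line comment above the new rule, `# Referenced by get_network and the port-binding rules; must also be registered in default_policies/neutron.yaml`, would make the dependency visible to the next sync.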
@@ -948,14 +969,14 @@ # GET /networks # GET /networks/{id} # Intended scope(s): project -#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc" +#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc" # DEPRECATED # "get_network":"rule:admin_or_owner or rule:shared or rule:external # or rule:context_is_advsvc" has been deprecated since W in favor of # "get_network":"(rule:admin_only) or (role:reader and -# project_id:%(project_id)s) or rule:shared or rule:external or -# rule:context_is_advsvc". +# project_id:%(project_id)s) or rule:service_api or rule:shared or +# rule:external or rule:context_is_advsvc". # The network API now supports system scope and default roles. # Get ``segments`` attribute of a network @@ -1005,6 +1026,12 @@ # "get_network:provider:segmentation_id":"rule:admin_only". # The network API now supports system scope and default roles. +# Get the network tags +# GET /networks/{id}/tags +# GET /networks/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_networks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc" + # Update a network # PUT /networks/{id} # Intended scope(s): project @@ -1102,6 +1129,12 @@ # (role:member and project_id:%(project_id)s)". # The network API now supports system scope and default roles. +# Update the network tags +# PUT /networks/{id}/tags +# PUT /networks/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a network # DELETE /networks/{id} # Intended scope(s): project 
@@ -1113,6 +1146,12 @@ # project_id:%(project_id)s)". # The network API now supports system scope and default roles. +# Delete the network tags +# DELETE /networks/{id}/tags +# DELETE /networks/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Get network IP availability # GET /network-ip-availabilities # GET /network-ip-availabilities/{network_id} @@ -1149,6 +1188,12 @@ # The network segment range API now supports project scope and default # roles. +# Get the network segment range tags +# GET /network_segment_ranges/{id}/tags +# GET /network_segment_ranges/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_network_segment_ranges_tags": "rule:admin_only" + # Update a network segment range # PUT /network_segment_ranges/{id} # Intended scope(s): project @@ -1161,6 +1206,12 @@ # The network segment range API now supports project scope and default # roles. +# Update the network segment range tags +# PUT /network_segment_ranges/{id}/tags +# PUT /network_segment_ranges/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_network_segment_ranges_tags": "rule:admin_only" + # Delete a network segment range # DELETE /network_segment_ranges/{id} # Intended scope(s): project 
@@ -1173,25 +1224,31 @@ # The network segment range API now supports project scope and default # roles. +# Delete the network segment range tags +# DELETE /network_segment_ranges/{id}/tags +# DELETE /network_segment_ranges/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_network_segment_ranges_tags": "rule:admin_only" + # Get port binding information # GET /ports/{port_id}/bindings/ # Intended scope(s): project -#"get_port_binding": "rule:admin_only" +#"get_port_binding": "(rule:admin_only) or (rule:service_api)" # Create port binding on the host # POST /ports/{port_id}/bindings/ # Intended scope(s): project -#"create_port_binding": "rule:admin_only" +#"create_port_binding": "rule:service_api" # Delete port binding on the host # DELETE /ports/{port_id}/bindings/ # Intended scope(s): project -#"delete_port_binding": "rule:admin_only" +#"delete_port_binding": "rule:service_api" # Activate port binding on the host # PUT /ports/{port_id}/bindings/{host} # Intended scope(s): project -#"activate": "rule:admin_only" +#"activate": "rule:service_api" # Definition of port with network device_owner #"network_device": "field:port:device_owner=~^network:" 
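Review bot: `create_port_binding`, `delete_port_binding` and `activate` now default to `rule:service_api` alone, so unlike `get_port_binding`, which keeps `(rule:admin_only) or (rule:service_api)`, they no longer admit an admin-role user at all. For the dashboard that is effectively a deny for every interactive user, since dashboard sessions do not carry `role:service`; that matches the upstream intent of reserving bindings for service-to-service calls, but if any horizon panel were to gate an action on these rule names the control would silently disappear for admins, so it is worth confirming none does. No DEPRECATED paragraph accompanies the change from `rule:admin_only` in these three rules, so operators carrying overrides get no deprecation signal from this file.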
@@ -1202,120 +1259,122 @@ # Create a port # POST /ports # Intended scope(s): project -#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" +#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api" # DEPRECATED # "create_port":"rule:regular_user" has been deprecated since W in # favor of "create_port":"(rule:admin_only) or (role:member and -# project_id:%(project_id)s)". +# project_id:%(project_id)s) or rule:service_api". # The port API now supports project scope and default roles. # Specify ``device_owner`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"create_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "create_port:device_owner":"not -# rule:network_device or rule:context_is_advsvc or (rule:admin_only) -# or (role:member and rule:network_owner)". +# rule:network_device or (rule:admin_only) or (rule:service_api) or +# role:member and rule:network_owner". # The port API now supports project scope and default roles. 
# Specify ``mac_address`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:mac_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:mac_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "create_port:mac_address":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner)". +# "create_port:mac_address":"(rule:admin_only) or (rule:service_api) +# or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify ``fixed_ips`` information when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" +#"create_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "create_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated -# since W in favor of "create_port:fixed_ips":"rule:context_is_advsvc -# or (rule:admin_only) or (role:member and rule:network_owner) or +# since W in favor of "create_port:fixed_ips":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. 
# Specify IP address in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner)". +# "create_port:fixed_ips:ip_address":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify subnet ID in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" +#"create_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of -# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner) or +# "create_port:fixed_ips:subnet_id":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. 
# Specify ``port_security_enabled`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"create_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "create_port:port_security_enabled":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner)". +# "create_port:port_security_enabled":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify ``binding:host_id`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:binding:host_id": "rule:admin_only" +#"create_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "create_port:binding:host_id":"rule:admin_only" has been deprecated -# since W in favor of "create_port:binding:host_id":"rule:admin_only". +# since W in favor of "create_port:binding:host_id":"(rule:admin_only) +# or (rule:service_api)". # The port API now supports project scope and default roles. # Specify ``binding:profile`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:binding:profile": "rule:admin_only" +#"create_port:binding:profile": "rule:service_api" # DEPRECATED # "create_port:binding:profile":"rule:admin_only" has been deprecated -# since W in favor of "create_port:binding:profile":"rule:admin_only". +# since W in favor of +# "create_port:binding:profile":"rule:service_api". # The port API now supports project scope and default roles. 
# Specify ``binding:vnic_type`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" +#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api" # DEPRECATED # "create_port:binding:vnic_type":"rule:regular_user" has been # deprecated since W in favor of # "create_port:binding:vnic_type":"(rule:admin_only) or (role:member -# and project_id:%(project_id)s)". +# and project_id:%(project_id)s) or rule:service_api". # The port API now supports project scope and default roles. # Specify ``allowed_address_pairs`` attribute when creating a port @@ -1365,13 +1424,13 @@ # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s" +#"get_port": "(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s" # DEPRECATED # "get_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in -# favor of "get_port":"rule:context_is_advsvc or (rule:admin_only) or -# (role:reader and rule:network_owner) or role:reader and +# favor of "get_port":"(rule:admin_only) or (rule:service_api) or +# role:reader and rule:network_owner or role:reader and # project_id:%(project_id)s". # The port API now supports project scope and default roles. 
@@ -1379,45 +1438,49 @@ # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port:binding:vif_type": "rule:admin_only" +#"get_port:binding:vif_type": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:vif_type":"rule:admin_only" has been deprecated -# since W in favor of "get_port:binding:vif_type":"rule:admin_only". +# since W in favor of "get_port:binding:vif_type":"(rule:admin_only) +# or (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:vif_details`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port:binding:vif_details": "rule:admin_only" +#"get_port:binding:vif_details": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:vif_details":"rule:admin_only" has been deprecated # since W in favor of -# "get_port:binding:vif_details":"rule:admin_only". +# "get_port:binding:vif_details":"(rule:admin_only) or +# (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:host_id`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port:binding:host_id": "rule:admin_only" +#"get_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:host_id":"rule:admin_only" has been deprecated -# since W in favor of "get_port:binding:host_id":"rule:admin_only". +# since W in favor of "get_port:binding:host_id":"(rule:admin_only) or +# (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:profile`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port:binding:profile": "rule:admin_only" +#"get_port:binding:profile": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:profile":"rule:admin_only" has been deprecated -# since W in favor of "get_port:binding:profile":"rule:admin_only". 
+# since W in favor of "get_port:binding:profile":"(rule:admin_only) or +# (rule:service_api)". # The port API now supports project scope and default roles. # Get ``resource_request`` attribute of a port 
@@ -1437,123 +1500,129 @@ # Intended scope(s): project #"get_port:hints": "rule:admin_only" +# Get the port tags +# GET /ports/{id}/tags +# GET /ports/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_ports_tags": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s" + # Update a port # PUT /ports/{id} # Intended scope(s): project -#"update_port": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc" +#"update_port": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has -# been deprecated since W in favor of "update_port":"rule:admin_only -# or role:member and project_id:%(project_id)s or -# rule:context_is_advsvc". +# been deprecated since W in favor of "update_port":"(rule:admin_only) +# or (rule:service_api) or role:member and project_id:%(project_id)s". # The port API now supports project scope and default roles. # Update ``device_owner`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"update_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "update_port:device_owner":"not -# rule:network_device or rule:context_is_advsvc or (rule:admin_only) -# or (role:member and rule:network_owner)". +# rule:network_device or (rule:admin_only) or (rule:service_api) or +# role:member and rule:network_owner". # The port API now supports project scope and default roles. 
# Update ``mac_address`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc" +#"update_port:mac_address": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "update_port:mac_address":"rule:admin_only or # rule:context_is_advsvc" has been deprecated since W in favor of -# "update_port:mac_address":"rule:admin_only or -# rule:context_is_advsvc". +# "update_port:mac_address":"(rule:admin_only) or (rule:service_api)". # The port API now supports project scope and default roles. # Specify ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"update_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "update_port:fixed_ips":"rule:context_is_advsvc or (rule:admin_only) -# or (role:member and rule:network_owner)". +# "update_port:fixed_ips":"(rule:admin_only) or (rule:service_api) or +# role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify IP address in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"update_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner)". 
+# "update_port:fixed_ips:ip_address":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify subnet ID in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" +#"update_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of -# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner) or +# "update_port:fixed_ips:subnet_id":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. # Update ``port_security_enabled`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" +#"update_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "update_port:port_security_enabled":"rule:context_is_advsvc or -# (rule:admin_only) or (role:member and rule:network_owner)". +# "update_port:port_security_enabled":"(rule:admin_only) or +# (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. 
# Update ``binding:host_id`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:binding:host_id": "rule:admin_only" +#"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "update_port:binding:host_id":"rule:admin_only" has been deprecated -# since W in favor of "update_port:binding:host_id":"rule:admin_only". +# since W in favor of "update_port:binding:host_id":"(rule:admin_only) +# or (rule:service_api)". # The port API now supports project scope and default roles. # Update ``binding:profile`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:binding:profile": "rule:admin_only" +#"update_port:binding:profile": "rule:service_api" # DEPRECATED # "update_port:binding:profile":"rule:admin_only" has been deprecated -# since W in favor of "update_port:binding:profile":"rule:admin_only". +# since W in favor of +# "update_port:binding:profile":"rule:service_api". # The port API now supports project scope and default roles. # Update ``binding:vnic_type`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:binding:vnic_type": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc" +#"update_port:binding:vnic_type": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_port:binding:vnic_type":"rule:admin_or_owner or # rule:context_is_advsvc" has been deprecated since W in favor of -# "update_port:binding:vnic_type":"rule:admin_only or role:member and -# project_id:%(project_id)s or rule:context_is_advsvc". +# "update_port:binding:vnic_type":"(rule:admin_only) or +# (rule:service_api) or role:member and project_id:%(project_id)s". # The port API now supports project scope and default roles. # Update ``allowed_address_pairs`` attribute of a port 
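Review bot: The new `get_ports_tags` default keeps `rule:context_is_advsvc` while `get_port` immediately below it has had that term replaced by `rule:service_api`, and the same split recurs in the next hunk, where `update_ports_tags` and `delete_ports_tags` also use `context_is_advsvc` (the `delete_ports_tags` string is the removed `delete_port` string verbatim). With these defaults a service-role caller matches `delete_port` but not `delete_ports_tags`, and an advsvc caller the reverse. If this mirrors the neutron RC it should stay as generated, but it is worth confirming against the neutron source before release rather than hand-editing here, since the file is overwritten on the next sync.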
@@ -1611,19 +1680,31 @@ # Intended scope(s): project #"update_port:hints": "rule:admin_only" +# Update the port tags +# PUT /ports/{id}/tags +# PUT /ports/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_ports_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" + # Delete a port # DELETE /ports/{id} # Intended scope(s): project -#"delete_port": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)" +#"delete_port": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s" # DEPRECATED # "delete_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in -# favor of "delete_port":"rule:context_is_advsvc or role:member and -# project_id:%(project_id)s or (rule:admin_only) or (role:member and -# rule:network_owner)". +# favor of "delete_port":"(rule:admin_only) or (rule:service_api) or +# role:member and rule:network_owner or role:member and +# project_id:%(project_id)s". # The port API now supports project scope and default roles. +# Delete the port tags +# DELETE /ports/{id}/tags +# DELETE /ports/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_ports_tags": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)" + # Rule of shared qos policy #"shared_qos_policy": "field:policies:shared=True" @@ -2208,6 +2289,12 @@ # favor of "get_router:ha":"rule:admin_only". # The router API now supports system scope and default roles. +# Get the router tags +# GET /routers/{id}/tags +# GET /routers/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_routers_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" + # Update a router # PUT /routers/{id} # Intended scope(s): project 
@@ -2300,6 +2387,12 @@ # Intended scope(s): project #"update_router:enable_default_route_ecmp": "rule:admin_only" +# Update the router tags +# PUT /routers/{id}/tags +# PUT /routers/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a router # DELETE /routers/{id} # Intended scope(s): project @@ -2311,6 +2404,12 @@ # project_id:%(project_id)s)". # The router API now supports system scope and default roles. +# Delete the router tags +# DELETE /routers/{id}/tags +# DELETE /routers/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Add an interface to a router # PUT /routers/{id}/add_router_interface # Intended scope(s): project @@ -2364,6 +2463,10 @@ # Definition of a shared security group #"shared_security_group": "field:security_groups:shared=True" +# Definition of a security group rule that belongs to the project +# default security group +#"rule_default_sg": "field:security_group_rules:belongs_to_default_sg=True" + # Create a security group # POST /security-groups # Intended scope(s): project @@ -2387,6 +2490,12 @@ # and project_id:%(project_id)s) or rule:shared_security_group". # The security group API now supports system scope and default roles. +# Get the security group tags +# GET /security-groups/{id}/tags +# GET /security-groups/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_security_groups_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group" + # Update a security group # PUT /security-groups/{id} # Intended scope(s): project 
@@ -2398,6 +2507,12 @@ # (role:member and project_id:%(project_id)s)". # The security group API now supports system scope and default roles. +# Update the security group tags +# PUT /security-groups/{id}/tags +# PUT /security-groups/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a security group # DELETE /security-groups/{id} # Intended scope(s): project @@ -2409,6 +2524,12 @@ # (role:member and project_id:%(project_id)s)". # The security group API now supports system scope and default roles. +# Delete the security group tags +# DELETE /security-groups/{id}/tags +# DELETE /security-groups/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Create a security group rule # POST /security-group-rules # Intended scope(s): project @@ -2467,6 +2588,12 @@ # of "get_segment":"rule:admin_only". # The segment API now supports project scope and default roles. +# Get the segment tags +# GET /segments/{id}/tags +# GET /segments/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_segments_tags": "rule:admin_only" + # Update a segment # PUT /segments/{id} # Intended scope(s): project @@ -2477,6 +2604,12 @@ # favor of "update_segment":"rule:admin_only". # The segment API now supports project scope and default roles. +# Update the segment tags +# PUT /segments/{id}/tags +# PUT /segments/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_segments_tags": "rule:admin_only" + # Delete a segment # DELETE /segments/{id} # Intended scope(s): project 
@@ -2487,6 +2620,12 @@ # favor of "delete_segment":"rule:admin_only". # The segment API now supports project scope and default roles. +# Delete the segment tags +# DELETE /segments/{id}/tags +# DELETE /segments/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_segments_tags": "rule:admin_only" + # Get service providers # GET /service-providers # Intended scope(s): project @@ -2533,12 +2672,13 @@ # GET /subnets # GET /subnets/{id} # Intended scope(s): project -#"get_subnet": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared" +#"get_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared" # DEPRECATED # "get_subnet":"rule:admin_or_owner or rule:shared" has been # deprecated since W in favor of "get_subnet":"(rule:admin_only) or -# (role:reader and project_id:%(project_id)s) or rule:shared". +# (role:member and rule:network_owner) or role:reader and +# project_id:%(project_id)s or rule:shared". # The subnet API now supports system scope and default roles. # Get ``segment_id`` attribute of a subnet 
@@ -2552,15 +2692,22 @@ # W in favor of "get_subnet:segment_id":"rule:admin_only". # The subnet API now supports system scope and default roles. +# Get the subnet tags +# GET /subnets/{id}/tags +# GET /subnets/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared" + # Update a subnet # PUT /subnets/{id} # Intended scope(s): project -#"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" +#"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "update_subnet":"(rule:admin_only) or -# (role:member and rule:network_owner)". +# (role:member and rule:network_owner) or role:member and +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Update ``segment_id`` attribute of a subnet 
@@ -2583,17 +2730,30 @@ # since W in favor of "update_subnet:service_types":"rule:admin_only". # The subnet API now supports system scope and default roles. +# Update the subnet tags +# PUT /subnets/{id}/tags +# PUT /subnets/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" + # Delete a subnet # DELETE /subnets/{id} # Intended scope(s): project -#"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" +#"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # DEPRECATED # "delete_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "delete_subnet":"(rule:admin_only) or -# (role:member and rule:network_owner)". +# (role:member and rule:network_owner) or role:member and +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. +# Delete the subnet tags +# DELETE /subnets/{id}/tags +# DELETE /subnets/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" + # Definition of a shared subnetpool #"shared_subnetpools": "field:subnetpools:shared=True" @@ -2642,6 +2802,12 @@ # project_id:%(project_id)s) or rule:shared_subnetpools". # The subnet pool API now supports system scope and default roles. +# Get the subnetpool tags +# GET /subnetpools/{id}/tags +# GET /subnetpools/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_subnetpools_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools" + # Update a subnetpool # PUT /subnetpools/{id} # Intended scope(s): project 
@@ -2664,6 +2830,12 @@ # "update_subnetpool:is_default":"rule:admin_only". # The subnet pool API now supports system scope and default roles. +# Update the subnetpool tags +# PUT /subnetpools/{id}/tags +# PUT /subnetpools/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a subnetpool # DELETE /subnetpools/{id} # Intended scope(s): project @@ -2675,6 +2847,12 @@ # and project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. +# Delete the subnetpool tags +# DELETE /subnetpools/{id}/tags +# DELETE /subnetpools/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Onboard existing subnet into a subnetpool # PUT /subnetpools/{id}/onboard_network_subnets # Intended scope(s): project @@ -2731,6 +2909,12 @@ # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. +# Get the trunk tags +# GET /trunks/{id}/tags +# GET /trunks/{id}/tags/{tag_id} +# Intended scope(s): project +#"get_trunks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" + # Update a trunk # PUT /trunks/{id} # Intended scope(s): project @@ -2742,6 +2926,12 @@ # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. +# Update the trunk tags +# PUT /trunks/{id}/tags +# PUT /trunks/{id}/tags/{tag_id} +# Intended scope(s): project +#"update_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # Delete a trunk # DELETE /trunks/{id} # Intended scope(s): project 
@@ -2753,6 +2943,12 @@ # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. +# Delete a trunk +# DELETE /trunks/{id}/tags +# DELETE /trunks/{id}/tags/{tag_id} +# Intended scope(s): project +#"delete_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" + # List subports attached to a trunk # GET /trunks/{id}/get_subports # Intended scope(s): project diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml index 82c55b845d..7e8c2766ee 100644 --- a/openstack_dashboard/conf/nova_policy.yaml +++ b/openstack_dashboard/conf/nova_policy.yaml @@ -1299,7 +1299,7 @@ # Intended scope(s): project #"os_compute_api:os-pause-server:unpause": "rule:project_member_or_admin" -# List quotas for specific quota classs +# List quotas for specific quota classes # GET /os-quota-class-sets/{quota_class} # Intended scope(s): project #"os_compute_api:os-quota-class-sets:show": "rule:context_is_admin" @@ -1339,9 +1339,8 @@ # This policy is for ``POST /remote-consoles`` API and below Server # actions APIs are deprecated: # -# - ``os-getRDPConsole`` - ``os-getSerialConsole`` - ``os- -# getSPICEConsole`` - ``os-getVNCConsole``. -# POST /servers/{server_id}/action (os-getRDPConsole) +# - ``os-getSerialConsole`` - ``os-getSPICEConsole`` - ``os- +# getVNCConsole``. # POST /servers/{server_id}/action (os-getSerialConsole) # POST /servers/{server_id}/action (os-getSPICEConsole) # POST /servers/{server_id}/action (os-getVNCConsole) 
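Review bot: The description added above `delete_trunks_tags` reads `# Delete a trunk`, which is the description of the `delete_trunk` rule, not of the tags endpoints listed under it; the sibling entries read `# Get the trunk tags` and `# Update the trunk tags`, so this line should be `# Delete the trunk tags`. Since this file is generated from neutron's policy definitions, the wording presumably comes from upstream and is best corrected there, otherwise a local edit is lost on the next sync.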
@@ -1805,7 +1804,7 @@ # "os_compute_api:servers:show:flavor-extra- # specs":"rule:project_reader_or_admin". # Policies for showing flavor extra specs in server APIs response is -# seprated as new policy. This policy is deprecated only for that but +# separated as new policy. This policy is deprecated only for that but # not for list extra specs and showing it in flavor API response. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being