diff --git a/openstack_dashboard/conf/cinder_policy.yaml b/openstack_dashboard/conf/cinder_policy.yaml index ab30bae09d..f4d54075d3 100644 --- a/openstack_dashboard/conf/cinder_policy.yaml +++ b/openstack_dashboard/conf/cinder_policy.yaml @@ -454,7 +454,16 @@ # since X in favor of "group:group_types:create":"rule:admin_api". # group:group_types_manage has been replaced by more granular policies # that separately govern POST, PUT, and DELETE operations. -#"group:group_types_manage": "rule:group:group_types:create" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_manage": "rule:group:group_types:create" # Update a group type. # PUT /group_types/{group_type_id} @@ -465,7 +474,16 @@ # since X in favor of "group:group_types:update":"rule:admin_api". # group:group_types_manage has been replaced by more granular policies # that separately govern POST, PUT, and DELETE operations. -#"group:group_types_manage": "rule:group:group_types:update" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_manage": "rule:group:group_types:update" # Delete a group type. # DELETE /group_types/{group_type_id} 
@@ -476,7 +494,16 @@ # since X in favor of "group:group_types:delete":"rule:admin_api". # group:group_types_manage has been replaced by more granular policies # that separately govern POST, PUT, and DELETE operations. -#"group:group_types_manage": "rule:group:group_types:delete" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_manage": "rule:group:group_types:delete" # Show group type with type specs attributes. # GET /group_types/{group_type_id} @@ -491,7 +518,16 @@ # X in favor of "group:group_types_specs:get":"rule:admin_api". # group:group_types_specs has been replaced by more granular policies # that separately govern GET, POST, PUT, and DELETE operations. -#"group:group_types_specs": "rule:group:group_types_specs:get" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_specs": "rule:group:group_types_specs:get" # List group type specs. # GET /group_types/{group_type_id}/group_specs 
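Review bot: The three commented fallback lines these hunks add all carry the same key, `# "group:group_types_manage": ...`, mapped in turn to `rule:group:group_types:create`, `:update` and `:delete`; a YAML mapping cannot hold duplicate keys, so an operator who follows the WARNING text and uncomments all three as aliases will have only one of them honoured (a PyYAML-based loader keeps the last occurrence, which here is `:delete`) and the create/update fallbacks silently dropped. The generated WARNING block does not say this, and the same pattern repeats for `group:group_types_specs`, `volume_extension:quota_classes`, `volume_extension:types_manage` and `volume_extension:volume_image_metadata` further down. I would add one line next to each repeated key, e.g. `# NOTE: this legacy key appears once per new rule; a YAML mapping can alias it to only ONE of them, so grant the new granular rules directly instead.`. If the intent is to keep the old name working for all three operations, that needs a single alias to a rule that covers them, not three entries.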
@@ -502,7 +538,16 @@ # X in favor of "group:group_types_specs:get_all":"rule:admin_api". # group:group_types_specs has been replaced by more granular policies # that separately govern GET, POST, PUT, and DELETE operations. -#"group:group_types_specs": "rule:group:group_types_specs:get_all" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_specs": "rule:group:group_types_specs:get_all" # Create a group type spec. # POST /group_types/{group_type_id}/group_specs @@ -513,7 +558,16 @@ # X in favor of "group:group_types_specs:create":"rule:admin_api". # group:group_types_specs has been replaced by more granular policies # that separately govern GET, POST, PUT, and DELETE operations. -#"group:group_types_specs": "rule:group:group_types_specs:create" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_specs": "rule:group:group_types_specs:create" # Update a group type spec. # PUT /group_types/{group_type_id}/group_specs/{g_spec_id} 
@@ -524,7 +578,16 @@ # X in favor of "group:group_types_specs:update":"rule:admin_api". # group:group_types_specs has been replaced by more granular policies # that separately govern GET, POST, PUT, and DELETE operations. -#"group:group_types_specs": "rule:group:group_types_specs:update" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_specs": "rule:group:group_types_specs:update" # Delete a group type spec. # DELETE /group_types/{group_type_id}/group_specs/{g_spec_id} @@ -535,7 +598,16 @@ # X in favor of "group:group_types_specs:delete":"rule:admin_api". # group:group_types_specs has been replaced by more granular policies # that separately govern GET, POST, PUT, and DELETE operations. -#"group:group_types_specs": "rule:group:group_types_specs:delete" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "group:group_types_specs": "rule:group:group_types_specs:delete" # List group snapshots. # GET /group_snapshots 
@@ -715,7 +787,16 @@ # "volume_extension:quota_classes:get":"rule:admin_api". # volume_extension:quota_classes has been replaced by more granular # policies that separately govern GET and PUT operations. -#"volume_extension:quota_classes": "rule:volume_extension:quota_classes:get" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:quota_classes": "rule:volume_extension:quota_classes:get" # Update project quota class. # PUT /os-quota-class-sets/{project_id} @@ -727,7 +808,16 @@ # "volume_extension:quota_classes:update":"rule:admin_api". # volume_extension:quota_classes has been replaced by more granular # policies that separately govern GET and PUT operations. -#"volume_extension:quota_classes": "rule:volume_extension:quota_classes:update" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:quota_classes": "rule:volume_extension:quota_classes:update" # Show project quota (including usage and default). # GET /os-quota-sets/{project_id} 
@@ -819,7 +909,16 @@ # since X in favor of "volume_extension:type_create":"rule:admin_api". # volume_extension:types_manage has been replaced by more granular # policies that separately govern POST, PUT, and DELETE operations. -#"volume_extension:types_manage": "rule:volume_extension:type_create" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:types_manage": "rule:volume_extension:type_create" # Update volume type. # PUT /types @@ -830,7 +929,16 @@ # since X in favor of "volume_extension:type_update":"rule:admin_api". # volume_extension:types_manage has been replaced by more granular # policies that separately govern POST, PUT, and DELETE operations. -#"volume_extension:types_manage": "rule:volume_extension:type_update" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:types_manage": "rule:volume_extension:type_update" # Delete volume type. # DELETE /types 
@@ -841,7 +949,16 @@ # since X in favor of "volume_extension:type_delete":"rule:admin_api". # volume_extension:types_manage has been replaced by more granular # policies that separately govern POST, PUT, and DELETE operations. -#"volume_extension:types_manage": "rule:volume_extension:type_delete" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:types_manage": "rule:volume_extension:type_delete" # Get one specific volume type. # GET /types/{type_id} @@ -1351,7 +1468,16 @@ # volume_extension:volume_image_metadata has been replaced by more # granular policies that separately govern show, set, and remove # operations. -#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:show" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:show" # Set image metadata for a volume # POST /volumes/{volume_id}/action (os-set_image_metadata) 
@@ -1364,7 +1490,16 @@ # volume_extension:volume_image_metadata has been replaced by more # granular policies that separately govern show, set, and remove # operations. -#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:set" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:set" # Remove specific image metadata from a volume # POST /volumes/{volume_id}/action (os-unset_image_metadata) @@ -1377,7 +1512,16 @@ # volume_extension:volume_image_metadata has been replaced by more # granular policies that separately govern show, set, and remove # operations. -#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:remove" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:remove" # Update volume admin metadata. This permission is required to # complete these API calls, though the ability to make these calls is diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml index 403f359232..ca2d544b42 100644 --- a/openstack_dashboard/conf/default_policies/neutron.yaml +++ b/openstack_dashboard/conf/default_policies/neutron.yaml 
@@ -73,7 +73,7 @@ name: shared_address_groups operations: [] scope_types: null -- check_str: role:reader and project_id:%(project_id)s or rule:shared_address_groups +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_address_groups @@ -93,7 +93,7 @@ name: shared_address_scopes operations: [] scope_types: null -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -134,7 +134,7 @@ path: /address-scopes/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -160,7 +160,7 @@ path: /address-scopes/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -318,7 +318,7 @@ path: /routers/{router_id}/l3-agents scope_types: - project -- check_str: role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -331,7 +331,7 @@ path: /auto-allocated-topology/{project_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -370,7 +370,7 @@ path: /flavors scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -504,7 +504,7 @@ path: /flavors/{flavor_id}/service_profiles/{profile_id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -530,7 +530,7 @@ path: /floatingips scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -545,7 +545,7 @@ path: /floatingips/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -558,7 +558,7 @@ path: /floatingips/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -571,7 +571,7 @@ path: /floatingips/{id} scope_types: - project -- check_str: role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
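Review bot: The entry following `path: /flavors` in the `@@ -370,7 +370,7 @@` hunk is the only rule in this sync that becomes strictly less restrictive: `(rule:admin_only) or (role:reader and project_id:%(project_id)s)` is replaced by `role:reader`, which drops the project match entirely, so any token carrying the reader role passes regardless of project. Every other changed entry on this page only adds `rule:admin_only` or parenthesises an existing expression. That is plausibly the upstream neutron default (flavors carry no project_id, so the old project match could never succeed for a non-admin), but the commit message should say which neutron revision this was generated from so the widening is traceable, and it is worth a sentence in the description such as `get_flavor no longer requires project ownership; matches neutron's flavor policy, flavors are not project-owned`.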
@@ -584,7 +584,7 @@ path: /floatingip_pools scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -597,7 +597,7 @@ path: /floatingips/{floatingip_id}/port_forwardings scope_types: - project -- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -612,7 +612,7 @@ path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -625,7 +625,7 @@ path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -638,7 +638,7 @@ path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner 
@@ -651,7 +651,7 @@ path: /routers/{router_id}/conntrack_helpers scope_types: - project -- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -666,7 +666,7 @@ path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -679,7 +679,7 @@ path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -692,7 +692,7 @@ path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -705,7 +705,7 @@ path: /local-ips scope_types: - project -- check_str: role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -720,7 +720,7 @@ path: /local-ips/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -733,7 +733,7 @@ path: /local-ips/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -746,7 +746,7 @@ path: /local-ips/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -759,7 +759,7 @@ path: /local_ips/{local_ip_id}/port_associations scope_types: - project -- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -774,7 +774,7 @@ path: /local_ips/{local_ip_id}/port_associations/{fixed_port_id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -867,7 +867,7 @@ path: /metering/metering-labels scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -908,7 +908,7 @@ path: /metering/metering-label-rules scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -936,7 +936,7 @@ path: /metering/metering-label-rules/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -949,7 +949,7 @@ path: /ndp_proxies scope_types: - project -- check_str: role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -964,7 +964,7 @@ path: /ndp_proxies/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -977,7 +977,7 @@ path: /ndp_proxies/{id} scope_types: - project -- check_str: role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -995,7 +995,7 @@ name: external operations: [] scope_types: null -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1041,7 +1041,7 @@ operations: *id001 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
@@ -1096,7 +1096,7 @@ operations: *id001 scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc deprecated_reason: null deprecated_rule: @@ -1112,17 +1112,6 @@ path: /networks/{id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s - deprecated_reason: null - deprecated_rule: - check_str: rule:regular_user - name: get_network:router:external - deprecated_since: null - description: Get ``router:external`` attribute of a network - name: get_network:router:external - operations: *id002 - scope_types: - - project - check_str: rule:admin_only deprecated_reason: null deprecated_rule: @@ -1167,7 +1156,7 @@ operations: *id002 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -1257,7 +1246,7 @@ operations: *id003 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -1268,7 +1257,7 @@ operations: *id003 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
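Review bot: The `@@ -1112,17 +1112,6 @@` hunk deletes the `get_network:router:external` rule outright instead of deprecating it, while the other entries on this page keep a `deprecated_rule` block; any dashboard code that still evaluates that policy target will no longer hit the reader-or-admin check but will fall through to the file's `default` rule if one is defined, or be denied, which is a silent behaviour change rather than a visible failure. I cannot tell from the hunk whether Horizon still references `get_network:router:external`, so I would grep the dashboard for that target before merging and either point those callers at `get_network` or keep a deprecated entry for the old name. Separately, the `get_network` check in the preceding hunk now also passes on `rule:external or rule:context_is_advsvc`; that matches an upstream neutron default, but a line in the commit description naming the neutron revision these defaults were regenerated from would make both changes auditable.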
@@ -1360,7 +1349,7 @@ name: admin_or_data_plane_int operations: [] scope_types: null -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1462,7 +1451,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1737,6 +1726,7 @@ scope_types: - project - check_str: rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s + or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner @@ -1749,7 +1739,12 @@ path: /ports/{id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: field:policies:shared=True + description: Rule of shared qos policy + name: shared_qos_policy + operations: [] + scope_types: null +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1818,7 +1813,7 @@ path: /qos/rule-types/{rule_type} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
@@ -1872,7 +1867,7 @@ path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) description: Get a QoS packet rate limit rule name: get_policy_packet_rate_limit_rule operations: @@ -1906,7 +1901,7 @@ path: /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1960,7 +1955,7 @@ path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2014,7 +2009,7 @@ path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) description: Get a QoS minimum packet rate rule name: get_policy_minimum_packet_rate_rule operations: @@ -2048,7 +2043,7 @@ path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
@@ -2087,7 +2082,7 @@ path: /qos/alias_bandwidth_limit_rules/{rule_id}/ scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2126,7 +2121,7 @@ path: /qos/alias_dscp_marking_rules/{rule_id}/ scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2236,7 +2231,7 @@ name: restrict_wildcard operations: [] scope_types: null -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2262,7 +2257,7 @@ path: /rbac-policies scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2288,7 +2283,7 @@ path: /rbac-policies/{id} scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2303,7 +2298,7 @@ path: /rbac-policies/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2316,7 +2311,7 @@ path: /rbac-policies/{id} scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2351,7 +2346,7 @@ operations: *id007 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2362,7 +2357,7 @@ operations: *id007 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2398,7 +2393,7 @@ operations: *id007 scope_types: - project -- check_str: rule:admin_only or role:reader and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2435,7 +2430,7 @@ operations: *id008 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2470,7 +2465,7 @@ operations: *id009 scope_types: - project -- check_str: rule:admin_only or role:member and project_id:%(project_id)s +- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2481,7 +2476,7 @@
 operations: *id009
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2517,7 +2512,7 @@
 operations: *id009
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2530,7 +2525,7 @@
 path: /routers/{id}
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2543,7 +2538,7 @@
 path: /routers/{id}/add_router_interface
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2556,7 +2551,7 @@
 path: /routers/{id}/remove_router_interface
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2569,7 +2564,7 @@
 path: /routers/{id}/add_extraroutes
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2592,7 +2587,12 @@
 name: admin_owner_or_sg_owner
 operations: []
 scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: field:security_groups:shared=True
+ description: Definition of a shared security group
+ name: shared_security_group
+ operations: []
+ scope_types: null
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2605,7 +2605,7 @@
 path: /security-groups
 scope_types:
 - project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:regular_user
@@ -2620,7 +2620,7 @@
 path: /security-groups/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2633,7 +2633,7 @@
 path: /security-groups/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2646,7 +2646,7 @@
 path: /security-groups/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2659,7 +2659,7 @@
 path: /security-group-rules
 scope_types:
 - project
-- check_str: role:reader and project_id:%(project_id)s or rule:sg_owner
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_owner_or_sg_owner
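Review bot: The new `shared_security_group` rule in the first hunk is a `field:security_groups:shared=True` check, and `get_security_group` in the following hunk now relies on it through `or rule:shared_security_group`. `field:` is a check type registered by Neutron's own policy engine; if horizon's enforcer does not register it, oslo.policy appears to parse an unknown check kind as an always-false check, so on the horizon side that branch would never match and shared security groups from other projects would be hidden in the UI while the API still permits them. This fails closed rather than open, but it is worth confirming against horizon's policy backend before merging, and a sentence in the commit message recording the outcome would spare the next reader the same investigation. The rule definitions these hunks reference are otherwise consistent with the parenthesised `(rule:admin_only) or (...)` form used elsewhere in the file.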
@@ -2674,7 +2674,7 @@
 path: /security-group-rules/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2754,7 +2754,7 @@
 path: /service-providers
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_network_owner
@@ -2789,7 +2789,7 @@
 operations: *id010
 scope_types:
 - project
-- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner or rule:shared
@@ -2815,7 +2815,7 @@
 operations: *id011
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_network_owner
@@ -2850,7 +2850,7 @@
 operations: *id012
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_network_owner
@@ -2868,7 +2868,7 @@
 name: shared_subnetpools
 operations: []
 scope_types: null
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:regular_user
@@ -2907,7 +2907,7 @@
 path: /subnetpools
 scope_types:
 - project
-- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_subnetpools
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner or rule:shared_subnetpools
@@ -2922,7 +2922,7 @@
 path: /subnetpools/{id}
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2948,7 +2948,7 @@
 path: /subnetpools/{id}
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2961,7 +2961,7 @@
 path: /subnetpools/{id}
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2974,7 +2974,7 @@
 path: /subnetpools/{id}/onboard_network_subnets
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2987,7 +2987,7 @@
 path: /subnetpools/{id}/add_prefixes
 scope_types:
 - project
-- check_str: rule:admin_only or role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -3000,7 +3000,7 @@
 path: /subnetpools/{id}/remove_prefixes
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:regular_user
@@ -3013,7 +3013,7 @@
 path: /trunks
 scope_types:
 - project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -3028,7 +3028,7 @@
 path: /trunks/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -3041,7 +3041,7 @@
 path: /trunks/{id}
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -3054,7 +3054,7 @@
 path: /trunks/{id}
 scope_types:
 - project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:regular_user
@@ -3067,7 +3067,7 @@
 path: /trunks/{id}/get_subports
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -3080,7 +3080,7 @@
 path: /trunks/{id}/add_subports
 scope_types:
 - project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml
index 016f30a4cc..5b0f4b21ca 100644
--- a/openstack_dashboard/conf/default_policies/nova.yaml
+++ b/openstack_dashboard/conf/default_policies/nova.yaml
@@ -2055,7 +2055,7 @@
 path: /servers/{server_id}/action (suspend)
 scope_types:
 - project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
@@ -2071,7 +2071,7 @@
 path: /os-tenant-networks
 scope_types:
 - project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:admin_or_owner
diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml
index 92f13daa86..00f28fe365 100644
--- a/openstack_dashboard/conf/neutron_policy.yaml
+++ b/openstack_dashboard/conf/neutron_policy.yaml
@@ -47,13 +47,13 @@
 # GET /address-groups
 # GET /address-groups/{id}
 # Intended scope(s): project
-#"get_address_group": "role:reader and project_id:%(project_id)s or rule:shared_address_groups"
+#"get_address_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
 # DEPRECATED
 # "get_address_group":"rule:admin_or_owner or
 # rule:shared_address_groups" has been deprecated since W in favor of
-# "get_address_group":"role:reader and project_id:%(project_id)s or
-# rule:shared_address_groups".
+# "get_address_group":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:shared_address_groups".
 # The Address scope API now supports system scope and default roles.
 # Definition of a shared address scope
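Review bot: Both nova hunks (`@@ -2055,7 +2055,7 @@` and `@@ -2071,7 +2071,7 @@`) re-point the suspend and os-tenant-networks checks at `rule:project_reader_or_admin`, but whether that name is defined in horizon's copy of nova.yaml is outside these hunks. oslo.policy appears to resolve a `rule:` reference to an undefined rule as a failing check, so if the definition was not regenerated alongside these references the effect would be that every user loses these views rather than admins gaining them. Please confirm the `project_reader_or_admin` definition landed in the same regeneration, and consider naming the upstream nova release the defaults were generated from in the commit message so that check is quick for later readers.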
@@ -62,12 +62,12 @@
 # Create an address scope
 # POST /address-scopes
 # Intended scope(s): project
-#"create_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_address_scope":"rule:regular_user" has been deprecated since
-# W in favor of "create_address_scope":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "create_address_scope":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The Address scope API now supports system scope and default roles.
 # Create a shared address scope
@@ -96,12 +96,12 @@
 # Update an address scope
 # PUT /address-scopes/{id}
 # Intended scope(s): project
-#"update_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_address_scope":"rule:admin_or_owner" has been deprecated
-# since W in favor of "update_address_scope":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# since W in favor of "update_address_scope":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The Address scope API now supports system scope and default roles.
 # Update ``shared`` attribute of an address scope
@@ -117,12 +117,12 @@
 # Delete an address scope
 # DELETE /address-scopes/{id}
 # Intended scope(s): project
-#"delete_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_address_scope":"rule:admin_or_owner" has been deprecated
-# since W in favor of "delete_address_scope":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# since W in favor of "delete_address_scope":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The Address scope API now supports system scope and default roles.
 # Get an agent
@@ -239,26 +239,26 @@
 # Get a project's auto-allocated topology
 # GET /auto-allocated-topology/{project_id}
 # Intended scope(s): project
-#"get_auto_allocated_topology": "role:reader and project_id:%(project_id)s"
+#"get_auto_allocated_topology": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_auto_allocated_topology":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "get_auto_allocated_topology":"role:reader and
-# project_id:%(project_id)s".
+# "get_auto_allocated_topology":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The Auto allocated topology API now supports system scope and
 # default roles.
 # Delete a project's auto-allocated topology
 # DELETE /auto-allocated-topology/{project_id}
 # Intended scope(s): project
-#"delete_auto_allocated_topology": "role:member and project_id:%(project_id)s"
+#"delete_auto_allocated_topology": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_auto_allocated_topology":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "delete_auto_allocated_topology":"role:member and
-# project_id:%(project_id)s".
+# "delete_auto_allocated_topology":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The Auto allocated topology API now supports system scope and
 # default roles.
@@ -287,12 +287,11 @@
 # GET /flavors
 # GET /flavors/{id}
 # Intended scope(s): project
-#"get_flavor": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
+#"get_flavor": "role:reader"
 # DEPRECATED
 # "get_flavor":"rule:regular_user" has been deprecated since W in
-# favor of "get_flavor":"(rule:admin_only) or (role:reader and
-# project_id:%(project_id)s)".
+# favor of "get_flavor":"role:reader".
 # The flavor API now supports project scope and default roles.
 # Update a flavor
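Review bot: `get_flavor` in the second hunk (`@@ -287,12 +287,11 @@`) is the one rule in this file that loosens rather than tightens: the project-scoped `(rule:admin_only) or (role:reader and project_id:%(project_id)s)` becomes a bare `role:reader`, so anyone holding the reader role can read QoS flavors regardless of which project they are scoped to. That is presumably the upstream default for a resource that is not project-owned, but since every other hunk here only adds the admin branch or parenthesises an existing expression, the widening deserves an explicit sentence in the commit message so operators carrying a policy override for `get_flavor` know to re-check it. The accompanying deprecation comment is consistent with the new value, so no edit to the generated text is needed.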
@@ -393,12 +392,12 @@
 # Create a floating IP
 # POST /floatingips
 # Intended scope(s): project
-#"create_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_floatingip":"rule:regular_user" has been deprecated since W
-# in favor of "create_floatingip":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "create_floatingip":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The Floating IP API now supports system scope and default roles.
 # Create a floating IP with a specific IP address
@@ -416,58 +415,59 @@
 # GET /floatingips
 # GET /floatingips/{id}
 # Intended scope(s): project
-#"get_floatingip": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_floatingip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_floatingip":"rule:admin_or_owner" has been deprecated since W
-# in favor of "get_floatingip":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# in favor of "get_floatingip":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The Floating IP API now supports system scope and default roles.
 # Update a floating IP
 # PUT /floatingips/{id}
 # Intended scope(s): project
-#"update_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_floatingip":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_floatingip":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "update_floatingip":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The Floating IP API now supports system scope and default roles.
 # Delete a floating IP
 # DELETE /floatingips/{id}
 # Intended scope(s): project
-#"delete_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_floatingip":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_floatingip":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "delete_floatingip":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The Floating IP API now supports system scope and default roles.
 # Get floating IP pools
 # GET /floatingip_pools
 # Intended scope(s): project
-#"get_floatingip_pool": "role:reader and project_id:%(project_id)s"
+#"get_floatingip_pool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_floatingip_pool":"rule:regular_user" has been deprecated since
-# W in favor of "get_floatingip_pool":"role:reader and
-# project_id:%(project_id)s".
+# W in favor of "get_floatingip_pool":"(rule:admin_only) or
+# (role:reader and project_id:%(project_id)s)".
 # The Floating IP Pool API now supports system scope and default
 # roles.
 # Create a floating IP port forwarding
 # POST /floatingips/{floatingip_id}/port_forwardings
 # Intended scope(s): project
-#"create_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"create_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "create_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "create_floatingip_port_forwarding":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "create_floatingip_port_forwarding":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or
+# rule:ext_parent_owner".
 # The floating IP port forwarding API now supports system scope and
 # default roles.
@@ -475,52 +475,54 @@
 # GET /floatingips/{floatingip_id}/port_forwardings
 # GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
 # Intended scope(s): project
-#"get_floatingip_port_forwarding": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner"
+#"get_floatingip_port_forwarding": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "get_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "get_floatingip_port_forwarding":"role:reader and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "get_floatingip_port_forwarding":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s) or rule:ext_parent_owner".
 # The floating IP port forwarding API now supports system scope and
 # default roles.
 # Update a floating IP port forwarding
 # PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
 # Intended scope(s): project
-#"update_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"update_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "update_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "update_floatingip_port_forwarding":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "update_floatingip_port_forwarding":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or
+# rule:ext_parent_owner".
 # The floating IP port forwarding API now supports system scope and
 # default roles.
 # Delete a floating IP port forwarding
 # DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
 # Intended scope(s): project
-#"delete_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"delete_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "delete_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "delete_floatingip_port_forwarding":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "delete_floatingip_port_forwarding":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or
+# rule:ext_parent_owner".
 # The floating IP port forwarding API now supports system scope and
 # default roles.
 # Create a router conntrack helper
 # POST /routers/{router_id}/conntrack_helpers
 # Intended scope(s): project
-#"create_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"create_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "create_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "create_router_conntrack_helper":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "create_router_conntrack_helper":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s) or rule:ext_parent_owner".
 # The router conntrack API now supports system scope and default
 # roles.
@@ -528,121 +530,124 @@
 # GET /routers/{router_id}/conntrack_helpers
 # GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
 # Intended scope(s): project
-#"get_router_conntrack_helper": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner"
+#"get_router_conntrack_helper": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "get_router_conntrack_helper":"rule:admin_or_ext_parent_owner" has
 # been deprecated since W in favor of
-# "get_router_conntrack_helper":"role:reader and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "get_router_conntrack_helper":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:ext_parent_owner".
 # The router conntrack API now supports system scope and default
 # roles.
 # Update a router conntrack helper
 # PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
 # Intended scope(s): project
-#"update_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"update_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "update_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "update_router_conntrack_helper":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "update_router_conntrack_helper":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s) or rule:ext_parent_owner".
 # The router conntrack API now supports system scope and default
 # roles.
 # Delete a router conntrack helper
 # DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
 # Intended scope(s): project
-#"delete_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"delete_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "delete_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "delete_router_conntrack_helper":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "delete_router_conntrack_helper":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s) or rule:ext_parent_owner".
 # The router conntrack API now supports system scope and default
 # roles.
 # Create a Local IP
 # POST /local-ips
 # Intended scope(s): project
-#"create_local_ip": "role:member and project_id:%(project_id)s"
+#"create_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_local_ip":"rule:regular_user" has been deprecated since W in
-# favor of "create_local_ip":"role:member and
-# project_id:%(project_id)s".
+# favor of "create_local_ip":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The Local IP API now supports system scope and default roles.
 # Get a Local IP
 # GET /local-ips
 # GET /local-ips/{id}
 # Intended scope(s): project
-#"get_local_ip": "role:reader and project_id:%(project_id)s"
+#"get_local_ip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_local_ip":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_local_ip":"role:reader and project_id:%(project_id)s".
+# favor of "get_local_ip":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The Local IP API now supports system scope and default roles.
 # Update a Local IP
 # PUT /local-ips/{id}
 # Intended scope(s): project
-#"update_local_ip": "role:member and project_id:%(project_id)s"
+#"update_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_local_ip":"rule:admin_or_owner" has been deprecated since W
-# in favor of "update_local_ip":"role:member and
-# project_id:%(project_id)s".
+# in favor of "update_local_ip":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The Local IP API now supports system scope and default roles.
 # Delete a Local IP
 # DELETE /local-ips/{id}
 # Intended scope(s): project
-#"delete_local_ip": "role:member and project_id:%(project_id)s"
+#"delete_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_local_ip":"rule:admin_or_owner" has been deprecated since W
-# in favor of "delete_local_ip":"role:member and
-# project_id:%(project_id)s".
+# in favor of "delete_local_ip":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The Local IP API now supports system scope and default roles.
 # Create a Local IP port association
 # POST /local_ips/{local_ip_id}/port_associations
 # Intended scope(s): project
-#"create_local_ip_port_association": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"create_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "create_local_ip_port_association":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "create_local_ip_port_association":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "create_local_ip_port_association":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or
+# rule:ext_parent_owner".
 # The Local IP API now supports system scope and default roles.
 # Get a Local IP port association
 # GET /local_ips/{local_ip_id}/port_associations
 # GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
 # Intended scope(s): project
-#"get_local_ip_port_association": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner"
+#"get_local_ip_port_association": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "get_local_ip_port_association":"rule:admin_or_ext_parent_owner" has
 # been deprecated since W in favor of
-# "get_local_ip_port_association":"role:reader and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "get_local_ip_port_association":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s) or rule:ext_parent_owner".
 # The Local IP API now supports system scope and default roles.
 # Delete a Local IP port association
 # DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
 # Intended scope(s): project
-#"delete_local_ip_port_association": "role:member and project_id:%(project_id)s or rule:ext_parent_owner"
+#"delete_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 # DEPRECATED
 # "delete_local_ip_port_association":"rule:admin_or_ext_parent_owner"
 # has been deprecated since W in favor of
-# "delete_local_ip_port_association":"role:member and
-# project_id:%(project_id)s or rule:ext_parent_owner".
+# "delete_local_ip_port_association":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or
+# rule:ext_parent_owner".
 # The Local IP API now supports system scope and default roles.
 # Get loggable resources
@@ -710,12 +715,12 @@
 # GET /metering/metering-labels
 # GET /metering/metering-labels/{id}
 # Intended scope(s): project
-#"get_metering_label": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_metering_label": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_metering_label":"rule:admin_only" has been deprecated since W
-# in favor of "get_metering_label":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# in favor of "get_metering_label":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s)".
 # The metering API now supports system scope and default roles.
 # Delete a metering label
@@ -742,12 +747,12 @@
 # GET /metering/metering-label-rules
 # GET /metering/metering-label-rules/{id}
 # Intended scope(s): project
-#"get_metering_label_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_metering_label_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_metering_label_rule":"rule:admin_only" has been deprecated
-# since W in favor of "get_metering_label_rule":"rule:admin_only or
-# role:reader and project_id:%(project_id)s".
+# since W in favor of "get_metering_label_rule":"(rule:admin_only) or
+# (role:reader and project_id:%(project_id)s)".
 # The metering API now supports system scope and default roles.
 # Delete a metering label rule
@@ -763,46 +768,46 @@
 # Create a ndp proxy
 # POST /ndp_proxies
 # Intended scope(s): project
-#"create_ndp_proxy": "role:member and project_id:%(project_id)s"
+#"create_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_ndp_proxy":"rule:regular_user" has been deprecated since W
-# in favor of "create_ndp_proxy":"role:member and
-# project_id:%(project_id)s".
+# in favor of "create_ndp_proxy":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The ndp proxy API now supports system scope and default roles.
 # Get a ndp proxy
 # GET /ndp_proxies
 # GET /ndp_proxies/{id}
 # Intended scope(s): project
-#"get_ndp_proxy": "role:reader and project_id:%(project_id)s"
+#"get_ndp_proxy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_ndp_proxy":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_ndp_proxy":"role:reader and
-# project_id:%(project_id)s".
+# favor of "get_ndp_proxy":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The ndp proxy API now supports system scope and default roles.
 # Update a ndp proxy
 # PUT /ndp_proxies/{id}
 # Intended scope(s): project
-#"update_ndp_proxy": "role:member and project_id:%(project_id)s"
+#"update_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_ndp_proxy":"rule:admin_or_owner" has been deprecated since W
-# in favor of "update_ndp_proxy":"role:member and
-# project_id:%(project_id)s".
+# in favor of "update_ndp_proxy":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The ndp proxy API now supports system scope and default roles.
 # Delete a ndp proxy
 # DELETE /ndp_proxies/{id}
 # Intended scope(s): project
-#"delete_ndp_proxy": "role:member and project_id:%(project_id)s"
+#"delete_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_ndp_proxy":"rule:admin_or_owner" has been deprecated since W
-# in favor of "delete_ndp_proxy":"role:member and
-# project_id:%(project_id)s".
+# in favor of "delete_ndp_proxy":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The ndp proxy API now supports system scope and default roles.
 # Definition of an external network
@@ -811,12 +816,12 @@
 # Create a network
 # POST /networks
 # Intended scope(s): project
-#"create_network": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_network":"rule:regular_user" has been deprecated since W in
-# favor of "create_network":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "create_network":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The network API now supports system scope and default roles.
 # Create a shared network
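Review bot: For create_ndp_proxy, get_ndp_proxy, update_ndp_proxy and delete_ndp_proxy the new default is not merely the old one re-parenthesised: the removed lines carry no admin clause at all, so the added `(rule:admin_only) or` prefix widens who passes these checks, and the same applies to the security group rules at @@ -2267 and to the local-IP port-association rules just above this hunk. The rules elsewhere in this diff that already contained `rule:admin_only` only gain parentheses, so the two kinds of change are easy to conflate in a review of this size; since this file is what operators compare their overrides against, the commit message should call out which defaults widen. Each DEPRECATED note is also rewritten to say the old rule was deprecated `since W in favor of` the new admin_only form, whereas the removed text records the W replacement without that clause. If this text comes straight from neutron's policy generator it should be corrected there rather than hand-edited in this copy.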
@@ -853,13 +858,13 @@
 # Specify ``port_security_enabled`` attribute when creating a network
 # POST /networks
 # Intended scope(s): project
-#"create_network:port_security_enabled": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_network:port_security_enabled":"rule:regular_user" has been
 # deprecated since W in favor of
-# "create_network:port_security_enabled":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "create_network:port_security_enabled":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The network API now supports system scope and default roles.
 # Specify ``segments`` attribute when creating a network
@@ -909,29 +914,16 @@
 # GET /networks
 # GET /networks/{id}
 # Intended scope(s): project
-#"get_network": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared or rule:external or rule:context_is_advsvc"
+#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
 # DEPRECATED
 # "get_network":"rule:admin_or_owner or rule:shared or rule:external
 # or rule:context_is_advsvc" has been deprecated since W in favor of
-# "get_network":"rule:admin_only or role:reader and
-# project_id:%(project_id)s or rule:shared or rule:external or
+# "get_network":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:shared or rule:external or
 # rule:context_is_advsvc".
 # The network API now supports system scope and default roles.
-# Get ``router:external`` attribute of a network
-# GET /networks
-# GET /networks/{id}
-# Intended scope(s): project
-#"get_network:router:external": "rule:admin_only or role:reader and project_id:%(project_id)s"
-
-# DEPRECATED
-# "get_network:router:external":"rule:regular_user" has been
-# deprecated since W in favor of
-# "get_network:router:external":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
-# The network API now supports system scope and default roles.
-
 # Get ``segments`` attribute of a network
 # GET /networks
 # GET /networks/{id}
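Review bot: The `get_network:router:external` entry is deleted outright in this hunk instead of being kept as a deprecated alias like every other rule in the diff, so a dashboard policy check that still names it would be evaluating a rule this file no longer defines. It is worth searching the dashboard's neutron policy checks for that name before merging and either updating the caller or keeping the commented entry until it is unused. If the deletion mirrors an upstream neutron change, saying so in the commit message would keep the next regeneration from looking like an accidental loss.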
@@ -982,12 +974,12 @@
 # Update a network
 # PUT /networks/{id}
 # Intended scope(s): project
-#"update_network": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_network":"rule:admin_or_owner" has been deprecated since W
-# in favor of "update_network":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "update_network":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The network API now supports system scope and default roles.
 # Update ``segments`` attribute of a network
@@ -1067,24 +1059,24 @@
 # Update ``port_security_enabled`` attribute of a network
 # PUT /networks/{id}
 # Intended scope(s): project
-#"update_network:port_security_enabled": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_network:port_security_enabled":"rule:admin_or_owner" has
 # been deprecated since W in favor of
-# "update_network:port_security_enabled":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "update_network:port_security_enabled":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The network API now supports system scope and default roles.
 # Delete a network
 # DELETE /networks/{id}
 # Intended scope(s): project
-#"delete_network": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_network":"rule:admin_or_owner" has been deprecated since W
-# in favor of "delete_network":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "delete_network":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The network API now supports system scope and default roles.
 # Get network IP availability
@@ -1156,12 +1148,12 @@
 # Create a port
 # POST /ports
 # Intended scope(s): project
-#"create_port": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_port":"rule:regular_user" has been deprecated since W in
-# favor of "create_port":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "create_port":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The port API now supports project scope and default roles.
 # Specify ``device_owner`` attribute when creating a port
@@ -1261,13 +1253,13 @@
 # Specify ``binding:vnic_type`` attribute when creating a port
 # POST /ports
 # Intended scope(s): project
-#"create_port:binding:vnic_type": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_port:binding:vnic_type":"rule:regular_user" has been
 # deprecated since W in favor of
-# "create_port:binding:vnic_type":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# "create_port:binding:vnic_type":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The port API now supports project scope and default roles.
 # Specify ``allowed_address_pairs`` attribute when creating a port
@@ -1548,25 +1540,28 @@
 # Delete a port
 # DELETE /ports/{id}
 # Intended scope(s): project
-#"delete_port": "rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s"
+#"delete_port": "rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "delete_port":"rule:context_is_advsvc or
 # rule:admin_owner_or_network_owner" has been deprecated since W in
 # favor of "delete_port":"rule:admin_only or rule:context_is_advsvc or
-# role:member and project_id:%(project_id)s".
+# role:member and project_id:%(project_id)s or rule:network_owner".
 # The port API now supports project scope and default roles.
+# Rule of shared qos policy
+#"shared_qos_policy": "field:policies:shared=True"
+
 # Get QoS policies
 # GET /qos/policies
 # GET /qos/policies/{id}
 # Intended scope(s): project
-#"get_policy": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"
 # DEPRECATED
 # "get_policy":"rule:regular_user" has been deprecated since W in
-# favor of "get_policy":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# favor of "get_policy":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:shared_qos_policy".
 # The QoS API now supports project scope and default roles.
 # Create a QoS policy
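Review bot: `delete_port` is the one rule in this hunk whose default is widened rather than re-parenthesised: the appended `or rule:network_owner` extends the check to whoever `rule:network_owner` matches (its definition is outside this hunk, but by name that is the owning project of the port's network), so any dashboard delete action gated on `delete_port` would be offered to network owners as well. That is presumably a deliberate upstream default, but it is an authorization change and should be named in the commit message rather than left among formatting-only edits. The DEPRECATED text is also updated to claim that the W-era replacement already contained `rule:network_owner`, which the removed line shows it did not. The new `rule:shared_qos_policy` clause on `get_policy` resolves within this hunk, since `shared_qos_policy` is defined just above it.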
@@ -1614,13 +1609,13 @@
 # GET /qos/policies/{policy_id}/bandwidth_limit_rules
 # GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
 # Intended scope(s): project
-#"get_policy_bandwidth_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_policy_bandwidth_limit_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_bandwidth_limit_rule":"rule:admin_only or role:reader
-# and project_id:%(project_id)s".
+# "get_policy_bandwidth_limit_rule":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Create a QoS bandwidth limit rule
@@ -1660,7 +1655,7 @@
 # GET /qos/policies/{policy_id}/packet_rate_limit_rules
 # GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
 # Intended scope(s): project
-#"get_policy_packet_rate_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # Create a QoS packet rate limit rule
 # POST /qos/policies/{policy_id}/packet_rate_limit_rules
@@ -1681,13 +1676,13 @@
 # GET /qos/policies/{policy_id}/dscp_marking_rules
 # GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
 # Intended scope(s): project
-#"get_policy_dscp_marking_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy_dscp_marking_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_policy_dscp_marking_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_dscp_marking_rule":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# "get_policy_dscp_marking_rule":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Create a QoS DSCP marking rule
@@ -1727,13 +1722,13 @@
 # GET /qos/policies/{policy_id}/minimum_bandwidth_rules
 # GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
 # Intended scope(s): project
-#"get_policy_minimum_bandwidth_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_minimum_bandwidth_rule":"rule:admin_only or role:reader
-# and project_id:%(project_id)s".
+# "get_policy_minimum_bandwidth_rule":"(rule:admin_only) or
+# (role:reader and project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Create a QoS minimum bandwidth rule
@@ -1773,7 +1768,7 @@
 # GET /qos/policies/{policy_id}/minimum_packet_rate_rules
 # GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
 # Intended scope(s): project
-#"get_policy_minimum_packet_rate_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # Create a QoS minimum packet rate rule
 # POST /qos/policies/{policy_id}/minimum_packet_rate_rules
@@ -1793,13 +1788,13 @@
 # Get a QoS bandwidth limit rule through alias
 # GET /qos/alias_bandwidth_limit_rules/{rule_id}/
 # Intended scope(s): project
-#"get_alias_bandwidth_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_alias_bandwidth_limit_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_alias_bandwidth_limit_rule":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# "get_alias_bandwidth_limit_rule":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Update a QoS bandwidth limit rule through alias
@@ -1827,13 +1822,13 @@
 # Get a QoS DSCP marking rule through alias
 # GET /qos/alias_dscp_marking_rules/{rule_id}/
 # Intended scope(s): project
-#"get_alias_dscp_marking_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_alias_dscp_marking_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_alias_dscp_marking_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_alias_dscp_marking_rule":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# "get_alias_dscp_marking_rule":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Update a QoS DSCP marking rule through alias
@@ -1861,13 +1856,13 @@
 # Get a QoS minimum bandwidth rule through alias
 # GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
 # Intended scope(s): project
-#"get_alias_minimum_bandwidth_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_alias_minimum_bandwidth_rule":"rule:admin_only or role:reader
-# and project_id:%(project_id)s".
+# "get_alias_minimum_bandwidth_rule":"(rule:admin_only) or
+# (role:reader and project_id:%(project_id)s)".
 # The QoS API now supports project scope and default roles.
 # Update a QoS minimum bandwidth rule through alias
@@ -1944,12 +1939,12 @@
 # Create an RBAC policy
 # POST /rbac-policies
 # Intended scope(s): project
-#"create_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_rbac_policy":"rule:regular_user" has been deprecated since W
-# in favor of "create_rbac_policy":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "create_rbac_policy":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The RBAC API now supports system scope and default roles.
 # Specify ``target_tenant`` when creating an RBAC policy
@@ -1968,12 +1963,12 @@
 # Update an RBAC policy
 # PUT /rbac-policies/{id}
 # Intended scope(s): project
-#"update_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_rbac_policy":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "update_rbac_policy":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The RBAC API now supports system scope and default roles.
 # Update ``target_tenant`` attribute of an RBAC policy
@@ -1993,34 +1988,34 @@
 # GET /rbac-policies
 # GET /rbac-policies/{id}
 # Intended scope(s): project
-#"get_rbac_policy": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_rbac_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_rbac_policy":"rule:admin_or_owner" has been deprecated since W
-# in favor of "get_rbac_policy":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# in favor of "get_rbac_policy":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The RBAC API now supports system scope and default roles.
 # Delete an RBAC policy
 # DELETE /rbac-policies/{id}
 # Intended scope(s): project
-#"delete_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_rbac_policy":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "delete_rbac_policy":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The RBAC API now supports system scope and default roles.
 # Create a router
 # POST /routers
 # Intended scope(s): project
-#"create_router": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_router":"rule:regular_user" has been deprecated since W in
-# favor of "create_router":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "create_router":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Specify ``distributed`` attribute when creating a router
@@ -2046,26 +2041,26 @@
 # Specify ``external_gateway_info`` information when creating a router
 # POST /routers
 # Intended scope(s): project
-#"create_router:external_gateway_info": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_router:external_gateway_info":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "create_router:external_gateway_info":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "create_router:external_gateway_info":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Specify ``network_id`` in ``external_gateway_info`` information when
 # creating a router
 # POST /routers
 # Intended scope(s): project
-#"create_router:external_gateway_info:network_id": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_router:external_gateway_info:network_id":"rule:admin_or_owne
 # r" has been deprecated since W in favor of
-# "create_router:external_gateway_info:network_id":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "create_router:external_gateway_info:network_id":"(rule:admin_only)
+# or (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Specify ``enable_snat`` in ``external_gateway_info`` information
@@ -2096,12 +2091,12 @@
 # GET /routers
 # GET /routers/{id}
 # Intended scope(s): project
-#"get_router": "rule:admin_only or role:reader and project_id:%(project_id)s"
+#"get_router": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_router":"rule:admin_only or role:reader and
-# project_id:%(project_id)s".
+# favor of "get_router":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Get ``distributed`` attribute of a router
@@ -2129,12 +2124,12 @@
 # Update a router
 # PUT /routers/{id}
 # Intended scope(s): project
-#"update_router": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "update_router":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "update_router":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Update ``distributed`` attribute of a router
@@ -2160,26 +2155,26 @@
 # Update ``external_gateway_info`` information of a router
 # PUT /routers/{id}
 # Intended scope(s): project
-#"update_router:external_gateway_info": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_router:external_gateway_info":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "update_router:external_gateway_info":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "update_router:external_gateway_info":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Update ``network_id`` attribute of ``external_gateway_info``
 # information of a router
 # PUT /routers/{id}
 # Intended scope(s): project
-#"update_router:external_gateway_info:network_id": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_router:external_gateway_info:network_id":"rule:admin_or_owne
 # r" has been deprecated since W in favor of
-# "update_router:external_gateway_info:network_id":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# "update_router:external_gateway_info:network_id":"(rule:admin_only)
+# or (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Update ``enable_snat`` attribute of ``external_gateway_info``
@@ -2209,56 +2204,56 @@
 # Delete a router
 # DELETE /routers/{id}
 # Intended scope(s): project
-#"delete_router": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "delete_router":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "delete_router":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Add an interface to a router
 # PUT /routers/{id}/add_router_interface
 # Intended scope(s): project
-#"add_router_interface": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"add_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "add_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "add_router_interface":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# since W in favor of "add_router_interface":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Remove an interface from a router
 # PUT /routers/{id}/remove_router_interface
 # Intended scope(s): project
-#"remove_router_interface": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"remove_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "remove_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "remove_router_interface":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# since W in favor of "remove_router_interface":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Add extra route to a router
 # PUT /routers/{id}/add_extraroutes
 # Intended scope(s): project
-#"add_extraroutes": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"add_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "add_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "add_extraroutes":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# Xena in favor of "add_extraroutes":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Remove extra route from a router
 # PUT /routers/{id}/remove_extraroutes
 # Intended scope(s): project
-#"remove_extraroutes": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"remove_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "remove_extraroutes":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# Xena in favor of "remove_extraroutes":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The router API now supports system scope and default roles.
 # Rule for admin or security group owner access
@@ -2267,86 +2262,89 @@
 # Rule for resource owner, admin or security group owner access
 #"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
+# Definition of a shared security group
+#"shared_security_group": "field:security_groups:shared=True"
+
 # Create a security group
 # POST /security-groups
 # Intended scope(s): project
-#"create_security_group": "role:member and project_id:%(project_id)s"
+#"create_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_security_group":"rule:admin_or_owner" has been deprecated
-# since W in favor of "create_security_group":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "create_security_group":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The security group API now supports system scope and default roles.
 # Get a security group
 # GET /security-groups
 # GET /security-groups/{id}
 # Intended scope(s): project
-#"get_security_group": "role:reader and project_id:%(project_id)s"
+#"get_security_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
 # DEPRECATED
 # "get_security_group":"rule:regular_user" has been deprecated since W
-# in favor of "get_security_group":"role:reader and
-# project_id:%(project_id)s".
+# in favor of "get_security_group":"(rule:admin_only) or (role:reader
+# and project_id:%(project_id)s) or rule:shared_security_group".
 # The security group API now supports system scope and default roles.
 # Update a security group
 # PUT /security-groups/{id}
 # Intended scope(s): project
-#"update_security_group": "role:member and project_id:%(project_id)s"
+#"update_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_security_group":"rule:admin_or_owner" has been deprecated
-# since W in favor of "update_security_group":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "update_security_group":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The security group API now supports system scope and default roles.
 # Delete a security group
 # DELETE /security-groups/{id}
 # Intended scope(s): project
-#"delete_security_group": "role:member and project_id:%(project_id)s"
+#"delete_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_security_group":"rule:admin_or_owner" has been deprecated
-# since W in favor of "delete_security_group":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "delete_security_group":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The security group API now supports system scope and default roles.
 # Create a security group rule
 # POST /security-group-rules
 # Intended scope(s): project
-#"create_security_group_rule": "role:member and project_id:%(project_id)s"
+#"create_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_security_group_rule":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "create_security_group_rule":"role:member and
-# project_id:%(project_id)s".
+# "create_security_group_rule":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The security group API now supports system scope and default roles.
 # Get a security group rule
 # GET /security-group-rules
 # GET /security-group-rules/{id}
 # Intended scope(s): project
-#"get_security_group_rule": "role:reader and project_id:%(project_id)s or rule:sg_owner"
+#"get_security_group_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
 # DEPRECATED
 # "get_security_group_rule":"rule:admin_owner_or_sg_owner" has been
 # deprecated since W in favor of
-# "get_security_group_rule":"role:reader and project_id:%(project_id)s
-# or rule:sg_owner".
+# "get_security_group_rule":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:sg_owner".
 # The security group API now supports system scope and default roles.
 # Delete a security group rule
 # DELETE /security-group-rules/{id}
 # Intended scope(s): project
-#"delete_security_group_rule": "role:member and project_id:%(project_id)s"
+#"delete_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_security_group_rule":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "delete_security_group_rule":"role:member and
-# project_id:%(project_id)s".
+# "delete_security_group_rule":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The security group API now supports system scope and default roles.
 # Create a segment
@@ -2404,12 +2402,12 @@
 # Create a subnet
 # POST /subnets
 # Intended scope(s): project
-#"create_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
+#"create_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner"
 # DEPRECATED
 # "create_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "create_subnet":"rule:admin_only or role:member
-# and project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "create_subnet":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or rule:network_owner".
 # The subnet API now supports system scope and default roles.
 # Specify ``segment_id`` attribute when creating a subnet
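Review bot: `get_security_group` gains `or rule:shared_security_group` in this hunk, but `get_security_group_rule` further down in the same hunk gains only the admin clause and keeps `or rule:sg_owner`; a reader in another project who can now see a shared group may therefore be unable to list that group's rules, which is presumably what the dashboard's security group detail view relies on. Whether that asymmetry is intended upstream should be confirmed before this copy is merged. The newly introduced `shared_security_group` definition (`field:security_groups:shared=True`) sits at the top of the hunk, so the new reference resolves within this file.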
@@ -2436,12 +2434,12 @@
 # GET /subnets
 # GET /subnets/{id}
 # Intended scope(s): project
-#"get_subnet": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared"
+#"get_subnet": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared"
 # DEPRECATED
 # "get_subnet":"rule:admin_or_owner or rule:shared" has been
-# deprecated since W in favor of "get_subnet":"rule:admin_only or
-# role:reader and project_id:%(project_id)s or rule:shared".
+# deprecated since W in favor of "get_subnet":"(rule:admin_only) or
+# (role:reader and project_id:%(project_id)s) or rule:shared".
 # The subnet API now supports system scope and default roles.
 # Get ``segment_id`` attribute of a subnet
@@ -2458,12 +2456,12 @@
 # Update a subnet
 # PUT /subnets/{id}
 # Intended scope(s): project
-#"update_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
+#"update_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner"
 # DEPRECATED
 # "update_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "update_subnet":"rule:admin_only or role:member
-# and project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "update_subnet":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or rule:network_owner".
 # The subnet API now supports system scope and default roles.
 # Update ``segment_id`` attribute of a subnet
@@ -2489,12 +2487,12 @@
 # Delete a subnet
 # DELETE /subnets/{id}
 # Intended scope(s): project
-#"delete_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
+#"delete_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner"
 # DEPRECATED
 # "delete_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "delete_subnet":"rule:admin_only or role:member
-# and project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "delete_subnet":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s) or rule:network_owner".
 # The subnet API now supports system scope and default roles.
 # Definition of a shared subnetpool
@@ -2503,12 +2501,12 @@
 # Create a subnetpool
 # POST /subnetpools
 # Intended scope(s): project
-#"create_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"create_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_subnetpool":"rule:regular_user" has been deprecated since W
-# in favor of "create_subnetpool":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "create_subnetpool":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Create a shared subnetpool
@@ -2536,24 +2534,24 @@
 # GET /subnetpools
 # GET /subnetpools/{id}
 # Intended scope(s): project
-#"get_subnetpool": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_subnetpools"
+#"get_subnetpool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
 # DEPRECATED
 # "get_subnetpool":"rule:admin_or_owner or rule:shared_subnetpools"
 # has been deprecated since W in favor of
-# "get_subnetpool":"rule:admin_only or role:reader and
-# project_id:%(project_id)s or rule:shared_subnetpools".
+# "get_subnetpool":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s) or rule:shared_subnetpools".
 # The subnet pool API now supports system scope and default roles.
 # Update a subnetpool
 # PUT /subnetpools/{id}
 # Intended scope(s): project
-#"update_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"update_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_subnetpool":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_subnetpool":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "update_subnetpool":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Update ``is_default`` attribute of a subnetpool
@@ -2570,116 +2568,122 @@
 # Delete a subnetpool
 # DELETE /subnetpools/{id}
 # Intended scope(s): project
-#"delete_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"delete_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_subnetpool":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_subnetpool":"rule:admin_only or role:member
-# and project_id:%(project_id)s".
+# W in favor of "delete_subnetpool":"(rule:admin_only) or (role:member
+# and project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Onboard existing subnet into a subnetpool
 # PUT /subnetpools/{id}/onboard_network_subnets
 # Intended scope(s): project
-#"onboard_network_subnets": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"onboard_network_subnets": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "onboard_network_subnets":"rule:admin_or_owner" has been deprecated
-# since W in favor of "onboard_network_subnets":"rule:admin_only or
-# role:member and project_id:%(project_id)s".
+# since W in favor of "onboard_network_subnets":"(rule:admin_only) or
+# (role:member and project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Add prefixes to a subnetpool
 # PUT /subnetpools/{id}/add_prefixes
 # Intended scope(s): project
-#"add_prefixes": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"add_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "add_prefixes":"rule:admin_or_owner" has been deprecated since W in
-# favor of "add_prefixes":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# favor of "add_prefixes":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Remove unallocated prefixes from a subnetpool
 # PUT /subnetpools/{id}/remove_prefixes
 # Intended scope(s): project
-#"remove_prefixes": "rule:admin_only or role:member and project_id:%(project_id)s"
+#"remove_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "remove_prefixes":"rule:admin_or_owner" has been deprecated since W
-# in favor of "remove_prefixes":"rule:admin_only or role:member and
-# project_id:%(project_id)s".
+# in favor of "remove_prefixes":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The subnet pool API now supports system scope and default roles.
 # Create a trunk
 # POST /trunks
 # Intended scope(s): project
-#"create_trunk": "role:member and project_id:%(project_id)s"
+#"create_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "create_trunk":"rule:regular_user" has been deprecated since W in
-# favor of "create_trunk":"role:member and project_id:%(project_id)s".
+# favor of "create_trunk":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # Get a trunk
 # GET /trunks
 # GET /trunks/{id}
 # Intended scope(s): project
-#"get_trunk": "role:reader and project_id:%(project_id)s"
+#"get_trunk": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_trunk":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_trunk":"role:reader and project_id:%(project_id)s".
+# favor of "get_trunk":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # Update a trunk
 # PUT /trunks/{id}
 # Intended scope(s): project
-#"update_trunk": "role:member and project_id:%(project_id)s"
+#"update_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "update_trunk":"rule:admin_or_owner" has been deprecated since W in
-# favor of "update_trunk":"role:member and project_id:%(project_id)s".
+# favor of "update_trunk":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # Delete a trunk
 # DELETE /trunks/{id}
 # Intended scope(s): project
-#"delete_trunk": "role:member and project_id:%(project_id)s"
+#"delete_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "delete_trunk":"rule:admin_or_owner" has been deprecated since W in
-# favor of "delete_trunk":"role:member and project_id:%(project_id)s".
+# favor of "delete_trunk":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # List subports attached to a trunk
 # GET /trunks/{id}/get_subports
 # Intended scope(s): project
-#"get_subports": "role:reader and project_id:%(project_id)s"
+#"get_subports": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
 # "get_subports":"rule:regular_user" has been deprecated since W in
-# favor of "get_subports":"role:reader and project_id:%(project_id)s".
+# favor of "get_subports":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # Add subports to a trunk
 # PUT /trunks/{id}/add_subports
 # Intended scope(s): project
-#"add_subports": "role:member and project_id:%(project_id)s"
+#"add_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "add_subports":"rule:admin_or_owner" has been deprecated since W in
-# favor of "add_subports":"role:member and project_id:%(project_id)s".
+# favor of "add_subports":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
 # Delete subports from a trunk
 # PUT /trunks/{id}/remove_subports
 # Intended scope(s): project
-#"remove_subports": "role:member and project_id:%(project_id)s"
+#"remove_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
 # "remove_subports":"rule:admin_or_owner" has been deprecated since W
-# in favor of "remove_subports":"role:member and
-# project_id:%(project_id)s".
+# in favor of "remove_subports":"(rule:admin_only) or (role:member and
+# project_id:%(project_id)s)".
 # The trunks API now supports system scope and default roles.
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml
index 824854b543..46868868fa 100644
--- a/openstack_dashboard/conf/nova_policy.yaml
+++ b/openstack_dashboard/conf/nova_policy.yaml
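Review bot: The `create_trunk`, `get_trunk`, `update_trunk`, `delete_trunk`, `get_subports`, `add_subports` and `remove_subports` defaults in this hunk gain an `(rule:admin_only) or` alternative that the removed line did not have, whereas the `delete_subnetpool`, `onboard_network_subnets`, `add_prefixes` and `remove_prefixes` lines at the top of the same hunk, and the subnet/subnetpool hunks above it, only parenthesize an `admin_only` alternative that was already present, so one regeneration mixes a cosmetic rewrite with a real change in who the sample default admits. The security-group-rule hunk that ends at the top of this view (its start is outside it) has the same widening pattern. Since every changed line is a commented sample, the wider default only takes effect if the defaults Horizon actually enforces are regenerated from the same neutron release in this commit, which this diff alone does not show; I would confirm that and state it in the commit message, e.g. `Neutron sample: trunk and security-group-rule defaults now also admit rule:admin_only; subnet/subnetpool changes are parenthesization only.`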
@@ -2119,12 +2119,12 @@
 # This API is proxy calls to the Network service. This is deprecated.
 # GET /os-tenant-networks
 # Intended scope(s): project
-#"os_compute_api:os-tenant-networks:list": "rule:project_reader_api"
+#"os_compute_api:os-tenant-networks:list": "rule:project_reader_or_admin"
 # DEPRECATED
 # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant-
-# networks:list":"rule:project_reader_api".
+# networks:list":"rule:project_reader_or_admin".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -2144,12 +2144,12 @@
 # This API is proxy calls to the Network service. This is deprecated.
 # GET /os-tenant-networks/{network_id}
 # Intended scope(s): project
-#"os_compute_api:os-tenant-networks:show": "rule:project_reader_api"
+#"os_compute_api:os-tenant-networks:show": "rule:project_reader_or_admin"
 # DEPRECATED
 # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant-
-# networks:show":"rule:project_reader_api".
+# networks:show":"rule:project_reader_or_admin".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
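Review bot: Both `os-tenant-networks:list` and `os-tenant-networks:show` now point at the named rule `rule:project_reader_or_admin`, which nothing in these two hunks defines; in oslo.policy a reference to a rule that is not defined evaluates to deny, so the sample documents a working default only if the same regeneration also carries a `project_reader_or_admin` definition earlier in the file, outside this view. Worth checking that the definition landed in this commit before relying on the new default, and worth an operator-facing line in the commit message such as `Nova sample: os-tenant-networks defaults moved from project_reader_api to project_reader_or_admin`.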