Support policy-in-code and deprecated policy

This commit allows horizon to handle deprecated policy rules.
The approach is explained in the document updated by this change.

The oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen
just because it is the first release in the Victoria cycle.
requirements.txt and lower-constraints.txt are updated accordingly,
including oslo.policy dependencies.

Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
Akihiro Motoki 2020-09-07 12:12:37 +09:00
parent 29260bbf13
commit b7bb76eb20
25 changed files with 15237 additions and 792 deletions


@ -136,6 +136,30 @@ the GUI. For example themes, see: /horizon/openstack_dashboard/themes/
Horizon ships with two themes configured. 'default' is the default theme,
and 'material' is based on Google's Material Design.
DEFAULT_POLICY_FILES
--------------------
.. versionadded:: 19.1.0(Wallaby)
Default:
.. code-block:: python
{
'identity': 'default_policies/keystone.yaml',
'compute': 'default_policies/nova.yaml',
'volume': 'default_policies/cinder.yaml',
'image': 'default_policies/glance.yaml',
'network': 'default_policies/neutron.yaml',
}
This is a mapping from service types to YAML files including default
policy definitions. Values of this mapping should be relative paths to
`POLICY_FILES_PATH`_ or absolute paths. Policy files specified in this
setting are generated from default policies of back-end services,
so you rarely need to configure it. If you would like to override the
default policies, consider customizing files under `POLICY_FILES`_.
DEFAULT_THEME
-------------
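Review bot: the sentence describing `DEFAULT_POLICY_FILES` values ("relative paths to `POLICY_FILES_PATH`_ or absolute paths") does not match the loader added in openstack_auth/policy.py in this same change, which resolves them with `os.path.join(_BASE_PATH, policy_files[service])`: a relative value is taken relative to `_BASE_PATH`, not to `POLICY_FILES_PATH`. Either resolve the value against `POLICY_FILES_PATH` in `_load_default_rules` or document the actual base directory here, otherwise an operator following this text will point at a file that is never read and the service will run with no default rules.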
@ -792,20 +816,25 @@ POLICY_FILES
.. versionadded:: 2013.2(Havana)
.. versionchanged:: 19.1.0(Wallaby)
The default files are changed to YAML format.
JSON format still continues to be supported.
Default:
.. code-block:: python
{
'compute': 'nova_policy.json',
'identity': 'keystone_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
'volume': 'cinder_policy.json',
'compute': 'nova_policy.yaml',
'identity': 'keystone_policy.yaml',
'image': 'glance_policy.yaml',
'network': 'neutron_policy.yaml',
'volume': 'cinder_policy.yaml',
}
This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_
to service types. When policy.json files are added to `POLICY_FILES_PATH`_,
to service types. When policy files are added to `POLICY_FILES_PATH`_,
they should be included here too.
POLICY_FILES_PATH
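Review bot: the change of the default file names from `<service>_policy.json` to `<service>_policy.yaml` needs an upgrade note in this section or a release note. An operator who customized the shipped `nova_policy.json` in place rather than through `POLICY_FILES` will silently stop using it after the upgrade, because the default mapping now points at `nova_policy.yaml`, whose sample rules are all commented out, so the shipped defaults from `DEFAULT_POLICY_FILES` take effect instead. The `versionchanged` note that JSON "still continues to be supported" is true for files listed explicitly in `POLICY_FILES`; say that, and cross-reference `DEFAULT_POLICY_FILES` so readers see how the two layers combine.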


@ -29,6 +29,7 @@ engine to work.
* ``POLICY_DIRS``
* ``POLICY_FILES_PATH``
* ``POLICY_FILES``
* ``DEFAULT_POLICY_FILES``
For more detail, see :doc:`/configuration/settings`.
@ -154,32 +155,117 @@ override the :meth:`horizon.tables.Action.get_policy_target` method. This
allows a programmatic way to specify the target based on the current datum. The
value returned should be the target dictionary.
Policy-in-Code and deprecated rules
===================================
As the effort of
`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__,
most OpenStack projects define their default policies in their codes.
All projects (except swift) covered by horizon supports "policy-in-code".
(Note that swift is an exception as it has its own mechanism to control RBAC.)
"oslo.policy" provides a way to deprecate existing policy rules like
renaming rule definitions ("check_str") and renaming rule names.
They are defined as part of python codes in back-end services.
horizon cannot import python codes of back-end services, so we need a way
to restore policies defined by "policy-in-code" including deprecated rules.
To address the above issue, horizon adopts the following two-step approach:
* The first step scans policy-in-code of back-end services and
and dump the loaded default policies into YAML files per service
including information of deprecated rules.
This step is executed as part of the development process per release cycle
and these YAML files are shipped per release.
Note that `oslopolicy-sample-generator` does not output deprecated rules
in a structured way, so we prepare a dedicated script for this purpose
in the horizon repo.
* The horizon policy implementation loads the above YAML file into a list of
RuleDefault and registers the list as the default rules to the policy
enforcer. The default rules and operator-defined rules are maintained
separately, so operators still can edit the policy files as oslo.policy
does in back-end services.
This approach has the following merits:
* All features supported by oslo.policy can be supported in horizon
as default rules in back-end services are restored as-is.
Horizon can evaluate deprecated rules.
* The default rules and operator defined rules are maintained separately.
Operators can use the same way to maintain policy files of back-end services.
The related files in the horizon codebase are:
* `openstack_dashboard/conf/<service>_policy.yaml`:
operator-defined policies.
These files are generated by `oslopolicy-sample-generator`.
* `openstack_dashboard/conf/default_policies/<service>.yaml`
YAML files contain default policies.
* `openstack_dashboard/management/commands/dump_default_policies.py`:
This script scans policy-in-code of a specified namespace under
`oslo.policy.policies` entrypoints and dump them into the YAML file
under `openstack_dashboard/conf/default_policies`.
* `openstack_auth/policy.py`: `_load_default_rules` function loads
the YAML files with default rules and call `register_defautls` method
of the policy enforcer per service.
Policy file maintenance
=======================
The policy implementation uses the copies of policies defined in
back-end services.
* YAML files for default policies
As of Queens, the OpenStack community are in the process of
`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__.
Some projects already define their policies in the code,
and some still have their policies in ``policy.json`` files.
Run the following command after installing a corresponding project.
You need to run it for keystone, nova, cinder, neutron, glance.
For project with the legacy ``policy.json`` files,
what we need to do is just to copy ``policy.json`` into the horizon tree.
.. code-block:: console
For projects with "policy-in-code", all policies are defined as python codes,
so we first need to generate policy files with its default rules.
To do this, run the following command after install a corresponding project.
python3 manage.py dump_default_policies \
--namespace $PROJECT \
--output-file openstack_dashboard/conf/default_policies/${PROJECT}.yaml
.. code-block:: console
* Sample policy files
oslopolicy-sample-generator --namespace $PROJECT --format json \
--output-file $HORIZON_REPO/openstack_dashboard/conf/$PROJECT_policy.json
Run the following commands after installing a corresponding project.
You need to run it for keystone, nova, cinder, neutron, glance.
.. code-block:: console
oslopolicy-sample-generator --namespace keystone \
--output-file openstack_dashboard/conf/${PROJECT}_policy.yaml
sed -i 's/^"/#"/' openstack_dashboard/conf/${PROJECT}_policy.yaml
.. note::
We now use YAML format for sample policy files now.
"oslo.policy" can accept both YAML and JSON files.
We now support default policies so there is no need to define all
policies using JSON files. YAML files also allows us to use comments,
so we can provide good sample policy files.
This is the same motivation as the Wallaby community goal
`Migrate RBAC Policy Format from JSON to YAML
<https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html>`__.
.. note::
The second "sed" command is to comment out rules for rule renames.
`oslopolicy-sample-generator` does not comment out them, but they
are unnecessary in horizon usage. A single renaming rule can map
to multiple rules, so it does not work as-is. In addition,
they trigger deprecation warnings in horizon log if these sample
files are used in horizon as-is.
Thus, we comment them out by default.
After syncing policies from back-end services, you need to check what are
changed. If a policy referred by horizon has been changed, you need to check
and modify the horizon code base accordingly.
.. note::
After the support of default policies, the following tool does not work.
It is a future work to make it work again or evaluate the need itself.
To summarize which policies are removed or added, a convenient tool is
provided:
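Review bot: the sample-generator command under "Sample policy files" hard-codes `--namespace keystone` while its `--output-file` uses `${PROJECT}`, so running it for nova, cinder, neutron or glance as the text instructs writes keystone's rules into the other service's sample file; use `--namespace $PROJECT` as the `dump_default_policies` command above does. Typos in the same hunk: "register_defautls" should be `register_defaults` (the method actually called in openstack_auth/policy.py), "scans ... and and dump" doubles "and", and "All projects (except swift) covered by horizon supports" should read "support". It would also help to state which release of each back-end service must be installed before running the dump, since the YAML is a point-in-time copy of that service's defaults; "per release cycle" hints at this but does not say it.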


@ -56,16 +56,16 @@ os-service-types==1.2.0
osc-lib==1.8.0
oslo.concurrency==3.26.0
oslo.config==5.2.0
oslo.context==2.19.2
oslo.context==2.22.0
oslo.i18n==3.15.3
oslo.log==3.36.0
oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.policy==1.30.0
oslo.policy==3.2.0
oslo.serialization==2.18.0
oslo.service==1.24.0
oslo.upgradecheck==0.1.1
oslo.utils==3.33.0
oslo.utils==3.40.0
osprofiler==2.3.0
Paste==2.0.2
PasteDeploy==1.5.0


@ -170,3 +170,4 @@ KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
POLICY_FILES_PATH = ''
POLICY_FILES = {}
POLICY_DIRS = {}
DEFAULT_POLICY_FILES = {}


@ -20,6 +20,7 @@ from django.conf import settings
from oslo_config import cfg
from oslo_policy import opts as policy_opts
from oslo_policy import policy
import yaml
from openstack_auth import user as auth_user
from openstack_auth import utils as auth_utils
@ -55,6 +56,51 @@ def _get_policy_file_with_full_path(service):
return policy_file, policy_dirs
def _convert_to_ruledefault(p):
deprecated = p.get('deprecated_rule')
if deprecated:
deprecated_rule = policy.DeprecatedRule(deprecated['name'],
deprecated['check_str'])
else:
deprecated_rule = None
return policy.RuleDefault(
p['name'], p['check_str'],
description=p['description'],
scope_types=p['scope_types'],
deprecated_rule=deprecated_rule,
deprecated_for_removal=p.get('deprecated_for_removal', False),
deprecated_reason=p.get('deprecated_reason'),
deprecated_since=p.get('deprecated_since'),
)
def _load_default_rules(service, enforcer):
policy_files = settings.DEFAULT_POLICY_FILES
try:
policy_file = os.path.join(_BASE_PATH, policy_files[service])
except KeyError:
LOG.error('Default policy file for %s is not defined. '
'Check DEFAULT_POLICY_FILES setting.', service)
return
try:
with open(policy_file) as f:
policies = yaml.safe_load(f)
except IOError as e:
LOG.error('Failed to open the policy file for %(service)s %(path)s: '
'%(reason)s',
{'service': service, 'path': policy_file, 'reason': e})
return
except yaml.YAMLError as e:
LOG.error('Failed to load the default policies for %(service)s: '
'%(reason)s', {'service': service, 'reason': e})
return
defaults = [_convert_to_ruledefault(p) for p in policies]
enforcer.register_defaults(defaults)
def _get_enforcer():
global _ENFORCER
if not _ENFORCER:
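Review bot: `_convert_to_ruledefault` indexes `p['name']`, `p['check_str']`, `p['description']` and `p['scope_types']` directly, but `_load_default_rules` only catches `IOError` and `yaml.YAMLError`, so a default policy file with a missing key, a `deprecated_rule` entry lacking `name` or `check_str`, or an empty file (where `yaml.safe_load` returns `None` and the comprehension raises `TypeError`) propagates out of `_get_enforcer` and breaks the dashboard for that service. The shipped files are generated, but `DEFAULT_POLICY_FILES` lets operators point at their own; validate the loaded structure, or catch `KeyError`/`TypeError` next to the existing handlers and log the offending entry, so this path degrades the same way as the other error branches. Keeping `yaml.safe_load` rather than `yaml.load` is the right choice here. Separately, a service missing from `DEFAULT_POLICY_FILES` only logs an error and runs with no registered defaults, and since the setting is a plain dict, an operator overriding it in local_settings with one entry drops the other four services; that deserves a sentence in the settings reference.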
@ -64,6 +110,8 @@ def _get_enforcer():
policy_file, policy_dirs = _get_policy_file_with_full_path(service)
conf = _get_policy_conf(policy_file, policy_dirs)
enforcer = policy.Enforcer(conf)
enforcer.suppress_default_change_warnings = True
_load_default_rules(service, enforcer)
try:
enforcer.load_rules()
except IOError:
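Review bot: `enforcer.suppress_default_change_warnings = True` is set without a comment explaining why. It silences oslo.policy's warning that a rule in the operator's policy file differs from the registered default, which is exactly the signal an operator wants when their file makes a rule more permissive than the back-end default. If the intent is only to avoid noise from the shipped sample files, say so in a comment and in the commit message; otherwise leave the attribute at its default so customized rules are reported once at startup. Registering the defaults before `enforcer.load_rules()` is the right order, since the file rules are merged onto the registered defaults.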


@ -1,147 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
"admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
"volume:attachment_create": "",
"volume:attachment_update": "rule:admin_or_owner",
"volume:attachment_delete": "rule:admin_or_owner",
"volume:attachment_complete": "rule:admin_or_owner",
"volume:multiattach_bootable_volume": "rule:admin_or_owner",
"message:get_all": "rule:admin_or_owner",
"message:get": "rule:admin_or_owner",
"message:delete": "rule:admin_or_owner",
"clusters:get_all": "rule:admin_api",
"clusters:get": "rule:admin_api",
"clusters:update": "rule:admin_api",
"workers:cleanup": "rule:admin_api",
"volume:get_snapshot_metadata": "rule:admin_or_owner",
"volume:update_snapshot_metadata": "rule:admin_or_owner",
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
"volume:get_all_snapshots": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume:create_snapshot": "rule:admin_or_owner",
"volume:get_snapshot": "rule:admin_or_owner",
"volume:update_snapshot": "rule:admin_or_owner",
"volume:delete_snapshot": "rule:admin_or_owner",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
"snapshot_extension:list_manageable": "rule:admin_api",
"snapshot_extension:snapshot_manage": "rule:admin_api",
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
"backup:get_all": "rule:admin_or_owner",
"backup:backup_project_attribute": "rule:admin_api",
"backup:create": "",
"backup:get": "rule:admin_or_owner",
"backup:update": "rule:admin_or_owner",
"backup:delete": "rule:admin_or_owner",
"backup:restore": "rule:admin_or_owner",
"backup:backup-import": "rule:admin_api",
"backup:export-import": "rule:admin_api",
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
"group:get_all": "rule:admin_or_owner",
"group:create": "",
"group:get": "rule:admin_or_owner",
"group:update": "rule:admin_or_owner",
"group:group_project_attribute": "rule:admin_api",
"group:group_types_manage": "rule:admin_api",
"group:access_group_types_specs": "rule:admin_api",
"group:group_types_specs": "rule:admin_api",
"group:get_all_group_snapshots": "rule:admin_or_owner",
"group:create_group_snapshot": "",
"group:get_group_snapshot": "rule:admin_or_owner",
"group:delete_group_snapshot": "rule:admin_or_owner",
"group:update_group_snapshot": "rule:admin_or_owner",
"group:group_snapshot_project_attribute": "rule:admin_api",
"group:reset_group_snapshot_status": "rule:admin_or_owner",
"group:delete": "rule:admin_or_owner",
"group:reset_status": "rule:admin_api",
"group:enable_replication": "rule:admin_or_owner",
"group:disable_replication": "rule:admin_or_owner",
"group:failover_replication": "rule:admin_or_owner",
"group:list_replication_targets": "rule:admin_or_owner",
"volume_extension:qos_specs_manage:get_all": "rule:admin_api",
"volume_extension:qos_specs_manage:get": "rule:admin_api",
"volume_extension:qos_specs_manage:create": "rule:admin_api",
"volume_extension:qos_specs_manage:update": "rule:admin_api",
"volume_extension:qos_specs_manage:delete": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",
"volume_extension:quotas:show": "rule:admin_or_owner",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quotas:delete": "rule:admin_api",
"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
"volume_extension:capabilities": "rule:admin_api",
"volume_extension:services:index": "rule:admin_api",
"volume_extension:services:update": "rule:admin_api",
"volume:freeze_host": "rule:admin_api",
"volume:thaw_host": "rule:admin_api",
"volume:failover_host": "rule:admin_api",
"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"limits_extension:used_limits": "rule:admin_or_owner",
"volume_extension:list_manageable": "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:type_get": "",
"volume_extension:type_get_all": "",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
"volume:extend": "rule:admin_or_owner",
"volume:extend_attached_volume": "rule:admin_or_owner",
"volume:revert_to_snapshot": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume:retype": "rule:admin_or_owner",
"volume:update_readonly_flag": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_actions:upload_public": "rule:admin_api",
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner",
"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner",
"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner",
"volume_extension:volume_actions:reserve": "rule:admin_or_owner",
"volume_extension:volume_actions:unreserve": "rule:admin_or_owner",
"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner",
"volume_extension:volume_actions:attach": "rule:admin_or_owner",
"volume_extension:volume_actions:detach": "rule:admin_or_owner",
"volume:get_all_transfers": "rule:admin_or_owner",
"volume:create_transfer": "rule:admin_or_owner",
"volume:get_transfer": "rule:admin_or_owner",
"volume:accept_transfer": "",
"volume:delete_transfer": "rule:admin_or_owner",
"volume:get_volume_metadata": "rule:admin_or_owner",
"volume:create_volume_metadata": "rule:admin_or_owner",
"volume:update_volume_metadata": "rule:admin_or_owner",
"volume:delete_volume_metadata": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
"volume:update_volume_admin_metadata": "rule:admin_api",
"volume_extension:types_extra_specs:index": "rule:admin_api",
"volume_extension:types_extra_specs:create": "rule:admin_api",
"volume_extension:types_extra_specs:show": "rule:admin_api",
"volume_extension:types_extra_specs:update": "rule:admin_api",
"volume_extension:types_extra_specs:delete": "rule:admin_api",
"volume:create": "",
"volume:create_from_image": "",
"volume:get": "rule:admin_or_owner",
"volume:get_all": "rule:admin_or_owner",
"volume:update": "rule:admin_or_owner",
"volume:delete": "rule:admin_or_owner",
"volume:force_delete": "rule:admin_api",
"volume_extension:volume_host_attribute": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume:multiattach": "rule:admin_or_owner"
}
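Review bot: deleting cinder_policy.json removes the last place in the horizon tree where cinder's effective rules were stated uncommented; from now on they come from the generated `default_policies/cinder.yaml`, which this page does not show. The commit message should record which cinder release the dump was taken from, because the deleted file and the new default file must describe the same rules or the policy horizon enforces changes silently on upgrade, starting with the `admin_or_owner` and `admin_api` definitions at the top of this file that every other rule references. Comparing the rule names in this file against the generated YAML before merging would catch any drift.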


@ -0,0 +1,646 @@
# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Create attachment.
# POST /attachments
#"volume:attachment_create": ""
# Update attachment.
# PUT /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"
# Delete attachment.
# DELETE /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"
# Mark a volume attachment process as completed (in-use)
# POST /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"
# Allow multiattach of bootable volumes.
# POST /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"
# List messages.
# GET /messages
#"message:get_all": "rule:admin_or_owner"
# Show message.
# GET /messages/{message_id}
#"message:get": "rule:admin_or_owner"
# Delete message.
# DELETE /messages/{message_id}
#"message:delete": "rule:admin_or_owner"
# List clusters.
# GET /clusters
# GET /clusters/detail
#"clusters:get_all": "rule:admin_api"
# Show cluster.
# GET /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"
# Update cluster.
# PUT /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"
# Clean up workers.
# POST /workers/cleanup
#"workers:cleanup": "rule:admin_api"
# Show snapshot's metadata or one specified metadata with a given key.
# GET /snapshots/{snapshot_id}/metadata
# GET /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"
# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT /snapshots/{snapshot_id}/metadata
# PUT /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"
# Delete snapshot's specified metadata with a given key.
# DELETE /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"
# List snapshots.
# GET /snapshots
# GET /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"
# List or show snapshots with extended attributes.
# GET /snapshots/{snapshot_id}
# GET /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
# Create snapshot.
# POST /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"
# Show snapshot.
# GET /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"
# Update snapshot.
# PUT /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"
# Delete snapshot.
# DELETE /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"
# Reset status of a snapshot.
# POST /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
# Update database fields of snapshot.
# POST /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""
# Force delete a snapshot.
# POST /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
# List (in detail) of snapshots which are available to manage.
# GET /manageable_snapshots
# GET /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"
# Manage an existing snapshot.
# POST /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"
# Stop managing a snapshot.
# POST /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"
# List backups.
# GET /backups
# GET /backups/detail
#"backup:get_all": "rule:admin_or_owner"
# List backups or show backup with project attributes.
# GET /backups/{backup_id}
# GET /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"
# Create backup.
# POST /backups
#"backup:create": ""
# Show backup.
# GET /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"
# Update backup.
# PUT /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"
# Delete backup.
# DELETE /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"
# Restore backup.
# POST /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"
# Import backup.
# POST /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"
# Export backup.
# POST /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"
# Reset status of a backup.
# POST /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
# Force delete a backup.
# POST /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
# List groups.
# GET /groups
# GET /groups/detail
#"group:get_all": "rule:admin_or_owner"
# Create group.
# POST /groups
#"group:create": ""
# Show group.
# GET /groups/{group_id}
#"group:get": "rule:admin_or_owner"
# Update group.
# PUT /groups/{group_id}
#"group:update": "rule:admin_or_owner"
# List groups or show group with project attributes.
# GET /groups/{group_id}
# GET /groups/detail
#"group:group_project_attribute": "rule:admin_api"
# Create, update or delete a group type.
# POST /group_types/
# PUT /group_types/{group_type_id}
# DELETE /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"
# Show group type with type specs attributes.
# GET /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"
# Create, show, update and delete group type spec.
# GET /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET /group_types/{group_type_id}/group_specs
# POST /group_types/{group_type_id}/group_specs
# PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"
# List group snapshots.
# GET /group_snapshots
# GET /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"
# Create group snapshot.
# POST /group_snapshots
#"group:create_group_snapshot": ""
# Show group snapshot.
# GET /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"
# Delete group snapshot.
# DELETE /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"
# Update group snapshot.
# PUT /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"
# List group snapshots or show group snapshot with project attributes.
# GET /group_snapshots/{group_snapshot_id}
# GET /group_snapshots/detail
#"group:group_snapshot_project_attribute": "rule:admin_api"
# Reset status of group snapshot.
# POST /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_or_owner"
# Delete group.
# POST /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"
# Reset status of group.
# POST /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"
# Enable replication.
# POST /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"
# Disable replication.
# POST /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"
# Fail over replication.
# POST /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"
# List failover replication.
# POST /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"
# List qos specs or list all associations.
# GET /qos-specs
# GET /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"
# Show qos specs.
# GET /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"
# Create qos specs.
# POST /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"
# Update qos specs (including updating association).
# PUT /qos-specs/{qos_id}
# GET /qos-specs/{qos_id}/disassociate_all
# GET /qos-specs/{qos_id}/associate
# GET /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"
# delete qos specs or unset one specified qos key.
# DELETE /qos-specs/{qos_id}
# PUT /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"
# Show or update project quota class.
# GET /os-quota-class-sets/{project_id}
# PUT /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"
# Show project quota (including usage and default).
# GET /os-quota-sets/{project_id}
# GET /os-quota-sets/{project_id}/default
# GET /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"
# Update project quota.
# PUT /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"
# Delete project quota.
# DELETE /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"
# Validate setup for nested quota.
# GET /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
# Show backend capabilities.
# GET /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"
# List all services.
# GET /os-services
#"volume_extension:services:index": "rule:admin_api"
# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"
# Freeze a backend host.
# PUT /os-services/freeze
#"volume:freeze_host": "rule:admin_api"
# Thaw a backend host.
# PUT /os-services/thaw
#"volume:thaw_host": "rule:admin_api"
# Failover a backend host.
# PUT /os-services/failover_host
#"volume:failover_host": "rule:admin_api"
# List all backend pools.
# GET /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
# List, update or show hosts for a project.
# GET /os-hosts
# PUT /os-hosts/{host_name}
# GET /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"
# Show limits with used limit attributes.
# GET /limits
#"limits_extension:used_limits": "rule:admin_or_owner"
# List (in detail) of volumes which are available to manage.
# GET /manageable_volumes
# GET /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"
# Manage existing volumes.
# POST /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"
# Stop managing a volume.
# POST /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"
# Create, update and delete volume type.
# POST /types
# PUT /types
# DELETE /types
#"volume_extension:types_manage": "rule:admin_api"
# Get one specific volume type.
# GET /types/{type_id}
#"volume_extension:type_get": ""
# List volume types.
# GET /types/
#"volume_extension:type_get_all": ""
# Base policy for all volume type encryption type operations. This
# can be used to set the policies for a volume type's encryption type
# create, show, update, and delete actions in one place, or any of
# those may be set individually using the following policy targets for
# finer grained control.
# POST /types/{type_id}/encryption
# PUT /types/{type_id}/encryption/{encryption_id}
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"
# Create volume type encryption.
# POST /types/{type_id}/encryption
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"
# Show a volume type's encryption type, show an encryption specs item.
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"
# Update volume type encryption.
# PUT /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"
# Delete volume type encryption.
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"
# List or show volume type with access type extra specs attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"
# List or show volume type with access type qos specs id attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"
# Volume type access related APIs.
# GET /types
# GET /types/detail
# GET /types/{type_id}
# POST /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"
# Add volume type access for project.
# POST /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
# Remove volume type access for project.
# POST /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
# Extend a volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"
# Extend a attached volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"
# Revert a volume to a snapshot.
# POST /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"
# Reset status of a volume.
# POST /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
# Retype a volume.
# POST /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"
# Update a volume's readonly flag.
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"
# Force delete a volume.
# POST /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
# Upload a volume to image with public visibility.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"
# Upload a volume to image.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
# Force detach a volume.
# POST /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
# migrate a volume to a specified host.
# POST /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
# Complete a volume migration.
# POST /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
# Initialize volume attachment.
# POST /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
# Terminate volume attachment.
# POST /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
# Roll back volume status to 'in-use'.
# POST /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
# Mark volume as reserved.
# POST /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
# Unmark volume as reserved.
# POST /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
# Begin detach volumes.
# POST /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
# Add attachment metadata.
# POST /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"
# Clear attachment metadata.
# POST /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"
# List volume transfer.
# GET /os-volume-transfer
# GET /os-volume-transfer/detail
# GET /volume_transfers
# GET /volume-transfers/detail
#"volume:get_all_transfers": "rule:admin_or_owner"
# Create a volume transfer.
# POST /os-volume-transfer
# POST /volume_transfers
#"volume:create_transfer": "rule:admin_or_owner"
# Show one specified volume transfer.
# GET /os-volume-transfer/{transfer_id}
# GET /volume-transfers/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"
# Accept a volume transfer.
# POST /os-volume-transfer/{transfer_id}/accept
# POST /volume-transfers/{transfer_id}/accept
#"volume:accept_transfer": ""
# Delete volume transfer.
# DELETE /os-volume-transfer/{transfer_id}
# DELETE /volume-transfers/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"
# Show volume's metadata or one specified metadata with a given key.
# GET /volumes/{volume_id}/metadata
# GET /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"
# Create volume metadata.
# POST /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"
# Update volume's metadata or one specified metadata with a given key.
# PUT /volumes/{volume_id}/metadata
# PUT /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"
# Delete volume's specified metadata with a given key.
# DELETE /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"
# Volume's image metadata related operation, create, delete, show and
# list.
# GET /volumes/detail
# GET /volumes/{volume_id}
# POST /volumes/{volume_id}/action (os-set_image_metadata)
# POST /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"
# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
# POST /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"
# List type extra specs.
# GET /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"
# Create type extra specs.
# POST /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"
# Show one specified type extra specs.
# GET /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"
# Update type extra specs.
# PUT /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"
# Delete type extra specs.
# DELETE /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"
# Create volume.
# POST /volumes
#"volume:create": ""
# Create volume from image.
# POST /volumes
#"volume:create_from_image": ""
# Show volume.
# GET /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"
# List volumes or get summary of volumes.
# GET /volumes
# GET /volumes/detail
# GET /volumes/summary
#"volume:get_all": "rule:admin_or_owner"
# Update volume or update a volume's bootable status.
# PUT /volumes
# POST /volumes/{volume_id}/action (os-set_bootable)
#"volume:update": "rule:admin_or_owner"
# Delete volume.
# DELETE /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"
# Force Delete a volume.
# DELETE /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"
# List or show volume with host attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"
# List or show volume with tenant attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
# List or show volume with migration status attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"
# Show volume's encryption metadata.
# GET /volumes/{volume_id}/encryption
# GET /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
# Create multiattach capable volume.
# POST /volumes
#"volume:multiattach": "rule:admin_or_owner"
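Review bot: A header comment for this sample should state that every rule ships commented out and what uncommenting one does, because several entries here carry an empty check string (`#"volume:create": ""`, `#"volume:create_from_image": ""`, `#"volume:accept_transfer": ""`, `#"volume_extension:type_get": ""`) and an empty check string in oslo.policy means the action is allowed for any authenticated user; an operator who uncomments those lines expecting a restriction gets the opposite. The same header should note that force delete is governed by two names in this file, `volume:force_delete` and `volume_extension:volume_admin_actions:force_delete`, both `rule:admin_api`, so a tightening or loosening has to be applied to both. The wording slips (`Extend a attached volume.`, lowercase `migrate a volume`) come from cinder's policy descriptions and belong upstream rather than hand-edited in a generated file.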

View File

@ -0,0 +1,12 @@
This folder contains default policies of back-end services.
They are generated based on policy-in-code in back-end services.
Operators are not expected to edit them.
To update these files, run the following command:
python manage.py dump_default_policies \
--namespace <service> \
--output-file openstack_dashboard/conf/default_policies/<service>.yaml
<service> must be a namespace under oslo.policy.policies to query and
we use "keystone", "nova", "cinder", "neutron" and "glance".
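Review bot: The regeneration instructions omit two things needed to reproduce these files: the service package that registers the `oslo.policy.policies` entry point for the namespace (nova, cinder, keystone, neutron or glance itself) must be importable in the environment where `manage.py dump_default_policies` runs, otherwise the namespace lookup yields nothing, and the README does not record which release of each service the checked-in YAML was dumped from. Since horizon uses these files to decide which actions to show and to resolve deprecated rules, a stale or mismatched dump silently changes UI behaviour; suggest one line per file (or a generated header comment) with the service release and dump date, plus a note to diff the regenerated file before committing.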

File diff suppressed because it is too large

View File

@ -0,0 +1,280 @@
- check_str: ''
deprecated_reason: In order to allow operators to accept the default policies from
code by not defining them in the policy file, while still working with old policy
files that rely on the ``default`` rule for policies that are not specified in
the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"``
when that is the desired default for unspecified rules.
deprecated_rule:
check_str: role:admin
name: default
deprecated_since: Ussuri
description: Defines the default rule used for policies that historically had an
empty policy in the supplied policy.json file.
name: default
operations: []
scope_types: null
- check_str: role:admin
description: Defines the rule for the is_admin:True check.
name: context_is_admin
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_images
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_image
operations: []
scope_types: null
- check_str: role:admin
description: null
name: publicize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: communitize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: download_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: upload_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: set_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_members
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_member
operations: []
scope_types: null
- check_str: role:admin
description: null
name: manage_image_cache
operations: []
scope_types: null
- check_str: rule:default
description: null
name: deactivate
operations: []
scope_types: null
- check_str: rule:default
description: null
name: reactivate
operations: []
scope_types: null
- check_str: role:admin
description: null
name: copy_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_task
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_tasks
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_task
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_task
operations: []
scope_types: null
- check_str: role:admin
description: null
name: tasks_api_access
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_namespaces
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_objects
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: list_metadef_resource_types
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_resource_type
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
description: null
name: remove_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_properties
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: remove_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_tags
operations: []
scope_types: null
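Review bot: The `default` entry at the top of this dump has `check_str: ''` with a deprecated `role:admin` rule since Ussuri, and almost every other glance rule resolves to `rule:default`, so the effective answer for `add_image`, `delete_image`, `modify_image` and the rest is "allowed" for any authenticated user as far as horizon's check is concerned; only `context_is_admin`, `publicize_image`, `manage_image_cache`, `copy_image` and `tasks_api_access` carry `role:admin`. That matches what glance ships (this file is a dump of its defaults), but the horizon code consuming it must treat an empty check string as always-true exactly as oslo.policy does, otherwise these rules would read as deny. Also note that `copy_from`, which the removed `glance_policy.json` defined, has no entry here, so any horizon check still using that name falls through to whatever the loader does for unknown rules; worth a grep before merging.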

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@ -1,63 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}
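Review bot: Dropping this file changes the outcome for every rule it did not list, because here `"default": "role:admin"` made unlisted names such as `delete_metadef_namespace`, `delete_metadef_object`, `remove_metadef_property` and `delete_metadef_tag` admin-only, whereas the replacement YAML lists them as `rule:default`, which now resolves to the empty check. The rules listed here were already `""`, so their result is unchanged, but `copy_from` is defined here and nowhere else in the change. A release note calling out the behaviour change for the previously unlisted metadef rules, and a check that no panel still references `copy_from`, would make this removal safe to ship.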

View File

@ -0,0 +1,121 @@
# Defines the default rule used for policies that historically had an
# empty policy in the supplied policy.json file.
#"default": ""
# DEPRECATED
# "default":"role:admin" has been deprecated since Ussuri in favor of
# "default":"".
# In order to allow operators to accept the default policies from code
# by not defining them in the policy file, while still working with
# old policy files that rely on the ``default`` rule for policies that
# are not specified in the policy file, the ``default`` rule must now
# be explicitly set to ``"role:admin"`` when that is the desired
# default for unspecified rules.
# Defines the rule for the is_admin:True check.
#"context_is_admin": "role:admin"
#"add_image": "rule:default"
#"delete_image": "rule:default"
#"get_image": "rule:default"
#"get_images": "rule:default"
#"modify_image": "rule:default"
#"publicize_image": "role:admin"
#"communitize_image": "rule:default"
#"download_image": "rule:default"
#"upload_image": "rule:default"
#"delete_image_location": "rule:default"
#"get_image_location": "rule:default"
#"set_image_location": "rule:default"
#"add_member": "rule:default"
#"delete_member": "rule:default"
#"get_member": "rule:default"
#"get_members": "rule:default"
#"modify_member": "rule:default"
#"manage_image_cache": "role:admin"
#"deactivate": "rule:default"
#"reactivate": "rule:default"
#"copy_image": "role:admin"
#"get_task": "rule:default"
#"get_tasks": "rule:default"
#"add_task": "rule:default"
#"modify_task": "rule:default"
#"tasks_api_access": "role:admin"
#"get_metadef_namespace": "rule:default"
#"get_metadef_namespaces": "rule:default"
#"modify_metadef_namespace": "rule:default"
#"add_metadef_namespace": "rule:default"
#"delete_metadef_namespace": "rule:default"
#"get_metadef_object": "rule:default"
#"get_metadef_objects": "rule:default"
#"modify_metadef_object": "rule:default"
#"add_metadef_object": "rule:default"
#"delete_metadef_object": "rule:default"
#"list_metadef_resource_types": "rule:default"
#"get_metadef_resource_type": "rule:default"
#"add_metadef_resource_type_association": "rule:default"
#"remove_metadef_resource_type_association": "rule:default"
#"get_metadef_property": "rule:default"
#"get_metadef_properties": "rule:default"
#"modify_metadef_property": "rule:default"
#"add_metadef_property": "rule:default"
#"remove_metadef_property": "rule:default"
#"get_metadef_tag": "rule:default"
#"get_metadef_tags": "rule:default"
#"modify_metadef_tag": "rule:default"
#"add_metadef_tag": "rule:default"
#"add_metadef_tags": "rule:default"
#"delete_metadef_tag": "rule:default"
#"delete_metadef_tags": "rule:default"
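Review bot: The DEPRECATED block for `default` explains the Ussuri change, but the operator-facing consequence is left implicit: an old `policy.json` that carried `"default": "role:admin"` and relied on it for unlisted rules will not behave the same once these defaults are in play, since every glance rule is now listed and `rule:default` resolves to `""` unless the operator uncomments and sets `"default": "role:admin"` in this file. Suggest one sentence under the deprecation text saying exactly that, and that the override belongs in this file (or the configured policy file), not in the generated defaults.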

View File

@ -1,174 +0,0 @@
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner": "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"identity:authorize_request_token": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:create_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:get_security_compliance_domain_config": "",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required",
"identity:get_domain_config_default": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_provider": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:get_implied_role": "rule:admin_required",
"identity:list_implied_roles": "rule:admin_required",
"identity:create_implied_role": "rule:admin_required",
"identity:delete_implied_role": "rule:admin_required",
"identity:list_role_inference_rules": "rule:admin_required",
"identity:check_implied_role": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
"identity:create_policy_association_for_service": "rule:admin_required",
"identity:check_policy_association_for_service": "rule:admin_required",
"identity:delete_policy_association_for_service": "rule:admin_required",
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s",
"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s",
"identity:update_project_tags": "rule:admin_required",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tags": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:list_revoke_events": "rule:service_or_admin",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:get_domain_role": "rule:admin_required",
"identity:list_domain_roles": "rule:admin_required",
"identity:create_domain_role": "rule:admin_required",
"identity:update_domain_role": "rule:admin_required",
"identity:delete_domain_role": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:list_role_assignments_for_tree": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:revocation_list": "rule:service_or_admin",
"identity:check_token": "rule:admin_or_token_subject",
"identity:validate_token": "rule:service_admin_or_token_subject",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:get_trust": "",
"identity:get_user": "rule:admin_or_owner",
"identity:list_users": "rule:admin_required",
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required"
}
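Review bot: Several rules removed here were unrestricted (`identity:list_trusts`, `identity:get_trust`, `identity:delete_trust`, `identity:list_roles_for_trust`, `identity:get_role_for_trust`, `identity:list_projects_for_user` and `identity:list_domains_for_user` are all `""`), and others were owner-scoped via `rule:admin_or_owner` (`identity:get_user`, `identity:list_user_projects`, `identity:ec2_list_credentials`). The keystone defaults that replace them sit in a suppressed diff, so this review cannot confirm whether those actions keep the same outcome for a non-admin user; a short comparison in the commit message or a release note, listing the identity rules whose effective result changes for a plain project member, would let operators who depend on the trust and credential panels verify before upgrading.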

File diff suppressed because it is too large

View File

@ -1,220 +0,0 @@
{
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"shared": "field:networks:shared=True",
"default": "rule:admin_or_owner",
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
"shared_address_scopes": "field:address_scopes:shared=True",
"create_address_scope": "rule:regular_user",
"create_address_scope:shared": "rule:admin_only",
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
"update_address_scope": "rule:admin_or_owner",
"update_address_scope:shared": "rule:admin_only",
"delete_address_scope": "rule:admin_or_owner",
"get_agent": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_agent-loadbalancers": "rule:admin_only",
"get_loadbalancer-hosting-agent": "rule:admin_only",
"get_auto_allocated_topology": "rule:admin_or_owner",
"delete_auto_allocated_topology": "rule:admin_or_owner",
"get_availability_zone": "rule:regular_user",
"create_flavor": "rule:admin_only",
"get_flavor": "rule:regular_user",
"update_flavor": "rule:admin_only",
"delete_flavor": "rule:admin_only",
"create_service_profile": "rule:admin_only",
"get_service_profile": "rule:admin_only",
"update_service_profile": "rule:admin_only",
"delete_service_profile": "rule:admin_only",
"create_flavor_service_profile": "rule:admin_only",
"delete_flavor_service_profile": "rule:admin_only",
"create_floatingip": "rule:regular_user",
"create_floatingip:floating_ip_address": "rule:admin_only",
"get_floatingip": "rule:admin_or_owner",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"get_floatingip_pool": "rule:regular_user",
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_loggable_resource": "rule:admin_only",
"create_log": "rule:admin_only",
"get_log": "rule:admin_only",
"update_log": "rule:admin_only",
"delete_log": "rule:admin_only",
"create_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"external": "field:networks:router:external=True",
"create_network": "rule:regular_user",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:is_default": "rule:admin_only",
"create_network:port_security_enabled": "rule:regular_user",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"update_network:router:external": "rule:admin_only",
"update_network:is_default": "rule:admin_only",
"update_network:port_security_enabled": "rule:admin_or_owner",
"delete_network": "rule:admin_or_owner",
"get_network_ip_availability": "rule:admin_only",
"create_network_segment_range": "rule:admin_only",
"get_network_segment_range": "rule:admin_only",
"update_network_segment_range": "rule:admin_only",
"delete_network_segment_range": "rule:admin_only",
"network_device": "field:port:device_owner=~^network:",
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
"create_port": "rule:regular_user",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:binding:vnic_type": "rule:regular_user",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"get_port:resource_request": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_policy": "rule:regular_user",
"create_policy": "rule:admin_only",
"update_policy": "rule:admin_only",
"delete_policy": "rule:admin_only",
"get_rule_type": "rule:regular_user",
"get_policy_bandwidth_limit_rule": "rule:regular_user",
"create_policy_bandwidth_limit_rule": "rule:admin_only",
"update_policy_bandwidth_limit_rule": "rule:admin_only",
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
"get_policy_dscp_marking_rule": "rule:regular_user",
"create_policy_dscp_marking_rule": "rule:admin_only",
"update_policy_dscp_marking_rule": "rule:admin_only",
"delete_policy_dscp_marking_rule": "rule:admin_only",
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule",
"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule",
"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule",
"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule",
"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule",
"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule",
"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule",
"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule",
"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule",
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
"create_rbac_policy": "rule:regular_user",
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
"update_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
"get_rbac_policy": "rule:admin_or_owner",
"delete_rbac_policy": "rule:admin_or_owner",
"create_router": "rule:regular_user",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"create_router:external_gateway_info": "rule:admin_or_owner",
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_only",
"get_router:ha": "rule:admin_only",
"update_router": "rule:admin_or_owner",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"update_router:external_gateway_info": "rule:admin_or_owner",
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_security_group": "rule:admin_or_owner",
"get_security_group": "rule:regular_user",
"update_security_group": "rule:admin_or_owner",
"delete_security_group": "rule:admin_or_owner",
"create_security_group_rule": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"delete_security_group_rule": "rule:admin_or_owner",
"create_segment": "rule:admin_only",
"get_segment": "rule:admin_only",
"update_segment": "rule:admin_only",
"delete_segment": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
"create_subnet:service_types": "rule:admin_only",
"get_subnet": "rule:admin_or_owner or rule:shared",
"get_subnet:segment_id": "rule:admin_only",
"update_subnet": "rule:admin_or_network_owner",
"update_subnet:segment_id": "rule:admin_only",
"update_subnet:service_types": "rule:admin_only",
"delete_subnet": "rule:admin_or_network_owner",
"shared_subnetpools": "field:subnetpools:shared=True",
"create_subnetpool": "rule:regular_user",
"create_subnetpool:shared": "rule:admin_only",
"create_subnetpool:is_default": "rule:admin_only",
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
"update_subnetpool": "rule:admin_or_owner",
"update_subnetpool:is_default": "rule:admin_only",
"delete_subnetpool": "rule:admin_or_owner",
"onboard_network_subnets": "rule:admin_or_owner",
"create_trunk": "rule:regular_user",
"get_trunk": "rule:admin_or_owner",
"update_trunk": "rule:admin_or_owner",
"delete_trunk": "rule:admin_or_owner",
"get_subports": "rule:regular_user",
"add_subports": "rule:admin_or_owner",
"remove_subports": "rule:admin_or_owner"
}
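Review bot: the rules in this JSON file have drifted from the generated YAML defaults added elsewhere in this change, which matters because a deployment that still loads the JSON will make different access decisions in the dashboard than the back-end service does. Examples visible here: `create_port:fixed_ips` is `rule:context_is_advsvc or rule:admin_or_network_owner` in this file but the YAML default additionally allows `rule:shared`; `get_security_group_rule` is `rule:admin_or_owner` here but `rule:admin_owner_or_sg_owner` in the YAML; and the YAML defines rules this file does not have at all (`create_port:allowed_address_pairs:mac_address` and `:ip_address`, the `*_router_conntrack_helper` rules, `get_quota`/`update_quota`/`delete_quota`). If this JSON file is kept for operators who point `POLICY_FILES` at JSON, either regenerate it from the same source as the YAML or state in the settings documentation that the YAML defaults are authoritative and the JSON rules are a legacy snapshot.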


@ -0,0 +1,961 @@
# Rule for cloud admin access
#"context_is_admin": "role:admin"
# Rule for resource owner access
#"owner": "tenant_id:%(tenant_id)s"
# Rule for admin or owner access
#"admin_or_owner": "rule:context_is_admin or rule:owner"
# Rule for advsvc role access
#"context_is_advsvc": "role:advsvc"
# Rule for admin or network owner access
#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
# Rule for resource owner, admin or network owner access
#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
# Rule for admin-only access
#"admin_only": "rule:context_is_admin"
# Rule for regular user access
#"regular_user": ""
# Rule of shared network
#"shared": "field:networks:shared=True"
# Default access rule
#"default": "rule:admin_or_owner"
# Rule for common parent owner check
#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
# Definition of a shared address scope
#"shared_address_scopes": "field:address_scopes:shared=True"
# Create an address scope
# POST /address-scopes
#"create_address_scope": "rule:regular_user"
# Create a shared address scope
# POST /address-scopes
#"create_address_scope:shared": "rule:admin_only"
# Get an address scope
# GET /address-scopes
# GET /address-scopes/{id}
#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
# Update an address scope
# PUT /address-scopes/{id}
#"update_address_scope": "rule:admin_or_owner"
# Update ``shared`` attribute of an address scope
# PUT /address-scopes/{id}
#"update_address_scope:shared": "rule:admin_only"
# Delete an address scope
# DELETE /address-scopes/{id}
#"delete_address_scope": "rule:admin_or_owner"
# Get an agent
# GET /agents
# GET /agents/{id}
#"get_agent": "rule:admin_only"
# Update an agent
# PUT /agents/{id}
#"update_agent": "rule:admin_only"
# Delete an agent
# DELETE /agents/{id}
#"delete_agent": "rule:admin_only"
# Add a network to a DHCP agent
# POST /agents/{agent_id}/dhcp-networks
#"create_dhcp-network": "rule:admin_only"
# List networks on a DHCP agent
# GET /agents/{agent_id}/dhcp-networks
#"get_dhcp-networks": "rule:admin_only"
# Remove a network from a DHCP agent
# DELETE /agents/{agent_id}/dhcp-networks/{network_id}
#"delete_dhcp-network": "rule:admin_only"
# Add a router to an L3 agent
# POST /agents/{agent_id}/l3-routers
#"create_l3-router": "rule:admin_only"
# List routers on an L3 agent
# GET /agents/{agent_id}/l3-routers
#"get_l3-routers": "rule:admin_only"
# Remove a router from an L3 agent
# DELETE /agents/{agent_id}/l3-routers/{router_id}
#"delete_l3-router": "rule:admin_only"
# List DHCP agents hosting a network
# GET /networks/{network_id}/dhcp-agents
#"get_dhcp-agents": "rule:admin_only"
# List L3 agents hosting a router
# GET /routers/{router_id}/l3-agents
#"get_l3-agents": "rule:admin_only"
# Get a project's auto-allocated topology
# GET /auto-allocated-topology/{project_id}
#"get_auto_allocated_topology": "rule:admin_or_owner"
# Delete a project's auto-allocated topology
# DELETE /auto-allocated-topology/{project_id}
#"delete_auto_allocated_topology": "rule:admin_or_owner"
# List availability zones
# GET /availability_zones
#"get_availability_zone": "rule:regular_user"
# Create a flavor
# POST /flavors
#"create_flavor": "rule:admin_only"
# Get a flavor
# GET /flavors
# GET /flavors/{id}
#"get_flavor": "rule:regular_user"
# Update a flavor
# PUT /flavors/{id}
#"update_flavor": "rule:admin_only"
# Delete a flavor
# DELETE /flavors/{id}
#"delete_flavor": "rule:admin_only"
# Create a service profile
# POST /service_profiles
#"create_service_profile": "rule:admin_only"
# Get a service profile
# GET /service_profiles
# GET /service_profiles/{id}
#"get_service_profile": "rule:admin_only"
# Update a service profile
# PUT /service_profiles/{id}
#"update_service_profile": "rule:admin_only"
# Delete a service profile
# DELETE /service_profiles/{id}
#"delete_service_profile": "rule:admin_only"
# Get a flavor associated with a given service profiles. There is no
# corresponding GET operations in API currently. This rule is
# currently referred only in the DELETE of flavor_service_profile.
#"get_flavor_service_profile": "rule:regular_user"
# Associate a flavor with a service profile
# POST /flavors/{flavor_id}/service_profiles
#"create_flavor_service_profile": "rule:admin_only"
# Disassociate a flavor with a service profile
# DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
#"delete_flavor_service_profile": "rule:admin_only"
# Create a floating IP
# POST /floatingips
#"create_floatingip": "rule:regular_user"
# Create a floating IP with a specific IP address
# POST /floatingips
#"create_floatingip:floating_ip_address": "rule:admin_only"
# Get a floating IP
# GET /floatingips
# GET /floatingips/{id}
#"get_floatingip": "rule:admin_or_owner"
# Update a floating IP
# PUT /floatingips/{id}
#"update_floatingip": "rule:admin_or_owner"
# Delete a floating IP
# DELETE /floatingips/{id}
#"delete_floatingip": "rule:admin_or_owner"
# Get floating IP pools
# GET /floatingip_pools
#"get_floatingip_pool": "rule:regular_user"
# Create a floating IP port forwarding
# POST /floatingips/{floatingip_id}/port_forwardings
#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
# Get a floating IP port forwarding
# GET /floatingips/{floatingip_id}/port_forwardings
# GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
# Update a floating IP port forwarding
# PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
# Delete a floating IP port forwarding
# DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
# Create a router conntrack helper
# POST /routers/{router_id}/conntrack_helpers
#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
# Get a router conntrack helper
# GET /routers/{router_id}/conntrack_helpers
# GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
# Update a router conntrack helper
# PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
# Delete a router conntrack helper
# DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
# Get loggable resources
# GET /log/loggable-resources
#"get_loggable_resource": "rule:admin_only"
# Create a network log
# POST /log/logs
#"create_log": "rule:admin_only"
# Get a network log
# GET /log/logs
# GET /log/logs/{id}
#"get_log": "rule:admin_only"
# Update a network log
# PUT /log/logs/{id}
#"update_log": "rule:admin_only"
# Delete a network log
# DELETE /log/logs/{id}
#"delete_log": "rule:admin_only"
# Create a metering label
# POST /metering/metering-labels
#"create_metering_label": "rule:admin_only"
# Get a metering label
# GET /metering/metering-labels
# GET /metering/metering-labels/{id}
#"get_metering_label": "rule:admin_only"
# Delete a metering label
# DELETE /metering/metering-labels/{id}
#"delete_metering_label": "rule:admin_only"
# Create a metering label rule
# POST /metering/metering-label-rules
#"create_metering_label_rule": "rule:admin_only"
# Get a metering label rule
# GET /metering/metering-label-rules
# GET /metering/metering-label-rules/{id}
#"get_metering_label_rule": "rule:admin_only"
# Delete a metering label rule
# DELETE /metering/metering-label-rules/{id}
#"delete_metering_label_rule": "rule:admin_only"
# Definition of an external network
#"external": "field:networks:router:external=True"
# Create a network
# POST /networks
#"create_network": "rule:regular_user"
# Create a shared network
# POST /networks
#"create_network:shared": "rule:admin_only"
# Create an external network
# POST /networks
#"create_network:router:external": "rule:admin_only"
# Specify ``is_default`` attribute when creating a network
# POST /networks
#"create_network:is_default": "rule:admin_only"
# Specify ``port_security_enabled`` attribute when creating a network
# POST /networks
#"create_network:port_security_enabled": "rule:regular_user"
# Specify ``segments`` attribute when creating a network
# POST /networks
#"create_network:segments": "rule:admin_only"
# Specify ``provider:network_type`` when creating a network
# POST /networks
#"create_network:provider:network_type": "rule:admin_only"
# Specify ``provider:physical_network`` when creating a network
# POST /networks
#"create_network:provider:physical_network": "rule:admin_only"
# Specify ``provider:segmentation_id`` when creating a network
# POST /networks
#"create_network:provider:segmentation_id": "rule:admin_only"
# Get a network
# GET /networks
# GET /networks/{id}
#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
# Get ``router:external`` attribute of a network
# GET /networks
# GET /networks/{id}
#"get_network:router:external": "rule:regular_user"
# Get ``segments`` attribute of a network
# GET /networks
# GET /networks/{id}
#"get_network:segments": "rule:admin_only"
# Get ``provider:network_type`` attribute of a network
# GET /networks
# GET /networks/{id}
#"get_network:provider:network_type": "rule:admin_only"
# Get ``provider:physical_network`` attribute of a network
# GET /networks
# GET /networks/{id}
#"get_network:provider:physical_network": "rule:admin_only"
# Get ``provider:segmentation_id`` attribute of a network
# GET /networks
# GET /networks/{id}
#"get_network:provider:segmentation_id": "rule:admin_only"
# Update a network
# PUT /networks/{id}
#"update_network": "rule:admin_or_owner"
# Update ``segments`` attribute of a network
# PUT /networks/{id}
#"update_network:segments": "rule:admin_only"
# Update ``shared`` attribute of a network
# PUT /networks/{id}
#"update_network:shared": "rule:admin_only"
# Update ``provider:network_type`` attribute of a network
# PUT /networks/{id}
#"update_network:provider:network_type": "rule:admin_only"
# Update ``provider:physical_network`` attribute of a network
# PUT /networks/{id}
#"update_network:provider:physical_network": "rule:admin_only"
# Update ``provider:segmentation_id`` attribute of a network
# PUT /networks/{id}
#"update_network:provider:segmentation_id": "rule:admin_only"
# Update ``router:external`` attribute of a network
# PUT /networks/{id}
#"update_network:router:external": "rule:admin_only"
# Update ``is_default`` attribute of a network
# PUT /networks/{id}
#"update_network:is_default": "rule:admin_only"
# Update ``port_security_enabled`` attribute of a network
# PUT /networks/{id}
#"update_network:port_security_enabled": "rule:admin_or_owner"
# Delete a network
# DELETE /networks/{id}
#"delete_network": "rule:admin_or_owner"
# Get network IP availability
# GET /network-ip-availabilities
# GET /network-ip-availabilities/{network_id}
#"get_network_ip_availability": "rule:admin_only"
# Create a network segment range
# POST /network_segment_ranges
#"create_network_segment_range": "rule:admin_only"
# Get a network segment range
# GET /network_segment_ranges
# GET /network_segment_ranges/{id}
#"get_network_segment_range": "rule:admin_only"
# Update a network segment range
# PUT /network_segment_ranges/{id}
#"update_network_segment_range": "rule:admin_only"
# Delete a network segment range
# DELETE /network_segment_ranges/{id}
#"delete_network_segment_range": "rule:admin_only"
# Definition of port with network device_owner
#"network_device": "field:port:device_owner=~^network:"
# Rule for data plane integration
#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
# Create a port
# POST /ports
#"create_port": "rule:regular_user"
# Specify ``device_owner`` attribute when creting a port
# POST /ports
#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify ``mac_address`` attribute when creating a port
# POST /ports
#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify ``fixed_ips`` information when creating a port
# POST /ports
#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
# Specify IP address in ``fixed_ips`` when creating a port
# POST /ports
#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify subnet ID in ``fixed_ips`` when creating a port
# POST /ports
#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
# Specify ``port_security_enabled`` attribute when creating a port
# POST /ports
#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify ``binding:host_id`` attribute when creating a port
# POST /ports
#"create_port:binding:host_id": "rule:admin_only"
# Specify ``binding:profile`` attribute when creating a port
# POST /ports
#"create_port:binding:profile": "rule:admin_only"
# Specify ``binding:vnic_type`` attribute when creating a port
# POST /ports
#"create_port:binding:vnic_type": "rule:regular_user"
# Specify ``allowed_address_pairs`` attribute when creating a port
# POST /ports
#"create_port:allowed_address_pairs": "rule:admin_or_network_owner"
# Specify ``mac_address` of `allowed_address_pairs`` attribute when
# creating a port
# POST /ports
#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
# creating a port
# POST /ports
#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
# Get a port
# GET /ports
# GET /ports/{id}
#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
# Get ``binding:vif_type`` attribute of a port
# GET /ports
# GET /ports/{id}
#"get_port:binding:vif_type": "rule:admin_only"
# Get ``binding:vif_details`` attribute of a port
# GET /ports
# GET /ports/{id}
#"get_port:binding:vif_details": "rule:admin_only"
# Get ``binding:host_id`` attribute of a port
# GET /ports
# GET /ports/{id}
#"get_port:binding:host_id": "rule:admin_only"
# Get ``binding:profile`` attribute of a port
# GET /ports
# GET /ports/{id}
#"get_port:binding:profile": "rule:admin_only"
# Get ``resource_request`` attribute of a port
# GET /ports
# GET /ports/{id}
#"get_port:resource_request": "rule:admin_only"
# Update a port
# PUT /ports/{id}
#"update_port": "rule:admin_or_owner or rule:context_is_advsvc"
# Update ``device_owner`` attribute of a port
# PUT /ports/{id}
#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
# Update ``mac_address`` attribute of a port
# PUT /ports/{id}
#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
# Specify ``fixed_ips`` information when updating a port
# PUT /ports/{id}
#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify IP address in ``fixed_ips`` information when updating a port
# PUT /ports/{id}
#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Specify subnet ID in ``fixed_ips`` information when updating a port
# PUT /ports/{id}
#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
# Update ``port_security_enabled`` attribute of a port
# PUT /ports/{id}
#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Update ``binding:host_id`` attribute of a port
# PUT /ports/{id}
#"update_port:binding:host_id": "rule:admin_only"
# Update ``binding:profile`` attribute of a port
# PUT /ports/{id}
#"update_port:binding:profile": "rule:admin_only"
# Update ``binding:vnic_type`` attribute of a port
# PUT /ports/{id}
#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc"
# Update ``allowed_address_pairs`` attribute of a port
# PUT /ports/{id}
#"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT /ports/{id}
#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT /ports/{id}
#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
# Update ``data_plane_status`` attribute of a port
# PUT /ports/{id}
#"update_port:data_plane_status": "rule:admin_or_data_plane_int"
# Delete a port
# DELETE /ports/{id}
#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
# Get QoS policies
# GET /qos/policies
# GET /qos/policies/{id}
#"get_policy": "rule:regular_user"
# Create a QoS policy
# POST /qos/policies
#"create_policy": "rule:admin_only"
# Update a QoS policy
# PUT /qos/policies/{id}
#"update_policy": "rule:admin_only"
# Delete a QoS policy
# DELETE /qos/policies/{id}
#"delete_policy": "rule:admin_only"
# Get available QoS rule types
# GET /qos/rule-types
# GET /qos/rule-types/{rule_type}
#"get_rule_type": "rule:regular_user"
# Get a QoS bandwidth limit rule
# GET /qos/policies/{policy_id}/bandwidth_limit_rules
# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
#"get_policy_bandwidth_limit_rule": "rule:regular_user"
# Create a QoS bandwidth limit rule
# POST /qos/policies/{policy_id}/bandwidth_limit_rules
#"create_policy_bandwidth_limit_rule": "rule:admin_only"
# Update a QoS bandwidth limit rule
# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
#"update_policy_bandwidth_limit_rule": "rule:admin_only"
# Delete a QoS bandwidth limit rule
# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
# Get a QoS DSCP marking rule
# GET /qos/policies/{policy_id}/dscp_marking_rules
# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
#"get_policy_dscp_marking_rule": "rule:regular_user"
# Create a QoS DSCP marking rule
# POST /qos/policies/{policy_id}/dscp_marking_rules
#"create_policy_dscp_marking_rule": "rule:admin_only"
# Update a QoS DSCP marking rule
# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
#"update_policy_dscp_marking_rule": "rule:admin_only"
# Delete a QoS DSCP marking rule
# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
#"delete_policy_dscp_marking_rule": "rule:admin_only"
# Get a QoS minimum bandwidth rule
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
#"get_policy_minimum_bandwidth_rule": "rule:regular_user"
# Create a QoS minimum bandwidth rule
# POST /qos/policies/{policy_id}/minimum_bandwidth_rules
#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
# Update a QoS minimum bandwidth rule
# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
# Delete a QoS minimum bandwidth rule
# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
# Get a QoS bandwidth limit rule through alias
# GET /qos/alias_bandwidth_limit_rules/{rule_id}/
#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
# Update a QoS bandwidth limit rule through alias
# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
# Delete a QoS bandwidth limit rule through alias
# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
# Get a QoS DSCP marking rule through alias
# GET /qos/alias_dscp_marking_rules/{rule_id}/
#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
# Update a QoS DSCP marking rule through alias
# PUT /qos/alias_dscp_marking_rules/{rule_id}/
#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
# Delete a QoS DSCP marking rule through alias
# DELETE /qos/alias_dscp_marking_rules/{rule_id}/
#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
# Get a QoS minimum bandwidth rule through alias
# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
# Update a QoS minimum bandwidth rule through alias
# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
# Delete a QoS minimum bandwidth rule through alias
# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
# Get a resource quota
# GET /quota
# GET /quota/{id}
#"get_quota": "rule:admin_only"
# Update a resource quota
# PUT /quota/{id}
#"update_quota": "rule:admin_only"
# Delete a resource quota
# DELETE /quota/{id}
#"delete_quota": "rule:admin_only"
# Definition of a wildcard target_tenant
#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
# Create an RBAC policy
# POST /rbac-policies
#"create_rbac_policy": "rule:regular_user"
# Specify ``target_tenant`` when creating an RBAC policy
# POST /rbac-policies
#"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
# Update an RBAC policy
# PUT /rbac-policies/{id}
#"update_rbac_policy": "rule:admin_or_owner"
# Update ``target_tenant`` attribute of an RBAC policy
# PUT /rbac-policies/{id}
#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
# Get an RBAC policy
# GET /rbac-policies
# GET /rbac-policies/{id}
#"get_rbac_policy": "rule:admin_or_owner"
# Delete an RBAC policy
# DELETE /rbac-policies/{id}
#"delete_rbac_policy": "rule:admin_or_owner"
# Create a router
# POST /routers
#"create_router": "rule:regular_user"
# Specify ``distributed`` attribute when creating a router
# POST /routers
#"create_router:distributed": "rule:admin_only"
# Specify ``ha`` attribute when creating a router
# POST /routers
#"create_router:ha": "rule:admin_only"
# Specify ``external_gateway_info`` information when creating a router
# POST /routers
#"create_router:external_gateway_info": "rule:admin_or_owner"
# Specify ``network_id`` in ``external_gateway_info`` information when
# creating a router
# POST /routers
#"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
# Specify ``enable_snat`` in ``external_gateway_info`` information
# when creating a router
# POST /routers
#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
# Specify ``external_fixed_ips`` in ``external_gateway_info``
# information when creating a router
# POST /routers
#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
# Get a router
# GET /routers
# GET /routers/{id}
#"get_router": "rule:admin_or_owner"
# Get ``distributed`` attribute of a router
# GET /routers
# GET /routers/{id}
#"get_router:distributed": "rule:admin_only"
# Get ``ha`` attribute of a router
# GET /routers
# GET /routers/{id}
#"get_router:ha": "rule:admin_only"
# Update a router
# PUT /routers/{id}
#"update_router": "rule:admin_or_owner"
# Update ``distributed`` attribute of a router
# PUT /routers/{id}
#"update_router:distributed": "rule:admin_only"
# Update ``ha`` attribute of a router
# PUT /routers/{id}
#"update_router:ha": "rule:admin_only"
# Update ``external_gateway_info`` information of a router
# PUT /routers/{id}
#"update_router:external_gateway_info": "rule:admin_or_owner"
# Update ``network_id`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
#"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
# Update ``enable_snat`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
# Delete a router
# DELETE /routers/{id}
#"delete_router": "rule:admin_or_owner"
# Add an interface to a router
# PUT /routers/{id}/add_router_interface
#"add_router_interface": "rule:admin_or_owner"
# Remove an interface from a router
# PUT /routers/{id}/remove_router_interface
#"remove_router_interface": "rule:admin_or_owner"
# Rule for admin or security group owner access
#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
# Rule for resource owner, admin or security group owner access
#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
# Create a security group
# POST /security-groups
#"create_security_group": "rule:admin_or_owner"
# Get a security group
# GET /security-groups
# GET /security-groups/{id}
#"get_security_group": "rule:regular_user"
# Update a security group
# PUT /security-groups/{id}
#"update_security_group": "rule:admin_or_owner"
# Delete a security group
# DELETE /security-groups/{id}
#"delete_security_group": "rule:admin_or_owner"
# Create a security group rule
# POST /security-group-rules
#"create_security_group_rule": "rule:admin_or_owner"
# Get a security group rule
# GET /security-group-rules
# GET /security-group-rules/{id}
#"get_security_group_rule": "rule:admin_owner_or_sg_owner"
# Delete a security group rule
# DELETE /security-group-rules/{id}
#"delete_security_group_rule": "rule:admin_or_owner"
# Create a segment
# POST /segments
#"create_segment": "rule:admin_only"
# Get a segment
# GET /segments
# GET /segments/{id}
#"get_segment": "rule:admin_only"
# Update a segment
# PUT /segments/{id}
#"update_segment": "rule:admin_only"
# Delete a segment
# DELETE /segments/{id}
#"delete_segment": "rule:admin_only"
# Get service providers
# GET /service-providers
#"get_service_provider": "rule:regular_user"
# Create a subnet
# POST /subnets
#"create_subnet": "rule:admin_or_network_owner"
# Specify ``segment_id`` attribute when creating a subnet
# POST /subnets
#"create_subnet:segment_id": "rule:admin_only"
# Specify ``service_types`` attribute when creating a subnet
# POST /subnets
#"create_subnet:service_types": "rule:admin_only"
# Get a subnet
# GET /subnets
# GET /subnets/{id}
#"get_subnet": "rule:admin_or_owner or rule:shared"
# Get ``segment_id`` attribute of a subnet
# GET /subnets
# GET /subnets/{id}
#"get_subnet:segment_id": "rule:admin_only"
# Update a subnet
# PUT /subnets/{id}
#"update_subnet": "rule:admin_or_network_owner"
# Update ``segment_id`` attribute of a subnet
# PUT /subnets/{id}
#"update_subnet:segment_id": "rule:admin_only"
# Update ``service_types`` attribute of a subnet
# PUT /subnets/{id}
#"update_subnet:service_types": "rule:admin_only"
# Delete a subnet
# DELETE /subnets/{id}
#"delete_subnet": "rule:admin_or_network_owner"
# Definition of a shared subnetpool
#"shared_subnetpools": "field:subnetpools:shared=True"
# Create a subnetpool
# POST /subnetpools
#"create_subnetpool": "rule:regular_user"
# Create a shared subnetpool
# POST /subnetpools
#"create_subnetpool:shared": "rule:admin_only"
# Specify ``is_default`` attribute when creating a subnetpool
# POST /subnetpools
#"create_subnetpool:is_default": "rule:admin_only"
# Get a subnetpool
# GET /subnetpools
# GET /subnetpools/{id}
#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
# Update a subnetpool
# PUT /subnetpools/{id}
#"update_subnetpool": "rule:admin_or_owner"
# Update ``is_default`` attribute of a subnetpool
# PUT /subnetpools/{id}
#"update_subnetpool:is_default": "rule:admin_only"
# Delete a subnetpool
# DELETE /subnetpools/{id}
#"delete_subnetpool": "rule:admin_or_owner"
# Onboard existing subnet into a subnetpool
# Put /subnetpools/{id}/onboard_network_subnets
#"onboard_network_subnets": "rule:admin_or_owner"
# Add prefixes to a subnetpool
# Put /subnetpools/{id}/add_prefixes
#"add_prefixes": "rule:admin_or_owner"
# Remove unallocated prefixes from a subnetpool
# Put /subnetpools/{id}/remove_prefixes
#"remove_prefixes": "rule:admin_or_owner"
# Create a trunk
# POST /trunks
#"create_trunk": "rule:regular_user"
# Get a trunk
# GET /trunks
# GET /trunks/{id}
#"get_trunk": "rule:admin_or_owner"
# Update a trunk
# PUT /trunks/{id}
#"update_trunk": "rule:admin_or_owner"
# Delete a trunk
# DELETE /trunks/{id}
#"delete_trunk": "rule:admin_or_owner"
# List subports attached to a trunk
# GET /trunks/{id}/get_subports
#"get_subports": "rule:regular_user"
# Add subports to a trunk
# PUT /trunks/{id}/add_subports
#"add_subports": "rule:admin_or_owner"
# Delete subports from a trunk
# PUT /trunks/{id}/remove_subports
#"remove_subports": "rule:admin_or_owner"
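Review bot: the HTTP method casing is inconsistent in the three subnetpool action entries ("Put /subnetpools/{id}/onboard_network_subnets", "Put /subnetpools/{id}/add_prefixes", "Put /subnetpools/{id}/remove_prefixes") versus "PUT" everywhere else in this file; since the file is a rendering of neutron's registered defaults, the wording should be corrected in the generator or upstream rather than by hand here, otherwise the next regeneration reverts it. It is also worth confirming the file carries a header stating that every rule is commented out on purpose and that uncommenting one overrides the registered default, because an operator who previously kept a full copy of neutron_policy.json will look here for what is actually enforced.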

View File

@ -1,158 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"admin_api": "is_admin:True",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-password": "rule:admin_or_owner",
"os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner",
"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner",
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-console-output": "rule:admin_or_owner",
"os_compute_api:os-consoles:create": "rule:admin_or_owner",
"os_compute_api:os-consoles:show": "rule:admin_or_owner",
"os_compute_api:os-consoles:delete": "rule:admin_or_owner",
"os_compute_api:os-consoles:index": "rule:admin_or_owner",
"os_compute_api:os-create-backup": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete": "rule:admin_or_owner",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
"os_compute_api:extensions": "rule:admin_or_owner",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-access": "rule:admin_or_owner",
"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
"os_compute_api:os-flavor-manage:create": "rule:admin_api",
"os_compute_api:os-flavor-manage:update": "rule:admin_api",
"os_compute_api:os-flavor-manage:delete": "rule:admin_api",
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
"os_compute_api:os-floating-ips": "rule:admin_or_owner",
"os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-actions": "rule:admin_or_owner",
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:limits": "rule:admin_or_owner",
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
"os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-multinic": "rule:admin_or_owner",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-networks:view": "rule:admin_or_owner",
"os_compute_api:os-networks-associate": "rule:admin_api",
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:defaults": "@",
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:detail": "rule:admin_or_owner",
"os_compute_api:os-remote-consoles": "rule:admin_or_owner",
"os_compute_api:os-rescue": "rule:admin_or_owner",
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
"os_compute_api:os-security-groups": "rule:admin_or_owner",
"os_compute_api:os-server-diagnostics": "rule:admin_api",
"os_compute_api:os-server-external-events:create": "rule:admin_api",
"os_compute_api:os-server-groups:create": "rule:admin_or_owner",
"os_compute_api:os-server-groups:delete": "rule:admin_or_owner",
"os_compute_api:os-server-groups:index": "rule:admin_or_owner",
"os_compute_api:os-server-groups:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:os-server-password": "rule:admin_or_owner",
"os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner",
"os_compute_api:os-server-tags:index": "rule:admin_or_owner",
"os_compute_api:os-server-tags:update_all": "rule:admin_or_owner",
"os_compute_api:os-server-tags:delete": "rule:admin_or_owner",
"os_compute_api:os-server-tags:update": "rule:admin_or_owner",
"os_compute_api:os-server-tags:show": "rule:admin_or_owner",
"os_compute_api:servers:index": "rule:admin_or_owner",
"os_compute_api:servers:detail": "rule:admin_or_owner",
"os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
"os_compute_api:servers:allow_all_filters": "rule:admin_api",
"os_compute_api:servers:show": "rule:admin_or_owner",
"os_compute_api:servers:show:host_status": "rule:admin_api",
"os_compute_api:servers:create": "rule:admin_or_owner",
"os_compute_api:servers:create:forced_host": "rule:admin_api",
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
"os_compute_api:servers:create:trusted_certs": "rule:admin_or_owner",
"os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
"network:attach_external_network": "is_admin:True",
"os_compute_api:servers:delete": "rule:admin_or_owner",
"os_compute_api:servers:update": "rule:admin_or_owner",
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
"os_compute_api:servers:revert_resize": "rule:admin_or_owner",
"os_compute_api:servers:reboot": "rule:admin_or_owner",
"os_compute_api:servers:resize": "rule:admin_or_owner",
"os_compute_api:servers:rebuild": "rule:admin_or_owner",
"os_compute_api:servers:rebuild:trusted_certs": "rule:admin_or_owner",
"os_compute_api:servers:create_image": "rule:admin_or_owner",
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
"os_compute_api:servers:migrations:show": "rule:admin_api",
"os_compute_api:servers:migrations:force_complete": "rule:admin_api",
"os_compute_api:servers:migrations:delete": "rule:admin_api",
"os_compute_api:servers:migrations:index": "rule:admin_api",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
"os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-volumes": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
}
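Review bot: before this file is deleted, confirm rule by rule that everything it carried matches what the generated default_policies/nova.yaml now registers. Entries such as `"os_compute_api:os-quota-sets:defaults": "@"`, the `os-keypairs:*` rules using `user_id:%(user_id)s`, and the `cells_scheduler_filter:*` rules are the kind that drift from, or no longer exist in, the service's own defaults; with POLICY_FILES no longer holding a full copy, any rule that only lived in this file is silently dropped rather than failing loudly. Where a horizon-specific value is intended, it belongs in nova_policy.d (listed under POLICY_DIRS) instead.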

File diff suppressed because it is too large Load Diff

View File

@ -73,11 +73,11 @@ POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf")
# Having matching policy files on the Horizon and Keystone servers is essential
# for normal operation. This holds true for all services and their policy files.
POLICY_FILES = {
'identity': 'keystone_policy.json',
'compute': 'nova_policy.json',
'volume': 'cinder_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
'identity': 'keystone_policy.yaml',
'compute': 'nova_policy.yaml',
'volume': 'cinder_policy.yaml',
'image': 'glance_policy.yaml',
'network': 'neutron_policy.yaml',
}
# Services for which horizon has extra policies are defined
# in POLICY_DIRS by default.
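Review bot: the comment above POLICY_FILES ("Having matching policy files on the Horizon and Keystone servers is essential for normal operation") is now misleading: with registered defaults loaded separately, these files only need to contain the operator's overrides, and what must match is the set of overrides applied on the service side, not a full copy of every rule. Update the comment to say so, and mention that a JSON file name can still be configured here for operators who have not migrated yet.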
@ -85,6 +85,13 @@ POLICY_DIRS = {
'compute': ['nova_policy.d'],
'volume': ['cinder_policy.d'],
}
DEFAULT_POLICY_FILES = {
'identity': 'default_policies/keystone.yaml',
'compute': 'default_policies/nova.yaml',
'volume': 'default_policies/cinder.yaml',
'image': 'default_policies/glance.yaml',
'network': 'default_policies/neutron.yaml',
}
POLICY_CHECK_FUNCTION = 'openstack_auth.policy.check'
SITE_BRANDING = 'OpenStack Dashboard'
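Review bot: DEFAULT_POLICY_FILES is added without a comment, unlike POLICY_FILES and POLICY_DIRS just above it. Document that these files are generated from the back-end services' registered defaults by the new management command that dumps default policies, that they are not meant to be edited by operators (overrides go into POLICY_FILES or POLICY_DIRS), and how relative paths such as 'default_policies/nova.yaml' are resolved, since the lookup root is otherwise ambiguous.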

View File

@ -0,0 +1,82 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import sys
from django.core.management.base import BaseCommand
from oslo_policy import generator
import yaml
LOG = logging.getLogger(__name__)
def _load_default_policies(namespace):
defaults = generator.get_policies_dict([namespace])
return defaults.get(namespace)
def _format_default_policy(default):
data = {
'name': default.name,
'check_str': default.check_str,
'description': default.description,
}
data['operations'] = getattr(default, 'operations', [])
data['scope_types'] = getattr(default, 'scope_types', None)
if default.deprecated_for_removal:
data['deprecated_for_removal'] = True
data['deprecated_since'] = default.deprecated_since
data['deprecated_reason'] = default.deprecated_reason
if default.deprecated_rule:
data['deprecated_rule'] = {
'name': default.deprecated_rule.name,
'check_str': default.deprecated_rule.check_str,
}
data['deprecated_since'] = default.deprecated_since
data['deprecated_reason'] = default.deprecated_reason
return data
def _write_yaml_file(policies, output_file):
stream = open(output_file, 'w') if output_file else sys.stdout
yaml.dump(policies, stream=stream)
if output_file:
stream.close()
class Command(BaseCommand):
help = ("Dump default policies of back-end services defined in codes "
"as YAML file so that horizon can load default policies.")
def add_arguments(self, parser):
parser.add_argument(
'--namespace',
required=True,
help='Namespace under "oslo.policy.policies" to query.')
parser.add_argument(
'--output-file',
help='Path of the file to write to. Defaults to stdout.')
def handle(self, *args, **options):
namespace = options['namespace']
defaults = _load_default_policies(namespace)
if defaults is None:
LOG.error('The requested namespace "%s" is not found.', namespace)
sys.exit(1)
policies = [_format_default_policy(default) for default in defaults]
_write_yaml_file(policies, options['output_file'])
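Review bot: in handle(), the missing-namespace case calls sys.exit(1) after LOG.error; a Django management command should instead raise CommandError (exported by django.core.management.base, already imported for BaseCommand) so the failure is reported through the command framework and the command remains usable from tests and scripts. Two smaller points in the same file: _write_yaml_file opens the output file without a context manager, so an exception inside yaml.dump leaks the handle, and yaml.dump should be yaml.safe_dump so that nothing but plain YAML (no Python-specific tags) can end up in a file horizon later loads; in _format_default_policy the deprecated_since and deprecated_reason assignments are duplicated in both branches and can be hoisted under a single `if default.deprecated_for_removal or default.deprecated_rule:`.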

View File

@ -0,0 +1,22 @@
---
features:
- |
Horizon supports the registered default policies and operators now
only need to define policies which they would like to override in policy
files in ``POLICY_FILES`` setting. (Previously the policy files need to
contain all defined policies including default policies.)
The registered default policies are defined in files under
``DEFAULT_POLICY_FILES`` and they are synced with registered defaults
of back-end services before the horizon release.
issues:
- |
Policies with the system scoped token (``system_scope:all``) are not
supported in horizon yet. The horizon team recognizes it as an important
feature gap and would like to support it in near future.
upgrade:
- |
The format of the policy files under ``POLICY_FILES`` is changed to YAML
and all contents of these files are commented out now. You only need to
define policies which you would like to modify from the default.
You can still use policy files with JSON format. If you continue to use
JSON format, configure ``POLICY_FILES`` setting to point JSON files.
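Review bot: the upgrade note should warn that an existing full-copy JSON policy file keeps working only in the sense that it overrides every registered default it lists, so operators who point ``POLICY_FILES`` at their old nova_policy.json or neutron_policy.json unchanged will not pick up the services' current defaults; recommend trimming such a file to intentional overrides first. Also, "in near future" in the issues entry reads better as "in the near future".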

View File

@ -23,10 +23,10 @@ netaddr>=0.7.18 # BSD
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.policy>=3.2.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.upgradecheck>=0.1.1 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
oslo.utils>=3.40.0 # Apache-2.0
osprofiler>=2.3.0 # Apache-2.0
pymongo!=3.1,>=3.0.2 # Apache-2.0
pyScss>=1.3.7 # MIT License