Switch to new style policy language
The new-style policy language is much more human-readable and is the preferred way to describe policies. Change-Id: Ib741e2222ad36fa481ca8003387ecc1d9e8231e6 Implements: blueprint switch-to-new-style-policy-lang
parent
5208abfddb
commit
f4efdb7721
@ -1,74 +1,74 @@
|
|||||||
{
|
{
|
||||||
"context_is_admin": [["role:admin"]],
|
"context_is_admin": "role:admin",
|
||||||
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
"default": [["rule:admin_or_owner"]],
|
"default": "rule:admin_or_owner",
|
||||||
|
|
||||||
"admin_api": [["is_admin:True"]],
|
"admin_api": "is_admin:True",
|
||||||
|
|
||||||
"share:create": [],
|
"share:create": "",
|
||||||
"share:delete": [["rule:default"]],
|
"share:delete": "rule:default",
|
||||||
"share:get": [["rule:default"]],
|
"share:get": "rule:default",
|
||||||
"share:get_all": [["rule:default"]],
|
"share:get_all": "rule:default",
|
||||||
"share:list_by_share_server_id": [["rule:admin_api"]],
|
"share:list_by_share_server_id": "rule:admin_api",
|
||||||
"share:update": [["rule:default"]],
|
"share:update": "rule:default",
|
||||||
"share:snapshot_update": [["rule:default"]],
|
"share:snapshot_update": "rule:default",
|
||||||
"share:create_snapshot": [["rule:default"]],
|
"share:create_snapshot": "rule:default",
|
||||||
"share:delete_snapshot": [["rule:default"]],
|
"share:delete_snapshot": "rule:default",
|
||||||
"share:get_snapshot": [["rule:default"]],
|
"share:get_snapshot": "rule:default",
|
||||||
"share:get_all_snapshots": [["rule:default"]],
|
"share:get_all_snapshots": "rule:default",
|
||||||
"share:access_get": [["rule:default"]],
|
"share:access_get": "rule:default",
|
||||||
"share:access_get_all": [["rule:default"]],
|
"share:access_get_all": "rule:default",
|
||||||
"share:allow_access": [["rule:default"]],
|
"share:allow_access": "rule:default",
|
||||||
"share:deny_access": [["rule:default"]],
|
"share:deny_access": "rule:default",
|
||||||
"share:get_share_metadata": [["rule:default"]],
|
"share:get_share_metadata": "rule:default",
|
||||||
"share:delete_share_metadata": [["rule:default"]],
|
"share:delete_share_metadata": "rule:default",
|
||||||
"share:update_share_metadata": [["rule:default"]],
|
"share:update_share_metadata": "rule:default",
|
||||||
|
|
||||||
"share_extension:quotas:show": [],
|
"share_extension:quotas:show": "",
|
||||||
"share_extension:quotas:update": [["rule:admin_api"]],
|
"share_extension:quotas:update": "rule:admin_api",
|
||||||
"share_extension:quotas:delete": [["rule:admin_api"]],
|
"share_extension:quotas:delete": "rule:admin_api",
|
||||||
"share_extension:quota_classes": [],
|
"share_extension:quota_classes": "",
|
||||||
|
|
||||||
"share_extension:share_admin_actions:force_delete": [["rule:admin_api"]],
|
"share_extension:share_admin_actions:force_delete": "rule:admin_api",
|
||||||
"share_extension:share_admin_actions:reset_status": [["rule:admin_api"]],
|
"share_extension:share_admin_actions:reset_status": "rule:admin_api",
|
||||||
"share_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
|
"share_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
|
||||||
"share_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
|
"share_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
|
||||||
|
|
||||||
"share_extension:services": [["rule:admin_api"]],
|
"share_extension:services": "rule:admin_api",
|
||||||
|
|
||||||
"share_extension:types_manage": [["rule:admin_api"]],
|
"share_extension:types_manage": "rule:admin_api",
|
||||||
"share_extension:types_extra_specs": [["rule:admin_api"]],
|
"share_extension:types_extra_specs": "rule:admin_api",
|
||||||
|
|
||||||
"share_extension:share_type_access": [],
|
"share_extension:share_type_access": "",
|
||||||
"share_extension:share_type_access:addProjectAccess": [["rule:admin_api"]],
|
"share_extension:share_type_access:addProjectAccess": "rule:admin_api",
|
||||||
"share_extension:share_type_access:removeProjectAccess": [["rule:admin_api"]],
|
"share_extension:share_type_access:removeProjectAccess": "rule:admin_api",
|
||||||
|
|
||||||
"share_extension:manage": [["rule:admin_api"]],
|
"share_extension:manage": "rule:admin_api",
|
||||||
"share_extension:unmanage": [["rule:admin_api"]],
|
"share_extension:unmanage": "rule:admin_api",
|
||||||
|
|
||||||
"security_service:create": [["rule:default"]],
|
"security_service:create": "rule:default",
|
||||||
"security_service:delete": [["rule:default"]],
|
"security_service:delete": "rule:default",
|
||||||
"security_service:update": [["rule:default"]],
|
"security_service:update": "rule:default",
|
||||||
"security_service:show": [["rule:default"]],
|
"security_service:show": "rule:default",
|
||||||
"security_service:index": [["rule:default"]],
|
"security_service:index": "rule:default",
|
||||||
"security_service:detail": [["rule:default"]],
|
"security_service:detail": "rule:default",
|
||||||
"security_service:get_all_security_services": [["rule:admin_api"]],
|
"security_service:get_all_security_services": "rule:admin_api",
|
||||||
|
|
||||||
"share_server:index": [["rule:admin_api"]],
|
"share_server:index": "rule:admin_api",
|
||||||
"share_server:show": [["rule:admin_api"]],
|
"share_server:show": "rule:admin_api",
|
||||||
"share_server:details": [["rule:admin_api"]],
|
"share_server:details": "rule:admin_api",
|
||||||
"share_server:delete": [["rule:admin_api"]],
|
"share_server:delete": "rule:admin_api",
|
||||||
|
|
||||||
"share_network:create": [["rule:default"]],
|
"share_network:create": "rule:default",
|
||||||
"share_network:delete": [["rule:default"]],
|
"share_network:delete": "rule:default",
|
||||||
"share_network:update": [["rule:default"]],
|
"share_network:update": "rule:default",
|
||||||
"share_network:index": [["rule:default"]],
|
"share_network:index": "rule:default",
|
||||||
"share_network:detail": [["rule:default"]],
|
"share_network:detail": "rule:default",
|
||||||
"share_network:show": [["rule:default"]],
|
"share_network:show": "rule:default",
|
||||||
"share_network:add_security_service": [["rule:default"]],
|
"share_network:add_security_service": "rule:default",
|
||||||
"share_network:remove_security_service": [["rule:default"]],
|
"share_network:remove_security_service": "rule:default",
|
||||||
"share_network:get_all_share_networks": [["rule:admin_api"]],
|
"share_network:get_all_share_networks": "rule:admin_api",
|
||||||
|
|
||||||
"scheduler_stats:pools:index": [["rule:admin_api"]],
|
"scheduler_stats:pools:index": "rule:admin_api",
|
||||||
"scheduler_stats:pools:detail": [["rule:admin_api"]]
|
"scheduler_stats:pools:detail": "rule:admin_api"
|
||||||
}
|
}
|
||||||
|
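Review bot: The four rules that become `""` (`share:create`, `share_extension:quotas:show`, `share_extension:quota_classes`, `share_extension:share_type_access`) read as "unset", but assuming the usual semantics of this policy language an empty check always passes, as the old `[]` did, so any authenticated caller is authorized with no owner or admin test. JSON cannot carry a comment explaining that, so the intent is better spelled out in the value: `"share:create": "@"` where unrestricted access is intended and the parser in use supports the always-true check, or `"rule:default"` where project scoping is wanted. `share_extension:quota_classes` is worth confirming against the extension code, which is not visible here; if it guards writes as well as reads, `"rule:admin_api"` would match `share_extension:quotas:update`.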
@ -169,7 +169,7 @@ class DefaultPolicyTestCase(test.TestCase):
|
|||||||
|
|
||||||
self.rules = {
|
self.rules = {
|
||||||
"default": [],
|
"default": [],
|
||||||
"example:exist": [["false:false"]]
|
"example:exist": "false:false"
|
||||||
}
|
}
|
||||||
self._set_rules('default')
|
self._set_rules('default')
|
||||||
self.context = context.RequestContext('fake', 'fake')
|
self.context = context.RequestContext('fake', 'fake')
|
||||||
@ -238,8 +238,8 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
|
|||||||
|
|
||||||
def test_context_is_admin_undefined(self):
|
def test_context_is_admin_undefined(self):
|
||||||
rules = {
|
rules = {
|
||||||
"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
|
"admin_or_owner": "role:admin or project_id:%(project_id)s",
|
||||||
"default": [["rule:admin_or_owner"]],
|
"default": "rule:admin_or_owner",
|
||||||
}
|
}
|
||||||
self._set_rules(rules, CONF.policy_default_rule)
|
self._set_rules(rules, CONF.policy_default_rule)
|
||||||
ctx = context.RequestContext('fake', 'fake')
|
ctx = context.RequestContext('fake', 'fake')
|
||||||
|
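Review bot: In the `DefaultPolicyTestCase` hunk, `"default": []` keeps the old list syntax while `"example:exist"` on the next line is converted to a string, so the fixture now mixes both styles in one dict. Converting it as well, `"default": "",`, would make the test exercise the new-style form for the default rule too; whether `_set_rules` parses both forms is not visible here. The enclosing method begins above the hunk, so the rest of the fixture setup could not be checked. The `ContextIsAdminPolicyTestCase` hunk converts both of its rules consistently.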