755a150318
The cross-project effort around establishing secure default RBAC policies has transformed over the last release in reaction to operator feedback. The intended change to use system scope breaks established workflows and requires a large effort to transition deployments: - https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC - https://etherpad.opendev.org/p/rbac-operator-feedback So for now, all services are going to revert to only supporting project-scoped users by default. This allows legacy admin behavior to continue working as intended, and does not prevent operators from overriding these defaults and using system-scoped personas. https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com> Change-Id: I5d3c1041738214ec8382edfd5494c10ff0be351a Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
# Copyright 2018 Huawei Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from manila.policies import base
# Format for every policy name in this module: 'share_access_rule:<action>'.
BASE_POLICY_NAME = 'share_access_rule:%s'

# Reason attached to the legacy (pre-Wallaby) rules below; oslo.policy
# surfaces it when a deployment still relies on the old defaults.
DEPRECATED_REASON = """
The share access rule API now supports scope and default roles.
"""
def _deprecated_access_rule(action):
    """Build the legacy rule for *action*, kept only for the deprecation window.

    The pre-Wallaby default for both actions was ``base.RULE_DEFAULT``.
    NOTE(review): oslo.policy keeps honoring a deprecated rule's check_str
    alongside the new default until ``[oslo_policy] enforce_new_defaults`` is
    enabled, so the effective permission during the transition is the union of
    old and new — confirm against the oslo.policy version in use.
    """
    return policy.DeprecatedRule(
        name=BASE_POLICY_NAME % action,
        check_str=base.RULE_DEFAULT,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY,
    )


deprecated_access_rule_get = _deprecated_access_rule('get')
deprecated_access_rule_index = _deprecated_access_rule('index')
def _documented_access_rule(action, description, path, deprecated_rule):
    """Assemble one project-scoped ``GET`` rule for the share access rule API.

    Every rule in this module shares the same default check
    (``base.ADMIN_OR_PROJECT_READER``), scope (``project``) and HTTP method;
    only the action name, its description, the documented path and the legacy
    rule it supersedes differ.
    """
    return policy.DocumentedRuleDefault(
        name=BASE_POLICY_NAME % action,
        check_str=base.ADMIN_OR_PROJECT_READER,
        # Project scope only by default: system-scoped personas are an
        # operator opt-in via policy overrides, not a default persona.
        scope_types=['project'],
        description=description,
        operations=[{'method': 'GET', 'path': path}],
        deprecated_rule=deprecated_rule,
    )


# Both read-only actions on share access rules; readers of the owning project
# (or an admin) may call them.
share_access_rule_policies = [
    _documented_access_rule(
        'get',
        "Get details of a share access rule.",
        '/share-access-rules/{share_access_id}',
        deprecated_access_rule_get,
    ),
    _documented_access_rule(
        'index',
        "List access rules of a given share.",
        '/share-access-rules?share_id={share_id}&key1=value1&key2=value2',
        deprecated_access_rule_index,
    ),
]
def list_rules():
    """Return this module's policy defaults for the share access rule API.

    Returns the module-level ``share_access_rule_policies`` list itself (not
    a copy), so callers must not mutate it.
    """
    return share_access_rule_policies