Merge "[S-RBAC] Allow admin user to do all API requests by default"
This commit is contained in:
commit
22bd1b04a0
@ -32,7 +32,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_address_group',
|
name='get_address_group',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_READER,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
'rule:shared_address_groups'),
|
'rule:shared_address_groups'),
|
||||||
description='Get an address group',
|
description='Get an address group',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -31,9 +31,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_address_scope',
|
name='create_address_scope',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Create an address scope',
|
description='Create an address scope',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -92,9 +90,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_address_scope',
|
name='update_address_scope',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Update an address scope',
|
description='Update an address scope',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -128,9 +124,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_address_scope',
|
name='delete_address_scope',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Delete an address scope',
|
description='Delete an address scope',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -25,7 +25,7 @@ DEPRECATION_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_auto_allocated_topology',
|
name='get_auto_allocated_topology',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
description="Get a project's auto-allocated topology",
|
description="Get a project's auto-allocated topology",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -42,7 +42,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_auto_allocated_topology',
|
name='delete_auto_allocated_topology',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description="Delete a project's auto-allocated topology",
|
description="Delete a project's auto-allocated topology",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -49,9 +49,11 @@ PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
|
|||||||
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
|
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
|
||||||
|
|
||||||
# The following are common composite check strings that are useful for
|
# The following are common composite check strings that are useful for
|
||||||
# protecting APIs designed to operate with multiple scopes (e.g., a system
|
# protecting APIs designed to operate with multiple scopes (e.g.,
|
||||||
# administrator should be able to delete any router in the deployment, a
|
# an administrator should be able to delete any router in the deployment, a
|
||||||
# project member should only be able to delete routers in their project).
|
# project member should only be able to delete routers in their project).
|
||||||
|
ADMIN_OR_PROJECT_MEMBER = (
|
||||||
|
'(' + ADMIN + ') or (' + PROJECT_MEMBER + ')')
|
||||||
ADMIN_OR_PROJECT_READER = (
|
ADMIN_OR_PROJECT_READER = (
|
||||||
'(' + ADMIN + ') or (' + PROJECT_READER + ')')
|
'(' + ADMIN + ') or (' + PROJECT_READER + ')')
|
||||||
|
|
||||||
|
@ -25,9 +25,7 @@ DEPRECATION_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_floatingip',
|
name='create_floatingip',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Create a floating IP',
|
description='Create a floating IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -61,9 +59,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_floatingip',
|
name='get_floatingip',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
description='Get a floating IP',
|
description='Get a floating IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -84,9 +80,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_floatingip',
|
name='update_floatingip',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Update a floating IP',
|
description='Update a floating IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -103,9 +97,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_floatingip',
|
name='delete_floatingip',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
description='Delete a floating IP',
|
description='Delete a floating IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -21,7 +21,7 @@ DEPRECATED_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_floatingip_pool',
|
name='get_floatingip_pool',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
description='Get floating IP pools',
|
description='Get floating IP pools',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -30,7 +30,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_floatingip_port_forwarding',
|
name='create_floatingip_port_forwarding',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a floating IP port forwarding',
|
description='Create a floating IP port forwarding',
|
||||||
@ -49,7 +49,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_floatingip_port_forwarding',
|
name='get_floatingip_port_forwarding',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_READER,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a floating IP port forwarding',
|
description='Get a floating IP port forwarding',
|
||||||
@ -72,7 +72,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_floatingip_port_forwarding',
|
name='update_floatingip_port_forwarding',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a floating IP port forwarding',
|
description='Update a floating IP port forwarding',
|
||||||
@ -91,7 +91,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_floatingip_port_forwarding',
|
name='delete_floatingip_port_forwarding',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a floating IP port forwarding',
|
description='Delete a floating IP port forwarding',
|
||||||
|
@ -30,7 +30,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_router_conntrack_helper',
|
name='create_router_conntrack_helper',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a router conntrack helper',
|
description='Create a router conntrack helper',
|
||||||
@ -49,7 +49,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_router_conntrack_helper',
|
name='get_router_conntrack_helper',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_READER,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a router conntrack helper',
|
description='Get a router conntrack helper',
|
||||||
@ -72,7 +72,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_router_conntrack_helper',
|
name='update_router_conntrack_helper',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a router conntrack helper',
|
description='Update a router conntrack helper',
|
||||||
@ -91,7 +91,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_router_conntrack_helper',
|
name='delete_router_conntrack_helper',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a router conntrack helper',
|
description='Delete a router conntrack helper',
|
||||||
|
@ -25,7 +25,7 @@ DEPRECATION_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_local_ip',
|
name='create_local_ip',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Create a Local IP',
|
description='Create a Local IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -42,7 +42,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_local_ip',
|
name='get_local_ip',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
description='Get a Local IP',
|
description='Get a Local IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -63,7 +63,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_local_ip',
|
name='update_local_ip',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Update a Local IP',
|
description='Update a Local IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -80,7 +80,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_local_ip',
|
name='delete_local_ip',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Delete a Local IP',
|
description='Delete a Local IP',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -27,7 +27,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_local_ip_port_association',
|
name='create_local_ip_port_association',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a Local IP port association',
|
description='Create a Local IP port association',
|
||||||
@ -46,7 +46,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_local_ip_port_association',
|
name='get_local_ip_port_association',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_READER,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a Local IP port association',
|
description='Get a Local IP port association',
|
||||||
@ -69,7 +69,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_local_ip_port_association',
|
name='delete_local_ip_port_association',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_MEMBER,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.RULE_PARENT_OWNER),
|
base.RULE_PARENT_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a Local IP port association',
|
description='Delete a Local IP port association',
|
||||||
|
@ -46,9 +46,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_metering_label',
|
name='get_metering_label',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a metering label',
|
description='Get a metering label',
|
||||||
operations=[
|
operations=[
|
||||||
@ -103,9 +101,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_metering_label_rule',
|
name='get_metering_label_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a metering label rule',
|
description='Get a metering label rule',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -25,7 +25,7 @@ DEPRECATION_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_ndp_proxy',
|
name='create_ndp_proxy',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Create a ndp proxy',
|
description='Create a ndp proxy',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -42,7 +42,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_ndp_proxy',
|
name='get_ndp_proxy',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
description='Get a ndp proxy',
|
description='Get a ndp proxy',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -63,7 +63,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_ndp_proxy',
|
name='update_ndp_proxy',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Update a ndp proxy',
|
description='Update a ndp proxy',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -80,7 +80,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_ndp_proxy',
|
name='delete_ndp_proxy',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
description='Delete a ndp proxy',
|
description='Delete a ndp proxy',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
|
@ -45,9 +45,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_network',
|
name='create_network',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a network',
|
description='Create a network',
|
||||||
operations=ACTION_POST,
|
operations=ACTION_POST,
|
||||||
@ -95,9 +93,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_network:port_security_enabled',
|
name='create_network:port_security_enabled',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=(
|
description=(
|
||||||
'Specify ``port_security_enabled`` '
|
'Specify ``port_security_enabled`` '
|
||||||
@ -170,8 +166,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_network',
|
name='get_network',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.PROJECT_READER,
|
|
||||||
'rule:shared',
|
'rule:shared',
|
||||||
'rule:external',
|
'rule:external',
|
||||||
base.RULE_ADVSVC
|
base.RULE_ADVSVC
|
||||||
@ -240,9 +235,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_network',
|
name='update_network',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a network',
|
description='Update a network',
|
||||||
operations=ACTION_PUT,
|
operations=ACTION_PUT,
|
||||||
@ -344,9 +337,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_network:port_security_enabled',
|
name='update_network:port_security_enabled',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update ``port_security_enabled`` attribute of a network',
|
description='Update ``port_security_enabled`` attribute of a network',
|
||||||
operations=ACTION_PUT,
|
operations=ACTION_PUT,
|
||||||
@ -359,9 +350,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_network',
|
name='delete_network',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a network',
|
description='Delete a network',
|
||||||
operations=ACTION_DELETE,
|
operations=ACTION_DELETE,
|
||||||
|
@ -51,9 +51,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_port',
|
name='create_port',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a port',
|
description='Create a port',
|
||||||
operations=ACTION_POST,
|
operations=ACTION_POST,
|
||||||
@ -207,9 +205,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_port:binding:vnic_type',
|
name='create_port:binding:vnic_type',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=(
|
description=(
|
||||||
'Specify ``binding:vnic_type`` '
|
'Specify ``binding:vnic_type`` '
|
||||||
|
@ -23,9 +23,7 @@ The QoS API now supports project scope and default roles.
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy',
|
name='get_policy',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get QoS policies',
|
description='Get QoS policies',
|
||||||
operations=[
|
operations=[
|
||||||
@ -120,9 +118,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy_bandwidth_limit_rule',
|
name='get_policy_bandwidth_limit_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS bandwidth limit rule',
|
description='Get a QoS bandwidth limit rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -198,9 +194,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy_packet_rate_limit_rule',
|
name='get_policy_packet_rate_limit_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS packet rate limit rule',
|
description='Get a QoS packet rate limit rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -256,9 +250,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy_dscp_marking_rule',
|
name='get_policy_dscp_marking_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS DSCP marking rule',
|
description='Get a QoS DSCP marking rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -334,9 +326,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy_minimum_bandwidth_rule',
|
name='get_policy_minimum_bandwidth_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS minimum bandwidth rule',
|
description='Get a QoS minimum bandwidth rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -411,9 +401,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_policy_minimum_packet_rate_rule',
|
name='get_policy_minimum_packet_rate_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS minimum packet rate rule',
|
description='Get a QoS minimum packet rate rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -468,9 +456,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_alias_bandwidth_limit_rule',
|
name='get_alias_bandwidth_limit_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS bandwidth limit rule through alias',
|
description='Get a QoS bandwidth limit rule through alias',
|
||||||
operations=[
|
operations=[
|
||||||
@ -521,9 +507,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_alias_dscp_marking_rule',
|
name='get_alias_dscp_marking_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS DSCP marking rule through alias',
|
description='Get a QoS DSCP marking rule through alias',
|
||||||
operations=[
|
operations=[
|
||||||
@ -574,9 +558,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_alias_minimum_bandwidth_rule',
|
name='get_alias_minimum_bandwidth_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a QoS minimum bandwidth rule through alias',
|
description='Get a QoS minimum bandwidth rule through alias',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -36,9 +36,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_rbac_policy',
|
name='create_rbac_policy',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create an RBAC policy',
|
description='Create an RBAC policy',
|
||||||
operations=[
|
operations=[
|
||||||
@ -77,9 +75,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_rbac_policy',
|
name='update_rbac_policy',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update an RBAC policy',
|
description='Update an RBAC policy',
|
||||||
operations=[
|
operations=[
|
||||||
@ -120,9 +116,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_rbac_policy',
|
name='get_rbac_policy',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get an RBAC policy',
|
description='Get an RBAC policy',
|
||||||
operations=[
|
operations=[
|
||||||
@ -143,9 +137,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_rbac_policy',
|
name='delete_rbac_policy',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete an RBAC policy',
|
description='Delete an RBAC policy',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -39,9 +39,7 @@ ACTION_GET = [
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_router',
|
name='create_router',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a router',
|
description='Create a router',
|
||||||
operations=ACTION_POST,
|
operations=ACTION_POST,
|
||||||
@ -77,9 +75,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_router:external_gateway_info',
|
name='create_router:external_gateway_info',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=('Specify ``external_gateway_info`` '
|
description=('Specify ``external_gateway_info`` '
|
||||||
'information when creating a router'),
|
'information when creating a router'),
|
||||||
@ -92,9 +88,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_router:external_gateway_info:network_id',
|
name='create_router:external_gateway_info:network_id',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=('Specify ``network_id`` in ``external_gateway_info`` '
|
description=('Specify ``network_id`` in ``external_gateway_info`` '
|
||||||
'information when creating a router'),
|
'information when creating a router'),
|
||||||
@ -135,9 +129,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_router',
|
name='get_router',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_READER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a router',
|
description='Get a router',
|
||||||
operations=ACTION_GET,
|
operations=ACTION_GET,
|
||||||
@ -174,9 +166,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_router',
|
name='update_router',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a router',
|
description='Update a router',
|
||||||
operations=ACTION_PUT,
|
operations=ACTION_PUT,
|
||||||
@ -212,9 +202,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_router:external_gateway_info',
|
name='update_router:external_gateway_info',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update ``external_gateway_info`` information of a router',
|
description='Update ``external_gateway_info`` information of a router',
|
||||||
operations=ACTION_PUT,
|
operations=ACTION_PUT,
|
||||||
@ -226,9 +214,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_router:external_gateway_info:network_id',
|
name='update_router:external_gateway_info:network_id',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=('Update ``network_id`` attribute of '
|
description=('Update ``network_id`` attribute of '
|
||||||
'``external_gateway_info`` information of a router'),
|
'``external_gateway_info`` information of a router'),
|
||||||
@ -268,9 +254,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_router',
|
name='delete_router',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a router',
|
description='Delete a router',
|
||||||
operations=ACTION_DELETE,
|
operations=ACTION_DELETE,
|
||||||
@ -283,9 +267,7 @@ rules = [
|
|||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='add_router_interface',
|
name='add_router_interface',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Add an interface to a router',
|
description='Add an interface to a router',
|
||||||
operations=[
|
operations=[
|
||||||
@ -302,9 +284,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='remove_router_interface',
|
name='remove_router_interface',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Remove an interface from a router',
|
description='Remove an interface from a router',
|
||||||
operations=[
|
operations=[
|
||||||
@ -321,9 +301,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='add_extraroutes',
|
name='add_extraroutes',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Add extra route to a router',
|
description='Add extra route to a router',
|
||||||
operations=[
|
operations=[
|
||||||
@ -340,9 +318,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='remove_extraroutes',
|
name='remove_extraroutes',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Remove extra route from a router',
|
description='Remove extra route from a router',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -46,7 +46,7 @@ rules = [
|
|||||||
# Does an empty string make more sense for create_security_group?
|
# Does an empty string make more sense for create_security_group?
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_security_group',
|
name='create_security_group',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a security group',
|
description='Create a security group',
|
||||||
operations=[
|
operations=[
|
||||||
@ -63,7 +63,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_security_group',
|
name='get_security_group',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a security group',
|
description='Get a security group',
|
||||||
operations=[
|
operations=[
|
||||||
@ -84,7 +84,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_security_group',
|
name='update_security_group',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a security group',
|
description='Update a security group',
|
||||||
operations=[
|
operations=[
|
||||||
@ -101,7 +101,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_security_group',
|
name='delete_security_group',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a security group',
|
description='Delete a security group',
|
||||||
operations=[
|
operations=[
|
||||||
@ -121,7 +121,7 @@ rules = [
|
|||||||
# Does an empty string make more sense for create_security_group_rule?
|
# Does an empty string make more sense for create_security_group_rule?
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_security_group_rule',
|
name='create_security_group_rule',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a security group rule',
|
description='Create a security group rule',
|
||||||
operations=[
|
operations=[
|
||||||
@ -139,7 +139,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_security_group_rule',
|
name='get_security_group_rule',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.PROJECT_READER,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.RULE_SG_OWNER),
|
base.RULE_SG_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a security group rule',
|
description='Get a security group rule',
|
||||||
@ -161,7 +161,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_security_group_rule',
|
name='delete_security_group_rule',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a security group rule',
|
description='Delete a security group rule',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -40,8 +40,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_subnet',
|
name='create_subnet',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.PROJECT_MEMBER,
|
|
||||||
base.RULE_NET_OWNER),
|
base.RULE_NET_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a subnet',
|
description='Create a subnet',
|
||||||
@ -83,8 +82,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_subnet',
|
name='get_subnet',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.PROJECT_READER,
|
|
||||||
'rule:shared'),
|
'rule:shared'),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a subnet',
|
description='Get a subnet',
|
||||||
@ -112,8 +110,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_subnet',
|
name='update_subnet',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.PROJECT_MEMBER,
|
|
||||||
base.RULE_NET_OWNER),
|
base.RULE_NET_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a subnet',
|
description='Update a subnet',
|
||||||
@ -151,8 +148,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_subnet',
|
name='delete_subnet',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.PROJECT_MEMBER,
|
|
||||||
base.RULE_NET_OWNER),
|
base.RULE_NET_OWNER),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a subnet',
|
description='Delete a subnet',
|
||||||
|
@ -33,9 +33,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_subnetpool',
|
name='create_subnetpool',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a subnetpool',
|
description='Create a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
@ -89,8 +87,7 @@ rules = [
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_subnetpool',
|
name='get_subnetpool',
|
||||||
check_str=base.policy_or(
|
check_str=base.policy_or(
|
||||||
base.ADMIN,
|
base.ADMIN_OR_PROJECT_READER,
|
||||||
base.PROJECT_READER,
|
|
||||||
'rule:shared_subnetpools'
|
'rule:shared_subnetpools'
|
||||||
),
|
),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
@ -115,9 +112,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_subnetpool',
|
name='update_subnetpool',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a subnetpool',
|
description='Update a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
@ -151,9 +146,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_subnetpool',
|
name='delete_subnetpool',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a subnetpool',
|
description='Delete a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
@ -170,9 +163,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='onboard_network_subnets',
|
name='onboard_network_subnets',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Onboard existing subnet into a subnetpool',
|
description='Onboard existing subnet into a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
@ -189,9 +180,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='add_prefixes',
|
name='add_prefixes',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Add prefixes to a subnetpool',
|
description='Add prefixes to a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
@ -208,9 +197,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='remove_prefixes',
|
name='remove_prefixes',
|
||||||
check_str=base.policy_or(
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
base.ADMIN,
|
|
||||||
base.PROJECT_MEMBER),
|
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Remove unallocated prefixes from a subnetpool',
|
description='Remove unallocated prefixes from a subnetpool',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -26,7 +26,7 @@ DEPRECATED_REASON = (
|
|||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='create_trunk',
|
name='create_trunk',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Create a trunk',
|
description='Create a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -43,7 +43,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_trunk',
|
name='get_trunk',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get a trunk',
|
description='Get a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -64,7 +64,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='update_trunk',
|
name='update_trunk',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Update a trunk',
|
description='Update a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -81,7 +81,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='delete_trunk',
|
name='delete_trunk',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete a trunk',
|
description='Delete a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -98,7 +98,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='get_subports',
|
name='get_subports',
|
||||||
check_str=base.PROJECT_READER,
|
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='List subports attached to a trunk',
|
description='List subports attached to a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -115,7 +115,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='add_subports',
|
name='add_subports',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Add subports to a trunk',
|
description='Add subports to a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
@ -132,7 +132,7 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='remove_subports',
|
name='remove_subports',
|
||||||
check_str=base.PROJECT_MEMBER,
|
check_str=base.ADMIN_OR_PROJECT_MEMBER,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Delete subports from a trunk',
|
description='Delete subports from a trunk',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -67,10 +67,8 @@ class AdminTests(AddressGroupAPITestCase):
|
|||||||
def test_get_address_group(self):
|
def test_get_address_group(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "get_address_group", self.target))
|
policy.enforce(self.context, "get_address_group", self.target))
|
||||||
self.assertRaises(
|
self.assertTrue(
|
||||||
base_policy.PolicyNotAuthorized,
|
policy.enforce(self.context, "get_address_group", self.alt_target))
|
||||||
policy.enforce,
|
|
||||||
self.context, "get_address_group", self.alt_target)
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
class ProjectMemberTests(AdminTests):
|
||||||
@ -79,6 +77,14 @@ class ProjectMemberTests(AdminTests):
|
|||||||
super(ProjectMemberTests, self).setUp()
|
super(ProjectMemberTests, self).setUp()
|
||||||
self.context = self.project_member_ctx
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
|
def test_get_address_group(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "get_address_group", self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce,
|
||||||
|
self.context, "get_address_group", self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
|
@ -94,6 +94,25 @@ class AdminTests(AutoAllocatedTopologyAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_get_topology(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, GET_POLICY, self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, GET_POLICY, self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_topology(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, DELETE_POLICY, self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, DELETE_POLICY, self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_get_topology(self):
|
def test_get_topology(self):
|
||||||
self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target))
|
self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target))
|
||||||
self.assertRaises(
|
self.assertRaises(
|
||||||
@ -115,13 +134,6 @@ class AdminTests(AutoAllocatedTopologyAPITestCase):
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -64,12 +64,9 @@ class AdminTests(FloatingipPoolsAPITestCase):
|
|||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, 'get_floatingip_pool',
|
policy.enforce(self.context, 'get_floatingip_pool',
|
||||||
self.target))
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
def test_get_floatingip_pool_other_project(self):
|
policy.enforce(self.context, 'get_floatingip_pool',
|
||||||
self.assertRaises(
|
self.alt_target))
|
||||||
base_policy.PolicyNotAuthorized,
|
|
||||||
policy.enforce,
|
|
||||||
self.context, 'get_floatingip_pool', self.alt_target)
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
class ProjectMemberTests(AdminTests):
|
||||||
@ -78,8 +75,17 @@ class ProjectMemberTests(AdminTests):
|
|||||||
super(ProjectMemberTests, self).setUp()
|
super(ProjectMemberTests, self).setUp()
|
||||||
self.context = self.project_member_ctx
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
|
def test_get_floatingip_pool(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_floatingip_pool',
|
||||||
|
self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce,
|
||||||
|
self.context, 'get_floatingip_pool', self.alt_target)
|
||||||
|
|
||||||
class ProjectReaderTests(AdminTests):
|
|
||||||
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(ProjectReaderTests, self).setUp()
|
super(ProjectReaderTests, self).setUp()
|
||||||
|
@ -121,6 +121,53 @@ class AdminTests(FloatingipPortForwardingAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_fip_pf(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_floatingip_port_forwarding',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_floatingip_port_forwarding',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
def test_get_fip_pf(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_floatingip_port_forwarding',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_floatingip_port_forwarding',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
def test_update_fip_pf(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'update_floatingip_port_forwarding',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'update_floatingip_port_forwarding',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_fip_pf(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_floatingip_port_forwarding',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_floatingip_port_forwarding',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_fip_pf(self):
|
def test_create_fip_pf(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context,
|
policy.enforce(self.context,
|
||||||
@ -166,13 +213,6 @@ class AdminTests(FloatingipPortForwardingAPITestCase):
|
|||||||
self.alt_target)
|
self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -113,6 +113,45 @@ class AdminTests(L3ConntrackHelperAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_router_conntrack_helper(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_router_conntrack_helper', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_router_conntrack_helper', self.alt_target))
|
||||||
|
|
||||||
|
def test_get_router_conntrack_helper(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_router_conntrack_helper', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_router_conntrack_helper', self.alt_target))
|
||||||
|
|
||||||
|
def test_update_router_conntrack_helper(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'update_router_conntrack_helper', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'update_router_conntrack_helper', self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_router_conntrack_helper(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_router_conntrack_helper', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_router_conntrack_helper', self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_router_conntrack_helper(self):
|
def test_create_router_conntrack_helper(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context,
|
policy.enforce(self.context,
|
||||||
@ -150,13 +189,6 @@ class AdminTests(L3ConntrackHelperAPITestCase):
|
|||||||
self.context, 'delete_router_conntrack_helper', self.alt_target)
|
self.context, 'delete_router_conntrack_helper', self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -81,38 +81,26 @@ class AdminTests(LocalIPAPITestCase):
|
|||||||
def test_create_local_ip(self):
|
def test_create_local_ip(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "create_local_ip", self.target))
|
policy.enforce(self.context, "create_local_ip", self.target))
|
||||||
|
self.assertTrue(
|
||||||
def test_create_local_ip_other_project(self):
|
policy.enforce(self.context, "create_local_ip", self.alt_target))
|
||||||
self.assertRaises(
|
|
||||||
base_policy.PolicyNotAuthorized,
|
|
||||||
policy.enforce, self.context, "create_local_ip", self.alt_target)
|
|
||||||
|
|
||||||
def test_get_local_ip(self):
|
def test_get_local_ip(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "get_local_ip", self.target))
|
policy.enforce(self.context, "get_local_ip", self.target))
|
||||||
|
self.assertTrue(
|
||||||
def test_get_local_ip_other_project(self):
|
policy.enforce(self.context, "get_local_ip", self.alt_target))
|
||||||
self.assertRaises(
|
|
||||||
base_policy.PolicyNotAuthorized,
|
|
||||||
policy.enforce, self.context, "get_local_ip", self.alt_target)
|
|
||||||
|
|
||||||
def test_update_local_ip(self):
|
def test_update_local_ip(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "update_local_ip", self.target))
|
policy.enforce(self.context, "update_local_ip", self.target))
|
||||||
|
self.assertTrue(
|
||||||
def test_update_local_ip_other_project(self):
|
policy.enforce(self.context, "update_local_ip", self.alt_target))
|
||||||
self.assertRaises(
|
|
||||||
base_policy.PolicyNotAuthorized,
|
|
||||||
policy.enforce, self.context, "update_local_ip", self.alt_target)
|
|
||||||
|
|
||||||
def test_delete_local_ip(self):
|
def test_delete_local_ip(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "delete_local_ip", self.target))
|
policy.enforce(self.context, "delete_local_ip", self.target))
|
||||||
|
self.assertTrue(
|
||||||
def test_delete_local_ip_other_project(self):
|
policy.enforce(self.context, "delete_local_ip", self.alt_target))
|
||||||
self.assertRaises(
|
|
||||||
base_policy.PolicyNotAuthorized,
|
|
||||||
policy.enforce, self.context, "delete_local_ip", self.alt_target)
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
class ProjectMemberTests(AdminTests):
|
||||||
@ -121,6 +109,34 @@ class ProjectMemberTests(AdminTests):
|
|||||||
super(ProjectMemberTests, self).setUp()
|
super(ProjectMemberTests, self).setUp()
|
||||||
self.context = self.project_member_ctx
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
|
def test_create_local_ip(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "create_local_ip", self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce, self.context, "create_local_ip", self.alt_target)
|
||||||
|
|
||||||
|
def test_get_local_ip(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "get_local_ip", self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce, self.context, "get_local_ip", self.alt_target)
|
||||||
|
|
||||||
|
def test_update_local_ip(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "update_local_ip", self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce, self.context, "update_local_ip", self.alt_target)
|
||||||
|
|
||||||
|
def test_delete_local_ip(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "delete_local_ip", self.target))
|
||||||
|
self.assertRaises(
|
||||||
|
base_policy.PolicyNotAuthorized,
|
||||||
|
policy.enforce, self.context, "delete_local_ip", self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(LocalIPAPITestCase):
|
class ProjectReaderTests(LocalIPAPITestCase):
|
||||||
|
|
||||||
|
@ -109,6 +109,43 @@ class AdminTests(LocalIPAssociationAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_local_ip_port_association(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_local_ip_port_association',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_local_ip_port_association',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
def test_get_local_ip_port_association(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_local_ip_port_association',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_local_ip_port_association',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_local_ip_port_association(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_local_ip_port_association',
|
||||||
|
self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_local_ip_port_association',
|
||||||
|
self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_local_ip_port_association(self):
|
def test_create_local_ip_port_association(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context,
|
policy.enforce(self.context,
|
||||||
@ -143,13 +180,6 @@ class AdminTests(LocalIPAssociationAPITestCase):
|
|||||||
self.alt_target)
|
self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -94,6 +94,37 @@ class AdminTests(NDPProxyAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_ndp_proxy(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "create_ndp_proxy", self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "create_ndp_proxy", self.alt_target))
|
||||||
|
|
||||||
|
def test_get_ndp_proxy(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "get_ndp_proxy", self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "get_ndp_proxy", self.alt_target))
|
||||||
|
|
||||||
|
def test_update_ndp_proxy(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "update_ndp_proxy", self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "update_ndp_proxy", self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_ndp_proxy(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "delete_ndp_proxy", self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, "delete_ndp_proxy", self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_ndp_proxy(self):
|
def test_create_ndp_proxy(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, "create_ndp_proxy", self.target))
|
policy.enforce(self.context, "create_ndp_proxy", self.target))
|
||||||
@ -124,13 +155,6 @@ class AdminTests(NDPProxyAPITestCase):
|
|||||||
policy.enforce, self.context, "delete_ndp_proxy", self.alt_target)
|
policy.enforce, self.context, "delete_ndp_proxy", self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -97,6 +97,41 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
|
|||||||
super(AdminSecurityGroupTests, self).setUp()
|
super(AdminSecurityGroupTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_security_group(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'create_security_group', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(
|
||||||
|
self.context, 'create_security_group', self.alt_target))
|
||||||
|
|
||||||
|
def test_get_security_group(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_security_group', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(
|
||||||
|
self.context, 'get_security_group', self.alt_target))
|
||||||
|
|
||||||
|
def test_update_security_group(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'update_security_group', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(
|
||||||
|
self.context, 'update_security_group', self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_security_group(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'delete_security_group', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(
|
||||||
|
self.context, 'delete_security_group', self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberSecurityGroupTests(AdminSecurityGroupTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberSecurityGroupTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_security_group(self):
|
def test_create_security_group(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, 'create_security_group', self.target))
|
policy.enforce(self.context, 'create_security_group', self.target))
|
||||||
@ -130,13 +165,6 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase):
|
|||||||
self.context, 'delete_security_group', self.alt_target)
|
self.context, 'delete_security_group', self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberSecurityGroupTests(AdminSecurityGroupTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberSecurityGroupTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
|
class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
@ -255,6 +283,37 @@ class AdminSecurityGroupRuleTests(SecurityGroupRuleAPITestCase):
|
|||||||
super(AdminSecurityGroupRuleTests, self).setUp()
|
super(AdminSecurityGroupRuleTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_security_group_rule(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_security_group_rule', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'create_security_group_rule', self.alt_target))
|
||||||
|
|
||||||
|
def test_get_security_group_rule(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_security_group_rule', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'get_security_group_rule', self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_security_group_rule(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_security_group_rule', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context,
|
||||||
|
'delete_security_group_rule', self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberSecurityGroupRuleTests(AdminSecurityGroupRuleTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberSecurityGroupRuleTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_security_group_rule(self):
|
def test_create_security_group_rule(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context,
|
policy.enforce(self.context,
|
||||||
@ -294,13 +353,6 @@ class AdminSecurityGroupRuleTests(SecurityGroupRuleAPITestCase):
|
|||||||
self.context, 'delete_security_group_rule', self.alt_target)
|
self.context, 'delete_security_group_rule', self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberSecurityGroupRuleTests(AdminSecurityGroupRuleTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberSecurityGroupRuleTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderSecurityGroupRuleTests(ProjectMemberSecurityGroupRuleTests):
|
class ProjectReaderSecurityGroupRuleTests(ProjectMemberSecurityGroupRuleTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
@ -124,6 +124,55 @@ class AdminTests(TrunkAPITestCase):
|
|||||||
super(AdminTests, self).setUp()
|
super(AdminTests, self).setUp()
|
||||||
self.context = self.project_admin_ctx
|
self.context = self.project_admin_ctx
|
||||||
|
|
||||||
|
def test_create_trunk(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'create_trunk', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'create_trunk', self.alt_target))
|
||||||
|
|
||||||
|
def test_get_trunk(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_trunk', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_trunk', self.alt_target))
|
||||||
|
|
||||||
|
def test_update_trunk(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'update_trunk', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'update_trunk', self.alt_target))
|
||||||
|
|
||||||
|
def test_delete_trunk(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'delete_trunk', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'delete_trunk', self.alt_target))
|
||||||
|
|
||||||
|
def test_get_subports(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_subports', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'get_subports', self.alt_target))
|
||||||
|
|
||||||
|
def test_add_subports(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'add_subports', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'add_subports', self.alt_target))
|
||||||
|
|
||||||
|
def test_remove_subports(self):
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'remove_subports', self.target))
|
||||||
|
self.assertTrue(
|
||||||
|
policy.enforce(self.context, 'remove_subports', self.alt_target))
|
||||||
|
|
||||||
|
|
||||||
|
class ProjectMemberTests(AdminTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(ProjectMemberTests, self).setUp()
|
||||||
|
self.context = self.project_member_ctx
|
||||||
|
|
||||||
def test_create_trunk(self):
|
def test_create_trunk(self):
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
policy.enforce(self.context, 'create_trunk', self.target))
|
policy.enforce(self.context, 'create_trunk', self.target))
|
||||||
@ -181,13 +230,6 @@ class AdminTests(TrunkAPITestCase):
|
|||||||
self.context, 'remove_subports', self.alt_target)
|
self.context, 'remove_subports', self.alt_target)
|
||||||
|
|
||||||
|
|
||||||
class ProjectMemberTests(AdminTests):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(ProjectMemberTests, self).setUp()
|
|
||||||
self.context = self.project_member_ctx
|
|
||||||
|
|
||||||
|
|
||||||
class ProjectReaderTests(ProjectMemberTests):
|
class ProjectReaderTests(ProjectMemberTests):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
Loading…
Reference in New Issue
Block a user