fix: Remove invalid panko policy

1. remove invalid panko policy
2. remove install panko from post_install.sh
3. update policy

Change-Id: Icb23e4ff34ff47952294f711ddabd36cc9df706e
This commit is contained in:
Boxiang Zhu 2022-08-17 13:21:35 +08:00
parent cbabcbce89
commit eb59b2614d
5 changed files with 61 additions and 70 deletions


@ -92,28 +92,28 @@ list_rules = (
base.APIRule(
name="baremetal:node:get:last_error",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:reservation",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_internal_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_info",
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
@ -161,7 +161,7 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:update:driver_interfaces",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@ -210,7 +210,7 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:update_instance_info",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Node instance_info field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@ -231,35 +231,35 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:validate",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Request active validation of Nodes",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
),
base.APIRule(
name="baremetal:node:set_maintenance",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Set maintenance flag, taking a Node out of service",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:clear_maintenance",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Clear maintenance flag, placing the Node into service again",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:get_boot_device",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Retrieve Node boot device metadata",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
),
base.APIRule(
name="baremetal:node:set_boot_device",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Change Node boot device",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
@ -280,7 +280,7 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:inject_nmi",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Inject NMI for a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
@ -315,7 +315,7 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:set_provision_state",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Change Node provision status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
@ -350,14 +350,14 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:vif:attach",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Attach a VIF to a node",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
),
base.APIRule(
name="baremetal:node:vif:detach",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Detach a VIF from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
@ -371,14 +371,14 @@ list_rules = (
),
base.APIRule(
name="baremetal:node:traits:set",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Add a trait to, or replace all traits of, a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
),
base.APIRule(
name="baremetal:node:traits:delete",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Remove one or all traits from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
@ -427,21 +427,21 @@ list_rules = (
),
base.APIRule(
name="baremetal:port:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Port records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/ports"}],
),
base.APIRule(
name="baremetal:port:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Port records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
),
base.APIRule(
name="baremetal:port:update",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Port records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
@ -455,21 +455,21 @@ list_rules = (
),
base.APIRule(
name="baremetal:portgroup:create",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Create Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/portgroups"}],
),
base.APIRule(
name="baremetal:portgroup:delete",
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Delete Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
),
base.APIRule(
name="baremetal:portgroup:update",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
description="Update Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
@ -588,21 +588,21 @@ list_rules = (
),
base.APIRule(
name="baremetal:volume:create",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Create Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
),
base.APIRule(
name="baremetal:volume:delete",
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Delete Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
),
base.APIRule(
name="baremetal:volume:update",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
description="Update Volume connector and target records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
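Review bot: The new `role:manager` grants (e.g. `baremetal:node:inject_nmi` in the `@ -280` hunk, `baremetal:node:set_provision_state` in `@ -315`, `baremetal:port:delete` in `@ -427`) widen who in the owning or lessee project can drive power, boot and provisioning actions, but neither this generated file nor the description ("3. update policy") records which upstream ironic policy version they mirror, so the widening cannot be audited against its source. A header comment such as `# Mirrors ironic's default policy as of <UPSTREAM-BRANCH-OR-TAG>; regenerate rather than hand-edit.` would make future syncs and reviews checkable; the same applies to the neutron `*_policy_packet_rate_limit_rule` section and the nova `os_compute_api:os-shelve:unshelve_to_host` section. Note also that manager is added only alongside existing `role:admin` grants and not where the owner already holds `role:member`; that is only equivalent if the deployment's keystone role hierarchy has manager implying member, which is worth stating in the same comment. The `list_rules` tuple begins and ends outside the hunks.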


@ -1104,6 +1104,34 @@ list_rules = (
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}],
),
base.APIRule(
name="get_policy_packet_rate_limit_rule",
check_str=("role:reader and project_id:%(project_id)s"),
description="Get a QoS packet rate limit rule",
scope_types=["project"],
operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
),
base.APIRule(
name="create_policy_packet_rate_limit_rule",
check_str=("role:admin and project_id:%(project_id)s"),
description="Create a QoS packet rate limit rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}],
),
base.APIRule(
name="update_policy_packet_rate_limit_rule",
check_str=("role:admin and project_id:%(project_id)s"),
description="Update a QoS packet rate limit rule",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
),
base.APIRule(
name="delete_policy_packet_rate_limit_rule",
check_str=("role:admin and project_id:%(project_id)s"),
description="Delete a QoS packet rate limit rule",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
),
base.APIRule(
name="get_policy_dscp_marking_rule",
check_str=("role:reader and project_id:%(project_id)s"),


@ -1229,6 +1229,13 @@ list_rules = (
scope_types=["project"],
operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
),
base.APIRule(
name="os_compute_api:os-shelve:unshelve_to_host",
check_str=("rule:project_admin_api"),
description="Unshelve (restore) shelve offloaded server to a specific host",
scope_types=["project"],
operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
),
base.APIRule(
name="os_compute_api:os-shelve:shelve_offload",
check_str=("rule:project_admin_api"),


@ -1,35 +0,0 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
base.Rule(
name="context_is_admin",
check_str=("role:admin"),
description="No description",
),
base.APIRule(
name="segregation",
check_str=("role:admin and system_scope:all"),
description="Return the user and project the requestshould be limited to",
scope_types=["system"],
operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
),
base.APIRule(
name="telemetry:events:index",
check_str=(""),
description="Return all events matching the query filters.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events"}],
),
base.APIRule(
name="telemetry:events:show",
check_str=(""),
description="Return a single event with the given message id.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],
),
)
__all__ = ("list_rules",)


@ -2,10 +2,6 @@
set -ex
# Some projects have been DEPRECATED.
# panko: https://opendev.org/openstack/panko
INSTALL_DEPRECATED_PROJECTS="panko"
INSTALL_PROJECTS="keystone \
placement \
nova \
@ -27,8 +23,3 @@ for project in ${INSTALL_PROJECTS}
do
pip install -U git+https://opendev.org/openstack/${project}@${BRANCH}
done
for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
do
pip install -U ${deprecated_project}
done