fix: Remove invalid panko policy
1. remove invalid panko policy 2. remove install panko from post_install.sh 3. update policy Change-Id: Icb23e4ff34ff47952294f711ddabd36cc9df706e
parent
cbabcbce89
commit
eb59b2614d
@ -92,28 +92,28 @@ list_rules = (
|
||||
base.APIRule(
|
||||
name="baremetal:node:get:last_error",
|
||||
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
|
||||
description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
|
||||
description="Governs if the node last_error field is masked from API clients with insufficient privileges.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get:reservation",
|
||||
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
|
||||
description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
|
||||
description="Governs if the node reservation field is masked from API clients with insufficient privileges.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get:driver_internal_info",
|
||||
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
|
||||
description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
|
||||
description="Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get:driver_info",
|
||||
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
|
||||
description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
|
||||
description="Governs if the driver_info field is masked from API clients with insufficient privileges.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
@ -161,7 +161,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:driver_interfaces",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
@ -210,7 +210,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update_instance_info",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Update Node instance_info field",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
@ -231,35 +231,35 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:validate",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Request active validation of Nodes",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_maintenance",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Set maintenance flag, taking a Node out of service",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:clear_maintenance",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Clear maintenance flag, placing the Node into service again",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get_boot_device",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Retrieve Node boot device metadata",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_boot_device",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Change Node boot device",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
|
||||
@ -280,7 +280,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:inject_nmi",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Inject NMI for a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
|
||||
@ -315,7 +315,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_provision_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Change Node provision status",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
|
||||
@ -350,14 +350,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:vif:attach",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Attach a VIF to a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:vif:detach",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Detach a VIF from a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
|
||||
@ -371,14 +371,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:traits:set",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Add a trait to, or replace all traits of, a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:traits:delete",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Remove one or all traits from a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||
@ -427,21 +427,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:port:create",
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Create Port records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/ports"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:port:delete",
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Delete Port records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:port:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Update Port records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
|
||||
@ -455,21 +455,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:portgroup:create",
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Create Portgroup records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/portgroups"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:portgroup:delete",
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Delete Portgroup records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:portgroup:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Update Portgroup records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
|
||||
@ -588,21 +588,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:create",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Create Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:delete",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Delete Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Update Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
|
||||
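Review bot: The `check_str` changes from `baremetal:node:update:driver_interfaces` through `baremetal:volume:update` add `role:manager` alternatives to rules that previously required `role:admin` on the owner or lessee project, including `baremetal:node:set_boot_device`, `baremetal:node:inject_nmi` and `baremetal:port:create`/`baremetal:port:delete`, yet the commit message covers this only as "update policy". Any deployment that already assigns a role named `manager` gets wider authorization from these rules, so the commit message should say so. If this file is meant to mirror upstream ironic defaults (not visible here), record the source with a comment above `list_rules`, such as `# Regenerated from ironic <release>: project-scoped manager role added alongside admin.` `baremetal:volume:update` gains `manager` only for `node.lessee`, while `baremetal:volume:create` and `baremetal:volume:delete` gain it for both owner and lessee; that is equivalent only if `manager` implies `member` in the identity service, which is worth confirming. The `list_rules` tuple starts and ends outside these hunks.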
|
@ -1104,6 +1104,34 @@ list_rules = (
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="get_policy_packet_rate_limit_rule",
|
||||
check_str=("role:reader and project_id:%(project_id)s"),
|
||||
description="Get a QoS packet rate limit rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_policy_packet_rate_limit_rule",
|
||||
check_str=("role:admin and project_id:%(project_id)s"),
|
||||
description="Create a QoS packet rate limit rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_policy_packet_rate_limit_rule",
|
||||
check_str=("role:admin and project_id:%(project_id)s"),
|
||||
description="Update a QoS packet rate limit rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_policy_packet_rate_limit_rule",
|
||||
check_str=("role:admin and project_id:%(project_id)s"),
|
||||
description="Delete a QoS packet rate limit rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="get_policy_dscp_marking_rule",
|
||||
check_str=("role:reader and project_id:%(project_id)s"),
|
||||
|
@ -1229,6 +1229,13 @@ list_rules = (
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="os_compute_api:os-shelve:unshelve_to_host",
|
||||
check_str=("rule:project_admin_api"),
|
||||
description="Unshelve (restore) shelve offloaded server to a specific host",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="os_compute_api:os-shelve:shelve_offload",
|
||||
check_str=("rule:project_admin_api"),
|
||||
|
@ -1,35 +0,0 @@
|
||||
# flake8: noqa
|
||||
# fmt: off
|
||||
|
||||
from . import base
|
||||
|
||||
list_rules = (
|
||||
base.Rule(
|
||||
name="context_is_admin",
|
||||
check_str=("role:admin"),
|
||||
description="No description",
|
||||
),
|
||||
base.APIRule(
|
||||
name="segregation",
|
||||
check_str=("role:admin and system_scope:all"),
|
||||
description="Return the user and project the requestshould be limited to",
|
||||
scope_types=["system"],
|
||||
operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="telemetry:events:index",
|
||||
check_str=(""),
|
||||
description="Return all events matching the query filters.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/v2/events"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="telemetry:events:show",
|
||||
check_str=(""),
|
||||
description="Return a single event with the given message id.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],
|
||||
),
|
||||
)
|
||||
|
||||
__all__ = ("list_rules",)
|
@ -2,10 +2,6 @@
|
||||
|
||||
set -ex
|
||||
|
||||
# Some projects have been DEPRECATED.
|
||||
# panko: https://opendev.org/openstack/panko
|
||||
INSTALL_DEPRECATED_PROJECTS="panko"
|
||||
|
||||
INSTALL_PROJECTS="keystone \
|
||||
placement \
|
||||
nova \
|
||||
@ -27,8 +23,3 @@ for project in ${INSTALL_PROJECTS}
|
||||
do
|
||||
pip install -U git+https://opendev.org/openstack/${project}@${BRANCH}
|
||||
done
|
||||
|
||||
for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS}
|
||||
do
|
||||
pip install -U ${deprecated_project}
|
||||
done
|
||||
|