9577735242
The order of the admin_owner_or_network_owner alias in the policy.json file can trigger DB queries for the network resource in order to complete the policy checks, even in cases where those checw aren't needed. This changes the order of the policy rule to ensure that checks for the tenant ID owner are made before looking at the tenant ID of the network. Change-Id: Ic3a7c99ff69c652bd1df4d43a98f298da876b4ba
300 lines
14 KiB
JSON
300 lines
14 KiB
JSON
{
|
|
"context_is_admin": "role:admin",
|
|
"owner": "tenant_id:%(tenant_id)s",
|
|
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
|
"context_is_advsvc": "role:advsvc",
|
|
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
|
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
|
"admin_only": "rule:context_is_admin",
|
|
"regular_user": "",
|
|
"shared": "field:networks:shared=True",
|
|
"shared_firewalls": "field:firewalls:shared=True",
|
|
"shared_firewall_policies": "field:firewall_policies:shared=True",
|
|
"shared_subnetpools": "field:subnetpools:shared=True",
|
|
"shared_address_scopes": "field:address_scopes:shared=True",
|
|
"external": "field:networks:router:external=True",
|
|
"default": "rule:admin_or_owner",
|
|
|
|
"create_subnet": "rule:admin_or_network_owner",
|
|
"get_subnet": "rule:admin_or_owner or rule:shared",
|
|
"update_subnet": "rule:admin_or_network_owner",
|
|
"delete_subnet": "rule:admin_or_network_owner",
|
|
|
|
"create_subnetpool": "",
|
|
"create_subnetpool:shared": "rule:admin_only",
|
|
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
|
|
"update_subnetpool": "rule:admin_or_owner",
|
|
"delete_subnetpool": "rule:admin_or_owner",
|
|
|
|
"create_address_scope": "",
|
|
"create_address_scope:shared": "rule:admin_only",
|
|
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
|
|
"update_address_scope": "rule:admin_or_owner",
|
|
"update_address_scope:shared": "rule:admin_only",
|
|
"delete_address_scope": "rule:admin_or_owner",
|
|
|
|
"create_network": "",
|
|
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
|
|
"get_network:router:external": "rule:regular_user",
|
|
"get_network:segments": "rule:admin_only",
|
|
"get_network:provider:network_type": "rule:admin_only",
|
|
"get_network:provider:physical_network": "rule:admin_only",
|
|
"get_network:provider:segmentation_id": "rule:admin_only",
|
|
"get_network:queue_id": "rule:admin_only",
|
|
"get_network:apic:distinguished_names": "rule:admin_only",
|
|
"get_network:apic:synchronization_state": "rule:admin_only",
|
|
"create_network:shared": "rule:admin_only",
|
|
"create_network:router:external": "rule:admin_only",
|
|
"create_network:segments": "rule:admin_only",
|
|
"create_network:provider:network_type": "rule:admin_only",
|
|
"create_network:provider:physical_network": "rule:admin_only",
|
|
"create_network:provider:segmentation_id": "rule:admin_only",
|
|
"update_network": "rule:admin_or_owner",
|
|
"update_network:segments": "rule:admin_only",
|
|
"update_network:shared": "rule:admin_only",
|
|
"update_network:provider:network_type": "rule:admin_only",
|
|
"update_network:provider:physical_network": "rule:admin_only",
|
|
"update_network:provider:segmentation_id": "rule:admin_only",
|
|
"update_network:router:external": "rule:admin_only",
|
|
"delete_network": "rule:admin_or_owner",
|
|
|
|
"network_device": "field:port:device_owner=~^network:",
|
|
"create_port": "",
|
|
"create_port:apic:erspan_config": "rule:admin_only",
|
|
"create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"create_port:binding:host_id": "rule:admin_only",
|
|
"create_port:binding:profile": "rule:admin_only",
|
|
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
|
"get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
|
|
"get_port:queue_id": "rule:admin_only",
|
|
"get_port:binding:vif_type": "rule:admin_only",
|
|
"get_port:binding:vif_details": "rule:admin_only",
|
|
"get_port:binding:host_id": "rule:admin_only",
|
|
"get_port:binding:profile": "rule:admin_only",
|
|
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
|
"update_port:apic:erspan_config": "rule:admin_only",
|
|
"update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
|
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"update_port:binding:host_id": "rule:admin_only",
|
|
"update_port:binding:profile": "rule:admin_only",
|
|
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
|
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
|
"delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
|
|
|
|
"get_router:ha": "rule:admin_only",
|
|
"create_router": "rule:regular_user",
|
|
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
|
"create_router:distributed": "rule:admin_only",
|
|
"create_router:ha": "rule:admin_only",
|
|
"get_router": "rule:admin_or_owner",
|
|
"get_router:distributed": "rule:admin_only",
|
|
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
|
"update_router:distributed": "rule:admin_only",
|
|
"update_router:ha": "rule:admin_only",
|
|
"delete_router": "rule:admin_or_owner",
|
|
|
|
"add_router_interface": "rule:admin_or_owner",
|
|
"remove_router_interface": "rule:admin_or_owner",
|
|
|
|
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
|
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
|
|
|
"create_firewall": "",
|
|
"get_firewall": "rule:admin_or_owner",
|
|
"create_firewall:shared": "rule:admin_only",
|
|
"get_firewall:shared": "rule:admin_only",
|
|
"update_firewall": "rule:admin_or_owner",
|
|
"update_firewall:shared": "rule:admin_only",
|
|
"delete_firewall": "rule:admin_or_owner",
|
|
|
|
"create_firewall_policy": "",
|
|
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
|
|
"create_firewall_policy:shared": "rule:admin_or_owner",
|
|
"update_firewall_policy": "rule:admin_or_owner",
|
|
"delete_firewall_policy": "rule:admin_or_owner",
|
|
|
|
"insert_rule": "rule:admin_or_owner",
|
|
"remove_rule": "rule:admin_or_owner",
|
|
|
|
"create_firewall_rule": "",
|
|
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
|
|
"update_firewall_rule": "rule:admin_or_owner",
|
|
"delete_firewall_rule": "rule:admin_or_owner",
|
|
|
|
"create_qos_queue": "rule:admin_only",
|
|
"get_qos_queue": "rule:admin_only",
|
|
|
|
"update_agent": "rule:admin_only",
|
|
"delete_agent": "rule:admin_only",
|
|
"get_agent": "rule:admin_only",
|
|
|
|
"create_dhcp-network": "rule:admin_only",
|
|
"delete_dhcp-network": "rule:admin_only",
|
|
"get_dhcp-networks": "rule:admin_only",
|
|
"create_l3-router": "rule:admin_only",
|
|
"delete_l3-router": "rule:admin_only",
|
|
"get_l3-routers": "rule:admin_only",
|
|
"get_dhcp-agents": "rule:admin_only",
|
|
"get_l3-agents": "rule:admin_only",
|
|
"get_loadbalancer-agent": "rule:admin_only",
|
|
"get_loadbalancer-pools": "rule:admin_only",
|
|
"get_agent-loadbalancers": "rule:admin_only",
|
|
"get_loadbalancer-hosting-agent": "rule:admin_only",
|
|
|
|
"create_floatingip": "rule:regular_user",
|
|
"create_floatingip:floating_ip_address": "rule:admin_only",
|
|
"update_floatingip": "rule:admin_or_owner",
|
|
"delete_floatingip": "rule:admin_or_owner",
|
|
"get_floatingip": "rule:admin_or_owner",
|
|
|
|
"create_network_profile": "rule:admin_only",
|
|
"update_network_profile": "rule:admin_only",
|
|
"delete_network_profile": "rule:admin_only",
|
|
"get_network_profiles": "",
|
|
"get_network_profile": "",
|
|
"update_policy_profiles": "rule:admin_only",
|
|
"get_policy_profiles": "",
|
|
"get_policy_profile": "",
|
|
|
|
"create_metering_label": "rule:admin_only",
|
|
"delete_metering_label": "rule:admin_only",
|
|
"get_metering_label": "rule:admin_only",
|
|
|
|
"create_metering_label_rule": "rule:admin_only",
|
|
"delete_metering_label_rule": "rule:admin_only",
|
|
"get_metering_label_rule": "rule:admin_only",
|
|
|
|
"get_service_provider": "rule:regular_user",
|
|
"get_lsn": "rule:admin_only",
|
|
"create_lsn": "rule:admin_only",
|
|
|
|
"create_flavor": "rule:admin_only",
|
|
"update_flavor": "rule:admin_only",
|
|
"delete_flavor": "rule:admin_only",
|
|
"get_flavors": "rule:regular_user",
|
|
"get_flavor": "rule:regular_user",
|
|
|
|
"get_policy": "rule:regular_user",
|
|
"create_policy": "rule:admin_only",
|
|
"update_policy": "rule:admin_only",
|
|
"delete_policy": "rule:admin_only",
|
|
"get_policy_bandwidth_limit_rule": "rule:regular_user",
|
|
"create_policy_bandwidth_limit_rule": "rule:admin_only",
|
|
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
|
|
"update_policy_bandwidth_limit_rule": "rule:admin_only",
|
|
"get_rule_type": "rule:regular_user",
|
|
|
|
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
|
|
"create_rbac_policy": "",
|
|
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
|
|
"update_rbac_policy": "rule:admin_or_owner",
|
|
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
|
|
"get_rbac_policy": "rule:admin_or_owner",
|
|
"delete_rbac_policy": "rule:admin_or_owner",
|
|
|
|
"shared_ptg": "field:policy_target_groups:shared=True",
|
|
"shared_pt": "field:policy_targets:shared=True",
|
|
"shared_prs": "field:policy_rule_sets:shared=True",
|
|
"shared_l3p": "field:l3_policies:shared=True",
|
|
"shared_l2p": "field:l2_policies:shared=True",
|
|
"shared_es": "field:external_segments:shared=True",
|
|
"shared_ep": "field:external_policies:shared=True",
|
|
"shared_pc": "field:policy_classifiers:shared=True",
|
|
"shared_pa": "field:policy_actions:shared=True",
|
|
"shared_pr": "field:policy_rules:shared=True",
|
|
"shared_np": "field:nat_pools:shared=True",
|
|
"shared_nsp": "field:network_service_policies:shared=True",
|
|
"shared_scn": "field:servicechain_nodes:shared=True",
|
|
"shared_scs": "field:servicechain_specs:shared=True",
|
|
"shared_sp": "field:service_profiles:shared=True",
|
|
|
|
"auto_ptg": "field:policy_target_groups:is_auto_ptg=True",
|
|
"non_auto_ptg_shared": "rule:admin_or_owner or rule:shared_ptg",
|
|
"non_auto_ptg": "rule:non_auto_ptg_shared and not rule:auto_ptg",
|
|
"admin_auto_ptg_shared": "rule:admin_only or rule:shared_ptg",
|
|
"admin_auto_ptg": "rule:admin_auto_ptg_shared and rule:auto_ptg",
|
|
|
|
"create_policy_target_group": "",
|
|
"create_policy_target_group:shared": "rule:admin_only",
|
|
"create_policy_target_group:service_management": "rule:admin_only",
|
|
"create_policy_target_group:enforce_service_chains": "rule:admin_only",
|
|
"get_policy_target_group": "rule:admin_auto_ptg or rule:non_auto_ptg",
|
|
"update_policy_target_group": "rule:admin_auto_ptg or rule:non_auto_ptg",
|
|
"update_policy_target_group:shared": "rule:admin_only",
|
|
|
|
"create_l2_policy": "",
|
|
"create_l2_policy:shared": "rule:admin_only",
|
|
"get_l2_policy": "rule:admin_or_owner or rule:shared_l2p",
|
|
"update_l2_policy:shared": "rule:admin_only",
|
|
|
|
"create_l3_policy": "",
|
|
"create_l3_policy:shared": "rule:admin_only",
|
|
"get_l3_policy": "rule:admin_or_owner or rule:shared_l3p",
|
|
"update_l3_policy:shared": "rule:admin_only",
|
|
|
|
"create_policy_classifier": "",
|
|
"create_policy_classifier:shared": "rule:admin_only",
|
|
"get_policy_classifier": "rule:admin_or_owner or rule:shared_pc",
|
|
"update_policy_classifier:shared": "rule:admin_only",
|
|
|
|
"create_policy_action": "",
|
|
"create_policy_action:shared": "rule:admin_only",
|
|
"get_policy_action": "rule:admin_or_owner or rule:shared_pa",
|
|
"update_policy_action:shared": "rule:admin_only",
|
|
|
|
"create_policy_rule": "",
|
|
"create_policy_rule:shared": "rule:admin_only",
|
|
"get_policy_rule": "rule:admin_or_owner or rule:shared_pr",
|
|
"update_policy_rule:shared": "rule:admin_only",
|
|
|
|
"create_policy_rule_set": "",
|
|
"create_policy_rule_set:shared": "rule:admin_only",
|
|
"get_policy_rule_set": "rule:admin_or_owner or rule:shared_prs",
|
|
"update_policy_rule_set:shared": "rule:admin_only",
|
|
|
|
"create_network_service_policy": "",
|
|
"create_network_service_policy:shared": "rule:admin_only",
|
|
"get_network_service_policy": "rule:admin_or_owner or rule:shared_nsp",
|
|
"update_network_service_policy:shared": "rule:admin_only",
|
|
|
|
"create_external_segment": "",
|
|
"create_external_segment:shared": "rule:admin_only",
|
|
"get_external_segment": "rule:admin_or_owner or rule:shared_es",
|
|
"update_external_segment:shared": "rule:admin_only",
|
|
|
|
"create_external_policy": "",
|
|
"create_external_policy:shared": "rule:admin_only",
|
|
"get_external_policy": "rule:admin_or_owner or rule:shared_ep",
|
|
"update_external_policy:shared": "rule:admin_only",
|
|
|
|
"create_nat_pool": "",
|
|
"create_nat_pool:shared": "rule:admin_only",
|
|
"get_nat_pool": "rule:admin_or_owner or rule:shared_np",
|
|
"update_nat_pool:shared": "rule:admin_only",
|
|
|
|
"create_servicechain_node": "",
|
|
"create_servicechain_node:shared": "rule:admin_only",
|
|
"get_servicechain_node": "rule:admin_or_owner or rule:shared_scn",
|
|
"update_servicechain_node:shared": "rule:admin_only",
|
|
|
|
"create_servicechain_spec": "",
|
|
"create_servicechain_spec:shared": "rule:admin_only",
|
|
"get_servicechain_spec": "rule:admin_or_owner or rule:shared_scs",
|
|
"update_servicechain_spec:shared": "rule:admin_only",
|
|
|
|
"create_servicechain_instance": "",
|
|
"get_servicechain_instance": "rule:admin_or_owner",
|
|
"update_servicechain_instance:shared": "rule:admin_only",
|
|
|
|
"create_service_profile": "",
|
|
"create_service_profile:shared": "rule:admin_only",
|
|
"get_service_profile": "rule:admin_or_owner or rule:shared_sp",
|
|
"update_service_profile:shared": "rule:admin_only"
|
|
}
|