#10 Updated roles to global/project, also changed reader to auditor
Merged a year ago by xaenalt. Opened a year ago by xaenalt.
xaenalt/openstack-access-policy master  into  master

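--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. tests/functions
+REPO_DIR="$(dirname $(readlink -f $0))"
+
+source "${REPO_DIR}/tests/functions"
 
 build_policy
 run_policy_current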
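Review bot: `source` is a bash builtin, so replacing `.` with `source` under the `#!/bin/sh` shebang on the first line will fail wherever `/bin/sh` is dash or another strictly POSIX shell; keep the POSIX form `. "${REPO_DIR}/tests/functions"`. The new `REPO_DIR` line also leaves `$0` and the inner command substitution unquoted, so a checkout path containing whitespace breaks it: `REPO_DIR="$(dirname "$(readlink -f "$0")")"`. `readlink -f` is itself a coreutils extension rather than POSIX, which may be acceptable if the test suite is only ever run on Linux, but it is worth a one-line comment stating that assumption.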

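--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,14 +1,23 @@
 # COMMON
 
-# A global reader role, that is able to read things that don't have a project_id associated
-global_reader: "(role:global_reader and is_admin_project:True)"
+# A global auditor role, which is a read-only version of global_admin
+global_auditor: "(role:auditor and is_admin_project:True)"
 
-# The specification for readers, who should only be able to read, never modify, data.
-# This rule incorporates other less strict reader specifications, so any reader
-reader: "((role:reader and project_id:%(project_id)s) or rule:global_reader)"
+# The specification for project scoped auditors, who should be able to read
+# data in a project, but never modify it
+project_auditor: "(role:auditor and project_id:%(project_id)s)"
+
+# A rule specifying that auditor role is required with either project or global scope
+auditor: "(rule:global_auditor or rule:project_auditor)"
 
 # This is the default admin specification, able to control every part of the cloud without issue
-admin: "(is_admin:True or role:admin  and (is_admin_project:True or  project_id:%(project_id)s))"
+global_admin: "(is_admin:True or (role:admin and is_admin_project:True))"
+
+# A project-scoped version of admin
+project_admin: "(role:admin and project_id:%(project_id)s)"
+
+# A rule specifying that admin role is required with either project or global scope
+admin: "(rule:project_admin or rule:global_admin)"
 
 # This is a helper role specification for members, since some deployers use "member", and some use "_member_"
 _member_role: "(role:Member or role:member or role:_member_)"
@@ -29,7 +38,7 @@
 
 
 # Decides what is required for the 'is_admin:True' check to succeed.
-"context_is_admin": "role:admin and (is_admin_project:True or project_id:%(project_id)s)"
+"context_is_admin": "(role:admin and (is_admin_project:True or project_id:%(project_id)s))"
 
 
 # END COMMON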
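Review bot: The rewritten `context_is_admin` in the second hunk still accepts `project_id:%(project_id)s`, which undermines the global/project split the first hunk introduces. Services commonly evaluate `context_is_admin` with the request credentials themselves as the target (not visible here, so confirm against each consuming service); in that case `project_id:%(project_id)s` matches trivially, any project-scoped `admin` obtains `is_admin:True`, and `global_admin` then matches through its `is_admin:True` branch, so holders of `project_admin` are effectively global admins. If only admins in the admin project are meant to be global, restrict it to `"context_is_admin": "(role:admin and is_admin_project:True)"`. Separately, the comment above `global_auditor` calls it a read-only version of `global_admin`, but `global_admin` also matches on `is_admin:True` alone; `# A global auditor role: the auditor role in the admin project, the read-only counterpart of global_admin's role:admin branch` states the actual relationship.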

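--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3,11 +3,11 @@
 
 # Get an alarm.
 # GET  /v2/alarms/{alarm_id}
-"telemetry:get_alarm": "rule:admin or rule:member or rule:reader"
+"telemetry:get_alarm": "rule:admin or rule:member or rule:auditor"
 
 # Get all alarms, based on the query provided.
 # GET  /v2/alarms
-"telemetry:get_alarms": "rule:admin or rule:member or rule:reader"
+"telemetry:get_alarms": "rule:admin or rule:member or rule:auditor"
 
 # Get all alarms, based on the query provided.
 # POST  /v2/query/alarms
@@ -27,7 +27,7 @@
 
 # Get the state of this alarm.
 # GET  /v2/alarms/{alarm_id}/state
-"telemetry:get_alarm_state": "rule:admin or rule:member or rule:reader"
+"telemetry:get_alarm_state": "rule:admin or rule:member or rule:auditor"
 
 # Set the state of this alarm.
 # PUT  /v2/alarms/{alarm_id}/state
@@ -35,7 +35,7 @@
 
 # Assembles the alarm history requested.
 # GET  /v2/alarms/{alarm_id}/history
-"telemetry:alarm_history": "rule:admin or rule:member or rule:reader"
+"telemetry:alarm_history": "rule:admin or rule:member or rule:auditor"
 
 # Define query for retrieving AlarmChange data.
 # POST  /v2/query/alarms/history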

file modified
+41 -41

@@ -24,11 +24,11 @@ 

  

  # List messages.

  # GET  /messages

- "message:get_all": "rule:admin or rule:member or rule:reader"

+ "message:get_all": "rule:admin or rule:member or rule:auditor"

  

  # Show message.

  # GET  /messages/{message_id}

- "message:get": "rule:admin or rule:member or rule:reader"

+ "message:get": "rule:admin or rule:member or rule:auditor"

  

  # Delete message.

  # DELETE  /messages/{message_id}

@@ -37,11 +37,11 @@ 

  # List clusters.

  # GET  /clusters

  # GET  /clusters/detail

- "clusters:get_all": "rule:admin or rule:reader"

+ "clusters:get_all": "rule:admin or rule:auditor"

  

  # Show cluster.

  # GET  /clusters/{cluster_id}

- "clusters:get": "rule:admin or rule:reader"

+ "clusters:get": "rule:admin or rule:auditor"

  

  # Update cluster.

  # PUT  /clusters/{cluster_id}

@@ -54,7 +54,7 @@ 

  # Show snapshot's metadata or one specified metadata with a given key.

  # GET  /snapshots/{snapshot_id}/metadata

  # GET  /snapshots/{snapshot_id}/metadata/{key}

- "volume:get_snapshot_metadata": "rule:admin or rule:member or rule:reader"

+ "volume:get_snapshot_metadata": "rule:admin or rule:member or rule:auditor"

  

  # Update snapshot's metadata or one specified metadata with a given

  # key.

@@ -69,12 +69,12 @@ 

  # List snapshots.

  # GET  /snapshots

  # GET  /snapshots/detail

- "volume:get_all_snapshots": "rule:admin or rule:member or rule:reader"

+ "volume:get_all_snapshots": "rule:admin or rule:member or rule:auditor"

  

  # List or show snapshots with extended attributes.

  # GET  /snapshots/{snapshot_id}

  # GET  /snapshots/detail

- "volume_extension:extended_snapshot_attributes": "rule:admin or rule:member or rule:reader"

+ "volume_extension:extended_snapshot_attributes": "rule:admin or rule:member or rule:auditor"

  

  # Create snapshot.

  # POST  /snapshots

@@ -82,7 +82,7 @@ 

  

  # Show snapshot.

  # GET  /snapshots/{snapshot_id}

- "volume:get_snapshot": "rule:admin or rule:member or rule:reader"

+ "volume:get_snapshot": "rule:admin or rule:member or rule:auditor"

  

  # Update snapshot.

  # PUT  /snapshots/{snapshot_id}

@@ -107,7 +107,7 @@ 

  # List (in detail) of snapshots which are available to manage.

  # GET  /manageable_snapshots

  # GET  /manageable_snapshots/detail

- "snapshot_extension:list_manageable": "rule:admin or rule:reader"

+ "snapshot_extension:list_manageable": "rule:admin or rule:auditor"

  

  # Manage an existing snapshot.

  # POST  /manageable_snapshots

@@ -120,12 +120,12 @@ 

  # List backups.

  # GET  /backups

  # GET  /backups/detail

- "backup:get_all": "rule:admin or rule:member or rule:reader"

+ "backup:get_all": "rule:admin or rule:member or rule:auditor"

  

  # List backups or show backup with project attributes.

  # GET  /backups/{backup_id}

  # GET  /backups/detail

- "backup:backup_project_attribute": "rule:admin or rule:reader"

+ "backup:backup_project_attribute": "rule:admin or rule:auditor"

  

  # Create backup.

  # POST  /backups

@@ -133,7 +133,7 @@ 

  

  # Show backup.

  # GET  /backups/{backup_id}

- "backup:get": "rule:admin or rule:member or rule:reader"

+ "backup:get": "rule:admin or rule:member or rule:auditor"

  

  # Update backup.

  # PUT  /backups/{backup_id}

@@ -166,7 +166,7 @@ 

  # List groups.

  # GET  /groups

  # GET  /groups/detail

- "group:get_all": "rule:admin or rule:member or rule:reader"

+ "group:get_all": "rule:admin or rule:member or rule:auditor"

  

  # Create group.

  # POST  /groups

@@ -174,7 +174,7 @@ 

  

  # Show group.

  # GET  /groups/{group_id}

- "group:get": "rule:admin or rule:member or rule:reader"

+ "group:get": "rule:admin or rule:member or rule:auditor"

  

  # Update group.

  # PUT  /groups/{group_id}

@@ -188,7 +188,7 @@ 

  

  # Show group type with type specs attributes.

  # GET  /group_types/{group_type_id}

- "group:access_group_types_specs": "rule:admin or rule:reader"

+ "group:access_group_types_specs": "rule:admin or rule:auditor"

  

  # Create, show, update and delete group type spec.

  # GET  /group_types/{group_type_id}/group_specs/{g_spec_id}

@@ -201,7 +201,7 @@ 

  # List group snapshots.

  # GET  /group_snapshots

  # GET  /group_snapshots/detail

- "group:get_all_group_snapshots": "rule:admin or rule:member or rule:reader"

+ "group:get_all_group_snapshots": "rule:admin or rule:member or rule:auditor"

  

  # Create group snapshot.

  # POST  /group_snapshots

@@ -209,7 +209,7 @@ 

  

  # Show group snapshot.

  # GET  /group_snapshots/{group_snapshot_id}

- "group:get_group_snapshot": "rule:admin or rule:member or rule:reader"

+ "group:get_group_snapshot": "rule:admin or rule:member or rule:auditor"

  

  # Delete group snapshot.

  # DELETE  /group_snapshots/{group_snapshot_id}

@@ -217,7 +217,7 @@ 

  

  # Update group snapshot.

  # PUT  /group_snapshots/{group_snapshot_id}

- "group:update_group_snapshot": "rule:admin or rule:member or rule:reader"

+ "group:update_group_snapshot": "rule:admin or rule:member or rule:auditor"

  

  # Reset status of group snapshot.

  # POST  /group_snapshots/{g_snapshot_id}/action (reset_status)

@@ -250,11 +250,11 @@ 

  # List qos specs or list all associations.

  # GET  /qos-specs

  # GET  /qos-specs/{qos_id}/associations

- "volume_extension:qos_specs_manage:get_all": "rule:admin or rule:reader"

+ "volume_extension:qos_specs_manage:get_all": "rule:admin or rule:auditor"

  

  # Show qos specs.

  # GET  /qos-specs/{qos_id}

- "volume_extension:qos_specs_manage:get": "rule:admin or rule:reader"

+ "volume_extension:qos_specs_manage:get": "rule:admin or rule:auditor"

  

  # Create qos specs.

  # POST  /qos-specs

@@ -265,7 +265,7 @@ 

  # GET  /qos-specs/{qos_id}/disassociate_all

  # GET  /qos-specs/{qos_id}/associate

  # GET  /qos-specs/{qos_id}/disassociate

- "volume_extension:qos_specs_manage:update": "rule:admin or rule:reader"

+ "volume_extension:qos_specs_manage:update": "rule:admin or rule:auditor"

  

  # delete qos specs or unset one specified qos key.

  # DELETE  /qos-specs/{qos_id}

@@ -281,7 +281,7 @@ 

  # GET  /os-quota-sets/{project_id}

  # GET  /os-quota-sets/{project_id}/default

  # GET  /os-quota-sets/{project_id}?usage=True

- "volume_extension:quotas:show": "rule:admin or rule:member or rule:reader"

+ "volume_extension:quotas:show": "rule:admin or rule:member or rule:auditor"

  

  # Update project quota.

  # PUT  /os-quota-sets/{project_id}

@@ -293,15 +293,15 @@ 

  

  # Validate setup for nested quota.

  # GET  /os-quota-sets/validate_setup_for_nested_quota_use

- "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin or rule:reader"

+ "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin or rule:auditor"

  

  # Show backend capabilities.

  # GET  /capabilities/{host_name}

- "volume_extension:capabilities": "rule:admin or rule:reader"

+ "volume_extension:capabilities": "rule:admin or rule:auditor"

  

  # List all services.

  # GET  /os-services

- "volume_extension:services:index": "rule:admin or rule:reader"

+ "volume_extension:services:index": "rule:admin or rule:auditor"

  

  # Update service, including failover_host, thaw, freeze, disable,

  # enable, set-log and get-log actions.

@@ -322,7 +322,7 @@ 

  

  # List all backend pools.

  # GET  /scheduler-stats/get_pools

- "scheduler_extension:scheduler_stats:get_pools": "rule:admin or rule:reader"

+ "scheduler_extension:scheduler_stats:get_pools": "rule:admin or rule:auditor"

  

  # List, update or show hosts for a project.

  # GET  /os-hosts

@@ -332,12 +332,12 @@ 

  

  # Show limits with used limit attributes.

  # GET  /limits

- "limits_extension:used_limits": "rule:admin or rule:member or rule:reader"

+ "limits_extension:used_limits": "rule:admin or rule:member or rule:auditor"

  

  # List (in detail) of volumes which are available to manage.

  # GET  /manageable_volumes

  # GET  /manageable_volumes/detail

- "volume_extension:list_manageable": "rule:admin or rule:reader"

+ "volume_extension:list_manageable": "rule:admin or rule:auditor"

  

  # Manage existing volumes.

  # POST  /manageable_volumes

@@ -364,12 +364,12 @@ 

  # List or show volume type with access type extra specs attribute.

  # GET  /types/{type_id}

  # GET  /types

- "volume_extension:access_types_extra_specs": "rule:admin or rule:reader"

+ "volume_extension:access_types_extra_specs": "rule:admin or rule:auditor"

  

  # List or show volume type with access type qos specs id attribute.

  # GET  /types/{type_id}

  # GET  /types

- "volume_extension:access_types_qos_specs_id": "rule:admin or rule:reader"

+ "volume_extension:access_types_qos_specs_id": "rule:admin or rule:auditor"

  

  # Volume type access related APIs.

  # GET  /types

@@ -471,7 +471,7 @@ 

  # GET  /os-volume-transfer/detail

  # GET  /volume_transfers

  # GET  /volume_transfers/detail

- "volume:get_all_transfers": "rule:admin or rule:member or rule:reader"

+ "volume:get_all_transfers": "rule:admin or rule:member or rule:auditor"

  

  # Create a volume transfer.

  # POST  /os-volume-transfer

@@ -481,7 +481,7 @@ 

  # Show one specified volume transfer.

  # GET  /os-volume-transfer/{transfer_id}

  # GET  /volume_transfers/{transfer_id}

- "volume:get_transfer": "rule:admin or rule:member or rule:reader"

+ "volume:get_transfer": "rule:admin or rule:member or rule:auditor"

  

  # Accept a volume transfer.

  # POST  /os-volume-transfer/{transfer_id}/accept

@@ -496,7 +496,7 @@ 

  # Show volume's metadata or one specified metadata with a given key.

  # GET  /volumes/{volume_id}/metadata

  # GET  /volumes/{volume_id}/metadata/{key}

- "volume:get_volume_metadata": "rule:admin or rule:member or rule:reader"

+ "volume:get_volume_metadata": "rule:admin or rule:member or rule:auditor"

  

  # Create volume metadata.

  # POST  /volumes/{volume_id}/metadata

@@ -527,7 +527,7 @@ 

  

  # List type extra specs.

  # GET  /types/{type_id}/extra_specs

- "volume_extension:types_extra_specs:index": "rule:admin or rule:reader"

+ "volume_extension:types_extra_specs:index": "rule:admin or rule:auditor"

  

  # Create type extra specs.

  # POST  /types/{type_id}/extra_specs

@@ -535,7 +535,7 @@ 

  

  # Show one specified type extra specs.

  # GET  /types/{type_id}/extra_specs/{extra_spec_key}

- "volume_extension:types_extra_specs:show": "rule:admin or rule:reader"

+ "volume_extension:types_extra_specs:show": "rule:admin or rule:auditor"

  

  # Update type extra specs.

  # PUT  /types/{type_id}/extra_specs/{extra_spec_key}

@@ -555,13 +555,13 @@ 

  

  # Show volume.

  # GET  /volumes/{volume_id}

- "volume:get": "rule:admin or rule:member or rule:reader"

+ "volume:get": "rule:admin or rule:member or rule:auditor"

  

  # List volumes or get summary of volumes.

  # GET  /volumes

  # GET  /volumes/detail

  # GET  /volumes/summary

- "volume:get_all": "rule:admin or rule:member or rule:reader"

+ "volume:get_all": "rule:admin or rule:member or rule:auditor"

  

  # Update volume.

  # PUT  /volumes

@@ -578,22 +578,22 @@ 

  # List or show volume with host attribute.

  # GET  /volumes/{volume_id}

  # GET  /volumes/detail

- "volume_extension:volume_host_attribute": "rule:admin or rule:reader"

+ "volume_extension:volume_host_attribute": "rule:admin or rule:auditor"

  

  # List or show volume with tenant attribute.

  # GET  /volumes/{volume_id}

  # GET  /volumes/detail

- "volume_extension:volume_tenant_attribute": "rule:admin or rule:member or rule:reader"

+ "volume_extension:volume_tenant_attribute": "rule:admin or rule:member or rule:auditor"

  

  # List or show volume with migration status attribute.

  # GET  /volumes/{volume_id}

  # GET  /volumes/detail

- "volume_extension:volume_mig_status_attribute": "rule:admin or rule:reader"

+ "volume_extension:volume_mig_status_attribute": "rule:admin or rule:auditor"

  

  # Show volume's encryption metadata.

  # GET  /volumes/{volume_id}/encryption

  # GET  /volumes/{volume_id}/encryption/{encryption_key}

- "volume_extension:volume_encryption_metadata": "rule:admin or rule:member or rule:reader"

+ "volume_extension:volume_encryption_metadata": "rule:admin or rule:member or rule:auditor"

  

  # Create multiattach capable volume.

  # POST  /volumes
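Review bot: `volume_extension:qos_specs_manage:update` (hunk `@@ -265,7 +265,7 @@`) now grants `rule:auditor`, yet its own comment lists the associate, disassociate and disassociate_all endpoints, which change qos-spec bindings; `group:update_group_snapshot` (hunk `@@ -217,7 +217,7 @@`) is a PUT and gets the same grant. Both contradict the stated contract that auditors read but never modify, so a write grant carried over from the old `rule:reader` lines survives the rename. Dropping the auditor alternative, e.g. `"volume_extension:qos_specs_manage:update": "rule:admin"` and `"group:update_group_snapshot": "rule:admin or rule:member"`, keeps the read-only role honest; whether member belongs on the second rule depends on how this file scopes other group writes, which is outside these hunks.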

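--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -14,18 +14,18 @@
 # GET /v1/images
 # GET /v1/images/detail
 # GET /v2/images
-"get_images": "rule:admin or rule:member_or_public or rule:reader"
+"get_images": "rule:admin or rule:member_or_public or rule:auditor"
 
 # Retrieve a specific image entity
 # HEAD /v1/images/<IMAGE_ID>
 # GET /v1/images/<IMAGE_ID>
 # GET /v2/images/<IMAGE_ID>
-"get_image": "rule:admin or rule:member_or_public or rule:reader"
+"get_image": "rule:admin or rule:member_or_public or rule:auditor"
 
 # Download binary image data
 # GET /v1/images/<IMAGE_ID>
 # GET /v2/images/<IMAGE_ID>/file
-"download_image": "rule:admin or rule:member_or_public or rule:reader"
+"download_image": "rule:admin or rule:member_or_public or rule:auditor"
 
 # Upload binary image data
 # POST /v1/images
@@ -72,7 +72,7 @@
 # List the members of an image
 # GET /v1/images/<IMAGE_ID>/members
 # GET /v2/images/<IMAGE_ID>/members
-"get_members": "rule:admin or rule:member_or_public or rule:reader"
+"get_members": "rule:admin or rule:member_or_public or rule:auditor"
 
 # Delete a membership of an image
 # DELETE /v1/images/<IMAGE_ID>/members/<MEMBER_ID>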

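--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -11,39 +11,39 @@
 
 # RULES:
 
-"get status": "rule:admin or rule:reader"
+"get status": "rule:admin or rule:auditor"
 
 "create resource": "rule:admin or rule:member_or_creator"
-"get resource": "rule:admin or rule:member_or_creator or rule:reader"
+"get resource": "rule:admin or rule:member_or_creator or rule:auditor"
 "update resource": "rule:admin or rule:member_or_creator"
 "delete resource": "rule:admin or rule:member_or_creator"
 "delete resources": "rule:admin or rule:member_or_creator"
-"list resource": "rule:admin or rule:member_or_creator or rule:reader"
-"search resource": "rule:admin or rule:member_or_creator or rule:reader"
+"list resource": "rule:admin or rule:member_or_creator or rule:auditor"
+"search resource": "rule:admin or rule:member_or_creator or rule:auditor"
 
 "create resource type": "rule:admin"
 "delete resource type": "rule:admin"
 "update resource type": "rule:admin"
-"list resource type": "rule:admin or rule:member_or_creator or rule:reader"
-"get resource type": "rule:admin or rule:member_or_creator or rule:reader"
+"list resource type": "rule:admin or rule:member_or_creator or rule:auditor"
+"get resource type": "rule:admin or rule:member_or_creator or rule:auditor"
 
-"get archive policy": "rule:admin or rule:member_or_creator or rule:reader"
-"list archive policy": "rule:admin or rule:member_or_creator or rule:reader"
+"get archive policy": "rule:admin or rule:member_or_creator or rule:auditor"
+"list archive policy": "rule:admin or rule:member_or_creator or rule:auditor"
 "create archive policy": "rule:admin"
 "update archive policy": "rule:admin"
 "delete archive policy": "rule:admin"
 
 "create archive policy rule": "rule:admin"
-"get archive policy rule": "rule:admin or rule:member_or_creator or rule:reader"
-"list archive policy rule": "rule:admin or rule:member_or_creator or rule:reader"
+"get archive policy rule": "rule:admin or rule:member_or_creator or rule:auditor"
+"list archive policy rule": "rule:admin or rule:member_or_creator or rule:auditor"
 "update archive policy rule": "rule:admin"
 "delete archive policy rule": "rule:admin"
 
 "create metric": "rule:admin or rule:member_or_creator"
 "delete metric": "rule:admin or rule:member_or_creator"
-"get metric": "rule:admin or rule:member_or_creator or rule:reader"
-"search metric": "rule:admin or rule:member_or_creator or rule:reader"
-"list metric": "rule:admin or rule:member_or_creator or rule:reader"
+"get metric": "rule:admin or rule:member_or_creator or rule:auditor"
+"search metric": "rule:admin or rule:member_or_creator or rule:auditor"
+"list metric": "rule:admin or rule:member_or_creator or rule:auditor"
 
-"get measures":  "rule:admin or rule:member_or_creator or rule:reader"
+"get measures":  "rule:admin or rule:member_or_creator or rule:auditor"
 "post measures":  "rule:admin or rule:member_or_creator"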

file modified
+32 -32

@@ -19,18 +19,18 @@ 

  

  # Show build information.

  # GET /v1/{tenant_id}/build_info

- "build_info:build_info": "rule:admin or rule:member or rule:reader"

+ "build_info:build_info": "rule:admin or rule:member or rule:auditor"

  

  ### Policy Rules defined in heat.policies.cloudformation

  

  #

- "cloudformation:ListStacks": "rule:admin or rule:member or rule:reader"

+ "cloudformation:ListStacks": "rule:admin or rule:member or rule:auditor"

  

  #

  "cloudformation:CreateStack": "rule:admin or rule:member"

  

  #

- "cloudformation:DescribeStacks": "rule:admin or rule:member or rule:reader"

+ "cloudformation:DescribeStacks": "rule:admin or rule:member or rule:auditor"

  

  #

  "cloudformation:DeleteStack": "rule:admin or rule:member"

@@ -42,7 +42,7 @@ 

  "cloudformation:CancelUpdateStack": "rule:admin or rule:member"

  

  #

- "cloudformation:DescribeStackEvents": "rule:admin or rule:member or rule:reader"

+ "cloudformation:DescribeStackEvents": "rule:admin or rule:member or rule:auditor"

  

  #

  "cloudformation:ValidateTemplate": "rule:admin or rule:member"

@@ -51,40 +51,40 @@ 

  "cloudformation:GetTemplate": "rule:admin or rule:member"

  

  #

- "cloudformation:EstimateTemplateCost": "rule:admin or rule:member or rule:reader"

+ "cloudformation:EstimateTemplateCost": "rule:admin or rule:member or rule:auditor"

  

  #

- "cloudformation:DescribeStackResource": "rule:admin or rule:member or rule:reader"

+ "cloudformation:DescribeStackResource": "rule:admin or rule:member or rule:auditor"

  

  #

- "cloudformation:DescribeStackResources": "rule:admin or rule:member or rule:reader"

+ "cloudformation:DescribeStackResources": "rule:admin or rule:member or rule:auditor"

  

  #

- "cloudformation:ListStackResources": "rule:admin or rule:member or rule:reader"

+ "cloudformation:ListStackResources": "rule:admin or rule:member or rule:auditor"

  

  ### Policy Rules defined in heat.policies.events

  

  # List events.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events

- "events:index": "rule:admin or rule:member or rule:reader"

+ "events:index": "rule:admin or rule:member or rule:auditor"

  

  # Show event.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}

- "events:show": "rule:admin or rule:member or rule:reader"

+ "events:show": "rule:admin or rule:member or rule:auditor"

  

  ### Policy Rules defined in heat.policies.resource

  

  # List resources.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources

- "resource:index": "rule:admin or rule:member or rule:reader"

+ "resource:index": "rule:admin or rule:member or rule:auditor"

  

  # Show resource metadata.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata

- "resource:metadata": "rule:admin or rule:member or rule:reader"

+ "resource:metadata": "rule:admin or rule:member or rule:auditor"

  

  # Signal resource.

  # POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal

- "resource:signal": "rule:admin or rule:member or rule:reader"

+ "resource:signal": "rule:admin or rule:member or rule:auditor"

  

  # Mark resource as unhealthy.

  # PATCH /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}

@@ -92,7 +92,7 @@ 

  

  # Show resource.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}

- "resource:show": "rule:admin or rule:member or rule:reader"

+ "resource:show": "rule:admin or rule:member or rule:auditor"

  

  ### Policy Rules defined in heat.policies.resource_types

  

@@ -144,7 +144,7 @@ 

  ### Policy Rules defined in heat.policies.service

  

  #

- "service:index": "rule:admin or rule:reader"

+ "service:index": "rule:admin or rule:auditor"

  

  ### Policy Rules defined in heat.policies.software_configs

  

@@ -154,7 +154,7 @@ 

  

  # List configs.

  # GET /v1/{tenant_id}/software_configs

- "software_configs:index": "rule:admin or rule:member or rule:reader"

+ "software_configs:index": "rule:admin or rule:member or rule:auditor"

  

  # Create config.

  # POST /v1/{tenant_id}/software_configs

@@ -162,7 +162,7 @@ 

  

  # Show config details.

  # GET /v1/{tenant_id}/software_configs/{config_id}

- "software_configs:show": "rule:admin or rule:member or rule:reader"

+ "software_configs:show": "rule:admin or rule:member or rule:auditor"

  

  # Delete config.

  # DELETE /v1/{tenant_id}/software_configs/{config_id}

@@ -172,7 +172,7 @@ 

  

  # List deployments.

  # GET /v1/{tenant_id}/software_deployments

- "software_deployments:index": "rule:admin or rule:member or rule:reader"

+ "software_deployments:index": "rule:admin or rule:member or rule:auditor"

  

  # Create deployment.

  # POST /v1/{tenant_id}/software_deployments

@@ -180,7 +180,7 @@ 

  

  # Show deployment details.

  # GET /v1/{tenant_id}/software_deployments/{deployment_id}

- "software_deployments:show": "rule:admin or rule:member or rule:reader"

+ "software_deployments:show": "rule:admin or rule:member or rule:auditor"

  

  # Update deployment.

  # PUT /v1/{tenant_id}/software_deployments/{deployment_id}

@@ -192,7 +192,7 @@ 

  

  # Show server configuration metadata.

  # GET /v1/{tenant_id}/software_deployments/metadata/{server_id}

- "software_deployments:metadata": "rule:admin or rule:member or rule:reader"

+ "software_deployments:metadata": "rule:admin or rule:member or rule:auditor"

  

  ### Policy Rules defined in heat.policies.stacks

  

@@ -210,15 +210,15 @@ 

  

  # List stacks in detail.

  # GET /v1/{tenant_id}/stacks

- "stacks:detail": "rule:admin or rule:member or rule:reader"

+ "stacks:detail": "rule:admin or rule:member or rule:auditor"

  

  # Export stack.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export

- "stacks:export": "rule:admin or rule:member or rule:reader"

+ "stacks:export": "rule:admin or rule:member or rule:auditor"

  

  # Generate stack template.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template

- "stacks:generate_template": "rule:admin or rule:member or rule:reader"

+ "stacks:generate_template": "rule:admin or rule:member or rule:auditor"

  

  # List stacks globally.

  # GET /v1/{tenant_id}/stacks

@@ -226,23 +226,23 @@ 

  

  # List stacks.

  # GET /v1/{tenant_id}/stacks

- "stacks:index": "rule:admin or rule:member or rule:reader"

+ "stacks:index": "rule:admin or rule:member or rule:auditor"

  

  # List resource types.

  # GET /v1/{tenant_id}/resource_types

- "stacks:list_resource_types": "rule:admin or rule:member or rule:reader"

+ "stacks:list_resource_types": "rule:admin or rule:member or rule:auditor"

  

  # List template versions.

  # GET /v1/{tenant_id}/template_versions

- "stacks:list_template_versions": "rule:admin or rule:member or rule:reader"

+ "stacks:list_template_versions": "rule:admin or rule:member or rule:auditor"

  

  # List template functions.

  # GET /v1/{tenant_id}/template_versions/{template_version}/functions

- "stacks:list_template_functions": "rule:admin or rule:member or rule:reader"

+ "stacks:list_template_functions": "rule:admin or rule:member or rule:auditor"

  

  # Find stack.

  # GET /v1/{tenant_id}/stacks/{stack_identity}

- "stacks:lookup": "rule:admin or rule:member or rule:reader"

+ "stacks:lookup": "rule:admin or rule:member or rule:auditor"

  

  # Preview stack.

  # POST /v1/{tenant_id}/stacks/preview

@@ -250,11 +250,11 @@ 

  

  # Show resource type schema.

  # GET /v1/{tenant_id}/resource_types/{type_name}

- "stacks:resource_schema": "rule:admin or rule:member or rule:reader"

+ "stacks:resource_schema": "rule:admin or rule:member or rule:auditor"

  

  # Show stack.

  # GET /v1/{tenant_id}/stacks/{stack_identity}

- "stacks:show": "rule:admin or rule:member or rule:reader"

+ "stacks:show": "rule:admin or rule:member or rule:auditor"

  

  # Get stack template.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template

@@ -294,7 +294,7 @@ 

  

  # Show snapshot.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}

- "stacks:show_snapshot": "rule:admin or rule:member or rule:reader"

+ "stacks:show_snapshot": "rule:admin or rule:member or rule:auditor"

  

  # Delete snapshot.

  # DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}

@@ -302,7 +302,7 @@ 

  

  # List snapshots.

  # GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots

- "stacks:list_snapshots": "rule:admin or rule:member or rule:reader"

+ "stacks:list_snapshots": "rule:admin or rule:member or rule:auditor"

  

  # Restore snapshot.

  # POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore
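Review bot: `resource:signal` (hunk `@@ -51,40 +51,40 @@`) is a POST that delivers a signal to a resource, and the new line grants it to `rule:auditor`, a state-changing operation on a role defined as read-only. The grant is inherited from the old `rule:reader` value, but after the rename it contradicts the `auditor` definition in the common file, where the comment promises auditors "never modify". Unless signal delivery is deliberately exempt (worth a comment on the line if so), drop the auditor alternative: `"resource:signal": "rule:admin or rule:member"`.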

file modified
+66 -66

@@ -4,12 +4,12 @@ 

  # Show application credential details.

  # GET  /v3/users/{user_id}/application_credentials/{application_credential_id}

  # HEAD  /v3/users/{user_id}/application_credentials/{application_credential_id}

- "identity:get_application_credential": "rule:admin or rule:owner or rule:reader"

+ "identity:get_application_credential": "rule:admin or rule:owner or rule:auditor"

  

  # List application credentials for a user.

  # GET  /v3/users/{user_id}/application_credentials

  # HEAD  /v3/users/{user_id}/application_credentials

- "identity:list_application_credentials": "rule:admin or rule:owner or rule:reader"

+ "identity:list_application_credentials": "rule:admin or rule:owner or rule:auditor"

  

  # Create an application credential.

  # POST  /v3/users/{user_id}/application_credentials

@@ -117,12 +117,12 @@ 

  # Show domain details.

  # GET  /v3/domains/{domain_id}

  # Intended scope(s): system

- "identity:get_domain": "rule:admin or token.project.domain.id:%(target.domain.id)s or rule:reader"

+ "identity:get_domain": "rule:admin or token.project.domain.id:%(target.domain.id)s or rule:auditor"

  

  # List domains.

  # GET  /v3/domains

  # Intended scope(s): system

- "identity:list_domains": "rule:admin or rule:reader"

+ "identity:list_domains": "rule:admin or rule:auditor"

  

  # Create domain.

  # POST  /v3/domains

@@ -154,7 +154,7 @@ 

  # GET  /v3/domains/{domain_id}/config/{group}/{option}

  # HEAD  /v3/domains/{domain_id}/config/{group}/{option}

  # Intended scope(s): system

- "identity:get_domain_config": "rule:admin or rule:reader"

+ "identity:get_domain_config": "rule:admin or rule:auditor"

  

  # Get security compliance domain configuration for either a domain or

  # a specific option in a domain.

@@ -190,11 +190,11 @@ 

  # GET  /v3/domains/config/{group}/{option}/default

  # HEAD  /v3/domains/config/{group}/{option}/default

  # Intended scope(s): system

- "identity:get_domain_config_default": "rule:admin or rule:reader"

+ "identity:get_domain_config_default": "rule:admin or rule:auditor"

  

  # Show ec2 credential details.

  # GET  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

- "identity:ec2_get_credential": "rule:admin or (rule:owner and user_id:%(target.credential.user_id)s) or rule:reader"

+ "identity:ec2_get_credential": "rule:admin or (rule:owner and user_id:%(target.credential.user_id)s) or rule:auditor"

  

  # List ec2 credentials.

  # GET  /v3/users/{user_id}/credentials/OS-EC2

@@ -211,12 +211,12 @@ 

  # Show endpoint details.

  # GET  /v3/endpoints/{endpoint_id}

  # Intended scope(s): system

- "identity:get_endpoint": "rule:admin or rule:reader"

+ "identity:get_endpoint": "rule:admin or rule:auditor"

  

  # List endpoints.

  # GET  /v3/endpoints

  # Intended scope(s): system

- "identity:list_endpoints": "rule:admin or rule:reader"

+ "identity:list_endpoints": "rule:admin or rule:auditor"

  

  # Create endpoint.

  # POST  /v3/endpoints

@@ -241,13 +241,13 @@ 

  # List endpoint groups.

  # GET  /v3/OS-EP-FILTER/endpoint_groups

  # Intended scope(s): system

- "identity:list_endpoint_groups": "rule:admin or rule:reader"

+ "identity:list_endpoint_groups": "rule:admin or rule:auditor"

  

  # Get endpoint group.

  # GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

  # HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

  # Intended scope(s): system

- "identity:get_endpoint_group": "rule:admin or rule:reader"

+ "identity:get_endpoint_group": "rule:admin or rule:auditor"

  

  # Update endpoint group.

  # PATCH  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

@@ -262,23 +262,23 @@ 

  # List all projects associated with a specific endpoint group.

  # GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

  # Intended scope(s): system

- "identity:list_projects_associated_with_endpoint_group": "rule:admin or rule:reader"

+ "identity:list_projects_associated_with_endpoint_group": "rule:admin or rule:auditor"

  

  # List all endpoints associated with an endpoint group.

  # GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

  # Intended scope(s): system

- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin or rule:reader"

+ "identity:list_endpoints_associated_with_endpoint_group": "rule:admin or rule:auditor"

  

  # Check if an endpoint group is associated with a project.

  # GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

  # HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

  # Intended scope(s): system

- "identity:get_endpoint_group_in_project": "rule:admin or rule:reader"

+ "identity:get_endpoint_group_in_project": "rule:admin or rule:auditor"

  

  # List endpoint groups associated with a specific project.

  # GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

  # Intended scope(s): system

- "identity:list_endpoint_groups_for_project": "rule:admin or rule:reader"

+ "identity:list_endpoint_groups_for_project": "rule:admin or rule:auditor"

  

  # Allow a project to access an endpoint group.

  # PUT  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

@@ -312,7 +312,7 @@ 

  # HEAD  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  # GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  # Intended scope(s): system

- "identity:check_grant": "rule:admin or rule:reader"

+ "identity:check_grant": "rule:admin or rule:auditor"

  

  # List roles granted to an actor on a target. A target can be either a

  # domain or a project. An actor can be either a user or a group. For

@@ -330,7 +330,7 @@ 

  # GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

  # GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects

  # Intended scope(s): system

- "identity:list_grants": "rule:admin or rule:reader"

+ "identity:list_grants": "rule:admin or rule:auditor"

  

  # Create a role grant between a target and an actor. A target can be

  # either a domain or a project. An actor can be either a user or a

@@ -369,12 +369,12 @@ 

  # List all grants a specific user has on the system.

  # ['HEAD', 'GET']  /v3/system/users/{user_id}/roles

  # Intended scope(s): system

- "identity:list_system_grants_for_user": "rule:admin or rule:reader"

+ "identity:list_system_grants_for_user": "rule:admin or rule:auditor"

  

  # Check if a user has a role on the system.

  # ['HEAD', 'GET']  /v3/system/users/{user_id}/roles/{role_id}

  # Intended scope(s): system

- "identity:check_system_grant_for_user": "rule:admin or rule:reader"

+ "identity:check_system_grant_for_user": "rule:admin or rule:auditor"

  

  # Grant a user a role on the system.

  # ['PUT']  /v3/system/users/{user_id}/roles/{role_id}

@@ -389,12 +389,12 @@ 

  # List all grants a specific group has on the system.

  # ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles

  # Intended scope(s): system

- "identity:list_system_grants_for_group": "rule:admin or rule:reader"

+ "identity:list_system_grants_for_group": "rule:admin or rule:auditor"

  

  # Check if a group has a role on the system.

  # ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles/{role_id}

  # Intended scope(s): system

- "identity:check_system_grant_for_group": "rule:admin or rule:reader"

+ "identity:check_system_grant_for_group": "rule:admin or rule:auditor"

  

  # Grant a group a role on the system.

  # ['PUT']  /v3/system/groups/{group_id}/roles/{role_id}

@@ -410,19 +410,19 @@ 

  # GET  /v3/groups/{group_id}

  # HEAD  /v3/groups/{group_id}

  # Intended scope(s): system

- "identity:get_group": "rule:admin or rule:reader"

+ "identity:get_group": "rule:admin or rule:auditor"

  

  # List groups.

  # GET  /v3/groups

  # HEAD  /v3/groups

  # Intended scope(s): system

- "identity:list_groups": "rule:admin or rule:reader"

+ "identity:list_groups": "rule:admin or rule:auditor"

  

  # List groups to which a user belongs.

  # GET  /v3/users/{user_id}/groups

  # HEAD  /v3/users/{user_id}/groups

  # Intended scope(s): system

- "identity:list_groups_for_user": "rule:admin or rule:owner or rule:reader"

+ "identity:list_groups_for_user": "rule:admin or rule:owner or rule:auditor"

  

  # Create group.

  # POST  /v3/groups

@@ -443,7 +443,7 @@ 

  # GET  /v3/groups/{group_id}/users

  # HEAD  /v3/groups/{group_id}/users

  # Intended scope(s): system

- "identity:list_users_in_group": "rule:admin or rule:reader"

+ "identity:list_users_in_group": "rule:admin or rule:auditor"

  

  # Remove user from group.

  # DELETE  /v3/groups/{group_id}/users/{user_id}

@@ -454,7 +454,7 @@ 

  # HEAD  /v3/groups/{group_id}/users/{user_id}

  # GET  /v3/groups/{group_id}/users/{user_id}

  # Intended scope(s): system

- "identity:check_user_in_group": "rule:admin or rule:reader"

+ "identity:check_user_in_group": "rule:admin or rule:auditor"

  

  # Add user to group.

  # PUT  /v3/groups/{group_id}/users/{user_id}

@@ -470,13 +470,13 @@ 

  # GET  /v3/OS-FEDERATION/identity_providers

  # HEAD  /v3/OS-FEDERATION/identity_providers

  # Intended scope(s): system

- "identity:list_identity_providers": "rule:admin or rule:reader"

+ "identity:list_identity_providers": "rule:admin or rule:auditor"

  

  # Get identity provider.

  # GET  /v3/OS-FEDERATION/identity_providers/{idp_id}

  # HEAD  /v3/OS-FEDERATION/identity_providers/{idp_id}

  # Intended scope(s): system

- "identity:get_identity_provider": "rule:admin or rule:reader"

+ "identity:get_identity_provider": "rule:admin or rule:auditor"

  

  # Update identity provider.

  # PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}

@@ -494,7 +494,7 @@ 

  # role.

  # GET  /v3/roles/{prior_role_id}/implies/{implied_role_id}

  # Intended scope(s): system

- "identity:get_implied_role": "rule:admin or rule:reader"

+ "identity:get_implied_role": "rule:admin or rule:auditor"

  

  # List associations between two roles. When a relationship exists

  # between a prior role and an implied role and the prior role is

@@ -504,7 +504,7 @@ 

  # GET  /v3/roles/{prior_role_id}/implies

  # HEAD  /v3/roles/{prior_role_id}/implies

  # Intended scope(s): system

- "identity:list_implied_roles": "rule:admin or rule:reader"

+ "identity:list_implied_roles": "rule:admin or rule:auditor"

  

  # Create an association between two roles. When a relationship exists

  # between a prior role and an implied role and the prior role is

@@ -528,14 +528,14 @@ 

  # GET  /v3/role_inferences

  # HEAD  /v3/role_inferences

  # Intended scope(s): system

- "identity:list_role_inference_rules": "rule:admin or rule:reader"

+ "identity:list_role_inference_rules": "rule:admin or rule:auditor"

  

  # Check an association between two roles. When a relationship exists

  # between a prior role and an implied role and the prior role is

  # assigned to a user, the user also assumes the implied role.

  # HEAD  /v3/roles/{prior_role_id}/implies/{implied_role_id}

  # Intended scope(s): system

- "identity:check_implied_role": "rule:admin or rule:reader"

+ "identity:check_implied_role": "rule:admin or rule:auditor"

  

  # Get limit enforcement model.

  # GET  /v3/limits/model

@@ -579,13 +579,13 @@ 

  # GET  /v3/OS-FEDERATION/mappings/{mapping_id}

  # HEAD  /v3/OS-FEDERATION/mappings/{mapping_id}

  # Intended scope(s): system

- "identity:get_mapping": "rule:admin or rule:reader"

+ "identity:get_mapping": "rule:admin or rule:auditor"

  

  # List federated mappings.

  # GET  /v3/OS-FEDERATION/mappings

  # HEAD  /v3/OS-FEDERATION/mappings

  # Intended scope(s): system

- "identity:list_mappings": "rule:admin or rule:reader"

+ "identity:list_mappings": "rule:admin or rule:auditor"

  

  # Delete a federated mapping.

  # DELETE  /v3/OS-FEDERATION/mappings/{mapping_id}

@@ -600,12 +600,12 @@ 

  # Show policy details.

  # GET  /v3/policy/{policy_id}

  # Intended scope(s): system

- "identity:get_policy": "rule:admin or rule:reader"

+ "identity:get_policy": "rule:admin or rule:auditor"

  

  # List policies.

  # GET  /v3/policies

  # Intended scope(s): system

- "identity:list_policies": "rule:admin or rule:reader"

+ "identity:list_policies": "rule:admin or rule:auditor"

  

  # Create policy.

  # POST  /v3/policies

@@ -631,7 +631,7 @@ 

  # GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

  # HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

  # Intended scope(s): system

- "identity:check_policy_association_for_endpoint": "rule:admin or rule:reader"

+ "identity:check_policy_association_for_endpoint": "rule:admin or rule:auditor"

  

  # Delete policy association for endpoint.

  # DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

@@ -647,7 +647,7 @@ 

  # GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

  # HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

  # Intended scope(s): system

- "identity:check_policy_association_for_service": "rule:admin or rule:reader"

+ "identity:check_policy_association_for_service": "rule:admin or rule:auditor"

  

  # Delete policy association for service.

  # DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

@@ -663,7 +663,7 @@ 

  # GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

  # HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

  # Intended scope(s): system

- "identity:check_policy_association_for_region_and_service": "rule:admin or rule:reader"

+ "identity:check_policy_association_for_region_and_service": "rule:admin or rule:auditor"

  

  # Delete policy association for region and service.

  # DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

@@ -674,25 +674,25 @@ 

  # GET  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

  # HEAD  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

  # Intended scope(s): system

- "identity:get_policy_for_endpoint": "rule:admin or rule:reader"

+ "identity:get_policy_for_endpoint": "rule:admin or rule:auditor"

  

  # List endpoints for policy.

  # GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

  # Intended scope(s): system

- "identity:list_endpoints_for_policy": "rule:admin or rule:reader"

+ "identity:list_endpoints_for_policy": "rule:admin or rule:auditor"

  

  # Show project details.

  # GET  /v3/projects/{project_id}

- "identity:get_project": "rule:admin or project_id:%(target.project.id)s or rule:reader"

+ "identity:get_project": "rule:admin or project_id:%(target.project.id)s or rule:auditor"

  

  # List projects.

  # GET  /v3/projects

  # Intended scope(s): system

- "identity:list_projects": "rule:admin or rule:reader"

+ "identity:list_projects": "rule:admin or rule:auditor"

  

  # List projects for user.

  # GET  /v3/users/{user_id}/projects

- "identity:list_user_projects": "rule:admin or rule:owner or rule:reader"

+ "identity:list_user_projects": "rule:admin or rule:owner or rule:auditor"

  

  # Create project.

  # POST  /v3/projects

@@ -712,12 +712,12 @@ 

  # List tags for a project.

  # GET  /v3/projects/{project_id}/tags

  # HEAD  /v3/projects/{project_id}/tags

- "identity:list_project_tags": "rule:admin or project_id:%(target.project.id)s or rule:reader"

+ "identity:list_project_tags": "rule:admin or project_id:%(target.project.id)s or rule:auditor"

  

  # Check if project contains a tag.

  # GET  /v3/projects/{project_id}/tags/{value}

  # HEAD  /v3/projects/{project_id}/tags/{value}

- "identity:get_project_tag": "rule:admin or project_id:%(target.project.id)s or rule:reader"

+ "identity:get_project_tag": "rule:admin or project_id:%(target.project.id)s or rule:auditor"

  

  # Replace all tags on a project with the new set of tags.

  # PUT  /v3/projects/{project_id}/tags

@@ -742,7 +742,7 @@ 

  # List projects allowed to access an endpoint.

  # GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

  # Intended scope(s): system

- "identity:list_projects_for_endpoint": "rule:admin or rule:reader"

+ "identity:list_projects_for_endpoint": "rule:admin or rule:auditor"

  

  # Allow project to access an endpoint.

  # PUT  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

@@ -753,12 +753,12 @@ 

  # GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

  # HEAD  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

  # Intended scope(s): system

- "identity:check_endpoint_in_project": "rule:admin or rule:reader"

+ "identity:check_endpoint_in_project": "rule:admin or rule:auditor"

  

  # List the endpoints a project is allowed to access.

  # GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints

  # Intended scope(s): system

- "identity:list_endpoints_for_project": "rule:admin or rule:reader"

+ "identity:list_endpoints_for_project": "rule:admin or rule:auditor"

  

  # Remove access to an endpoint from a project that has previously been

  # given explicit access.

@@ -779,12 +779,12 @@ 

  # Get federated protocol.

  # GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

  # Intended scope(s): system

- "identity:get_protocol": "rule:admin or rule:reader"

+ "identity:get_protocol": "rule:admin or rule:auditor"

  

  # List federated protocols.

  # GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

  # Intended scope(s): system

- "identity:list_protocols": "rule:admin or rule:reader"

+ "identity:list_protocols": "rule:admin or rule:auditor"

  

  # Delete federated protocol.

  # DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

@@ -849,19 +849,19 @@ 

  # List revocation events.

  # GET  /v3/OS-REVOKE/events

  # Intended scope(s): system

- "identity:list_revoke_events": "rule:admin or rule:service_role or rule:reader"

+ "identity:list_revoke_events": "rule:admin or rule:service_role or rule:auditor"

  

  # Show role details.

  # GET  /v3/roles/{role_id}

  # HEAD  /v3/roles/{role_id}

  # Intended scope(s): system

- "identity:get_role": "rule:admin or rule:reader"

+ "identity:get_role": "rule:admin or rule:auditor"

  

  # List roles.

  # GET  /v3/roles

  # HEAD  /v3/roles

  # Intended scope(s): system

- "identity:list_roles": "rule:admin or rule:reader"

+ "identity:list_roles": "rule:admin or rule:auditor"

  

  # Create role.

  # POST  /v3/roles

@@ -882,13 +882,13 @@ 

  # GET  /v3/roles/{role_id}

  # HEAD  /v3/roles/{role_id}

  # Intended scope(s): system

- "identity:get_domain_role": "rule:admin or rule:reader"

+ "identity:get_domain_role": "rule:admin or rule:auditor"

  

  # List domain roles.

  # GET  /v3/roles?domain_id={domain_id}

  # HEAD  /v3/roles?domain_id={domain_id}

  # Intended scope(s): system

- "identity:list_domain_roles": "rule:admin or rule:reader"

+ "identity:list_domain_roles": "rule:admin or rule:auditor"

  

  # Create domain role.

  # POST  /v3/roles

@@ -909,23 +909,23 @@ 

  # GET  /v3/role_assignments

  # HEAD  /v3/role_assignments

  # Intended scope(s): system

- "identity:list_role_assignments": "rule:admin or rule:reader"

+ "identity:list_role_assignments": "rule:admin or rule:auditor"

  

  # List all role assignments for a given tree of hierarchical projects.

  # GET  /v3/role_assignments?include_subtree

  # HEAD  /v3/role_assignments?include_subtree

  # Intended scope(s): project

- "identity:list_role_assignments_for_tree": "rule:admin or rule:reader"

+ "identity:list_role_assignments_for_tree": "rule:admin or rule:auditor"

  

  # Show service details.

  # GET  /v3/services/{service_id}

  # Intended scope(s): system

- "identity:get_service": "rule:admin or rule:reader"

+ "identity:get_service": "rule:admin or rule:auditor"

  

  # List services.

  # GET  /v3/services

  # Intended scope(s): system

- "identity:list_services": "rule:admin or rule:reader"

+ "identity:list_services": "rule:admin or rule:auditor"

  

  # Create service.

  # POST  /v3/services

@@ -951,13 +951,13 @@ 

  # GET  /v3/OS-FEDERATION/service_providers

  # HEAD  /v3/OS-FEDERATION/service_providers

  # Intended scope(s): system

- "identity:list_service_providers": "rule:admin or rule:reader"

+ "identity:list_service_providers": "rule:admin or rule:auditor"

  

  # Get federated service provider.

  # GET  /v3/OS-FEDERATION/service_providers/{service_provider_id}

  # HEAD  /v3/OS-FEDERATION/service_providers/{service_provider_id}

  # Intended scope(s): system

- "identity:get_service_provider": "rule:admin or rule:reader"

+ "identity:get_service_provider": "rule:admin or rule:auditor"

  

  # Update federated service provider.

  # PATCH  /v3/OS-FEDERATION/service_providers/{service_provider_id}

@@ -972,7 +972,7 @@ 

  # List revoked PKI tokens.

  # GET  /v3/auth/tokens/OS-PKI/revoked

  # Intended scope(s): system, project

- "identity:revocation_list": "rule:admin or rule:service_role or rule:reader"

+ "identity:revocation_list": "rule:admin or rule:service_role or rule:auditor"

  

  # Check a token.

  # HEAD  /v3/auth/tokens

@@ -980,7 +980,7 @@ 

  

  # Validate a token.

  # GET  /v3/auth/tokens

- "identity:validate_token": "rule:admin or rule:service_role or rule:token_subject or rule:reader"

+ "identity:validate_token": "rule:admin or rule:service_role or rule:token_subject or rule:auditor"

  

  # Revoke a token.

  # DELETE  /v3/auth/tokens

@@ -1023,13 +1023,13 @@ 

  # Show user details.

  # GET  /v3/users/{user_id}

  # HEAD  /v3/users/{user_id}

- "identity:get_user": "rule:admin or rule:owner or rule:reader"

+ "identity:get_user": "rule:admin or rule:owner or rule:auditor"

  

  # List users.

  # GET  /v3/users

  # HEAD  /v3/users

  # Intended scope(s): system

- "identity:list_users": "rule:admin or rule:reader"

+ "identity:list_users": "rule:admin or rule:auditor"

  

  # List all projects a user has access to via role assignments.

  # GET   /v3/auth/projects

file modified
+57 -57

@@ -7,7 +7,7 @@ 

  # GET /os-availability-zone

  # GET /availability-zone

  #

- "availability_zone:index": "rule:default or rule:reader"

+ "availability_zone:index": "rule:default or rule:auditor"

  

  ### Policy Rules defined in manila.policies.base

  

@@ -16,13 +16,13 @@ 

  # Get details of a given message.

  # GET /messages/{message_id}

  #

- "message:get": "rule:default or rule:reader"

+ "message:get": "rule:default or rule:auditor"

  

  # Get all messages.

  # GET /messages

  # GET /messages?{query}

  #

- "message:get_all": "rule:default or rule:reader"

+ "message:get_all": "rule:default or rule:auditor"

  

  # Delete a message.

  # DELETE /messages/{message_id}

@@ -41,7 +41,7 @@ 

  # GET /quota-class-sets/{class_name}

  # GET /os-quota-class-sets/{class_name}

  #

- "quota_class_set:show": "rule:defaul or rule:readert"

+ "quota_class_set:show": "rule:defaul or rule:auditort"

  

  ### Policy Rules defined in manila.policies.quota_set

  
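Review bot: The new line for `quota_class_set:show` still carries the pre-existing typo and now reads `rule:defaul or rule:auditort`, so the mechanical reader→auditor substitution turned one broken rule name into another instead of repairing it. Neither `defaul` nor `auditort` is defined anywhere visible (every other manila rule in this file uses `rule:default`, and the common rule is `auditor`), and an oslo.policy-style engine evaluates a reference to an undefined rule as false, so this check would deny the request for everyone, admins included. The line should read `"quota_class_set:show": "rule:default or rule:auditor"`. Because the same substitution was applied to every `rule:reader` occurrence across both files, it would be worth having the policy test step fail on any `rule:` reference that does not resolve to a defined rule, which would have flagged this one.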

@@ -58,7 +58,7 @@ 

  # GET /quota-sets/{tenant_id}/defaults

  # GET /os-quota-sets/{tenant_id}/defaults

  #

- "quota_set:show": "rule:default or rule:reader"

+ "quota_set:show": "rule:default or rule:auditor"

  

  # Delete quota for a tenant/user or tenant/share-type. The quota will revert back to default (Admin only).

  # DELETE /quota-sets/{tenant_id}

@@ -75,13 +75,13 @@ 

  # GET /scheduler-stats/pools

  # GET /scheduler-stats/pools?{query}

  #

- "scheduler_stats:pools:index": "rule:admin or rule:reader"

+ "scheduler_stats:pools:index": "rule:admin or rule:auditor"

  

  # Get detailed information regarding backends (and storage pools) known to the scheduler.

  # GET /scheduler-stats/pools/detail?{query}

  # GET /scheduler-stats/pools/detail

  #

- "scheduler_stats:pools:detail": "rule:admin or rule:reader"

+ "scheduler_stats:pools:detail": "rule:admin or rule:auditor"

  

  ### Policy Rules defined in manila.policies.security_service

  

@@ -93,19 +93,19 @@ 

  # Get details of a security service.

  # GET /security-services/{security_service_id}

  #

- "security_service:show": "rule:default or rule:reader"

+ "security_service:show": "rule:default or rule:auditor"

  

  # Get details of all security services.

  # GET /security-services/detail?{query}

  # GET /security-services/detail

  #

- "security_service:detail": "rule:default or rule:reader"

+ "security_service:detail": "rule:default or rule:auditor"

  

  # Get all security services.

  # GET /security-services

  # GET /security-services?{query}

  #

- "security_service:index": "rule:default or rule:reader"

+ "security_service:index": "rule:default or rule:auditor"

  

  # Update a security service.

  # PUT /security-services/{security_service_id}

@@ -121,7 +121,7 @@ 

  # GET /security-services?all_tenants=1

  # GET /security-services/detail?all_tenants=1

  #

- "security_service:get_all_security_services": "rule:admin or rule:reader"

+ "security_service:get_all_security_services": "rule:admin or rule:auditor"

  

  ### Policy Rules defined in manila.policies.service

  

@@ -131,7 +131,7 @@ 

  # GET /services

  # GET /services?{query}

  #

- "service:index": "rule:admin or rule:reader"

+ "service:index": "rule:admin or rule:auditor"

  

  # Enable/Disable scheduling for a service.

  # PUT /os-services/disable

@@ -150,12 +150,12 @@ 

  # Get all export locations of a given share.

  # GET /shares/{share_id}/export_locations

  #

- "share_export_location:index": "rule:default or rule:reader"

+ "share_export_location:index": "rule:default or rule:auditor"

  

  # Get details about the requested export location.

  # GET /shares/{share_id}/export_locations/{export_location_id}

  #

- "share_export_location:show": "rule:default or rule:reader"

+ "share_export_location:show": "rule:default or rule:auditor"

  

  ### Policy Rules defined in manila.policies.share_group

  

@@ -167,7 +167,7 @@ 

  # Get details of a share group.

  # GET /share-groups/{share_group_id}

  #

- "share_group:get": "rule:default or rule:reader"

+ "share_group:get": "rule:default or rule:auditor"

  

  # Get all share groups.

  # GET /share-groups

@@ -175,7 +175,7 @@ 

  # GET /share-groups?{query}

  # GET /share-groups/detail?{query}

  #

- "share_group:get_all": "rule:default or rule:reader"

+ "share_group:get_all": "rule:default or rule:auditor"

  

  # Update share group.

  # PUT /share-groups/{share_group_id}

@@ -207,7 +207,7 @@ 

  # Get details of a share group snapshot.

  # GET /share-group-snapshots/{share_group_snapshot_id}

  #

- "share_group_snapshot:get": "rule:default or rule:reader"

+ "share_group_snapshot:get": "rule:default or rule:auditor"

  

  # Get all share group snapshots.

  # GET /share-group-snapshots

@@ -215,7 +215,7 @@ 

  # GET /share-group-snapshots/{query}

  # GET /share-group-snapshots/detail?{query}

  #

- "share_group_snapshot:get_all": "rule:default or rule:reader"

+ "share_group_snapshot:get_all": "rule:default or rule:auditor"

  

  # Update a share group snapshot.

  # PUT /share-group-snapshots/{share_group_snapshot_id}

@@ -248,17 +248,17 @@ 

  # GET /share-group-types

  # GET /share-group-types?is_public=all

  #

- "share_group_type:index": "rule:default or rule:reader"

+ "share_group_type:index": "rule:default or rule:auditor"

  

  # Get details regarding the specified share group type.

  # GET /share-group-types/{share_group_type_id}

  #

- "share_group_type:show": "rule:default or rule:reader"

+ "share_group_type:show": "rule:default or rule:auditor"

  

  # Get the default share group type.

  # GET /share-group-types/default

  #

- "share_group_type:default": "rule:default or rule:reader"

+ "share_group_type:default": "rule:default or rule:auditor"

  

  # Delete an existing group type.

  # DELETE /share-group-types/{share_group_type_id}

@@ -268,7 +268,7 @@ 

  # Get project access by share group type.

  # POST /share-group-types/{share_group_type_id}/access

  #

- "share_group_type:list_project_access": "rule:admin or rule:reader"

+ "share_group_type:list_project_access": "rule:admin or rule:auditor"

  

  # Allow project to use the share group type.

  # POST /share-group-types/{share_group_type_id}/action

@@ -290,12 +290,12 @@ 

  # Get share group type specs.

  # GET /share-group-types/{share_group_type_id}/group-specs

  #

- "share_group_types_spec:index": "rule:admin or rule:reader"

+ "share_group_types_spec:index": "rule:admin or rule:auditor"

  

  # Get details of a share group type spec.

  # GET /share-group-types/{share_group_type_id}/group-specs/{key}

  #

- "share_group_types_spec:show": "rule:admin or rule:reader"

+ "share_group_types_spec:show": "rule:admin or rule:auditor"

  

  # Update a share group type spec.

  # PUT /share-group-types/{share_group_type_id}/group-specs/{key}

@@ -321,19 +321,19 @@ 

  # Get details of a share network.

  # GET /share-networks/{share_network_id}

  #

- "share_network:show": "rule:default or rule:reader"

+ "share_network:show": "rule:default or rule:auditor"

  

  # Get all share networks.

  # GET /share-networks

  # GET /share-networks?{query}

  #

- "share_network:index": "rule:default or rule:reader"

+ "share_network:index": "rule:default or rule:auditor"

  

  # Get details of share networks .

  # GET /share-networks/detail?{query}

  # GET /share-networks/detail

  #

- "share_network:detail": "rule:default or rule:reader"

+ "share_network:detail": "rule:default or rule:auditor"

  

  # Update a share network.

  # PUT /share-networks/{share_network_id}

@@ -359,7 +359,7 @@ 

  # GET /share-networks?all_tenants=1

  # GET /share-networks/detail?all_tenants=1

  #

- "share_network:get_all_share_networks": "rule:admin or rule:reader"

+ "share_network:get_all_share_networks": "rule:admin or rule:auditor"

  

  ### Policy Rules defined in manila.policies.share_replica

  

@@ -373,12 +373,12 @@ 

  # GET /share-replicas/detail

  # GET /share-replicas/detail?share_id={share_id}

  #

- "share_replica:get_all": "rule:default or rule:reader"

+ "share_replica:get_all": "rule:default or rule:auditor"

  

  # Get details of a share replica.

  # GET /share-replicas/{share_replica_id}

  #

- "share_replica:show": "rule:default or rule:reader"

+ "share_replica:show": "rule:default or rule:auditor"

  

  # Delete a share replica.

  # DELETE /share-replicas/{share_replica_id}

@@ -416,17 +416,17 @@ 

  # GET /share-servers

  # GET /share-servers?{query}

  #

- "share_server:index": "rule:admin or rule:reader"

+ "share_server:index": "rule:admin or rule:auditor"

  

  # Show share server.

  # GET /share-servers/{server_id}

  #

- "share_server:show": "rule:admin or rule:reader"

+ "share_server:show": "rule:admin or rule:auditor"

  

  # Get share server details.

  # GET /share-servers/{server_id}/details

  #

- "share_server:details": "rule:admin or rule:reader"

+ "share_server:details": "rule:admin or rule:auditor"

  

  # Delete share server.

  # DELETE /share-servers/{server_id}

@@ -438,7 +438,7 @@ 

  # Get share snapshot.

  # GET /snapshots/{snapshot_id}

  #

- "share_snapshot:get_snapshot": "rule:default or rule:reader"

+ "share_snapshot:get_snapshot": "rule:default or rule:auditor"

  

  # Get all share snapshots.

  # GET /snapshots

@@ -446,7 +446,7 @@ 

  # GET /snapshots?{query}

  # GET /snapshots/detail?{query}

  #

- "share_snapshot:get_all_snapshots": "rule:default or rule:reader"

+ "share_snapshot:get_all_snapshots": "rule:default or rule:auditor"

  

  # Force Delete a share snapshot.

  # DELETE /snapshots/{snapshot_id}

@@ -471,7 +471,7 @@ 

  # List access rules of a share snapshot.

  # GET /snapshots/{snapshot_id}/access-list

  #

- "share_snapshot:access_list": "rule:default or rule:reader"

+ "share_snapshot:access_list": "rule:default or rule:auditor"

  

  # Allow access to a share snapshot.

  # POST /snapshots/{snapshot_id}/action

@@ -488,31 +488,31 @@ 

  # List export locations of a share snapshot.

  # GET /snapshots/{snapshot_id}/export-locations/

  #

- "share_snapshot_export_location:index": "rule:default or rule:reader"

+ "share_snapshot_export_location:index": "rule:default or rule:auditor"

  

  # Get details of a specified export location of a share snapshot.

  # GET /snapshots/{snapshot_id}/export-locations/{export_location_id}

  #

- "share_snapshot_export_location:show": "rule:default or rule:reader"

+ "share_snapshot_export_location:show": "rule:default or rule:auditor"

  

  ### Policy Rules defined in manila.policies.share_snapshot_instance

  

  # Get share snapshot instance.

  # GET /snapshot-instances/{snapshot_instance_id}

  #

- "share_snapshot_instance:show": "rule:admin or rule:reader"

+ "share_snapshot_instance:show": "rule:admin or rule:auditor"

  

  # Get all share snapshot instances.

  # GET /snapshot-instances

  # GET /snapshot-instances?{query}

  #

- "share_snapshot_instance:index": "rule:admin or rule:reader"

+ "share_snapshot_instance:index": "rule:admin or rule:auditor"

  

  # Get details of share snapshot instances.

  # GET /snapshot-instances/detail

  # GET /snapshot-instances/detail?{query}

  #

- "share_snapshot_instance:detail": "rule:admin or rule:reader"

+ "share_snapshot_instance:detail": "rule:admin or rule:auditor"

  

  # Reset share snapshot instance's status.

  # POST /snapshot-instances/{snapshot_instance_id}/action

@@ -524,12 +524,12 @@ 

  # List export locations of a share snapshot instance.

  # GET /snapshot-instances/{snapshot_instance_id}/export-locations

  #

- "share_snapshot_instance_export_location:index": "rule:admin or rule:reader"

+ "share_snapshot_instance_export_location:index": "rule:admin or rule:auditor"

  

  # Show details of a specified export location of a share snapshot instance.

  # GET /snapshot-instances/{snapshot_instance_id}/export-locations/{export_location_id}

  #

- "share_snapshot_instance_export_location:show": "rule:admin or rule:reader"

+ "share_snapshot_instance_export_location:show": "rule:admin or rule:auditor"

  

  ### Policy Rules defined in manila.policies.share_type

  

@@ -541,18 +541,18 @@ 

  # Get share type.

  # GET /types/{share_type_id}

  #

- "share_type:show": "rule:default or rule:reader"

+ "share_type:show": "rule:default or rule:auditor"

  

  # List share types.

  # GET /types

  # GET /types?is_public=all

  #

- "share_type:index": "rule:default or rule:reader"

+ "share_type:index": "rule:default or rule:auditor"

  

  # Get default share type.

  # GET /types/default

  #

- "share_type:default": "rule:default or rule:reader"

+ "share_type:default": "rule:default or rule:auditor"

  

  # Delete share type.

  # DELETE /types/{share_type_id}

@@ -562,7 +562,7 @@ 

  # List share type project access.

  # GET /types/{share_type_id}

  #

- "share_type:list_project_access": "rule:admin or rule:reader"

+ "share_type:list_project_access": "rule:admin or rule:auditor"

  

  # Add share type to project.

  # POST /types/{share_type_id}/action

@@ -584,12 +584,12 @@ 

  # Get share type extra specs of a given share type.

  # GET /types/{share_type_id}/extra_specs

  #

- "share_types_extra_spec:show": "rule:admin or rule:reader"

+ "share_types_extra_spec:show": "rule:admin or rule:auditor"

  

  # Get details of a share type extra spec.

  # GET /types/{share_type_id}/extra_specs/{extra_spec_id}

  #

- "share_types_extra_spec:index": "rule:admin or rule:reader"

+ "share_types_extra_spec:index": "rule:admin or rule:auditor"

  

  # Update share type extra spec.

  # PUT /types/{share_type_id}/extra_specs

@@ -611,13 +611,13 @@ 

  # Get share.

  # GET /shares/{share_id}

  #

- "share:get": "rule:default or rule:reader"

+ "share:get": "rule:default or rule:auditor"

  

  # List shares.

  # GET /shares

  # GET /shares/detail

  #

- "share:get_all": "rule:default or rule:reader"

+ "share:get_all": "rule:default or rule:auditor"

  

  # Update share.

  # PUT /shares

@@ -653,23 +653,23 @@ 

  # GET /shares

  # GET /shares/detail

  #

- "share:list_by_host": "rule:admin or rule:reader"

+ "share:list_by_host": "rule:admin or rule:auditor"

  

  # List share by server id.

  # GET /shares

  # GET /shares/detail

  #

- "share:list_by_share_server_id": "rule:admin or rule:reader"

+ "share:list_by_share_server_id": "rule:admin or rule:auditor"

  

  # Get share access rule, it under deny access operation.

  # POST /shares/{share_id}/action

  #

- "share:access_get": "rule:default or rule:reader"

+ "share:access_get": "rule:default or rule:auditor"

  

  # List share access rules.

  # GET /shares/{share_id}/action

  #

- "share:access_get_all": "rule:default or rule:reader"

+ "share:access_get_all": "rule:default or rule:auditor"

  

  # Extend share.

  # POST /shares/{share_id}/action
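Review bot: `"share:list_by_host": "rule:admin or rule:auditor"` and the `share:list_by_share_server_id` line below it admit the project-scoped half of `auditor` (`project_auditor` matches on `project_id:%(project_id)s`) to listings that are otherwise admin-only; whether a project auditor should pass depends on what target manila hands the enforcer for host and server-id filters, which is not visible here, and the replaced `reader` rule had the same shape, so this is pre-existing rather than introduced by the rename. A comment on those two lines, e.g. `# auditor is global OR project scoped; cross-project filtering is left to the API`, would record that the choice was deliberate. Separately, `share:access_get_all` and `share:access_get` return access rules, which can carry an `access_key` for some backends; confirm that a read-only auditor is meant to see those values before this merges.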

@@ -699,7 +699,7 @@ 

  # Retrieve share migration progress for a given share.

  # POST /shares/{share_id}/action

  #

- "share:migration_get_progress": "rule:admin or rule:reader"

+ "share:migration_get_progress": "rule:admin or rule:auditor"

  

  # Reset task state.

  # POST /shares/{share_id}/action