#13 stock policy
Merged 9 months ago by nkinder. Opened 9 months ago by admiyo.

file modified
+1

@@ -1,3 +1,4 @@ 

  build/*

  *~

  *current

+ tests/*/*stock

@@ -0,0 +1,1 @@ 

+ ---

@@ -0,0 +1,634 @@ 

+ # Decides what is required for the 'is_admin:True' check to succeed.

+ "context_is_admin": "role:admin"

+ 

+ # Default rule for most non-Admin APIs.

+ "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"

+ 

+ # Default rule for most Admin APIs.

+ "admin_api": "is_admin:True or (role:admin and is_admin_project:True)"

+ 

+ # Create attachment.

+ # POST  /attachments

+ "volume:attachment_create": ""

+ 

+ # Update attachment.

+ # PUT  /attachments/{attachment_id}

+ "volume:attachment_update": "rule:admin_or_owner"

+ 

+ # Delete attachment.

+ # DELETE  /attachments/{attachment_id}

+ "volume:attachment_delete": "rule:admin_or_owner"

+ 

+ # Mark a volume attachment process as completed (in-use)

+ # POST  /attachments/{attachment_id}/action (os-complete)

+ "volume:attachment_complete": "rule:admin_or_owner"

+ 

+ # Allow multiattach of bootable volumes.

+ # POST  /attachments

+ "volume:multiattach_bootable_volume": "rule:admin_or_owner"

+ 

+ # List messages.

+ # GET  /messages

+ "message:get_all": "rule:admin_or_owner"

+ 

+ # Show message.

+ # GET  /messages/{message_id}

+ "message:get": "rule:admin_or_owner"

+ 

+ # Delete message.

+ # DELETE  /messages/{message_id}

+ "message:delete": "rule:admin_or_owner"

+ 

+ # List clusters.

+ # GET  /clusters

+ # GET  /clusters/detail

+ "clusters:get_all": "rule:admin_api"

+ 

+ # Show cluster.

+ # GET  /clusters/{cluster_id}

+ "clusters:get": "rule:admin_api"

+ 

+ # Update cluster.

+ # PUT  /clusters/{cluster_id}

+ "clusters:update": "rule:admin_api"

+ 

+ # Clean up workers.

+ # POST  /workers/cleanup

+ "workers:cleanup": "rule:admin_api"

+ 

+ # Show snapshot's metadata or one specified metadata with a given key.

+ # GET  /snapshots/{snapshot_id}/metadata

+ # GET  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:get_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # Update snapshot's metadata or one specified metadata with a given

+ # key.

+ # PUT  /snapshots/{snapshot_id}/metadata

+ # PUT  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:update_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # Delete snapshot's specified metadata with a given key.

+ # DELETE  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:delete_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # List snapshots.

+ # GET  /snapshots

+ # GET  /snapshots/detail

+ "volume:get_all_snapshots": "rule:admin_or_owner"

+ 

+ # List or show snapshots with extended attributes.

+ # GET  /snapshots/{snapshot_id}

+ # GET  /snapshots/detail

+ "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"

+ 

+ # Create snapshot.

+ # POST  /snapshots

+ "volume:create_snapshot": "rule:admin_or_owner"

+ 

+ # Show snapshot.

+ # GET  /snapshots/{snapshot_id}

+ "volume:get_snapshot": "rule:admin_or_owner"

+ 

+ # Update snapshot.

+ # PUT  /snapshots/{snapshot_id}

+ "volume:update_snapshot": "rule:admin_or_owner"

+ 

+ # Delete snapshot.

+ # DELETE  /snapshots/{snapshot_id}

+ "volume:delete_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-reset_status)

+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Update database fields of snapshot.

+ # POST  /snapshots/{snapshot_id}/action (update_snapshot_status)

+ "snapshot_extension:snapshot_actions:update_snapshot_status": ""

+ 

+ # Force delete a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-force_delete)

+ "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"

+ 

+ # List (in detail) of snapshots which are available to manage.

+ # GET  /manageable_snapshots

+ # GET  /manageable_snapshots/detail

+ "snapshot_extension:list_manageable": "rule:admin_api"

+ 

+ # Manage an existing snapshot.

+ # POST  /manageable_snapshots

+ "snapshot_extension:snapshot_manage": "rule:admin_api"

+ 

+ # Stop managing a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-unmanage)

+ "snapshot_extension:snapshot_unmanage": "rule:admin_api"

+ 

+ # List backups.

+ # GET  /backups

+ # GET  /backups/detail

+ "backup:get_all": "rule:admin_or_owner"

+ 

+ # List backups or show backup with project attributes.

+ # GET  /backups/{backup_id}

+ # GET  /backups/detail

+ "backup:backup_project_attribute": "rule:admin_api"

+ 

+ # Create backup.

+ # POST  /backups

+ "backup:create": ""

+ 

+ # Show backup.

+ # GET  /backups/{backup_id}

+ "backup:get": "rule:admin_or_owner"

+ 

+ # Update backup.

+ # PUT  /backups/{backup_id}

+ "backup:update": "rule:admin_or_owner"

+ 

+ # Delete backup.

+ # DELETE  /backups/{backup_id}

+ "backup:delete": "rule:admin_or_owner"

+ 

+ # Restore backup.

+ # POST  /backups/{backup_id}/restore

+ "backup:restore": "rule:admin_or_owner"

+ 

+ # Import backup.

+ # POST  /backups/{backup_id}/import_record

+ "backup:backup-import": "rule:admin_api"

+ 

+ # Export backup.

+ # POST  /backups/{backup_id}/export_record

+ "backup:export-import": "rule:admin_api"

+ 

+ # Reset status of a backup.

+ # POST  /backups/{backup_id}/action (os-reset_status)

+ "volume_extension:backup_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Force delete a backup.

+ # POST  /backups/{backup_id}/action (os-force_delete)

+ "volume_extension:backup_admin_actions:force_delete": "rule:admin_api"

+ 

+ # List groups.

+ # GET  /groups

+ # GET  /groups/detail

+ "group:get_all": "rule:admin_or_owner"

+ 

+ # Create group.

+ # POST  /groups

+ "group:create": ""

+ 

+ # Show group.

+ # GET  /groups/{group_id}

+ "group:get": "rule:admin_or_owner"

+ 

+ # Update group.

+ # PUT  /groups/{group_id}

+ "group:update": "rule:admin_or_owner"

+ 

+ # Create, update or delete a group type.

+ # POST  /group_types/

+ # PUT  /group_types/{group_type_id}

+ # DELETE  /group_types/{group_type_id}

+ "group:group_types_manage": "rule:admin_api"

+ 

+ # Show group type with type specs attributes.

+ # GET  /group_types/{group_type_id}

+ "group:access_group_types_specs": "rule:admin_api"

+ 

+ # Create, show, update and delete group type spec.

+ # GET  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ # GET  /group_types/{group_type_id}/group_specs

+ # POST  /group_types/{group_type_id}/group_specs

+ # PUT  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ # DELETE  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ "group:group_types_specs": "rule:admin_api"

+ 

+ # List group snapshots.

+ # GET  /group_snapshots

+ # GET  /group_snapshots/detail

+ "group:get_all_group_snapshots": "rule:admin_or_owner"

+ 

+ # Create group snapshot.

+ # POST  /group_snapshots

+ "group:create_group_snapshot": ""

+ 

+ # Show group snapshot.

+ # GET  /group_snapshots/{group_snapshot_id}

+ "group:get_group_snapshot": "rule:admin_or_owner"

+ 

+ # Delete group snapshot.

+ # DELETE  /group_snapshots/{group_snapshot_id}

+ "group:delete_group_snapshot": "rule:admin_or_owner"

+ 

+ # Update group snapshot.

+ # PUT  /group_snapshots/{group_snapshot_id}

+ "group:update_group_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of group snapshot.

+ # POST  /group_snapshots/{g_snapshot_id}/action (reset_status)

+ "group:reset_group_snapshot_status": "rule:admin_or_owner"

+ 

+ # Delete group.

+ # POST  /groups/{group_id}/action (delete)

+ "group:delete": "rule:admin_or_owner"

+ 

+ # Reset status of group.

+ # POST  /groups/{group_id}/action (reset_status)

+ "group:reset_status": "rule:admin_api"

+ 

+ # Enable replication.

+ # POST  /groups/{group_id}/action (enable_replication)

+ "group:enable_replication": "rule:admin_or_owner"

+ 

+ # Disable replication.

+ # POST  /groups/{group_id}/action (disable_replication)

+ "group:disable_replication": "rule:admin_or_owner"

+ 

+ # Fail over replication.

+ # POST  /groups/{group_id}/action (failover_replication)

+ "group:failover_replication": "rule:admin_or_owner"

+ 

+ # List failover replication.

+ # POST  /groups/{group_id}/action (list_replication_targets)

+ "group:list_replication_targets": "rule:admin_or_owner"

+ 

+ # List qos specs or list all associations.

+ # GET  /qos-specs

+ # GET  /qos-specs/{qos_id}/associations

+ "volume_extension:qos_specs_manage:get_all": "rule:admin_api"

+ 

+ # Show qos specs.

+ # GET  /qos-specs/{qos_id}

+ "volume_extension:qos_specs_manage:get": "rule:admin_api"

+ 

+ # Create qos specs.

+ # POST  /qos-specs

+ "volume_extension:qos_specs_manage:create": "rule:admin_api"

+ 

+ # Update qos specs (including updating association).

+ # PUT  /qos-specs/{qos_id}

+ # GET  /qos-specs/{qos_id}/disassociate_all

+ # GET  /qos-specs/{qos_id}/associate

+ # GET  /qos-specs/{qos_id}/disassociate

+ "volume_extension:qos_specs_manage:update": "rule:admin_api"

+ 

+ # delete qos specs or unset one specified qos key.

+ # DELETE  /qos-specs/{qos_id}

+ # PUT  /qos-specs/{qos_id}/delete_keys

+ "volume_extension:qos_specs_manage:delete": "rule:admin_api"

+ 

+ # Show or update project quota class.

+ # GET  /os-quota-class-sets/{project_id}

+ # PUT  /os-quota-class-sets/{project_id}

+ "volume_extension:quota_classes": "rule:admin_api"

+ 

+ # Show project quota (including usage and default).

+ # GET  /os-quota-sets/{project_id}

+ # GET  /os-quota-sets/{project_id}/default

+ # GET  /os-quota-sets/{project_id}?usage=True

+ "volume_extension:quotas:show": "rule:admin_or_owner"

+ 

+ # Update project quota.

+ # PUT  /os-quota-sets/{project_id}

+ "volume_extension:quotas:update": "rule:admin_api"

+ 

+ # Delete project quota.

+ # DELETE  /os-quota-sets/{project_id}

+ "volume_extension:quotas:delete": "rule:admin_api"

+ 

+ # Validate setup for nested quota.

+ # GET  /os-quota-sets/validate_setup_for_nested_quota_use

+ "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"

+ 

+ # Show backend capabilities.

+ # GET  /capabilities/{host_name}

+ "volume_extension:capabilities": "rule:admin_api"

+ 

+ # List all services.

+ # GET  /os-services

+ "volume_extension:services:index": "rule:admin_api"

+ 

+ # Update service, including failover_host, thaw, freeze, disable,

+ # enable, set-log and get-log actions.

+ # PUT  /os-services/{action}

+ "volume_extension:services:update": "rule:admin_api"

+ 

+ # Freeze a backend host.

+ # PUT  /os-services/freeze

+ "volume:freeze_host": "rule:admin_api"

+ 

+ # Thaw a backend host.

+ # PUT  /os-services/thaw

+ "volume:thaw_host": "rule:admin_api"

+ 

+ # Failover a backend host.

+ # PUT  /os-services/failover_host

+ "volume:failover_host": "rule:admin_api"

+ 

+ # List all backend pools.

+ # GET  /scheduler-stats/get_pools

+ "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"

+ 

+ # List, update or show hosts for a project.

+ # GET  /os-hosts

+ # PUT  /os-hosts/{host_name}

+ # GET  /os-hosts/{host_id}

+ "volume_extension:hosts": "rule:admin_api"

+ 

+ # Show limits with used limit attributes.

+ # GET  /limits

+ "limits_extension:used_limits": "rule:admin_or_owner"

+ 

+ # List (in detail) of volumes which are available to manage.

+ # GET  /manageable_volumes

+ # GET  /manageable_volumes/detail

+ "volume_extension:list_manageable": "rule:admin_api"

+ 

+ # Manage existing volumes.

+ # POST  /manageable_volumes

+ "volume_extension:volume_manage": "rule:admin_api"

+ 

+ # Stop managing a volume.

+ # POST  /volumes/{volume_id}/action (os-unmanage)

+ "volume_extension:volume_unmanage": "rule:admin_api"

+ 

+ # Create, update and delete volume type.

+ # POST  /types

+ # PUT  /types

+ # DELETE  /types

+ "volume_extension:types_manage": "rule:admin_api"

+ 

+ # Get one specific volume type.

+ # GET  /types/{type_id}

+ "volume_extension:type_get": ""

+ 

+ # List volume types.

+ # GET  /types/

+ "volume_extension:type_get_all": ""

+ 

+ # List, show, create, update and delete volume type encryption. This

+ # is deprecated in the Stein release and will be removed in the

+ # future.

+ # POST  /types/{type_id}/encryption

+ # PUT  /types/{type_id}/encryption/{encryption_id}

+ # GET  /types/{type_id}/encryption

+ # GET  /types/{type_id}/encryption/{encryption_id}

+ # DELETE  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption": "rule:admin_api"

+ 

+ # Create volume type encryption.

+ # POST  /types/{type_id}/encryption

+ "volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"

+ 

+ # Show, list volume type encryption.

+ # GET  /types/{type_id}/encryption/{encryption_id}

+ # GET  /types/{type_id}/encryption

+ "volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"

+ 

+ # Update volume type encryption.

+ # PUT  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"

+ 

+ # Delete volume type encryption.

+ # DELETE  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"

+ 

+ # List or show volume type with access type extra specs attribute.

+ # GET  /types/{type_id}

+ # GET  /types

+ "volume_extension:access_types_extra_specs": "rule:admin_api"

+ 

+ # List or show volume type with access type qos specs id attribute.

+ # GET  /types/{type_id}

+ # GET  /types

+ "volume_extension:access_types_qos_specs_id": "rule:admin_api"

+ 

+ # Volume type access related APIs.

+ # GET  /types

+ # GET  /types/detail

+ # GET  /types/{type_id}

+ # POST  /types

+ "volume_extension:volume_type_access": "rule:admin_or_owner"

+ 

+ # Add volume type access for project.

+ # POST  /types/{type_id}/action (addProjectAccess)

+ "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"

+ 

+ # Remove volume type access for project.

+ # POST  /types/{type_id}/action (removeProjectAccess)

+ "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"

+ 

+ # Extend a volume.

+ # POST  /volumes/{volume_id}/action (os-extend)

+ "volume:extend": "rule:admin_or_owner"

+ 

+ # Extend a attached volume.

+ # POST  /volumes/{volume_id}/action (os-extend)

+ "volume:extend_attached_volume": "rule:admin_or_owner"

+ 

+ # Revert a volume to a snapshot.

+ # POST  /volumes/{volume_id}/action (revert)

+ "volume:revert_to_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of a volume.

+ # POST  /volumes/{volume_id}/action (os-reset_status)

+ "volume_extension:volume_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Retype a volume.

+ # POST  /volumes/{volume_id}/action (os-retype)

+ "volume:retype": "rule:admin_or_owner"

+ 

+ # Update a volume's readonly flag.

+ # POST  /volumes/{volume_id}/action (os-update_readonly_flag)

+ "volume:update_readonly_flag": "rule:admin_or_owner"

+ 

+ # Force delete a volume.

+ # POST  /volumes/{volume_id}/action (os-force_delete)

+ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api"

+ 

+ # Upload a volume to image with public visibility.

+ # POST  /volumes/{volume_id}/action (os-volume_upload_image)

+ "volume_extension:volume_actions:upload_public": "rule:admin_api"

+ 

+ # Upload a volume to image.

+ # POST  /volumes/{volume_id}/action (os-volume_upload_image)

+ "volume_extension:volume_actions:upload_image": "rule:admin_or_owner"

+ 

+ # Force detach a volume.

+ # POST  /volumes/{volume_id}/action (os-force_detach)

+ "volume_extension:volume_admin_actions:force_detach": "rule:admin_api"

+ 

+ # migrate a volume to a specified host.

+ # POST  /volumes/{volume_id}/action (os-migrate_volume)

+ "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"

+ 

+ # Complete a volume migration.

+ # POST  /volumes/{volume_id}/action (os-migrate_volume_completion)

+ "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"

+ 

+ # Initialize volume attachment.

+ # POST  /volumes/{volume_id}/action (os-initialize_connection)

+ "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"

+ 

+ # Terminate volume attachment.

+ # POST  /volumes/{volume_id}/action (os-terminate_connection)

+ "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"

+ 

+ # Roll back volume status to 'in-use'.

+ # POST  /volumes/{volume_id}/action (os-roll_detaching)

+ "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"

+ 

+ # Mark volume as reserved.

+ # POST  /volumes/{volume_id}/action (os-reserve)

+ "volume_extension:volume_actions:reserve": "rule:admin_or_owner"

+ 

+ # Unmark volume as reserved.

+ # POST  /volumes/{volume_id}/action (os-unreserve)

+ "volume_extension:volume_actions:unreserve": "rule:admin_or_owner"

+ 

+ # Begin detach volumes.

+ # POST  /volumes/{volume_id}/action (os-begin_detaching)

+ "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"

+ 

+ # Add attachment metadata.

+ # POST  /volumes/{volume_id}/action (os-attach)

+ "volume_extension:volume_actions:attach": "rule:admin_or_owner"

+ 

+ # Clear attachment metadata.

+ # POST  /volumes/{volume_id}/action (os-detach)

+ "volume_extension:volume_actions:detach": "rule:admin_or_owner"

+ 

+ # List volume transfer.

+ # GET  /os-volume-transfer

+ # GET  /os-volume-transfer/detail

+ # GET  /volume_transfers

+ # GET  /volume-transfers/detail

+ "volume:get_all_transfers": "rule:admin_or_owner"

+ 

+ # Create a volume transfer.

+ # POST  /os-volume-transfer

+ # POST  /volume_transfers

+ "volume:create_transfer": "rule:admin_or_owner"

+ 

+ # Show one specified volume transfer.

+ # GET  /os-volume-transfer/{transfer_id}

+ # GET  /volume-transfers/{transfer_id}

+ "volume:get_transfer": "rule:admin_or_owner"

+ 

+ # Accept a volume transfer.

+ # POST  /os-volume-transfer/{transfer_id}/accept

+ # POST  /volume-transfers/{transfer_id}/accept

+ "volume:accept_transfer": ""

+ 

+ # Delete volume transfer.

+ # DELETE  /os-volume-transfer/{transfer_id}

+ # DELETE  /volume-transfers/{transfer_id}

+ "volume:delete_transfer": "rule:admin_or_owner"

+ 

+ # Show volume's metadata or one specified metadata with a given key.

+ # GET  /volumes/{volume_id}/metadata

+ # GET  /volumes/{volume_id}/metadata/{key}

+ "volume:get_volume_metadata": "rule:admin_or_owner"

+ 

+ # Create volume metadata.

+ # POST  /volumes/{volume_id}/metadata

+ "volume:create_volume_metadata": "rule:admin_or_owner"

+ 

+ # Update volume's metadata or one specified metadata with a given key.

+ # PUT  /volumes/{volume_id}/metadata

+ # PUT  /volumes/{volume_id}/metadata/{key}

+ "volume:update_volume_metadata": "rule:admin_or_owner"

+ 

+ # Delete volume's specified metadata with a given key.

+ # DELETE  /volumes/{volume_id}/metadata/{key}

+ "volume:delete_volume_metadata": "rule:admin_or_owner"

+ 

+ # Volume's image metadata related operation, create, delete, show and

+ # list.

+ # GET  /volumes/detail

+ # GET  /volumes/{volume_id}

+ # POST  /volumes/{volume_id}/action (os-set_image_metadata)

+ # POST  /volumes/{volume_id}/action (os-unset_image_metadata)

+ "volume_extension:volume_image_metadata": "rule:admin_or_owner"

+ 

+ # Update volume admin metadata. It's used in `attach` and `os-

+ # update_readonly_flag` APIs

+ # POST  /volumes/{volume_id}/action (os-update_readonly_flag)

+ # POST  /volumes/{volume_id}/action (os-attach)

+ "volume:update_volume_admin_metadata": "rule:admin_api"

+ 

+ # List type extra specs.

+ # GET  /types/{type_id}/extra_specs

+ "volume_extension:types_extra_specs:index": "rule:admin_api"

+ 

+ # Create type extra specs.

+ # POST  /types/{type_id}/extra_specs

+ "volume_extension:types_extra_specs:create": "rule:admin_api"

+ 

+ # Show one specified type extra specs.

+ # GET  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:show": "rule:admin_api"

+ 

+ # Update type extra specs.

+ # PUT  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:update": "rule:admin_api"

+ 

+ # Delete type extra specs.

+ # DELETE  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:delete": "rule:admin_api"

+ 

+ # Create volume.

+ # POST  /volumes

+ "volume:create": ""

+ 

+ # Create volume from image.

+ # POST  /volumes

+ "volume:create_from_image": ""

+ 

+ # Show volume.

+ # GET  /volumes/{volume_id}

+ "volume:get": "rule:admin_or_owner"

+ 

+ # List volumes or get summary of volumes.

+ # GET  /volumes

+ # GET  /volumes/detail

+ # GET  /volumes/summary

+ "volume:get_all": "rule:admin_or_owner"

+ 

+ # Update volume or update a volume's bootable status.

+ # PUT  /volumes

+ # POST  /volumes/{volume_id}/action (os-set_bootable)

+ "volume:update": "rule:admin_or_owner"

+ 

+ # Delete volume.

+ # DELETE  /volumes/{volume_id}

+ "volume:delete": "rule:admin_or_owner"

+ 

+ # Force Delete a volume.

+ # DELETE  /volumes/{volume_id}

+ "volume:force_delete": "rule:admin_api"

+ 

+ # List or show volume with host attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_host_attribute": "rule:admin_api"

+ 

+ # List or show volume with tenant attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_tenant_attribute": "rule:admin_or_owner"

+ 

+ # List or show volume with migration status attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_mig_status_attribute": "rule:admin_api"

+ 

+ # Show volume's encryption metadata.

+ # GET  /volumes/{volume_id}/encryption

+ # GET  /volumes/{volume_id}/encryption/{encryption_key}

+ "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"

+ 

+ # Create multiattach capable volume.

+ # POST  /volumes

+ "volume:multiattach": "rule:admin_or_owner"

+ 
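Review bot: The stock policy file carries no header recording which cinder release it was generated from, so a reader cannot tell whether a rule such as `"volume:attachment_create": ""` or the "deprecated in the Stein release" note on `volume_extension:volume_type_encryption` still matches the release actually deployed. A leading comment along the lines of `# Stock policy generated from cinder <RELEASE> with oslopolicy-sample-generator; do not edit by hand` with the release filled in would pin the provenance. The same applies to the glance, gnocchi, heat and neutron stock files added in this change. In oslo.policy an empty check string (`""`) always passes, so any comparison of a custom policy against this file only means something if the release it was taken from is known.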

@@ -0,0 +1,50 @@ 

+ ---

+ context_is_admin: role:admin

+ default: role:admin

+ add_image: ''

+ delete_image: ''

+ get_image: ''

+ get_images: ''

+ modify_image: ''

+ publicize_image: role:admin

+ communitize_image: ''

+ copy_from: ''

+ download_image: ''

+ upload_image: ''

+ delete_image_location: ''

+ get_image_location: ''

+ set_image_location: ''

+ add_member: ''

+ delete_member: ''

+ get_member: ''

+ get_members: ''

+ modify_member: ''

+ manage_image_cache: role:admin

+ get_task: ''

+ get_tasks: ''

+ add_task: ''

+ modify_task: ''

+ tasks_api_access: role:admin

+ deactivate: ''

+ reactivate: ''

+ get_metadef_namespace: ''

+ get_metadef_namespaces: ''

+ modify_metadef_namespace: ''

+ add_metadef_namespace: ''

+ get_metadef_object: ''

+ get_metadef_objects: ''

+ modify_metadef_object: ''

+ add_metadef_object: ''

+ list_metadef_resource_types: ''

+ get_metadef_resource_type: ''

+ add_metadef_resource_type_association: ''

+ get_metadef_property: ''

+ get_metadef_properties: ''

+ modify_metadef_property: ''

+ add_metadef_property: ''

+ get_metadef_tag: ''

+ get_metadef_tags: ''

+ modify_metadef_tag: ''

+ add_metadef_tag: ''

+ add_metadef_tags: ''

+ 

@@ -0,0 +1,35 @@ 

+ ---

+ admin_or_creator: role:admin or user:%(creator)s or project_id:%(created_by_project_id)s

+ resource_owner: project_id:%(project_id)s

+ metric_owner: project_id:%(resource.project_id)s

+ get status: role:admin

+ create resource: ''

+ get resource: rule:admin_or_creator or rule:resource_owner

+ update resource: rule:admin_or_creator

+ delete resource: rule:admin_or_creator

+ delete resources: rule:admin_or_creator

+ list resource: rule:admin_or_creator or rule:resource_owner

+ search resource: rule:admin_or_creator or rule:resource_owner

+ create resource type: role:admin

+ delete resource type: role:admin

+ update resource type: role:admin

+ list resource type: ''

+ get resource type: ''

+ get archive policy: ''

+ list archive policy: ''

+ create archive policy: role:admin

+ update archive policy: role:admin

+ delete archive policy: role:admin

+ create archive policy rule: role:admin

+ get archive policy rule: ''

+ list archive policy rule: ''

+ update archive policy rule: role:admin

+ delete archive policy rule: role:admin

+ create metric: ''

+ delete metric: rule:admin_or_creator

+ get metric: rule:admin_or_creator or rule:metric_owner

+ search metric: rule:admin_or_creator or rule:metric_owner

+ list metric: rule:admin_or_creator or rule:metric_owner

+ get measures: rule:admin_or_creator or rule:metric_owner

+ post measures: rule:admin_or_creator

+ 

@@ -0,0 +1,75 @@ 

+ ---

+ context_is_admin: role:admin

+ deny_stack_user: not role:heat_stack_user

+ deny_everybody: "!"

+ cloudformation:ListStacks: rule:deny_stack_user

+ cloudformation:CreateStack: rule:deny_stack_user

+ cloudformation:DescribeStacks: rule:deny_stack_user

+ cloudformation:DeleteStack: rule:deny_stack_user

+ cloudformation:UpdateStack: rule:deny_stack_user

+ cloudformation:CancelUpdateStack: rule:deny_stack_user

+ cloudformation:DescribeStackEvents: rule:deny_stack_user

+ cloudformation:ValidateTemplate: rule:deny_stack_user

+ cloudformation:GetTemplate: rule:deny_stack_user

+ cloudformation:EstimateTemplateCost: rule:deny_stack_user

+ cloudformation:DescribeStackResource: ''

+ cloudformation:DescribeStackResources: rule:deny_stack_user

+ cloudformation:ListStackResources: rule:deny_stack_user

+ cloudwatch:DeleteAlarms: rule:deny_stack_user

+ cloudwatch:DescribeAlarmHistory: rule:deny_stack_user

+ cloudwatch:DescribeAlarms: rule:deny_stack_user

+ cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user

+ cloudwatch:DisableAlarmActions: rule:deny_stack_user

+ cloudwatch:EnableAlarmActions: rule:deny_stack_user

+ cloudwatch:GetMetricStatistics: rule:deny_stack_user

+ cloudwatch:ListMetrics: rule:deny_stack_user

+ cloudwatch:PutMetricAlarm: rule:deny_stack_user

+ cloudwatch:PutMetricData: ''

+ cloudwatch:SetAlarmState: rule:deny_stack_user

+ actions:action: rule:deny_stack_user

+ build_info:build_info: rule:deny_stack_user

+ events:index: rule:deny_stack_user

+ events:show: rule:deny_stack_user

+ resource:index: rule:deny_stack_user

+ resource:metadata: ''

+ resource:signal: ''

+ resource:show: rule:deny_stack_user

+ stacks:abandon: rule:deny_stack_user

+ stacks:create: rule:deny_stack_user

+ stacks:delete: rule:deny_stack_user

+ stacks:detail: rule:deny_stack_user

+ stacks:generate_template: rule:deny_stack_user

+ stacks:global_index: rule:deny_everybody

+ stacks:index: rule:deny_stack_user

+ stacks:list_resource_types: rule:deny_stack_user

+ stacks:list_template_versions: rule:deny_stack_user

+ stacks:list_template_functions: rule:deny_stack_user

+ stacks:lookup: ''

+ stacks:preview: rule:deny_stack_user

+ stacks:resource_schema: rule:deny_stack_user

+ stacks:show: rule:deny_stack_user

+ stacks:template: rule:deny_stack_user

+ stacks:update: rule:deny_stack_user

+ stacks:update_patch: rule:deny_stack_user

+ stacks:preview_update: rule:deny_stack_user

+ stacks:preview_update_patch: rule:deny_stack_user

+ stacks:validate_template: rule:deny_stack_user

+ stacks:snapshot: rule:deny_stack_user

+ stacks:show_snapshot: rule:deny_stack_user

+ stacks:delete_snapshot: rule:deny_stack_user

+ stacks:list_snapshots: rule:deny_stack_user

+ stacks:restore_snapshot: rule:deny_stack_user

+ software_configs:global_index: rule:deny_everybody

+ software_configs:index: rule:deny_stack_user

+ software_configs:create: rule:deny_stack_user

+ software_configs:show: rule:deny_stack_user

+ software_configs:delete: rule:deny_stack_user

+ software_deployments:index: rule:deny_stack_user

+ software_deployments:create: rule:deny_stack_user

+ software_deployments:show: rule:deny_stack_user

+ software_deployments:update: rule:deny_stack_user

+ software_deployments:delete: rule:deny_stack_user

+ software_deployments:metadata: ''

+ service:index: rule:context_is_admin

+ resource_types:OS::Nova::Flavor: rule:context_is_admin

+ 

@@ -22,7 +22,7 @@ 

  # Authorize OAUTH1 request token.

  # PUT  /v3/OS-OAUTH1/authorize/{request_token_id}

  # Intended scope(s): project

- "identity:authorize_request_token": "rule:admin"

+ "identity:authorize_request_token": "rule:admin or rule:owner"

  

  # Get OAUTH1 access token for user by access token ID.

  # GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
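Review bot: The widened rule on the `+` line, `"rule:admin or rule:owner"`, makes the outcome of `identity:authorize_request_token` depend on how `owner` is defined and on which target attributes the authorize endpoint hands to the enforcer, neither of which is visible in this hunk. If `owner` matches on a target key that `PUT /v3/OS-OAUTH1/authorize/{request_token_id}` does not supply, the new clause never evaluates true and the relaxation is a silent no-op; if `owner` is defined more loosely than "the user the request token was issued to", the change widens who may authorize a token. A comment above the rule stating the intent, e.g. `# Relaxed from stock: the request token's owner may authorize it (admin still allowed)`, would make the deviation from the stock file reviewable. The `owner` rule itself is defined outside this hunk.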


@@ -0,0 +1,1 @@ 

+ ---

@@ -0,0 +1,671 @@ 

+ # Rule for cloud admin access

+ "context_is_admin": "role:admin"

+ 

+ # Rule for resource owner access

+ "owner": "tenant_id:%(tenant_id)s"

+ 

+ # Rule for admin or owner access

+ "admin_or_owner": "rule:context_is_admin or rule:owner"

+ 

+ # Rule for advsvc role access

+ "context_is_advsvc": "role:advsvc"

+ 

+ # Rule for admin or network owner access

+ "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"

+ 

+ # Rule for resource owner, admin or network owner access

+ "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"

+ 

+ # Rule only for admin access

+ "admin_only": "rule:context_is_admin"

+ 

+ # Rule for regular user access

+ "regular_user": ""

+ 

+ # Rule of shared network

+ "shared": "field:networks:shared=True"

+ 

+ # Default access rule

+ "default": "rule:admin_or_owner"

+ 

+ # Rule for common parent owner check

+ "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"

+ 

+ # Rule of shared address scope

+ "shared_address_scopes": "field:address_scopes:shared=True"

+ 

+ # Access rule for creating address scope

+ "create_address_scope": ""

+ 

+ # Access rule for creating shared address scope

+ "create_address_scope:shared": "rule:admin_only"

+ 

+ # Access rule for getting address scope

+ "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"

+ 

+ # Access rule for updating address scope

+ "update_address_scope": "rule:admin_or_owner"

+ 

+ # Access rule for updating shared attribute of address scope

+ "update_address_scope:shared": "rule:admin_only"

+ 

+ # Access rule for deleting address scope

+ "delete_address_scope": "rule:admin_or_owner"

+ 

+ # Access rule for getting agent

+ "get_agent": "rule:admin_only"

+ 

+ # Access rule for updating agent

+ "update_agent": "rule:admin_only"

+ 

+ # Access rule for deleting agent

+ "delete_agent": "rule:admin_only"

+ 

+ # Access rule for adding network to dhcp agent

+ "create_dhcp-network": "rule:admin_only"

+ 

+ # Access rule for listing networks on the dhcp agent

+ "get_dhcp-networks": "rule:admin_only"

+ 

+ # Access rule for removing network from dhcp agent

+ "delete_dhcp-network": "rule:admin_only"

+ 

+ # Access rule for adding router to l3 agent

+ "create_l3-router": "rule:admin_only"

+ 

+ # Access rule for listing routers on the l3 agent

+ "get_l3-routers": "rule:admin_only"

+ 

+ # Access rule for deleting router from l3 agent

+ "delete_l3-router": "rule:admin_only"

+ 

+ # Access rule for listing dhcp agents hosting the network

+ "get_dhcp-agents": "rule:admin_only"

+ 

+ # Access rule for listing l3 agents hosting the router

+ "get_l3-agents": "rule:admin_only"

+ 

+ # Access rule for getting lbaas agent hosting the pool

+ "get_loadbalancer-agent": "rule:admin_only"

+ 

+ # Access rule for listing pools on the lbaas agent

+ "get_loadbalancer-pools": "rule:admin_only"

+ 

+ # Access rule for listing loadbalancers on the lbaasv2 agent

+ "get_agent-loadbalancers": "rule:admin_only"

+ 

+ # Access rule for getting lbaasv2 agent hosting the loadbalancer

+ "get_loadbalancer-hosting-agent": "rule:admin_only"

+ 

+ # Access rule for getting a project's auto-allocated topology

+ "get_auto_allocated_topology": "rule:admin_or_owner"

+ 

+ # Access rule for deleting a project's auto-allocated topology

+ "delete_auto_allocated_topology": "rule:admin_or_owner"

+ 

+ # Access rule for creating network profile

+ "create_network_profile": "rule:admin_only"

+ 

+ # Access rule for listing network profiles

+ "get_network_profiles": ""

+ 

+ # Access rule for getting network profile

+ "get_network_profile": ""

+ 

+ # Access rule for updating network profile

+ "update_network_profile": "rule:admin_only"

+ 

+ # Access rule for deleting network profile

+ "delete_network_profile": "rule:admin_only"

+ 

+ # Access rule for listing policy profile

+ "get_policy_profiles": ""

+ 

+ # Access rule for getting policy prodile

+ "get_policy_profile": ""

+ 

+ # Access rule for updating policy profile

+ "update_policy_profiles": "rule:admin_only"

+ 

+ # Access rule for creating flavor

+ "create_flavor": "rule:admin_only"

+ 

+ # Access rule for listing flavors

+ "get_flavors": "rule:regular_user"

+ 

+ # Access rule for getting flavor

+ "get_flavor": "rule:regular_user"

+ 

+ # Access rule for updating flavor

+ "update_flavor": "rule:admin_only"

+ 

+ # Access rule for deleting flavor

+ "delete_flavor": "rule:admin_only"

+ 

+ # Access rule for creating service profile

+ "create_service_profile": "rule:admin_only"

+ 

+ # Access rule for listing service profiles

+ "get_service_profiles": "rule:admin_only"

+ 

+ # Access rule for getting service profile

+ "get_service_profile": "rule:admin_only"

+ 

+ # Access rule for updating service profile

+ "update_service_profile": "rule:admin_only"

+ 

+ # Access rule for deleting service profile

+ "delete_service_profile": "rule:admin_only"

+ 

+ # Access rule for associating flavor with service profile

+ "create_flavor_service_profile": "rule:admin_only"

+ 

+ # Access rule for disassociating flavor with service profile

+ "delete_flavor_service_profile": "rule:admin_only"

+ 

+ # Access rule for getting flavor associatingwith the given service

+ # profiles

+ "get_flavor_service_profile": "rule:regular_user"

+ 

+ # Access rule for creating floating IP

+ "create_floatingip": "rule:regular_user"

+ 

+ # Access rule for creating floating IP with fixed floating IP address

+ "create_floatingip:floating_ip_address": "rule:admin_only"

+ 

+ # Access rule for getting floating IP

+ "get_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for updating floating IP

+ "update_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for deleting floating IP

+ "delete_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for creating floating IP port forwarding

+ "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting floating IP port forwarding

+ "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting floating IP port forwardings

+ "get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for updating floating IP port forwarding

+ "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for deleting floating IP port forwarding

+ "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting loggable resources

+ "get_loggable_resources": "rule:admin_only"

+ 

+ # Access rule for creating network log

+ "create_log": "rule:admin_only"

+ 

+ # Access rule for getting network log

+ "get_log": "rule:admin_only"

+ 

+ # Access rule for getting network logs

+ "get_logs": "rule:admin_only"

+ 

+ # Access rule for updating network log

+ "update_log": "rule:admin_only"

+ 

+ # Access rule for deleting network log

+ "delete_log": "rule:admin_only"

+ 

+ # Access rule for creating metering label

+ "create_metering_label": "rule:admin_only"

+ 

+ # Access rule for getting metering label

+ "get_metering_label": "rule:admin_only"

+ 

+ # Access rule for deleting metering label

+ "delete_metering_label": "rule:admin_only"

+ 

+ # Access rule for creating metering label rule

+ "create_metering_label_rule": "rule:admin_only"

+ 

+ # Access rule for getting metering label rule

+ "get_metering_label_rule": "rule:admin_only"

+ 

+ # Access rule for deleting metering label rule

+ "delete_metering_label_rule": "rule:admin_only"

+ 

+ # Rule of external network

+ "external": "field:networks:router:external=True"

+ 

+ # Access rule for creating network

+ "create_network": ""

+ 

+ # Access rule for creating shared network

+ "create_network:shared": "rule:admin_only"

+ 

+ # Access rule for creating external network

+ "create_network:router:external": "rule:admin_only"

+ 

+ # Access rule for creating network with is_default

+ "create_network:is_default": "rule:admin_only"

+ 

+ # Access rule for creating network with segments

+ "create_network:segments": "rule:admin_only"

+ 

+ # Access rule for creating network with provider network_type

+ "create_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for creating network with provider physical_network

+ "create_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for creating networkwith provider segmentation_id

+ "create_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for getting shared network

+ "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"

+ 

+ # Access rule for getting external network

+ "get_network:router:external": "rule:regular_user"

+ 

+ # Access rule for getting segments of network

+ "get_network:segments": "rule:admin_only"

+ 

+ # Access rule for getting provider network_type of network

+ "get_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for getting provider physical_network of network

+ "get_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for getting provider segmentation_id of network

+ "get_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for getting queue_id of network

+ "get_network:queue_id": "rule:admin_only"

+ 

+ # Access rule for updating network

+ "update_network": "rule:admin_or_owner"

+ 

+ # Access rule for updating segments of network

+ "update_network:segments": "rule:admin_only"

+ 

+ # Access rule for updating shared attribute of network

+ "update_network:shared": "rule:admin_only"

+ 

+ # Access rule for updating provider network_type of network

+ "update_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for updating provider physical_network of network

+ "update_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for updating provider segmentation_id of network

+ "update_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for updating external attribute of network

+ "update_network:router:external": "rule:admin_only"

+ 

+ # Access rule for deleting network

+ "delete_network": "rule:admin_or_owner"

+ 

+ # Access rule for getting network IP availabilities

+ "get_network_ip_availabilities": "rule:admin_only"

+ 

+ # Access rule for getting network IP availability

+ "get_network_ip_availability": "rule:admin_only"

+ 

+ # Rule of port with network device_owner

+ "network_device": "field:port:device_owner=~^network:"

+ 

+ # Rule for data plane integration

+ "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"

+ 

+ # Access rule for creating port

+ "create_port": ""

+ 

+ # Access rule for creating port with device_owner

+ "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with mac_address

+ "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with fixed_ips

+ "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port specifying IP address in fixed_ips

+ "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port specifying subnet ID in fixed_ips

+ "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

+ 

+ # Access rule for creating port with port_security_enabled

+ "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with binging host_id

+ "create_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for creating port with binding profile

+ "create_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for creating portwith mac_learning_enabled attribute

+ "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with allowed_address_pairs attribute

+ "create_port:allowed_address_pairs": "rule:admin_or_network_owner"

+ 

+ # Access rule for getting port

+ "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"

+ 

+ # Access rule for getting queue_id of port

+ "get_port:queue_id": "rule:admin_only"

+ 

+ # Access rule for getting binding vif_type of port

+ "get_port:binding:vif_type": "rule:admin_only"

+ 

+ # Access rule for getting binding vif_details of port

+ "get_port:binding:vif_details": "rule:admin_only"

+ 

+ # Access rule for getting binding vnic_type of port

+ "get_port:binding:vnic_type": "rule:admin_or_owner"

+ 

+ # Access rule for getting binding host_id of port

+ "get_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for getting binding profile of port

+ "get_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for updating port

+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc"

+ 

+ # Access rule for updating device_owner of port

+ "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating mac_address of port

+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"

+ 

+ # Access rule for updating fixed_ips of port

+ "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating port specifying IP address in fixed_ips

+ "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating port specifying subnet ID in fixed_ips

+ "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

+ 

+ # Access rule for updating port_security_enabled of port

+ "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating binding host_id of port

+ "update_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for updating binding profile of port

+ "update_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for updating mac_learning_enabled of port

+ "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating allowed_address_pairs of port

+ "update_port:allowed_address_pairs": "rule:admin_or_network_owner"

+ 

+ # Access rule for updating data_plane_status of port

+ "update_port:data_plane_status": "rule:admin_or_data_plane_int"

+ 

+ # Access rule for deleting port

+ "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"

+ 

+ # Access rule for getting qos policy

+ "get_policy": "rule:regular_user"

+ 

+ # Access rule for creating qos policy

+ "create_policy": "rule:admin_only"

+ 

+ # Access rule for updating qos policy

+ "update_policy": "rule:admin_only"

+ 

+ # Access rule for deleting qos policy

+ "delete_policy": "rule:admin_only"

+ 

+ # Access rule for getting all available qos rule types

+ "get_rule_type": "rule:regular_user"

+ 

+ # Access rule for getting qos bandwidth limit rule

+ "get_policy_bandwidth_limit_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos bandwidth limit rule

+ "create_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for updatingqos bandwidth limit rule

+ "update_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for deletingqos bandwidth limit rule

+ "delete_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for getting qos dscp marking rule

+ "get_policy_dscp_marking_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos dscp marking rule

+ "create_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for updating qos dscp marking rule

+ "update_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for deleting qos dscp marking rule

+ "delete_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for getting qos minimum bandwidth rule

+ "get_policy_minimum_bandwidth_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos minimum bandwidth rule

+ "create_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Access rule for updating qos minimum bandwidth rule

+ "update_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Access rule for deleting qos minimum bandwidth rule

+ "delete_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Rule of restrict wildcard

+ "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"

+ 

+ # Access rule for creating rbac policy

+ "create_rbac_policy": ""

+ 

+ # Access rule for creating rbac policy with special target tenant

+ "create_rbac_policy:target_tenant": "rule:restrict_wildcard"

+ 

+ # Access rule for updating rbac policy

+ "update_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for updating target_tenant attribute of rbac policy

+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"

+ 

+ # Access rule for getting rbac policy

+ "get_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for deleting rbac policy

+ "delete_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for creating router

+ "create_router": "rule:regular_user"

+ 

+ # Access rule for creating router with distributed attribute

+ "create_router:distributed": "rule:admin_only"

+ 

+ # Access rule for creating router with ha attribute

+ "create_router:ha": "rule:admin_only"

+ 

+ # Access rule for creating router with external_gateway_info

+ # information

+ "create_router:external_gateway_info": "rule:admin_or_owner"

+ 

+ # Access rule for creating router with external_gateway_info

+ # network_id attribute

+ "create_router:external_gateway_info:network_id": "rule:admin_or_owner"

+ 

+ # Access rule for creating router with external_gateway_info

+ # enable_snat attribute

+ "create_router:external_gateway_info:enable_snat": "rule:admin_only"

+ 

+ # Access rule for creating router with external_gateway_info

+ # external_fixed_ips attribute

+ "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

+ 

+ # Access rule for getting router

+ "get_router": "rule:admin_or_owner"

+ 

+ # Access rule for getting ha attribute of router

+ "get_router:ha": "rule:admin_only"

+ 

+ # Access rule for getting distributed attribute of router

+ "get_router:distributed": "rule:admin_only"

+ 

+ # Access rule for updating router

+ "update_router": "rule:admin_or_owner"

+ 

+ # Access rule for updating distributed attribute of router

+ "update_router:distributed": "rule:admin_only"

+ 

+ # Access rule for updating ha attribute of router

+ "update_router:ha": "rule:admin_only"

+ 

+ # Access rule for updating external_gateway_info information of router

+ "update_router:external_gateway_info": "rule:admin_or_owner"

+ 

+ # Access rule for updating external_gateway_info network_id attribute

+ # of router

+ "update_router:external_gateway_info:network_id": "rule:admin_or_owner"

+ 

+ # Access rule for updating external_gateway_info enable_snat attribute

+ # of router

+ "update_router:external_gateway_info:enable_snat": "rule:admin_only"

+ 

+ # Access rule for updating external_gateway_info external_fixed_ips

+ # attribute of router

+ "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

+ 

+ # Access rule for deleting router

+ "delete_router": "rule:admin_or_owner"

+ 

+ # Access rule for adding router interface

+ "add_router_interface": "rule:admin_or_owner"

+ 

+ # Access rule for removing router interface

+ "remove_router_interface": "rule:admin_or_owner"

+ 

+ # Access rule for creating security group

+ "create_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for getting security group

+ "get_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for getting security groups

+ "get_security_groups": "rule:admin_or_owner"

+ 

+ # Access rule for updating security group

+ "update_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for deleting security group

+ "delete_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for creating security group rule

+ "create_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for getting security group rule

+ "get_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for getting security groups rules

+ "get_security_group_rules": "rule:admin_or_owner"

+ 

+ # Access rule for deleting security group rule

+ "delete_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for creating segment

+ "create_segment": "rule:admin_only"

+ 

+ # Access rule for getting segment

+ "get_segment": "rule:admin_only"

+ 

+ # Access rule for updating segment

+ "update_segment": "rule:admin_only"

+ 

+ # Access rule for deleting segment

+ "delete_segment": "rule:admin_only"

+ 

+ # Access rule for listing all service providers

+ "get_service_provider": "rule:regular_user"

+ 

+ # Access rule for creating subnet

+ "create_subnet": "rule:admin_or_network_owner"

+ 

+ # Access rule for creating subnet with segment_id

+ "create_subnet:segment_id": "rule:admin_only"

+ 

+ # Access rule for creating subnet with service_type

+ "create_subnet:service_types": "rule:admin_only"

+ 

+ # Access rule for getting subnet

+ "get_subnet": "rule:admin_or_owner or rule:shared"

+ 

+ # Access rule for getting segment_id of subnet

+ "get_subnet:segment_id": "rule:admin_only"

+ 

+ # Access rule for updating subnet

+ "update_subnet": "rule:admin_or_network_owner"

+ 

+ # Access rule for updating service_types of subnet

+ "update_subnet:service_types": "rule:admin_only"

+ 

+ # Access rule for deleting subnet

+ "delete_subnet": "rule:admin_or_network_owner"

+ 

+ # Rule of shared subnetpool

+ "shared_subnetpools": "field:subnetpools:shared=True"

+ 

+ # Access rule for creating subnetpool

+ "create_subnetpool": ""

+ 

+ # Access rule for creating shared subnetpool

+ "create_subnetpool:shared": "rule:admin_only"

+ 

+ # Access rule for creating subnetpool with is_default

+ "create_subnetpool:is_default": "rule:admin_only"

+ 

+ # Access rule for getting subnetpool

+ "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"

+ 

+ # Access rule for updating subnetpool

+ "update_subnetpool": "rule:admin_or_owner"

+ 

+ # Access rule for updating is_default of subnetpool

+ "update_subnetpool:is_default": "rule:admin_only"

+ 

+ # Access rule for deleting subnetpool

+ "delete_subnetpool": "rule:admin_or_owner"

+ 

+ # Access rule for creating trunk port

+ "create_trunk": "rule:regular_user"

+ 

+ # Access rule for getting trunk port

+ "get_trunk": "rule:admin_or_owner"

+ 

+ # Access rule for deleting trunk port

+ "delete_trunk": "rule:admin_or_owner"

+ 

+ # Access rule for listing subports attached to trunk

+ "get_subports": ""

+ 

+ # Access rule for adding subports to the trunk

+ "add_subports": "rule:admin_or_owner"

+ 

+ # Access rule for deleting subports from the trunk

+ "remove_subports": "rule:admin_or_owner"

+ 

+ # Access rule for creating lsn

+ "create_lsn": "rule:admin_only"

+ 

+ # Access rule for getting lsn

+ "get_lsn": "rule:admin_only"

+ 

+ # Access rule for creating qos queue

+ "create_qos_queue": "rule:admin_only"

+ 

+ # Access rule for getting qos queue

+ "get_qos_queue": "rule:admin_only"

+