#13 stock policy
Merged 4 years ago by nkinder. Opened 4 years ago by admiyo.

file modified
+1
@@ -1,3 +1,4 @@ 

  build/*

  *~

  *current

+ tests/*/*stock

@@ -0,0 +1,1 @@ 

+ ---

@@ -0,0 +1,634 @@ 

+ # Decides what is required for the 'is_admin:True' check to succeed.

+ "context_is_admin": "role:admin"

+ 

+ # Default rule for most non-Admin APIs.

+ "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"

+ 

+ # Default rule for most Admin APIs.

+ "admin_api": "is_admin:True or (role:admin and is_admin_project:True)"

+ 

+ # Create attachment.

+ # POST  /attachments

+ "volume:attachment_create": ""

+ 

+ # Update attachment.

+ # PUT  /attachments/{attachment_id}

+ "volume:attachment_update": "rule:admin_or_owner"

+ 

+ # Delete attachment.

+ # DELETE  /attachments/{attachment_id}

+ "volume:attachment_delete": "rule:admin_or_owner"

+ 

+ # Mark a volume attachment process as completed (in-use)

+ # POST  /attachments/{attachment_id}/action (os-complete)

+ "volume:attachment_complete": "rule:admin_or_owner"

+ 

+ # Allow multiattach of bootable volumes.

+ # POST  /attachments

+ "volume:multiattach_bootable_volume": "rule:admin_or_owner"

+ 

+ # List messages.

+ # GET  /messages

+ "message:get_all": "rule:admin_or_owner"

+ 

+ # Show message.

+ # GET  /messages/{message_id}

+ "message:get": "rule:admin_or_owner"

+ 

+ # Delete message.

+ # DELETE  /messages/{message_id}

+ "message:delete": "rule:admin_or_owner"

+ 

+ # List clusters.

+ # GET  /clusters

+ # GET  /clusters/detail

+ "clusters:get_all": "rule:admin_api"

+ 

+ # Show cluster.

+ # GET  /clusters/{cluster_id}

+ "clusters:get": "rule:admin_api"

+ 

+ # Update cluster.

+ # PUT  /clusters/{cluster_id}

+ "clusters:update": "rule:admin_api"

+ 

+ # Clean up workers.

+ # POST  /workers/cleanup

+ "workers:cleanup": "rule:admin_api"

+ 

+ # Show snapshot's metadata or one specified metadata with a given key.

+ # GET  /snapshots/{snapshot_id}/metadata

+ # GET  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:get_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # Update snapshot's metadata or one specified metadata with a given

+ # key.

+ # PUT  /snapshots/{snapshot_id}/metadata

+ # PUT  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:update_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # Delete snapshot's specified metadata with a given key.

+ # DELETE  /snapshots/{snapshot_id}/metadata/{key}

+ "volume:delete_snapshot_metadata": "rule:admin_or_owner"

+ 

+ # List snapshots.

+ # GET  /snapshots

+ # GET  /snapshots/detail

+ "volume:get_all_snapshots": "rule:admin_or_owner"

+ 

+ # List or show snapshots with extended attributes.

+ # GET  /snapshots/{snapshot_id}

+ # GET  /snapshots/detail

+ "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"

+ 

+ # Create snapshot.

+ # POST  /snapshots

+ "volume:create_snapshot": "rule:admin_or_owner"

+ 

+ # Show snapshot.

+ # GET  /snapshots/{snapshot_id}

+ "volume:get_snapshot": "rule:admin_or_owner"

+ 

+ # Update snapshot.

+ # PUT  /snapshots/{snapshot_id}

+ "volume:update_snapshot": "rule:admin_or_owner"

+ 

+ # Delete snapshot.

+ # DELETE  /snapshots/{snapshot_id}

+ "volume:delete_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-reset_status)

+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Update database fields of snapshot.

+ # POST  /snapshots/{snapshot_id}/action (update_snapshot_status)

+ "snapshot_extension:snapshot_actions:update_snapshot_status": ""

+ 

+ # Force delete a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-force_delete)

+ "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"

+ 

+ # List (in detail) of snapshots which are available to manage.

+ # GET  /manageable_snapshots

+ # GET  /manageable_snapshots/detail

+ "snapshot_extension:list_manageable": "rule:admin_api"

+ 

+ # Manage an existing snapshot.

+ # POST  /manageable_snapshots

+ "snapshot_extension:snapshot_manage": "rule:admin_api"

+ 

+ # Stop managing a snapshot.

+ # POST  /snapshots/{snapshot_id}/action (os-unmanage)

+ "snapshot_extension:snapshot_unmanage": "rule:admin_api"

+ 

+ # List backups.

+ # GET  /backups

+ # GET  /backups/detail

+ "backup:get_all": "rule:admin_or_owner"

+ 

+ # List backups or show backup with project attributes.

+ # GET  /backups/{backup_id}

+ # GET  /backups/detail

+ "backup:backup_project_attribute": "rule:admin_api"

+ 

+ # Create backup.

+ # POST  /backups

+ "backup:create": ""

+ 

+ # Show backup.

+ # GET  /backups/{backup_id}

+ "backup:get": "rule:admin_or_owner"

+ 

+ # Update backup.

+ # PUT  /backups/{backup_id}

+ "backup:update": "rule:admin_or_owner"

+ 

+ # Delete backup.

+ # DELETE  /backups/{backup_id}

+ "backup:delete": "rule:admin_or_owner"

+ 

+ # Restore backup.

+ # POST  /backups/{backup_id}/restore

+ "backup:restore": "rule:admin_or_owner"

+ 

+ # Import backup.

+ # POST  /backups/{backup_id}/import_record

+ "backup:backup-import": "rule:admin_api"

+ 

+ # Export backup.

+ # POST  /backups/{backup_id}/export_record

+ "backup:export-import": "rule:admin_api"

+ 

+ # Reset status of a backup.

+ # POST  /backups/{backup_id}/action (os-reset_status)

+ "volume_extension:backup_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Force delete a backup.

+ # POST  /backups/{backup_id}/action (os-force_delete)

+ "volume_extension:backup_admin_actions:force_delete": "rule:admin_api"

+ 

+ # List groups.

+ # GET  /groups

+ # GET  /groups/detail

+ "group:get_all": "rule:admin_or_owner"

+ 

+ # Create group.

+ # POST  /groups

+ "group:create": ""

+ 

+ # Show group.

+ # GET  /groups/{group_id}

+ "group:get": "rule:admin_or_owner"

+ 

+ # Update group.

+ # PUT  /groups/{group_id}

+ "group:update": "rule:admin_or_owner"

+ 

+ # Create, update or delete a group type.

+ # POST  /group_types/

+ # PUT  /group_types/{group_type_id}

+ # DELETE  /group_types/{group_type_id}

+ "group:group_types_manage": "rule:admin_api"

+ 

+ # Show group type with type specs attributes.

+ # GET  /group_types/{group_type_id}

+ "group:access_group_types_specs": "rule:admin_api"

+ 

+ # Create, show, update and delete group type spec.

+ # GET  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ # GET  /group_types/{group_type_id}/group_specs

+ # POST  /group_types/{group_type_id}/group_specs

+ # PUT  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ # DELETE  /group_types/{group_type_id}/group_specs/{g_spec_id}

+ "group:group_types_specs": "rule:admin_api"

+ 

+ # List group snapshots.

+ # GET  /group_snapshots

+ # GET  /group_snapshots/detail

+ "group:get_all_group_snapshots": "rule:admin_or_owner"

+ 

+ # Create group snapshot.

+ # POST  /group_snapshots

+ "group:create_group_snapshot": ""

+ 

+ # Show group snapshot.

+ # GET  /group_snapshots/{group_snapshot_id}

+ "group:get_group_snapshot": "rule:admin_or_owner"

+ 

+ # Delete group snapshot.

+ # DELETE  /group_snapshots/{group_snapshot_id}

+ "group:delete_group_snapshot": "rule:admin_or_owner"

+ 

+ # Update group snapshot.

+ # PUT  /group_snapshots/{group_snapshot_id}

+ "group:update_group_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of group snapshot.

+ # POST  /group_snapshots/{g_snapshot_id}/action (reset_status)

+ "group:reset_group_snapshot_status": "rule:admin_or_owner"

+ 

+ # Delete group.

+ # POST  /groups/{group_id}/action (delete)

+ "group:delete": "rule:admin_or_owner"

+ 

+ # Reset status of group.

+ # POST  /groups/{group_id}/action (reset_status)

+ "group:reset_status": "rule:admin_api"

+ 

+ # Enable replication.

+ # POST  /groups/{group_id}/action (enable_replication)

+ "group:enable_replication": "rule:admin_or_owner"

+ 

+ # Disable replication.

+ # POST  /groups/{group_id}/action (disable_replication)

+ "group:disable_replication": "rule:admin_or_owner"

+ 

+ # Fail over replication.

+ # POST  /groups/{group_id}/action (failover_replication)

+ "group:failover_replication": "rule:admin_or_owner"

+ 

+ # List failover replication.

+ # POST  /groups/{group_id}/action (list_replication_targets)

+ "group:list_replication_targets": "rule:admin_or_owner"

+ 

+ # List qos specs or list all associations.

+ # GET  /qos-specs

+ # GET  /qos-specs/{qos_id}/associations

+ "volume_extension:qos_specs_manage:get_all": "rule:admin_api"

+ 

+ # Show qos specs.

+ # GET  /qos-specs/{qos_id}

+ "volume_extension:qos_specs_manage:get": "rule:admin_api"

+ 

+ # Create qos specs.

+ # POST  /qos-specs

+ "volume_extension:qos_specs_manage:create": "rule:admin_api"

+ 

+ # Update qos specs (including updating association).

+ # PUT  /qos-specs/{qos_id}

+ # GET  /qos-specs/{qos_id}/disassociate_all

+ # GET  /qos-specs/{qos_id}/associate

+ # GET  /qos-specs/{qos_id}/disassociate

+ "volume_extension:qos_specs_manage:update": "rule:admin_api"

+ 

+ # delete qos specs or unset one specified qos key.

+ # DELETE  /qos-specs/{qos_id}

+ # PUT  /qos-specs/{qos_id}/delete_keys

+ "volume_extension:qos_specs_manage:delete": "rule:admin_api"

+ 

+ # Show or update project quota class.

+ # GET  /os-quota-class-sets/{project_id}

+ # PUT  /os-quota-class-sets/{project_id}

+ "volume_extension:quota_classes": "rule:admin_api"

+ 

+ # Show project quota (including usage and default).

+ # GET  /os-quota-sets/{project_id}

+ # GET  /os-quota-sets/{project_id}/default

+ # GET  /os-quota-sets/{project_id}?usage=True

+ "volume_extension:quotas:show": "rule:admin_or_owner"

+ 

+ # Update project quota.

+ # PUT  /os-quota-sets/{project_id}

+ "volume_extension:quotas:update": "rule:admin_api"

+ 

+ # Delete project quota.

+ # DELETE  /os-quota-sets/{project_id}

+ "volume_extension:quotas:delete": "rule:admin_api"

+ 

+ # Validate setup for nested quota.

+ # GET  /os-quota-sets/validate_setup_for_nested_quota_use

+ "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"

+ 

+ # Show backend capabilities.

+ # GET  /capabilities/{host_name}

+ "volume_extension:capabilities": "rule:admin_api"

+ 

+ # List all services.

+ # GET  /os-services

+ "volume_extension:services:index": "rule:admin_api"

+ 

+ # Update service, including failover_host, thaw, freeze, disable,

+ # enable, set-log and get-log actions.

+ # PUT  /os-services/{action}

+ "volume_extension:services:update": "rule:admin_api"

+ 

+ # Freeze a backend host.

+ # PUT  /os-services/freeze

+ "volume:freeze_host": "rule:admin_api"

+ 

+ # Thaw a backend host.

+ # PUT  /os-services/thaw

+ "volume:thaw_host": "rule:admin_api"

+ 

+ # Failover a backend host.

+ # PUT  /os-services/failover_host

+ "volume:failover_host": "rule:admin_api"

+ 

+ # List all backend pools.

+ # GET  /scheduler-stats/get_pools

+ "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"

+ 

+ # List, update or show hosts for a project.

+ # GET  /os-hosts

+ # PUT  /os-hosts/{host_name}

+ # GET  /os-hosts/{host_id}

+ "volume_extension:hosts": "rule:admin_api"

+ 

+ # Show limits with used limit attributes.

+ # GET  /limits

+ "limits_extension:used_limits": "rule:admin_or_owner"

+ 

+ # List (in detail) of volumes which are available to manage.

+ # GET  /manageable_volumes

+ # GET  /manageable_volumes/detail

+ "volume_extension:list_manageable": "rule:admin_api"

+ 

+ # Manage existing volumes.

+ # POST  /manageable_volumes

+ "volume_extension:volume_manage": "rule:admin_api"

+ 

+ # Stop managing a volume.

+ # POST  /volumes/{volume_id}/action (os-unmanage)

+ "volume_extension:volume_unmanage": "rule:admin_api"

+ 

+ # Create, update and delete volume type.

+ # POST  /types

+ # PUT  /types

+ # DELETE  /types

+ "volume_extension:types_manage": "rule:admin_api"

+ 

+ # Get one specific volume type.

+ # GET  /types/{type_id}

+ "volume_extension:type_get": ""

+ 

+ # List volume types.

+ # GET  /types/

+ "volume_extension:type_get_all": ""

+ 

+ # List, show, create, update and delete volume type encryption. This

+ # is deprecated in the Stein release and will be removed in the

+ # future.

+ # POST  /types/{type_id}/encryption

+ # PUT  /types/{type_id}/encryption/{encryption_id}

+ # GET  /types/{type_id}/encryption

+ # GET  /types/{type_id}/encryption/{encryption_id}

+ # DELETE  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption": "rule:admin_api"

+ 

+ # Create volume type encryption.

+ # POST  /types/{type_id}/encryption

+ "volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"

+ 

+ # Show, list volume type encryption.

+ # GET  /types/{type_id}/encryption/{encryption_id}

+ # GET  /types/{type_id}/encryption

+ "volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"

+ 

+ # Update volume type encryption.

+ # PUT  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"

+ 

+ # Delete volume type encryption.

+ # DELETE  /types/{type_id}/encryption/{encryption_id}

+ "volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"

+ 

+ # List or show volume type with access type extra specs attribute.

+ # GET  /types/{type_id}

+ # GET  /types

+ "volume_extension:access_types_extra_specs": "rule:admin_api"

+ 

+ # List or show volume type with access type qos specs id attribute.

+ # GET  /types/{type_id}

+ # GET  /types

+ "volume_extension:access_types_qos_specs_id": "rule:admin_api"

+ 

+ # Volume type access related APIs.

+ # GET  /types

+ # GET  /types/detail

+ # GET  /types/{type_id}

+ # POST  /types

+ "volume_extension:volume_type_access": "rule:admin_or_owner"

+ 

+ # Add volume type access for project.

+ # POST  /types/{type_id}/action (addProjectAccess)

+ "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"

+ 

+ # Remove volume type access for project.

+ # POST  /types/{type_id}/action (removeProjectAccess)

+ "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"

+ 

+ # Extend a volume.

+ # POST  /volumes/{volume_id}/action (os-extend)

+ "volume:extend": "rule:admin_or_owner"

+ 

+ # Extend a attached volume.

+ # POST  /volumes/{volume_id}/action (os-extend)

+ "volume:extend_attached_volume": "rule:admin_or_owner"

+ 

+ # Revert a volume to a snapshot.

+ # POST  /volumes/{volume_id}/action (revert)

+ "volume:revert_to_snapshot": "rule:admin_or_owner"

+ 

+ # Reset status of a volume.

+ # POST  /volumes/{volume_id}/action (os-reset_status)

+ "volume_extension:volume_admin_actions:reset_status": "rule:admin_api"

+ 

+ # Retype a volume.

+ # POST  /volumes/{volume_id}/action (os-retype)

+ "volume:retype": "rule:admin_or_owner"

+ 

+ # Update a volume's readonly flag.

+ # POST  /volumes/{volume_id}/action (os-update_readonly_flag)

+ "volume:update_readonly_flag": "rule:admin_or_owner"

+ 

+ # Force delete a volume.

+ # POST  /volumes/{volume_id}/action (os-force_delete)

+ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api"

+ 

+ # Upload a volume to image with public visibility.

+ # POST  /volumes/{volume_id}/action (os-volume_upload_image)

+ "volume_extension:volume_actions:upload_public": "rule:admin_api"

+ 

+ # Upload a volume to image.

+ # POST  /volumes/{volume_id}/action (os-volume_upload_image)

+ "volume_extension:volume_actions:upload_image": "rule:admin_or_owner"

+ 

+ # Force detach a volume.

+ # POST  /volumes/{volume_id}/action (os-force_detach)

+ "volume_extension:volume_admin_actions:force_detach": "rule:admin_api"

+ 

+ # migrate a volume to a specified host.

+ # POST  /volumes/{volume_id}/action (os-migrate_volume)

+ "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"

+ 

+ # Complete a volume migration.

+ # POST  /volumes/{volume_id}/action (os-migrate_volume_completion)

+ "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"

+ 

+ # Initialize volume attachment.

+ # POST  /volumes/{volume_id}/action (os-initialize_connection)

+ "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"

+ 

+ # Terminate volume attachment.

+ # POST  /volumes/{volume_id}/action (os-terminate_connection)

+ "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"

+ 

+ # Roll back volume status to 'in-use'.

+ # POST  /volumes/{volume_id}/action (os-roll_detaching)

+ "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"

+ 

+ # Mark volume as reserved.

+ # POST  /volumes/{volume_id}/action (os-reserve)

+ "volume_extension:volume_actions:reserve": "rule:admin_or_owner"

+ 

+ # Unmark volume as reserved.

+ # POST  /volumes/{volume_id}/action (os-unreserve)

+ "volume_extension:volume_actions:unreserve": "rule:admin_or_owner"

+ 

+ # Begin detach volumes.

+ # POST  /volumes/{volume_id}/action (os-begin_detaching)

+ "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"

+ 

+ # Add attachment metadata.

+ # POST  /volumes/{volume_id}/action (os-attach)

+ "volume_extension:volume_actions:attach": "rule:admin_or_owner"

+ 

+ # Clear attachment metadata.

+ # POST  /volumes/{volume_id}/action (os-detach)

+ "volume_extension:volume_actions:detach": "rule:admin_or_owner"

+ 

+ # List volume transfer.

+ # GET  /os-volume-transfer

+ # GET  /os-volume-transfer/detail

+ # GET  /volume_transfers

+ # GET  /volume-transfers/detail

+ "volume:get_all_transfers": "rule:admin_or_owner"

+ 

+ # Create a volume transfer.

+ # POST  /os-volume-transfer

+ # POST  /volume_transfers

+ "volume:create_transfer": "rule:admin_or_owner"

+ 

+ # Show one specified volume transfer.

+ # GET  /os-volume-transfer/{transfer_id}

+ # GET  /volume-transfers/{transfer_id}

+ "volume:get_transfer": "rule:admin_or_owner"

+ 

+ # Accept a volume transfer.

+ # POST  /os-volume-transfer/{transfer_id}/accept

+ # POST  /volume-transfers/{transfer_id}/accept

+ "volume:accept_transfer": ""

+ 

+ # Delete volume transfer.

+ # DELETE  /os-volume-transfer/{transfer_id}

+ # DELETE  /volume-transfers/{transfer_id}

+ "volume:delete_transfer": "rule:admin_or_owner"

+ 

+ # Show volume's metadata or one specified metadata with a given key.

+ # GET  /volumes/{volume_id}/metadata

+ # GET  /volumes/{volume_id}/metadata/{key}

+ "volume:get_volume_metadata": "rule:admin_or_owner"

+ 

+ # Create volume metadata.

+ # POST  /volumes/{volume_id}/metadata

+ "volume:create_volume_metadata": "rule:admin_or_owner"

+ 

+ # Update volume's metadata or one specified metadata with a given key.

+ # PUT  /volumes/{volume_id}/metadata

+ # PUT  /volumes/{volume_id}/metadata/{key}

+ "volume:update_volume_metadata": "rule:admin_or_owner"

+ 

+ # Delete volume's specified metadata with a given key.

+ # DELETE  /volumes/{volume_id}/metadata/{key}

+ "volume:delete_volume_metadata": "rule:admin_or_owner"

+ 

+ # Volume's image metadata related operation, create, delete, show and

+ # list.

+ # GET  /volumes/detail

+ # GET  /volumes/{volume_id}

+ # POST  /volumes/{volume_id}/action (os-set_image_metadata)

+ # POST  /volumes/{volume_id}/action (os-unset_image_metadata)

+ "volume_extension:volume_image_metadata": "rule:admin_or_owner"

+ 

+ # Update volume admin metadata. It's used in `attach` and `os-

+ # update_readonly_flag` APIs

+ # POST  /volumes/{volume_id}/action (os-update_readonly_flag)

+ # POST  /volumes/{volume_id}/action (os-attach)

+ "volume:update_volume_admin_metadata": "rule:admin_api"

+ 

+ # List type extra specs.

+ # GET  /types/{type_id}/extra_specs

+ "volume_extension:types_extra_specs:index": "rule:admin_api"

+ 

+ # Create type extra specs.

+ # POST  /types/{type_id}/extra_specs

+ "volume_extension:types_extra_specs:create": "rule:admin_api"

+ 

+ # Show one specified type extra specs.

+ # GET  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:show": "rule:admin_api"

+ 

+ # Update type extra specs.

+ # PUT  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:update": "rule:admin_api"

+ 

+ # Delete type extra specs.

+ # DELETE  /types/{type_id}/extra_specs/{extra_spec_key}

+ "volume_extension:types_extra_specs:delete": "rule:admin_api"

+ 

+ # Create volume.

+ # POST  /volumes

+ "volume:create": ""

+ 

+ # Create volume from image.

+ # POST  /volumes

+ "volume:create_from_image": ""

+ 

+ # Show volume.

+ # GET  /volumes/{volume_id}

+ "volume:get": "rule:admin_or_owner"

+ 

+ # List volumes or get summary of volumes.

+ # GET  /volumes

+ # GET  /volumes/detail

+ # GET  /volumes/summary

+ "volume:get_all": "rule:admin_or_owner"

+ 

+ # Update volume or update a volume's bootable status.

+ # PUT  /volumes

+ # POST  /volumes/{volume_id}/action (os-set_bootable)

+ "volume:update": "rule:admin_or_owner"

+ 

+ # Delete volume.

+ # DELETE  /volumes/{volume_id}

+ "volume:delete": "rule:admin_or_owner"

+ 

+ # Force Delete a volume.

+ # DELETE  /volumes/{volume_id}

+ "volume:force_delete": "rule:admin_api"

+ 

+ # List or show volume with host attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_host_attribute": "rule:admin_api"

+ 

+ # List or show volume with tenant attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_tenant_attribute": "rule:admin_or_owner"

+ 

+ # List or show volume with migration status attribute.

+ # GET  /volumes/{volume_id}

+ # GET  /volumes/detail

+ "volume_extension:volume_mig_status_attribute": "rule:admin_api"

+ 

+ # Show volume's encryption metadata.

+ # GET  /volumes/{volume_id}/encryption

+ # GET  /volumes/{volume_id}/encryption/{encryption_key}

+ "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"

+ 

+ # Create multiattach capable volume.

+ # POST  /volumes

+ "volume:multiattach": "rule:admin_or_owner"

+ 

@@ -0,0 +1,50 @@ 

+ ---

+ context_is_admin: role:admin

+ default: role:admin

+ add_image: ''

+ delete_image: ''

+ get_image: ''

+ get_images: ''

+ modify_image: ''

+ publicize_image: role:admin

+ communitize_image: ''

+ copy_from: ''

+ download_image: ''

+ upload_image: ''

+ delete_image_location: ''

+ get_image_location: ''

+ set_image_location: ''

+ add_member: ''

+ delete_member: ''

+ get_member: ''

+ get_members: ''

+ modify_member: ''

+ manage_image_cache: role:admin

+ get_task: ''

+ get_tasks: ''

+ add_task: ''

+ modify_task: ''

+ tasks_api_access: role:admin

+ deactivate: ''

+ reactivate: ''

+ get_metadef_namespace: ''

+ get_metadef_namespaces: ''

+ modify_metadef_namespace: ''

+ add_metadef_namespace: ''

+ get_metadef_object: ''

+ get_metadef_objects: ''

+ modify_metadef_object: ''

+ add_metadef_object: ''

+ list_metadef_resource_types: ''

+ get_metadef_resource_type: ''

+ add_metadef_resource_type_association: ''

+ get_metadef_property: ''

+ get_metadef_properties: ''

+ modify_metadef_property: ''

+ add_metadef_property: ''

+ get_metadef_tag: ''

+ get_metadef_tags: ''

+ modify_metadef_tag: ''

+ add_metadef_tag: ''

+ add_metadef_tags: ''

+ 

@@ -0,0 +1,35 @@ 

+ ---

+ admin_or_creator: role:admin or user:%(creator)s or project_id:%(created_by_project_id)s

+ resource_owner: project_id:%(project_id)s

+ metric_owner: project_id:%(resource.project_id)s

+ get status: role:admin

+ create resource: ''

+ get resource: rule:admin_or_creator or rule:resource_owner

+ update resource: rule:admin_or_creator

+ delete resource: rule:admin_or_creator

+ delete resources: rule:admin_or_creator

+ list resource: rule:admin_or_creator or rule:resource_owner

+ search resource: rule:admin_or_creator or rule:resource_owner

+ create resource type: role:admin

+ delete resource type: role:admin

+ update resource type: role:admin

+ list resource type: ''

+ get resource type: ''

+ get archive policy: ''

+ list archive policy: ''

+ create archive policy: role:admin

+ update archive policy: role:admin

+ delete archive policy: role:admin

+ create archive policy rule: role:admin

+ get archive policy rule: ''

+ list archive policy rule: ''

+ update archive policy rule: role:admin

+ delete archive policy rule: role:admin

+ create metric: ''

+ delete metric: rule:admin_or_creator

+ get metric: rule:admin_or_creator or rule:metric_owner

+ search metric: rule:admin_or_creator or rule:metric_owner

+ list metric: rule:admin_or_creator or rule:metric_owner

+ get measures: rule:admin_or_creator or rule:metric_owner

+ post measures: rule:admin_or_creator

+ 

@@ -0,0 +1,75 @@ 

+ ---

+ context_is_admin: role:admin

+ deny_stack_user: not role:heat_stack_user

+ deny_everybody: "!"

+ cloudformation:ListStacks: rule:deny_stack_user

+ cloudformation:CreateStack: rule:deny_stack_user

+ cloudformation:DescribeStacks: rule:deny_stack_user

+ cloudformation:DeleteStack: rule:deny_stack_user

+ cloudformation:UpdateStack: rule:deny_stack_user

+ cloudformation:CancelUpdateStack: rule:deny_stack_user

+ cloudformation:DescribeStackEvents: rule:deny_stack_user

+ cloudformation:ValidateTemplate: rule:deny_stack_user

+ cloudformation:GetTemplate: rule:deny_stack_user

+ cloudformation:EstimateTemplateCost: rule:deny_stack_user

+ cloudformation:DescribeStackResource: ''

+ cloudformation:DescribeStackResources: rule:deny_stack_user

+ cloudformation:ListStackResources: rule:deny_stack_user

+ cloudwatch:DeleteAlarms: rule:deny_stack_user

+ cloudwatch:DescribeAlarmHistory: rule:deny_stack_user

+ cloudwatch:DescribeAlarms: rule:deny_stack_user

+ cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user

+ cloudwatch:DisableAlarmActions: rule:deny_stack_user

+ cloudwatch:EnableAlarmActions: rule:deny_stack_user

+ cloudwatch:GetMetricStatistics: rule:deny_stack_user

+ cloudwatch:ListMetrics: rule:deny_stack_user

+ cloudwatch:PutMetricAlarm: rule:deny_stack_user

+ cloudwatch:PutMetricData: ''

+ cloudwatch:SetAlarmState: rule:deny_stack_user

+ actions:action: rule:deny_stack_user

+ build_info:build_info: rule:deny_stack_user

+ events:index: rule:deny_stack_user

+ events:show: rule:deny_stack_user

+ resource:index: rule:deny_stack_user

+ resource:metadata: ''

+ resource:signal: ''

+ resource:show: rule:deny_stack_user

+ stacks:abandon: rule:deny_stack_user

+ stacks:create: rule:deny_stack_user

+ stacks:delete: rule:deny_stack_user

+ stacks:detail: rule:deny_stack_user

+ stacks:generate_template: rule:deny_stack_user

+ stacks:global_index: rule:deny_everybody

+ stacks:index: rule:deny_stack_user

+ stacks:list_resource_types: rule:deny_stack_user

+ stacks:list_template_versions: rule:deny_stack_user

+ stacks:list_template_functions: rule:deny_stack_user

+ stacks:lookup: ''

+ stacks:preview: rule:deny_stack_user

+ stacks:resource_schema: rule:deny_stack_user

+ stacks:show: rule:deny_stack_user

+ stacks:template: rule:deny_stack_user

+ stacks:update: rule:deny_stack_user

+ stacks:update_patch: rule:deny_stack_user

+ stacks:preview_update: rule:deny_stack_user

+ stacks:preview_update_patch: rule:deny_stack_user

+ stacks:validate_template: rule:deny_stack_user

+ stacks:snapshot: rule:deny_stack_user

+ stacks:show_snapshot: rule:deny_stack_user

+ stacks:delete_snapshot: rule:deny_stack_user

+ stacks:list_snapshots: rule:deny_stack_user

+ stacks:restore_snapshot: rule:deny_stack_user

+ software_configs:global_index: rule:deny_everybody

+ software_configs:index: rule:deny_stack_user

+ software_configs:create: rule:deny_stack_user

+ software_configs:show: rule:deny_stack_user

+ software_configs:delete: rule:deny_stack_user

+ software_deployments:index: rule:deny_stack_user

+ software_deployments:create: rule:deny_stack_user

+ software_deployments:show: rule:deny_stack_user

+ software_deployments:update: rule:deny_stack_user

+ software_deployments:delete: rule:deny_stack_user

+ software_deployments:metadata: ''

+ service:index: rule:context_is_admin

+ resource_types:OS::Nova::Flavor: rule:context_is_admin

+ 

@@ -22,7 +22,7 @@ 

  # Authorize OAUTH1 request token.

  # PUT  /v3/OS-OAUTH1/authorize/{request_token_id}

  # Intended scope(s): project

- "identity:authorize_request_token": "rule:admin"

+ "identity:authorize_request_token": "rule:admin or rule:owner"

  

  # Get OAUTH1 access token for user by access token ID.

  # GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

The added file is too large to be shown here, see it at: services/keystone/stock-policy.yaml
@@ -0,0 +1,1 @@ 

+ ---

@@ -0,0 +1,671 @@ 

+ # Rule for cloud admin access

+ "context_is_admin": "role:admin"

+ 

+ # Rule for resource owner access

+ "owner": "tenant_id:%(tenant_id)s"

+ 

+ # Rule for admin or owner access

+ "admin_or_owner": "rule:context_is_admin or rule:owner"

+ 

+ # Rule for advsvc role access

+ "context_is_advsvc": "role:advsvc"

+ 

+ # Rule for admin or network owner access

+ "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"

+ 

+ # Rule for resource owner, admin or network owner access

+ "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"

+ 

+ # Rule only for admin access

+ "admin_only": "rule:context_is_admin"

+ 

+ # Rule for regular user access

+ "regular_user": ""

+ 

+ # Rule of shared network

+ "shared": "field:networks:shared=True"

+ 

+ # Default access rule

+ "default": "rule:admin_or_owner"

+ 

+ # Rule for common parent owner check

+ "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"

+ 

+ # Rule of shared address scope

+ "shared_address_scopes": "field:address_scopes:shared=True"

+ 

+ # Access rule for creating address scope

+ "create_address_scope": ""

+ 

+ # Access rule for creating shared address scope

+ "create_address_scope:shared": "rule:admin_only"

+ 

+ # Access rule for getting address scope

+ "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"

+ 

+ # Access rule for updating address scope

+ "update_address_scope": "rule:admin_or_owner"

+ 

+ # Access rule for updating shared attribute of address scope

+ "update_address_scope:shared": "rule:admin_only"

+ 

+ # Access rule for deleting address scope

+ "delete_address_scope": "rule:admin_or_owner"

+ 

+ # Access rule for getting agent

+ "get_agent": "rule:admin_only"

+ 

+ # Access rule for updating agent

+ "update_agent": "rule:admin_only"

+ 

+ # Access rule for deleting agent

+ "delete_agent": "rule:admin_only"

+ 

+ # Access rule for adding network to dhcp agent

+ "create_dhcp-network": "rule:admin_only"

+ 

+ # Access rule for listing networks on the dhcp agent

+ "get_dhcp-networks": "rule:admin_only"

+ 

+ # Access rule for removing network from dhcp agent

+ "delete_dhcp-network": "rule:admin_only"

+ 

+ # Access rule for adding router to l3 agent

+ "create_l3-router": "rule:admin_only"

+ 

+ # Access rule for listing routers on the l3 agent

+ "get_l3-routers": "rule:admin_only"

+ 

+ # Access rule for deleting router from l3 agent

+ "delete_l3-router": "rule:admin_only"

+ 

+ # Access rule for listing dhcp agents hosting the network

+ "get_dhcp-agents": "rule:admin_only"

+ 

+ # Access rule for listing l3 agents hosting the router

+ "get_l3-agents": "rule:admin_only"

+ 

+ # Access rule for getting lbaas agent hosting the pool

+ "get_loadbalancer-agent": "rule:admin_only"

+ 

+ # Access rule for listing pools on the lbaas agent

+ "get_loadbalancer-pools": "rule:admin_only"

+ 

+ # Access rule for listing loadbalancers on the lbaasv2 agent

+ "get_agent-loadbalancers": "rule:admin_only"

+ 

+ # Access rule for getting lbaasv2 agent hosting the loadbalancer

+ "get_loadbalancer-hosting-agent": "rule:admin_only"

+ 

+ # Access rule for getting a project's auto-allocated topology

+ "get_auto_allocated_topology": "rule:admin_or_owner"

+ 

+ # Access rule for deleting a project's auto-allocated topology

+ "delete_auto_allocated_topology": "rule:admin_or_owner"

+ 

+ # Access rule for creating network profile

+ "create_network_profile": "rule:admin_only"

+ 

+ # Access rule for listing network profiles

+ "get_network_profiles": ""

+ 

+ # Access rule for getting network profile

+ "get_network_profile": ""

+ 

+ # Access rule for updating network profile

+ "update_network_profile": "rule:admin_only"

+ 

+ # Access rule for deleting network profile

+ "delete_network_profile": "rule:admin_only"

+ 

+ # Access rule for listing policy profile

+ "get_policy_profiles": ""

+ 

+ # Access rule for getting policy prodile

+ "get_policy_profile": ""

+ 

+ # Access rule for updating policy profile

+ "update_policy_profiles": "rule:admin_only"

+ 

+ # Access rule for creating flavor

+ "create_flavor": "rule:admin_only"

+ 

+ # Access rule for listing flavors

+ "get_flavors": "rule:regular_user"

+ 

+ # Access rule for getting flavor

+ "get_flavor": "rule:regular_user"

+ 

+ # Access rule for updating flavor

+ "update_flavor": "rule:admin_only"

+ 

+ # Access rule for deleting flavor

+ "delete_flavor": "rule:admin_only"

+ 

+ # Access rule for creating service profile

+ "create_service_profile": "rule:admin_only"

+ 

+ # Access rule for listing service profiles

+ "get_service_profiles": "rule:admin_only"

+ 

+ # Access rule for getting service profile

+ "get_service_profile": "rule:admin_only"

+ 

+ # Access rule for updating service profile

+ "update_service_profile": "rule:admin_only"

+ 

+ # Access rule for deleting service profile

+ "delete_service_profile": "rule:admin_only"

+ 

+ # Access rule for associating flavor with service profile

+ "create_flavor_service_profile": "rule:admin_only"

+ 

+ # Access rule for disassociating flavor with service profile

+ "delete_flavor_service_profile": "rule:admin_only"

+ 

+ # Access rule for getting flavor associatingwith the given service

+ # profiles

+ "get_flavor_service_profile": "rule:regular_user"

+ 

+ # Access rule for creating floating IP

+ "create_floatingip": "rule:regular_user"

+ 

+ # Access rule for creating floating IP with fixed floating IP address

+ "create_floatingip:floating_ip_address": "rule:admin_only"

+ 

+ # Access rule for getting floating IP

+ "get_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for updating floating IP

+ "update_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for deleting floating IP

+ "delete_floatingip": "rule:admin_or_owner"

+ 

+ # Access rule for creating floating IP port forwarding

+ "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting floating IP port forwarding

+ "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting floating IP port forwardings

+ "get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for updating floating IP port forwarding

+ "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for deleting floating IP port forwarding

+ "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"

+ 

+ # Access rule for getting loggable resources

+ "get_loggable_resources": "rule:admin_only"

+ 

+ # Access rule for creating network log

+ "create_log": "rule:admin_only"

+ 

+ # Access rule for getting network log

+ "get_log": "rule:admin_only"

+ 

+ # Access rule for getting network logs

+ "get_logs": "rule:admin_only"

+ 

+ # Access rule for updating network log

+ "update_log": "rule:admin_only"

+ 

+ # Access rule for deleting network log

+ "delete_log": "rule:admin_only"

+ 

+ # Access rule for creating metering label

+ "create_metering_label": "rule:admin_only"

+ 

+ # Access rule for getting metering label

+ "get_metering_label": "rule:admin_only"

+ 

+ # Access rule for deleting metering label

+ "delete_metering_label": "rule:admin_only"

+ 

+ # Access rule for creating metering label rule

+ "create_metering_label_rule": "rule:admin_only"

+ 

+ # Access rule for getting metering label rule

+ "get_metering_label_rule": "rule:admin_only"

+ 

+ # Access rule for deleting metering label rule

+ "delete_metering_label_rule": "rule:admin_only"

+ 

+ # Rule of external network

+ "external": "field:networks:router:external=True"

+ 

+ # Access rule for creating network

+ "create_network": ""

+ 

+ # Access rule for creating shared network

+ "create_network:shared": "rule:admin_only"

+ 

+ # Access rule for creating external network

+ "create_network:router:external": "rule:admin_only"

+ 

+ # Access rule for creating network with is_default

+ "create_network:is_default": "rule:admin_only"

+ 

+ # Access rule for creating network with segments

+ "create_network:segments": "rule:admin_only"

+ 

+ # Access rule for creating network with provider network_type

+ "create_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for creating network with provider physical_network

+ "create_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for creating networkwith provider segmentation_id

+ "create_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for getting shared network

+ "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"

+ 

+ # Access rule for getting external network

+ "get_network:router:external": "rule:regular_user"

+ 

+ # Access rule for getting segments of network

+ "get_network:segments": "rule:admin_only"

+ 

+ # Access rule for getting provider network_type of network

+ "get_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for getting provider physical_network of network

+ "get_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for getting provider segmentation_id of network

+ "get_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for getting queue_id of network

+ "get_network:queue_id": "rule:admin_only"

+ 

+ # Access rule for updating network

+ "update_network": "rule:admin_or_owner"

+ 

+ # Access rule for updating segments of network

+ "update_network:segments": "rule:admin_only"

+ 

+ # Access rule for updating shared attribute of network

+ "update_network:shared": "rule:admin_only"

+ 

+ # Access rule for updating provider network_type of network

+ "update_network:provider:network_type": "rule:admin_only"

+ 

+ # Access rule for updating provider physical_network of network

+ "update_network:provider:physical_network": "rule:admin_only"

+ 

+ # Access rule for updating provider segmentation_id of network

+ "update_network:provider:segmentation_id": "rule:admin_only"

+ 

+ # Access rule for updating external attribute of network

+ "update_network:router:external": "rule:admin_only"

+ 

+ # Access rule for deleting network

+ "delete_network": "rule:admin_or_owner"

+ 

+ # Access rule for getting network IP availabilities

+ "get_network_ip_availabilities": "rule:admin_only"

+ 

+ # Access rule for getting network IP availability

+ "get_network_ip_availability": "rule:admin_only"

+ 

+ # Rule of port with network device_owner

+ "network_device": "field:port:device_owner=~^network:"

+ 

+ # Rule for data plane integration

+ "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"

+ 

+ # Access rule for creating port

+ "create_port": ""

+ 

+ # Access rule for creating port with device_owner

+ "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with mac_address

+ "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with fixed_ips

+ "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port specifying IP address in fixed_ips

+ "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port specifying subnet ID in fixed_ips

+ "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

+ 

+ # Access rule for creating port with port_security_enabled

+ "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with binging host_id

+ "create_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for creating port with binding profile

+ "create_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for creating portwith mac_learning_enabled attribute

+ "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for creating port with allowed_address_pairs attribute

+ "create_port:allowed_address_pairs": "rule:admin_or_network_owner"

+ 

+ # Access rule for getting port

+ "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"

+ 

+ # Access rule for getting queue_id of port

+ "get_port:queue_id": "rule:admin_only"

+ 

+ # Access rule for getting binding vif_type of port

+ "get_port:binding:vif_type": "rule:admin_only"

+ 

+ # Access rule for getting binding vif_details of port

+ "get_port:binding:vif_details": "rule:admin_only"

+ 

+ # Access rule for getting binding vnic_type of port

+ "get_port:binding:vnic_type": "rule:admin_or_owner"

+ 

+ # Access rule for getting binding host_id of port

+ "get_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for getting binding profile of port

+ "get_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for updating port

+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc"

+ 

+ # Access rule for updating device_owner of port

+ "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating mac_address of port

+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"

+ 

+ # Access rule for updating fixed_ips of port

+ "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating port specifying IP address in fixed_ips

+ "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating port specifying subnet ID in fixed_ips

+ "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

+ 

+ # Access rule for updating port_security_enabled of port

+ "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating binding host_id of port

+ "update_port:binding:host_id": "rule:admin_only"

+ 

+ # Access rule for updating binding profile of port

+ "update_port:binding:profile": "rule:admin_only"

+ 

+ # Access rule for updating mac_learning_enabled of port

+ "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"

+ 

+ # Access rule for updating allowed_address_pairs of port

+ "update_port:allowed_address_pairs": "rule:admin_or_network_owner"

+ 

+ # Access rule for updating data_plane_status of port

+ "update_port:data_plane_status": "rule:admin_or_data_plane_int"

+ 

+ # Access rule for deleting port

+ "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"

+ 

+ # Access rule for getting qos policy

+ "get_policy": "rule:regular_user"

+ 

+ # Access rule for creating qos policy

+ "create_policy": "rule:admin_only"

+ 

+ # Access rule for updating qos policy

+ "update_policy": "rule:admin_only"

+ 

+ # Access rule for deleting qos policy

+ "delete_policy": "rule:admin_only"

+ 

+ # Access rule for getting all available qos rule types

+ "get_rule_type": "rule:regular_user"

+ 

+ # Access rule for getting qos bandwidth limit rule

+ "get_policy_bandwidth_limit_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos bandwidth limit rule

+ "create_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for updatingqos bandwidth limit rule

+ "update_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for deletingqos bandwidth limit rule

+ "delete_policy_bandwidth_limit_rule": "rule:admin_only"

+ 

+ # Access rule for getting qos dscp marking rule

+ "get_policy_dscp_marking_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos dscp marking rule

+ "create_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for updating qos dscp marking rule

+ "update_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for deleting qos dscp marking rule

+ "delete_policy_dscp_marking_rule": "rule:admin_only"

+ 

+ # Access rule for getting qos minimum bandwidth rule

+ "get_policy_minimum_bandwidth_rule": "rule:regular_user"

+ 

+ # Access rule for creating qos minimum bandwidth rule

+ "create_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Access rule for updating qos minimum bandwidth rule

+ "update_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Access rule for deleting qos minimum bandwidth rule

+ "delete_policy_minimum_bandwidth_rule": "rule:admin_only"

+ 

+ # Rule of restrict wildcard

+ "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"

+ 

+ # Access rule for creating rbac policy

+ "create_rbac_policy": ""

+ 

+ # Access rule for creating rbac policy with special target tenant

+ "create_rbac_policy:target_tenant": "rule:restrict_wildcard"

+ 

+ # Access rule for updating rbac policy

+ "update_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for updating target_tenant attribute of rbac policy

+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"

+ 

+ # Access rule for getting rbac policy

+ "get_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for deleting rbac policy

+ "delete_rbac_policy": "rule:admin_or_owner"

+ 

+ # Access rule for creating router

+ "create_router": "rule:regular_user"

+ 

+ # Access rule for creating router with distributed attribute

+ "create_router:distributed": "rule:admin_only"

+ 

+ # Access rule for creating router with ha attribute

+ "create_router:ha": "rule:admin_only"

+ 

+ # Access rule for creating router with external_gateway_info

+ # information

+ "create_router:external_gateway_info": "rule:admin_or_owner"

+ 

+ # Access rule for creating router with external_gateway_info

+ # network_id attribute

+ "create_router:external_gateway_info:network_id": "rule:admin_or_owner"

+ 

+ # Access rule for creating router with external_gateway_info

+ # enable_snat attribute

+ "create_router:external_gateway_info:enable_snat": "rule:admin_only"

+ 

+ # Access rule for creating router with external_gateway_info

+ # external_fixed_ips attribute

+ "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

+ 

+ # Access rule for getting router

+ "get_router": "rule:admin_or_owner"

+ 

+ # Access rule for getting ha attribute of router

+ "get_router:ha": "rule:admin_only"

+ 

+ # Access rule for getting distributed attribute of router

+ "get_router:distributed": "rule:admin_only"

+ 

+ # Access rule for updating router

+ "update_router": "rule:admin_or_owner"

+ 

+ # Access rule for updating distributed attribute of router

+ "update_router:distributed": "rule:admin_only"

+ 

+ # Access rule for updating ha attribute of router

+ "update_router:ha": "rule:admin_only"

+ 

+ # Access rule for updating external_gateway_info information of router

+ "update_router:external_gateway_info": "rule:admin_or_owner"

+ 

+ # Access rule for updating external_gateway_info network_id attribute

+ # of router

+ "update_router:external_gateway_info:network_id": "rule:admin_or_owner"

+ 

+ # Access rule for updating external_gateway_info enable_snat attribute

+ # of router

+ "update_router:external_gateway_info:enable_snat": "rule:admin_only"

+ 

+ # Access rule for updating external_gateway_info external_fixed_ips

+ # attribute of router

+ "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

+ 

+ # Access rule for deleting router

+ "delete_router": "rule:admin_or_owner"

+ 

+ # Access rule for adding router interface

+ "add_router_interface": "rule:admin_or_owner"

+ 

+ # Access rule for removing router interface

+ "remove_router_interface": "rule:admin_or_owner"

+ 

+ # Access rule for creating security group

+ "create_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for getting security group

+ "get_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for getting security groups

+ "get_security_groups": "rule:admin_or_owner"

+ 

+ # Access rule for updating security group

+ "update_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for deleting security group

+ "delete_security_group": "rule:admin_or_owner"

+ 

+ # Access rule for creating security group rule

+ "create_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for getting security group rule

+ "get_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for getting security groups rules

+ "get_security_group_rules": "rule:admin_or_owner"

+ 

+ # Access rule for deleting security group rule

+ "delete_security_group_rule": "rule:admin_or_owner"

+ 

+ # Access rule for creating segment

+ "create_segment": "rule:admin_only"

+ 

+ # Access rule for getting segment

+ "get_segment": "rule:admin_only"

+ 

+ # Access rule for updating segment

+ "update_segment": "rule:admin_only"

+ 

+ # Access rule for deleting segment

+ "delete_segment": "rule:admin_only"

+ 

+ # Access rule for listing all service providers

+ "get_service_provider": "rule:regular_user"

+ 

+ # Access rule for creating subnet

+ "create_subnet": "rule:admin_or_network_owner"

+ 

+ # Access rule for creating subnet with segment_id

+ "create_subnet:segment_id": "rule:admin_only"

+ 

+ # Access rule for creating subnet with service_type

+ "create_subnet:service_types": "rule:admin_only"

+ 

+ # Access rule for getting subnet

+ "get_subnet": "rule:admin_or_owner or rule:shared"

+ 

+ # Access rule for getting segment_id of subnet

+ "get_subnet:segment_id": "rule:admin_only"

+ 

+ # Access rule for updating subnet

+ "update_subnet": "rule:admin_or_network_owner"

+ 

+ # Access rule for updating service_types of subnet

+ "update_subnet:service_types": "rule:admin_only"

+ 

+ # Access rule for deleting subnet

+ "delete_subnet": "rule:admin_or_network_owner"

+ 

+ # Rule of shared subnetpool

+ "shared_subnetpools": "field:subnetpools:shared=True"

+ 

+ # Access rule for creating subnetpool

+ "create_subnetpool": ""

+ 

+ # Access rule for creating shared subnetpool

+ "create_subnetpool:shared": "rule:admin_only"

+ 

+ # Access rule for creating subnetpool with is_default

+ "create_subnetpool:is_default": "rule:admin_only"

+ 

+ # Access rule for getting subnetpool

+ "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"

+ 

+ # Access rule for updating subnetpool

+ "update_subnetpool": "rule:admin_or_owner"

+ 

+ # Access rule for updating is_default of subnetpool

+ "update_subnetpool:is_default": "rule:admin_only"

+ 

+ # Access rule for deleting subnetpool

+ "delete_subnetpool": "rule:admin_or_owner"

+ 

+ # Access rule for creating trunk port

+ "create_trunk": "rule:regular_user"

+ 

+ # Access rule for getting trunk port

+ "get_trunk": "rule:admin_or_owner"

+ 

+ # Access rule for deleting trunk port

+ "delete_trunk": "rule:admin_or_owner"

+ 

+ # Access rule for listing subports attached to trunk

+ "get_subports": ""

+ 

+ # Access rule for adding subports to the trunk

+ "add_subports": "rule:admin_or_owner"

+ 

+ # Access rule for deleting subports from the trunk

+ "remove_subports": "rule:admin_or_owner"

+ 

+ # Access rule for creating lsn

+ "create_lsn": "rule:admin_only"

+ 

+ # Access rule for getting lsn

+ "get_lsn": "rule:admin_only"

+ 

+ # Access rule for creating qos queue

+ "create_qos_queue": "rule:admin_only"

+ 

+ # Access rule for getting qos queue

+ "get_qos_queue": "rule:admin_only"

+ 

@@ -0,0 +1,816 @@ 

+ # Reset the state of a given server

+ #POST /servers/{server_id}/action

+ # (os-resetState)

+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api"

+ # Inject network information into the server

+ #POST

+ # /servers/{server_id}/action (injectNetworkInfo)

+ "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"

+ # Reset networking on a server

+ #POST /servers/{server_id}/action

+ # (resetNetwork)

+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api"

+ # Change the administrative password for a server

+ #POST

+ # /servers/{server_id}/action (changePassword)

+ "os_compute_api:os-admin-password": "rule:admin_or_owner"

+ # Create, list, update, and delete guest agent builds

+ #

+ #This is XenAPI

+ # driver specific. It is used to force the upgrade of the

+ #XenAPI guest

+ # agent on instance boot.

+ #

+ #GET /os-agents

+ #POST /os-agents

+ #PUT /os-

+ # agents/{agent_build_id}

+ #DELETE /os-agents/{agent_build_id}

+ "os_compute_api:os-agents": "rule:admin_api"

+ # Create or replace metadata for an aggregate

+ #POST /os-

+ # aggregates/{aggregate_id}/action (set_metadata)

+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api"

+ # Add a host to an aggregate.

+ #POST /os-

+ # aggregates/{aggregate_id}/action (add_host)

+ "os_compute_api:os-aggregates:add_host": "rule:admin_api"

+ # Create an aggregate

+ #POST /os-aggregates

+ "os_compute_api:os-aggregates:create": "rule:admin_api"

+ # Remove a host from an aggregate

+ #POST /os-

+ # aggregates/{aggregate_id}/action (remove_host)

+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api"

+ # Update name and/or availability zone for an aggregate

+ #PUT /os-

+ # aggregates/{aggregate_id}

+ "os_compute_api:os-aggregates:update": "rule:admin_api"

+ # List all aggregates

+ #GET /os-aggregates

+ "os_compute_api:os-aggregates:index": "rule:admin_api"

+ # Delete an aggregate

+ #DELETE /os-aggregates/{aggregate_id}

+ "os_compute_api:os-aggregates:delete": "rule:admin_api"

+ # Show details for an aggregate.

+ #GET /os-aggregates/{aggregate_id}

+ "os_compute_api:os-aggregates:show": "rule:admin_api"

+ # Create an assisted volume snapshot

+ #POST /os-assisted-volume-

+ # snapshots

+ "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"

+ # Delete an assisted volume snapshot

+ #DELETE /os-assisted-volume-

+ # snapshots/{snapshot_id}

+ "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"

+ # List port interfaces or show details of a port interface attached to

+ # a server

+ #GET /servers/{server_id}/os-interface

+ #GET

+ # /servers/{server_id}/os-interface/{port_id}

+ "os_compute_api:os-attach-interfaces": "rule:admin_or_owner"

+ # Attach an interface to a server

+ #POST /servers/{server_id}/os-

+ # interface

+ "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"

+ # Detach an interface from a server

+ #DELETE /servers/{server_id}/os-

+ # interface/{port_id}

+ "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"

+ # Lists availability zone information without host information

+ #GET os-

+ # availability-zone

+ "os_compute_api:os-availability-zone:list": "rule:admin_or_owner"

+ # Lists detailed availability zone information with host information

+ # GET /os-availability-zone/detail

+ "os_compute_api:os-availability-zone:detail": "rule:admin_api"

+ # List and show details of bare metal nodes.

+ #

+ #These APIs are proxy

+ # calls to the Ironic service and are deprecated.

+ #

+ #GET /os-baremetal-

+ # nodes

+ #GET /os-baremetal-nodes/{node_id}

+ "os_compute_api:os-baremetal-nodes": "rule:admin_api"

+ #

+ "context_is_admin": "role:admin"

+ #

+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s"

+ #

+ "admin_api": "is_admin:True"

+ #

+ "network:attach_external_network": "is_admin:True"

+ # Update an existing cell

+ #PUT /os-cells/{cell_id}

+ "os_compute_api:os-cells:update": "rule:admin_api"

+ # Create a new cell

+ #POST /os-cells

+ "os_compute_api:os-cells:create": "rule:admin_api"

+ # List and get detailed info of a given cell or all cells

+ #GET /os-

+ # cells

+ #GET /os-cells/detail

+ #GET /os-cells/info

+ #GET /os-

+ # cells/capacities

+ #GET /os-cells/{cell_id}

+ "os_compute_api:os-cells": "rule:admin_api"

+ # Sync instances info in all cells

+ #POST /os-cells/sync_instances

+ "os_compute_api:os-cells:sync_instances": "rule:admin_api"

+ # Remove a cell

+ #DELETE /os-cells/{cell_id}

+ "os_compute_api:os-cells:delete": "rule:admin_api"

+ # Different cell filter to route a build away from a particular cell

+ # This policy is read by nova-scheduler process.

+ "cells_scheduler_filter:DifferentCellFilter": "is_admin:True"

+ # Target cell filter to route a build to a particular cell

+ #

+ #This

+ # policy is read by nova-scheduler process.

+ "cells_scheduler_filter:TargetCellFilter": "is_admin:True"

+ # Add 'config_drive' attribute in the server response.

+ #GET

+ # /servers/{id}

+ #GET /servers/detail

+ "os_compute_api:os-config-drive": "rule:admin_or_owner"

+ # Show console connection information for a given console

+ # authentication token

+ #GET /os-console-auth-tokens/{console_token}

+ "os_compute_api:os-console-auth-tokens": "rule:admin_api"

+ # Show console output for a server

+ #POST /servers/{server_id}/action

+ # (os-getConsoleOutput)

+ "os_compute_api:os-console-output": "rule:admin_or_owner"

+ # Create a console for a server instance

+ #POST

+ # /servers/{server_id}/consoles

+ "os_compute_api:os-consoles:create": "rule:admin_or_owner"

+ # Show console details for a server instance

+ #GET

+ # /servers/{server_id}/consoles/{console_id}

+ "os_compute_api:os-consoles:show": "rule:admin_or_owner"

+ # Delete a console for a server instance

+ #DELETE

+ # /servers/{server_id}/consoles/{console_id}

+ "os_compute_api:os-consoles:delete": "rule:admin_or_owner"

+ # List all consoles for a server instance

+ #GET

+ # /servers/{server_id}/consoles

+ "os_compute_api:os-consoles:index": "rule:admin_or_owner"

+ # Create a back up of a server

+ #POST /servers/{server_id}/action

+ # (createBackup)

+ "os_compute_api:os-create-backup": "rule:admin_or_owner"

+ # Restore a soft deleted server or force delete a server before

+ # deferred cleanup

+ #POST /servers/{server_id}/action (restore)

+ #POST

+ # /servers/{server_id}/action (forceDelete)

+ "os_compute_api:os-deferred-delete": "rule:admin_or_owner"

+ # Evacuate a server from a failed host to a new host

+ #POST

+ # /servers/{server_id}/action (evacuate)

+ "os_compute_api:os-evacuate": "rule:admin_api"

+ # Add `OS-EXT-AZ:availability_zone` into the server response.

+ #GET

+ # /servers/{id}

+ #GET /servers/detail

+ "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"

+ # Return extended attributes for server.

+ #

+ #This rule will control the

+ # visibility for a set of servers attributes:

+ #    OS-EXT-SRV-ATTR:host

+ # OS-EXT-SRV-ATTR:instance_name

+ #    OS-EXT-SRV-ATTR:reservation_id

+ # (since microversion 2.3)

+ #    OS-EXT-SRV-ATTR:launch_index (since

+ # microversion 2.3)

+ #    OS-EXT-SRV-ATTR:hostname (since microversion

+ # 2.3)

+ #    OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)

+ #    OS-

+ # EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)

+ #    OS-EXT-SRV-

+ # ATTR:root_device_name (since microversion 2.3)

+ #    OS-EXT-SRV-

+ # ATTR:user_data (since microversion 2.3)

+ #GET /servers/{id}

+ #GET

+ # /servers/detail

+ "os_compute_api:os-extended-server-attributes": "rule:admin_api"

+ # Return extended status in the response of server.

+ #

+ #This policy will

+ # control the visibility for a set of attributes:

+ #    OS-EXT-

+ # STS:task_state

+ #    OS-EXT-STS:vm_state

+ #    OS-EXT-STS:power_state

+ # GET /servers/{id}

+ #GET /servers/detail

+ "os_compute_api:os-extended-status": "rule:admin_or_owner"

+ # Return 'os-extended-volumes:volumes_attached' in the response of

+ # server.

+ #GET /servers/{id}

+ #GET /servers/detail

+ "os_compute_api:os-extended-volumes": "rule:admin_or_owner"

+ # Lists available extensions and shows information for an extension by

+ # alias.

+ #GET /extensions

+ #GET /extensions/{alias}

+ "os_compute_api:extensions": "rule:admin_or_owner"

+ #

+ "os_compute_api:os-fixed-ips": "rule:admin_api"

+ # Add flavor access to a tenant

+ #POST /flavors/{flavor_id}/action

+ # (addTenantAccess)

+ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"

+ # Remove flavor access from a tenant

+ #POST /flavors/{flavor_id}/action

+ # (removeTenantAccess)

+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"

+ # Allow the listing of flavor access information

+ #

+ #Adds the os-flavor-

+ # access:is_public key into several flavor APIs.

+ #

+ #It also allows

+ # access to the full list of tenants that have access

+ #to a flavor via

+ # an os-flavor-access API.

+ #

+ #GET /flavors/{flavor_id}/os-flavor-access

+ # GET /flavors/detail

+ #GET /flavors/{flavor_id}

+ #POST /flavors

+ "os_compute_api:os-flavor-access": "rule:admin_or_owner"

+ # Show an extra spec for a flavor

+ #GET /flavors/{flavor_id}/os-

+ # extra_specs/{flavor_extra_spec_key}

+ "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"

+ # Create extra specs for a flavor

+ #POST /flavors/{flavor_id}/os-

+ # extra_specs/

+ "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"

+ # Update an extra spec for a flavor

+ #PUT /flavors/{flavor_id}/os-

+ # extra_specs/{flavor_extra_spec_key}

+ "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"

+ # Delete an extra spec for a flavor

+ #DELETE /flavors/{flavor_id}/os-

+ # extra_specs/{flavor_extra_spec_key}

+ "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"

+ # List extra specs for a flavor

+ #GET /flavors/{flavor_id}/os-

+ # extra_specs/

+ "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"

+ # Create and delete Flavors

+ #POST /flavors

+ #DELETE /flavors/{flavor_id}

+ "os_compute_api:os-flavor-manage": "rule:admin_api"

+ # Adds the rxtx_factor key into some Flavor APIs

+ #GET /flavors/detail

+ # GET /flavors/{flavor_id}

+ #POST /flavors

+ "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"

+ #

+ "os_compute_api:flavors": "rule:admin_or_owner"

+ # List registered DNS domains, and CRUD actions on domain names.

+ #

+ #Note

+ # this only works with nova-network and this API is deprecated.

+ #GET

+ # /os-floating-ip-dns

+ #GET /os-floating-ip-dns/{domain}/entries/{ip}

+ # GET /os-floating-ip-dns/{domain}/entries/{name}

+ #PUT /os-floating-ip-

+ # dns/{domain}/entries/{name}

+ #DELETE /os-floating-ip-

+ # dns/{domain}/entries/{name}

+ "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"

+ # Create or update a DNS domain.

+ #PUT /os-floating-ip-dns/{domain}

+ "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"

+ # Delete a DNS domain.

+ #DELETE /os-floating-ip-dns/{domain}

+ "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"

+ # List floating IP pools. This API is deprecated.

+ #GET /os-floating-ip-

+ # pools

+ "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"

+ # Manage a project's floating IPs. These APIs are all deprecated.

+ #POST

+ # /servers/{server_id}/action (addFloatingIp)

+ #POST

+ # /servers/{server_id}/action (removeFloatingIp)

+ #GET /os-floating-ips

+ # POST /os-floating-ips

+ #GET /os-floating-ips/{floating_ip_id}

+ #DELETE

+ # /os-floating-ips/{floating_ip_id}

+ "os_compute_api:os-floating-ips": "rule:admin_or_owner"

+ # Bulk-create, delete, and list floating IPs. API is deprecated.

+ #GET

+ # /os-floating-ips-bulk

+ #POST /os-floating-ips-bulk

+ #PUT /os-floating-

+ # ips-bulk/delete

+ #GET /os-floating-ips-bulk/{host_name}

+ "os_compute_api:os-floating-ips-bulk": "rule:admin_api"

+ # Pings instances for all projects and reports which instances

+ #are

+ # alive.

+ #

+ #os-fping API is deprecated as this works only with nova-

+ # network

+ #which itself is deprecated.

+ #GET /os-fping?all_tenants=true

+ "os_compute_api:os-fping:all_tenants": "rule:admin_api"

+ # Pings instances, particular instance and reports which instances

+ #are

+ # alive.

+ #

+ #os-fping API is deprecated as this works only with nova-

+ # network

+ #which itself is deprecated.

+ #GET /os-fping

+ #GET /os-

+ # fping/{instance_id}

+ "os_compute_api:os-fping": "rule:admin_or_owner"

+ #

+ "os_compute_api:os-hide-server-addresses": "is_admin:False"

+ #

+ "os_compute_api:os-hosts": "rule:admin_api"

+ # Policy rule for hypervisor related APIs.

+ #

+ #This rule will be checked

+ # for the following APIs:

+ #

+ #List all hypervisors, list all hypervisors

+ # with details, show

+ #summary statistics for all hypervisors over all

+ # compute nodes,

+ #show details for a hypervisor, show the uptime of a

+ # hypervisor,

+ #search hypervisor by hypervisor_hostname pattern and

+ # list all

+ #servers on hypervisors that can match the provided

+ # hypervisor_hostname

+ #pattern.

+ #GET /os-hypervisors

+ #GET /os-

+ # hypervisors/details

+ #GET /os-hypervisors/statistics

+ #GET /os-

+ # hypervisors/{hypervisor_id}

+ #GET /os-

+ # hypervisors/{hypervisor_id}/uptime

+ #GET /os-

+ # hypervisors/{hypervisor_hostname_pattern}/search

+ #GET /os-

+ # hypervisors/{hypervisor_hostname_pattern}/servers

+ "os_compute_api:os-hypervisors": "rule:admin_api"

+ # Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.

+ #GET

+ # /images/{id}

+ #GET /images/detail

+ "os_compute_api:image-size": "rule:admin_or_owner"

+ # Add events details in action details for a server.

+ #

+ #This check is

+ # performed only after the check

+ #os_compute_api:os-instance-actions

+ # passes

+ #GET /servers/{server_id}/os-instance-actions/{request_id}

+ "os_compute_api:os-instance-actions:events": "rule:admin_api"

+ # List actions and show action details for a server.

+ #GET

+ # /servers/{server_id}/os-instance-actions

+ #GET

+ # /servers/{server_id}/os-instance-actions/{request_id}

+ "os_compute_api:os-instance-actions": "rule:admin_or_owner"

+ # Lists all usage audits and that occurred before a specified time

+ #for

+ # all servers on all compute hosts where usage auditing is configured.

+ # GET /os-instance_usage_audit_log

+ #GET /os-

+ # instance_usage_audit_log/{before_timestamp}

+ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api"

+ # Shows IP addresses details for a network label of a server.

+ #GET

+ # /servers/{server_id}/ips/{network_label}

+ "os_compute_api:ips:show": "rule:admin_or_owner"

+ # Lists IP addresses that are assigned to a server.

+ #GET

+ # /servers/{server_id}/ips

+ "os_compute_api:ips:index": "rule:admin_or_owner"

+ # List all keypairs

+ #GET /os-keypairs

+ "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"

+ # Create a keypair

+ #POST /os-keypairs

+ "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"

+ # Delete a keypair

+ #DELETE /os-keypairs/{keypair_name}

+ "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"

+ # Show details of a keypair

+ #GET /os-keypairs/{keypair_name}

+ "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"

+ # Return 'key_name' in the response of server.

+ #GET /servers/{id}

+ #GET

+ # /servers/detail

+ "os_compute_api:os-keypairs": "rule:admin_or_owner"

+ #

+ "os_compute_api:limits": "rule:admin_or_owner"

+ # Lock a server

+ #POST /servers/{server_id}/action (lock)

+ "os_compute_api:os-lock-server:lock": "rule:admin_or_owner"

+ # Unlock a server

+ #POST /servers/{server_id}/action (unlock)

+ "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"

+ # Unlock a server, regardless who locked the server.

+ #

+ #        This

+ # check is performed only after the check

+ #        os_compute_api:os-

+ # lock-server:unlock passes

+ #POST /servers/{server_id}/action (unlock)

+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"

+ # Cold migrate a server to a host

+ #POST /servers/{server_id}/action

+ # (migrate)

+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api"

+ # Live migrate a server to a new host without a reboot

+ #POST

+ # /servers/{server_id}/action (os-migrateLive)

+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"

+ # List migrations

+ #GET /os-migrations

+ "os_compute_api:os-migrations:index": "rule:admin_api"

+ #

+ "os_compute_api:os-multinic": "rule:admin_or_owner"

+ #

+ "os_compute_api:os-networks": "rule:admin_api"

+ #

+ "os_compute_api:os-networks:view": "rule:admin_or_owner"

+ #

+ "os_compute_api:os-networks-associate": "rule:admin_api"

+ # Pause a server.

+ #POST /servers/{server_id}/action (pause)

+ "os_compute_api:os-pause-server:pause": "rule:admin_or_owner"

+ # Unpause a paused server.

+ #POST /servers/{server_id}/action (unpause)

+ "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"

+ # List quotas for specific quota classs

+ #GET /os-quota-class-

+ # sets/{quota_class}

+ "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"

+ # Update quotas for specific quota class

+ #PUT /os-quota-class-

+ # sets/{quota_class}

+ "os_compute_api:os-quota-class-sets:update": "rule:admin_api"

+ # Update the quotas

+ #PUT /os-quota-sets/{tenant_id}

+ "os_compute_api:os-quota-sets:update": "rule:admin_api"

+ # List default quotas

+ #GET /os-quota-sets/{tenant_id}/defaults

+ "os_compute_api:os-quota-sets:defaults": "@"

+ # Show a quota

+ #GET /os-quota-sets/{tenant_id}

+ "os_compute_api:os-quota-sets:show": "rule:admin_or_owner"

+ # Revert quotas to defaults

+ #DELETE /os-quota-sets/{tenant_id}

+ "os_compute_api:os-quota-sets:delete": "rule:admin_api"

+ # Show the detail of quota

+ #GET /os-quota-sets/{tenant_id}/detail

+ "os_compute_api:os-quota-sets:detail": "rule:admin_api"

+ # Generates a URL to access remove server console

+ #POST

+ # /servers/{server_id}/action (os-getRDPConsole)

+ #POST

+ # /servers/{server_id}/action (os-getSerialConsole)

+ #POST

+ # /servers/{server_id}/action (os-getSPICEConsole)

+ #POST

+ # /servers/{server_id}/action (os-getVNCConsole)

+ #POST

+ # /servers/{server_id}/remote-consoles

+ "os_compute_api:os-remote-consoles": "rule:admin_or_owner"

+ # Rescue/unrescue a server

+ #POST /servers/{server_id}/action (rescue)

+ # POST /servers/{server_id}/action (unrescue)

+ "os_compute_api:os-rescue": "rule:admin_or_owner"

+ # Lists, shows information for, creates and deletes default security

+ # group rules.

+ #

+ #These API's are only available with nova-network which

+ # is now deprecated.

+ #GET /os-security-group-default-rules

+ #GET /os-

+ # security-group-default-rules/{security_group_default_rule_id}

+ #POST

+ # /os-security-group-default-rules

+ #DELETE /os-security-group-default-

+ # rules/{security_group_default_rule_id}

+ "os_compute_api:os-security-group-default-rules": "rule:admin_api"

+ # This policy checks permission on security groups related APIs.

+ #

+ #APIs

+ # which are directly related to security groups resource are

+ # deprecated:

+ #Lists, shows information for, creates, updates and

+ # deletes

+ #security groups. Creates and deletes security group rules.

+ # All these

+ #API's are deprecated.

+ #

+ #APIs which are related to server

+ # resource are not deprecated:

+ #Lists Security Groups for a server. Add

+ # Security Group to a server

+ #and remove security group from a server.

+ # Expand security_groups in

+ #server representation

+ #GET /os-security-

+ # groups

+ #GET /os-security-groups/{security_group_id}

+ #POST /os-

+ # security-groups

+ #PUT /os-security-groups/{security_group_id}

+ #DELETE

+ # /os-security-groups/{security_group_id}

+ #GET /servers/{server_id}/os-

+ # security-groups

+ #POST /servers/{server_id}/action (addSecurityGroup)

+ # POST /servers/{server_id}/action (removeSecurityGroup)

+ #POST /servers

+ # GET /servers/{server_id}

+ #GET /servers/detail

+ "os_compute_api:os-security-groups": "rule:admin_or_owner"

+ # Shows the usage data for a server

+ #GET

+ # /servers/{server_id}/diagnostics

+ "os_compute_api:os-server-diagnostics": "rule:admin_api"

+ # Creates one or more external events

+ #POST /os-server-external-events

+ "os_compute_api:os-server-external-events:create": "rule:admin_api"

+ #

+ "os_compute_api:os-server-groups": "rule:admin_or_owner"

+ # Create a new server group

+ #POST /os-server-groups

+ "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"

+ # Delete a server group

+ #DELETE /os-server-groups/{server_group_id}

+ "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"

+ # List all server groups

+ #GET /os-server-groups

+ "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"

+ # Show details of a server group

+ #GET /os-server-

+ # groups/{server_group_id}

+ "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

+ # List all metadata of a server

+ #GET /servers/server_id/metadata

+ "os_compute_api:server-metadata:index": "rule:admin_or_owner"

+ # Show metadata for a server

+ #GET /servers/server_id/metadata/{key}

+ "os_compute_api:server-metadata:show": "rule:admin_or_owner"

+ # Create metadata for a server

+ #POST /servers/server_id/metadata

+ "os_compute_api:server-metadata:create": "rule:admin_or_owner"

+ # Replace metadata for a server

+ #PUT /servers/server_id/metadata

+ "os_compute_api:server-metadata:update_all": "rule:admin_or_owner"

+ # Update metadata from a server

+ #PUT /servers/server_id/metadata/{key}

+ "os_compute_api:server-metadata:update": "rule:admin_or_owner"

+ # Delete metadata from a server

+ #DELETE

+ # /servers/server_id/metadata/{key}

+ "os_compute_api:server-metadata:delete": "rule:admin_or_owner"

+ # Show and clear the encrypted administrative password of a server

+ #GET

+ # /servers/{server_id}/os-server-password

+ #DELETE

+ # /servers/{server_id}/os-server-password

+ "os_compute_api:os-server-password": "rule:admin_or_owner"

+ # Delete all the server tags

+ #DELETE /servers/{server_id}/tags

+ "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"

+ # List all tags for given server

+ #GET /servers/{server_id}/tags

+ "os_compute_api:os-server-tags:index": "rule:admin_or_owner"

+ # Replace all tags on specified server with the new set of tags.

+ #PUT

+ # /servers/{server_id}/tags

+ "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"

+ # Delete a single tag from the specified server

+ #DELETE

+ # /servers/{server_id}/tags/{tag}

+ "os_compute_api:os-server-tags:delete": "rule:admin_or_owner"

+ # Add a single tag to the server if server has no specified tag

+ #PUT

+ # /servers/{server_id}/tags/{tag}

+ "os_compute_api:os-server-tags:update": "rule:admin_or_owner"

+ # Check tag existence on the server.

+ #GET

+ # /servers/{server_id}/tags/{tag}

+ "os_compute_api:os-server-tags:show": "rule:admin_or_owner"

+ #

+ "os_compute_api:os-server-usage": "rule:admin_or_owner"

+ # List all servers

+ #GET /servers

+ "os_compute_api:servers:index": "rule:admin_or_owner"

+ # List all servers with detailed information

+ #GET /servers/detail

+ "os_compute_api:servers:detail": "rule:admin_or_owner"

+ # List all servers for all projects

+ #GET /servers

+ "os_compute_api:servers:index:get_all_tenants": "rule:admin_api"

+ # List all servers with detailed information for all projects

+ #GET

+ # /servers/detail

+ "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"

+ # Show a server

+ #GET /servers/{server_id}

+ "os_compute_api:servers:show": "rule:admin_or_owner"

+ # Show a server with additional host status information

+ #GET

+ # /servers/{server_id}

+ #GET /servers/detail

+ "os_compute_api:servers:show:host_status": "rule:admin_api"

+ # Create a server

+ #POST /servers

+ "os_compute_api:servers:create": "rule:admin_or_owner"

+ # Create a server on the specified host

+ #POST /servers

+ "os_compute_api:servers:create:forced_host": "rule:admin_api"

+ # Create a server with the requested volume attached to it

+ #POST

+ # /servers

+ "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"

+ # Create a server with the requested network attached to it

+ #POST

+ # /servers

+ "os_compute_api:servers:create:attach_network": "rule:admin_or_owner"

+ # Delete a server

+ #DELETE /servers/{server_id}

+ "os_compute_api:servers:delete": "rule:admin_or_owner"

+ # Update a server

+ #PUT /servers/{server_id}

+ "os_compute_api:servers:update": "rule:admin_or_owner"

+ # Confirm a server resize

+ #POST /servers/{server_id}/action

+ # (confirmResize)

+ "os_compute_api:servers:confirm_resize": "rule:admin_or_owner"

+ # Revert a server resize

+ #POST /servers/{server_id}/action

+ # (revertResize)

+ "os_compute_api:servers:revert_resize": "rule:admin_or_owner"

+ # Reboot a server

+ #POST /servers/{server_id}/action (reboot)

+ "os_compute_api:servers:reboot": "rule:admin_or_owner"

+ # Resize a server

+ #POST /servers/{server_id}/action (resize)

+ "os_compute_api:servers:resize": "rule:admin_or_owner"

+ # Rebuild a server

+ #POST /servers/{server_id}/action (rebuild)

+ "os_compute_api:servers:rebuild": "rule:admin_or_owner"

+ # Create an image from a server

+ #POST /servers/{server_id}/action

+ # (createImage)

+ "os_compute_api:servers:create_image": "rule:admin_or_owner"

+ # Create an image from a volume backed server

+ #POST

+ # /servers/{server_id}/action (createImage)

+ "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"

+ # Start a server

+ #POST /servers/{server_id}/action (os-start)

+ "os_compute_api:servers:start": "rule:admin_or_owner"

+ # Stop a server

+ #POST /servers/{server_id}/action (os-stop)

+ "os_compute_api:servers:stop": "rule:admin_or_owner"

+ # Trigger crash dump in a server

+ #POST /servers/{server_id}/action

+ # (trigger_crash_dump)

+ "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"

+ # Show details for an in-progress live migration for a given server

+ # GET /servers/{server_id}/migrations/{migration_id}

+ "os_compute_api:servers:migrations:show": "rule:admin_api"

+ # Force an in-progress live migration for a given server to complete

+ # POST /servers/{server_id}/migrations/{migration_id}/action

+ # (force_complete)

+ "os_compute_api:servers:migrations:force_complete": "rule:admin_api"

+ # Delete(Abort) an in-progress live migration

+ #DELETE

+ # /servers/{server_id}/migrations/{migration_id}

+ "os_compute_api:servers:migrations:delete": "rule:admin_api"

+ # Lists in-progress live migrations for a given server

+ #GET

+ # /servers/{server_id}/migrations

+ "os_compute_api:servers:migrations:index": "rule:admin_api"

+ # Lists all running Compute services in a region, enables or disables

+ # scheduling for a Compute service, logs disabled Compute service

+ # information, set or unset forced_down flag for the compute service

+ # and deletes a Compute service.

+ #GET /os-services

+ #PUT /os-

+ # services/enable

+ #PUT /os-services/disable

+ #PUT /os-services/disable-

+ # log-reason

+ #PUT /os-services/force-down

+ #DELETE /os-

+ # services/{service_id}

+ "os_compute_api:os-services": "rule:admin_api"

+ # Shelve Server

+ #POST /servers/{server_id}/action (shelve)

+ "os_compute_api:os-shelve:shelve": "rule:admin_or_owner"

+ # Unshelve (Restore) Shelved Server

+ #POST /servers/{server_id}/action

+ # (unshelve)

+ "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"

+ # Shelf-Offload (Remove) Server

+ #POST /servers/{server_id}/action

+ # (shelveOffload)

+ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api"

+ # Show usage statistics for a specific tenant.

+ #GET /os-simple-tenant-

+ # usage/{tenant_id}

+ "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"

+ # List per tenant usage statistics for all tenants.

+ #GET /os-simple-

+ # tenant-usage

+ "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"

+ # Resume suspended server

+ #POST /servers/{server_id}/action (resume)

+ "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"

+ # Suspend server

+ #POST /servers/{server_id}/action (suspend)

+ "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"

+ # Creates, lists, shows information for, and deletes

+ #project networks.

+ # These APIs are proxy calls to the Network service. These are all

+ # deprecated.

+ #GET /os-tenant-networks

+ #POST /os-tenant-networks

+ #GET

+ # /os-tenant-networks/{network_id}

+ #DELETE /os-tenant-

+ # networks/{network_id}

+ "os_compute_api:os-tenant-networks": "rule:admin_or_owner"

+ # Shows rate and absolute limits for the project.

+ #

+ #This policy only

+ # checks if the user has access to the requested

+ #project limits. And

+ # this check is performed only after the check

+ #os_compute_api:limits

+ # passes

+ #GET /limits

+ "os_compute_api:os-used-limits": "rule:admin_api"

+ # List Virtual Interfaces.

+ #

+ #This works only with the nova-network

+ # service, which is now deprecated

+ #GET /servers/{server_id}/os-

+ # virtual-interfaces

+ "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"

+ # Manages volumes for use with the Compute API.

+ #

+ #Lists, shows details,

+ # creates, and deletes volumes. These APIs are proxy calls

+ #to the

+ # Volume service. These are all deprecated.

+ #GET /os-volumes

+ #POST /os-

+ # volumes

+ #GET /os-volumes/detail

+ #GET /os-volumes/{volume_id}

+ #DELETE

+ # /os-volumes/{volume_id}

+ "os_compute_api:os-volumes": "rule:admin_or_owner"

+ # List volume attachments for an instance

+ #GET /servers/{server_id}/os-

+ # volume_attachments

+ "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"

+ # Attach a volume to an instance

+ #POST /servers/{server_id}/os-

+ # volume_attachments

+ "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"

+ # Show details of a volume attachment

+ #GET /servers/{server_id}/os-

+ # volume_attachments/{attachment_id}

+ "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"

+ # Update a volume attachment

+ #PUT /servers/{server_id}/os-

+ # volume_attachments/{attachment_id}

+ "os_compute_api:os-volumes-attachments:update": "rule:admin_api"

+ # Detach a volume from an instance

+ #DELETE /servers/{server_id}/os-

+ # volume_attachments/{attachment_id}

+ "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"

@@ -0,0 +1,1 @@ 

+ ---

file modified
+29
@@ -22,6 +22,22 @@ 

      done

  }

  

+ 

+ update_policy_stock(){

+     REPO_DIR=/opt/stack/openstack-access-policy

+     for ACCESS in $( list_tokens )

+     do

+ 	for SERVICE in $( ls $REPO_DIR/services)

+ 	do oslopolicy-checker \

+ 	    --policy $REPO_DIR/services/$SERVICE/stock-policy.yaml \

+ 	    --access $REPO_DIR/tests/$ACCESS/access.json | sort -k 2 \

+ 	    > $REPO_DIR/tests/$ACCESS/$SERVICE.stock ;

+ 	done

+     done

+ }

+ 

+ 

+ 

  run_policy_current(){

      REPO_DIR="$(dirname $(readlink -f $0))"

  
@@ -56,6 +72,19 @@ 

      done

  }

  

+ show_diff_from_stock(){

+     REPO_DIR=/opt/stack/openstack-access-policy

+ 

+     for ACCESS in $( list_tokens )

+     do

+ 	for SERVICE in $( ls $REPO_DIR/build/etc/ )

+ 	do

+ 	    diff -ud  \

+ 	      $REPO_DIR/tests/$ACCESS/$SERVICE.stock \

+ 	      $REPO_DIR/tests/$ACCESS/$SERVICE.current;

+ 	done

+     done

+ }

  list_tokens(){

     echo auth_token_admin auth_token_member auth_token_auditor

  }

Add stock policy from the services and show the difference in applying the policy whatn used with the different access data tokens

You can use this to extract some policies as well

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/usr/bin/env python
import argparse
import importlib
import pkgutil

# Create an argparser for the service name.
parser = argparse.ArgumentParser(
    description="Generate a commented yaml file from the policy in code rules"
    " extracted from a given OpenStack Service")

# Create argument for the service name, this should be the name of the
# python module to import. It will import <service_name>.policies to get
# the python files where the policies are defined
parser.add_argument("service", type=str,
                    help="The name of the openstack services's python module"
                    " to import for policy extraction")

# Parse user supplied arguments
args = parser.parse_args()

# Import the <service_name>.policies module, which should contain
# submodules that contain the actual policy logic
try:
    policies = importlib.import_module(args.service + ".policies")
except Exception as e:
    policies = importlib.import_module(args.service + ".policy")

# Policy_files should be the list of all the python submodules defined
# inside the policy module. These contain the rule logic that is enforced
# by the service
policy_files = [submod.name for submod in pkgutil.walk_packages(
    path=policies.__path__)]

# "Base", if it's defined, will contain the base rule logic that other policy
# rules use for enforcement, for easy of use, move this to the front
if any("base" in value for value in policy_files):
    policy_files.insert(0, policy_files.pop(policy_files.index("base")))

# Iterate through the list of policy files, extract and print the actual rules
for f in policy_files:
    # Get the actual policy file from the policies module with getattr
    policy_file = getattr(policies, f)
    # Print the name of the module this was defined in
    print("### Policy Rules defined in {}".format(policy_file.__name__))
    # Newline for formatting
    print("")

    # The list containing the policy objects should be either
    # "<name>_policies" or "rules", try both, if neither exist, this is
    # probably not what we want, so continue on to next file
    try:
        # Attempt to get <policy_file_name>_policies via getattr
        policy_objects = getattr(policy_file, "{}_policies".format(f))
    except Exception as e:
        try:
            # Failing that, as it will in "Base" files, get the field "rules",
            # which should contain the role:rule mappings
            policy_objects = getattr(policy_file, "rules")
        except Exception as e2:
            continue

    # Now that we have our policy objects, iterate through them and print the
    # useful fields
    for policy in policy_objects:
        # Description is one of the most important, if it exists, print it,
        # commented
        if policy.description is not None:
            # Since the description can be a multi-line string, split it into
            # several commented lines
            desc = policy.description.splitlines()
            for line in desc:
                # Print commented either way
                print("# {}".format(line))
        # Get the operations this policy may have associated with it, this will
        # be in the form of stuff like GET and a url like /servers/{id}
        try:
            # If there's an operations field in the policy, it'll be a list,
            # for each element, print the URLs and verbs it is associated with
            for operation in policy.operations:
                # Print in the format VERB /url/path/
                print("# {} {}".format(operation["method"], operation["path"]))
        except Exception as e:
            # If we don't have anything here, just print a blank line
            print("#")
        # Finally print the policy rule and its default check_str, this will
        # turn into something of the form:
        # "rule_name": "rule:context_is_admin"
        # or something similar
        print('# "{}": "{}"'.format(policy.name, policy.check_str))
        # Finally print a newline to separate the block
        print("")

Worked for some like aodh

1 new commit added

  • Update path to use centos for Denver lab
4 years ago

rebased onto cbc3364

4 years ago

Pull-Request has been merged by nkinder

4 years ago