From cbc3364ba839f19f9e3cbea1987f5ca02c648534 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Apr 29 2019 17:25:11 +0000
Subject: [PATCH 1/5] Record Values for Stock policy files

Contains stock policies for nova and keystone

---
diff --git a/.gitignore b/.gitignore
index 10cc2d0..a763550 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 build/*
 *~
 *current
+tests/*/*stock
diff --git a/services/keystone/policy.yaml b/services/keystone/policy.yaml
index 14708c5..ea77039 100644
--- a/services/keystone/policy.yaml
+++ b/services/keystone/policy.yaml
@@ -22,7 +22,7 @@
 # Authorize OAUTH1 request token.
 # PUT /v3/OS-OAUTH1/authorize/{request_token_id}
 # Intended scope(s): project
-"identity:authorize_request_token": "rule:admin"
+"identity:authorize_request_token": "rule:admin or rule:owner"
 
 # Get OAUTH1 access token for user by access token ID.
 # GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
diff --git a/services/keystone/stock-policy.yaml b/services/keystone/stock-policy.yaml
new file mode 100644
index 0000000..6605a80
--- /dev/null
+++ b/services/keystone/stock-policy.yaml
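Review bot: The `rule:owner` branch added to `identity:authorize_request_token` in the policy.yaml hunk is not clearly an ownership check for this endpoint: the stock defaults recorded in this same patch define `owner` as `user_id:%(user_id)s`, which matches the caller's user id against a `user_id` key in the enforcement target, while `PUT /v3/OS-OAUTH1/authorize/{request_token_id}` carries a request token id, not a user id. If keystone does not populate `user_id` in the target for this call the branch never matches (oslo.policy treats a missing target key as a non-match, so the rule silently collapses to `rule:admin`); if it populates it with the caller's own id the branch matches every authenticated user — which of the two applies should be confirmed against keystone's enforcement for this API and recorded above the rule, e.g. `# owner branch relies on target.user_id being set by the API — verify`. Separately, the stock file names its admin rule `admin_required` while this file references `rule:admin`; its definition is outside the hunk, so confirm policy.yaml defines `admin` (an unresolved rule reference in oslo.policy evaluates to false, which would make the admin branch a no-op as well).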
@@ -0,0 +1,1173 @@ +# +"admin_required": "role:admin or is_admin:1" + +# +"service_role": "role:service" + +# +"service_or_admin": "rule:admin_required or rule:service_role" + +# +"owner": "user_id:%(user_id)s" + +# +"admin_or_owner": "rule:admin_required or rule:owner" + +# +"token_subject": "user_id:%(target.token.user_id)s" + +# +"admin_or_token_subject": "rule:admin_required or rule:token_subject" + +# +"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" + +# Show application credential details. +# GET /v3/users/{user_id}/application_credentials/{application_credential_id} +# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} +"identity:get_application_credential": "rule:admin_or_owner" + +# List application credentials for a user. +# GET /v3/users/{user_id}/application_credentials +# HEAD /v3/users/{user_id}/application_credentials +"identity:list_application_credentials": "rule:admin_or_owner" + +# Create an application credential. +# POST /v3/users/{user_id}/application_credentials +"identity:create_application_credential": "rule:admin_or_owner" + +# Delete an application credential. +# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} +"identity:delete_application_credential": "rule:admin_or_owner" + +# Authorize OAUTH1 request token. +# PUT /v3/OS-OAUTH1/authorize/{request_token_id} +# Intended scope(s): project +"identity:authorize_request_token": "rule:admin_required" + +# Get OAUTH1 access token for user by access token ID. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +"identity:get_access_token": "rule:admin_required" + +# Get role for user OAUTH1 access token. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} +# Intended scope(s): project +"identity:get_access_token_role": "rule:admin_required" + +# List OAUTH1 access tokens for user. 
+# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens +# Intended scope(s): project +"identity:list_access_tokens": "rule:admin_required" + +# List OAUTH1 access token roles. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles +# Intended scope(s): project +"identity:list_access_token_roles": "rule:admin_required" + +# Delete OAUTH1 access token. +# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +"identity:delete_access_token": "rule:admin_required" + +# Get service catalog. +# GET /v3/auth/catalog +# HEAD /v3/auth/catalog +"identity:get_auth_catalog": "" + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +# HEAD /v3/auth/projects +"identity:get_auth_projects": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +# HEAD /v3/auth/domains +"identity:get_auth_domains": "" + +# List systems a user has access to via role assignments. +# GET /v3/auth/system +# HEAD /v3/auth/system +"identity:get_auth_system": "" + +# Show OAUTH1 consumer details. +# GET /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +"identity:get_consumer": "rule:admin_required" + +# List OAUTH1 consumers. +# GET /v3/OS-OAUTH1/consumers +# Intended scope(s): system +"identity:list_consumers": "rule:admin_required" + +# Create OAUTH1 consumer. +# POST /v3/OS-OAUTH1/consumers +# Intended scope(s): system +"identity:create_consumer": "rule:admin_required" + +# Update OAUTH1 consumer. +# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +"identity:update_consumer": "rule:admin_required" + +# Delete OAUTH1 consumer. +# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +"identity:delete_consumer": "rule:admin_required" + +# Show credentials details. 
+# GET /v3/credentials/{credential_id} +# Intended scope(s): system, project +"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:get_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_credential":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". As of the Stein release, the +# credential API now understands how to handle system-scoped tokens in +# addition to project-scoped tokens, making the API more accessible to +# users without compromising security or manageability for +# administrators. The new default policies for this API account for +# these changes automatically. +#"identity:get_credential": "rule:identity:get_credential" +# List credentials. +# GET /v3/credentials +# Intended scope(s): system, project +"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:list_credentials":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_credentials":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". As of the Stein release, the +# credential API now understands how to handle system-scoped tokens in +# addition to project-scoped tokens, making the API more accessible to +# users without compromising security or manageability for +# administrators. The new default policies for this API account for +# these changes automatically. +#"identity:list_credentials": "rule:identity:list_credentials" +# Create credential. 
+# POST /v3/credentials +# Intended scope(s): system, project +"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:create_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". As of the Stein release, the +# credential API now understands how to handle system-scoped tokens in +# addition to project-scoped tokens, making the API more accessible to +# users without compromising security or manageability for +# administrators. The new default policies for this API account for +# these changes automatically. +#"identity:create_credential": "rule:identity:create_credential" +# Update credential. +# PATCH /v3/credentials/{credential_id} +# Intended scope(s): system, project +"identity:update_credential": "(role:member and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:update_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:update_credential":"(role:member and system_scope:all) or +# user_id:%(target.credential.user_id)s". As of the Stein release, the +# credential API now understands how to handle system-scoped tokens in +# addition to project-scoped tokens, making the API more accessible to +# users without compromising security or manageability for +# administrators. The new default policies for this API account for +# these changes automatically. +#"identity:update_credential": "rule:identity:update_credential" +# Delete credential. 
+# DELETE /v3/credentials/{credential_id} +# Intended scope(s): system, project +"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:delete_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:delete_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". As of the Stein release, the +# credential API now understands how to handle system-scoped tokens in +# addition to project-scoped tokens, making the API more accessible to +# users without compromising security or manageability for +# administrators. The new default policies for this API account for +# these changes automatically. +#"identity:delete_credential": "rule:identity:delete_credential" +# Show domain details. +# GET /v3/domains/{domain_id} +# Intended scope(s): system, project +"identity:get_domain": "(role:reader and system_scope:all) or token.project.domain.id:%(target.domain.id)s" + +# DEPRECATED "identity:get_domain":"rule:admin_required or +# token.project.domain.id:%(target.domain.id)s" has been deprecated +# since S in favor of "identity:get_domain":"(role:reader and +# system_scope:all) or token.project.domain.id:%(target.domain.id)s". +# +# As of the Stein release, the domain API now understands how to +# handle system-scoped tokens in addition to project-scoped tokens, +# making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically +#"identity:get_domain": "rule:identity:get_domain" +# List domains. +# GET /v3/domains +# Intended scope(s): system +"identity:list_domains": "role:reader" + +# DEPRECATED "identity:list_domains":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_domains":"role:reader". 
+# +# As of the Stein release, the domain API now understands how to +# handle system-scoped tokens in addition to project-scoped tokens, +# making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically +#"identity:list_domains": "rule:identity:list_domains" +# Create domain. +# POST /v3/domains +# Intended scope(s): system +"identity:create_domain": "rule:admin_required" + +# Update domain. +# PATCH /v3/domains/{domain_id} +# Intended scope(s): system +"identity:update_domain": "rule:admin_required" + +# Delete domain. +# DELETE /v3/domains/{domain_id} +# Intended scope(s): system +"identity:delete_domain": "rule:admin_required" + +# Create domain configuration. +# PUT /v3/domains/{domain_id}/config +# Intended scope(s): system +"identity:create_domain_config": "rule:admin_required" + +# Get the entire domain configuration for a domain, an option group +# within a domain, or a specific configuration option within a group +# for a domain. +# GET /v3/domains/{domain_id}/config +# HEAD /v3/domains/{domain_id}/config +# GET /v3/domains/{domain_id}/config/{group} +# HEAD /v3/domains/{domain_id}/config/{group} +# GET /v3/domains/{domain_id}/config/{group}/{option} +# HEAD /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +"identity:get_domain_config": "rule:admin_required" + +# Get security compliance domain configuration for either a domain or +# a specific option in a domain. +# GET /v3/domains/{domain_id}/config/security_compliance +# HEAD /v3/domains/{domain_id}/config/security_compliance +# GET v3/domains/{domain_id}/config/security_compliance/{option} +# HEAD v3/domains/{domain_id}/config/security_compliance/{option} +# Intended scope(s): system, project +"identity:get_security_compliance_domain_config": "" + +# Update domain configuration for either a domain, specific group or a +# specific option in a group. 
+# PATCH /v3/domains/{domain_id}/config +# PATCH /v3/domains/{domain_id}/config/{group} +# PATCH /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +"identity:update_domain_config": "rule:admin_required" + +# Delete domain configuration for either a domain, specific group or a +# specific option in a group. +# DELETE /v3/domains/{domain_id}/config +# DELETE /v3/domains/{domain_id}/config/{group} +# DELETE /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +"identity:delete_domain_config": "rule:admin_required" + +# Get domain configuration default for either a domain, specific group +# or a specific option in a group. +# GET /v3/domains/config/default +# HEAD /v3/domains/config/default +# GET /v3/domains/config/{group}/default +# HEAD /v3/domains/config/{group}/default +# GET /v3/domains/config/{group}/{option}/default +# HEAD /v3/domains/config/{group}/{option}/default +# Intended scope(s): system +"identity:get_domain_config_default": "rule:admin_required" + +# Show ec2 credential details. +# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)" + +# List ec2 credentials. +# GET /v3/users/{user_id}/credentials/OS-EC2 +"identity:ec2_list_credentials": "rule:admin_or_owner" + +# Create ec2 credential. +# POST /v3/users/{user_id}/credentials/OS-EC2 +"identity:ec2_create_credential": "rule:admin_or_owner" + +# Delete ec2 credential. +# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)" + +# Show endpoint details. +# GET /v3/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:get_endpoint": "rule:admin_required" + +# List endpoints. +# GET /v3/endpoints +# Intended scope(s): system +"identity:list_endpoints": "rule:admin_required" + +# Create endpoint. 
+# POST /v3/endpoints +# Intended scope(s): system +"identity:create_endpoint": "rule:admin_required" + +# Update endpoint. +# PATCH /v3/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:update_endpoint": "rule:admin_required" + +# Delete endpoint. +# DELETE /v3/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:delete_endpoint": "rule:admin_required" + +# Create endpoint group. +# POST /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +"identity:create_endpoint_group": "rule:admin_required" + +# List endpoint groups. +# GET /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +"identity:list_endpoint_groups": "rule:admin_required" + +# Get endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +"identity:get_endpoint_group": "rule:admin_required" + +# Update endpoint group. +# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +"identity:update_endpoint_group": "rule:admin_required" + +# Delete endpoint group. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +"identity:delete_endpoint_group": "rule:admin_required" + +# List all projects associated with a specific endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects +# Intended scope(s): system +"identity:list_projects_associated_with_endpoint_group": "rule:admin_required" + +# List all endpoints associated with an endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints +# Intended scope(s): system +"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required" + +# Check if an endpoint group is associated with a project. 
+# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +"identity:get_endpoint_group_in_project": "rule:admin_required" + +# List endpoint groups associated with a specific project. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups +# Intended scope(s): system +"identity:list_endpoint_groups_for_project": "rule:admin_required" + +# Allow a project to access an endpoint group. +# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +"identity:add_endpoint_group_to_project": "rule:admin_required" + +# Remove endpoint group from project. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +"identity:remove_endpoint_group_from_project": "rule:admin_required" + +# Check a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system +"identity:check_grant": "rule:admin_required" + +# List roles granted to an actor on a target. A target can be either a +# domain or a project. An actor can be either a user or a group. For +# the OS-INHERIT APIs, it is possible to list inherited role grants +# for actors on domains, where grants are inherited to all projects in +# the specified domain. 
+# GET /v3/projects/{project_id}/users/{user_id}/roles +# HEAD /v3/projects/{project_id}/users/{user_id}/roles +# GET /v3/projects/{project_id}/groups/{group_id}/roles +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles +# GET /v3/domains/{domain_id}/users/{user_id}/roles +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles +# GET /v3/domains/{domain_id}/groups/{group_id}/roles +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects +# Intended scope(s): system +"identity:list_grants": "rule:admin_required" + +# Create a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. +# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system +"identity:create_grant": "rule:admin_required" + +# Revoke a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. 
These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. In that case, revoking the role grant in the target +# would remove the logical effect of inheriting it to the target's +# projects subtree. +# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system +"identity:revoke_grant": "rule:admin_required" + +# List all grants a specific user has on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles +# Intended scope(s): system +"identity:list_system_grants_for_user": "rule:admin_required" + +# Check if a user has a role on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +"identity:check_system_grant_for_user": "rule:admin_required" + +# Grant a user a role on the system. +# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +"identity:create_system_grant_for_user": "rule:admin_required" + +# Remove a role from a user on the system. +# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +"identity:revoke_system_grant_for_user": "rule:admin_required" + +# List all grants a specific group has on the system. 
+# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles +# Intended scope(s): system +"identity:list_system_grants_for_group": "rule:admin_required" + +# Check if a group has a role on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +"identity:check_system_grant_for_group": "rule:admin_required" + +# Grant a group a role on the system. +# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +"identity:create_system_grant_for_group": "rule:admin_required" + +# Remove a role from a group on the system. +# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +"identity:revoke_system_grant_for_group": "rule:admin_required" + +# Show group details. +# GET /v3/groups/{group_id} +# HEAD /v3/groups/{group_id} +# Intended scope(s): system +"identity:get_group": "rule:admin_required" + +# List groups. +# GET /v3/groups +# HEAD /v3/groups +# Intended scope(s): system +"identity:list_groups": "rule:admin_required" + +# List groups to which a user belongs. +# GET /v3/users/{user_id}/groups +# HEAD /v3/users/{user_id}/groups +# Intended scope(s): system +"identity:list_groups_for_user": "rule:admin_or_owner" + +# Create group. +# POST /v3/groups +# Intended scope(s): system +"identity:create_group": "rule:admin_required" + +# Update group. +# PATCH /v3/groups/{group_id} +# Intended scope(s): system +"identity:update_group": "rule:admin_required" + +# Delete group. +# DELETE /v3/groups/{group_id} +# Intended scope(s): system +"identity:delete_group": "rule:admin_required" + +# List members of a specific group. +# GET /v3/groups/{group_id}/users +# HEAD /v3/groups/{group_id}/users +# Intended scope(s): system +"identity:list_users_in_group": "rule:admin_required" + +# Remove user from group. 
+# DELETE /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system +"identity:remove_user_from_group": "rule:admin_required" + +# Check whether a user is a member of a group. +# HEAD /v3/groups/{group_id}/users/{user_id} +# GET /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system +"identity:check_user_in_group": "rule:admin_required" + +# Add user to group. +# PUT /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system +"identity:add_user_to_group": "rule:admin_required" + +# Create identity provider. +# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +"identity:create_identity_provider": "rule:admin_required" + +# List identity providers. +# GET /v3/OS-FEDERATION/identity_providers +# HEAD /v3/OS-FEDERATION/identity_providers +# Intended scope(s): system +"identity:list_identity_providers": "rule:admin_required" + +# Get identity provider. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id} +# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +"identity:get_identity_provider": "rule:admin_required" + +# Update identity provider. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +"identity:update_identity_provider": "rule:admin_required" + +# Delete identity provider. +# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +"identity:delete_identity_provider": "rule:admin_required" + +# Get information about an association between two roles. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +"identity:get_implied_role": "rule:admin_required" + +# List associations between two roles. 
When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. This +# will return all the implied roles that would be assumed by the user +# who gets the specified prior role. +# GET /v3/roles/{prior_role_id}/implies +# HEAD /v3/roles/{prior_role_id}/implies +# Intended scope(s): system +"identity:list_implied_roles": "rule:admin_required" + +# Create an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. +# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +"identity:create_implied_role": "rule:admin_required" + +# Delete the association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. Removing +# the association will cause that effect to be eliminated. +# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +"identity:delete_implied_role": "rule:admin_required" + +# List all associations between two roles in the system. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/role_inferences +# HEAD /v3/role_inferences +# Intended scope(s): system +"identity:list_role_inference_rules": "rule:admin_required" + +# Check an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. +# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +"identity:check_implied_role": "rule:admin_required" + +# Get limit enforcement model. 
+# GET /v3/limits/model +# HEAD /v3/limits/model +# Intended scope(s): system, project +"identity:get_limit_model": "" + +# Show limit details. +# GET /v3/limits/{limit_id} +# HEAD /v3/limits/{limit_id} +# Intended scope(s): system, project +"identity:get_limit": "" + +# List limits. +# GET /v3/limits +# HEAD /v3/limits +# Intended scope(s): system, project +"identity:list_limits": "" + +# Create limits. +# POST /v3/limits +# Intended scope(s): system +"identity:create_limits": "rule:admin_required" + +# Update limit. +# PATCH /v3/limits/{limit_id} +# Intended scope(s): system +"identity:update_limit": "rule:admin_required" + +# Delete limit. +# DELETE /v3/limits/{limit_id} +# Intended scope(s): system +"identity:delete_limit": "rule:admin_required" + +# Create a new federated mapping containing one or more sets of rules. +# PUT /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +"identity:create_mapping": "rule:admin_required" + +# Get a federated mapping. +# GET /v3/OS-FEDERATION/mappings/{mapping_id} +# HEAD /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +"identity:get_mapping": "rule:admin_required" + +# List federated mappings. +# GET /v3/OS-FEDERATION/mappings +# HEAD /v3/OS-FEDERATION/mappings +# Intended scope(s): system +"identity:list_mappings": "rule:admin_required" + +# Delete a federated mapping. +# DELETE /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +"identity:delete_mapping": "rule:admin_required" + +# Update a federated mapping. +# PATCH /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +"identity:update_mapping": "rule:admin_required" + +# Show policy details. +# GET /v3/policy/{policy_id} +# Intended scope(s): system +"identity:get_policy": "rule:admin_required" + +# List policies. +# GET /v3/policies +# Intended scope(s): system +"identity:list_policies": "rule:admin_required" + +# Create policy. 
+# POST /v3/policies +# Intended scope(s): system +"identity:create_policy": "rule:admin_required" + +# Update policy. +# PATCH /v3/policies/{policy_id} +# Intended scope(s): system +"identity:update_policy": "rule:admin_required" + +# Delete policy. +# DELETE /v3/policies/{policy_id} +# Intended scope(s): system +"identity:delete_policy": "rule:admin_required" + +# Associate a policy to a specific endpoint. +# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:create_policy_association_for_endpoint": "rule:admin_required" + +# Check policy association for endpoint. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:check_policy_association_for_endpoint": "rule:admin_required" + +# Delete policy association for endpoint. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +"identity:delete_policy_association_for_endpoint": "rule:admin_required" + +# Associate a policy to a specific service. +# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +"identity:create_policy_association_for_service": "rule:admin_required" + +# Check policy association for service. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +"identity:check_policy_association_for_service": "rule:admin_required" + +# Delete policy association for service. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +"identity:delete_policy_association_for_service": "rule:admin_required" + +# Associate a policy to a specific region and service combination. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+"identity:create_policy_association_for_region_and_service": "rule:admin_required"
+
+# Check policy association for region and service.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+"identity:check_policy_association_for_region_and_service": "rule:admin_required"
+
+# Delete policy association for region and service.
+# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+"identity:delete_policy_association_for_region_and_service": "rule:admin_required"
+
+# Get policy for endpoint.
+# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
+# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
+# Intended scope(s): system
+"identity:get_policy_for_endpoint": "rule:admin_required"
+
+# List endpoints for policy.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
+# Intended scope(s): system
+"identity:list_endpoints_for_policy": "rule:admin_required"
+
+# Show project details.
+# GET /v3/projects/{project_id}
+"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
+
+# List projects.
+# GET /v3/projects
+# Intended scope(s): system
+"identity:list_projects": "rule:admin_required"
+
+# List projects for user.
+# GET /v3/users/{user_id}/projects
+"identity:list_user_projects": "rule:admin_or_owner"
+
+# Create project.
+# POST /v3/projects
+# Intended scope(s): system
+"identity:create_project": "rule:admin_required"
+
+# Update project.
+# PATCH /v3/projects/{project_id}
+# Intended scope(s): system
+"identity:update_project": "rule:admin_required"
+
+# Delete project.
+# DELETE /v3/projects/{project_id}
+# Intended scope(s): system
+"identity:delete_project": "rule:admin_required"
+
+# List tags for a project.
+# GET /v3/projects/{project_id}/tags
+# HEAD /v3/projects/{project_id}/tags
+"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"
+
+# Check if project contains a tag.
+# GET /v3/projects/{project_id}/tags/{value}
+# HEAD /v3/projects/{project_id}/tags/{value}
+"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"
+
+# Replace all tags on a project with the new set of tags.
+# PUT /v3/projects/{project_id}/tags
+# Intended scope(s): system
+"identity:update_project_tags": "rule:admin_required"
+
+# Add a single tag to a project.
+# PUT /v3/projects/{project_id}/tags/{value}
+# Intended scope(s): system
+"identity:create_project_tag": "rule:admin_required"
+
+# Remove all tags from a project.
+# DELETE /v3/projects/{project_id}/tags
+# Intended scope(s): system
+"identity:delete_project_tags": "rule:admin_required"
+
+# Delete a specified tag from project.
+# DELETE /v3/projects/{project_id}/tags/{value}
+# Intended scope(s): system
+"identity:delete_project_tag": "rule:admin_required"
+
+# List projects allowed to access an endpoint.
+# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
+# Intended scope(s): system
+"identity:list_projects_for_endpoint": "rule:admin_required"
+
+# Allow project to access an endpoint.
+# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+"identity:add_endpoint_to_project": "rule:admin_required"
+
+# Check if a project is allowed to access an endpoint.
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+"identity:check_endpoint_in_project": "rule:admin_required"
+
+# List the endpoints a project is allowed to access.
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
+# Intended scope(s): system
+"identity:list_endpoints_for_project": "rule:admin_required"
+
+# Remove access to an endpoint from a project that has previously been
+# given explicit access.
+# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+"identity:remove_endpoint_from_project": "rule:admin_required"
+
+# Create federated protocol.
+# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+"identity:create_protocol": "rule:admin_required"
+
+# Update federated protocol.
+# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+"identity:update_protocol": "rule:admin_required"
+
+# Get federated protocol.
+# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+"identity:get_protocol": "rule:admin_required"
+
+# List federated protocols.
+# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
+# Intended scope(s): system
+"identity:list_protocols": "rule:admin_required"
+
+# Delete federated protocol.
+# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+"identity:delete_protocol": "rule:admin_required"
+
+# Show region details.
+# GET /v3/regions/{region_id}
+# HEAD /v3/regions/{region_id}
+# Intended scope(s): system, project
+"identity:get_region": ""
+
+# List regions.
+# GET /v3/regions
+# HEAD /v3/regions
+# Intended scope(s): system, project
+"identity:list_regions": ""
+
+# Create region.
+# POST /v3/regions
+# PUT /v3/regions/{region_id}
+# Intended scope(s): system
+"identity:create_region": "rule:admin_required"
+
+# Update region.
+# PATCH /v3/regions/{region_id}
+# Intended scope(s): system
+"identity:update_region": "rule:admin_required"
+
+# Delete region.
+# DELETE /v3/regions/{region_id}
+# Intended scope(s): system
+"identity:delete_region": "rule:admin_required"
+
+# Show registered limit details.
+# GET /v3/registered_limits/{registered_limit_id}
+# HEAD /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system, project
+"identity:get_registered_limit": ""
+
+# List registered limits.
+# GET /v3/registered_limits
+# HEAD /v3/registered_limits
+# Intended scope(s): system, project
+"identity:list_registered_limits": ""
+
+# Create registered limits.
+# POST /v3/registered_limits
+# Intended scope(s): system
+"identity:create_registered_limits": "rule:admin_required"
+
+# Update registered limit.
+# PATCH /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system
+"identity:update_registered_limit": "rule:admin_required"
+
+# Delete registered limit.
+# DELETE /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system
+"identity:delete_registered_limit": "rule:admin_required"
+
+# List revocation events.
+# GET /v3/OS-REVOKE/events
+# Intended scope(s): system
+"identity:list_revoke_events": "rule:service_or_admin"
+
+# Show role details.
+# GET /v3/roles/{role_id}
+# HEAD /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:get_role": "role:reader"
+
+# DEPRECATED "identity:get_role":"rule:admin_required" has been
+# deprecated since S in favor of "identity:get_role":"role:reader".
+#
+# As of the Stein release, the role API now understands default roles
+# and system-scoped tokens, making the API more granular by default
+# without compromising security. The new policy defaults account for
+# these changes automatically. Be sure to take these new defaults into
+# consideration if you are relying on overrides in your deployment for
+# the role API.
+#"identity:get_role": "rule:identity:get_role"
+# List roles.
+# GET /v3/roles
+# HEAD /v3/roles
+# Intended scope(s): system
+"identity:list_roles": "role:reader"
+
+# DEPRECATED "identity:list_roles":"rule:admin_required" has been
+# deprecated since S in favor of "identity:list_roles":"role:reader".
+#
+# As of the Stein release, the role API now understands default roles
+# and system-scoped tokens, making the API more granular by default
+# without compromising security. The new policy defaults account for
+# these changes automatically. Be sure to take these new defaults into
+# consideration if you are relying on overrides in your deployment for
+# the role API.
+#"identity:list_roles": "rule:identity:list_roles"
+# Create role.
+# POST /v3/roles
+# Intended scope(s): system
+"identity:create_role": "rule:admin_required"
+
+# Update role.
+# PATCH /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:update_role": "rule:admin_required"
+
+# Delete role.
+# DELETE /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:delete_role": "rule:admin_required"
+
+# Show domain role.
+# GET /v3/roles/{role_id}
+# HEAD /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:get_domain_role": "rule:admin_required"
+
+# List domain roles.
+# GET /v3/roles?domain_id={domain_id}
+# HEAD /v3/roles?domain_id={domain_id}
+# Intended scope(s): system
+"identity:list_domain_roles": "rule:admin_required"
+
+# Create domain role.
+# POST /v3/roles
+# Intended scope(s): system
+"identity:create_domain_role": "rule:admin_required"
+
+# Update domain role.
+# PATCH /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:update_domain_role": "rule:admin_required"
+
+# Delete domain role.
+# DELETE /v3/roles/{role_id}
+# Intended scope(s): system
+"identity:delete_domain_role": "rule:admin_required"
+
+# List role assignments.
+# GET /v3/role_assignments
+# HEAD /v3/role_assignments
+# Intended scope(s): system
+"identity:list_role_assignments": "rule:admin_required"
+
+# List all role assignments for a given tree of hierarchical projects.
+# GET /v3/role_assignments?include_subtree
+# HEAD /v3/role_assignments?include_subtree
+# Intended scope(s): project
+"identity:list_role_assignments_for_tree": "rule:admin_required"
+
+# Show service details.
+# GET /v3/services/{service_id}
+# Intended scope(s): system
+"identity:get_service": "rule:admin_required"
+
+# List services.
+# GET /v3/services
+# Intended scope(s): system
+"identity:list_services": "rule:admin_required"
+
+# Create service.
+# POST /v3/services
+# Intended scope(s): system
+"identity:create_service": "rule:admin_required"
+
+# Update service.
+# PATCH /v3/services/{service_id}
+# Intended scope(s): system
+"identity:update_service": "rule:admin_required"
+
+# Delete service.
+# DELETE /v3/services/{service_id}
+# Intended scope(s): system
+"identity:delete_service": "rule:admin_required"
+
+# Create federated service provider.
+# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}
+# Intended scope(s): system
+"identity:create_service_provider": "rule:admin_required"
+
+# List federated service providers.
+# GET /v3/OS-FEDERATION/service_providers
+# HEAD /v3/OS-FEDERATION/service_providers
+# Intended scope(s): system
+"identity:list_service_providers": "rule:admin_required"
+
+# Get federated service provider.
+# GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
+# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}
+# Intended scope(s): system
+"identity:get_service_provider": "rule:admin_required"
+
+# Update federated service provider.
+# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}
+# Intended scope(s): system
+"identity:update_service_provider": "rule:admin_required"
+
+# Delete federated service provider.
+# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}
+# Intended scope(s): system
+"identity:delete_service_provider": "rule:admin_required"
+
+# List revoked PKI tokens.
+# GET /v3/auth/tokens/OS-PKI/revoked
+# Intended scope(s): system, project
+"identity:revocation_list": "rule:service_or_admin"
+
+# Check a token.
+# HEAD /v3/auth/tokens
+"identity:check_token": "rule:admin_or_token_subject"
+
+# Validate a token.
+# GET /v3/auth/tokens
+"identity:validate_token": "rule:service_admin_or_token_subject"
+
+# Revoke a token.
+# DELETE /v3/auth/tokens
+"identity:revoke_token": "rule:admin_or_token_subject"
+
+# Create trust.
+# POST /v3/OS-TRUST/trusts
+# Intended scope(s): project
+"identity:create_trust": "user_id:%(trust.trustor_user_id)s"
+
+# List trusts.
+# GET /v3/OS-TRUST/trusts
+# HEAD /v3/OS-TRUST/trusts
+# Intended scope(s): project
+"identity:list_trusts": ""
+
+# List roles delegated by a trust.
+# GET /v3/OS-TRUST/trusts/{trust_id}/roles
+# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles
+# Intended scope(s): project
+"identity:list_roles_for_trust": ""
+
+# Check if trust delegates a particular role.
+# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
+# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
+# Intended scope(s): project
+"identity:get_role_for_trust": ""
+
+# Revoke trust.
+# DELETE /v3/OS-TRUST/trusts/{trust_id}
+# Intended scope(s): project
+"identity:delete_trust": ""
+
+# Get trust.
+# GET /v3/OS-TRUST/trusts/{trust_id}
+# HEAD /v3/OS-TRUST/trusts/{trust_id}
+# Intended scope(s): project
+"identity:get_trust": ""
+
+# Show user details.
+# GET /v3/users/{user_id}
+# HEAD /v3/users/{user_id}
+"identity:get_user": "rule:admin_or_owner"
+
+# List users.
+# GET /v3/users
+# HEAD /v3/users
+# Intended scope(s): system
+"identity:list_users": "rule:admin_required"
+
+# List all projects a user has access to via role assignments.
+# GET /v3/auth/projects
+"identity:list_projects_for_user": ""
+
+# List all domains a user has access to via role assignments.
+# GET /v3/auth/domains
+"identity:list_domains_for_user": ""
+
+# Create a user.
+# POST /v3/users
+# Intended scope(s): system
+"identity:create_user": "rule:admin_required"
+
+# Update a user, including administrative password resets.
+# PATCH /v3/users/{user_id}
+# Intended scope(s): system
+"identity:update_user": "rule:admin_required"
+
+# Delete a user.
+# DELETE /v3/users/{user_id}
+# Intended scope(s): system
+"identity:delete_user": "rule:admin_required"
+
diff --git a/services/nova/stock-policy.yaml b/services/nova/stock-policy.yaml
new file mode 100644
index 0000000..df5ce12
--- /dev/null
+++ b/services/nova/stock-policy.yaml
@@ -0,0 +1,816 @@
+# Reset the state of a given server
+#POST /servers/{server_id}/action
+# (os-resetState)
+"os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
+# Inject network information into the server
+#POST
+# /servers/{server_id}/action (injectNetworkInfo)
+"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
+# Reset networking on a server
+#POST /servers/{server_id}/action
+# (resetNetwork)
+"os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
+# Change the administrative password for a server
+#POST
+# /servers/{server_id}/action (changePassword)
+"os_compute_api:os-admin-password": "rule:admin_or_owner"
+# Create, list, update, and delete guest agent builds
+#
+#This is XenAPI
+# driver specific. It is used to force the upgrade of the
+#XenAPI guest
+# agent on instance boot.
+#
+#GET /os-agents
+#POST /os-agents
+#PUT /os-
+# agents/{agent_build_id}
+#DELETE /os-agents/{agent_build_id}
+"os_compute_api:os-agents": "rule:admin_api"
+# Create or replace metadata for an aggregate
+#POST /os-
+# aggregates/{aggregate_id}/action (set_metadata)
+"os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
+# Add a host to an aggregate.
+#POST /os-
+# aggregates/{aggregate_id}/action (add_host)
+"os_compute_api:os-aggregates:add_host": "rule:admin_api"
+# Create an aggregate
+#POST /os-aggregates
+"os_compute_api:os-aggregates:create": "rule:admin_api"
+# Remove a host from an aggregate
+#POST /os-
+# aggregates/{aggregate_id}/action (remove_host)
+"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
+# Update name and/or availability zone for an aggregate
+#PUT /os-
+# aggregates/{aggregate_id}
+"os_compute_api:os-aggregates:update": "rule:admin_api"
+# List all aggregates
+#GET /os-aggregates
+"os_compute_api:os-aggregates:index": "rule:admin_api"
+# Delete an aggregate
+#DELETE /os-aggregates/{aggregate_id}
+"os_compute_api:os-aggregates:delete": "rule:admin_api"
+# Show details for an aggregate.
+#GET /os-aggregates/{aggregate_id}
+"os_compute_api:os-aggregates:show": "rule:admin_api"
+# Create an assisted volume snapshot
+#POST /os-assisted-volume-
+# snapshots
+"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
+# Delete an assisted volume snapshot
+#DELETE /os-assisted-volume-
+# snapshots/{snapshot_id}
+"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
+# List port interfaces or show details of a port interface attached to
+# a server
+#GET /servers/{server_id}/os-interface
+#GET
+# /servers/{server_id}/os-interface/{port_id}
+"os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
+# Attach an interface to a server
+#POST /servers/{server_id}/os-
+# interface
+"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
+# Detach an interface from a server
+#DELETE /servers/{server_id}/os-
+# interface/{port_id}
+"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
+# Lists availability zone information without host information
+#GET os-
+# availability-zone
+"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
+# Lists detailed availability zone information with host information
+# GET /os-availability-zone/detail
+"os_compute_api:os-availability-zone:detail": "rule:admin_api"
+# List and show details of bare metal nodes.
+#
+#These APIs are proxy
+# calls to the Ironic service and are deprecated.
+#
+#GET /os-baremetal-
+# nodes
+#GET /os-baremetal-nodes/{node_id}
+"os_compute_api:os-baremetal-nodes": "rule:admin_api"
+#
+"context_is_admin": "role:admin"
+#
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+#
+"admin_api": "is_admin:True"
+#
+"network:attach_external_network": "is_admin:True"
+# Update an existing cell
+#PUT /os-cells/{cell_id}
+"os_compute_api:os-cells:update": "rule:admin_api"
+# Create a new cell
+#POST /os-cells
+"os_compute_api:os-cells:create": "rule:admin_api"
+# List and get detailed info of a given cell or all cells
+#GET /os-
+# cells
+#GET /os-cells/detail
+#GET /os-cells/info
+#GET /os-
+# cells/capacities
+#GET /os-cells/{cell_id}
+"os_compute_api:os-cells": "rule:admin_api"
+# Sync instances info in all cells
+#POST /os-cells/sync_instances
+"os_compute_api:os-cells:sync_instances": "rule:admin_api"
+# Remove a cell
+#DELETE /os-cells/{cell_id}
+"os_compute_api:os-cells:delete": "rule:admin_api"
+# Different cell filter to route a build away from a particular cell
+# This policy is read by nova-scheduler process.
+"cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
+# Target cell filter to route a build to a particular cell
+#
+#This
+# policy is read by nova-scheduler process.
+"cells_scheduler_filter:TargetCellFilter": "is_admin:True"
+# Add 'config_drive' attribute in the server response.
+#GET
+# /servers/{id}
+#GET /servers/detail
+"os_compute_api:os-config-drive": "rule:admin_or_owner"
+# Show console connection information for a given console
+# authentication token
+#GET /os-console-auth-tokens/{console_token}
+"os_compute_api:os-console-auth-tokens": "rule:admin_api"
+# Show console output for a server
+#POST /servers/{server_id}/action
+# (os-getConsoleOutput)
+"os_compute_api:os-console-output": "rule:admin_or_owner"
+# Create a console for a server instance
+#POST
+# /servers/{server_id}/consoles
+"os_compute_api:os-consoles:create": "rule:admin_or_owner"
+# Show console details for a server instance
+#GET
+# /servers/{server_id}/consoles/{console_id}
+"os_compute_api:os-consoles:show": "rule:admin_or_owner"
+# Delete a console for a server instance
+#DELETE
+# /servers/{server_id}/consoles/{console_id}
+"os_compute_api:os-consoles:delete": "rule:admin_or_owner"
+# List all consoles for a server instance
+#GET
+# /servers/{server_id}/consoles
+"os_compute_api:os-consoles:index": "rule:admin_or_owner"
+# Create a back up of a server
+#POST /servers/{server_id}/action
+# (createBackup)
+"os_compute_api:os-create-backup": "rule:admin_or_owner"
+# Restore a soft deleted server or force delete a server before
+# deferred cleanup
+#POST /servers/{server_id}/action (restore)
+#POST
+# /servers/{server_id}/action (forceDelete)
+"os_compute_api:os-deferred-delete": "rule:admin_or_owner"
+# Evacuate a server from a failed host to a new host
+#POST
+# /servers/{server_id}/action (evacuate)
+"os_compute_api:os-evacuate": "rule:admin_api"
+# Add `OS-EXT-AZ:availability_zone` into the server response.
+#GET
+# /servers/{id}
+#GET /servers/detail
+"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
+# Return extended attributes for server.
+#
+#This rule will control the
+# visibility for a set of servers attributes:
+# OS-EXT-SRV-ATTR:host
+# OS-EXT-SRV-ATTR:instance_name
+# OS-EXT-SRV-ATTR:reservation_id
+# (since microversion 2.3)
+# OS-EXT-SRV-ATTR:launch_index (since
+# microversion 2.3)
+# OS-EXT-SRV-ATTR:hostname (since microversion
+# 2.3)
+# OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
+# OS-
+# EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
+# OS-EXT-SRV-
+# ATTR:root_device_name (since microversion 2.3)
+# OS-EXT-SRV-
+# ATTR:user_data (since microversion 2.3)
+#GET /servers/{id}
+#GET
+# /servers/detail
+"os_compute_api:os-extended-server-attributes": "rule:admin_api"
+# Return extended status in the response of server.
+#
+#This policy will
+# control the visibility for a set of attributes:
+# OS-EXT-
+# STS:task_state
+# OS-EXT-STS:vm_state
+# OS-EXT-STS:power_state
+# GET /servers/{id}
+#GET /servers/detail
+"os_compute_api:os-extended-status": "rule:admin_or_owner"
+# Return 'os-extended-volumes:volumes_attached' in the response of
+# server.
+#GET /servers/{id}
+#GET /servers/detail
+"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
+# Lists available extensions and shows information for an extension by
+# alias.
+#GET /extensions
+#GET /extensions/{alias}
+"os_compute_api:extensions": "rule:admin_or_owner"
+#
+"os_compute_api:os-fixed-ips": "rule:admin_api"
+# Add flavor access to a tenant
+#POST /flavors/{flavor_id}/action
+# (addTenantAccess)
+"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
+# Remove flavor access from a tenant
+#POST /flavors/{flavor_id}/action
+# (removeTenantAccess)
+"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
+# Allow the listing of flavor access information
+#
+#Adds the os-flavor-
+# access:is_public key into several flavor APIs.
+#
+#It also allows
+# access to the full list of tenants that have access
+#to a flavor via
+# an os-flavor-access API.
+#
+#GET /flavors/{flavor_id}/os-flavor-access
+# GET /flavors/detail
+#GET /flavors/{flavor_id}
+#POST /flavors
+"os_compute_api:os-flavor-access": "rule:admin_or_owner"
+# Show an extra spec for a flavor
+#GET /flavors/{flavor_id}/os-
+# extra_specs/{flavor_extra_spec_key}
+"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
+# Create extra specs for a flavor
+#POST /flavors/{flavor_id}/os-
+# extra_specs/
+"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
+# Update an extra spec for a flavor
+#PUT /flavors/{flavor_id}/os-
+# extra_specs/{flavor_extra_spec_key}
+"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
+# Delete an extra spec for a flavor
+#DELETE /flavors/{flavor_id}/os-
+# extra_specs/{flavor_extra_spec_key}
+"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
+# List extra specs for a flavor
+#GET /flavors/{flavor_id}/os-
+# extra_specs/
+"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
+# Create and delete Flavors
+#POST /flavors
+#DELETE /flavors/{flavor_id}
+"os_compute_api:os-flavor-manage": "rule:admin_api"
+# Adds the rxtx_factor key into some Flavor APIs
+#GET /flavors/detail
+# GET /flavors/{flavor_id}
+#POST /flavors
+"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
+#
+"os_compute_api:flavors": "rule:admin_or_owner"
+# List registered DNS domains, and CRUD actions on domain names.
+#
+#Note
+# this only works with nova-network and this API is deprecated.
+#GET
+# /os-floating-ip-dns
+#GET /os-floating-ip-dns/{domain}/entries/{ip}
+# GET /os-floating-ip-dns/{domain}/entries/{name}
+#PUT /os-floating-ip-
+# dns/{domain}/entries/{name}
+#DELETE /os-floating-ip-
+# dns/{domain}/entries/{name}
+"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
+# Create or update a DNS domain.
+#PUT /os-floating-ip-dns/{domain}
+"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
+# Delete a DNS domain.
+#DELETE /os-floating-ip-dns/{domain}
+"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
+# List floating IP pools. This API is deprecated.
+#GET /os-floating-ip-
+# pools
+"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
+# Manage a project's floating IPs. These APIs are all deprecated.
+#POST
+# /servers/{server_id}/action (addFloatingIp)
+#POST
+# /servers/{server_id}/action (removeFloatingIp)
+#GET /os-floating-ips
+# POST /os-floating-ips
+#GET /os-floating-ips/{floating_ip_id}
+#DELETE
+# /os-floating-ips/{floating_ip_id}
+"os_compute_api:os-floating-ips": "rule:admin_or_owner"
+# Bulk-create, delete, and list floating IPs. API is deprecated.
+#GET
+# /os-floating-ips-bulk
+#POST /os-floating-ips-bulk
+#PUT /os-floating-
+# ips-bulk/delete
+#GET /os-floating-ips-bulk/{host_name}
+"os_compute_api:os-floating-ips-bulk": "rule:admin_api"
+# Pings instances for all projects and reports which instances
+#are
+# alive.
+#
+#os-fping API is deprecated as this works only with nova-
+# network
+#which itself is deprecated.
+#GET /os-fping?all_tenants=true
+"os_compute_api:os-fping:all_tenants": "rule:admin_api"
+# Pings instances, particular instance and reports which instances
+#are
+# alive.
+#
+#os-fping API is deprecated as this works only with nova-
+# network
+#which itself is deprecated.
+#GET /os-fping
+#GET /os-
+# fping/{instance_id}
+"os_compute_api:os-fping": "rule:admin_or_owner"
+#
+"os_compute_api:os-hide-server-addresses": "is_admin:False"
+#
+"os_compute_api:os-hosts": "rule:admin_api"
+# Policy rule for hypervisor related APIs.
+#
+#This rule will be checked
+# for the following APIs:
+#
+#List all hypervisors, list all hypervisors
+# with details, show
+#summary statistics for all hypervisors over all
+# compute nodes,
+#show details for a hypervisor, show the uptime of a
+# hypervisor,
+#search hypervisor by hypervisor_hostname pattern and
+# list all
+#servers on hypervisors that can match the provided
+# hypervisor_hostname
+#pattern.
+#GET /os-hypervisors
+#GET /os-
+# hypervisors/details
+#GET /os-hypervisors/statistics
+#GET /os-
+# hypervisors/{hypervisor_id}
+#GET /os-
+# hypervisors/{hypervisor_id}/uptime
+#GET /os-
+# hypervisors/{hypervisor_hostname_pattern}/search
+#GET /os-
+# hypervisors/{hypervisor_hostname_pattern}/servers
+"os_compute_api:os-hypervisors": "rule:admin_api"
+# Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.
+#GET
+# /images/{id}
+#GET /images/detail
+"os_compute_api:image-size": "rule:admin_or_owner"
+# Add events details in action details for a server.
+#
+#This check is
+# performed only after the check
+#os_compute_api:os-instance-actions
+# passes
+#GET /servers/{server_id}/os-instance-actions/{request_id}
+"os_compute_api:os-instance-actions:events": "rule:admin_api"
+# List actions and show action details for a server.
+#GET
+# /servers/{server_id}/os-instance-actions
+#GET
+# /servers/{server_id}/os-instance-actions/{request_id}
+"os_compute_api:os-instance-actions": "rule:admin_or_owner"
+# Lists all usage audits and that occurred before a specified time
+#for
+# all servers on all compute hosts where usage auditing is configured.
+# GET /os-instance_usage_audit_log
+#GET /os-
+# instance_usage_audit_log/{before_timestamp}
+"os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
+# Shows IP addresses details for a network label of a server.
+#GET
+# /servers/{server_id}/ips/{network_label}
+"os_compute_api:ips:show": "rule:admin_or_owner"
+# Lists IP addresses that are assigned to a server.
+#GET
+# /servers/{server_id}/ips
+"os_compute_api:ips:index": "rule:admin_or_owner"
+# List all keypairs
+#GET /os-keypairs
+"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
+# Create a keypair
+#POST /os-keypairs
+"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
+# Delete a keypair
+#DELETE /os-keypairs/{keypair_name}
+"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
+# Show details of a keypair
+#GET /os-keypairs/{keypair_name}
+"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
+# Return 'key_name' in the response of server.
+#GET /servers/{id}
+#GET
+# /servers/detail
+"os_compute_api:os-keypairs": "rule:admin_or_owner"
+#
+"os_compute_api:limits": "rule:admin_or_owner"
+# Lock a server
+#POST /servers/{server_id}/action (lock)
+"os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
+# Unlock a server
+#POST /servers/{server_id}/action (unlock)
+"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
+# Unlock a server, regardless who locked the server.
+#
+# This
+# check is performed only after the check
+# os_compute_api:os-
+# lock-server:unlock passes
+#POST /servers/{server_id}/action (unlock)
+"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
+# Cold migrate a server to a host
+#POST /servers/{server_id}/action
+# (migrate)
+"os_compute_api:os-migrate-server:migrate": "rule:admin_api"
+# Live migrate a server to a new host without a reboot
+#POST
+# /servers/{server_id}/action (os-migrateLive)
+"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
+# List migrations
+#GET /os-migrations
+"os_compute_api:os-migrations:index": "rule:admin_api"
+#
+"os_compute_api:os-multinic": "rule:admin_or_owner"
+#
+"os_compute_api:os-networks": "rule:admin_api"
+#
+"os_compute_api:os-networks:view": "rule:admin_or_owner"
+#
+"os_compute_api:os-networks-associate": "rule:admin_api"
+# Pause a server.
+#POST /servers/{server_id}/action (pause)
+"os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
+# Unpause a paused server.
+#POST /servers/{server_id}/action (unpause)
+"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
+# List quotas for specific quota classs
+#GET /os-quota-class-
+# sets/{quota_class}
+"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
+# Update quotas for specific quota class
+#PUT /os-quota-class-
+# sets/{quota_class}
+"os_compute_api:os-quota-class-sets:update": "rule:admin_api"
+# Update the quotas
+#PUT /os-quota-sets/{tenant_id}
+"os_compute_api:os-quota-sets:update": "rule:admin_api"
+# List default quotas
+#GET /os-quota-sets/{tenant_id}/defaults
+"os_compute_api:os-quota-sets:defaults": "@"
+# Show a quota
+#GET /os-quota-sets/{tenant_id}
+"os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
+# Revert quotas to defaults
+#DELETE /os-quota-sets/{tenant_id}
+"os_compute_api:os-quota-sets:delete": "rule:admin_api"
+# Show the detail of quota
+#GET /os-quota-sets/{tenant_id}/detail
+"os_compute_api:os-quota-sets:detail": "rule:admin_api"
+# Generates a URL to access remove server console
+#POST
+# /servers/{server_id}/action (os-getRDPConsole)
+#POST
+# /servers/{server_id}/action (os-getSerialConsole)
+#POST
+# /servers/{server_id}/action (os-getSPICEConsole)
+#POST
+# /servers/{server_id}/action (os-getVNCConsole)
+#POST
+# /servers/{server_id}/remote-consoles
+"os_compute_api:os-remote-consoles": "rule:admin_or_owner"
+# Rescue/unrescue a server
+#POST /servers/{server_id}/action (rescue)
+# POST /servers/{server_id}/action (unrescue)
+"os_compute_api:os-rescue": "rule:admin_or_owner"
+# Lists, shows information for, creates and deletes default security
+# group rules.
+#
+#These API's are only available with nova-network which
+# is now deprecated.
+#GET /os-security-group-default-rules
+#GET /os-
+# security-group-default-rules/{security_group_default_rule_id}
+#POST
+# /os-security-group-default-rules
+#DELETE /os-security-group-default-
+# rules/{security_group_default_rule_id}
+"os_compute_api:os-security-group-default-rules": "rule:admin_api"
+# This policy checks permission on security groups related APIs.
+#
+#APIs
+# which are directly related to security groups resource are
+# deprecated:
+#Lists, shows information for, creates, updates and
+# deletes
+#security groups. Creates and deletes security group rules.
+# All these
+#API's are deprecated.
+#
+#APIs which are related to server
+# resource are not deprecated:
+#Lists Security Groups for a server. Add
+# Security Group to a server
+#and remove security group from a server.
+# Expand security_groups in
+#server representation
+#GET /os-security-
+# groups
+#GET /os-security-groups/{security_group_id}
+#POST /os-
+# security-groups
+#PUT /os-security-groups/{security_group_id}
+#DELETE
+# /os-security-groups/{security_group_id}
+#GET /servers/{server_id}/os-
+# security-groups
+#POST /servers/{server_id}/action (addSecurityGroup)
+# POST /servers/{server_id}/action (removeSecurityGroup)
+#POST /servers
+# GET /servers/{server_id}
+#GET /servers/detail
+"os_compute_api:os-security-groups": "rule:admin_or_owner"
+# Shows the usage data for a server
+#GET
+# /servers/{server_id}/diagnostics
+"os_compute_api:os-server-diagnostics": "rule:admin_api"
+# Creates one or more external events
+#POST /os-server-external-events
+"os_compute_api:os-server-external-events:create": "rule:admin_api"
+#
+"os_compute_api:os-server-groups": "rule:admin_or_owner"
+# Create a new server group
+#POST /os-server-groups
+"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
+# Delete a server group
+#DELETE /os-server-groups/{server_group_id}
+"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
+# List all server
groups +#GET /os-server-groups +"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups" +# Show details of a server group +#GET /os-server- +# groups/{server_group_id} +"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups" +# List all metadata of a server +#GET /servers/server_id/metadata +"os_compute_api:server-metadata:index": "rule:admin_or_owner" +# Show metadata for a server +#GET /servers/server_id/metadata/{key} +"os_compute_api:server-metadata:show": "rule:admin_or_owner" +# Create metadata for a server +#POST /servers/server_id/metadata +"os_compute_api:server-metadata:create": "rule:admin_or_owner" +# Replace metadata for a server +#PUT /servers/server_id/metadata +"os_compute_api:server-metadata:update_all": "rule:admin_or_owner" +# Update metadata from a server +#PUT /servers/server_id/metadata/{key} +"os_compute_api:server-metadata:update": "rule:admin_or_owner" +# Delete metadata from a server +#DELETE +# /servers/server_id/metadata/{key} +"os_compute_api:server-metadata:delete": "rule:admin_or_owner" +# Show and clear the encrypted administrative password of a server +#GET +# /servers/{server_id}/os-server-password +#DELETE +# /servers/{server_id}/os-server-password +"os_compute_api:os-server-password": "rule:admin_or_owner" +# Delete all the server tags +#DELETE /servers/{server_id}/tags +"os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner" +# List all tags for given server +#GET /servers/{server_id}/tags +"os_compute_api:os-server-tags:index": "rule:admin_or_owner" +# Replace all tags on specified server with the new set of tags. 
+#PUT +# /servers/{server_id}/tags +"os_compute_api:os-server-tags:update_all": "rule:admin_or_owner" +# Delete a single tag from the specified server +#DELETE +# /servers/{server_id}/tags/{tag} +"os_compute_api:os-server-tags:delete": "rule:admin_or_owner" +# Add a single tag to the server if server has no specified tag +#PUT +# /servers/{server_id}/tags/{tag} +"os_compute_api:os-server-tags:update": "rule:admin_or_owner" +# Check tag existence on the server. +#GET +# /servers/{server_id}/tags/{tag} +"os_compute_api:os-server-tags:show": "rule:admin_or_owner" +# +"os_compute_api:os-server-usage": "rule:admin_or_owner" +# List all servers +#GET /servers +"os_compute_api:servers:index": "rule:admin_or_owner" +# List all servers with detailed information +#GET /servers/detail +"os_compute_api:servers:detail": "rule:admin_or_owner" +# List all servers for all projects +#GET /servers +"os_compute_api:servers:index:get_all_tenants": "rule:admin_api" +# List all servers with detailed information for all projects +#GET +# /servers/detail +"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api" +# Show a server +#GET /servers/{server_id} +"os_compute_api:servers:show": "rule:admin_or_owner" +# Show a server with additional host status information +#GET +# /servers/{server_id} +#GET /servers/detail +"os_compute_api:servers:show:host_status": "rule:admin_api" +# Create a server +#POST /servers +"os_compute_api:servers:create": "rule:admin_or_owner" +# Create a server on the specified host +#POST /servers +"os_compute_api:servers:create:forced_host": "rule:admin_api" +# Create a server with the requested volume attached to it +#POST +# /servers +"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner" +# Create a server with the requested network attached to it +#POST +# /servers +"os_compute_api:servers:create:attach_network": "rule:admin_or_owner" +# Delete a server +#DELETE /servers/{server_id} +"os_compute_api:servers:delete": "rule:admin_or_owner" 
+# Update a server +#PUT /servers/{server_id} +"os_compute_api:servers:update": "rule:admin_or_owner" +# Confirm a server resize +#POST /servers/{server_id}/action +# (confirmResize) +"os_compute_api:servers:confirm_resize": "rule:admin_or_owner" +# Revert a server resize +#POST /servers/{server_id}/action +# (revertResize) +"os_compute_api:servers:revert_resize": "rule:admin_or_owner" +# Reboot a server +#POST /servers/{server_id}/action (reboot) +"os_compute_api:servers:reboot": "rule:admin_or_owner" +# Resize a server +#POST /servers/{server_id}/action (resize) +"os_compute_api:servers:resize": "rule:admin_or_owner" +# Rebuild a server +#POST /servers/{server_id}/action (rebuild) +"os_compute_api:servers:rebuild": "rule:admin_or_owner" +# Create an image from a server +#POST /servers/{server_id}/action +# (createImage) +"os_compute_api:servers:create_image": "rule:admin_or_owner" +# Create an image from a volume backed server +#POST +# /servers/{server_id}/action (createImage) +"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner" +# Start a server +#POST /servers/{server_id}/action (os-start) +"os_compute_api:servers:start": "rule:admin_or_owner" +# Stop a server +#POST /servers/{server_id}/action (os-stop) +"os_compute_api:servers:stop": "rule:admin_or_owner" +# Trigger crash dump in a server +#POST /servers/{server_id}/action +# (trigger_crash_dump) +"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner" +# Show details for an in-progress live migration for a given server +# GET /servers/{server_id}/migrations/{migration_id} +"os_compute_api:servers:migrations:show": "rule:admin_api" +# Force an in-progress live migration for a given server to complete +# POST /servers/{server_id}/migrations/{migration_id}/action +# (force_complete) +"os_compute_api:servers:migrations:force_complete": "rule:admin_api" +# Delete(Abort) an in-progress live migration +#DELETE +# /servers/{server_id}/migrations/{migration_id} 
+"os_compute_api:servers:migrations:delete": "rule:admin_api" +# Lists in-progress live migrations for a given server +#GET +# /servers/{server_id}/migrations +"os_compute_api:servers:migrations:index": "rule:admin_api" +# Lists all running Compute services in a region, enables or disables +# scheduling for a Compute service, logs disabled Compute service +# information, set or unset forced_down flag for the compute service +# and deletes a Compute service. +#GET /os-services +#PUT /os- +# services/enable +#PUT /os-services/disable +#PUT /os-services/disable- +# log-reason +#PUT /os-services/force-down +#DELETE /os- +# services/{service_id} +"os_compute_api:os-services": "rule:admin_api" +# Shelve Server +#POST /servers/{server_id}/action (shelve) +"os_compute_api:os-shelve:shelve": "rule:admin_or_owner" +# Unshelve (Restore) Shelved Server +#POST /servers/{server_id}/action +# (unshelve) +"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner" +# Shelf-Offload (Remove) Server +#POST /servers/{server_id}/action +# (shelveOffload) +"os_compute_api:os-shelve:shelve_offload": "rule:admin_api" +# Show usage statistics for a specific tenant. +#GET /os-simple-tenant- +# usage/{tenant_id} +"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner" +# List per tenant usage statistics for all tenants. +#GET /os-simple- +# tenant-usage +"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api" +# Resume suspended server +#POST /servers/{server_id}/action (resume) +"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner" +# Suspend server +#POST /servers/{server_id}/action (suspend) +"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner" +# Creates, lists, shows information for, and deletes +#project networks. +# These APIs are proxy calls to the Network service. These are all +# deprecated. 
+#GET /os-tenant-networks +#POST /os-tenant-networks +#GET +# /os-tenant-networks/{network_id} +#DELETE /os-tenant- +# networks/{network_id} +"os_compute_api:os-tenant-networks": "rule:admin_or_owner" +# Shows rate and absolute limits for the project. +# +#This policy only +# checks if the user has access to the requested +#project limits. And +# this check is performed only after the check +#os_compute_api:limits +# passes +#GET /limits +"os_compute_api:os-used-limits": "rule:admin_api" +# List Virtual Interfaces. +# +#This works only with the nova-network +# service, which is now deprecated +#GET /servers/{server_id}/os- +# virtual-interfaces +"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner" +# Manages volumes for use with the Compute API. +# +#Lists, shows details, +# creates, and deletes volumes. These APIs are proxy calls +#to the +# Volume service. These are all deprecated. +#GET /os-volumes +#POST /os- +# volumes +#GET /os-volumes/detail +#GET /os-volumes/{volume_id} +#DELETE +# /os-volumes/{volume_id} +"os_compute_api:os-volumes": "rule:admin_or_owner" +# List volume attachments for an instance +#GET /servers/{server_id}/os- +# volume_attachments +"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner" +# Attach a volume to an instance +#POST /servers/{server_id}/os- +# volume_attachments +"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner" +# Show details of a volume attachment +#GET /servers/{server_id}/os- +# volume_attachments/{attachment_id} +"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner" +# Update a volume attachment +#PUT /servers/{server_id}/os- +# volume_attachments/{attachment_id} +"os_compute_api:os-volumes-attachments:update": "rule:admin_api" +# Detach a volume from an instance +#DELETE /servers/{server_id}/os- +# volume_attachments/{attachment_id} +"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner" 
diff --git a/tests/functions b/tests/functions index 98aa5fc..c88543c 100755 --- a/tests/functions +++ b/tests/functions @@ -22,6 +22,22 @@ update_policy_origin(){ done } + +update_policy_stock(){ + REPO_DIR=/opt/stack/openstack-access-policy + for ACCESS in $( list_tokens ) + do + for SERVICE in $( ls $REPO_DIR/services) + do oslopolicy-checker \ + --policy $REPO_DIR/services/$SERVICE/stock-policy.yaml \ + --access $REPO_DIR/tests/$ACCESS/access.json | sort -k 2 \ + > $REPO_DIR/tests/$ACCESS/$SERVICE.stock ; + done + done +} + + + run_policy_current(){ REPO_DIR="$(dirname $(readlink -f $0))" From b80c0ab7083763f73b6a4e48f061a32f54005dd0 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Apr 29 2019 17:25:11 +0000 Subject: [PATCH 2/5] Record Values of Stock policy files cinder glance neutron Contains stock policies for nova and keystone --- diff --git a/services/cinder/stock-policy.yaml b/services/cinder/stock-policy.yaml new file mode 100644 index 0000000..1660ac7 --- /dev/null +++ b/services/cinder/stock-policy.yaml 
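Review bot: In `update_policy_stock` a failing `oslopolicy-checker` run is masked by the `| sort -k 2` pipe, and the `>` redirection still creates `$SERVICE.stock`, so any service directory without a `stock-policy.yaml` (this series adds them one file at a time) or a checker error silently records an empty baseline that a later comparison would read as the stock result. `REPO_DIR` is also assigned as a global with the hard-coded path `/opt/stack/openstack-access-policy`, while `run_policy_current` in the context lines derives it from `$0`; the two should agree, or at least the default should be overridable. `for SERVICE in $( ls $REPO_DIR/services)` parses `ls` output and every expansion in the loop is unquoted. The rewrite below keeps the hard-coded default but lets the environment override it, iterates the service directories with a glob, skips services that have no stock policy, and runs the checker and the sort as separate steps so the checker's exit status is checked before the baseline is written.
```shell
update_policy_stock(){
    REPO_DIR="${REPO_DIR:-/opt/stack/openstack-access-policy}"
    for ACCESS in $( list_tokens )
    do
        for SERVICE_DIR in "$REPO_DIR"/services/*/
        do
            SERVICE="$(basename "$SERVICE_DIR")"
            POLICY="$REPO_DIR/services/$SERVICE/stock-policy.yaml"
            OUT="$REPO_DIR/tests/$ACCESS/$SERVICE.stock"
            if [ ! -f "$POLICY" ]
            then
                echo "update_policy_stock: no stock-policy.yaml for $SERVICE, skipping" >&2
                continue
            fi
            # Run the checker on its own so its exit status is visible; only then sort into the baseline.
            if ! oslopolicy-checker --policy "$POLICY" \
                    --access "$REPO_DIR/tests/$ACCESS/access.json" > "$OUT.tmp"
            then
                echo "update_policy_stock: oslopolicy-checker failed for $SERVICE/$ACCESS" >&2
                rm -f "$OUT.tmp"
                continue
            fi
            sort -k 2 "$OUT.tmp" > "$OUT" && rm -f "$OUT.tmp"
        done
    done
}
```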
@@ -0,0 +1,634 @@ +# Decides what is required for the 'is_admin:True' check to succeed. +"context_is_admin": "role:admin" + +# Default rule for most non-Admin APIs. +"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s" + +# Default rule for most Admin APIs. +"admin_api": "is_admin:True or (role:admin and is_admin_project:True)" + +# Create attachment. +# POST /attachments +"volume:attachment_create": "" + +# Update attachment. +# PUT /attachments/{attachment_id} +"volume:attachment_update": "rule:admin_or_owner" + +# Delete attachment. +# DELETE /attachments/{attachment_id} +"volume:attachment_delete": "rule:admin_or_owner" + +# Mark a volume attachment process as completed (in-use) +# POST /attachments/{attachment_id}/action (os-complete) +"volume:attachment_complete": "rule:admin_or_owner" + +# Allow multiattach of bootable volumes. +# POST /attachments +"volume:multiattach_bootable_volume": "rule:admin_or_owner" + +# List messages. +# GET /messages +"message:get_all": "rule:admin_or_owner" + +# Show message. +# GET /messages/{message_id} +"message:get": "rule:admin_or_owner" + +# Delete message. +# DELETE /messages/{message_id} +"message:delete": "rule:admin_or_owner" + +# List clusters. +# GET /clusters +# GET /clusters/detail +"clusters:get_all": "rule:admin_api" + +# Show cluster. +# GET /clusters/{cluster_id} +"clusters:get": "rule:admin_api" + +# Update cluster. +# PUT /clusters/{cluster_id} +"clusters:update": "rule:admin_api" + +# Clean up workers. +# POST /workers/cleanup +"workers:cleanup": "rule:admin_api" + +# Show snapshot's metadata or one specified metadata with a given key. +# GET /snapshots/{snapshot_id}/metadata +# GET /snapshots/{snapshot_id}/metadata/{key} +"volume:get_snapshot_metadata": "rule:admin_or_owner" + +# Update snapshot's metadata or one specified metadata with a given +# key. 
+# PUT /snapshots/{snapshot_id}/metadata +# PUT /snapshots/{snapshot_id}/metadata/{key} +"volume:update_snapshot_metadata": "rule:admin_or_owner" + +# Delete snapshot's specified metadata with a given key. +# DELETE /snapshots/{snapshot_id}/metadata/{key} +"volume:delete_snapshot_metadata": "rule:admin_or_owner" + +# List snapshots. +# GET /snapshots +# GET /snapshots/detail +"volume:get_all_snapshots": "rule:admin_or_owner" + +# List or show snapshots with extended attributes. +# GET /snapshots/{snapshot_id} +# GET /snapshots/detail +"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner" + +# Create snapshot. +# POST /snapshots +"volume:create_snapshot": "rule:admin_or_owner" + +# Show snapshot. +# GET /snapshots/{snapshot_id} +"volume:get_snapshot": "rule:admin_or_owner" + +# Update snapshot. +# PUT /snapshots/{snapshot_id} +"volume:update_snapshot": "rule:admin_or_owner" + +# Delete snapshot. +# DELETE /snapshots/{snapshot_id} +"volume:delete_snapshot": "rule:admin_or_owner" + +# Reset status of a snapshot. +# POST /snapshots/{snapshot_id}/action (os-reset_status) +"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api" + +# Update database fields of snapshot. +# POST /snapshots/{snapshot_id}/action (update_snapshot_status) +"snapshot_extension:snapshot_actions:update_snapshot_status": "" + +# Force delete a snapshot. +# POST /snapshots/{snapshot_id}/action (os-force_delete) +"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api" + +# List (in detail) of snapshots which are available to manage. +# GET /manageable_snapshots +# GET /manageable_snapshots/detail +"snapshot_extension:list_manageable": "rule:admin_api" + +# Manage an existing snapshot. +# POST /manageable_snapshots +"snapshot_extension:snapshot_manage": "rule:admin_api" + +# Stop managing a snapshot. +# POST /snapshots/{snapshot_id}/action (os-unmanage) +"snapshot_extension:snapshot_unmanage": "rule:admin_api" + +# List backups. 
+# GET /backups +# GET /backups/detail +"backup:get_all": "rule:admin_or_owner" + +# List backups or show backup with project attributes. +# GET /backups/{backup_id} +# GET /backups/detail +"backup:backup_project_attribute": "rule:admin_api" + +# Create backup. +# POST /backups +"backup:create": "" + +# Show backup. +# GET /backups/{backup_id} +"backup:get": "rule:admin_or_owner" + +# Update backup. +# PUT /backups/{backup_id} +"backup:update": "rule:admin_or_owner" + +# Delete backup. +# DELETE /backups/{backup_id} +"backup:delete": "rule:admin_or_owner" + +# Restore backup. +# POST /backups/{backup_id}/restore +"backup:restore": "rule:admin_or_owner" + +# Import backup. +# POST /backups/{backup_id}/import_record +"backup:backup-import": "rule:admin_api" + +# Export backup. +# POST /backups/{backup_id}/export_record +"backup:export-import": "rule:admin_api" + +# Reset status of a backup. +# POST /backups/{backup_id}/action (os-reset_status) +"volume_extension:backup_admin_actions:reset_status": "rule:admin_api" + +# Force delete a backup. +# POST /backups/{backup_id}/action (os-force_delete) +"volume_extension:backup_admin_actions:force_delete": "rule:admin_api" + +# List groups. +# GET /groups +# GET /groups/detail +"group:get_all": "rule:admin_or_owner" + +# Create group. +# POST /groups +"group:create": "" + +# Show group. +# GET /groups/{group_id} +"group:get": "rule:admin_or_owner" + +# Update group. +# PUT /groups/{group_id} +"group:update": "rule:admin_or_owner" + +# Create, update or delete a group type. +# POST /group_types/ +# PUT /group_types/{group_type_id} +# DELETE /group_types/{group_type_id} +"group:group_types_manage": "rule:admin_api" + +# Show group type with type specs attributes. +# GET /group_types/{group_type_id} +"group:access_group_types_specs": "rule:admin_api" + +# Create, show, update and delete group type spec. 
+# GET /group_types/{group_type_id}/group_specs/{g_spec_id} +# GET /group_types/{group_type_id}/group_specs +# POST /group_types/{group_type_id}/group_specs +# PUT /group_types/{group_type_id}/group_specs/{g_spec_id} +# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id} +"group:group_types_specs": "rule:admin_api" + +# List group snapshots. +# GET /group_snapshots +# GET /group_snapshots/detail +"group:get_all_group_snapshots": "rule:admin_or_owner" + +# Create group snapshot. +# POST /group_snapshots +"group:create_group_snapshot": "" + +# Show group snapshot. +# GET /group_snapshots/{group_snapshot_id} +"group:get_group_snapshot": "rule:admin_or_owner" + +# Delete group snapshot. +# DELETE /group_snapshots/{group_snapshot_id} +"group:delete_group_snapshot": "rule:admin_or_owner" + +# Update group snapshot. +# PUT /group_snapshots/{group_snapshot_id} +"group:update_group_snapshot": "rule:admin_or_owner" + +# Reset status of group snapshot. +# POST /group_snapshots/{g_snapshot_id}/action (reset_status) +"group:reset_group_snapshot_status": "rule:admin_or_owner" + +# Delete group. +# POST /groups/{group_id}/action (delete) +"group:delete": "rule:admin_or_owner" + +# Reset status of group. +# POST /groups/{group_id}/action (reset_status) +"group:reset_status": "rule:admin_api" + +# Enable replication. +# POST /groups/{group_id}/action (enable_replication) +"group:enable_replication": "rule:admin_or_owner" + +# Disable replication. +# POST /groups/{group_id}/action (disable_replication) +"group:disable_replication": "rule:admin_or_owner" + +# Fail over replication. +# POST /groups/{group_id}/action (failover_replication) +"group:failover_replication": "rule:admin_or_owner" + +# List failover replication. +# POST /groups/{group_id}/action (list_replication_targets) +"group:list_replication_targets": "rule:admin_or_owner" + +# List qos specs or list all associations. 
+# GET /qos-specs +# GET /qos-specs/{qos_id}/associations +"volume_extension:qos_specs_manage:get_all": "rule:admin_api" + +# Show qos specs. +# GET /qos-specs/{qos_id} +"volume_extension:qos_specs_manage:get": "rule:admin_api" + +# Create qos specs. +# POST /qos-specs +"volume_extension:qos_specs_manage:create": "rule:admin_api" + +# Update qos specs (including updating association). +# PUT /qos-specs/{qos_id} +# GET /qos-specs/{qos_id}/disassociate_all +# GET /qos-specs/{qos_id}/associate +# GET /qos-specs/{qos_id}/disassociate +"volume_extension:qos_specs_manage:update": "rule:admin_api" + +# delete qos specs or unset one specified qos key. +# DELETE /qos-specs/{qos_id} +# PUT /qos-specs/{qos_id}/delete_keys +"volume_extension:qos_specs_manage:delete": "rule:admin_api" + +# Show or update project quota class. +# GET /os-quota-class-sets/{project_id} +# PUT /os-quota-class-sets/{project_id} +"volume_extension:quota_classes": "rule:admin_api" + +# Show project quota (including usage and default). +# GET /os-quota-sets/{project_id} +# GET /os-quota-sets/{project_id}/default +# GET /os-quota-sets/{project_id}?usage=True +"volume_extension:quotas:show": "rule:admin_or_owner" + +# Update project quota. +# PUT /os-quota-sets/{project_id} +"volume_extension:quotas:update": "rule:admin_api" + +# Delete project quota. +# DELETE /os-quota-sets/{project_id} +"volume_extension:quotas:delete": "rule:admin_api" + +# Validate setup for nested quota. +# GET /os-quota-sets/validate_setup_for_nested_quota_use +"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api" + +# Show backend capabilities. +# GET /capabilities/{host_name} +"volume_extension:capabilities": "rule:admin_api" + +# List all services. +# GET /os-services +"volume_extension:services:index": "rule:admin_api" + +# Update service, including failover_host, thaw, freeze, disable, +# enable, set-log and get-log actions. 
+# PUT /os-services/{action} +"volume_extension:services:update": "rule:admin_api" + +# Freeze a backend host. +# PUT /os-services/freeze +"volume:freeze_host": "rule:admin_api" + +# Thaw a backend host. +# PUT /os-services/thaw +"volume:thaw_host": "rule:admin_api" + +# Failover a backend host. +# PUT /os-services/failover_host +"volume:failover_host": "rule:admin_api" + +# List all backend pools. +# GET /scheduler-stats/get_pools +"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api" + +# List, update or show hosts for a project. +# GET /os-hosts +# PUT /os-hosts/{host_name} +# GET /os-hosts/{host_id} +"volume_extension:hosts": "rule:admin_api" + +# Show limits with used limit attributes. +# GET /limits +"limits_extension:used_limits": "rule:admin_or_owner" + +# List (in detail) of volumes which are available to manage. +# GET /manageable_volumes +# GET /manageable_volumes/detail +"volume_extension:list_manageable": "rule:admin_api" + +# Manage existing volumes. +# POST /manageable_volumes +"volume_extension:volume_manage": "rule:admin_api" + +# Stop managing a volume. +# POST /volumes/{volume_id}/action (os-unmanage) +"volume_extension:volume_unmanage": "rule:admin_api" + +# Create, update and delete volume type. +# POST /types +# PUT /types +# DELETE /types +"volume_extension:types_manage": "rule:admin_api" + +# Get one specific volume type. +# GET /types/{type_id} +"volume_extension:type_get": "" + +# List volume types. +# GET /types/ +"volume_extension:type_get_all": "" + +# List, show, create, update and delete volume type encryption. This +# is deprecated in the Stein release and will be removed in the +# future. +# POST /types/{type_id}/encryption +# PUT /types/{type_id}/encryption/{encryption_id} +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{encryption_id} +# DELETE /types/{type_id}/encryption/{encryption_id} +"volume_extension:volume_type_encryption": "rule:admin_api" + +# Create volume type encryption. 
+# POST /types/{type_id}/encryption +"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption" + +# Show, list volume type encryption. +# GET /types/{type_id}/encryption/{encryption_id} +# GET /types/{type_id}/encryption +"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption" + +# Update volume type encryption. +# PUT /types/{type_id}/encryption/{encryption_id} +"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption" + +# Delete volume type encryption. +# DELETE /types/{type_id}/encryption/{encryption_id} +"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption" + +# List or show volume type with access type extra specs attribute. +# GET /types/{type_id} +# GET /types +"volume_extension:access_types_extra_specs": "rule:admin_api" + +# List or show volume type with access type qos specs id attribute. +# GET /types/{type_id} +# GET /types +"volume_extension:access_types_qos_specs_id": "rule:admin_api" + +# Volume type access related APIs. +# GET /types +# GET /types/detail +# GET /types/{type_id} +# POST /types +"volume_extension:volume_type_access": "rule:admin_or_owner" + +# Add volume type access for project. +# POST /types/{type_id}/action (addProjectAccess) +"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api" + +# Remove volume type access for project. +# POST /types/{type_id}/action (removeProjectAccess) +"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api" + +# Extend a volume. +# POST /volumes/{volume_id}/action (os-extend) +"volume:extend": "rule:admin_or_owner" + +# Extend a attached volume. +# POST /volumes/{volume_id}/action (os-extend) +"volume:extend_attached_volume": "rule:admin_or_owner" + +# Revert a volume to a snapshot. +# POST /volumes/{volume_id}/action (revert) +"volume:revert_to_snapshot": "rule:admin_or_owner" + +# Reset status of a volume. 
+# POST /volumes/{volume_id}/action (os-reset_status) +"volume_extension:volume_admin_actions:reset_status": "rule:admin_api" + +# Retype a volume. +# POST /volumes/{volume_id}/action (os-retype) +"volume:retype": "rule:admin_or_owner" + +# Update a volume's readonly flag. +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +"volume:update_readonly_flag": "rule:admin_or_owner" + +# Force delete a volume. +# POST /volumes/{volume_id}/action (os-force_delete) +"volume_extension:volume_admin_actions:force_delete": "rule:admin_api" + +# Upload a volume to image with public visibility. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +"volume_extension:volume_actions:upload_public": "rule:admin_api" + +# Upload a volume to image. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +"volume_extension:volume_actions:upload_image": "rule:admin_or_owner" + +# Force detach a volume. +# POST /volumes/{volume_id}/action (os-force_detach) +"volume_extension:volume_admin_actions:force_detach": "rule:admin_api" + +# migrate a volume to a specified host. +# POST /volumes/{volume_id}/action (os-migrate_volume) +"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api" + +# Complete a volume migration. +# POST /volumes/{volume_id}/action (os-migrate_volume_completion) +"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api" + +# Initialize volume attachment. +# POST /volumes/{volume_id}/action (os-initialize_connection) +"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner" + +# Terminate volume attachment. +# POST /volumes/{volume_id}/action (os-terminate_connection) +"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner" + +# Roll back volume status to 'in-use'. +# POST /volumes/{volume_id}/action (os-roll_detaching) +"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner" + +# Mark volume as reserved. 
+# POST /volumes/{volume_id}/action (os-reserve) +"volume_extension:volume_actions:reserve": "rule:admin_or_owner" + +# Unmark volume as reserved. +# POST /volumes/{volume_id}/action (os-unreserve) +"volume_extension:volume_actions:unreserve": "rule:admin_or_owner" + +# Begin detach volumes. +# POST /volumes/{volume_id}/action (os-begin_detaching) +"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner" + +# Add attachment metadata. +# POST /volumes/{volume_id}/action (os-attach) +"volume_extension:volume_actions:attach": "rule:admin_or_owner" + +# Clear attachment metadata. +# POST /volumes/{volume_id}/action (os-detach) +"volume_extension:volume_actions:detach": "rule:admin_or_owner" + +# List volume transfer. +# GET /os-volume-transfer +# GET /os-volume-transfer/detail +# GET /volume_transfers +# GET /volume-transfers/detail +"volume:get_all_transfers": "rule:admin_or_owner" + +# Create a volume transfer. +# POST /os-volume-transfer +# POST /volume_transfers +"volume:create_transfer": "rule:admin_or_owner" + +# Show one specified volume transfer. +# GET /os-volume-transfer/{transfer_id} +# GET /volume-transfers/{transfer_id} +"volume:get_transfer": "rule:admin_or_owner" + +# Accept a volume transfer. +# POST /os-volume-transfer/{transfer_id}/accept +# POST /volume-transfers/{transfer_id}/accept +"volume:accept_transfer": "" + +# Delete volume transfer. +# DELETE /os-volume-transfer/{transfer_id} +# DELETE /volume-transfers/{transfer_id} +"volume:delete_transfer": "rule:admin_or_owner" + +# Show volume's metadata or one specified metadata with a given key. +# GET /volumes/{volume_id}/metadata +# GET /volumes/{volume_id}/metadata/{key} +"volume:get_volume_metadata": "rule:admin_or_owner" + +# Create volume metadata. +# POST /volumes/{volume_id}/metadata +"volume:create_volume_metadata": "rule:admin_or_owner" + +# Update volume's metadata or one specified metadata with a given key. 
+# PUT /volumes/{volume_id}/metadata +# PUT /volumes/{volume_id}/metadata/{key} +"volume:update_volume_metadata": "rule:admin_or_owner" + +# Delete volume's specified metadata with a given key. +# DELETE /volumes/{volume_id}/metadata/{key} +"volume:delete_volume_metadata": "rule:admin_or_owner" + +# Volume's image metadata related operation, create, delete, show and +# list. +# GET /volumes/detail +# GET /volumes/{volume_id} +# POST /volumes/{volume_id}/action (os-set_image_metadata) +# POST /volumes/{volume_id}/action (os-unset_image_metadata) +"volume_extension:volume_image_metadata": "rule:admin_or_owner" + +# Update volume admin metadata. It's used in `attach` and `os- +# update_readonly_flag` APIs +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +# POST /volumes/{volume_id}/action (os-attach) +"volume:update_volume_admin_metadata": "rule:admin_api" + +# List type extra specs. +# GET /types/{type_id}/extra_specs +"volume_extension:types_extra_specs:index": "rule:admin_api" + +# Create type extra specs. +# POST /types/{type_id}/extra_specs +"volume_extension:types_extra_specs:create": "rule:admin_api" + +# Show one specified type extra specs. +# GET /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:show": "rule:admin_api" + +# Update type extra specs. +# PUT /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:update": "rule:admin_api" + +# Delete type extra specs. +# DELETE /types/{type_id}/extra_specs/{extra_spec_key} +"volume_extension:types_extra_specs:delete": "rule:admin_api" + +# Create volume. +# POST /volumes +"volume:create": "" + +# Create volume from image. +# POST /volumes +"volume:create_from_image": "" + +# Show volume. +# GET /volumes/{volume_id} +"volume:get": "rule:admin_or_owner" + +# List volumes or get summary of volumes. 
+# GET /volumes +# GET /volumes/detail +# GET /volumes/summary +"volume:get_all": "rule:admin_or_owner" + +# Update volume or update a volume's bootable status. +# PUT /volumes +# POST /volumes/{volume_id}/action (os-set_bootable) +"volume:update": "rule:admin_or_owner" + +# Delete volume. +# DELETE /volumes/{volume_id} +"volume:delete": "rule:admin_or_owner" + +# Force Delete a volume. +# DELETE /volumes/{volume_id} +"volume:force_delete": "rule:admin_api" + +# List or show volume with host attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +"volume_extension:volume_host_attribute": "rule:admin_api" + +# List or show volume with tenant attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +"volume_extension:volume_tenant_attribute": "rule:admin_or_owner" + +# List or show volume with migration status attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +"volume_extension:volume_mig_status_attribute": "rule:admin_api" + +# Show volume's encryption metadata. +# GET /volumes/{volume_id}/encryption +# GET /volumes/{volume_id}/encryption/{encryption_key} +"volume_extension:volume_encryption_metadata": "rule:admin_or_owner" + +# Create multiattach capable volume. +# POST /volumes +"volume:multiattach": "rule:admin_or_owner" + diff --git a/services/glance/stock-policy.yaml b/services/glance/stock-policy.yaml new file mode 100644 index 0000000..08026b4 --- /dev/null +++ b/services/glance/stock-policy.yaml 
@@ -0,0 +1,50 @@ +--- +context_is_admin: role:admin +default: role:admin +add_image: '' +delete_image: '' +get_image: '' +get_images: '' +modify_image: '' +publicize_image: role:admin +communitize_image: '' +copy_from: '' +download_image: '' +upload_image: '' +delete_image_location: '' +get_image_location: '' +set_image_location: '' +add_member: '' +delete_member: '' +get_member: '' +get_members: '' +modify_member: '' +manage_image_cache: role:admin +get_task: '' +get_tasks: '' +add_task: '' +modify_task: '' +tasks_api_access: role:admin +deactivate: '' +reactivate: '' +get_metadef_namespace: '' +get_metadef_namespaces: '' +modify_metadef_namespace: '' +add_metadef_namespace: '' +get_metadef_object: '' +get_metadef_objects: '' +modify_metadef_object: '' +add_metadef_object: '' +list_metadef_resource_types: '' +get_metadef_resource_type: '' +add_metadef_resource_type_association: '' +get_metadef_property: '' +get_metadef_properties: '' +modify_metadef_property: '' +add_metadef_property: '' +get_metadef_tag: '' +get_metadef_tags: '' +modify_metadef_tag: '' +add_metadef_tag: '' +add_metadef_tags: '' + diff --git a/services/neutron/stock-policy.yaml b/services/neutron/stock-policy.yaml new file mode 100644 index 0000000..5f37c69 --- /dev/null +++ b/services/neutron/stock-policy.yaml 
@@ -0,0 +1,671 @@
+# Rule for cloud admin access
+"context_is_admin": "role:admin"
+
+# Rule for resource owner access
+"owner": "tenant_id:%(tenant_id)s"
+
+# Rule for admin or owner access
+"admin_or_owner": "rule:context_is_admin or rule:owner"
+
+# Rule for advsvc role access
+"context_is_advsvc": "role:advsvc"
+
+# Rule for admin or network owner access
+"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
+
+# Rule for resource owner, admin or network owner access
+"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
+
+# Rule only for admin access
+"admin_only": "rule:context_is_admin"
+
+# Rule for regular user access
+"regular_user": ""
+
+# Rule of shared network
+"shared": "field:networks:shared=True"
+
+# Default access rule
+"default": "rule:admin_or_owner"
+
+# Rule for common parent owner check
+"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
+
+# Rule of shared address scope
+"shared_address_scopes": "field:address_scopes:shared=True"
+
+# Access rule for creating address scope
+"create_address_scope": ""
+
+# Access rule for creating shared address scope
+"create_address_scope:shared": "rule:admin_only"
+
+# Access rule for getting address scope
+"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
+
+# Access rule for updating address scope
+"update_address_scope": "rule:admin_or_owner"
+
+# Access rule for updating shared attribute of address scope
+"update_address_scope:shared": "rule:admin_only"
+
+# Access rule for deleting address scope
+"delete_address_scope": "rule:admin_or_owner"
+
+# Access rule for getting agent
+"get_agent": "rule:admin_only"
+
+# Access rule for updating agent
+"update_agent": "rule:admin_only"
+
+# Access rule for deleting agent
+"delete_agent": "rule:admin_only"
+
+# Access rule for adding network to dhcp agent
+"create_dhcp-network": "rule:admin_only"
+
+# Access rule for listing networks on the dhcp agent
+"get_dhcp-networks": "rule:admin_only"
+
+# Access rule for removing network from dhcp agent
+"delete_dhcp-network": "rule:admin_only"
+
+# Access rule for adding router to l3 agent
+"create_l3-router": "rule:admin_only"
+
+# Access rule for listing routers on the l3 agent
+"get_l3-routers": "rule:admin_only"
+
+# Access rule for deleting router from l3 agent
+"delete_l3-router": "rule:admin_only"
+
+# Access rule for listing dhcp agents hosting the network
+"get_dhcp-agents": "rule:admin_only"
+
+# Access rule for listing l3 agents hosting the router
+"get_l3-agents": "rule:admin_only"
+
+# Access rule for getting lbaas agent hosting the pool
+"get_loadbalancer-agent": "rule:admin_only"
+
+# Access rule for listing pools on the lbaas agent
+"get_loadbalancer-pools": "rule:admin_only"
+
+# Access rule for listing loadbalancers on the lbaasv2 agent
+"get_agent-loadbalancers": "rule:admin_only"
+
+# Access rule for getting lbaasv2 agent hosting the loadbalancer
+"get_loadbalancer-hosting-agent": "rule:admin_only"
+
+# Access rule for getting a project's auto-allocated topology
+"get_auto_allocated_topology": "rule:admin_or_owner"
+
+# Access rule for deleting a project's auto-allocated topology
+"delete_auto_allocated_topology": "rule:admin_or_owner"
+
+# Access rule for creating network profile
+"create_network_profile": "rule:admin_only"
+
+# Access rule for listing network profiles
+"get_network_profiles": ""
+
+# Access rule for getting network profile
+"get_network_profile": ""
+
+# Access rule for updating network profile
+"update_network_profile": "rule:admin_only"
+
+# Access rule for deleting network profile
+"delete_network_profile": "rule:admin_only"
+
+# Access rule for listing policy profile
+"get_policy_profiles": ""
+
+# Access rule for getting policy prodile
+"get_policy_profile": ""
+
+# Access rule for updating policy profile
+"update_policy_profiles": "rule:admin_only"
+
+# Access rule for creating flavor
+"create_flavor": "rule:admin_only"
+
+# Access rule for listing flavors
+"get_flavors": "rule:regular_user"
+
+# Access rule for getting flavor
+"get_flavor": "rule:regular_user"
+
+# Access rule for updating flavor
+"update_flavor": "rule:admin_only"
+
+# Access rule for deleting flavor
+"delete_flavor": "rule:admin_only"
+
+# Access rule for creating service profile
+"create_service_profile": "rule:admin_only"
+
+# Access rule for listing service profiles
+"get_service_profiles": "rule:admin_only"
+
+# Access rule for getting service profile
+"get_service_profile": "rule:admin_only"
+
+# Access rule for updating service profile
+"update_service_profile": "rule:admin_only"
+
+# Access rule for deleting service profile
+"delete_service_profile": "rule:admin_only"
+
+# Access rule for associating flavor with service profile
+"create_flavor_service_profile": "rule:admin_only"
+
+# Access rule for disassociating flavor with service profile
+"delete_flavor_service_profile": "rule:admin_only"
+
+# Access rule for getting flavor associatingwith the given service
+# profiles
+"get_flavor_service_profile": "rule:regular_user"
+
+# Access rule for creating floating IP
+"create_floatingip": "rule:regular_user"
+
+# Access rule for creating floating IP with fixed floating IP address
+"create_floatingip:floating_ip_address": "rule:admin_only"
+
+# Access rule for getting floating IP
+"get_floatingip": "rule:admin_or_owner"
+
+# Access rule for updating floating IP
+"update_floatingip": "rule:admin_or_owner"
+
+# Access rule for deleting floating IP
+"delete_floatingip": "rule:admin_or_owner"
+
+# Access rule for creating floating IP port forwarding
+"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Access rule for getting floating IP port forwarding
+"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Access rule for getting floating IP port forwardings
+"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner"
+
+# Access rule for updating floating IP port forwarding
+"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Access rule for deleting floating IP port forwarding
+"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Access rule for getting loggable resources
+"get_loggable_resources": "rule:admin_only"
+
+# Access rule for creating network log
+"create_log": "rule:admin_only"
+
+# Access rule for getting network log
+"get_log": "rule:admin_only"
+
+# Access rule for getting network logs
+"get_logs": "rule:admin_only"
+
+# Access rule for updating network log
+"update_log": "rule:admin_only"
+
+# Access rule for deleting network log
+"delete_log": "rule:admin_only"
+
+# Access rule for creating metering label
+"create_metering_label": "rule:admin_only"
+
+# Access rule for getting metering label
+"get_metering_label": "rule:admin_only"
+
+# Access rule for deleting metering label
+"delete_metering_label": "rule:admin_only"
+
+# Access rule for creating metering label rule
+"create_metering_label_rule": "rule:admin_only"
+
+# Access rule for getting metering label rule
+"get_metering_label_rule": "rule:admin_only"
+
+# Access rule for deleting metering label rule
+"delete_metering_label_rule": "rule:admin_only"
+
+# Rule of external network
+"external": "field:networks:router:external=True"
+
+# Access rule for creating network
+"create_network": ""
+
+# Access rule for creating shared network
+"create_network:shared": "rule:admin_only"
+
+# Access rule for creating external network
+"create_network:router:external": "rule:admin_only"
+
+# Access rule for creating network with is_default
+"create_network:is_default": "rule:admin_only"
+
+# Access rule for creating network with segments
+"create_network:segments": "rule:admin_only"
+
+# Access rule for creating network with provider network_type
+"create_network:provider:network_type": "rule:admin_only"
+
+# Access rule for creating network with provider physical_network
+"create_network:provider:physical_network": "rule:admin_only"
+
+# Access rule for creating networkwith provider segmentation_id
+"create_network:provider:segmentation_id": "rule:admin_only"
+
+# Access rule for getting shared network
+"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
+
+# Access rule for getting external network
+"get_network:router:external": "rule:regular_user"
+
+# Access rule for getting segments of network
+"get_network:segments": "rule:admin_only"
+
+# Access rule for getting provider network_type of network
+"get_network:provider:network_type": "rule:admin_only"
+
+# Access rule for getting provider physical_network of network
+"get_network:provider:physical_network": "rule:admin_only"
+
+# Access rule for getting provider segmentation_id of network
+"get_network:provider:segmentation_id": "rule:admin_only"
+
+# Access rule for getting queue_id of network
+"get_network:queue_id": "rule:admin_only"
+
+# Access rule for updating network
+"update_network": "rule:admin_or_owner"
+
+# Access rule for updating segments of network
+"update_network:segments": "rule:admin_only"
+
+# Access rule for updating shared attribute of network
+"update_network:shared": "rule:admin_only"
+
+# Access rule for updating provider network_type of network
+"update_network:provider:network_type": "rule:admin_only"
+
+# Access rule for updating provider physical_network of network
+"update_network:provider:physical_network": "rule:admin_only"
+
+# Access rule for updating provider segmentation_id of network
+"update_network:provider:segmentation_id": "rule:admin_only"
+
+# Access rule for updating external attribute of network
+"update_network:router:external": "rule:admin_only"
+
+# Access rule for deleting network
+"delete_network": "rule:admin_or_owner"
+
+# Access rule for getting network IP availabilities
+"get_network_ip_availabilities": "rule:admin_only"
+
+# Access rule for getting network IP availability
+"get_network_ip_availability": "rule:admin_only"
+
+# Rule of port with network device_owner
+"network_device": "field:port:device_owner=~^network:"
+
+# Rule for data plane integration
+"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
+
+# Access rule for creating port
+"create_port": ""
+
+# Access rule for creating port with device_owner
+"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port with mac_address
+"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port with fixed_ips
+"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port specifying IP address in fixed_ips
+"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port specifying subnet ID in fixed_ips
+"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Access rule for creating port with port_security_enabled
+"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port with binging host_id
+"create_port:binding:host_id": "rule:admin_only"
+
+# Access rule for creating port with binding profile
+"create_port:binding:profile": "rule:admin_only"
+
+# Access rule for creating portwith mac_learning_enabled attribute
+"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for creating port with allowed_address_pairs attribute
+"create_port:allowed_address_pairs": "rule:admin_or_network_owner"
+
+# Access rule for getting port
+"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
+
+# Access rule for getting queue_id of port
+"get_port:queue_id": "rule:admin_only"
+
+# Access rule for getting binding vif_type of port
+"get_port:binding:vif_type": "rule:admin_only"
+
+# Access rule for getting binding vif_details of port
+"get_port:binding:vif_details": "rule:admin_only"
+
+# Access rule for getting binding vnic_type of port
+"get_port:binding:vnic_type": "rule:admin_or_owner"
+
+# Access rule for getting binding host_id of port
+"get_port:binding:host_id": "rule:admin_only"
+
+# Access rule for getting binding profile of port
+"get_port:binding:profile": "rule:admin_only"
+
+# Access rule for updating port
+"update_port": "rule:admin_or_owner or rule:context_is_advsvc"
+
+# Access rule for updating device_owner of port
+"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for updating mac_address of port
+"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
+
+# Access rule for updating fixed_ips of port
+"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for updating port specifying IP address in fixed_ips
+"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for updating port specifying subnet ID in fixed_ips
+"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Access rule for updating port_security_enabled of port
+"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for updating binding host_id of port
+"update_port:binding:host_id": "rule:admin_only"
+
+# Access rule for updating binding profile of port
+"update_port:binding:profile": "rule:admin_only"
+
+# Access rule for updating mac_learning_enabled of port
+"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Access rule for updating allowed_address_pairs of port
+"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
+
+# Access rule for updating data_plane_status of port
+"update_port:data_plane_status": "rule:admin_or_data_plane_int"
+
+# Access rule for deleting port
+"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
+
+# Access rule for getting qos policy
+"get_policy": "rule:regular_user"
+
+# Access rule for creating qos policy
+"create_policy": "rule:admin_only"
+
+# Access rule for updating qos policy
+"update_policy": "rule:admin_only"
+
+# Access rule for deleting qos policy
+"delete_policy": "rule:admin_only"
+
+# Access rule for getting all available qos rule types
+"get_rule_type": "rule:regular_user"
+
+# Access rule for getting qos bandwidth limit rule
+"get_policy_bandwidth_limit_rule": "rule:regular_user"
+
+# Access rule for creating qos bandwidth limit rule
+"create_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Access rule for updatingqos bandwidth limit rule
+"update_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Access rule for deletingqos bandwidth limit rule
+"delete_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Access rule for getting qos dscp marking rule
+"get_policy_dscp_marking_rule": "rule:regular_user"
+
+# Access rule for creating qos dscp marking rule
+"create_policy_dscp_marking_rule": "rule:admin_only"
+
+# Access rule for updating qos dscp marking rule
+"update_policy_dscp_marking_rule": "rule:admin_only"
+
+# Access rule for deleting qos dscp marking rule
+"delete_policy_dscp_marking_rule": "rule:admin_only"
+
+# Access rule for getting qos minimum bandwidth rule
+"get_policy_minimum_bandwidth_rule": "rule:regular_user"
+
+# Access rule for creating qos minimum bandwidth rule
+"create_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Access rule for updating qos minimum bandwidth rule
+"update_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Access rule for deleting qos minimum bandwidth rule
+"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Rule of restrict wildcard
+"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+
+# Access rule for creating rbac policy
+"create_rbac_policy": ""
+
+# Access rule for creating rbac policy with special target tenant
+"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
+
+# Access rule for updating rbac policy
+"update_rbac_policy": "rule:admin_or_owner"
+
+# Access rule for updating target_tenant attribute of rbac policy
+"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
+
+# Access rule for getting rbac policy
+"get_rbac_policy": "rule:admin_or_owner"
+
+# Access rule for deleting rbac policy
+"delete_rbac_policy": "rule:admin_or_owner"
+
+# Access rule for creating router
+"create_router": "rule:regular_user"
+
+# Access rule for creating router with distributed attribute
+"create_router:distributed": "rule:admin_only"
+
+# Access rule for creating router with ha attribute
+"create_router:ha": "rule:admin_only"
+
+# Access rule for creating router with external_gateway_info
+# information
+"create_router:external_gateway_info": "rule:admin_or_owner"
+
+# Access rule for creating router with external_gateway_info
+# network_id attribute
+"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Access rule for creating router with external_gateway_info
+# enable_snat attribute
+"create_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Access rule for creating router with external_gateway_info
+# external_fixed_ips attribute
+"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Access rule for getting router
+"get_router": "rule:admin_or_owner"
+
+# Access rule for getting ha attribute of router
+"get_router:ha": "rule:admin_only"
+
+# Access rule for getting distributed attribute of router
+"get_router:distributed": "rule:admin_only"
+
+# Access rule for updating router
+"update_router": "rule:admin_or_owner"
+
+# Access rule for updating distributed attribute of router
+"update_router:distributed": "rule:admin_only"
+
+# Access rule for updating ha attribute of router
+"update_router:ha": "rule:admin_only"
+
+# Access rule for updating external_gateway_info information of router
+"update_router:external_gateway_info": "rule:admin_or_owner"
+
+# Access rule for updating external_gateway_info network_id attribute
+# of router
+"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Access rule for updating external_gateway_info enable_snat attribute
+# of router
+"update_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Access rule for updating external_gateway_info external_fixed_ips
+# attribute of router
+"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Access rule for deleting router
+"delete_router": "rule:admin_or_owner"
+
+# Access rule for adding router interface
+"add_router_interface": "rule:admin_or_owner"
+
+# Access rule for removing router interface
+"remove_router_interface": "rule:admin_or_owner"
+
+# Access rule for creating security group
+"create_security_group": "rule:admin_or_owner"
+
+# Access rule for getting security group
+"get_security_group": "rule:admin_or_owner"
+
+# Access rule for getting security groups
+"get_security_groups": "rule:admin_or_owner"
+
+# Access rule for updating security group
+"update_security_group": "rule:admin_or_owner"
+
+# Access rule for deleting security group
+"delete_security_group": "rule:admin_or_owner"
+
+# Access rule for creating security group rule
+"create_security_group_rule": "rule:admin_or_owner"
+
+# Access rule for getting security group rule
+"get_security_group_rule": "rule:admin_or_owner"
+
+# Access rule for getting security groups rules
+"get_security_group_rules": "rule:admin_or_owner"
+
+# Access rule for deleting security group rule
+"delete_security_group_rule": "rule:admin_or_owner"
+
+# Access rule for creating segment
+"create_segment": "rule:admin_only"
+
+# Access rule for getting segment
+"get_segment": "rule:admin_only"
+
+# Access rule for updating segment
+"update_segment": "rule:admin_only"
+
+# Access rule for deleting segment
+"delete_segment": "rule:admin_only"
+
+# Access rule for listing all service providers
+"get_service_provider": "rule:regular_user"
+
+# Access rule for creating subnet
+"create_subnet": "rule:admin_or_network_owner"
+
+# Access rule for creating subnet with segment_id
+"create_subnet:segment_id": "rule:admin_only"
+
+# Access rule for creating subnet with service_type
+"create_subnet:service_types": "rule:admin_only"
+
+# Access rule for getting subnet
+"get_subnet": "rule:admin_or_owner or rule:shared"
+
+# Access rule for getting segment_id of subnet
+"get_subnet:segment_id": "rule:admin_only"
+
+# Access rule for updating subnet
+"update_subnet": "rule:admin_or_network_owner"
+
+# Access rule for updating service_types of subnet
+"update_subnet:service_types": "rule:admin_only"
+
+# Access rule for deleting subnet
+"delete_subnet": "rule:admin_or_network_owner"
+
+# Rule of shared subnetpool
+"shared_subnetpools": "field:subnetpools:shared=True"
+
+# Access rule for creating subnetpool
+"create_subnetpool": ""
+
+# Access rule for creating shared subnetpool
+"create_subnetpool:shared": "rule:admin_only"
+
+# Access rule for creating subnetpool with is_default
+"create_subnetpool:is_default": "rule:admin_only"
+
+# Access rule for getting subnetpool
+"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
+
+# Access rule for updating subnetpool
+"update_subnetpool": "rule:admin_or_owner"
+
+# Access rule for updating is_default of subnetpool
+"update_subnetpool:is_default": "rule:admin_only"
+
+# Access rule for deleting subnetpool
+"delete_subnetpool": "rule:admin_or_owner"
+
+# Access rule for creating trunk port
+"create_trunk": "rule:regular_user"
+
+# Access rule for getting trunk port
+"get_trunk": "rule:admin_or_owner"
+
+# Access rule for deleting trunk port
+"delete_trunk": "rule:admin_or_owner"
+
+# Access rule for listing subports attached to trunk
+"get_subports": ""
+
+# Access rule for adding subports to the trunk
+"add_subports": "rule:admin_or_owner"
+
+# Access rule for deleting subports from the trunk
+"remove_subports": "rule:admin_or_owner"
+
+# Access rule for creating lsn
+"create_lsn": "rule:admin_only"
+
+# Access rule for getting lsn
+"get_lsn": "rule:admin_only"
+
+# Access rule for creating qos queue
+"create_qos_queue": "rule:admin_only"
+
+# Access rule for getting qos queue
+"get_qos_queue": "rule:admin_only"
+
From 119fd85234c5dd69b797ca6f7706b3af5960c900 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Apr 29 2019 17:25:11 +0000 Subject: [PATCH 3/5] Stock files for heat, empty stock filesfor aodh, gnocchi manila and panko
---
diff --git a/services/aodh/stock-policy.yaml b/services/aodh/stock-policy.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/services/aodh/stock-policy.yaml
@@ -0,0 +1 @@
+---
diff --git a/services/gnocchi/stock-policy.yaml b/services/gnocchi/stock-policy.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/services/gnocchi/stock-policy.yaml
@@ -0,0 +1 @@
+---
diff --git a/services/heat/stock-policy.yaml b/services/heat/stock-policy.yaml
new file mode 100644
index 0000000..1835501
--- /dev/null
+++ b/services/heat/stock-policy.yaml
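Review bot: The file records `"default": "rule:admin_or_owner"` near the top, so any policy target that is absent from this snapshot silently resolves to admin-or-owner at evaluation time; combined with the missing provenance, a later diff that shows a target being added to the hardened policy cannot be told apart from a target that simply did not exist in the Neutron release these defaults came from (for example the `*_floatingip_port_forwarding`, `*_log` and `*_policy_*_rule` entries only exist in newer releases). A one-line header before `# Rule for cloud admin access`, such as `# Stock Neutron policy defaults, presumably emitted by oslopolicy-sample-generator; record the Neutron release/commit and treat missing targets as rule:default.`, would give the reader that context. The release and the generator cannot be determined from the hunk, so both are hedged here and need confirming by the author. Everything else in the hunk is upstream text, including the upstream typos in a few comments, and should stay byte-for-byte so that future regenerations diff cleanly.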
@@ -0,0 +1,75 @@
+---
+context_is_admin: role:admin
+deny_stack_user: not role:heat_stack_user
+deny_everybody: "!"
+cloudformation:ListStacks: rule:deny_stack_user
+cloudformation:CreateStack: rule:deny_stack_user
+cloudformation:DescribeStacks: rule:deny_stack_user
+cloudformation:DeleteStack: rule:deny_stack_user
+cloudformation:UpdateStack: rule:deny_stack_user
+cloudformation:CancelUpdateStack: rule:deny_stack_user
+cloudformation:DescribeStackEvents: rule:deny_stack_user
+cloudformation:ValidateTemplate: rule:deny_stack_user
+cloudformation:GetTemplate: rule:deny_stack_user
+cloudformation:EstimateTemplateCost: rule:deny_stack_user
+cloudformation:DescribeStackResource: ''
+cloudformation:DescribeStackResources: rule:deny_stack_user
+cloudformation:ListStackResources: rule:deny_stack_user
+cloudwatch:DeleteAlarms: rule:deny_stack_user
+cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
+cloudwatch:DescribeAlarms: rule:deny_stack_user
+cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
+cloudwatch:DisableAlarmActions: rule:deny_stack_user
+cloudwatch:EnableAlarmActions: rule:deny_stack_user
+cloudwatch:GetMetricStatistics: rule:deny_stack_user
+cloudwatch:ListMetrics: rule:deny_stack_user
+cloudwatch:PutMetricAlarm: rule:deny_stack_user
+cloudwatch:PutMetricData: ''
+cloudwatch:SetAlarmState: rule:deny_stack_user
+actions:action: rule:deny_stack_user
+build_info:build_info: rule:deny_stack_user
+events:index: rule:deny_stack_user
+events:show: rule:deny_stack_user
+resource:index: rule:deny_stack_user
+resource:metadata: ''
+resource:signal: ''
+resource:show: rule:deny_stack_user
+stacks:abandon: rule:deny_stack_user
+stacks:create: rule:deny_stack_user
+stacks:delete: rule:deny_stack_user
+stacks:detail: rule:deny_stack_user
+stacks:generate_template: rule:deny_stack_user
+stacks:global_index: rule:deny_everybody
+stacks:index: rule:deny_stack_user
+stacks:list_resource_types: rule:deny_stack_user
+stacks:list_template_versions: rule:deny_stack_user
+stacks:list_template_functions: rule:deny_stack_user
+stacks:lookup: ''
+stacks:preview: rule:deny_stack_user
+stacks:resource_schema: rule:deny_stack_user
+stacks:show: rule:deny_stack_user
+stacks:template: rule:deny_stack_user
+stacks:update: rule:deny_stack_user
+stacks:update_patch: rule:deny_stack_user
+stacks:preview_update: rule:deny_stack_user
+stacks:preview_update_patch: rule:deny_stack_user
+stacks:validate_template: rule:deny_stack_user
+stacks:snapshot: rule:deny_stack_user
+stacks:show_snapshot: rule:deny_stack_user
+stacks:delete_snapshot: rule:deny_stack_user
+stacks:list_snapshots: rule:deny_stack_user
+stacks:restore_snapshot: rule:deny_stack_user
+software_configs:global_index: rule:deny_everybody
+software_configs:index: rule:deny_stack_user
+software_configs:create: rule:deny_stack_user
+software_configs:show: rule:deny_stack_user
+software_configs:delete: rule:deny_stack_user
+software_deployments:index: rule:deny_stack_user
+software_deployments:create: rule:deny_stack_user
+software_deployments:show: rule:deny_stack_user
+software_deployments:update: rule:deny_stack_user
+software_deployments:delete: rule:deny_stack_user
+software_deployments:metadata: ''
+service:index: rule:context_is_admin
+resource_types:OS::Nova::Flavor: rule:context_is_admin
+
diff --git a/services/manila/stock-policy.yaml b/services/manila/stock-policy.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/services/manila/stock-policy.yaml
@@ -0,0 +1 @@
+---
diff --git a/services/panko/stock-policy.yaml b/services/panko/stock-policy.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/services/panko/stock-policy.yaml
@@ -0,0 +1 @@
+---
From 48de4cb6fefc0844f126a9f97c686a3c4b4120e7 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Apr 29 2019 17:25:11 +0000 Subject: [PATCH 4/5] Function to show diff from stock
---
diff --git a/tests/functions b/tests/functions
index c88543c..69c7a75 100755
--- a/tests/functions
+++ b/tests/functions
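Review bot: The six targets written as `''` — `cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `resource:metadata`, `resource:signal`, `stacks:lookup` and `software_deployments:metadata` — are the only ones in this file not gated by `rule:deny_stack_user`, so they are presumably the API surface reachable with the `heat_stack_user` credentials Heat hands to instances, and nothing in the file says so. That makes them the lines a hardening diff against this snapshot must not tighten blindly, and also the ones a reviewer of a compromised-instance scenario wants to find quickly. A comment after `deny_everybody: "!"`, e.g. `# Targets left as '' are deliberately reachable by role:heat_stack_user (in-instance credentials); all others exclude it.`, would record that. Whether every one of those six is intentionally open cannot be confirmed from the hunk and should be checked against the upstream Heat policy the file was captured from.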
@@ -72,6 +72,19 @@ show_diff(){
 done
 }
+show_diff_from_stock(){
+ REPO_DIR=/opt/stack/openstack-access-policy
+
+ for ACCESS in $( list_tokens )
+ do
+ for SERVICE in $( ls $REPO_DIR/build/etc/ )
+ do
+ diff -ud \
+ $REPO_DIR/tests/$ACCESS/$SERVICE.stock \
+ $REPO_DIR/tests/$ACCESS/$SERVICE.current;
+ done
+ done
+}
 list_tokens(){
 echo auth_token_admin auth_token_member auth_token_auditor
 }
From 18a8afcef8c561c2d01fab10501c5decdd5a373c Mon Sep 17 00:00:00 2001 From: Adam Young Date: Apr 29 2019 17:25:11 +0000 Subject: [PATCH 5/5] Updated with stock values for gnocchi
---
diff --git a/services/gnocchi/stock-policy.yaml b/services/gnocchi/stock-policy.yaml
index ed97d53..456479d 100644
--- a/services/gnocchi/stock-policy.yaml
+++ b/services/gnocchi/stock-policy.yaml
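Review bot: `REPO_DIR=/opt/stack/openstack-access-policy` is hard-coded inside `show_diff_from_stock`, so the function only works on a checkout at that devstack-style path, and every `$REPO_DIR` expansion is unquoted, so a path containing whitespace is word-split; `REPO_DIR=${REPO_DIR:-/opt/stack/openstack-access-policy}` plus `"$REPO_DIR"` in the three uses fixes both without changing the default. The `.stock` inputs are never checked for existence, so a service that has no stock capture just makes `diff` print an error and the loop carries on, which is easy to miss in a long run; a `[ -f "$REPO_DIR/tests/$ACCESS/$SERVICE.stock" ] || { echo "missing stock for $ACCESS/$SERVICE" >&2; continue; }` before the diff would make the gap visible. Parsing `ls` for `SERVICE` works for the simple directory names seen here but `for SERVICE_DIR in "$REPO_DIR"/build/etc/*/` with `basename` is the safer idiom. The surrounding `show_diff` function begins before the hunk; only its closing lines are visible as context.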
@@ -1 +1,35 @@
 ---
+admin_or_creator: role:admin or user:%(creator)s or project_id:%(created_by_project_id)s
+resource_owner: project_id:%(project_id)s
+metric_owner: project_id:%(resource.project_id)s
+get status: role:admin
+create resource: ''
+get resource: rule:admin_or_creator or rule:resource_owner
+update resource: rule:admin_or_creator
+delete resource: rule:admin_or_creator
+delete resources: rule:admin_or_creator
+list resource: rule:admin_or_creator or rule:resource_owner
+search resource: rule:admin_or_creator or rule:resource_owner
+create resource type: role:admin
+delete resource type: role:admin
+update resource type: role:admin
+list resource type: ''
+get resource type: ''
+get archive policy: ''
+list archive policy: ''
+create archive policy: role:admin
+update archive policy: role:admin
+delete archive policy: role:admin
+create archive policy rule: role:admin
+get archive policy rule: ''
+list archive policy rule: ''
+update archive policy rule: role:admin
+delete archive policy rule: role:admin
+create metric: ''
+delete metric: rule:admin_or_creator
+get metric: rule:admin_or_creator or rule:metric_owner
+search metric: rule:admin_or_creator or rule:metric_owner
+list metric: rule:admin_or_creator or rule:metric_owner
+get measures: rule:admin_or_creator or rule:metric_owner
+post measures: rule:admin_or_creator
+
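Review bot: `admin_or_creator` matches on `project_id:%(created_by_project_id)s` as well as `user:%(creator)s`, so `update resource`, `delete resource`, `delete resources`, `delete metric` and `post measures` are open to every member of the project that created the object, not only to the creating user, while `resource_owner` and `metric_owner` separately grant read access to the project the resource is attributed to. That distinction is the one thing a hardening diff against this file will need to reason about, and unlike the other stock files in this series the Gnocchi one carries no comment on any rule. A comment on the first rule, `# admin_or_creator: admin, the creating user, or ANY user of the creating project (not the project the resource belongs to)`, would make it explicit; whether the `user:` check compares against a bare user id or a composite creator string cannot be confirmed from the hunk and should be verified against the Gnocchi release this was captured from. The unquoted, space-containing keys such as `get status` are valid YAML, but quoting them would match the style of the sibling stock files.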