authorSean Pryor <spryor@redhat.com>2017-11-15 13:07:37 -0500
committerSean Pryor <spryor@redhat.com>2017-11-15 13:07:37 -0500
commit00fd19b7012d837c555217fc1440b1207f8a1cbd (patch)
treef4ce7c2da526597451b2637467b1d708988a38c6
parent204b1f4c148f689145e859bb77b00f6e45ae8159 (diff)
Draft of Glance policy
Change-Id: I97c1227e39b77705703a17d3928882c488f49c91
-rw-r--r--etc/glance/policy.json96
1 files changed, 51 insertions, 45 deletions
diff --git a/etc/glance/policy.json b/etc/glance/policy.json
index 0a058c1..161ee6c 100644
--- a/etc/glance/policy.json
+++ b/etc/glance/policy.json
@@ -1,27 +1,33 @@
{
- "context_is_admin": "role:admin",
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
+ "global_readonly": "(role:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
"default": "role:admin",
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
+ "add_image": "rule:admin or rule:member",
+ "delete_image": "rule:admin or rule:member or rule:owner",
+ "get_image": "rule:admin or rule:member or rule:readonly",
+ "get_images": "rule:admin or rule:member or rule:readonly",
+ "modify_image": "rule:admin or rule:member",
+ "publicize_image": "rule:admin",
+ "copy_from": "rule:admin or rule:member",
- "download_image": "",
- "upload_image": "",
+ "download_image": "rule:admin or rule:member",
+ "upload_image": "rule:admin or rule:member",
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
+ "delete_image_location": "rule:admin or rule:member",
+ "get_image_location": "rule:admin or rule:member",
+ "set_image_location": "rule:admin or rule:member",
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
+ "add_member": "rule:admin or rule:member",
+ "delete_member": "rule:admin or rule:member",
+ "get_member": "rule:admin or rule:member or rule:readonly",
+ "get_members": "rule:admin or rule:member or rule:readonly",
+ "modify_member": "rule:admin or rule:member",
"manage_image_cache": "role:admin",
@@ -30,32 +36,32 @@
"add_task": "role:admin",
"modify_task": "role:admin",
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
+ "deactivate": "rule:admin or rule:member",
+ "reactivate": "rule:admin or rule:member",
+
+ "get_metadef_namespace": "rule:admin or rule:member or rule:readonly",
+ "get_metadef_namespaces":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_namespace":"rule:admin or rule:member",
+ "add_metadef_namespace":"rule:admin or rule:member",
+
+ "get_metadef_object":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_objects":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_object":"rule:admin or rule:member",
+ "add_metadef_object":"rule:admin or rule:member",
+
+ "list_metadef_resource_types":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_resource_type":"rule:admin or rule:member or rule:readonly",
+ "add_metadef_resource_type_association":"rule:admin or rule:member",
+
+ "get_metadef_property":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_properties":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_property":"rule:admin or rule:member",
+ "add_metadef_property":"rule:admin or rule:member",
+
+ "get_metadef_tag":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_tags":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tags":"rule:admin or rule:member"
}
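Review bot: Every metadef rule in this hunk resolves through the `member` and `readonly` aliases, which compare `project_id:%(project_id)s` against the enforcement target, and nothing on this page shows that Glance supplies a `project_id` key for metadef (or image) targets. If the target is empty or keyed by `owner` instead, the substitution fails, oslo.policy treats the check as not matched, and only `rule:admin` ever passes. That fails closed, but it would make the member and readonly roles ineffective without any error. I would verify each rule with a non-admin member token and a readonly token before this leaves draft. For consistency, the context lines `add_task` and `modify_task` still use the bare `role:admin` and so skip the `is_admin:True` branch of the new alias; I would change them to `"add_task": "rule:admin"` and `"modify_task": "rule:admin"`.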