authorSean Pryor <spryor@redhat.com>2017-11-17 17:09:37 -0500
committerSean Pryor <spryor@redhat.com>2017-11-17 17:09:37 -0500
commit3c70bb60c1c30fbb4fce5ae4f9b87d1d6ff65593 (patch)
tree2845d5282af8c852acb8c4842a396f5867288004
parentcd1216c05a44a7819ee60c73ebd71899df7fbaf4 (diff)
Untested drafts of modifications to all other policies
Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246
-rw-r--r--etc/aodh/policy.json34
-rw-r--r--etc/ceilometer/policy.json27
-rw-r--r--etc/heat/policy.json97
-rw-r--r--etc/keystone/policy.json2
-rw-r--r--etc/manila/policy.json125
-rw-r--r--etc/mistral/policy.json107
-rw-r--r--etc/sahara/policy.json126
-rw-r--r--etc/zaqar/policy.json93
8 files changed, 370 insertions, 241 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index 4fd873e..444f1d5 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -1,20 +1,26 @@
{
- "context_is_admin": "role:admin",
- "segregation": "rule:context_is_admin",
- "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
- "telemetry:get_alarm": "rule:admin_or_owner",
- "telemetry:get_alarms": "rule:admin_or_owner",
- "telemetry:query_alarm": "rule:admin_or_owner",
+ "segregation": "rule:admin",
- "telemetry:create_alarm": "",
- "telemetry:change_alarm": "rule:admin_or_owner",
- "telemetry:delete_alarm": "rule:admin_or_owner",
+ "default": "rule:admin or rule:member",
- "telemetry:get_alarm_state": "rule:admin_or_owner",
- "telemetry:change_alarm_state": "rule:admin_or_owner",
+ "telemetry:get_alarm": "rule:admin or rule:member",
+ "telemetry:get_alarms": "rule:admin or rule:member",
+ "telemetry:query_alarm": "rule:admin or rule:member",
- "telemetry:alarm_history": "rule:admin_or_owner",
- "telemetry:query_alarm_history": "rule:admin_or_owner"
+ "telemetry:create_alarm": "rule:admin or rule: member",
+ "telemetry:change_alarm": "rule:admin or rule:member",
+ "telemetry:delete_alarm": "rule:admin or rule:member",
+
+ "telemetry:get_alarm_state": "rule:admin or rule:member",
+ "telemetry:change_alarm_state": "rule:admin or rule:member",
+
+ "telemetry:alarm_history": "rule:admin or rule:member",
+ "telemetry:query_alarm_history": "rule:admin or rule:member"
}
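Review bot: `"telemetry:create_alarm": "rule:admin or rule: member"` on the added line carries a stray space, so the check references a rule named " member" rather than `member`; the same typo is on every telemetry rule in the ceilometer hunk and on `share:create` in the first manila hunk. No rule of that name is defined anywhere in the diff, so the outcome depends on the enforcer's missing-rule handling: where a `default` rule exists it probably resolves to that, and in ceilometer, which defines no `default`, it most likely denies every non-admin caller on an API that was previously open to any authenticated user. The fix is `rule:member` throughout. Separately, `readonly`, `global_readonly` and `owner` are defined at the top of this file but never referenced: the read operations (`telemetry:get_alarm`, `telemetry:get_alarms`, `telemetry:query_alarm`, `telemetry:get_alarm_state`, `telemetry:alarm_history`, `telemetry:query_alarm_history`) are the natural place for `"rule:admin or rule:member or rule:readonly"`, and the same unreferenced-readonly gap exists in the ceilometer, heat, manila, mistral, sahara and zaqar hunks.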
diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json
index a5e836a..2b13529 100644
--- a/etc/ceilometer/policy.json
+++ b/etc/ceilometer/policy.json
@@ -1,18 +1,25 @@
{
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
"context_is_admin": "role:admin",
"segregation": "rule:context_is_admin",
- "telemetry:get_samples": "",
- "telemetry:get_sample": "",
- "telemetry:query_sample": "",
- "telemetry:create_samples": "",
+ "telemetry:get_samples": "rule:admin or rule: member",
+ "telemetry:get_sample": "rule:admin or rule: member",
+ "telemetry:query_sample": "rule:admin or rule: member",
+ "telemetry:create_samples": "rule:admin or rule: member",
- "telemetry:compute_statistics": "",
- "telemetry:get_meters": "",
+ "telemetry:compute_statistics": "rule:admin or rule: member",
+ "telemetry:get_meters": "rule:admin or rule: member",
- "telemetry:get_resource": "",
- "telemetry:get_resources": "",
+ "telemetry:get_resource": "rule:admin or rule: member",
+ "telemetry:get_resources": "rule:admin or rule: member",
- "telemetry:events:index": "",
- "telemetry:events:show": ""
+ "telemetry:events:index": "rule:admin or rule: member",
+ "telemetry:events:show": "rule:admin or rule: member"
}
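Review bot: `"context_is_admin": "role:admin"` and `"segregation": "rule:context_is_admin"` are kept as context lines beside the new `"admin": "(is_admin:True or role:admin)"`, so this file now carries two admin definitions that can drift apart; the aodh hunk resolves the same situation with `"segregation": "rule:admin"` and drops `context_is_admin`, and the heat and zaqar hunks leave the two-definition layout as well. Pick one model for all eight files: either `"segregation": "rule:admin"` here, or keep `context_is_admin` everywhere as the single source the service's `is_admin` derivation reads. A blank line after `"owner"` separates the shared block from the service rules here and in zaqar, but not in the aodh, manila, mistral or sahara hunks; since JSON has no comments, that blank line is the only visual cue that the first six rules are a shared template, so it is worth applying consistently.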
diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index c093f33..acb0d7e 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -1,3 +1,98 @@
{
- "context_is_admin": "role:admin","project_admin": "role:admin","deny_stack_user": "not role:heat_stack_user","deny_everybody": "!","cloudformation:ListStacks": "rule:deny_stack_user","cloudformation:CreateStack": "rule:deny_stack_user","cloudformation:DescribeStacks": "rule:deny_stack_user","cloudformation:DeleteStack": "rule:deny_stack_user","cloudformation:UpdateStack": "rule:deny_stack_user","cloudformation:CancelUpdateStack": "rule:deny_stack_user","cloudformation:DescribeStackEvents": "rule:deny_stack_user","cloudformation:ValidateTemplate": "rule:deny_stack_user","cloudformation:GetTemplate": "rule:deny_stack_user","cloudformation:EstimateTemplateCost": "rule:deny_stack_user","cloudformation:DescribeStackResource": "","cloudformation:DescribeStackResources": "rule:deny_stack_user","cloudformation:ListStackResources": "rule:deny_stack_user","cloudwatch:DeleteAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user","cloudwatch:DescribeAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user","cloudwatch:DisableAlarmActions": "rule:deny_stack_user","cloudwatch:EnableAlarmActions": "rule:deny_stack_user","cloudwatch:GetMetricStatistics": "rule:deny_stack_user","cloudwatch:ListMetrics": "rule:deny_stack_user","cloudwatch:PutMetricAlarm": "rule:deny_stack_user","cloudwatch:PutMetricData": "","cloudwatch:SetAlarmState": "rule:deny_stack_user","actions:action": "rule:deny_stack_user","build_info:build_info": "rule:deny_stack_user","events:index": "rule:deny_stack_user","events:show": "rule:deny_stack_user","resource:index": "rule:deny_stack_user","resource:metadata": "","resource:signal": "","resource:mark_unhealthy": "rule:deny_stack_user","resource:show": "rule:deny_stack_user","stacks:abandon": "rule:deny_stack_user","stacks:create": "rule:deny_stack_user","stacks:delete": "rule:deny_stack_user","stacks:detail": "rule:deny_stack_user","stacks:export": 
"rule:deny_stack_user","stacks:generate_template": "rule:deny_stack_user","stacks:global_index": "rule:deny_everybody","stacks:index": "rule:deny_stack_user","stacks:list_resource_types": "rule:deny_stack_user","stacks:list_template_versions": "rule:deny_stack_user","stacks:list_template_functions": "rule:deny_stack_user","stacks:lookup": "","stacks:preview": "rule:deny_stack_user","stacks:resource_schema": "rule:deny_stack_user","stacks:show": "rule:deny_stack_user","stacks:template": "rule:deny_stack_user","stacks:environment": "rule:deny_stack_user","stacks:files": "rule:deny_stack_user","stacks:update": "rule:deny_stack_user","stacks:update_patch": "rule:deny_stack_user","stacks:preview_update": "rule:deny_stack_user","stacks:preview_update_patch": "rule:deny_stack_user","stacks:validate_template": "rule:deny_stack_user","stacks:snapshot": "rule:deny_stack_user","stacks:show_snapshot": "rule:deny_stack_user","stacks:delete_snapshot": "rule:deny_stack_user","stacks:list_snapshots": "rule:deny_stack_user","stacks:restore_snapshot": "rule:deny_stack_user","stacks:list_outputs": "rule:deny_stack_user","stacks:show_output": "rule:deny_stack_user","software_configs:global_index": "rule:deny_everybody","software_configs:index": "rule:deny_stack_user","software_configs:create": "rule:deny_stack_user","software_configs:show": "rule:deny_stack_user","software_configs:delete": "rule:deny_stack_user","software_deployments:index": "rule:deny_stack_user","software_deployments:create": "rule:deny_stack_user","software_deployments:show": "rule:deny_stack_user","software_deployments:update": "rule:deny_stack_user","software_deployments:delete": "rule:deny_stack_user","software_deployments:metadata": "","service:index": "rule:context_is_admin","resource_types:OS::Nova::Flavor": "rule:project_admin","resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin","resource_types:OS::Cinder::VolumeType": "rule:project_admin","resource_types:OS::Cinder::Quota": 
"rule:project_admin","resource_types:OS::Manila::ShareType": "rule:project_admin","resource_types:OS::Neutron::QoSPolicy": "rule:project_admin","resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin","resource_types:OS::Nova::HostAggregate": "rule:project_admin","resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
+ "context_is_admin": "role:admin",
+ "project_admin": "role:admin",
+ "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
+
+ "cloudformation:ListStacks": "rule:deny_stack_user",
+ "cloudformation:CreateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStacks": "rule:deny_stack_user",
+ "cloudformation:DeleteStack": "rule:deny_stack_user",
+ "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+ "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+ "cloudformation:GetTemplate": "rule:deny_stack_user",
+ "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+ "cloudformation:DescribeStackResource": "",
+ "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+ "cloudformation:ListStackResources": "rule:deny_stack_user",
+ "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+ "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+ "cloudwatch:ListMetrics": "rule:deny_stack_user",
+ "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+ "cloudwatch:PutMetricData": "",
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+ "actions:action": "rule:deny_stack_user",
+ "build_info:build_info": "rule:deny_stack_user",
+ "events:index": "rule:deny_stack_user",
+ "events:show": "rule:deny_stack_user",
+ "resource:index": "rule:deny_stack_user",
+ "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
+ "resource:show": "rule:deny_stack_user",
+ "stacks:abandon": "rule:deny_stack_user",
+ "stacks:create": "rule:deny_stack_user",
+ "stacks:delete": "rule:deny_stack_user",
+ "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
+ "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
+ "stacks:index": "rule:deny_stack_user",
+ "stacks:list_resource_types": "rule:deny_stack_user",
+ "stacks:list_template_versions": "rule:deny_stack_user",
+ "stacks:list_template_functions": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
+ "stacks:resource_schema": "rule:deny_stack_user",
+ "stacks:show": "rule:deny_stack_user",
+ "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
+ "stacks:files": "rule:deny_stack_user",
+ "stacks:update": "rule:deny_stack_user",
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+ "service:index": "rule:context_is_admin",
+ "resource_types:OS::Nova::Flavor": "rule:project_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
+ "resource_types:OS::Cinder::Quota": "rule:project_admin",
+ "resource_types:OS::Manila::ShareType": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
+ "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
}
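Review bot: The six shared rules added at the top of the heat file (`global_readonly` through `owner`) are not referenced by any entry in this hunk; every operation still resolves to `deny_stack_user`, `deny_everybody`, `context_is_admin` or `project_admin`, so the hunk is a reformat of the old single-line file plus six dead definitions. If heat is meant to follow the model used in the other files, `"service:index": "rule:admin"` and `"project_admin": "rule:admin"` are the first entries to switch; if the heat rules are deliberately left as they were, the commit message should say so, because strict JSON gives no place for a comment. The entries left as `""` (`cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `resource:metadata`, `resource:signal`, `stacks:lookup`, `software_deployments:metadata`) still admit any authenticated caller including `heat_stack_user`, which is presumably deliberate for in-instance signalling and metadata but is worth stating explicitly given that the rest of the commit tightens defaults. The removed side (the single long line shown across three physical lines) is one diff line, not three.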
diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json
index 2c801c2..223a651 100644
--- a/etc/keystone/policy.json
+++ b/etc/keystone/policy.json
@@ -1,6 +1,6 @@
{
- "readonly": "(project_id:%(project_id)s and role:readonly)",
"global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
"_member_role": "(role:member or role:_member_)",
"member": "(project_id:%(project_id)s and rule:_member_role)",
"admin": "(is_admin:True or role:admin)",
diff --git a/etc/manila/policy.json b/etc/manila/policy.json
index d8188f6..a0b6df6 100644
--- a/etc/manila/policy.json
+++ b/etc/manila/policy.json
@@ -1,27 +1,30 @@
{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
- "admin_api": "is_admin:True",
+ "default": "rule:admin or rule:member",
"availability_zone:index": "rule:default",
- "quota_set:update": "rule:admin_api",
+ "quota_set:update": "rule:admin",
"quota_set:show": "rule:default",
- "quota_set:delete": "rule:admin_api",
+ "quota_set:delete": "rule:admin",
"quota_class_set:show": "rule:default",
- "quota_class_set:update": "rule:admin_api",
+ "quota_class_set:update": "rule:admin",
- "service:index": "rule:admin_api",
- "service:update": "rule:admin_api",
+ "service:index": "rule:admin",
+ "service:update": "rule:admin",
- "share:create": "",
+ "share:create": "rule:admin or rule: member",
"share:delete": "rule:default",
"share:get": "rule:default",
"share:get_all": "rule:default",
- "share:list_by_share_server_id": "rule:admin_api",
+ "share:list_by_share_server_id": "rule:admin",
"share:update": "rule:default",
"share:access_get": "rule:default",
"share:access_get_all": "rule:default",
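Review bot: `"context_is_admin": "role:admin"` is removed at the top of this hunk and nothing in the new file re-defines it; manila's context handling is outside this diff, but if it derives `is_admin` by enforcing the `context_is_admin` rule, as the retained rule in the ceilometer and zaqar hunks suggests these services do, the missing name would be resolved through the enforcer's default-rule fallback, and `default` is now `rule:admin or rule:member` — which would mark every project member as admin. Keeping `"context_is_admin": "role:admin"` alongside the new shared block closes that gap until the lookup is confirmed unused; the sahara hunk drops the same rule, and aodh drops it too although aodh retains `segregation`. The `admin_api` → `admin` rename in the remaining manila hunks also widens those checks from `is_admin:True` to `is_admin:True or role:admin`, which looks intended but deserves a sentence in the commit message.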
@@ -32,54 +35,54 @@
"share:get_share_metadata": "rule:default",
"share:delete_share_metadata": "rule:default",
"share:update_share_metadata": "rule:default",
- "share:migration_start": "rule:admin_api",
- "share:migration_complete": "rule:admin_api",
- "share:migration_cancel": "rule:admin_api",
- "share:migration_get_progress": "rule:admin_api",
- "share:reset_task_state": "rule:admin_api",
- "share:manage": "rule:admin_api",
- "share:unmanage": "rule:admin_api",
- "share:force_delete": "rule:admin_api",
- "share:reset_status": "rule:admin_api",
+ "share:migration_start": "rule:admin",
+ "share:migration_complete": "rule:admin",
+ "share:migration_cancel": "rule:admin",
+ "share:migration_get_progress": "rule:admin",
+ "share:reset_task_state": "rule:admin",
+ "share:manage": "rule:admin",
+ "share:unmanage": "rule:admin",
+ "share:force_delete": "rule:admin",
+ "share:reset_status": "rule:admin",
"share_export_location:index": "rule:default",
"share_export_location:show": "rule:default",
- "share_instance:index": "rule:admin_api",
- "share_instance:show": "rule:admin_api",
- "share_instance:force_delete": "rule:admin_api",
- "share_instance:reset_status": "rule:admin_api",
- "share_instance_export_location:index": "rule:admin_api",
- "share_instance_export_location:show": "rule:admin_api",
+ "share_instance:index": "rule:admin",
+ "share_instance:show": "rule:admin",
+ "share_instance:force_delete": "rule:admin",
+ "share_instance:reset_status": "rule:admin",
+ "share_instance_export_location:index": "rule:admin",
+ "share_instance_export_location:show": "rule:admin",
"share_snapshot:create_snapshot": "rule:default",
"share_snapshot:delete_snapshot": "rule:default",
"share_snapshot:get_snapshot": "rule:default",
"share_snapshot:get_all_snapshots": "rule:default",
"share_snapshot:snapshot_update": "rule:default",
- "share_snapshot:manage_snapshot": "rule:admin_api",
- "share_snapshot:unmanage_snapshot": "rule:admin_api",
- "share_snapshot:force_delete": "rule:admin_api",
- "share_snapshot:reset_status": "rule:admin_api",
+ "share_snapshot:manage_snapshot": "rule:admin",
+ "share_snapshot:unmanage_snapshot": "rule:admin",
+ "share_snapshot:force_delete": "rule:admin",
+ "share_snapshot:reset_status": "rule:admin",
- "share_snapshot_instance:detail": "rule:admin_api",
- "share_snapshot_instance:index": "rule:admin_api",
- "share_snapshot_instance:show": "rule:admin_api",
- "share_snapshot_instance:reset_status": "rule:admin_api",
+ "share_snapshot_instance:detail": "rule:admin",
+ "share_snapshot_instance:index": "rule:admin",
+ "share_snapshot_instance:show": "rule:admin",
+ "share_snapshot_instance:reset_status": "rule:admin",
"share_type:index": "rule:default",
"share_type:show": "rule:default",
"share_type:default": "rule:default",
- "share_type:create": "rule:admin_api",
- "share_type:delete": "rule:admin_api",
- "share_type:add_project_access": "rule:admin_api",
- "share_type:list_project_access": "rule:admin_api",
- "share_type:remove_project_access": "rule:admin_api",
-
- "share_types_extra_spec:create": "rule:admin_api",
- "share_types_extra_spec:update": "rule:admin_api",
- "share_types_extra_spec:show": "rule:admin_api",
- "share_types_extra_spec:index": "rule:admin_api",
- "share_types_extra_spec:delete": "rule:admin_api",
+ "share_type:create": "rule:admin",
+ "share_type:delete": "rule:admin",
+ "share_type:add_project_access": "rule:admin",
+ "share_type:list_project_access": "rule:admin",
+ "share_type:remove_project_access": "rule:admin",
+
+ "share_types_extra_spec:create": "rule:admin",
+ "share_types_extra_spec:update": "rule:admin",
+ "share_types_extra_spec:show": "rule:admin",
+ "share_types_extra_spec:index": "rule:admin",
+ "share_types_extra_spec:delete": "rule:admin",
"security_service:create": "rule:default",
"security_service:delete": "rule:default",
@@ -87,12 +90,12 @@
"security_service:show": "rule:default",
"security_service:index": "rule:default",
"security_service:detail": "rule:default",
- "security_service:get_all_security_services": "rule:admin_api",
+ "security_service:get_all_security_services": "rule:admin",
- "share_server:index": "rule:admin_api",
- "share_server:show": "rule:admin_api",
- "share_server:details": "rule:admin_api",
- "share_server:delete": "rule:admin_api",
+ "share_server:index": "rule:admin",
+ "share_server:show": "rule:admin",
+ "share_server:details": "rule:admin",
+ "share_server:delete": "rule:admin",
"share_network:create": "rule:default",
"share_network:delete": "rule:default",
@@ -102,21 +105,21 @@
"share_network:show": "rule:default",
"share_network:add_security_service": "rule:default",
"share_network:remove_security_service": "rule:default",
- "share_network:get_all_share_networks": "rule:admin_api",
+ "share_network:get_all_share_networks": "rule:admin",
- "scheduler_stats:pools:index": "rule:admin_api",
- "scheduler_stats:pools:detail": "rule:admin_api",
+ "scheduler_stats:pools:index": "rule:admin",
+ "scheduler_stats:pools:detail": "rule:admin",
"consistency_group:create" : "rule:default",
"consistency_group:delete": "rule:default",
"consistency_group:update": "rule:default",
"consistency_group:get": "rule:default",
"consistency_group:get_all": "rule:default",
- "consistency_group:force_delete": "rule:admin_api",
- "consistency_group:reset_status": "rule:admin_api",
+ "consistency_group:force_delete": "rule:admin",
+ "consistency_group:reset_status": "rule:admin",
- "cgsnapshot:force_delete": "rule:admin_api",
- "cgsnapshot:reset_status": "rule:admin_api",
+ "cgsnapshot:force_delete": "rule:admin",
+ "cgsnapshot:reset_status": "rule:admin",
"cgsnapshot:create" : "rule:default",
"cgsnapshot:update" : "rule:default",
"cgsnapshot:delete": "rule:default",
@@ -128,8 +131,8 @@
"share_replica:create" : "rule:default",
"share_replica:delete": "rule:default",
"share_replica:promote": "rule:default",
- "share_replica:resync": "rule:admin_api",
- "share_replica:reset_status": "rule:admin_api",
- "share_replica:force_delete": "rule:admin_api",
- "share_replica:reset_replica_state": "rule:admin_api"
+ "share_replica:resync": "rule:admin",
+ "share_replica:reset_status": "rule:admin",
+ "share_replica:force_delete": "rule:admin",
+ "share_replica:reset_replica_state": "rule:admin"
}
diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json
index 3278023..774d22a 100644
--- a/etc/mistral/policy.json
+++ b/etc/mistral/policy.json
@@ -1,64 +1,69 @@
{
- "admin_only": "is_admin:True",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
- "action_executions:delete": "rule:admin_or_owner",
- "action_execution:create": "rule:admin_or_owner",
- "action_executions:get": "rule:admin_or_owner",
- "action_executions:list": "rule:admin_or_owner",
- "action_executions:update": "rule:admin_or_owner",
+ "default": "rule:admin or rule:member",
- "actions:create": "rule:admin_or_owner",
- "actions:delete": "rule:admin_or_owner",
- "actions:get": "rule:admin_or_owner",
- "actions:list": "rule:admin_or_owner",
- "actions:update": "rule:admin_or_owner",
+ "action_executions:delete": "rule:admin or rule:member",
+ "action_execution:create": "rule:admin or rule:member",
+ "action_executions:get": "rule:admin or rule:member",
+ "action_executions:list": "rule:admin or rule:member",
+ "action_executions:update": "rule:admin or rule:member",
- "cron_triggers:create": "rule:admin_or_owner",
- "cron_triggers:delete": "rule:admin_or_owner",
- "cron_triggers:get": "rule:admin_or_owner",
- "cron_triggers:list": "rule:admin_or_owner",
+ "actions:create": "rule:admin or rule:member",
+ "actions:delete": "rule:admin or rule:member",
+ "actions:get": "rule:admin or rule:member",
+ "actions:list": "rule:admin or rule:member",
+ "actions:update": "rule:admin or rule:member",
- "environments:create": "rule:admin_or_owner",
- "environments:delete": "rule:admin_or_owner",
- "environments:get": "rule:admin_or_owner",
- "environments:list": "rule:admin_or_owner",
- "environments:update": "rule:admin_or_owner",
+ "cron_triggers:create": "rule:admin or rule:member",
+ "cron_triggers:delete": "rule:admin or rule:member",
+ "cron_triggers:get": "rule:admin or rule:member",
+ "cron_triggers:list": "rule:admin or rule:member",
- "executions:create": "rule:admin_or_owner",
- "executions:delete": "rule:admin_or_owner",
- "executions:get": "rule:admin_or_owner",
- "executions:list": "rule:admin_or_owner",
- "executions:update": "rule:admin_or_owner",
+ "environments:create": "rule:admin or rule:member",
+ "environments:delete": "rule:admin or rule:member",
+ "environments:get": "rule:admin or rule:member",
+ "environments:list": "rule:admin or rule:member",
+ "environments:update": "rule:admin or rule:member",
- "members:create": "rule:admin_or_owner",
- "members:delete": "rule:admin_or_owner",
- "members:get": "rule:admin_or_owner",
- "members:list": "rule:admin_or_owner",
- "members:update": "rule:admin_or_owner",
+ "executions:create": "rule:admin or rule:member",
+ "executions:delete": "rule:admin or rule:member",
+ "executions:get": "rule:admin or rule:member",
+ "executions:list": "rule:admin or rule:member",
+ "executions:update": "rule:admin or rule:member",
- "services:list": "rule:admin_or_owner",
+ "members:create": "rule:admin or rule:member",
+ "members:delete": "rule:admin or rule:member",
+ "members:get": "rule:admin or rule:member",
+ "members:list": "rule:admin or rule:member",
+ "members:update": "rule:admin or rule:member",
- "tasks:get": "rule:admin_or_owner",
- "tasks:list": "rule:admin_or_owner",
- "tasks:update": "rule:admin_or_owner",
+ "services:list": "rule:admin or rule:member",
- "workbooks:create": "rule:admin_or_owner",
- "workbooks:delete": "rule:admin_or_owner",
- "workbooks:get": "rule:admin_or_owner",
- "workbooks:list": "rule:admin_or_owner",
- "workbooks:update": "rule:admin_or_owner",
+ "tasks:get": "rule:admin or rule:member",
+ "tasks:list": "rule:admin or rule:member",
+ "tasks:update": "rule:admin or rule:member",
- "workflows:create": "rule:admin_or_owner",
- "workflows:delete": "rule:admin_or_owner",
- "workflows:get": "rule:admin_or_owner",
- "workflows:list": "rule:admin_or_owner",
- "workflows:update": "rule:admin_or_owner",
+ "workbooks:create": "rule:admin or rule:member",
+ "workbooks:delete": "rule:admin or rule:member",
+ "workbooks:get": "rule:admin or rule:member",
+ "workbooks:list": "rule:admin or rule:member",
+ "workbooks:update": "rule:admin or rule:member",
- "event_triggers:create": "rule:admin_or_owner",
- "event_triggers:delete": "rule:admin_or_owner",
- "event_triggers:get": "rule:admin_or_owner",
- "event_triggers:list": "rule:admin_or_owner",
- "event_triggers:update": "rule:admin_or_owner"
+ "workflows:create": "rule:admin or rule:member",
+ "workflows:delete": "rule:admin or rule:member",
+ "workflows:get": "rule:admin or rule:member",
+ "workflows:list": "rule:admin or rule:member",
+ "workflows:update": "rule:admin or rule:member",
+
+ "event_triggers:create": "rule:admin or rule:member",
+ "event_triggers:delete": "rule:admin or rule:member",
+ "event_triggers:get": "rule:admin or rule:member",
+ "event_triggers:list": "rule:admin or rule:member",
+ "event_triggers:update": "rule:admin or rule:member"
}
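Review bot: `"admin_only": "is_admin:True"` is dropped at the top of the hunk and no entry in the new file references it; if any mistral code path enforces `admin_only` by name rather than through a policy key listed here, the missing rule would resolve through the `default` fallback, which is now `rule:admin or rule:member`, so confirm the name is unused before relying on the removal (the fallback itself is inferred from the enforcer, not visible in this diff). The blank-line grouping is also uneven: only the `event_triggers` group gets a separating blank line, while `actions`, `cron_triggers`, `environments`, `executions` and the others run together, and the sahara hunk does the same with only `job-types` separated; either separate every group or none.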
diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json
index 789dafc..15eeb69 100644
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@@ -1,73 +1,79 @@
{
- "context_is_admin": "role:admin",
- "default": "",
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
- "data-processing:clusters:get_all": "",
- "data-processing:clusters:create": "",
- "data-processing:clusters:scale": "",
- "data-processing:clusters:get": "",
- "data-processing:clusters:delete": "",
- "data-processing:clusters:modify": "",
+ "default": "rule:admin or rule:member",
- "data-processing:cluster-templates:get_all": "",
- "data-processing:cluster-templates:create": "",
- "data-processing:cluster-templates:get": "",
- "data-processing:cluster-templates:modify": "",
- "data-processing:cluster-templates:delete": "",
+ "data-processing:clusters:get_all": "rule:admin or rule:member",
+ "data-processing:clusters:create": "rule:admin or rule:member",
+ "data-processing:clusters:scale": "rule:admin or rule:member",
+ "data-processing:clusters:get": "rule:admin or rule:member",
+ "data-processing:clusters:delete": "rule:admin or rule:member",
+ "data-processing:clusters:modify": "rule:admin or rule:member",
- "data-processing:node-group-templates:get_all": "",
- "data-processing:node-group-templates:create": "",
- "data-processing:node-group-templates:get": "",
- "data-processing:node-group-templates:modify": "",
- "data-processing:node-group-templates:delete": "",
+ "data-processing:cluster-templates:get_all": "rule:admin or rule:member",
+ "data-processing:cluster-templates:create": "rule:admin or rule:member",
+ "data-processing:cluster-templates:get": "rule:admin or rule:member",
+ "data-processing:cluster-templates:modify": "rule:admin or rule:member",
+ "data-processing:cluster-templates:delete": "rule:admin or rule:member",
- "data-processing:plugins:get_all": "",
- "data-processing:plugins:get": "",
- "data-processing:plugins:get_version": "",
- "data-processing:plugins:convert_config": "",
- "data-processing:plugins:patch": "role:admin",
+ "data-processing:node-group-templates:get_all": "rule:admin or rule:member",
+ "data-processing:node-group-templates:create": "rule:admin or rule:member",
+ "data-processing:node-group-templates:get": "rule:admin or rule:member",
+ "data-processing:node-group-templates:modify": "rule:admin or rule:member",
+ "data-processing:node-group-templates:delete": "rule:admin or rule:member",
- "data-processing:images:get_all": "",
- "data-processing:images:get": "",
- "data-processing:images:register": "",
- "data-processing:images:unregister": "",
- "data-processing:images:add_tags": "",
- "data-processing:images:remove_tags": "",
+ "data-processing:plugins:get_all": "rule:admin or rule:member",
+ "data-processing:plugins:get": "rule:admin or rule:member",
+ "data-processing:plugins:get_version": "rule:admin or rule:member",
+ "data-processing:plugins:convert_config": "rule:admin or rule:member",
+ "data-processing:plugins:patch": "rule:admin",
- "data-processing:job-executions:get_all": "",
- "data-processing:job-executions:get": "",
- "data-processing:job-executions:refresh_status": "",
- "data-processing:job-executions:cancel": "",
- "data-processing:job-executions:delete": "",
- "data-processing:job-executions:modify": "",
+ "data-processing:images:get_all": "rule:admin or rule:member",
+ "data-processing:images:get": "rule:admin or rule:member",
+ "data-processing:images:register": "rule:admin or rule:member",
+ "data-processing:images:unregister": "rule:admin or rule:member",
+ "data-processing:images:add_tags": "rule:admin or rule:member",
+ "data-processing:images:remove_tags": "rule:admin or rule:member",
- "data-processing:data-sources:get_all": "",
- "data-processing:data-sources:get": "",
- "data-processing:data-sources:register": "",
- "data-processing:data-sources:delete": "",
- "data-processing:data-sources:modify": "",
+ "data-processing:job-executions:get_all": "rule:admin or rule:member",
+ "data-processing:job-executions:get": "rule:admin or rule:member",
+ "data-processing:job-executions:refresh_status": "rule:admin or rule:member",
+ "data-processing:job-executions:cancel": "rule:admin or rule:member",
+ "data-processing:job-executions:delete": "rule:admin or rule:member",
+ "data-processing:job-executions:modify": "rule:admin or rule:member",
- "data-processing:jobs:get_all": "",
- "data-processing:jobs:create": "",
- "data-processing:jobs:get": "",
- "data-processing:jobs:delete": "",
- "data-processing:jobs:get_config_hints": "",
- "data-processing:jobs:execute": "",
- "data-processing:jobs:modify": "",
+ "data-processing:data-sources:get_all": "rule:admin or rule:member",
+ "data-processing:data-sources:get": "rule:admin or rule:member",
+ "data-processing:data-sources:register": "rule:admin or rule:member",
+ "data-processing:data-sources:delete": "rule:admin or rule:member",
+ "data-processing:data-sources:modify": "rule:admin or rule:member",
- "data-processing:job-binaries:get_all": "",
- "data-processing:job-binaries:create": "",
- "data-processing:job-binaries:get": "",
- "data-processing:job-binaries:delete": "",
- "data-processing:job-binaries:get_data": "",
- "data-processing:job-binaries:modify": "",
+ "data-processing:jobs:get_all": "rule:admin or rule:member",
+ "data-processing:jobs:create": "rule:admin or rule:member",
+ "data-processing:jobs:get": "rule:admin or rule:member",
+ "data-processing:jobs:delete": "rule:admin or rule:member",
+ "data-processing:jobs:get_config_hints": "rule:admin or rule:member",
+ "data-processing:jobs:execute": "rule:admin or rule:member",
+ "data-processing:jobs:modify": "rule:admin or rule:member",
- "data-processing:job-binary-internals:get_all": "",
- "data-processing:job-binary-internals:create": "",
- "data-processing:job-binary-internals:get": "",
- "data-processing:job-binary-internals:delete": "",
- "data-processing:job-binary-internals:get_data": "",
- "data-processing:job-binary-internals:modify": "",
+ "data-processing:job-binaries:get_all": "rule:admin or rule:member",
+ "data-processing:job-binaries:create": "rule:admin or rule:member",
+ "data-processing:job-binaries:get": "rule:admin or rule:member",
+ "data-processing:job-binaries:delete": "rule:admin or rule:member",
+ "data-processing:job-binaries:get_data": "rule:admin or rule:member",
+ "data-processing:job-binaries:modify": "rule:admin or rule:member",
- "data-processing:job-types:get_all": ""
+ "data-processing:job-binary-internals:get_all": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:create": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:get": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:delete": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:get_data": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:modify": "rule:admin or rule:member",
+
+ "data-processing:job-types:get_all": "rule:admin or rule:member"
}
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index 89d5076..1a6c49e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,46 +1,53 @@
{
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
"context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "queues:get_all": "",
- "queues:create": "",
- "queues:get": "",
- "queues:delete": "",
- "queues:update": "",
- "queues:stats": "",
-
- "messages:get_all": "",
- "messages:create": "",
- "messages:get": "",
- "messages:delete": "",
- "messages:delete_all": "",
-
- "claims:get_all": "",
- "claims:create": "",
- "claims:get": "",
- "claims:delete": "",
- "claims:update": "",
-
- "subscription:get_all": "",
- "subscription:create": "",
- "subscription:get": "",
- "subscription:delete": "",
- "subscription:update": "",
- "subscription:confirm": "",
-
- "pools:get_all": "rule:context_is_admin",
- "pools:create": "rule:context_is_admin",
- "pools:get": "rule:context_is_admin",
- "pools:delete": "rule:context_is_admin",
- "pools:update": "rule:context_is_admin",
-
- "flavors:get_all": "",
- "flavors:create": "rule:context_is_admin",
- "flavors:get": "",
- "flavors:delete": "rule:context_is_admin",
- "flavors:update": "rule:context_is_admin",
-
- "ping:get": "",
- "health:get": "rule:context_is_admin"
+
+ "default": "rule:admin or rule:member",
+
+ "queues:get_all": "rule:admin or rule:member",
+ "queues:create": "rule:admin or rule:member",
+ "queues:get": "rule:admin or rule:member",
+ "queues:delete": "rule:admin or rule:member",
+ "queues:update": "rule:admin or rule:member",
+ "queues:stats": "rule:admin or rule:member",
+
+ "messages:get_all": "rule:admin or rule:member",
+ "messages:create": "rule:admin or rule:member",
+ "messages:get": "rule:admin or rule:member",
+ "messages:delete": "rule:admin or rule:member",
+ "messages:delete_all": "rule:admin or rule:member",
+
+ "claims:get_all": "rule:admin or rule:member",
+ "claims:create": "rule:admin or rule:member",
+ "claims:get": "rule:admin or rule:member",
+ "claims:delete": "rule:admin or rule:member",
+ "claims:update": "rule:admin or rule:member",
+
+ "subscription:get_all": "rule:admin or rule:member",
+ "subscription:create": "rule:admin or rule:member",
+ "subscription:get": "rule:admin or rule:member",
+ "subscription:delete": "rule:admin or rule:member",
+ "subscription:update": "rule:admin or rule:member",
+ "subscription:confirm": "rule:admin or rule:member",
+
+ "pools:get_all": "rule:admin or rule:member",
+ "pools:create": "rule:admin or rule:member",
+ "pools:get": "rule:admin or rule:member",
+ "pools:delete": "rule:admin or rule:member",
+ "pools:update": "rule:admin or rule:member",
+
+ "flavors:get_all": "rule:admin or rule:member",
+ "flavors:create": "rule:admin or rule:member",
+ "flavors:get": "rule:admin or rule:member",
+ "flavors:delete": "rule:admin or rule:member",
+ "flavors:update": "rule:admin or rule:member",
+
+ "ping:get": "rule:admin or rule:member",
+ "health:get": "rule:admin or rule:member"
}
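Review bot: The `pools:*` targets, `flavors:create`/`flavors:delete`/`flavors:update` and `health:get` at the end of this hunk drop from `rule:context_is_admin` to `rule:admin or rule:member`, so any project member can now create, delete and update storage pools and flavors and read the health endpoint, which the old policy reserved for admins. Nothing on the page indicates that widening is intended, so those nine targets should keep an admin-only rule, e.g. `"pools:create": "rule:admin",` for each of them. Separately, the new `readonly`, `global_readonly` and `owner` rules are defined but referenced by no target, and `default` is `rule:admin or rule:member`, so a user holding only the readonly role is denied every operation; if that role is meant to read queues, messages, claims and subscriptions, the `*:get` and `*:get_all` targets presumably want `rule:admin or rule:member or rule:readonly`. `context_is_admin` is also left defined but unused now that `admin` replaces it.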