author | Vincent S. Cojot <vcojot@redhat.com> | 2017-04-17 23:56:09 -0400 |
committer | Vincent S. Cojot <vcojot@redhat.com> | 2017-04-17 23:56:09 -0400 |
commit | 7b3342c62b9bb753d9dd09028e0fa80ceafc571c (patch) | |
tree | f352179370e837ae8ae74c26dcfe03899dd89f3c | |
parent | ef7979106116b32e6d325a91ced3597645b0d78e (diff) | |
Update as per SCoombs request...
-rw-r--r-- | etc/heat/policy.json | 50 |
1 files changed, 26 insertions, 24 deletions
diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index 83e1713..0f5dd61 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -1,14 +1,16 @@
 {
- "context_is_admin": "role:admin",
+ "deny_readonly": "not role:readonly",
+ "context_is_admin": "role:admin and rule:deny_readonly",
 "project_admin": "role:admin",
- "deny_stack_user": "not role:heat_stack_user and not role:readonly",
+ "deny_stack_user": "not role:heat_stack_user",
 "deny_everybody": "!",
+
 "cloudformation:ListStacks": "rule:deny_stack_user",
- "cloudformation:CreateStack": "rule:deny_stack_user",
+ "cloudformation:CreateStack": "rule:deny_stack_user and rule:deny_readonly",
 "cloudformation:DescribeStacks": "rule:deny_stack_user",
- "cloudformation:DeleteStack": "rule:deny_stack_user",
- "cloudformation:UpdateStack": "rule:deny_stack_user",
- "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+ "cloudformation:DeleteStack": "rule:deny_stack_user and rule:deny_readonly",
+ "cloudformation:UpdateStack": "rule:deny_stack_user and rule:deny_readonly",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user and rule:deny_readonly",
 "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
 "cloudformation:ValidateTemplate": "rule:deny_stack_user",
 "cloudformation:GetTemplate": "rule:deny_stack_user",
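Review bot: `project_admin` stays `role:admin` while `context_is_admin` directly above it gains `and rule:deny_readonly`, so a principal holding both admin and readonly is no longer admin for `context_is_admin` yet still satisfies `project_admin` (which gates `resource_types:OS::Nova::Flavor` further down this file). If the intent is that readonly wins over admin everywhere, use `"project_admin": "role:admin and rule:deny_readonly",`; if the asymmetry is deliberate, say so in the commit message, since JSON gives no place for an inline comment. Note also that `deny_readonly` is a deny-list rule: a token carrying neither `readonly` nor `heat_stack_user` passes every write rule in this file, so the scheme assumes every unprivileged principal is actually tagged `readonly`.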
@@ -16,17 +18,17 @@
 "cloudformation:DescribeStackResource": "",
 "cloudformation:DescribeStackResources": "rule:deny_stack_user",
 "cloudformation:ListStackResources": "rule:deny_stack_user",
- "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+ "cloudwatch:DeleteAlarms": "rule:deny_stack_user and rule:deny_readonly",
 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
 "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
 "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
- "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:DisableAlarmActions": "rule:deny_stack_user and rule:deny_readonly",
+ "cloudwatch:EnableAlarmActions": "rule:deny_stack_user and rule:deny_readonly",
 "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
 "cloudwatch:ListMetrics": "rule:deny_stack_user",
 "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
 "cloudwatch:PutMetricData": "",
- "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user and rule:deny_readonly",
 "actions:action": "rule:deny_stack_user",
 "build_info:build_info": "rule:deny_stack_user",
 "events:index": "rule:deny_stack_user",
@@ -36,9 +38,9 @@
 "resource:signal": "",
 "resource:mark_unhealthy": "rule:deny_stack_user",
 "resource:show": "rule:deny_stack_user",
- "stacks:abandon": "rule:deny_stack_user",
- "stacks:create": "rule:deny_stack_user",
- "stacks:delete": "rule:deny_stack_user",
+ "stacks:abandon": "rule:deny_stack_user and rule:deny_readonly",
+ "stacks:create": "rule:deny_stack_user and rule:deny_readonly",
+ "stacks:delete": "rule:deny_stack_user and rule:deny_readonly",
 "stacks:detail": "rule:deny_stack_user",
 "stacks:export": "rule:deny_stack_user",
 "stacks:generate_template": "rule:deny_stack_user",
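Review bot: `cloudwatch:PutMetricAlarm` is left on `rule:deny_stack_user` alone in the middle of this hunk, although by name it creates or replaces an alarm definition, while `DeleteAlarms`, `Enable/DisableAlarmActions` and `SetAlarmState` around it all gain `rule:deny_readonly`; a readonly principal can therefore still define alarms and the actions they trigger. Unless that is intended, change it to `"cloudwatch:PutMetricAlarm": "rule:deny_stack_user and rule:deny_readonly",`. `cloudwatch:PutMetricData` staying `""` predates this commit and is presumably left open for in-instance agents, so it is not part of this point.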
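Review bot: `resource:mark_unhealthy` keeps `rule:deny_stack_user` only, two context lines above the `stacks:abandon`/`create`/`delete` rules that gain `rule:deny_readonly`; marking a resource unhealthy mutates stack state (it is the trigger for replacing the resource on the next update), so it is a write that a readonly role can still perform. Suggest `"resource:mark_unhealthy": "rule:deny_stack_user and rule:deny_readonly",`. `resource:signal` remaining `""` is unchanged by this commit and is presumably kept open for in-instance signalling.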
@@ -54,28 +56,28 @@
 "stacks:template": "rule:deny_stack_user",
 "stacks:environment": "rule:deny_stack_user",
 "stacks:files": "rule:deny_stack_user",
- "stacks:update": "rule:deny_stack_user",
- "stacks:update_patch": "rule:deny_stack_user",
- "stacks:preview_update": "rule:deny_stack_user",
- "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:update": "rule:deny_stack_user and rule:deny_readonly",
+ "stacks:update_patch": "rule:deny_stack_user and rule:deny_readonly",
+ "stacks:preview_update": "rule:deny_stack_user and rule:deny_readonly",
+ "stacks:preview_update_patch": "rule:deny_stack_user and rule:deny_readonly",
 "stacks:validate_template": "rule:deny_stack_user",
 "stacks:snapshot": "rule:deny_stack_user",
 "stacks:show_snapshot": "rule:deny_stack_user",
- "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user and rule:deny_readonly",
 "stacks:list_snapshots": "rule:deny_stack_user",
- "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user and rule:deny_readonly",
 "stacks:list_outputs": "rule:deny_stack_user",
 "stacks:show_output": "rule:deny_stack_user",
 "software_configs:global_index": "rule:deny_everybody",
 "software_configs:index": "rule:deny_stack_user",
- "software_configs:create": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user and rule:deny_readonly",
 "software_configs:show": "rule:deny_stack_user",
- "software_configs:delete": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user and rule:deny_readonly",
 "software_deployments:index": "rule:deny_stack_user",
- "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user and rule:deny_readonly",
 "software_deployments:show": "rule:deny_stack_user",
- "software_deployments:update": "rule:deny_stack_user",
- "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user and rule:deny_readonly",
+ "software_deployments:delete": "rule:deny_stack_user and rule:deny_readonly",
 "software_deployments:metadata": "",
 "service:index": "rule:context_is_admin",
 "resource_types:OS::Nova::Flavor": "rule:project_admin", |
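Review bot: `stacks:snapshot` stays on `rule:deny_stack_user` while `stacks:delete_snapshot` and `stacks:restore_snapshot` a few lines below gain `rule:deny_readonly`; taking a snapshot creates a new object (and presumably backend snapshots for resources that support them), so a readonly role can still perform that write. Suggest `"stacks:snapshot": "rule:deny_stack_user and rule:deny_readonly",`. Conversely `stacks:preview_update` and `stacks:preview_update_patch` are dry runs that change nothing, so denying them to readonly users removes a useful read path — consider leaving those two on `rule:deny_stack_user` if the tightening was not deliberate. `software_deployments:metadata` remaining `""` predates this commit.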