authorSean Pryor <spryor@redhat.com>2017-11-17 16:02:21 -0500
committerSean Pryor <spryor@redhat.com>2017-11-17 16:02:21 -0500
commitcd1216c05a44a7819ee60c73ebd71899df7fbaf4 (patch)
tree9217f9218a09d0fcdbc5ddaaa81dd8e3a95da834
parent00fd19b7012d837c555217fc1440b1207f8a1cbd (diff)
Untested draft of gnocchi readonly policy
Change-Id: I52bd17655046e48d55bd1cce257583db3ca0eaac
-rw-r--r--etc/gnocchi/policy.json87
1 files changed, 47 insertions, 40 deletions
diff --git a/etc/gnocchi/policy.json b/etc/gnocchi/policy.json
index 00aaedd..d0689b7 100644
--- a/etc/gnocchi/policy.json
+++ b/etc/gnocchi/policy.json
@@ -1,42 +1,49 @@
{
- "admin_or_creator": "role:admin or project_id:%(created_by_project_id)s",
- "resource_owner": "project_id:%(project_id)s",
- "metric_owner": "project_id:%(resource.project_id)s",
-
- "get status": "role:admin",
-
- "create resource": "",
- "get resource": "rule:admin_or_creator or rule:resource_owner",
- "update resource": "rule:admin_or_creator",
- "delete resource": "rule:admin_or_creator",
- "delete resources": "rule:admin_or_creator",
- "list resource": "rule:admin_or_creator or rule:resource_owner",
- "search resource": "rule:admin_or_creator or rule:resource_owner",
-
- "create resource type": "role:admin",
- "delete resource type": "role:admin",
- "update resource type": "role:admin",
- "list resource type": "",
- "get resource type": "",
-
- "get archive policy": "",
- "list archive policy": "",
- "create archive policy": "role:admin",
- "update archive policy": "role:admin",
- "delete archive policy": "role:admin",
-
- "create archive policy rule": "role:admin",
- "get archive policy rule": "",
- "list archive policy rule": "",
- "delete archive policy rule": "role:admin",
-
- "create metric": "",
- "delete metric": "rule:admin_or_creator",
- "get metric": "rule:admin_or_creator or rule:metric_owner",
- "search metric": "rule:admin_or_creator or rule:metric_owner",
- "list metric": "",
- "list all metric": "role:admin",
-
- "get measures": "rule:admin_or_creator or rule:metric_owner",
- "post measures": "rule:admin_or_creator"
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
+ "creator": "(project_id:%(created_by_project_id)s and (rule:_member_role or role:service))",
+ "resource_owner": "(project_id:%(project_id)s and (rule:_member_role or role:service))",
+ "metric_owner": "(project_id:%(resource.project_id)s and (rule:_member_role or role:service))",
+
+ "get status": "rule:admin or rule:readonly",
+
+ "create resource": "rule:admin or rule:member or rule:resource_owner",
+ "get resource": "rule:creator or rule:resource_owner or rule:readonly",
+ "update resource": "rule:admin or rule:creator",
+ "delete resource": "rule:admin or rule:creator",
+ "delete resources": "rule:admin or rule:creator",
+ "list resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly",
+ "search resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly",
+
+ "create resource type": "rule:admin",
+ "delete resource type": "rule:admin",
+ "update resource type": "rule:admin",
+ "list resource type": "rule:admin or rule:member or rule:readonly",
+ "get resource type": "rule:admin or rule:member or rule:readonly",
+
+ "get archive policy": "rule:admin or rule:member or rule:readonly",
+ "list archive policy": "rule:admin or rule:member or rule:readonly",
+ "create archive policy": "rule:admin",
+ "update archive policy": "rule:admin",
+ "delete archive policy": "rule:admin",
+
+ "create archive policy rule": "rule:admin",
+ "get archive policy rule": "rule:admin or rule:member or rule:readonly",
+ "list archive policy rule": "rule:admin or rule:member or rule:readonly",
+ "delete archive policy rule": "rule:admin",
+
+ "create metric": "rule:admin or rule:member or rule:metric_owner",
+ "delete metric": "rule:admin or rule:creator",
+ "get metric": "rule:admin or rule:creator or rule:metric_owner or rule:readonly",
+ "search metric": "rule:admin or rule:creator or rule:metric_owner or rule:readonly",
+ "list metric": "rule:admin or rule:member or rule:readonly",
+ "list all metric": "rule:admin or rule:readonly",
+
+ "get measures": "rule:creator or rule:metric_owner or rule:readonly",
+ "post measures": "rule:creator"
}
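Review bot: The new `"get resource"`, `"get measures"` and `"post measures"` rules drop admin access that the old `admin_or_creator` rule granted: the replaced lines read `"rule:creator or rule:resource_owner or rule:readonly"`, `"rule:creator or rule:metric_owner or rule:readonly"` and `"rule:creator"`, while every sibling rule in the same hunk (`"update resource"`, `"delete metric"`, `"list resource"`) starts with `rule:admin`, so this looks like an omission rather than intent and an administrator who is neither creator nor owner would now be denied. Suggested lines: `"get resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly"`, `"get measures": "rule:admin or rule:creator or rule:metric_owner or rule:readonly"`, `"post measures": "rule:admin or rule:creator"`. Separately, `rule:member` and the project half of `rule:readonly` both evaluate `project_id:%(project_id)s` against the target; in oslo.policy a missing target key makes that check false, so if the enforcer passes an empty or project-less target for `"list resource type"`, `"get archive policy"`, `"list archive policy rule"` and similar (these were `""`, i.e. open, before), only `rule:admin` and `role:global_readonly` would satisfy them, which the commit message's "untested" caveat suggests has not yet been verified. The `"owner"` rule is defined but never referenced and could be dropped or annotated.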