authorSean Pryor <spryor@redhat.com>2017-11-29 09:41:51 -0500
committerSean Pryor <spryor@redhat.com>2017-11-29 09:41:51 -0500
commite188fe2390ecc3c3534fe9f40a3d68c49073308e (patch)
treeb8028824362c04fbc5836872d7889b257c76ebba
parentb8e32add7eeec18e53220a1eba0910d1ce737879 (diff)
Draft of heat policy, super unsure on this one
Change-Id: I388b7aed9717d8754ad94c160de73e2b5cad8a60
-rw-r--r--etc/heat/policy.json41
1 files changed, 19 insertions, 22 deletions
diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index acb0d7e..4554918 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -6,10 +6,7 @@
"admin": "(is_admin:True or role:admin)",
"owner": "(user_id:%(user_id)s and rule:_member_role)",
- "context_is_admin": "role:admin",
- "project_admin": "role:admin",
- "deny_stack_user": "not role:heat_stack_user",
- "deny_everybody": "!",
+ "deny_stack_user": "(rule:admin or rule:member) and (not role:heat_stack_user)",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
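Review bot: The new `deny_stack_user` rule at L29 references `rule:member`, but no `member` rule is defined in this hunk (the visible definitions are `admin` and `owner`, and `owner` itself points at `rule:_member_role`); if `member` is not defined in the first five lines of the file, oslo.policy evaluates a reference to an undefined rule as false, so every `rule:deny_stack_user` entry would deny all callers, admins included. The same applies to the three definitions removed at L25–L28: any entry outside these hunks that still reads `rule:context_is_admin`, `rule:project_admin` or `rule:deny_everybody` now fails closed rather than keeping its old meaning. Heat has also historically derived `is_admin` by evaluating the `context_is_admin` rule, so unless the deployed Heat release carries an in-code default for it, dropping that definition may mean the `is_admin:True` branch of `admin` is never satisfied — worth confirming before relying on it. If `_member_role` is the project-membership rule that `owner` already uses, defining `"member": "rule:_member_role",` next to `admin` would be the consistent choice.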
@@ -21,7 +18,7 @@
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
- "cloudformation:DescribeStackResource": "",
+ "cloudformation:DescribeStackResource": "rule:admin or rule:member",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
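Review bot: Tightening `cloudformation:DescribeStackResource` at L37 from `""` to `rule:admin or rule:member` is likely to break in-instance signalling: the entries that were `""` are exactly the ones not gated by `deny_stack_user`, which is consistent with them being the APIs that the `heat_stack_user` role (explicitly excluded by `deny_stack_user`) has to call from inside instances. With the new rule a request carrying only `heat_stack_user` is denied, so resource signals and metadata polling would stop working unless `member` is defined to cover that role. The same change is made at L46 (`cloudwatch:PutMetricData`), L55–L56 (`resource:metadata`, `resource:signal`), L71 (`stacks:lookup`) and L99 (`software_deployments:metadata`). If the goal is to keep unauthenticated callers out while preserving the stack-user path, `"rule:admin or rule:member or role:heat_stack_user"` on these entries is closer to that intent, and the commit message's own uncertainty suggests the change should be exercised against a stack that uses software deployments or wait conditions before it lands.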
@@ -33,15 +30,15 @@
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
- "cloudwatch:PutMetricData": "",
+ "cloudwatch:PutMetricData": "rule:admin or rule:member",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
- "resource:metadata": "",
- "resource:signal": "",
+ "resource:metadata": "rule:admin or rule:member",
+ "resource:signal": "rule:admin or rule:member",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
@@ -50,12 +47,12 @@
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
- "stacks:global_index": "rule:deny_everybody",
+ "stacks:global_index": "rule:admin",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "",
+ "stacks:lookup": "rule:admin or rule:member",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
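Review bot: `stacks:global_index` at L65 goes from `rule:deny_everybody` (`!`, never allowed) to `rule:admin`, and `admin` as defined at L23 is `(is_admin:True or role:admin)` — a plain role match with no project or scope restriction — so any principal holding `role:admin` in any project can now list stacks across all projects. That is a deliberate privilege widening rather than a restatement of the old policy, and the same change is made for `software_configs:global_index` at L80. If cross-project listing is meant for cloud operators only, keep `"!"` here or gate it on a dedicated rule narrower than the generic `admin` rule, and state the widening explicitly in the commit message.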
@@ -74,7 +71,7 @@
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
- "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:global_index": "rule:admin",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
@@ -84,15 +81,15 @@
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
- "software_deployments:metadata": "",
- "service:index": "rule:context_is_admin",
- "resource_types:OS::Nova::Flavor": "rule:project_admin",
- "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
- "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
- "resource_types:OS::Cinder::Quota": "rule:project_admin",
- "resource_types:OS::Manila::ShareType": "rule:project_admin",
- "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
- "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
- "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
- "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
+ "software_deployments:metadata": "rule:admin or rule:member",
+ "service:index": "rule:admin",
+ "resource_types:OS::Nova::Flavor": "rule:admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:admin",
+ "resource_types:OS::Cinder::Quota": "rule:admin",
+ "resource_types:OS::Manila::ShareType": "rule:admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:admin",
+ "resource_types:OS::Cinder::QoSSpecs": "rule:admin"
}