summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVincent S. Cojot <vcojot@redhat.com>2017-05-17 11:07:34 -0400
committerVincent S. Cojot <vcojot@redhat.com>2017-05-17 11:07:34 -0400
commitf525e60288c645b3fe13d600c456a53e45760249 (patch)
tree98a96fc83c1b1f948ebbd293a77e19505709d206
parentf3ac476a745952f5f8784c7ab48dc0d3075c8f1b (diff)
downloadopenstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.zip
openstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.tar.gz
openstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.tar.xz
Latest set of updates: deny readonly in context_is_admin
-rw-r--r--etc/aodh/policy.json2
-rw-r--r--etc/ceilometer/policy.json2
-rw-r--r--etc/cinder/policy.json4
-rw-r--r--etc/manila/policy.json8
-rw-r--r--etc/neutron/policy.json2
-rw-r--r--etc/nova/policy.json16
-rw-r--r--etc/sahara/policy.json2
-rw-r--r--etc/zaqar/policy.json2
8 files changed, 19 insertions, 19 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index 1b6715e..38bb14d 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"segregation": "rule:context_is_admin",
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json
index add3ee6..d74e528 100644
--- a/etc/ceilometer/policy.json
+++ b/etc/ceilometer/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"segregation": "rule:context_is_admin",
"telemetry:get_samples": "",
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 5844cea..585b31a 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -34,8 +34,8 @@
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
- "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
- "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+ "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly",
+ "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
diff --git a/etc/manila/policy.json b/etc/manila/policy.json
index c9c7c51..db1408f 100644
--- a/etc/manila/policy.json
+++ b/etc/manila/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
@@ -72,9 +72,9 @@
"share_type:default": "rule:default",
"share_type:create": "rule:admin_api",
"share_type:delete": "rule:admin_api",
- "share_type:add_project_access": "rule:admin_api",
+ "share_type:add_project_access": "rule:admin_api and rule:deny_readonly",
"share_type:list_project_access": "rule:admin_api",
- "share_type:remove_project_access": "rule:admin_api",
+ "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly",
"share_types_extra_spec:create": "rule:admin_api",
"share_types_extra_spec:update": "rule:admin_api",
@@ -102,7 +102,7 @@
"share_network:detail": "rule:default",
"share_network:show": "rule:default",
"share_network:add_security_service": "rule:default",
- "share_network:remove_security_service": "rule:default",
+ "share_network:remove_security_service": "rule:default and rule:deny_readonly",
"share_network:get_all_share_networks": "rule:admin_api",
"scheduler_stats:pools:index": "rule:admin_api",
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index 75b5a1f..e4ea2d7 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"owner": "tenant_id:%(tenant_id)s and rule:deny_readonly",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc and rule:deny_readonly",
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index c90baea..f0843d5 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -26,11 +26,11 @@
"os_compute_api:os-evacuate:discoverable": "@",
"os_compute_api:os-rescue:discoverable": "@",
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-cells:discoverable": "@",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-deferred-delete:discoverable": "@",
"os_compute_api:os-certificates:discoverable": "@",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
@@ -59,7 +59,7 @@
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
"os_compute_api:os-block-device-mapping-v1:discoverable": "@",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
"os_compute_api:servers:show": "rule:admin_or_owner",
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
@@ -111,7 +111,7 @@
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-server-tags:update_all": "@",
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-sets:update": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-floating-ip-pools:discoverable": "@",
"os_compute_api:os-console-output:discoverable": "@",
"os_compute_api:servers:show:host_status": "rule:admin_api",
@@ -145,7 +145,7 @@
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:servers:create": "rule:admin_or_owner and rule:deny_readonly",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-baremetal-nodes:discoverable": "@",
"os_compute_api:os-console-output": "rule:admin_or_owner",
"os_compute_api:os-aggregates:update": "rule:admin_api",
@@ -187,7 +187,7 @@
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
"os_compute_api:os-server-password:discoverable": "@",
"os_compute_api:os-cells": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api and rule:deny_readonly",
"os_compute_api:image-size:discoverable": "@",
"os_compute_api:os-certificates:show": "rule:admin_or_owner",
"os_compute_api:os-config-drive": "rule:admin_or_owner",
@@ -216,7 +216,7 @@
"os_compute_api:os-server-tags:update": "@",
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:flavors": "rule:admin_or_owner",
- "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "@",
"os_compute_api:os-flavor-manage:discoverable": "@",
@@ -245,7 +245,7 @@
"os_compute_api:os-server-tags:discoverable": "@",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-simple-tenant-usage:discoverable": "@",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-pci:discoverable": "@",
diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json
index 06948c5..bfab46f 100644
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"default": "",
"data-processing:clusters:get_all": "",
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index a7645f7..259625e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",