diff options
| author | Vincent S. Cojot <vcojot@redhat.com> | 2017-05-17 11:07:34 -0400 |
|---|---|---|
| committer | Vincent S. Cojot <vcojot@redhat.com> | 2017-05-17 11:07:34 -0400 |
| commit | f525e60288c645b3fe13d600c456a53e45760249 (patch) | |
| tree | 98a96fc83c1b1f948ebbd293a77e19505709d206 | |
| parent | f3ac476a745952f5f8784c7ab48dc0d3075c8f1b (diff) | |
| download | openstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.tar.gz openstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.tar.xz openstack-access-policy-f525e60288c645b3fe13d600c456a53e45760249.zip | |
Latest set of updates: deny readonly in context_is_admin
| -rw-r--r-- | etc/aodh/policy.json | 2 | ||||
| -rw-r--r-- | etc/ceilometer/policy.json | 2 | ||||
| -rw-r--r-- | etc/cinder/policy.json | 4 | ||||
| -rw-r--r-- | etc/manila/policy.json | 8 | ||||
| -rw-r--r-- | etc/neutron/policy.json | 2 | ||||
| -rw-r--r-- | etc/nova/policy.json | 16 | ||||
| -rw-r--r-- | etc/sahara/policy.json | 2 | ||||
| -rw-r--r-- | etc/zaqar/policy.json | 2 |
8 files changed, 19 insertions, 19 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json index 1b6715e..38bb14d 100644 --- a/etc/aodh/policy.json +++ b/etc/aodh/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "segregation": "rule:context_is_admin", "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", "default": "rule:admin_or_owner", diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json index add3ee6..d74e528 100644 --- a/etc/ceilometer/policy.json +++ b/etc/ceilometer/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "segregation": "rule:context_is_admin", "telemetry:get_samples": "", diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json index 5844cea..585b31a 100644 --- a/etc/cinder/policy.json +++ b/etc/cinder/policy.json @@ -34,8 +34,8 @@ "volume_extension:access_types_qos_specs_id": "rule:admin_api", "volume_extension:access_types_extra_specs": "rule:admin_api", "volume_extension:volume_type_access": "rule:admin_or_owner", - "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", - "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly", "volume_extension:volume_type_encryption": "rule:admin_api", "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", diff --git a/etc/manila/policy.json b/etc/manila/policy.json index c9c7c51..db1408f 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", @@ -72,9 +72,9 @@ "share_type:default": "rule:default", "share_type:create": "rule:admin_api", "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api", + "share_type:add_project_access": "rule:admin_api and rule:deny_readonly", "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", + "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly", "share_types_extra_spec:create": "rule:admin_api", "share_types_extra_spec:update": "rule:admin_api", @@ -102,7 +102,7 @@ "share_network:detail": "rule:default", "share_network:show": "rule:default", "share_network:add_security_service": "rule:default", - "share_network:remove_security_service": "rule:default", + "share_network:remove_security_service": "rule:default and rule:deny_readonly", "share_network:get_all_share_networks": "rule:admin_api", "scheduler_stats:pools:index": "rule:admin_api", diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json index 75b5a1f..e4ea2d7 100644 --- a/etc/neutron/policy.json +++ b/etc/neutron/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "owner": "tenant_id:%(tenant_id)s and rule:deny_readonly", "admin_or_owner": "rule:context_is_admin or rule:owner", "context_is_advsvc": "role:advsvc and rule:deny_readonly", diff --git a/etc/nova/policy.json b/etc/nova/policy.json index c90baea..f0843d5 100644 --- a/etc/nova/policy.json +++ b/etc/nova/policy.json @@ -26,11 +26,11 @@ "os_compute_api:os-evacuate:discoverable": "@", "os_compute_api:os-rescue:discoverable": "@", "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "os_compute_api:server-metadata:index": "rule:admin_or_owner", "os_compute_api:os-server-groups": "rule:admin_or_owner", "os_compute_api:os-cells:discoverable": "@", - "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", + "os_compute_api:os-aggregates:set_metadata": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-deferred-delete:discoverable": "@", "os_compute_api:os-certificates:discoverable": "@", "os_compute_api:server-metadata:show": "rule:admin_or_owner", @@ -59,7 +59,7 @@ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner", "os_compute_api:os-block-device-mapping-v1:discoverable": "@", - "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", + "os_compute_api:os-admin-actions:reset_state": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner", "os_compute_api:servers:show": "rule:admin_or_owner", "os_compute_api:os-fping:all_tenants": "rule:admin_api", @@ -111,7 +111,7 @@ "os_compute_api:os-admin-actions": "rule:admin_api", "os_compute_api:os-server-tags:update_all": "@", "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner", - "os_compute_api:os-quota-sets:update": "rule:admin_api", + "os_compute_api:os-quota-sets:update": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-floating-ip-pools:discoverable": "@", "os_compute_api:os-console-output:discoverable": "@", "os_compute_api:servers:show:host_status": "rule:admin_api", @@ -145,7 +145,7 @@ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", "os_compute_api:os-evacuate": "rule:admin_api", "os_compute_api:servers:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-aggregates:remove_host": "rule:admin_api", + "os_compute_api:os-aggregates:remove_host": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-baremetal-nodes:discoverable": "@", "os_compute_api:os-console-output": "rule:admin_or_owner", "os_compute_api:os-aggregates:update": "rule:admin_api", @@ -187,7 +187,7 @@ "os_compute_api:os-pci:pci_servers": "rule:admin_or_owner", "os_compute_api:os-server-password:discoverable": "@", "os_compute_api:os-cells": "rule:admin_api", - "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", + "os_compute_api:os-admin-actions:reset_network": "rule:admin_api and rule:deny_readonly", "os_compute_api:image-size:discoverable": "@", "os_compute_api:os-certificates:show": "rule:admin_or_owner", "os_compute_api:os-config-drive": "rule:admin_or_owner", @@ -216,7 +216,7 @@ "os_compute_api:os-server-tags:update": "@", "os_compute_api:os-quota-class-sets:update": "rule:admin_api", "os_compute_api:flavors": "rule:admin_or_owner", - "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner", "os_compute_api:servers:discoverable": "@", "os_compute_api:os-flavor-manage:discoverable": "@", @@ -245,7 +245,7 @@ "os_compute_api:os-server-tags:discoverable": "@", "os_compute_api:os-baremetal-nodes": "rule:admin_api", "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner", - "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", + "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api and rule:deny_readonly", "os_compute_api:os-simple-tenant-usage:discoverable": "@", "os_compute_api:os-networks": "rule:admin_api", "os_compute_api:os-pci:discoverable": "@", diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json index 06948c5..bfab46f 100644 --- a/etc/sahara/policy.json +++ b/etc/sahara/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "default": "", "data-processing:clusters:get_all": "", diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json index a7645f7..259625e 100644 --- a/etc/zaqar/policy.json +++ b/etc/zaqar/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", |