Made readonly more explicit...

author: Vincent S. Cojot <vcojot@redhat.com> 2017-04-16 17:04:27 -0400
committer: Vincent S. Cojot <vcojot@redhat.com> 2017-04-16 17:04:27 -0400
commit: 1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23 (patch)
tree: 23b6d09797de44f4ba38b503946a75c1ee19c83f /etc/cinder
parent: 70c2379249d6bede8a33ff5617f87e07ee3fe9c7 (diff)
download: openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.gz
openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.xz
openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.zip
1 files changed, 57 insertions, 57 deletions
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index c3f6ff6..c25148c 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -1,33 +1,33 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
 
     "admin_api": "is_admin:True",
 
     "volume:create": "rule:deny_readonly",
-    "volume:delete": "rule:admin_or_owner",
+    "volume:delete": "rule:admin_or_owner and rule:deny_readonly",
     "volume:get": "rule:admin_or_owner",
     "volume:get_all": "rule:admin_or_owner",
     "volume:get_volume_metadata": "rule:admin_or_owner",
-    "volume:create_volume_metadata": "rule:admin_or_owner",
-    "volume:delete_volume_metadata": "rule:admin_or_owner",
-    "volume:update_volume_metadata": "rule:admin_or_owner",
+    "volume:create_volume_metadata": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:delete_volume_metadata": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:update_volume_metadata": "rule:admin_or_owner and rule:deny_readonly",
     "volume:get_volume_admin_metadata": "rule:admin_api",
-    "volume:update_volume_admin_metadata": "rule:admin_api",
+    "volume:update_volume_admin_metadata": "rule:admin_api and rule:deny_readonly",
     "volume:get_snapshot": "rule:admin_or_owner",
     "volume:get_all_snapshots": "rule:admin_or_owner",
-    "volume:create_snapshot": "rule:admin_or_owner",
-    "volume:delete_snapshot": "rule:admin_or_owner",
-    "volume:update_snapshot": "rule:admin_or_owner",
+    "volume:create_snapshot": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:delete_snapshot": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:update_snapshot": "rule:admin_or_owner and rule:deny_readonly",
     "volume:get_snapshot_metadata": "rule:admin_or_owner",
-    "volume:delete_snapshot_metadata": "rule:admin_or_owner",
-    "volume:update_snapshot_metadata": "rule:admin_or_owner",
-    "volume:extend": "rule:admin_or_owner",
-    "volume:update_readonly_flag": "rule:admin_or_owner",
-    "volume:retype": "rule:admin_or_owner",
-    "volume:update": "rule:admin_or_owner",
+    "volume:delete_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:update_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:extend": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:update_readonly_flag": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:retype": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:update": "rule:admin_or_owner and rule:deny_readonly",
 
     "volume_extension:types_manage": "rule:admin_api",
     "volume_extension:types_extra_specs": "rule:admin_api",
@@ -42,23 +42,23 @@
     "volume_extension:volume_image_metadata": "rule:admin_or_owner",
 
     "volume_extension:quotas:show": "",
-    "volume_extension:quotas:update": "rule:admin_api",
-    "volume_extension:quotas:delete": "rule:admin_api",
+    "volume_extension:quotas:update": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:quotas:delete": "rule:admin_api and rule:deny_readonly",
     "volume_extension:quota_classes": "rule:admin_api",
-    "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
+    "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api and rule:deny_readonly",
 
-    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
-    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
-    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
-    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
-    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
-    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
-    "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
-    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
-    "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
+    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:backup_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api and rule:deny_readonly",
 
-    "volume_extension:volume_actions:upload_public": "rule:admin_api",
-    "volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
+    "volume_extension:volume_actions:upload_public": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_actions:upload_image": "rule:admin_or_owner and rule:deny_readonly",
 
     "volume_extension:volume_host_attribute": "rule:admin_api",
     "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
@@ -67,47 +67,47 @@
     "volume_extension:services:index": "rule:admin_api",
     "volume_extension:services:update" : "rule:admin_api",
 
-    "volume_extension:volume_manage": "rule:admin_api",
-    "volume_extension:volume_unmanage": "rule:admin_api",
-    "volume_extension:list_manageable": "rule:admin_api",
+    "volume_extension:volume_manage": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_unmanage": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:list_manageable": "rule:admin_api and rule:deny_readonly",
 
     "volume_extension:capabilities": "rule:admin_api",
 
-    "volume:create_transfer": "rule:admin_or_owner",
+    "volume:create_transfer": "rule:admin_or_owner and rule:deny_readonly",
     "volume:accept_transfer": "rule:deny_readonly",
-    "volume:delete_transfer": "rule:admin_or_owner",
-    "volume:get_transfer": "rule:admin_or_owner",
-    "volume:get_all_transfers": "rule:admin_or_owner",
+    "volume:delete_transfer": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:get_transfer": "rule:admin_or_owner and rule:deny_readonly",
+    "volume:get_all_transfers": "rule:admin_or_owner and rule:deny_readonly",
 
-    "volume_extension:replication:promote": "rule:admin_api",
-    "volume_extension:replication:reenable": "rule:admin_api",
+    "volume_extension:replication:promote": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:replication:reenable": "rule:admin_api and rule:deny_readonly",
 
-    "volume:failover_host": "rule:admin_api",
-    "volume:freeze_host": "rule:admin_api",
-    "volume:thaw_host": "rule:admin_api",
+    "volume:failover_host": "rule:admin_api and rule:deny_readonly",
+    "volume:freeze_host": "rule:admin_api and rule:deny_readonly",
+    "volume:thaw_host": "rule:admin_api and rule:deny_readonly",
 
     "backup:create" : "rule:deny_readonly",
-    "backup:delete": "rule:admin_or_owner",
+    "backup:delete": "rule:admin_or_owner and rule:deny_readonly",
     "backup:get": "rule:admin_or_owner",
     "backup:get_all": "rule:admin_or_owner",
-    "backup:restore": "rule:admin_or_owner",
+    "backup:restore": "rule:admin_or_owner and rule:deny_readonly",
     "backup:backup-import": "rule:admin_api",
     "backup:backup-export": "rule:admin_api",
-    "backup:update": "rule:admin_or_owner",
+    "backup:update": "rule:admin_or_owner and rule:deny_readonly",
 
     "snapshot_extension:snapshot_actions:update_snapshot_status": "rule:deny_readonly",
-    "snapshot_extension:snapshot_manage": "rule:admin_api",
-    "snapshot_extension:snapshot_unmanage": "rule:admin_api",
+    "snapshot_extension:snapshot_manage": "rule:admin_api and rule:deny_readonly",
+    "snapshot_extension:snapshot_unmanage": "rule:admin_api and rule:deny_readonly",
     "snapshot_extension:list_manageable": "rule:admin_api",
 
-    "consistencygroup:create" : "group:nobody",
-    "consistencygroup:delete": "group:nobody",
-    "consistencygroup:update": "group:nobody",
+    "consistencygroup:create" : "group:nobody and rule:deny_readonly",
+    "consistencygroup:delete": "group:nobody and rule:deny_readonly",
+    "consistencygroup:update": "group:nobody and rule:deny_readonly",
     "consistencygroup:get": "group:nobody",
     "consistencygroup:get_all": "group:nobody",
 
-    "consistencygroup:create_cgsnapshot" : "group:nobody",
-    "consistencygroup:delete_cgsnapshot": "group:nobody",
+    "consistencygroup:create_cgsnapshot" : "group:nobody and rule:deny_readonly",
+    "consistencygroup:delete_cgsnapshot": "group:nobody and rule:deny_readonly",
     "consistencygroup:get_cgsnapshot": "group:nobody",
     "consistencygroup:get_all_cgsnapshots": "group:nobody",
 
@@ -117,23 +117,23 @@
     "group:group_type_access": "rule:admin_or_owner",
 
     "group:create" : "rule:deny_readonly",
-    "group:delete": "rule:admin_or_owner",
-    "group:update": "rule:admin_or_owner",
+    "group:delete": "rule:admin_or_owner and rule:deny_readonly",
+    "group:update": "rule:admin_or_owner and rule:deny_readonly",
     "group:get": "rule:admin_or_owner",
     "group:get_all": "rule:admin_or_owner",
 
     "group:create_group_snapshot": "rule:deny_readonly",
-    "group:delete_group_snapshot": "rule:admin_or_owner",
-    "group:update_group_snapshot": "rule:admin_or_owner",
+    "group:delete_group_snapshot": "rule:admin_or_owner and rule:deny_readonly",
+    "group:update_group_snapshot": "rule:admin_or_owner and rule:deny_readonly",
     "group:get_group_snapshot": "rule:admin_or_owner",
     "group:get_all_group_snapshots": "rule:admin_or_owner",
 
     "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
-    "message:delete": "rule:admin_or_owner",
+    "message:delete": "rule:admin_or_owner and rule:deny_readonly",
     "message:get": "rule:admin_or_owner",
     "message:get_all": "rule:admin_or_owner",
 
     "clusters:get": "rule:admin_api",
     "clusters:get_all": "rule:admin_api",
-    "clusters:update": "rule:admin_api"
+    "clusters:update": "rule:admin_api and rule:deny_readonly"
 }
author	Vincent S. Cojot <vcojot@redhat.com>	2017-04-16 17:04:27 -0400
committer	Vincent S. Cojot <vcojot@redhat.com>	2017-04-16 17:04:27 -0400
commit	1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23 (patch)
tree	23b6d09797de44f4ba38b503946a75c1ee19c83f /etc/cinder
parent	70c2379249d6bede8a33ff5617f87e07ee3fe9c7 (diff)
download	openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.gz openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.xz openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.zip