Untested drafts of modifications to all other policies

Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246

1 files changed, 56 insertions, 51 deletions

diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json
index 3278023..774d22a 100644
--- a/etc/mistral/policy.json
+++ b/etc/mistral/policy.json
@@ -1,64 +1,69 @@
 {
-    "admin_only": "is_admin:True",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
+    "global_readonly": "(role:global_readonly)",
+    "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+    "_member_role": "(role:member or role:_member_)",
+    "member": "(project_id:%(project_id)s and rule:_member_role)",
+    "admin": "(is_admin:True or role:admin)",
+    "owner": "(user_id:%(user_id)s and rule:_member_role)",
 
-    "action_executions:delete": "rule:admin_or_owner",
-    "action_execution:create": "rule:admin_or_owner",
-    "action_executions:get": "rule:admin_or_owner",
-    "action_executions:list": "rule:admin_or_owner",
-    "action_executions:update": "rule:admin_or_owner",
+    "default": "rule:admin or rule:member",
 
-    "actions:create": "rule:admin_or_owner",
-    "actions:delete": "rule:admin_or_owner",
-    "actions:get": "rule:admin_or_owner",
-    "actions:list": "rule:admin_or_owner",
-    "actions:update": "rule:admin_or_owner",
+    "action_executions:delete": "rule:admin or rule:member",
+    "action_execution:create": "rule:admin or rule:member",
+    "action_executions:get": "rule:admin or rule:member",
+    "action_executions:list": "rule:admin or rule:member",
+    "action_executions:update": "rule:admin or rule:member",
 
-    "cron_triggers:create": "rule:admin_or_owner",
-    "cron_triggers:delete": "rule:admin_or_owner",
-    "cron_triggers:get": "rule:admin_or_owner",
-    "cron_triggers:list": "rule:admin_or_owner",
+    "actions:create": "rule:admin or rule:member",
+    "actions:delete": "rule:admin or rule:member",
+    "actions:get": "rule:admin or rule:member",
+    "actions:list": "rule:admin or rule:member",
+    "actions:update": "rule:admin or rule:member",
 
-    "environments:create": "rule:admin_or_owner",
-    "environments:delete": "rule:admin_or_owner",
-    "environments:get": "rule:admin_or_owner",
-    "environments:list": "rule:admin_or_owner",
-    "environments:update": "rule:admin_or_owner",
+    "cron_triggers:create": "rule:admin or rule:member",
+    "cron_triggers:delete": "rule:admin or rule:member",
+    "cron_triggers:get": "rule:admin or rule:member",
+    "cron_triggers:list": "rule:admin or rule:member",
 
-    "executions:create": "rule:admin_or_owner",
-    "executions:delete": "rule:admin_or_owner",
-    "executions:get": "rule:admin_or_owner",
-    "executions:list": "rule:admin_or_owner",
-    "executions:update": "rule:admin_or_owner",
+    "environments:create": "rule:admin or rule:member",
+    "environments:delete": "rule:admin or rule:member",
+    "environments:get": "rule:admin or rule:member",
+    "environments:list": "rule:admin or rule:member",
+    "environments:update": "rule:admin or rule:member",
 
-    "members:create": "rule:admin_or_owner",
-    "members:delete": "rule:admin_or_owner",
-    "members:get": "rule:admin_or_owner",
-    "members:list": "rule:admin_or_owner",
-    "members:update": "rule:admin_or_owner",
+    "executions:create": "rule:admin or rule:member",
+    "executions:delete": "rule:admin or rule:member",
+    "executions:get": "rule:admin or rule:member",
+    "executions:list": "rule:admin or rule:member",
+    "executions:update": "rule:admin or rule:member",
 
-    "services:list": "rule:admin_or_owner",
+    "members:create": "rule:admin or rule:member",
+    "members:delete": "rule:admin or rule:member",
+    "members:get": "rule:admin or rule:member",
+    "members:list": "rule:admin or rule:member",
+    "members:update": "rule:admin or rule:member",
 
-    "tasks:get": "rule:admin_or_owner",
-    "tasks:list": "rule:admin_or_owner",
-    "tasks:update": "rule:admin_or_owner",
+    "services:list": "rule:admin or rule:member",
 
-    "workbooks:create": "rule:admin_or_owner",
-    "workbooks:delete": "rule:admin_or_owner",
-    "workbooks:get": "rule:admin_or_owner",
-    "workbooks:list": "rule:admin_or_owner",
-    "workbooks:update": "rule:admin_or_owner",
+    "tasks:get": "rule:admin or rule:member",
+    "tasks:list": "rule:admin or rule:member",
+    "tasks:update": "rule:admin or rule:member",
 
-    "workflows:create": "rule:admin_or_owner",
-    "workflows:delete": "rule:admin_or_owner",
-    "workflows:get": "rule:admin_or_owner",
-    "workflows:list": "rule:admin_or_owner",
-    "workflows:update": "rule:admin_or_owner",
+    "workbooks:create": "rule:admin or rule:member",
+    "workbooks:delete": "rule:admin or rule:member",
+    "workbooks:get": "rule:admin or rule:member",
+    "workbooks:list": "rule:admin or rule:member",
+    "workbooks:update": "rule:admin or rule:member",
 
-    "event_triggers:create": "rule:admin_or_owner",
-    "event_triggers:delete": "rule:admin_or_owner",
-    "event_triggers:get": "rule:admin_or_owner",
-    "event_triggers:list": "rule:admin_or_owner",
-    "event_triggers:update": "rule:admin_or_owner"
+    "workflows:create": "rule:admin or rule:member",
+    "workflows:delete": "rule:admin or rule:member",
+    "workflows:get": "rule:admin or rule:member",
+    "workflows:list": "rule:admin or rule:member",
+    "workflows:update": "rule:admin or rule:member",
+
+    "event_triggers:create": "rule:admin or rule:member",
+    "event_triggers:delete": "rule:admin or rule:member",
+    "event_triggers:get": "rule:admin or rule:member",
+    "event_triggers:list": "rule:admin or rule:member",
+    "event_triggers:update": "rule:admin or rule:member"
 }