author | Sean Pryor <spryor@redhat.com> | 2017-05-25 17:43:27 -0400 |
---|---|---|
committer | Sean Pryor <spryor@redhat.com> | 2017-05-25 17:43:27 -0400 |
commit | 8da390dc08f48fbfaf3d35c0576d65b5085a0b8c (patch) | |
tree | f3d5fc6156a3ac3a1d5a05e1394f789dc0e78541 /etc/mistral/policy.json | |
parent | 310cf235864dc790f72e51804c2a8998510103e5 (diff) | |
Updated with poking some holes in the policy to let readonly list things
Change-Id: I0ef6e4ec7ab271f2377035ab71a0faaaef9ce463
Diffstat (limited to 'etc/mistral/policy.json')
-rw-r--r-- | etc/mistral/policy.json | 98 |
1 files changed, 49 insertions, 49 deletions
diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json
index 3278023..a5787af 100644
--- a/etc/mistral/policy.json
+++ b/etc/mistral/policy.json
@@ -1,64 +1,64 @@
 {
 "admin_only": "is_admin:True",
 "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_owner and rule:deny_readonly",
- "action_executions:delete": "rule:admin_or_owner",
- "action_execution:create": "rule:admin_or_owner",
- "action_executions:get": "rule:admin_or_owner",
- "action_executions:list": "rule:admin_or_owner",
- "action_executions:update": "rule:admin_or_owner",
+ "action_executions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "action_execution:create": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:update": "rule:admin_or_owner and rule:deny_readonly",
- "actions:create": "rule:admin_or_owner",
- "actions:delete": "rule:admin_or_owner",
- "actions:get": "rule:admin_or_owner",
- "actions:list": "rule:admin_or_owner",
- "actions:update": "rule:admin_or_owner",
+ "actions:create": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:update": "rule:admin_or_owner and rule:deny_readonly",
- "cron_triggers:create": "rule:admin_or_owner",
- "cron_triggers:delete": "rule:admin_or_owner",
- "cron_triggers:get": "rule:admin_or_owner",
- "cron_triggers:list": "rule:admin_or_owner",
+ "cron_triggers:create": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:get": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:list": "rule:admin_or_owner and rule:deny_readonly",
- "environments:create": "rule:admin_or_owner",
- "environments:delete": "rule:admin_or_owner",
- "environments:get": "rule:admin_or_owner",
- "environments:list": "rule:admin_or_owner",
- "environments:update": "rule:admin_or_owner",
+ "environments:create": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:get": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:list": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:update": "rule:admin_or_owner and rule:deny_readonly",
- "executions:create": "rule:admin_or_owner",
- "executions:delete": "rule:admin_or_owner",
- "executions:get": "rule:admin_or_owner",
- "executions:list": "rule:admin_or_owner",
- "executions:update": "rule:admin_or_owner",
+ "executions:create": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:update": "rule:admin_or_owner and rule:deny_readonly",
- "members:create": "rule:admin_or_owner",
- "members:delete": "rule:admin_or_owner",
- "members:get": "rule:admin_or_owner",
- "members:list": "rule:admin_or_owner",
- "members:update": "rule:admin_or_owner",
+ "members:create": "rule:admin_or_owner and rule:deny_readonly",
+ "members:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "members:get": "rule:admin_or_owner and rule:deny_readonly",
+ "members:list": "rule:admin_or_owner and rule:deny_readonly",
+ "members:update": "rule:admin_or_owner and rule:deny_readonly",
- "services:list": "rule:admin_or_owner",
+ "services:list": "rule:admin_or_owner and rule:deny_readonly",
- "tasks:get": "rule:admin_or_owner",
- "tasks:list": "rule:admin_or_owner",
- "tasks:update": "rule:admin_or_owner",
+ "tasks:get": "rule:admin_or_owner and rule:deny_readonly",
+ "tasks:list": "rule:admin_or_owner and rule:deny_readonly",
+ "tasks:update": "rule:admin_or_owner and rule:deny_readonly",
- "workbooks:create": "rule:admin_or_owner",
- "workbooks:delete": "rule:admin_or_owner",
- "workbooks:get": "rule:admin_or_owner",
- "workbooks:list": "rule:admin_or_owner",
- "workbooks:update": "rule:admin_or_owner",
+ "workbooks:create": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:get": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:list": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:update": "rule:admin_or_owner and rule:deny_readonly",
- "workflows:create": "rule:admin_or_owner",
- "workflows:delete": "rule:admin_or_owner",
- "workflows:get": "rule:admin_or_owner",
- "workflows:list": "rule:admin_or_owner",
- "workflows:update": "rule:admin_or_owner",
+ "workflows:create": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:get": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:list": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:update": "rule:admin_or_owner and rule:deny_readonly",
- "event_triggers:create": "rule:admin_or_owner",
- "event_triggers:delete": "rule:admin_or_owner",
- "event_triggers:get": "rule:admin_or_owner",
- "event_triggers:list": "rule:admin_or_owner",
- "event_triggers:update": "rule:admin_or_owner"
+ "event_triggers:create": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:get": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:list": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:update": "rule:admin_or_owner and rule:deny_readonly"
 } |
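Review bot: `rule:deny_readonly` is referenced by every entry on the new side, including `default`, but no `deny_readonly` rule is defined in this file, which the hunk (`-1,64 +1,64`) appears to cover in full. oslo.policy evaluates a reference to an undefined rule as false, so unless the rule is loaded from another policy file these `and` expressions would deny every Mistral API call, admins included; define it alongside `admin_or_owner`, e.g. `"deny_readonly": "not role:<READONLY_ROLE>",` (placeholder role name, not taken from the page). The commit message says the read-only role should be able to list things, yet the `*:get` and `*:list` entries also gain `and rule:deny_readonly`, so in this file reads are blocked for that role too. If reads are meant to stay open, keep those entries as they were, as in `"actions:list": "rule:admin_or_owner",`, and restrict only the create/update/delete rules. Consider also whether `default` should fail closed for the read-only role, since it covers any API not listed explicitly.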