authorSean Pryor <spryor@redhat.com>2017-05-25 17:43:27 -0400
committerSean Pryor <spryor@redhat.com>2017-05-25 17:43:27 -0400
commit8da390dc08f48fbfaf3d35c0576d65b5085a0b8c (patch)
treef3d5fc6156a3ac3a1d5a05e1394f789dc0e78541 /etc/mistral/policy.json
parent310cf235864dc790f72e51804c2a8998510103e5 (diff)
Updated with poking some holes in the policy to let readonly list things
Change-Id: I0ef6e4ec7ab271f2377035ab71a0faaaef9ce463
Diffstat (limited to 'etc/mistral/policy.json')
-rw-r--r--etc/mistral/policy.json98
1 files changed, 49 insertions, 49 deletions
diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json
index 3278023..a5787af 100644
--- a/etc/mistral/policy.json
+++ b/etc/mistral/policy.json
@@ -1,64 +1,64 @@
{
"admin_only": "is_admin:True",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_owner and rule:deny_readonly",
- "action_executions:delete": "rule:admin_or_owner",
- "action_execution:create": "rule:admin_or_owner",
- "action_executions:get": "rule:admin_or_owner",
- "action_executions:list": "rule:admin_or_owner",
- "action_executions:update": "rule:admin_or_owner",
+ "action_executions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "action_execution:create": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "action_executions:update": "rule:admin_or_owner and rule:deny_readonly",
- "actions:create": "rule:admin_or_owner",
- "actions:delete": "rule:admin_or_owner",
- "actions:get": "rule:admin_or_owner",
- "actions:list": "rule:admin_or_owner",
- "actions:update": "rule:admin_or_owner",
+ "actions:create": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "actions:update": "rule:admin_or_owner and rule:deny_readonly",
- "cron_triggers:create": "rule:admin_or_owner",
- "cron_triggers:delete": "rule:admin_or_owner",
- "cron_triggers:get": "rule:admin_or_owner",
- "cron_triggers:list": "rule:admin_or_owner",
+ "cron_triggers:create": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:get": "rule:admin_or_owner and rule:deny_readonly",
+ "cron_triggers:list": "rule:admin_or_owner and rule:deny_readonly",
- "environments:create": "rule:admin_or_owner",
- "environments:delete": "rule:admin_or_owner",
- "environments:get": "rule:admin_or_owner",
- "environments:list": "rule:admin_or_owner",
- "environments:update": "rule:admin_or_owner",
+ "environments:create": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:get": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:list": "rule:admin_or_owner and rule:deny_readonly",
+ "environments:update": "rule:admin_or_owner and rule:deny_readonly",
- "executions:create": "rule:admin_or_owner",
- "executions:delete": "rule:admin_or_owner",
- "executions:get": "rule:admin_or_owner",
- "executions:list": "rule:admin_or_owner",
- "executions:update": "rule:admin_or_owner",
+ "executions:create": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:get": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:list": "rule:admin_or_owner and rule:deny_readonly",
+ "executions:update": "rule:admin_or_owner and rule:deny_readonly",
- "members:create": "rule:admin_or_owner",
- "members:delete": "rule:admin_or_owner",
- "members:get": "rule:admin_or_owner",
- "members:list": "rule:admin_or_owner",
- "members:update": "rule:admin_or_owner",
+ "members:create": "rule:admin_or_owner and rule:deny_readonly",
+ "members:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "members:get": "rule:admin_or_owner and rule:deny_readonly",
+ "members:list": "rule:admin_or_owner and rule:deny_readonly",
+ "members:update": "rule:admin_or_owner and rule:deny_readonly",
- "services:list": "rule:admin_or_owner",
+ "services:list": "rule:admin_or_owner and rule:deny_readonly",
- "tasks:get": "rule:admin_or_owner",
- "tasks:list": "rule:admin_or_owner",
- "tasks:update": "rule:admin_or_owner",
+ "tasks:get": "rule:admin_or_owner and rule:deny_readonly",
+ "tasks:list": "rule:admin_or_owner and rule:deny_readonly",
+ "tasks:update": "rule:admin_or_owner and rule:deny_readonly",
- "workbooks:create": "rule:admin_or_owner",
- "workbooks:delete": "rule:admin_or_owner",
- "workbooks:get": "rule:admin_or_owner",
- "workbooks:list": "rule:admin_or_owner",
- "workbooks:update": "rule:admin_or_owner",
+ "workbooks:create": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:get": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:list": "rule:admin_or_owner and rule:deny_readonly",
+ "workbooks:update": "rule:admin_or_owner and rule:deny_readonly",
- "workflows:create": "rule:admin_or_owner",
- "workflows:delete": "rule:admin_or_owner",
- "workflows:get": "rule:admin_or_owner",
- "workflows:list": "rule:admin_or_owner",
- "workflows:update": "rule:admin_or_owner",
+ "workflows:create": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:get": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:list": "rule:admin_or_owner and rule:deny_readonly",
+ "workflows:update": "rule:admin_or_owner and rule:deny_readonly",
- "event_triggers:create": "rule:admin_or_owner",
- "event_triggers:delete": "rule:admin_or_owner",
- "event_triggers:get": "rule:admin_or_owner",
- "event_triggers:list": "rule:admin_or_owner",
- "event_triggers:update": "rule:admin_or_owner"
+ "event_triggers:create": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:delete": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:get": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:list": "rule:admin_or_owner and rule:deny_readonly",
+ "event_triggers:update": "rule:admin_or_owner and rule:deny_readonly"
}
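Review bot: `rule:deny_readonly` is now AND-ed into every entry, including `default`, but no `deny_readonly` rule is defined anywhere in this file (the hunk spans the whole file, lines 1–64). Unless another policy file that is merged at load time supplies it, oslo.policy evaluates a reference to an undefined rule as a failed check, so every Mistral API call would be denied, admins included. Either define it here, e.g. `"deny_readonly": "not role:<READONLY_ROLE>"` (placeholder role name), or state in the commit message which file provides it. Separately, the `*:get` and `*:list` entries receive the same suffix as create/update/delete, so the read-only "holes" named in the commit title are not visible in this file; if read-only users are meant to list and get, those entries should remain `rule:admin_or_owner`.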