diff options
| author | Vincent S. Cojot <vcojot@redhat.com> | 2017-04-16 17:04:27 -0400 |
|---|---|---|
| committer | Vincent S. Cojot <vcojot@redhat.com> | 2017-04-16 17:04:27 -0400 |
| commit | 1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23 (patch) | |
| tree | 23b6d09797de44f4ba38b503946a75c1ee19c83f /etc | |
| parent | 70c2379249d6bede8a33ff5617f87e07ee3fe9c7 (diff) | |
| download | openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.gz openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.tar.xz openstack-access-policy-1f0a9a0b18eefa76f7e36a486ae8e0f40580fb23.zip | |
Made readonly more explicit...
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/cinder/policy.json | 114 | ||||
| -rw-r--r-- | etc/glance/policy.json | 2 | ||||
| -rw-r--r-- | etc/neutron/policy.json | 58 |
3 files changed, 87 insertions, 87 deletions
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json index c3f6ff6..c25148c 100644 --- a/etc/cinder/policy.json +++ b/etc/cinder/policy.json @@ -1,33 +1,33 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", "admin_api": "is_admin:True", "volume:create": "rule:deny_readonly", - "volume:delete": "rule:admin_or_owner", + "volume:delete": "rule:admin_or_owner and rule:deny_readonly", "volume:get": "rule:admin_or_owner", "volume:get_all": "rule:admin_or_owner", "volume:get_volume_metadata": "rule:admin_or_owner", - "volume:create_volume_metadata": "rule:admin_or_owner", - "volume:delete_volume_metadata": "rule:admin_or_owner", - "volume:update_volume_metadata": "rule:admin_or_owner", + "volume:create_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume:delete_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume:update_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", "volume:get_volume_admin_metadata": "rule:admin_api", - "volume:update_volume_admin_metadata": "rule:admin_api", + "volume:update_volume_admin_metadata": "rule:admin_api and rule:deny_readonly", "volume:get_snapshot": "rule:admin_or_owner", "volume:get_all_snapshots": "rule:admin_or_owner", - "volume:create_snapshot": "rule:admin_or_owner", - "volume:delete_snapshot": "rule:admin_or_owner", - "volume:update_snapshot": "rule:admin_or_owner", + "volume:create_snapshot": "rule:admin_or_owner and rule:deny_readonly", + "volume:delete_snapshot": "rule:admin_or_owner and rule:deny_readonly", + "volume:update_snapshot": "rule:admin_or_owner and rule:deny_readonly", "volume:get_snapshot_metadata": "rule:admin_or_owner", - "volume:delete_snapshot_metadata": "rule:admin_or_owner", - "volume:update_snapshot_metadata": "rule:admin_or_owner", - "volume:extend": "rule:admin_or_owner", - "volume:update_readonly_flag": "rule:admin_or_owner", - "volume:retype": "rule:admin_or_owner", - "volume:update": "rule:admin_or_owner", + "volume:delete_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume:update_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume:extend": "rule:admin_or_owner and rule:deny_readonly", + "volume:update_readonly_flag": "rule:admin_or_owner and rule:deny_readonly", + "volume:retype": "rule:admin_or_owner and rule:deny_readonly", + "volume:update": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:types_manage": "rule:admin_api", "volume_extension:types_extra_specs": "rule:admin_api", @@ -42,23 +42,23 @@ "volume_extension:volume_image_metadata": "rule:admin_or_owner", "volume_extension:quotas:show": "", - "volume_extension:quotas:update": "rule:admin_api", - "volume_extension:quotas:delete": "rule:admin_api", + "volume_extension:quotas:update": "rule:admin_api and rule:deny_readonly", + "volume_extension:quotas:delete": "rule:admin_api and rule:deny_readonly", "volume_extension:quota_classes": "rule:admin_api", - "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", + "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", - "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", - "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", - "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", - "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", - "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", - "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api and rule:deny_readonly", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", + "volume_extension:backup_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_actions:upload_public": "rule:admin_api", - "volume_extension:volume_actions:upload_image": "rule:admin_or_owner", + "volume_extension:volume_actions:upload_public": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_actions:upload_image": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:volume_host_attribute": "rule:admin_api", "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", @@ -67,47 +67,47 @@ "volume_extension:services:index": "rule:admin_api", "volume_extension:services:update" : "rule:admin_api", - "volume_extension:volume_manage": "rule:admin_api", - "volume_extension:volume_unmanage": "rule:admin_api", - "volume_extension:list_manageable": "rule:admin_api", + "volume_extension:volume_manage": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_unmanage": "rule:admin_api and rule:deny_readonly", + "volume_extension:list_manageable": "rule:admin_api and rule:deny_readonly", "volume_extension:capabilities": "rule:admin_api", - "volume:create_transfer": "rule:admin_or_owner", + "volume:create_transfer": "rule:admin_or_owner and rule:deny_readonly", "volume:accept_transfer": "rule:deny_readonly", - "volume:delete_transfer": "rule:admin_or_owner", - "volume:get_transfer": "rule:admin_or_owner", - "volume:get_all_transfers": "rule:admin_or_owner", + "volume:delete_transfer": "rule:admin_or_owner and rule:deny_readonly", + "volume:get_transfer": "rule:admin_or_owner and rule:deny_readonly", + "volume:get_all_transfers": "rule:admin_or_owner and rule:deny_readonly", - "volume_extension:replication:promote": "rule:admin_api", - "volume_extension:replication:reenable": "rule:admin_api", + "volume_extension:replication:promote": "rule:admin_api and rule:deny_readonly", + "volume_extension:replication:reenable": "rule:admin_api and rule:deny_readonly", - "volume:failover_host": "rule:admin_api", - "volume:freeze_host": "rule:admin_api", - "volume:thaw_host": "rule:admin_api", + "volume:failover_host": "rule:admin_api and rule:deny_readonly", + "volume:freeze_host": "rule:admin_api and rule:deny_readonly", + "volume:thaw_host": "rule:admin_api and rule:deny_readonly", "backup:create" : "rule:deny_readonly", - "backup:delete": "rule:admin_or_owner", + "backup:delete": "rule:admin_or_owner and rule:deny_readonly", "backup:get": "rule:admin_or_owner", "backup:get_all": "rule:admin_or_owner", - "backup:restore": "rule:admin_or_owner", + "backup:restore": "rule:admin_or_owner and rule:deny_readonly", "backup:backup-import": "rule:admin_api", "backup:backup-export": "rule:admin_api", - "backup:update": "rule:admin_or_owner", + "backup:update": "rule:admin_or_owner and rule:deny_readonly", "snapshot_extension:snapshot_actions:update_snapshot_status": "rule:deny_readonly", - "snapshot_extension:snapshot_manage": "rule:admin_api", - "snapshot_extension:snapshot_unmanage": "rule:admin_api", + "snapshot_extension:snapshot_manage": "rule:admin_api and rule:deny_readonly", + "snapshot_extension:snapshot_unmanage": "rule:admin_api and rule:deny_readonly", "snapshot_extension:list_manageable": "rule:admin_api", - "consistencygroup:create" : "group:nobody", - "consistencygroup:delete": "group:nobody", - "consistencygroup:update": "group:nobody", + "consistencygroup:create" : "group:nobody and rule:deny_readonly", + "consistencygroup:delete": "group:nobody and rule:deny_readonly", + "consistencygroup:update": "group:nobody and rule:deny_readonly", "consistencygroup:get": "group:nobody", "consistencygroup:get_all": "group:nobody", - "consistencygroup:create_cgsnapshot" : "group:nobody", - "consistencygroup:delete_cgsnapshot": "group:nobody", + "consistencygroup:create_cgsnapshot" : "group:nobody and rule:deny_readonly", + "consistencygroup:delete_cgsnapshot": "group:nobody and rule:deny_readonly", "consistencygroup:get_cgsnapshot": "group:nobody", "consistencygroup:get_all_cgsnapshots": "group:nobody", @@ -117,23 +117,23 @@ "group:group_type_access": "rule:admin_or_owner", "group:create" : "rule:deny_readonly", - "group:delete": "rule:admin_or_owner", - "group:update": "rule:admin_or_owner", + "group:delete": "rule:admin_or_owner and rule:deny_readonly", + "group:update": "rule:admin_or_owner and rule:deny_readonly", "group:get": "rule:admin_or_owner", "group:get_all": "rule:admin_or_owner", "group:create_group_snapshot": "rule:deny_readonly", - "group:delete_group_snapshot": "rule:admin_or_owner", - "group:update_group_snapshot": "rule:admin_or_owner", + "group:delete_group_snapshot": "rule:admin_or_owner and rule:deny_readonly", + "group:update_group_snapshot": "rule:admin_or_owner and rule:deny_readonly", "group:get_group_snapshot": "rule:admin_or_owner", "group:get_all_group_snapshots": "rule:admin_or_owner", "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api", - "message:delete": "rule:admin_or_owner", + "message:delete": "rule:admin_or_owner and rule:deny_readonly", "message:get": "rule:admin_or_owner", "message:get_all": "rule:admin_or_owner", "clusters:get": "rule:admin_api", "clusters:get_all": "rule:admin_api", - "clusters:update": "rule:admin_api" + "clusters:update": "rule:admin_api and rule:deny_readonly" } diff --git a/etc/glance/policy.json b/etc/glance/policy.json index e59a6b3..22d3fa4 100644 --- a/etc/glance/policy.json +++ b/etc/glance/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "default": "role:admin", "add_image": "rule:deny_readonly", diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json index 77ba25f..ccdb827 100644 --- a/etc/neutron/policy.json +++ b/etc/neutron/policy.json @@ -1,12 +1,12 @@ { "deny_readonly": "not role:readonly", "context_is_admin": "role:admin", - "owner": "tenant_id:%(tenant_id)s", + "owner": "tenant_id:%(tenant_id)s and rule:deny_readonly", "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc", + "context_is_advsvc": "role:advsvc and rule:deny_readonly", "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s or role:network_admin", "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin", + "admin_only": "rule:context_is_admin and rule:deny_readonly", "regular_user": "rule:deny_readonly", "shared": "field:networks:shared=True", "shared_subnetpools": "field:subnetpools:shared=True", @@ -14,29 +14,29 @@ "external": "field:networks:router:external=True", "default": "rule:admin_or_owner", - "create_subnet": "rule:admin_or_network_owner", + "create_subnet": "rule:admin_or_network_owner and rule:deny_readonly", "create_subnet:segment_id": "rule:admin_only", "create_subnet:service_types": "rule:admin_only", "get_subnet": "rule:admin_or_owner or rule:shared", "get_subnet:segment_id": "rule:admin_only", - "update_subnet": "rule:admin_or_network_owner", + "update_subnet": "rule:admin_or_network_owner and rule:deny_readonly", "update_subnet:service_types": "rule:admin_only", - "delete_subnet": "rule:admin_or_network_owner", + "delete_subnet": "rule:admin_or_network_owner and rule:deny_readonly", "create_subnetpool": "rule:deny_readonly", "create_subnetpool:shared": "rule:admin_only", "create_subnetpool:is_default": "rule:admin_only", "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", - "update_subnetpool": "rule:admin_or_owner", + "update_subnetpool": "rule:admin_or_owner and rule:deny_readonly", "update_subnetpool:is_default": "rule:admin_only", - "delete_subnetpool": "rule:admin_or_owner", + "delete_subnetpool": "rule:admin_or_owner and rule:deny_readonly", "create_address_scope": "rule:deny_readonly", "create_address_scope:shared": "rule:admin_only", "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", - "update_address_scope": "rule:admin_or_owner", + "update_address_scope": "rule:admin_or_owner and rule:deny_readonly", "update_address_scope:shared": "rule:admin_only", - "delete_address_scope": "rule:admin_or_owner", + "delete_address_scope": "rule:admin_or_owner and rule:deny_readonly", "create_network": "rule:deny_readonly", "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", @@ -55,14 +55,14 @@ "create_network:provider:network_type": "rule:admin_only", "create_network:provider:physical_network": "rule:admin_only", "create_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", + "update_network": "rule:admin_or_owner and rule:deny_readonly", "update_network:segments": "rule:admin_only", "update_network:shared": "rule:admin_only", "update_network:provider:network_type": "rule:admin_only", "update_network:provider:physical_network": "rule:admin_only", "update_network:provider:segmentation_id": "rule:admin_only", "update_network:router:external": "rule:admin_only", - "delete_network": "rule:admin_or_owner", + "delete_network": "rule:admin_or_owner and rule:deny_readonly", "create_segment": "rule:admin_only", "get_segment": "rule:admin_only", @@ -78,7 +78,7 @@ "create_port:binding:host_id": "rule:admin_only", "create_port:binding:profile": "rule:admin_only", "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:allowed_address_pairs": "rule:admin_or_network_owner", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner and rule:deny_readonly", "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", "get_port:queue_id": "rule:admin_only", "get_port:binding:vif_type": "rule:admin_only", @@ -90,14 +90,14 @@ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", + "update_port:binding:host_id": "rule:admin_only and rule:deny_readonly", + "update_port:binding:profile": "rule:admin_only and rule:deny_readonly", "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:allowed_address_pairs": "rule:admin_or_network_owner", + "update_port:allowed_address_pairs": "rule:admin_or_network_owner and rule:deny_readonly", "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", "get_router:ha": "rule:admin_only", - "create_router": "rule:regular_user", + "create_router": "rule:regular_user and rule:deny_readonly", "create_router:external_gateway_info:enable_snat": "rule:admin_only", "create_router:distributed": "rule:admin_only", "create_router:ha": "rule:admin_only", @@ -106,16 +106,16 @@ "update_router:external_gateway_info:enable_snat": "rule:admin_only", "update_router:distributed": "rule:admin_only", "update_router:ha": "rule:admin_only", - "delete_router": "rule:admin_or_owner", + "delete_router": "rule:admin_or_owner and rule:deny_readonly", - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", + "add_router_interface": "rule:admin_or_owner and rule:deny_readonly", + "remove_router_interface": "rule:admin_or_owner and rule:deny_readonly", "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "insert_rule": "rule:admin_or_owner", - "remove_rule": "rule:admin_or_owner", + "insert_rule": "rule:admin_or_owner and rule:deny_readonly", + "remove_rule": "rule:admin_or_owner and rule:deny_readonly", "create_qos_queue": "rule:admin_only", "get_qos_queue": "rule:admin_only", @@ -137,10 +137,10 @@ "get_agent-loadbalancers": "rule:admin_only", "get_loadbalancer-hosting-agent": "rule:admin_only", - "create_floatingip": "rule:regular_user", + "create_floatingip": "rule:regular_user and rule:deny_readonly", "create_floatingip:floating_ip_address": "rule:admin_only", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", + "update_floatingip": "rule:admin_or_owner and rule:deny_readonly", + "delete_floatingip": "rule:admin_or_owner and rule:deny_readonly", "get_floatingip": "rule:admin_or_owner", "create_network_profile": "rule:admin_only", @@ -206,10 +206,10 @@ "get_flavor_service_profile": "rule:regular_user", "get_auto_allocated_topology": "rule:admin_or_owner", - "create_trunk": "rule:regular_user", + "create_trunk": "rule:regular_user and rule:deny_readonly", "get_trunk": "rule:admin_or_owner", - "delete_trunk": "rule:admin_or_owner", + "delete_trunk": "rule:admin_or_owner and rule:deny_readonly", "get_subports": "", - "add_subports": "rule:admin_or_owner", - "remove_subports": "rule:admin_or_owner" + "add_subports": "rule:admin_or_owner and rule:deny_readonly", + "remove_subports": "rule:admin_or_owner and rule:deny_readonly" } |