diff options
| author | Vincent S. Cojot <vcojot@redhat.com> | 2017-02-08 16:42:22 -0500 |
|---|---|---|
| committer | Vincent S. Cojot <vcojot@redhat.com> | 2017-02-08 16:42:22 -0500 |
| commit | 76707f93fc6e67c6905b0f79c47130eb32d7ee14 (patch) | |
| tree | fe24acb8c05f1e7f9f8a4c1f770a36765fdc8daf /etc | |
| download | openstack-access-policy-76707f93fc6e67c6905b0f79c47130eb32d7ee14.tar.gz openstack-access-policy-76707f93fc6e67c6905b0f79c47130eb32d7ee14.tar.xz openstack-access-policy-76707f93fc6e67c6905b0f79c47130eb32d7ee14.zip | |
Initial commit
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/aodh/policy.json | 21 | ||||
| -rw-r--r-- | etc/ceilometer/policy.json | 19 | ||||
| -rw-r--r-- | etc/cinder/policy.json | 139 | ||||
| -rw-r--r-- | etc/glance/policy.json | 62 | ||||
| -rw-r--r-- | etc/gnocchi/policy.json | 43 | ||||
| -rw-r--r-- | etc/heat/policy.json | 90 | ||||
| -rw-r--r-- | etc/ironic/policy.json | 5 | ||||
| -rw-r--r-- | etc/keystone/policy.json | 199 | ||||
| -rw-r--r-- | etc/manila/policy.json | 136 | ||||
| -rw-r--r-- | etc/mistral/policy.json | 64 | ||||
| -rw-r--r-- | etc/neutron/policy.json | 215 | ||||
| -rw-r--r-- | etc/nova/policy.json | 2 | ||||
| -rw-r--r-- | etc/sahara/policy.json | 74 | ||||
| -rw-r--r-- | etc/zaqar/policy.json | 47 |
14 files changed, 1116 insertions, 0 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json new file mode 100644 index 0000000..b4ea233 --- /dev/null +++ b/etc/aodh/policy.json @@ -0,0 +1,21 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "segregation": "rule:context_is_admin", + "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "telemetry:get_alarm": "rule:admin_or_owner", + "telemetry:get_alarms": "rule:admin_or_owner", + "telemetry:query_alarm": "rule:admin_or_owner", + + "telemetry:create_alarm": "rule:deny_readonly", + "telemetry:change_alarm": "rule:admin_or_owner", + "telemetry:delete_alarm": "rule:admin_or_owner", + + "telemetry:get_alarm_state": "rule:admin_or_owner", + "telemetry:change_alarm_state": "rule:admin_or_owner", + + "telemetry:alarm_history": "rule:admin_or_owner", + "telemetry:query_alarm_history": "rule:admin_or_owner" +} diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json new file mode 100644 index 0000000..add3ee6 --- /dev/null +++ b/etc/ceilometer/policy.json @@ -0,0 +1,19 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "segregation": "rule:context_is_admin", + + "telemetry:get_samples": "", + "telemetry:get_sample": "", + "telemetry:query_sample": "", + "telemetry:create_samples": "rule:deny_readonly", + + "telemetry:compute_statistics": "", + "telemetry:get_meters": "", + + "telemetry:get_resource": "", + "telemetry:get_resources": "", + + "telemetry:events:index": "", + "telemetry:events:show": "" +} diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json new file mode 100644 index 0000000..c3f6ff6 --- /dev/null +++ b/etc/cinder/policy.json @@ -0,0 +1,139 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "admin_api": "is_admin:True", + + "volume:create": "rule:deny_readonly", + "volume:delete": "rule:admin_or_owner", + "volume:get": "rule:admin_or_owner", + "volume:get_all": "rule:admin_or_owner", + "volume:get_volume_metadata": "rule:admin_or_owner", + "volume:create_volume_metadata": "rule:admin_or_owner", + "volume:delete_volume_metadata": "rule:admin_or_owner", + "volume:update_volume_metadata": "rule:admin_or_owner", + "volume:get_volume_admin_metadata": "rule:admin_api", + "volume:update_volume_admin_metadata": "rule:admin_api", + "volume:get_snapshot": "rule:admin_or_owner", + "volume:get_all_snapshots": "rule:admin_or_owner", + "volume:create_snapshot": "rule:admin_or_owner", + "volume:delete_snapshot": "rule:admin_or_owner", + "volume:update_snapshot": "rule:admin_or_owner", + "volume:get_snapshot_metadata": "rule:admin_or_owner", + "volume:delete_snapshot_metadata": "rule:admin_or_owner", + "volume:update_snapshot_metadata": "rule:admin_or_owner", + "volume:extend": "rule:admin_or_owner", + "volume:update_readonly_flag": "rule:admin_or_owner", + "volume:retype": "rule:admin_or_owner", + "volume:update": "rule:admin_or_owner", + + "volume_extension:types_manage": "rule:admin_api", + "volume_extension:types_extra_specs": "rule:admin_api", + "volume_extension:access_types_qos_specs_id": "rule:admin_api", + "volume_extension:access_types_extra_specs": "rule:admin_api", + "volume_extension:volume_type_access": "rule:admin_or_owner", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", + "volume_extension:volume_type_encryption": "rule:admin_api", + "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", + "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", + "volume_extension:volume_image_metadata": "rule:admin_or_owner", + + "volume_extension:quotas:show": "", + "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quotas:delete": "rule:admin_api", + "volume_extension:quota_classes": "rule:admin_api", + "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", + + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", + + "volume_extension:volume_actions:upload_public": "rule:admin_api", + "volume_extension:volume_actions:upload_image": "rule:admin_or_owner", + + "volume_extension:volume_host_attribute": "rule:admin_api", + "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", + "volume_extension:volume_mig_status_attribute": "rule:admin_api", + "volume_extension:hosts": "rule:admin_api", + "volume_extension:services:index": "rule:admin_api", + "volume_extension:services:update" : "rule:admin_api", + + "volume_extension:volume_manage": "rule:admin_api", + "volume_extension:volume_unmanage": "rule:admin_api", + "volume_extension:list_manageable": "rule:admin_api", + + "volume_extension:capabilities": "rule:admin_api", + + "volume:create_transfer": "rule:admin_or_owner", + "volume:accept_transfer": "rule:deny_readonly", + "volume:delete_transfer": "rule:admin_or_owner", + "volume:get_transfer": "rule:admin_or_owner", + "volume:get_all_transfers": "rule:admin_or_owner", + + "volume_extension:replication:promote": "rule:admin_api", + "volume_extension:replication:reenable": "rule:admin_api", + + "volume:failover_host": "rule:admin_api", + "volume:freeze_host": "rule:admin_api", + "volume:thaw_host": "rule:admin_api", + + "backup:create" : "rule:deny_readonly", + "backup:delete": "rule:admin_or_owner", + "backup:get": "rule:admin_or_owner", + "backup:get_all": "rule:admin_or_owner", + "backup:restore": "rule:admin_or_owner", + "backup:backup-import": "rule:admin_api", + "backup:backup-export": "rule:admin_api", + "backup:update": "rule:admin_or_owner", + + "snapshot_extension:snapshot_actions:update_snapshot_status": "rule:deny_readonly", + "snapshot_extension:snapshot_manage": "rule:admin_api", + "snapshot_extension:snapshot_unmanage": "rule:admin_api", + "snapshot_extension:list_manageable": "rule:admin_api", + + "consistencygroup:create" : "group:nobody", + "consistencygroup:delete": "group:nobody", + "consistencygroup:update": "group:nobody", + "consistencygroup:get": "group:nobody", + "consistencygroup:get_all": "group:nobody", + + "consistencygroup:create_cgsnapshot" : "group:nobody", + "consistencygroup:delete_cgsnapshot": "group:nobody", + "consistencygroup:get_cgsnapshot": "group:nobody", + "consistencygroup:get_all_cgsnapshots": "group:nobody", + + "group:group_types_manage": "rule:admin_api", + "group:group_types_specs": "rule:admin_api", + "group:access_group_types_specs": "rule:admin_api", + "group:group_type_access": "rule:admin_or_owner", + + "group:create" : "rule:deny_readonly", + "group:delete": "rule:admin_or_owner", + "group:update": "rule:admin_or_owner", + "group:get": "rule:admin_or_owner", + "group:get_all": "rule:admin_or_owner", + + "group:create_group_snapshot": "rule:deny_readonly", + "group:delete_group_snapshot": "rule:admin_or_owner", + "group:update_group_snapshot": "rule:admin_or_owner", + "group:get_group_snapshot": "rule:admin_or_owner", + "group:get_all_group_snapshots": "rule:admin_or_owner", + + "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api", + "message:delete": "rule:admin_or_owner", + "message:get": "rule:admin_or_owner", + "message:get_all": "rule:admin_or_owner", + + "clusters:get": "rule:admin_api", + "clusters:get_all": "rule:admin_api", + "clusters:update": "rule:admin_api" +} diff --git a/etc/glance/policy.json b/etc/glance/policy.json new file mode 100644 index 0000000..e59a6b3 --- /dev/null +++ b/etc/glance/policy.json @@ -0,0 +1,62 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "default": "role:admin", + + "add_image": "rule:deny_readonly", + "delete_image": "rule:deny_readonly", + "get_image": "", + "get_images": "", + "modify_image": "rule:deny_readonly", + "publicize_image": "role:admin", + "copy_from": "rule:deny_readonly", + + "download_image": "rule:deny_readonly", + "upload_image": "rule:deny_readonly", + + "delete_image_location": "rule:deny_readonly", + "get_image_location": "", + "set_image_location": "rule:deny_readonly", + + "add_member": "rule:deny_readonly", + "delete_member": "rule:deny_readonly", + "get_member": "", + "get_members": "", + "modify_member": "rule:deny_readonly", + + "manage_image_cache": "role:admin", + + "get_task": "role:admin", + "get_tasks": "role:admin", + "add_task": "role:admin", + "modify_task": "role:admin", + + "deactivate": "rule:deny_readonly", + "reactivate": "rule:deny_readonly", + + "get_metadef_namespace": "", + "get_metadef_namespaces":"", + "modify_metadef_namespace":"rule:deny_readonly", + "add_metadef_namespace":"rule:deny_readonly", + + "get_metadef_object":"", + "get_metadef_objects":"", + "modify_metadef_object":"rule:deny_readonly", + "add_metadef_object":"rule:deny_readonly", + + "list_metadef_resource_types":"", + "get_metadef_resource_type":"", + "add_metadef_resource_type_association":"", + + "get_metadef_property":"", + "get_metadef_properties":"", + "modify_metadef_property":"rule:deny_readonly", + "add_metadef_property":"rule:deny_readonly", + + "get_metadef_tag":"", + "get_metadef_tags":"", + "modify_metadef_tag":"rule:deny_readonly", + "add_metadef_tag":"rule:deny_readonly", + "add_metadef_tags":"rule:deny_readonly" + +} diff --git a/etc/gnocchi/policy.json b/etc/gnocchi/policy.json new file mode 100644 index 0000000..98fe90d --- /dev/null +++ b/etc/gnocchi/policy.json @@ -0,0 +1,43 @@ +{ + "deny_readonly": "not role:readonly", + "admin_or_creator": "role:admin or project_id:%(created_by_project_id)s", + "resource_owner": "project_id:%(project_id)s", + "metric_owner": "project_id:%(resource.project_id)s", + + "get status": "role:admin", + + "create resource": "rule:deny_readonly", + "get resource": "rule:admin_or_creator or rule:resource_owner", + "update resource": "rule:admin_or_creator", + "delete resource": "rule:admin_or_creator", + "delete resources": "rule:admin_or_creator", + "list resource": "rule:admin_or_creator or rule:resource_owner", + "search resource": "rule:admin_or_creator or rule:resource_owner", + + "create resource type": "role:admin", + "delete resource type": "role:admin", + "update resource type": "role:admin", + "list resource type": "", + "get resource type": "", + + "get archive policy": "", + "list archive policy": "", + "create archive policy": "role:admin", + "update archive policy": "role:admin", + "delete archive policy": "role:admin", + + "create archive policy rule": "role:admin", + "get archive policy rule": "", + "list archive policy rule": "", + "delete archive policy rule": "role:admin", + + "create metric": "rule:deny_readonly", + "delete metric": "rule:admin_or_creator", + "get metric": "rule:admin_or_creator or rule:metric_owner", + "search metric": "rule:admin_or_creator or rule:metric_owner", + "list metric": "", + "list all metric": "role:admin", + + "get measures": "rule:admin_or_creator or rule:metric_owner", + "post measures": "rule:admin_or_creator" +} diff --git a/etc/heat/policy.json b/etc/heat/policy.json new file mode 100644 index 0000000..83e1713 --- /dev/null +++ b/etc/heat/policy.json @@ -0,0 +1,90 @@ +{ + "context_is_admin": "role:admin", + "project_admin": "role:admin", + "deny_stack_user": "not role:heat_stack_user and not role:readonly", + "deny_everybody": "!", + "cloudformation:ListStacks": "rule:deny_stack_user", + "cloudformation:CreateStack": "rule:deny_stack_user", + "cloudformation:DescribeStacks": "rule:deny_stack_user", + "cloudformation:DeleteStack": "rule:deny_stack_user", + "cloudformation:UpdateStack": "rule:deny_stack_user", + "cloudformation:CancelUpdateStack": "rule:deny_stack_user", + "cloudformation:DescribeStackEvents": "rule:deny_stack_user", + "cloudformation:ValidateTemplate": "rule:deny_stack_user", + "cloudformation:GetTemplate": "rule:deny_stack_user", + "cloudformation:EstimateTemplateCost": "rule:deny_stack_user", + "cloudformation:DescribeStackResource": "", + "cloudformation:DescribeStackResources": "rule:deny_stack_user", + "cloudformation:ListStackResources": "rule:deny_stack_user", + "cloudwatch:DeleteAlarms": "rule:deny_stack_user", + "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user", + "cloudwatch:DescribeAlarms": "rule:deny_stack_user", + "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user", + "cloudwatch:DisableAlarmActions": "rule:deny_stack_user", + "cloudwatch:EnableAlarmActions": "rule:deny_stack_user", + "cloudwatch:GetMetricStatistics": "rule:deny_stack_user", + "cloudwatch:ListMetrics": "rule:deny_stack_user", + "cloudwatch:PutMetricAlarm": "rule:deny_stack_user", + "cloudwatch:PutMetricData": "", + "cloudwatch:SetAlarmState": "rule:deny_stack_user", + "actions:action": "rule:deny_stack_user", + "build_info:build_info": "rule:deny_stack_user", + "events:index": "rule:deny_stack_user", + "events:show": "rule:deny_stack_user", + "resource:index": "rule:deny_stack_user", + "resource:metadata": "", + "resource:signal": "", + "resource:mark_unhealthy": "rule:deny_stack_user", + "resource:show": "rule:deny_stack_user", + "stacks:abandon": "rule:deny_stack_user", + "stacks:create": "rule:deny_stack_user", + "stacks:delete": "rule:deny_stack_user", + "stacks:detail": "rule:deny_stack_user", + "stacks:export": "rule:deny_stack_user", + "stacks:generate_template": "rule:deny_stack_user", + "stacks:global_index": "rule:deny_everybody", + "stacks:index": "rule:deny_stack_user", + "stacks:list_resource_types": "rule:deny_stack_user", + "stacks:list_template_versions": "rule:deny_stack_user", + "stacks:list_template_functions": "rule:deny_stack_user", + "stacks:lookup": "", + "stacks:preview": "rule:deny_stack_user", + "stacks:resource_schema": "rule:deny_stack_user", + "stacks:show": "rule:deny_stack_user", + "stacks:template": "rule:deny_stack_user", + "stacks:environment": "rule:deny_stack_user", + "stacks:files": "rule:deny_stack_user", + "stacks:update": "rule:deny_stack_user", + "stacks:update_patch": "rule:deny_stack_user", + "stacks:preview_update": "rule:deny_stack_user", + "stacks:preview_update_patch": "rule:deny_stack_user", + "stacks:validate_template": "rule:deny_stack_user", + "stacks:snapshot": "rule:deny_stack_user", + "stacks:show_snapshot": "rule:deny_stack_user", + "stacks:delete_snapshot": "rule:deny_stack_user", + "stacks:list_snapshots": "rule:deny_stack_user", + "stacks:restore_snapshot": "rule:deny_stack_user", + "stacks:list_outputs": "rule:deny_stack_user", + "stacks:show_output": "rule:deny_stack_user", + "software_configs:global_index": "rule:deny_everybody", + "software_configs:index": "rule:deny_stack_user", + "software_configs:create": "rule:deny_stack_user", + "software_configs:show": "rule:deny_stack_user", + "software_configs:delete": "rule:deny_stack_user", + "software_deployments:index": "rule:deny_stack_user", + "software_deployments:create": "rule:deny_stack_user", + "software_deployments:show": "rule:deny_stack_user", + "software_deployments:update": "rule:deny_stack_user", + "software_deployments:delete": "rule:deny_stack_user", + "software_deployments:metadata": "", + "service:index": "rule:context_is_admin", + "resource_types:OS::Nova::Flavor": "rule:project_admin", + "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin", + "resource_types:OS::Cinder::VolumeType": "rule:project_admin", + "resource_types:OS::Cinder::Quota": "rule:project_admin", + "resource_types:OS::Manila::ShareType": "rule:project_admin", + "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin", + "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin", + "resource_types:OS::Nova::HostAggregate": "rule:project_admin", + "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin" +} diff --git a/etc/ironic/policy.json b/etc/ironic/policy.json new file mode 100644 index 0000000..1ae73ec --- /dev/null +++ b/etc/ironic/policy.json @@ -0,0 +1,5 @@ +# Beginning with the Newton release, you may leave this file empty +# to use default policy defined in code. +{ + +} diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json new file mode 100644 index 0000000..77b4c17 --- /dev/null +++ b/etc/keystone/policy.json @@ -0,0 +1,199 @@ +{ + "deny_readonly": "not role:readonly", + "admin_required": "role:admin or is_admin:1", + "service_role": "role:service", + "service_or_admin": "rule:admin_required or rule:service_role", + "owner" : "user_id:%(user_id)s", + "admin_or_owner": "rule:admin_required or rule:owner", + "token_subject": "user_id:%(target.token.user_id)s", + "admin_or_token_subject": "rule:admin_required or rule:token_subject", + "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", + + "default": "rule:admin_required", + + "identity:get_region": "", + "identity:list_regions": "", + "identity:create_region": "rule:admin_required", + "identity:update_region": "rule:admin_required", + "identity:delete_region": "rule:admin_required", + + "identity:get_service": "rule:admin_required", + "identity:list_services": "rule:admin_required", + "identity:create_service": "rule:admin_required", + "identity:update_service": "rule:admin_required", + "identity:delete_service": "rule:admin_required", + + "identity:get_endpoint": "rule:admin_required", + "identity:list_endpoints": "rule:admin_required", + "identity:create_endpoint": "rule:admin_required", + "identity:update_endpoint": "rule:admin_required", + "identity:delete_endpoint": "rule:admin_required", + + "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s", + "identity:list_domains": "rule:admin_required", + "identity:create_domain": "rule:admin_required", + "identity:update_domain": "rule:admin_required", + "identity:delete_domain": "rule:admin_required", + + "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", + "identity:list_projects": "rule:admin_required", + "identity:list_user_projects": "rule:admin_or_owner", + "identity:create_project": "rule:admin_required", + "identity:update_project": "rule:admin_required", + "identity:delete_project": "rule:admin_required", + + "identity:get_user": "rule:admin_or_owner", + "identity:list_users": "rule:admin_required", + "identity:create_user": "rule:admin_required", + "identity:update_user": "rule:admin_required", + "identity:delete_user": "rule:admin_required", + "identity:change_password": "rule:admin_or_owner", + + "identity:get_group": "rule:admin_required", + "identity:list_groups": "rule:admin_required", + "identity:list_groups_for_user": "rule:admin_or_owner", + "identity:create_group": "rule:admin_required", + "identity:update_group": "rule:admin_required", + "identity:delete_group": "rule:admin_required", + "identity:list_users_in_group": "rule:admin_required", + "identity:remove_user_from_group": "rule:admin_required", + "identity:check_user_in_group": "rule:admin_required", + "identity:add_user_to_group": "rule:admin_required", + + "identity:get_credential": "rule:admin_required", + "identity:list_credentials": "rule:admin_required", + "identity:create_credential": "rule:admin_required", + "identity:update_credential": "rule:admin_required", + "identity:delete_credential": "rule:admin_required", + + "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "identity:ec2_list_credentials": "rule:admin_or_owner", + "identity:ec2_create_credential": "rule:admin_or_owner", + "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + + "identity:get_role": "rule:admin_required", + "identity:list_roles": "rule:admin_required", + "identity:create_role": "rule:admin_required", + "identity:update_role": "rule:admin_required", + "identity:delete_role": "rule:admin_required", + "identity:get_domain_role": "rule:admin_required", + "identity:list_domain_roles": "rule:admin_required", + "identity:create_domain_role": "rule:admin_required", + "identity:update_domain_role": "rule:admin_required", + "identity:delete_domain_role": "rule:admin_required", + + "identity:get_implied_role": "rule:admin_required ", + "identity:list_implied_roles": "rule:admin_required", + "identity:create_implied_role": "rule:admin_required", + "identity:delete_implied_role": "rule:admin_required", + "identity:list_role_inference_rules": "rule:admin_required", + "identity:check_implied_role": "rule:admin_required", + + "identity:check_grant": "rule:admin_required", + "identity:list_grants": "rule:admin_required", + "identity:create_grant": "rule:admin_required", + "identity:revoke_grant": "rule:admin_required", + + "identity:list_role_assignments": "rule:admin_required", + "identity:list_role_assignments_for_tree": "rule:admin_required", + + "identity:get_policy": "rule:admin_required", + "identity:list_policies": "rule:admin_required", + "identity:create_policy": "rule:admin_required", + "identity:update_policy": "rule:admin_required", + "identity:delete_policy": "rule:admin_required", + + "identity:check_token": "rule:admin_or_token_subject", + "identity:validate_token": "rule:service_admin_or_token_subject", + "identity:validate_token_head": "rule:service_or_admin", + "identity:revocation_list": "rule:service_or_admin", + "identity:revoke_token": "rule:admin_or_token_subject", + + "identity:create_trust": "user_id:%(trust.trustor_user_id)s", + "identity:list_trusts": "", + "identity:list_roles_for_trust": "", + "identity:get_role_for_trust": "", + "identity:delete_trust": "rule:deny_readonly", + + "identity:create_consumer": "rule:admin_required", + "identity:get_consumer": "rule:admin_required", + "identity:list_consumers": "rule:admin_required", + "identity:delete_consumer": "rule:admin_required", + "identity:update_consumer": "rule:admin_required", + + "identity:authorize_request_token": "rule:admin_required", + "identity:list_access_token_roles": "rule:admin_required", + "identity:get_access_token_role": "rule:admin_required", + "identity:list_access_tokens": "rule:admin_required", + "identity:get_access_token": "rule:admin_required", + "identity:delete_access_token": "rule:admin_required", + + "identity:list_projects_for_endpoint": "rule:admin_required", + "identity:add_endpoint_to_project": "rule:admin_required", + "identity:check_endpoint_in_project": "rule:admin_required", + "identity:list_endpoints_for_project": "rule:admin_required", + "identity:remove_endpoint_from_project": "rule:admin_required", + + "identity:create_endpoint_group": "rule:admin_required", + "identity:list_endpoint_groups": "rule:admin_required", + "identity:get_endpoint_group": "rule:admin_required", + "identity:update_endpoint_group": "rule:admin_required", + "identity:delete_endpoint_group": "rule:admin_required", + "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", + "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", + "identity:get_endpoint_group_in_project": "rule:admin_required", + "identity:list_endpoint_groups_for_project": "rule:admin_required", + "identity:add_endpoint_group_to_project": "rule:admin_required", + "identity:remove_endpoint_group_from_project": "rule:admin_required", + + "identity:create_identity_provider": "rule:admin_required", + "identity:list_identity_providers": "rule:admin_required", + "identity:get_identity_providers": "rule:admin_required", + "identity:update_identity_provider": "rule:admin_required", + "identity:delete_identity_provider": "rule:admin_required", + + "identity:create_protocol": "rule:admin_required", + "identity:update_protocol": "rule:admin_required", + "identity:get_protocol": "rule:admin_required", + "identity:list_protocols": "rule:admin_required", + "identity:delete_protocol": "rule:admin_required", + + "identity:create_mapping": "rule:admin_required", + "identity:get_mapping": "rule:admin_required", + "identity:list_mappings": "rule:admin_required", + "identity:delete_mapping": "rule:admin_required", + "identity:update_mapping": "rule:admin_required", + + "identity:create_service_provider": "rule:admin_required", + "identity:list_service_providers": "rule:admin_required", + "identity:get_service_provider": "rule:admin_required", + "identity:update_service_provider": "rule:admin_required", + "identity:delete_service_provider": "rule:admin_required", + + "identity:get_auth_catalog": "", + "identity:get_auth_projects": "", + "identity:get_auth_domains": "", + + "identity:list_projects_for_user": "", + "identity:list_domains_for_user": "", + + "identity:list_revoke_events": "", + + "identity:create_policy_association_for_endpoint": "rule:admin_required", + "identity:check_policy_association_for_endpoint": "rule:admin_required", + "identity:delete_policy_association_for_endpoint": "rule:admin_required", + "identity:create_policy_association_for_service": "rule:admin_required", + "identity:check_policy_association_for_service": "rule:admin_required", + "identity:delete_policy_association_for_service": "rule:admin_required", + "identity:create_policy_association_for_region_and_service": "rule:admin_required", + "identity:check_policy_association_for_region_and_service": "rule:admin_required", + "identity:delete_policy_association_for_region_and_service": "rule:admin_required", + "identity:get_policy_for_endpoint": "rule:admin_required", + "identity:list_endpoints_for_policy": "rule:admin_required", + + "identity:create_domain_config": "rule:admin_required", + "identity:get_domain_config": "rule:admin_required", + "identity:update_domain_config": "rule:admin_required", + "identity:delete_domain_config": "rule:admin_required", + "identity:get_domain_config_default": "rule:admin_required" +} diff --git a/etc/manila/policy.json b/etc/manila/policy.json new file mode 100644 index 0000000..c9c7c51 --- /dev/null +++ b/etc/manila/policy.json @@ -0,0 +1,136 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "admin_api": "is_admin:True", + + "availability_zone:index": "rule:default", + + "quota_set:update": "rule:admin_api", + "quota_set:show": "rule:default", + "quota_set:delete": "rule:admin_api", + + "quota_class_set:show": "rule:default", + "quota_class_set:update": "rule:admin_api", + + "service:index": "rule:admin_api", + "service:update": "rule:admin_api", + + "share:create": "rule:deny_readonly", + "share:delete": "rule:default", + "share:get": "rule:default", + "share:get_all": "rule:default", + "share:list_by_share_server_id": "rule:admin_api", + "share:update": "rule:default", + "share:access_get": "rule:default", + "share:access_get_all": "rule:default", + "share:allow_access": "rule:default", + "share:deny_access": "rule:default", + "share:extend": "rule:default", + "share:shrink": "rule:default", + "share:get_share_metadata": "rule:default", + "share:delete_share_metadata": "rule:default", + "share:update_share_metadata": "rule:default", + "share:migration_start": "rule:admin_api", + "share:migration_complete": "rule:admin_api", + "share:migration_cancel": "rule:admin_api", + "share:migration_get_progress": "rule:admin_api", + "share:reset_task_state": "rule:admin_api", + "share:manage": "rule:admin_api", + "share:unmanage": "rule:admin_api", + "share:force_delete": "rule:admin_api", + "share:reset_status": "rule:admin_api", + "share_export_location:index": "rule:default", + "share_export_location:show": "rule:default", + + "share_instance:index": "rule:admin_api", + "share_instance:show": "rule:admin_api", + "share_instance:force_delete": "rule:admin_api", + "share_instance:reset_status": "rule:admin_api", + "share_instance_export_location:index": "rule:admin_api", + "share_instance_export_location:show": "rule:admin_api", + + "share_snapshot:create_snapshot": "rule:default", + "share_snapshot:delete_snapshot": "rule:default", + "share_snapshot:get_snapshot": "rule:default", + "share_snapshot:get_all_snapshots": "rule:default", + "share_snapshot:snapshot_update": "rule:default", + "share_snapshot:manage_snapshot": "rule:admin_api", + "share_snapshot:unmanage_snapshot": "rule:admin_api", + "share_snapshot:force_delete": "rule:admin_api", + "share_snapshot:reset_status": "rule:admin_api", + + "share_snapshot_instance:detail": "rule:admin_api", + "share_snapshot_instance:index": "rule:admin_api", + "share_snapshot_instance:show": "rule:admin_api", + "share_snapshot_instance:reset_status": "rule:admin_api", + + "share_type:index": "rule:default", + "share_type:show": "rule:default", + "share_type:default": "rule:default", + "share_type:create": "rule:admin_api", + "share_type:delete": "rule:admin_api", + "share_type:add_project_access": "rule:admin_api", + "share_type:list_project_access": "rule:admin_api", + "share_type:remove_project_access": "rule:admin_api", + + "share_types_extra_spec:create": "rule:admin_api", + "share_types_extra_spec:update": "rule:admin_api", + "share_types_extra_spec:show": "rule:admin_api", + "share_types_extra_spec:index": "rule:admin_api", + "share_types_extra_spec:delete": "rule:admin_api", + + "security_service:create": "rule:default", + "security_service:delete": "rule:default", + "security_service:update": "rule:default", + "security_service:show": "rule:default", + "security_service:index": "rule:default", + "security_service:detail": "rule:default", + "security_service:get_all_security_services": "rule:admin_api", + + "share_server:index": "rule:admin_api", + "share_server:show": "rule:admin_api", + "share_server:details": "rule:admin_api", + "share_server:delete": "rule:admin_api", + + "share_network:create": "rule:default", + "share_network:delete": "rule:default", + "share_network:update": "rule:default", + "share_network:index": "rule:default", + "share_network:detail": "rule:default", + "share_network:show": "rule:default", + "share_network:add_security_service": "rule:default", + "share_network:remove_security_service": "rule:default", + "share_network:get_all_share_networks": "rule:admin_api", + + "scheduler_stats:pools:index": "rule:admin_api", + "scheduler_stats:pools:detail": "rule:admin_api", + + "consistency_group:create" : "rule:default", + "consistency_group:delete": "rule:default", + "consistency_group:update": "rule:default", + "consistency_group:get": "rule:default", + "consistency_group:get_all": "rule:default", + "consistency_group:force_delete": "rule:admin_api", + "consistency_group:reset_status": "rule:admin_api", + + "cgsnapshot:force_delete": "rule:admin_api", + "cgsnapshot:reset_status": "rule:admin_api", + "cgsnapshot:create" : "rule:default", + "cgsnapshot:update" : "rule:default", + "cgsnapshot:delete": "rule:default", + "cgsnapshot:get_cgsnapshot": "rule:default", + "cgsnapshot:get_all": "rule:default", + + "share_replica:get_all": "rule:default", + "share_replica:show": "rule:default", + "share_replica:create" : "rule:default", + "share_replica:delete": "rule:default", + "share_replica:promote": "rule:default", + "share_replica:resync": "rule:admin_api", + "share_replica:reset_status": "rule:admin_api", + "share_replica:force_delete": "rule:admin_api", + "share_replica:reset_replica_state": "rule:admin_api" +} diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json new file mode 100644 index 0000000..3278023 --- /dev/null +++ b/etc/mistral/policy.json @@ -0,0 +1,64 @@ +{ + "admin_only": "is_admin:True", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "action_executions:delete": "rule:admin_or_owner", + "action_execution:create": "rule:admin_or_owner", + "action_executions:get": "rule:admin_or_owner", + "action_executions:list": "rule:admin_or_owner", + "action_executions:update": "rule:admin_or_owner", + + "actions:create": "rule:admin_or_owner", + "actions:delete": "rule:admin_or_owner", + "actions:get": "rule:admin_or_owner", + "actions:list": "rule:admin_or_owner", + "actions:update": "rule:admin_or_owner", + + "cron_triggers:create": "rule:admin_or_owner", + "cron_triggers:delete": "rule:admin_or_owner", + "cron_triggers:get": "rule:admin_or_owner", + "cron_triggers:list": "rule:admin_or_owner", + + "environments:create": "rule:admin_or_owner", + "environments:delete": "rule:admin_or_owner", + "environments:get": "rule:admin_or_owner", + "environments:list": "rule:admin_or_owner", + "environments:update": "rule:admin_or_owner", + + "executions:create": "rule:admin_or_owner", + "executions:delete": "rule:admin_or_owner", + "executions:get": "rule:admin_or_owner", + "executions:list": "rule:admin_or_owner", + "executions:update": "rule:admin_or_owner", + + "members:create": "rule:admin_or_owner", + "members:delete": "rule:admin_or_owner", + "members:get": "rule:admin_or_owner", + "members:list": "rule:admin_or_owner", + "members:update": "rule:admin_or_owner", + + "services:list": "rule:admin_or_owner", + + "tasks:get": "rule:admin_or_owner", + "tasks:list": "rule:admin_or_owner", + "tasks:update": "rule:admin_or_owner", + + "workbooks:create": "rule:admin_or_owner", + "workbooks:delete": "rule:admin_or_owner", + "workbooks:get": "rule:admin_or_owner", + "workbooks:list": "rule:admin_or_owner", + "workbooks:update": "rule:admin_or_owner", + + "workflows:create": "rule:admin_or_owner", + "workflows:delete": "rule:admin_or_owner", + "workflows:get": "rule:admin_or_owner", + "workflows:list": "rule:admin_or_owner", + "workflows:update": "rule:admin_or_owner", + + "event_triggers:create": "rule:admin_or_owner", + "event_triggers:delete": "rule:admin_or_owner", + "event_triggers:get": "rule:admin_or_owner", + "event_triggers:list": "rule:admin_or_owner", + "event_triggers:update": "rule:admin_or_owner" +} diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json new file mode 100644 index 0000000..77ba25f --- /dev/null +++ b/etc/neutron/policy.json @@ -0,0 +1,215 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "owner": "tenant_id:%(tenant_id)s", + "admin_or_owner": "rule:context_is_admin or rule:owner", + "context_is_advsvc": "role:advsvc", + "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s or role:network_admin", + "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", + "admin_only": "rule:context_is_admin", + "regular_user": "rule:deny_readonly", + "shared": "field:networks:shared=True", + "shared_subnetpools": "field:subnetpools:shared=True", + "shared_address_scopes": "field:address_scopes:shared=True", + "external": "field:networks:router:external=True", + "default": "rule:admin_or_owner", + + "create_subnet": "rule:admin_or_network_owner", + "create_subnet:segment_id": "rule:admin_only", + "create_subnet:service_types": "rule:admin_only", + "get_subnet": "rule:admin_or_owner or rule:shared", + "get_subnet:segment_id": "rule:admin_only", + "update_subnet": "rule:admin_or_network_owner", + "update_subnet:service_types": "rule:admin_only", + "delete_subnet": "rule:admin_or_network_owner", + + "create_subnetpool": "rule:deny_readonly", + "create_subnetpool:shared": "rule:admin_only", + "create_subnetpool:is_default": "rule:admin_only", + "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", + "update_subnetpool": "rule:admin_or_owner", + "update_subnetpool:is_default": "rule:admin_only", + "delete_subnetpool": "rule:admin_or_owner", + + "create_address_scope": "rule:deny_readonly", + "create_address_scope:shared": "rule:admin_only", + "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", + "update_address_scope": "rule:admin_or_owner", + "update_address_scope:shared": "rule:admin_only", + "delete_address_scope": "rule:admin_or_owner", + + "create_network": "rule:deny_readonly", + "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", + "get_network:router:external": "rule:regular_user", + "get_network:segments": "rule:admin_only", + "get_network:provider:network_type": "rule:admin_only", + "get_network:provider:physical_network": "rule:admin_only", + "get_network:provider:segmentation_id": "rule:admin_only", + "get_network:queue_id": "rule:admin_only", + "get_network_ip_availabilities": "rule:admin_only", + "get_network_ip_availability": "rule:admin_only", + "create_network:shared": "rule:admin_only", + "create_network:router:external": "rule:admin_only", + "create_network:is_default": "rule:admin_only", + "create_network:segments": "rule:admin_only", + "create_network:provider:network_type": "rule:admin_only", + "create_network:provider:physical_network": "rule:admin_only", + "create_network:provider:segmentation_id": "rule:admin_only", + "update_network": "rule:admin_or_owner", + "update_network:segments": "rule:admin_only", + "update_network:shared": "rule:admin_only", + "update_network:provider:network_type": "rule:admin_only", + "update_network:provider:physical_network": "rule:admin_only", + "update_network:provider:segmentation_id": "rule:admin_only", + "update_network:router:external": "rule:admin_only", + "delete_network": "rule:admin_or_owner", + + "create_segment": "rule:admin_only", + "get_segment": "rule:admin_only", + "update_segment": "rule:admin_only", + "delete_segment": "rule:admin_only", + + "network_device": "field:port:device_owner=~^network:", + "create_port": "rule:deny_readonly", + "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:binding:host_id": "rule:admin_only", + "create_port:binding:profile": "rule:admin_only", + "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner", + "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", + "get_port:queue_id": "rule:admin_only", + "get_port:binding:vif_type": "rule:admin_only", + "get_port:binding:vif_details": "rule:admin_only", + "get_port:binding:host_id": "rule:admin_only", + "get_port:binding:profile": "rule:admin_only", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", + "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", + "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:binding:host_id": "rule:admin_only", + "update_port:binding:profile": "rule:admin_only", + "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:allowed_address_pairs": "rule:admin_or_network_owner", + "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", + + "get_router:ha": "rule:admin_only", + "create_router": "rule:regular_user", + "create_router:external_gateway_info:enable_snat": "rule:admin_only", + "create_router:distributed": "rule:admin_only", + "create_router:ha": "rule:admin_only", + "get_router": "rule:admin_or_owner", + "get_router:distributed": "rule:admin_only", + "update_router:external_gateway_info:enable_snat": "rule:admin_only", + "update_router:distributed": "rule:admin_only", + "update_router:ha": "rule:admin_only", + "delete_router": "rule:admin_or_owner", + + "add_router_interface": "rule:admin_or_owner", + "remove_router_interface": "rule:admin_or_owner", + + "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + + "insert_rule": "rule:admin_or_owner", + "remove_rule": "rule:admin_or_owner", + + "create_qos_queue": "rule:admin_only", + "get_qos_queue": "rule:admin_only", + + "update_agent": "rule:admin_only", + "delete_agent": "rule:admin_only", + "get_agent": "rule:admin_only", + + "create_dhcp-network": "rule:admin_only", + "delete_dhcp-network": "rule:admin_only", + "get_dhcp-networks": "rule:admin_only", + "create_l3-router": "rule:admin_only", + "delete_l3-router": "rule:admin_only", + "get_l3-routers": "rule:admin_only", + "get_dhcp-agents": "rule:admin_only", + "get_l3-agents": "rule:admin_only", + "get_loadbalancer-agent": "rule:admin_only", + "get_loadbalancer-pools": "rule:admin_only", + "get_agent-loadbalancers": "rule:admin_only", + "get_loadbalancer-hosting-agent": "rule:admin_only", + + "create_floatingip": "rule:regular_user", + "create_floatingip:floating_ip_address": "rule:admin_only", + "update_floatingip": "rule:admin_or_owner", + "delete_floatingip": "rule:admin_or_owner", + "get_floatingip": "rule:admin_or_owner", + + "create_network_profile": "rule:admin_only", + "update_network_profile": "rule:admin_only", + "delete_network_profile": "rule:admin_only", + "get_network_profiles": "", + "get_network_profile": "", + "update_policy_profiles": "rule:admin_only", + "get_policy_profiles": "", + "get_policy_profile": "", + + "create_metering_label": "rule:admin_only", + "delete_metering_label": "rule:admin_only", + "get_metering_label": "rule:admin_only", + + "create_metering_label_rule": "rule:admin_only", + "delete_metering_label_rule": "rule:admin_only", + "get_metering_label_rule": "rule:admin_only", + + "get_service_provider": "rule:regular_user", + "get_lsn": "rule:admin_only", + "create_lsn": "rule:admin_only", + + "create_flavor": "rule:admin_only", + "update_flavor": "rule:admin_only", + "delete_flavor": "rule:admin_only", + "get_flavors": "rule:regular_user", + "get_flavor": "rule:regular_user", + "create_service_profile": "rule:admin_only", + "update_service_profile": "rule:admin_only", + "delete_service_profile": "rule:admin_only", + "get_service_profiles": "rule:admin_only", + "get_service_profile": "rule:admin_only", + + "get_policy": "rule:regular_user", + "create_policy": "rule:admin_only", + "update_policy": "rule:admin_only", + "delete_policy": "rule:admin_only", + "get_policy_bandwidth_limit_rule": "rule:regular_user", + "create_policy_bandwidth_limit_rule": "rule:admin_only", + "delete_policy_bandwidth_limit_rule": "rule:admin_only", + "update_policy_bandwidth_limit_rule": "rule:admin_only", + "get_policy_dscp_marking_rule": "rule:regular_user", + "create_policy_dscp_marking_rule": "rule:admin_only", + "delete_policy_dscp_marking_rule": "rule:admin_only", + "update_policy_dscp_marking_rule": "rule:admin_only", + "get_rule_type": "rule:regular_user", + "get_policy_minimum_bandwidth_rule": "rule:regular_user", + "create_policy_minimum_bandwidth_rule": "rule:admin_only", + "delete_policy_minimum_bandwidth_rule": "rule:admin_only", + "update_policy_minimum_bandwidth_rule": "rule:admin_only", + + "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", + "create_rbac_policy": "rule:deny_readonly", + "create_rbac_policy:target_tenant": "rule:restrict_wildcard", + "update_rbac_policy": "rule:admin_or_owner", + "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", + "get_rbac_policy": "rule:admin_or_owner", + "delete_rbac_policy": "rule:admin_or_owner", + + "create_flavor_service_profile": "rule:admin_only", + "delete_flavor_service_profile": "rule:admin_only", + "get_flavor_service_profile": "rule:regular_user", + "get_auto_allocated_topology": "rule:admin_or_owner", + + "create_trunk": "rule:regular_user", + "get_trunk": "rule:admin_or_owner", + "delete_trunk": "rule:admin_or_owner", + "get_subports": "", + "add_subports": "rule:admin_or_owner", + "remove_subports": "rule:admin_or_owner" +} diff --git a/etc/nova/policy.json b/etc/nova/policy.json new file mode 100644 index 0000000..2c63c08 --- /dev/null +++ b/etc/nova/policy.json @@ -0,0 +1,2 @@ +{ +} diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json new file mode 100644 index 0000000..06948c5 --- /dev/null +++ b/etc/sahara/policy.json @@ -0,0 +1,74 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "default": "", + + "data-processing:clusters:get_all": "", + "data-processing:clusters:create": "rule:deny_readonly", + "data-processing:clusters:scale": "rule:deny_readonly", + "data-processing:clusters:get": "", + "data-processing:clusters:delete": "rule:deny_readonly", + "data-processing:clusters:modify": "rule:deny_readonly", + + "data-processing:cluster-templates:get_all": "", + "data-processing:cluster-templates:create": "rule:deny_readonly", + "data-processing:cluster-templates:get": "", + "data-processing:cluster-templates:modify": "rule:deny_readonly", + "data-processing:cluster-templates:delete": "rule:deny_readonly", + + "data-processing:node-group-templates:get_all": "", + "data-processing:node-group-templates:create": "rule:deny_readonly", + "data-processing:node-group-templates:get": "", + "data-processing:node-group-templates:modify": "rule:deny_readonly", + "data-processing:node-group-templates:delete": "rule:deny_readonly", + + "data-processing:plugins:get_all": "", + "data-processing:plugins:get": "", + "data-processing:plugins:get_version": "", + "data-processing:plugins:convert_config": "rule:deny_readonly", + "data-processing:plugins:patch": "role:admin", + + "data-processing:images:get_all": "", + "data-processing:images:get": "", + "data-processing:images:register": "rule:deny_readonly", + "data-processing:images:unregister": "rule:deny_readonly", + "data-processing:images:add_tags": "rule:deny_readonly", + "data-processing:images:remove_tags": "rule:deny_readonly", + + "data-processing:job-executions:get_all": "", + "data-processing:job-executions:get": "", + "data-processing:job-executions:refresh_status": "", + "data-processing:job-executions:cancel": "rule:deny_readonly", + "data-processing:job-executions:delete": "rule:deny_readonly", + "data-processing:job-executions:modify": "rule:deny_readonly", + + "data-processing:data-sources:get_all": "", + "data-processing:data-sources:get": "", + "data-processing:data-sources:register": "rule:deny_readonly", + "data-processing:data-sources:delete": "rule:deny_readonly", + "data-processing:data-sources:modify": "rule:deny_readonly", + + "data-processing:jobs:get_all": "", + "data-processing:jobs:create": "rule:deny_readonly", + "data-processing:jobs:get": "", + "data-processing:jobs:delete": "rule:deny_readonly", + "data-processing:jobs:get_config_hints": "", + "data-processing:jobs:execute": "rule:deny_readonly", + "data-processing:jobs:modify": "rule:deny_readonly", + + "data-processing:job-binaries:get_all": "", + "data-processing:job-binaries:create": "rule:deny_readonly", + "data-processing:job-binaries:get": "", + "data-processing:job-binaries:delete": "rule:deny_readonly", + "data-processing:job-binaries:get_data": "", + "data-processing:job-binaries:modify": "rule:deny_readonly", + + "data-processing:job-binary-internals:get_all": "", + "data-processing:job-binary-internals:create": "rule:deny_readonly", + "data-processing:job-binary-internals:get": "", + "data-processing:job-binary-internals:delete": "rule:deny_readonly", + "data-processing:job-binary-internals:get_data": "", + "data-processing:job-binary-internals:modify": "rule:deny_readonly", + + "data-processing:job-types:get_all": "" +} diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json new file mode 100644 index 0000000..a7645f7 --- /dev/null +++ b/etc/zaqar/policy.json @@ -0,0 +1,47 @@ +{ + "deny_readonly": "not role:readonly", + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "queues:get_all": "", + "queues:create": "rule:deny_readonly", + "queues:get": "", + "queues:delete": "rule:deny_readonly", + "queues:update": "rule:deny_readonly", + "queues:stats": "", + + "messages:get_all": "", + "messages:create": "rule:deny_readonly", + "messages:get": "", + "messages:delete": "rule:deny_readonly", + "messages:delete_all": "rule:deny_readonly", + + "claims:get_all": "", + "claims:create": "rule:deny_readonly", + "claims:get": "", + "claims:delete": "rule:deny_readonly", + "claims:update": "rule:deny_readonly", + + "subscription:get_all": "", + "subscription:create": "rule:deny_readonly", + "subscription:get": "", + "subscription:delete": "rule:deny_readonly", + "subscription:update": "rule:deny_readonly", + "subscription:confirm": "rule:deny_readonly", + + "pools:get_all": "rule:context_is_admin", + "pools:create": "rule:context_is_admin", + "pools:get": "rule:context_is_admin", + "pools:delete": "rule:context_is_admin", + "pools:update": "rule:context_is_admin", + + "flavors:get_all": "", + "flavors:create": "rule:context_is_admin", + "flavors:get": "", + "flavors:delete": "rule:context_is_admin", + "flavors:update": "rule:context_is_admin", + + "ping:get": "", + "health:get": "rule:context_is_admin" +} |