-rw-r--r--etc/glance/policy.json96
1 files changed, 51 insertions, 45 deletions
diff --git a/etc/glance/policy.json b/etc/glance/policy.json
index 0a058c1..161ee6c 100644
--- a/etc/glance/policy.json
+++ b/etc/glance/policy.json
@@ -1,27 +1,33 @@
{
- "context_is_admin": "role:admin",
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
+ "global_readonly": "(role:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
"default": "role:admin",
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
+ "add_image": "rule:admin or rule:member",
+ "delete_image": "rule:admin or rule:member or rule:owner",
+ "get_image": "rule:admin or rule:member or rule:readonly",
+ "get_images": "rule:admin or rule:member or rule:readonly",
+ "modify_image": "rule:admin or rule:member",
+ "publicize_image": "rule:admin",
+ "copy_from": "rule:admin or rule:member",
- "download_image": "",
- "upload_image": "",
+ "download_image": "rule:admin or rule:member",
+ "upload_image": "rule:admin or rule:member",
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
+ "delete_image_location": "rule:admin or rule:member",
+ "get_image_location": "rule:admin or rule:member",
+ "set_image_location": "rule:admin or rule:member",
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
+ "add_member": "rule:admin or rule:member",
+ "delete_member": "rule:admin or rule:member",
+ "get_member": "rule:admin or rule:member or rule:readonly",
+ "get_members": "rule:admin or rule:member or rule:readonly",
+ "modify_member": "rule:admin or rule:member",
"manage_image_cache": "role:admin",
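Review bot: The new `owner` rule has no `project_id` clause and `delete_image` ORs it in, so deletion is the one image operation here that can pass without the project match that `member` requires; if that is not intended, keep it to `"delete_image": "rule:admin or rule:member",`. More generally, `member`, `readonly` and `owner` compare the caller's credentials with `%(project_id)s` / `%(user_id)s` taken from the enforcement target, and the call sites are not part of this diff. As far as I can tell, a target that lacks those keys means the check cannot match for non-admins, while a target built from the caller's own context makes it always true and gives no tenant isolation, so each rule should be confirmed to deny a token scoped to a different project. The hunk also removes `context_is_admin`; if Glance still looks that rule up to decide `is_admin`, it now resolves through `default`, and keeping `"context_is_admin": "role:admin",` explicit would avoid coupling the two.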
@@ -30,32 +36,32 @@
"add_task": "role:admin",
"modify_task": "role:admin",
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
+ "deactivate": "rule:admin or rule:member",
+ "reactivate": "rule:admin or rule:member",
+
+ "get_metadef_namespace": "rule:admin or rule:member or rule:readonly",
+ "get_metadef_namespaces":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_namespace":"rule:admin or rule:member",
+ "add_metadef_namespace":"rule:admin or rule:member",
+
+ "get_metadef_object":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_objects":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_object":"rule:admin or rule:member",
+ "add_metadef_object":"rule:admin or rule:member",
+
+ "list_metadef_resource_types":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_resource_type":"rule:admin or rule:member or rule:readonly",
+ "add_metadef_resource_type_association":"rule:admin or rule:member",
+
+ "get_metadef_property":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_properties":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_property":"rule:admin or rule:member",
+ "add_metadef_property":"rule:admin or rule:member",
+
+ "get_metadef_tag":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_tags":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tags":"rule:admin or rule:member"
}
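Review bot: `global_readonly` is defined in the first hunk but no rule visible in either hunk references it; the read rules here (`get_metadef_*`, `list_metadef_resource_types`) and `get_image`, `get_images`, `get_member`, `get_members` in the first hunk name only the project-scoped `rule:readonly`. The unchanged lines between the two hunks are not shown, but they predate the new rule. If cross-project read access is intended, the read rules need it, e.g. `"get_metadef_namespace": "rule:admin or rule:member or rule:readonly or rule:global_readonly",`; if not, removing the unused rule keeps the policy from advertising a role that grants nothing. The context lines `add_task` and `modify_task` still use `role:admin` while the changed lines use `rule:admin`, so a context with `is_admin:True` is treated differently for tasks; it would help to make that choice explicit.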