-rw-r--r-- | etc/aodh/policy.json | 6 | ||||
-rw-r--r-- | etc/glance/policy.json | 6 | ||||
-rw-r--r-- | etc/neutron/policy.json | 6 |
3 files changed, 9 insertions, 9 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index b4ea233..1b6715e 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -10,11 +10,11 @@
 "telemetry:query_alarm": "rule:admin_or_owner",
 "telemetry:create_alarm": "rule:deny_readonly",
- "telemetry:change_alarm": "rule:admin_or_owner",
- "telemetry:delete_alarm": "rule:admin_or_owner",
+ "telemetry:change_alarm": "rule:admin_or_owner and rule:deny_readonly",
+ "telemetry:delete_alarm": "rule:admin_or_owner and rule:deny_readonly",
 "telemetry:get_alarm_state": "rule:admin_or_owner",
- "telemetry:change_alarm_state": "rule:admin_or_owner",
+ "telemetry:change_alarm_state": "rule:admin_or_owner and rule:deny_readonly",
 "telemetry:alarm_history": "rule:admin_or_owner",
 "telemetry:query_alarm_history": "rule:admin_or_owner"
diff --git a/etc/glance/policy.json b/etc/glance/policy.json
index 22d3fa4..7913cf1 100644
--- a/etc/glance/policy.json
+++ b/etc/glance/policy.json
@@ -28,8 +28,8 @@
 "get_task": "role:admin",
 "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
+ "add_task": "role:admin and rule:deny_readonly",
+ "modify_task": "role:admin and rule:deny_readonly",
 "deactivate": "rule:deny_readonly",
 "reactivate": "rule:deny_readonly",
@@ -46,7 +46,7 @@
 "list_metadef_resource_types":"",
 "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
+ "add_metadef_resource_type_association":"rule:deny_readonly",
 "get_metadef_property":"",
 "get_metadef_properties":"",
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index ccdb827..75b5a1f 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
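Review bot: The read-only restriction is opt-in per rule, so any write action that is not edited stays open to read-only users, and nothing in this commit guards against the next omission. The alarm rules in etc/aodh/policy.json, the task and metadef association rules in etc/glance/policy.json and the segment rules in etc/neutron/policy.json all sit beside context lines that already carry `rule:deny_readonly`, which suggests they were missed by an earlier pass. A small test that loads each policy.json and asserts that every rule for a create, update, change, modify, add or delete action references `rule:deny_readonly` would turn such a gap into a CI failure instead of a later audit finding. The definition of `deny_readonly` is outside these hunks, so what it actually matches cannot be confirmed from here. In the Glance file, rules left as `""` allow any authenticated caller, so the metadef write rules beyond the visible context are worth checking the same way.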
@@ -64,10 +64,10 @@
 "update_network:router:external": "rule:admin_only",
 "delete_network": "rule:admin_or_owner and rule:deny_readonly",
- "create_segment": "rule:admin_only",
+ "create_segment": "rule:admin_only and rule:deny_readonly",
 "get_segment": "rule:admin_only",
- "update_segment": "rule:admin_only",
- "delete_segment": "rule:admin_only",
+ "update_segment": "rule:admin_only and rule:deny_readonly",
+ "delete_segment": "rule:admin_only and rule:deny_readonly",
 "network_device": "field:port:device_owner=~^network:",
 "create_port": "rule:deny_readonly", |
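Review bot: The context line `"update_network:router:external": "rule:admin_only",` at the top of this hunk still has no read-only check, while the segment rules built on the same `rule:admin_only` base now get one. If this attribute rule is only ever evaluated together with the parent `update_network` rule (outside the hunk), that parent may already deny read-only callers, but this should be confirmed rather than assumed. Otherwise, for consistency, change it to `"update_network:router:external": "rule:admin_only and rule:deny_readonly",`.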