summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--etc/aodh/policy.json2
-rw-r--r--etc/ceilometer/policy.json2
-rw-r--r--etc/cinder/policy.json4
-rw-r--r--etc/manila/policy.json8
-rw-r--r--etc/neutron/policy.json2
-rw-r--r--etc/nova/policy.json34
-rw-r--r--etc/sahara/policy.json2
-rw-r--r--etc/zaqar/policy.json2
-rw-r--r--files/SevoneOSPprereqs_MOPV_1.11.txt (renamed from files/SevoneOSPprereqs_MOPV_1.10.txt)6
-rwxr-xr-xfiles/push_readonly_policies_to_overcloud.sh2
10 files changed, 32 insertions, 32 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index 1b6715e..38bb14d 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"segregation": "rule:context_is_admin",
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json
index add3ee6..d74e528 100644
--- a/etc/ceilometer/policy.json
+++ b/etc/ceilometer/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"segregation": "rule:context_is_admin",
"telemetry:get_samples": "",
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 5844cea..585b31a 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -34,8 +34,8 @@
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
- "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
- "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+ "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly",
+ "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
diff --git a/etc/manila/policy.json b/etc/manila/policy.json
index c9c7c51..db1408f 100644
--- a/etc/manila/policy.json
+++ b/etc/manila/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
@@ -72,9 +72,9 @@
"share_type:default": "rule:default",
"share_type:create": "rule:admin_api",
"share_type:delete": "rule:admin_api",
- "share_type:add_project_access": "rule:admin_api",
+ "share_type:add_project_access": "rule:admin_api and rule:deny_readonly",
"share_type:list_project_access": "rule:admin_api",
- "share_type:remove_project_access": "rule:admin_api",
+ "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly",
"share_types_extra_spec:create": "rule:admin_api",
"share_types_extra_spec:update": "rule:admin_api",
@@ -102,7 +102,7 @@
"share_network:detail": "rule:default",
"share_network:show": "rule:default",
"share_network:add_security_service": "rule:default",
- "share_network:remove_security_service": "rule:default",
+ "share_network:remove_security_service": "rule:default and rule:deny_readonly",
"share_network:get_all_share_networks": "rule:admin_api",
"scheduler_stats:pools:index": "rule:admin_api",
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index 75b5a1f..e4ea2d7 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"owner": "tenant_id:%(tenant_id)s and rule:deny_readonly",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc and rule:deny_readonly",
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index d1257c8..f0843d5 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -15,7 +15,7 @@
"os_compute_api:os-volumes:discoverable": "@",
"os_compute_api:os-fping": "rule:admin_or_owner",
"os_compute_api:os-floating-ips": "rule:admin_or_owner",
- "os_compute_api:servers:start": "rule:admin_or_owner",
+ "os_compute_api:servers:start": "rule:admin_or_owner and rule:deny_readonly",
"os_compute_api:os-hosts:discoverable": "@",
"os_compute_api:os-server-tags:delete_all": "@",
"os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
@@ -26,11 +26,11 @@
"os_compute_api:os-evacuate:discoverable": "@",
"os_compute_api:os-rescue:discoverable": "@",
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-cells:discoverable": "@",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-deferred-delete:discoverable": "@",
"os_compute_api:os-certificates:discoverable": "@",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
@@ -59,7 +59,7 @@
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
"os_compute_api:os-block-device-mapping-v1:discoverable": "@",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
"os_compute_api:servers:show": "rule:admin_or_owner",
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
@@ -75,7 +75,7 @@
"os_compute_api:servers:migrations:show": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:image-metadata:discoverable": "@",
- "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api and rule:deny_readonly",
"os_compute_api:extensions": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-security-groups": "rule:admin_or_owner",
@@ -103,7 +103,7 @@
"os_compute_api:os-certificates:create": "rule:admin_or_owner and rule:deny_readonly",
"os_compute_api:os-server-usage": "rule:admin_or_owner",
"os_compute_api:os-services": "rule:admin_api",
- "os_compute_api:servers:migrations:force_complete": "rule:admin_api",
+ "os_compute_api:servers:migrations:force_complete": "rule:admin_api and rule:deny_readonly",
"os_compute_api:servers:index": "rule:admin_or_owner",
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
"os_compute_api:os-flavor-rxtx:discoverable": "@",
@@ -111,7 +111,7 @@
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-server-tags:update_all": "@",
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-sets:update": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-floating-ip-pools:discoverable": "@",
"os_compute_api:os-console-output:discoverable": "@",
"os_compute_api:servers:show:host_status": "rule:admin_api",
@@ -132,7 +132,7 @@
"os_compute_api:os-server-password": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:discoverable": "@",
"os_compute_api:servers:delete": "rule:admin_or_owner and rule:deny_readonly",
- "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:os-hypervisors:discoverable": "@",
@@ -145,7 +145,7 @@
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:servers:create": "rule:admin_or_owner and rule:deny_readonly",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-baremetal-nodes:discoverable": "@",
"os_compute_api:os-console-output": "rule:admin_or_owner",
"os_compute_api:os-aggregates:update": "rule:admin_api",
@@ -165,8 +165,8 @@
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
"os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:os-consoles:delete": "rule:admin_or_owner and rule:deny_readonly",
- "os_compute_api:os-networks-associate": "rule:admin_api",
- "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
+ "os_compute_api:os-networks-associate": "rule:admin_api and rule:deny_readonly",
+ "os_compute_api:os-remote-consoles": "rule:admin_or_owner and rule:deny_readonly",
"os_compute_api:limits": "rule:admin_or_owner",
"os_compute_api:os-cells:create": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-create-backup:discoverable": "@",
@@ -187,7 +187,7 @@
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
"os_compute_api:os-server-password:discoverable": "@",
"os_compute_api:os-cells": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api and rule:deny_readonly",
"os_compute_api:image-size:discoverable": "@",
"os_compute_api:os-certificates:show": "rule:admin_or_owner",
"os_compute_api:os-config-drive": "rule:admin_or_owner",
@@ -216,7 +216,7 @@
"os_compute_api:os-server-tags:update": "@",
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:flavors": "rule:admin_or_owner",
- "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "@",
"os_compute_api:os-flavor-manage:discoverable": "@",
@@ -240,12 +240,12 @@
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
"os_compute_api:os-services:discoverable": "@",
"os_compute_api:extensions:discoverable": "@",
- "os_compute_api:servers:stop": "rule:admin_or_owner",
+ "os_compute_api:servers:stop": "rule:admin_or_owner and rule:deny_readonly",
"os_compute_api:os-volumes": "rule:admin_or_owner",
"os_compute_api:os-server-tags:discoverable": "@",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-simple-tenant-usage:discoverable": "@",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-pci:discoverable": "@",
@@ -264,7 +264,7 @@
"os_compute_api:os-server-external-events:discoverable": "@",
"os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "@",
- "os_compute_api:server-metadata:update": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update": "rule:admin_or_owner and rule:deny_readonly",
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api and rule:deny_readonly",
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner and rule:deny_readonly"
-} \ No newline at end of file
+}
diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json
index 06948c5..bfab46f 100644
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"default": "",
"data-processing:clusters:get_all": "",
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index a7645f7..259625e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,6 +1,6 @@
{
"deny_readonly": "not role:readonly",
- "context_is_admin": "role:admin",
+ "context_is_admin": "role:admin and rule:deny_readonly",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
diff --git a/files/SevoneOSPprereqs_MOPV_1.10.txt b/files/SevoneOSPprereqs_MOPV_1.11.txt
index 77a324e..84b07d1 100644
--- a/files/SevoneOSPprereqs_MOPV_1.10.txt
+++ b/files/SevoneOSPprereqs_MOPV_1.11.txt
@@ -162,7 +162,7 @@ may first require logging in as root
VI. Allow the sevone user to query mysql status
-[root@slmsc2ctl0 ~]# mysql -e “create user 'sevone'@'localhost';
+[root@slmsc2ctl0 ~]# mysql -e “create user 'sevone'@'localhost';"
If during this step, you exit the current shell session instead of escalating to root, you will need to
re-source overcloudrc before continuing.
@@ -189,8 +189,8 @@ for generating one.
[stack@ospdirector ~]$ TRAPDEST1=<Enter First Destination IP>
[stack@ospdirector ~]$ TRAPDEST2=<Enter Second Destination IP>
[stack@ospdirector ~]$ echo -e "TRAPDEST1 = ${TRAPDEST1}\nTRAPDEST2 = ${TRAPDEST2}"
-[stack@ospdirector ~]$ sed -i s/TRAPTARGET1/$TRAPDEST1/ ~/policydir/files/snmpd.conf
-[stack@ospdirector ~]$ sed -i s/TRAPTARGET2/$TRAPDEST2/ ~/policydir/files/snmpd.conf
+[stack@ospdirector ~]$ sed -i "s/TRAPTARGET1/$TRAPDEST1/" ~/policydir/files/snmpd.conf
+[stack@ospdirector ~]$ sed -i "s/TRAPTARGET2/$TRAPDEST2/" ~/policydir/files/snmpd.conf
III. Distribute the SNMP configuration file to the OSP director
diff --git a/files/push_readonly_policies_to_overcloud.sh b/files/push_readonly_policies_to_overcloud.sh
index 307af39..208a5ed 100755
--- a/files/push_readonly_policies_to_overcloud.sh
+++ b/files/push_readonly_policies_to_overcloud.sh
@@ -102,7 +102,7 @@ do
# Take a backup, if not present already..
ssh -q heat-admin@${myip} "sudo test -f ${sev1_backup}"
if [ $? -ne 0 ]; then
- echo" (II) Taking a backup of ${dst_config} as ${sev1_backup}"
+ echo " (II) Taking a backup of ${dst_config} as ${sev1_backup}"
ssh -q heat-admin@${myip} "sudo test -f ${dst_config}" && ssh -q heat-admin@${myip} "sudo /bin/cp -afx ${dst_config} ${sev1_backup}"
fi