summaryrefslogtreecommitdiffstats
path: root/etc/cinder/policy.json
diff options
context:
space:
mode:
Diffstat (limited to 'etc/cinder/policy.json')
-rw-r--r--etc/cinder/policy.json18
1 files changed, 9 insertions, 9 deletions
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 585b31a..b1d23d1 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -2,7 +2,7 @@
"deny_readonly": "not role:readonly",
"context_is_admin": "role:admin and rule:deny_readonly",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_owner and rule:deny_readonly",
"admin_api": "is_admin:True",
@@ -33,13 +33,13 @@
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:access_types_extra_specs": "rule:admin_api",
- "volume_extension:volume_type_access": "rule:admin_or_owner",
+ "volume_extension:volume_type_access": "rule:admin_or_owner and rule:deny_readonly",
"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly",
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly",
"volume_extension:volume_type_encryption": "rule:admin_api",
- "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
- "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
- "volume_extension:volume_image_metadata": "rule:admin_or_owner",
+ "volume_extension:volume_encryption_metadata": "rule:admin_or_owner and rule:deny_readonly",
+ "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner and rule:deny_readonly",
+ "volume_extension:volume_image_metadata": "rule:admin_or_owner and rule:deny_readonly",
"volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api and rule:deny_readonly",
@@ -61,7 +61,7 @@
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner and rule:deny_readonly",
"volume_extension:volume_host_attribute": "rule:admin_api",
- "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
+ "volume_extension:volume_tenant_attribute": "rule:admin_or_owner and rule:deny_readonly",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"volume_extension:services:index": "rule:admin_api",
@@ -114,7 +114,7 @@
"group:group_types_manage": "rule:admin_api",
"group:group_types_specs": "rule:admin_api",
"group:access_group_types_specs": "rule:admin_api",
- "group:group_type_access": "rule:admin_or_owner",
+ "group:group_type_access": "rule:admin_or_owner and rule:deny_readonly",
"group:create" : "rule:deny_readonly",
"group:delete": "rule:admin_or_owner and rule:deny_readonly",
@@ -130,8 +130,8 @@
"scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
"message:delete": "rule:admin_or_owner and rule:deny_readonly",
- "message:get": "rule:admin_or_owner",
- "message:get_all": "rule:admin_or_owner",
+ "message:get": "rule:admin_or_owner and rule:deny_readonly",
+ "message:get_all": "rule:admin_or_owner and rule:deny_readonly",
"clusters:get": "rule:admin_api",
"clusters:get_all": "rule:admin_api",
generated by cgit (git 2.34.1) at 2024-04-24 16:00:59 +0000