diff options
Diffstat (limited to 'etc/cinder/policy.json')
-rw-r--r-- | etc/cinder/policy.json | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json index 585b31a..b1d23d1 100644 --- a/etc/cinder/policy.json +++ b/etc/cinder/policy.json @@ -2,7 +2,7 @@ "deny_readonly": "not role:readonly", "context_is_admin": "role:admin and rule:deny_readonly", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", + "default": "rule:admin_or_owner and rule:deny_readonly", "admin_api": "is_admin:True", @@ -33,13 +33,13 @@ "volume_extension:types_extra_specs": "rule:admin_api", "volume_extension:access_types_qos_specs_id": "rule:admin_api", "volume_extension:access_types_extra_specs": "rule:admin_api", - "volume_extension:volume_type_access": "rule:admin_or_owner", + "volume_extension:volume_type_access": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly", "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly", "volume_extension:volume_type_encryption": "rule:admin_api", - "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", - "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", - "volume_extension:volume_image_metadata": "rule:admin_or_owner", + "volume_extension:volume_encryption_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner and rule:deny_readonly", + "volume_extension:volume_image_metadata": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:quotas:show": "", "volume_extension:quotas:update": "rule:admin_api and rule:deny_readonly", @@ -61,7 +61,7 @@ "volume_extension:volume_actions:upload_image": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:volume_host_attribute": "rule:admin_api", - "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", + "volume_extension:volume_tenant_attribute": "rule:admin_or_owner and rule:deny_readonly", "volume_extension:volume_mig_status_attribute": "rule:admin_api", "volume_extension:hosts": "rule:admin_api", "volume_extension:services:index": "rule:admin_api", @@ -114,7 +114,7 @@ "group:group_types_manage": "rule:admin_api", "group:group_types_specs": "rule:admin_api", "group:access_group_types_specs": "rule:admin_api", - "group:group_type_access": "rule:admin_or_owner", + "group:group_type_access": "rule:admin_or_owner and rule:deny_readonly", "group:create" : "rule:deny_readonly", "group:delete": "rule:admin_or_owner and rule:deny_readonly", @@ -130,8 +130,8 @@ "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api", "message:delete": "rule:admin_or_owner and rule:deny_readonly", - "message:get": "rule:admin_or_owner", - "message:get_all": "rule:admin_or_owner", + "message:get": "rule:admin_or_owner and rule:deny_readonly", + "message:get_all": "rule:admin_or_owner and rule:deny_readonly", "clusters:get": "rule:admin_api", "clusters:get_all": "rule:admin_api", |