diff options
Diffstat (limited to 'etc/manila/policy.json')
-rw-r--r-- | etc/manila/policy.json | 125 |
1 files changed, 64 insertions, 61 deletions
diff --git a/etc/manila/policy.json b/etc/manila/policy.json index d8188f6..a0b6df6 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -1,27 +1,30 @@ { - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", - "admin_api": "is_admin:True", + "default": "rule:admin or rule:member", "availability_zone:index": "rule:default", - "quota_set:update": "rule:admin_api", + "quota_set:update": "rule:admin", "quota_set:show": "rule:default", - "quota_set:delete": "rule:admin_api", + "quota_set:delete": "rule:admin", "quota_class_set:show": "rule:default", - "quota_class_set:update": "rule:admin_api", + "quota_class_set:update": "rule:admin", - "service:index": "rule:admin_api", - "service:update": "rule:admin_api", + "service:index": "rule:admin", + "service:update": "rule:admin", - "share:create": "", + "share:create": "rule:admin or rule: member", "share:delete": "rule:default", "share:get": "rule:default", "share:get_all": "rule:default", - "share:list_by_share_server_id": "rule:admin_api", + "share:list_by_share_server_id": "rule:admin", "share:update": "rule:default", "share:access_get": "rule:default", "share:access_get_all": "rule:default", @@ -32,54 +35,54 @@ "share:get_share_metadata": "rule:default", "share:delete_share_metadata": "rule:default", "share:update_share_metadata": "rule:default", - "share:migration_start": "rule:admin_api", - "share:migration_complete": "rule:admin_api", - "share:migration_cancel": "rule:admin_api", - "share:migration_get_progress": "rule:admin_api", - "share:reset_task_state": "rule:admin_api", - "share:manage": "rule:admin_api", - "share:unmanage": "rule:admin_api", - "share:force_delete": "rule:admin_api", - "share:reset_status": "rule:admin_api", + "share:migration_start": "rule:admin", + "share:migration_complete": "rule:admin", + "share:migration_cancel": "rule:admin", + "share:migration_get_progress": "rule:admin", + "share:reset_task_state": "rule:admin", + "share:manage": "rule:admin", + "share:unmanage": "rule:admin", + "share:force_delete": "rule:admin", + "share:reset_status": "rule:admin", "share_export_location:index": "rule:default", "share_export_location:show": "rule:default", - "share_instance:index": "rule:admin_api", - "share_instance:show": "rule:admin_api", - "share_instance:force_delete": "rule:admin_api", - "share_instance:reset_status": "rule:admin_api", - "share_instance_export_location:index": "rule:admin_api", - "share_instance_export_location:show": "rule:admin_api", + "share_instance:index": "rule:admin", + "share_instance:show": "rule:admin", + "share_instance:force_delete": "rule:admin", + "share_instance:reset_status": "rule:admin", + "share_instance_export_location:index": "rule:admin", + "share_instance_export_location:show": "rule:admin", "share_snapshot:create_snapshot": "rule:default", "share_snapshot:delete_snapshot": "rule:default", "share_snapshot:get_snapshot": "rule:default", "share_snapshot:get_all_snapshots": "rule:default", "share_snapshot:snapshot_update": "rule:default", - "share_snapshot:manage_snapshot": "rule:admin_api", - "share_snapshot:unmanage_snapshot": "rule:admin_api", - "share_snapshot:force_delete": "rule:admin_api", - "share_snapshot:reset_status": "rule:admin_api", + "share_snapshot:manage_snapshot": "rule:admin", + "share_snapshot:unmanage_snapshot": "rule:admin", + "share_snapshot:force_delete": "rule:admin", + "share_snapshot:reset_status": "rule:admin", - "share_snapshot_instance:detail": "rule:admin_api", - "share_snapshot_instance:index": "rule:admin_api", - "share_snapshot_instance:show": "rule:admin_api", - "share_snapshot_instance:reset_status": "rule:admin_api", + "share_snapshot_instance:detail": "rule:admin", + "share_snapshot_instance:index": "rule:admin", + "share_snapshot_instance:show": "rule:admin", + "share_snapshot_instance:reset_status": "rule:admin", "share_type:index": "rule:default", "share_type:show": "rule:default", "share_type:default": "rule:default", - "share_type:create": "rule:admin_api", - "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api", - "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", - - "share_types_extra_spec:create": "rule:admin_api", - "share_types_extra_spec:update": "rule:admin_api", - "share_types_extra_spec:show": "rule:admin_api", - "share_types_extra_spec:index": "rule:admin_api", - "share_types_extra_spec:delete": "rule:admin_api", + "share_type:create": "rule:admin", + "share_type:delete": "rule:admin", + "share_type:add_project_access": "rule:admin", + "share_type:list_project_access": "rule:admin", + "share_type:remove_project_access": "rule:admin", + + "share_types_extra_spec:create": "rule:admin", + "share_types_extra_spec:update": "rule:admin", + "share_types_extra_spec:show": "rule:admin", + "share_types_extra_spec:index": "rule:admin", + "share_types_extra_spec:delete": "rule:admin", "security_service:create": "rule:default", "security_service:delete": "rule:default", @@ -87,12 +90,12 @@ "security_service:show": "rule:default", "security_service:index": "rule:default", "security_service:detail": "rule:default", - "security_service:get_all_security_services": "rule:admin_api", + "security_service:get_all_security_services": "rule:admin", - "share_server:index": "rule:admin_api", - "share_server:show": "rule:admin_api", - "share_server:details": "rule:admin_api", - "share_server:delete": "rule:admin_api", + "share_server:index": "rule:admin", + "share_server:show": "rule:admin", + "share_server:details": "rule:admin", + "share_server:delete": "rule:admin", "share_network:create": "rule:default", "share_network:delete": "rule:default", @@ -102,21 +105,21 @@ "share_network:show": "rule:default", "share_network:add_security_service": "rule:default", "share_network:remove_security_service": "rule:default", - "share_network:get_all_share_networks": "rule:admin_api", + "share_network:get_all_share_networks": "rule:admin", - "scheduler_stats:pools:index": "rule:admin_api", - "scheduler_stats:pools:detail": "rule:admin_api", + "scheduler_stats:pools:index": "rule:admin", + "scheduler_stats:pools:detail": "rule:admin", "consistency_group:create" : "rule:default", "consistency_group:delete": "rule:default", "consistency_group:update": "rule:default", "consistency_group:get": "rule:default", "consistency_group:get_all": "rule:default", - "consistency_group:force_delete": "rule:admin_api", - "consistency_group:reset_status": "rule:admin_api", + "consistency_group:force_delete": "rule:admin", + "consistency_group:reset_status": "rule:admin", - "cgsnapshot:force_delete": "rule:admin_api", - "cgsnapshot:reset_status": "rule:admin_api", + "cgsnapshot:force_delete": "rule:admin", + "cgsnapshot:reset_status": "rule:admin", "cgsnapshot:create" : "rule:default", "cgsnapshot:update" : "rule:default", "cgsnapshot:delete": "rule:default", @@ -128,8 +131,8 @@ "share_replica:create" : "rule:default", "share_replica:delete": "rule:default", "share_replica:promote": "rule:default", - "share_replica:resync": "rule:admin_api", - "share_replica:reset_status": "rule:admin_api", - "share_replica:force_delete": "rule:admin_api", - "share_replica:reset_replica_state": "rule:admin_api" + "share_replica:resync": "rule:admin", + "share_replica:reset_status": "rule:admin", + "share_replica:force_delete": "rule:admin", + "share_replica:reset_replica_state": "rule:admin" } |