diff options
Diffstat (limited to 'etc/manila/policy.json')
-rw-r--r-- | etc/manila/policy.json | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/etc/manila/policy.json b/etc/manila/policy.json index c9c7c51..db1408f 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -1,6 +1,6 @@ { "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin", + "context_is_admin": "role:admin and rule:deny_readonly", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", @@ -72,9 +72,9 @@ "share_type:default": "rule:default", "share_type:create": "rule:admin_api", "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api", + "share_type:add_project_access": "rule:admin_api and rule:deny_readonly", "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", + "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly", "share_types_extra_spec:create": "rule:admin_api", "share_types_extra_spec:update": "rule:admin_api", @@ -102,7 +102,7 @@ "share_network:detail": "rule:default", "share_network:show": "rule:default", "share_network:add_security_service": "rule:default", - "share_network:remove_security_service": "rule:default", + "share_network:remove_security_service": "rule:default and rule:deny_readonly", "share_network:get_all_share_networks": "rule:admin_api", "scheduler_stats:pools:index": "rule:admin_api", |