Diffstat (limited to 'etc/neutron/policy.json')
-rw-r--r-- | etc/neutron/policy.json | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index e4ea2d7..b397281 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -12,7 +12,7 @@
 "shared_subnetpools": "field:subnetpools:shared=True",
 "shared_address_scopes": "field:address_scopes:shared=True",
 "external": "field:networks:router:external=True",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_owner and rule:deny_readonly",
 "create_subnet": "rule:admin_or_network_owner and rule:deny_readonly",
 "create_subnet:segment_id": "rule:admin_only",
@@ -101,7 +101,7 @@
 "create_router:external_gateway_info:enable_snat": "rule:admin_only",
 "create_router:distributed": "rule:admin_only",
 "create_router:ha": "rule:admin_only",
- "get_router": "rule:admin_or_owner",
+ "get_router": "rule:admin_or_owner and rule:deny_readonly",
 "get_router:distributed": "rule:admin_only",
 "update_router:external_gateway_info:enable_snat": "rule:admin_only",
 "update_router:distributed": "rule:admin_only",
@@ -141,7 +141,7 @@
 "create_floatingip:floating_ip_address": "rule:admin_only",
 "update_floatingip": "rule:admin_or_owner and rule:deny_readonly",
 "delete_floatingip": "rule:admin_or_owner and rule:deny_readonly",
- "get_floatingip": "rule:admin_or_owner",
+ "get_floatingip": "rule:admin_or_owner and rule:deny_readonly",
 "create_network_profile": "rule:admin_only",
 "update_network_profile": "rule:admin_only",
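Review bot: The `default` entry in the first hunk is the fallback for every action that has no rule of its own, so appending `rule:deny_readonly` there changes reads as well as writes for anything not listed in the file. The same question applies to `get_router` and `get_floatingip` in the next two hunks, where the clause is now attached to plain read rules. `deny_readonly` is defined outside these hunks; if it negates a read-only role, that role loses the reads it presumably exists for, and if reads are meant to stay open those lines should remain `"get_router": "rule:admin_or_owner"` and `"get_floatingip": "rule:admin_or_owner"`. Since policy.json cannot carry comments, the commit message should state which of the two is intended, and a policy test that runs a read-only context against a GET and against an unlisted action would pin the behaviour.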
@@ -196,18 +196,18 @@
 "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
 "create_rbac_policy": "rule:deny_readonly",
 "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
- "update_rbac_policy": "rule:admin_or_owner",
- "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
- "get_rbac_policy": "rule:admin_or_owner",
- "delete_rbac_policy": "rule:admin_or_owner",
+ "update_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner and rule:deny_readonly",
+ "get_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
+ "delete_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
 "create_flavor_service_profile": "rule:admin_only",
 "delete_flavor_service_profile": "rule:admin_only",
 "get_flavor_service_profile": "rule:regular_user",
- "get_auto_allocated_topology": "rule:admin_or_owner",
+ "get_auto_allocated_topology": "rule:admin_or_owner and rule:deny_readonly",
 "create_trunk": "rule:regular_user and rule:deny_readonly",
- "get_trunk": "rule:admin_or_owner",
+ "get_trunk": "rule:admin_or_owner and rule:deny_readonly",
 "delete_trunk": "rule:admin_or_owner and rule:deny_readonly",
 "get_subports": "",
 "add_subports": "rule:admin_or_owner and rule:deny_readonly", |
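Review bot: After this hunk `get_trunk` requires `rule:deny_readonly` while `get_subports` is still `""`, which oslo.policy evaluates as always allowed, and `get_flavor_service_profile` is still `rule:regular_user` (defined outside the hunk), so the read rules in this block no longer agree with each other. If the intent is to gate reads for the read-only role, `get_subports` needs an explicit rule as well, for example `"get_subports": "rule:deny_readonly"`; if it is not, the `get_rbac_policy`, `get_auto_allocated_topology` and `get_trunk` additions look unintended. `update_rbac_policy:target_tenant` now repeats the clause already carried by `update_rbac_policy`, whereas `create_rbac_policy:target_tenant` does not; that is presumably harmless if attribute rules are evaluated together with the action rule, but one form should be used for both.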