Diffstat (limited to 'etc/neutron/policy.json')
-rw-r--r--etc/neutron/policy.json18
1 files changed, 9 insertions, 9 deletions
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index e4ea2d7..b397281 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -12,7 +12,7 @@
"shared_subnetpools": "field:subnetpools:shared=True",
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
- "default": "rule:admin_or_owner",
+ "default": "rule:admin_or_owner and rule:deny_readonly",
"create_subnet": "rule:admin_or_network_owner and rule:deny_readonly",
"create_subnet:segment_id": "rule:admin_only",
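Review bot: Adding `rule:deny_readonly` to `"default"` applies the deny to every action that has no explicit entry, reads included, because `default` is the fallback rule. The definition of `deny_readonly` is not visible in this diff, but if it rejects the read-only role as its name suggests, that role loses read access to any resource whose `get_*` rule falls through to `default`. The same concern applies to the explicit read rules changed in the later hunks: `get_router`, `get_floatingip`, `get_rbac_policy`, `get_auto_allocated_topology` and `get_trunk`. If the intent is to block writes only, keep the read rules as they were, e.g. `"get_router": "rule:admin_or_owner"`, and give `default` the deny only once every readable resource has its own `get_*` entry. The file is strict JSON and cannot carry a comment, so the intended scope of `deny_readonly` (writes only, or reads too) should be stated in the commit message.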
@@ -101,7 +101,7 @@
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
- "get_router": "rule:admin_or_owner",
+ "get_router": "rule:admin_or_owner and rule:deny_readonly",
"get_router:distributed": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
@@ -141,7 +141,7 @@
"create_floatingip:floating_ip_address": "rule:admin_only",
"update_floatingip": "rule:admin_or_owner and rule:deny_readonly",
"delete_floatingip": "rule:admin_or_owner and rule:deny_readonly",
- "get_floatingip": "rule:admin_or_owner",
+ "get_floatingip": "rule:admin_or_owner and rule:deny_readonly",
"create_network_profile": "rule:admin_only",
"update_network_profile": "rule:admin_only",
@@ -196,18 +196,18 @@
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
"create_rbac_policy": "rule:deny_readonly",
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
- "update_rbac_policy": "rule:admin_or_owner",
- "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
- "get_rbac_policy": "rule:admin_or_owner",
- "delete_rbac_policy": "rule:admin_or_owner",
+ "update_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner and rule:deny_readonly",
+ "get_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
+ "delete_rbac_policy": "rule:admin_or_owner and rule:deny_readonly",
"create_flavor_service_profile": "rule:admin_only",
"delete_flavor_service_profile": "rule:admin_only",
"get_flavor_service_profile": "rule:regular_user",
- "get_auto_allocated_topology": "rule:admin_or_owner",
+ "get_auto_allocated_topology": "rule:admin_or_owner and rule:deny_readonly",
"create_trunk": "rule:regular_user and rule:deny_readonly",
- "get_trunk": "rule:admin_or_owner",
+ "get_trunk": "rule:admin_or_owner and rule:deny_readonly",
"delete_trunk": "rule:admin_or_owner and rule:deny_readonly",
"get_subports": "",
"add_subports": "rule:admin_or_owner and rule:deny_readonly",
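Review bot: After this hunk `"get_trunk"` requires `rule:deny_readonly`, while the unchanged `"get_subports": ""` below it is an empty rule, which always passes. Assuming `deny_readonly` rejects the read-only role, that role can still list a trunk's subports but cannot fetch the trunk itself, so the two read rules for the same resource now disagree. Whichever behaviour is intended, they should match: either keep `"get_trunk": "rule:admin_or_owner"`, or give `get_subports` an explicit rule instead of `""`.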