Diffstat (limited to 'etc/nova/policy.json')
-rw-r--r--etc/nova/policy.json28
1 files changed, 13 insertions, 15 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 756ed11..6d71921 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -1,11 +1,9 @@
{
"readonly": "(project_id:%(project_id)s and role:readonly)",
- "domain_readonly": "(domain_id:%(domain_id)s and role:readonly)",
- "global_readonly": "(role:readonly)",
+ "global_readonly": "(role:global_readonly)",
"_member_role": "(role:member or role:_member_)",
"member": "(project_id:%(project_id)s and rule:_member_role)",
- "domain_member": "(domain_id:%(domain_id)s and rule:_member_role)",
"admin": "(is_admin:True or role:admin)",
"owner": "(user_id:%(user_id)s and rule:_member_role)",
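Review bot: The redefined `global_readonly` rule is `(role:global_readonly)` with no `project_id:%(project_id)s` term, unlike `readonly` and `member` next to it, so the check passes for a holder of that role whatever the target project is. That is presumably the intent of a "global" role, but strict JSON cannot carry a comment, so the commit message or deployment docs should say that the role is unscoped and who may be assigned it. The same hunk deletes `domain_readonly` and `domain_member`, and the rest of the file lies outside the visible hunks. Check that no remaining rule still references `rule:domain_readonly` or `rule:domain_member`; as far as I know oslo.policy evaluates a reference to an undefined rule as a denial rather than reporting an error, so a leftover reference would fail silently.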
@@ -15,7 +13,7 @@
"os_compute_api:servers:create:forced_host": "rule:admin",
"os_compute_api:os-aggregates:remove_host": "rule:admin",
"os_compute_api:os-console-output": "rule:admin or rule:member",
- "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-aggregates:update": "rule:admin",
"os_compute_api:os-pci:pci_servers": "rule:admin or rule:member",
"os_compute_api:servers:start": "rule:admin or rule:member",
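Review bot: The expression `rule:admin or rule:member or rule:readonly or rule:global_readonly` is spelled out in full on `os_compute_api:os-floating-ips` here and again in the hunks for `limits`, `os-flavor-extra-specs:show`/`index`, `os-flavor-rxtx`, `os-quota-sets:show`, `image-size`, `os-floating-ip-pools`, `os-availability-zone:list` and `os-flavor-access`. Because the file already composes rules by reference (`rule:_member_role`), a single alias would keep these entries from drifting apart the next time a reader role is added or removed. For example, with a name of your choosing, define `"any_reader": "rule:admin or rule:member or rule:readonly or rule:global_readonly"` and use `"os_compute_api:os-floating-ips": "rule:any_reader"`. With one definition, an audit of who can read these endpoints starts from a single line.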
@@ -39,7 +37,7 @@
"os_compute_api:os-volumes-attachments:index": "rule:admin or rule:member",
"os_compute_api:os-pci:show": "rule:admin",
"os_compute_api:os-remote-consoles": "rule:admin or rule:member",
- "os_compute_api:limits": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:limits": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-cells:create": "rule:admin",
"os_compute_api:os-aggregates:delete": "rule:admin",
"os_compute_api:servers:migrations:show": "rule:admin",
@@ -53,7 +51,7 @@
"os_compute_api:os-rescue": "rule:admin or rule:member",
"os_compute_api:os-agents": "rule:admin",
"os_compute_api:os-server-tags:delete": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-attach-interfaces:delete": "rule:admin or rule:member",
"os_compute_api:os-extended-availability-zone": "rule:admin or rule:member",
"os_compute_api:os-instance-actions:events": "rule:admin",
@@ -80,12 +78,12 @@
"os_compute_api:os-used-limits": "rule:admin",
"os_compute_api:os-migrations:index": "rule:admin",
"os_compute_api:os-admin-actions:reset_state": "rule:admin",
- "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-quota-sets:defaults": "@",
"os_compute_api:os-fping:all_tenants": "rule:admin",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin",
"os_compute_api:os-lock-server:lock": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin or rule:member",
"os_compute_api:os-extended-status": "rule:admin or rule:member",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin",
@@ -96,16 +94,16 @@
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin",
"os_compute_api:servers:create:attach_volume": "rule:admin or rule:member",
"os_compute_api:os-server-tags:update_all": "@",
- "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-server-tags:update": "@",
"os_compute_api:os-quota-class-sets:update": "rule:admin",
- "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-migrate-server:migrate": "rule:admin",
"os_compute_api:extensions": "rule:admin or rule:member",
"os_compute_api:flavors": "rule:admin or rule:member",
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin or rule:member",
- "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:os-volumes-attachments:show": "rule:admin or rule:member",
"os_compute_api:os-security-groups": "rule:admin or rule:member",
"os_compute_api:os-keypairs:show": "rule:admin or user_id:%(user_id)s",
@@ -114,15 +112,15 @@
"os_compute_api:os-hide-server-addresses": "is_admin:False",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin",
"os_compute_api:os-pause-server:unpause": "rule:admin or rule:member",
- "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:servers:detail": "rule:admin or rule:member",
"os_compute_api:servers:stop": "rule:admin or rule:member",
"os_compute_api:os-pci:detail": "rule:admin",
"os_compute_api:servers:rebuild": "rule:admin or rule:member",
"os_compute_api:ips:index": "rule:admin or rule:member",
"os_compute_api:os-quota-sets:delete": "rule:admin",
- "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly",
- "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly",
+ "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly or rule:global_readonly",
+ "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly or rule:global_readonly",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"os_compute_api:os-keypairs": "rule:admin or rule:member",
"os_compute_api:servers:show": "rule:admin or rule:member",
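Review bot: `os_compute_api:os-quota-sets:detail` and `os_compute_api:os-availability-zone:detail` now accept `rule:global_readonly`, a role check with no project term, while `rule:member` remains excluded from both. In upstream Nova the availability-zone detail call is admin-only by default because its response lists compute hosts and service state per zone, so this entry extends infrastructure topology to every holder of the unscoped role. If that exposure is not required, keep the entry narrower, e.g. `"os_compute_api:os-availability-zone:detail": "rule:admin"`. Otherwise record the decision in the commit message, since the asymmetry with `member` otherwise reads like an oversight.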
@@ -165,7 +163,7 @@
"os_compute_api:servers:reboot": "rule:admin or rule:member",
"cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
"os_compute_api:servers:migrations:index": "rule:admin",
- "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
"os_compute_api:servers:delete": "rule:admin or rule:member",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin",
"os_compute_api:servers:create:attach_network": "rule:admin or rule:member",