diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/aodh/policy.json | 25 | ||||
-rw-r--r-- | etc/ceilometer/policy.json | 5 | ||||
-rw-r--r-- | etc/cinder/policy.json | 147 | ||||
-rw-r--r-- | etc/glance/policy.json | 53 | ||||
-rw-r--r-- | etc/gnocchi/policy.json | 11 | ||||
-rw-r--r-- | etc/heat/policy.json | 91 | ||||
-rw-r--r-- | etc/ironic/policy.json | 2 | ||||
-rw-r--r-- | etc/keystone/policy.json | 15 | ||||
-rw-r--r-- | etc/manila/policy.json | 13 | ||||
-rw-r--r-- | etc/mistral/policy.json | 98 | ||||
-rw-r--r-- | etc/neutron/policy.json | 97 | ||||
-rw-r--r-- | etc/nova/policy.json | 268 | ||||
-rw-r--r-- | etc/sahara/policy.json | 65 | ||||
-rw-r--r-- | etc/zaqar/policy.json | 31 |
14 files changed, 278 insertions, 643 deletions
diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json index 0ebd883..4fd873e 100644 --- a/etc/aodh/policy.json +++ b/etc/aodh/policy.json @@ -1,21 +1,20 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "segregation": "rule:context_is_admin", "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", - "telemetry:get_alarm": "rule:admin_or_owner and rule:deny_readonly", - "telemetry:get_alarms": "rule:admin_or_owner and rule:deny_readonly", - "telemetry:query_alarm": "rule:admin_or_owner and rule:deny_readonly", + "telemetry:get_alarm": "rule:admin_or_owner", + "telemetry:get_alarms": "rule:admin_or_owner", + "telemetry:query_alarm": "rule:admin_or_owner", - "telemetry:create_alarm": "rule:deny_readonly", - "telemetry:change_alarm": "rule:admin_or_owner and rule:deny_readonly", - "telemetry:delete_alarm": "rule:admin_or_owner and rule:deny_readonly", + "telemetry:create_alarm": "", + "telemetry:change_alarm": "rule:admin_or_owner", + "telemetry:delete_alarm": "rule:admin_or_owner", - "telemetry:get_alarm_state": "rule:admin_or_owner and rule:deny_readonly", - "telemetry:change_alarm_state": "rule:admin_or_owner and rule:deny_readonly", + "telemetry:get_alarm_state": "rule:admin_or_owner", + "telemetry:change_alarm_state": "rule:admin_or_owner", - "telemetry:alarm_history": "rule:admin_or_owner and rule:deny_readonly", - "telemetry:query_alarm_history": "rule:admin_or_owner and rule:deny_readonly" + "telemetry:alarm_history": "rule:admin_or_owner", + "telemetry:query_alarm_history": "rule:admin_or_owner" } diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json index d74e528..a5e836a 100644 --- a/etc/ceilometer/policy.json +++ b/etc/ceilometer/policy.json @@ -1,12 +1,11 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "segregation": "rule:context_is_admin", "telemetry:get_samples": "", "telemetry:get_sample": "", "telemetry:query_sample": "", - "telemetry:create_samples": "rule:deny_readonly", + "telemetry:create_samples": "", "telemetry:compute_statistics": "", "telemetry:get_meters": "", diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json index b1d23d1..8818372 100644 --- a/etc/cinder/policy.json +++ b/etc/cinder/policy.json @@ -1,139 +1,138 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", "admin_api": "is_admin:True", - "volume:create": "rule:deny_readonly", - "volume:delete": "rule:admin_or_owner and rule:deny_readonly", + "volume:create": "", + "volume:delete": "rule:admin_or_owner", "volume:get": "rule:admin_or_owner", "volume:get_all": "rule:admin_or_owner", "volume:get_volume_metadata": "rule:admin_or_owner", - "volume:create_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", - "volume:delete_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", - "volume:update_volume_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume:create_volume_metadata": "rule:admin_or_owner", + "volume:delete_volume_metadata": "rule:admin_or_owner", + "volume:update_volume_metadata": "rule:admin_or_owner", "volume:get_volume_admin_metadata": "rule:admin_api", - "volume:update_volume_admin_metadata": "rule:admin_api and rule:deny_readonly", + "volume:update_volume_admin_metadata": "rule:admin_api", "volume:get_snapshot": "rule:admin_or_owner", "volume:get_all_snapshots": "rule:admin_or_owner", - "volume:create_snapshot": "rule:admin_or_owner and rule:deny_readonly", - "volume:delete_snapshot": "rule:admin_or_owner and rule:deny_readonly", - "volume:update_snapshot": "rule:admin_or_owner and rule:deny_readonly", + "volume:create_snapshot": "rule:admin_or_owner", + "volume:delete_snapshot": "rule:admin_or_owner", + "volume:update_snapshot": "rule:admin_or_owner", "volume:get_snapshot_metadata": "rule:admin_or_owner", - "volume:delete_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly", - "volume:update_snapshot_metadata": "rule:admin_or_owner and rule:deny_readonly", - "volume:extend": "rule:admin_or_owner and rule:deny_readonly", - "volume:update_readonly_flag": "rule:admin_or_owner and rule:deny_readonly", - "volume:retype": "rule:admin_or_owner and rule:deny_readonly", - "volume:update": "rule:admin_or_owner and rule:deny_readonly", + "volume:delete_snapshot_metadata": "rule:admin_or_owner", + "volume:update_snapshot_metadata": "rule:admin_or_owner", + "volume:extend": "rule:admin_or_owner", + "volume:update_readonly_flag": "rule:admin_or_owner", + "volume:retype": "rule:admin_or_owner", + "volume:update": "rule:admin_or_owner", "volume_extension:types_manage": "rule:admin_api", "volume_extension:types_extra_specs": "rule:admin_api", "volume_extension:access_types_qos_specs_id": "rule:admin_api", "volume_extension:access_types_extra_specs": "rule:admin_api", - "volume_extension:volume_type_access": "rule:admin_or_owner and rule:deny_readonly", - "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_type_access": "rule:admin_or_owner", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", "volume_extension:volume_type_encryption": "rule:admin_api", - "volume_extension:volume_encryption_metadata": "rule:admin_or_owner and rule:deny_readonly", - "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner and rule:deny_readonly", - "volume_extension:volume_image_metadata": "rule:admin_or_owner and rule:deny_readonly", + "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", + "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", + "volume_extension:volume_image_metadata": "rule:admin_or_owner", "volume_extension:quotas:show": "", - "volume_extension:quotas:update": "rule:admin_api and rule:deny_readonly", - "volume_extension:quotas:delete": "rule:admin_api and rule:deny_readonly", + "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quotas:delete": "rule:admin_api", "volume_extension:quota_classes": "rule:admin_api", - "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api and rule:deny_readonly", + "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", - "volume_extension:volume_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", - "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", - "volume_extension:backup_admin_actions:reset_status": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_admin_actions:force_detach": "rule:admin_api and rule:deny_readonly", - "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", - "volume_extension:backup_admin_actions:force_delete": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", - "volume_extension:volume_actions:upload_public": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_actions:upload_image": "rule:admin_or_owner and rule:deny_readonly", + "volume_extension:volume_actions:upload_public": "rule:admin_api", + "volume_extension:volume_actions:upload_image": "rule:admin_or_owner", "volume_extension:volume_host_attribute": "rule:admin_api", - "volume_extension:volume_tenant_attribute": "rule:admin_or_owner and rule:deny_readonly", + "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", "volume_extension:volume_mig_status_attribute": "rule:admin_api", "volume_extension:hosts": "rule:admin_api", "volume_extension:services:index": "rule:admin_api", "volume_extension:services:update" : "rule:admin_api", - "volume_extension:volume_manage": "rule:admin_api and rule:deny_readonly", - "volume_extension:volume_unmanage": "rule:admin_api and rule:deny_readonly", + "volume_extension:volume_manage": "rule:admin_api", + "volume_extension:volume_unmanage": "rule:admin_api", "volume_extension:list_manageable": "rule:admin_api", "volume_extension:capabilities": "rule:admin_api", - "volume:create_transfer": "rule:admin_or_owner and rule:deny_readonly", - "volume:accept_transfer": "rule:deny_readonly", - "volume:delete_transfer": "rule:admin_or_owner and rule:deny_readonly", - "volume:get_transfer": "rule:admin_or_owner and rule:deny_readonly", - "volume:get_all_transfers": "rule:admin_or_owner and rule:deny_readonly", + "volume:create_transfer": "rule:admin_or_owner", + "volume:accept_transfer": "", + "volume:delete_transfer": "rule:admin_or_owner", + "volume:get_transfer": "rule:admin_or_owner", + "volume:get_all_transfers": "rule:admin_or_owner", - "volume_extension:replication:promote": "rule:admin_api and rule:deny_readonly", - "volume_extension:replication:reenable": "rule:admin_api and rule:deny_readonly", + "volume_extension:replication:promote": "rule:admin_api", + "volume_extension:replication:reenable": "rule:admin_api", - "volume:failover_host": "rule:admin_api and rule:deny_readonly", - "volume:freeze_host": "rule:admin_api and rule:deny_readonly", - "volume:thaw_host": "rule:admin_api and rule:deny_readonly", + "volume:failover_host": "rule:admin_api", + "volume:freeze_host": "rule:admin_api", + "volume:thaw_host": "rule:admin_api", - "backup:create" : "rule:deny_readonly", - "backup:delete": "rule:admin_or_owner and rule:deny_readonly", + "backup:create" : "", + "backup:delete": "rule:admin_or_owner", "backup:get": "rule:admin_or_owner", "backup:get_all": "rule:admin_or_owner", - "backup:restore": "rule:admin_or_owner and rule:deny_readonly", + "backup:restore": "rule:admin_or_owner", "backup:backup-import": "rule:admin_api", "backup:backup-export": "rule:admin_api", - "backup:update": "rule:admin_or_owner and rule:deny_readonly", + "backup:update": "rule:admin_or_owner", - "snapshot_extension:snapshot_actions:update_snapshot_status": "rule:deny_readonly", - "snapshot_extension:snapshot_manage": "rule:admin_api and rule:deny_readonly", - "snapshot_extension:snapshot_unmanage": "rule:admin_api and rule:deny_readonly", + "snapshot_extension:snapshot_actions:update_snapshot_status": "", + "snapshot_extension:snapshot_manage": "rule:admin_api", + "snapshot_extension:snapshot_unmanage": "rule:admin_api", "snapshot_extension:list_manageable": "rule:admin_api", - "consistencygroup:create" : "group:nobody and rule:deny_readonly", - "consistencygroup:delete": "group:nobody and rule:deny_readonly", - "consistencygroup:update": "group:nobody and rule:deny_readonly", + "consistencygroup:create" : "group:nobody", + "consistencygroup:delete": "group:nobody", + "consistencygroup:update": "group:nobody", "consistencygroup:get": "group:nobody", "consistencygroup:get_all": "group:nobody", - "consistencygroup:create_cgsnapshot" : "group:nobody and rule:deny_readonly", - "consistencygroup:delete_cgsnapshot": "group:nobody and rule:deny_readonly", + "consistencygroup:create_cgsnapshot" : "group:nobody", + "consistencygroup:delete_cgsnapshot": "group:nobody", "consistencygroup:get_cgsnapshot": "group:nobody", "consistencygroup:get_all_cgsnapshots": "group:nobody", "group:group_types_manage": "rule:admin_api", "group:group_types_specs": "rule:admin_api", "group:access_group_types_specs": "rule:admin_api", - "group:group_type_access": "rule:admin_or_owner and rule:deny_readonly", + "group:group_type_access": "rule:admin_or_owner", - "group:create" : "rule:deny_readonly", - "group:delete": "rule:admin_or_owner and rule:deny_readonly", - "group:update": "rule:admin_or_owner and rule:deny_readonly", + "group:create" : "", + "group:delete": "rule:admin_or_owner", + "group:update": "rule:admin_or_owner", "group:get": "rule:admin_or_owner", "group:get_all": "rule:admin_or_owner", - "group:create_group_snapshot": "rule:deny_readonly", - "group:delete_group_snapshot": "rule:admin_or_owner and rule:deny_readonly", - "group:update_group_snapshot": "rule:admin_or_owner and rule:deny_readonly", + "group:create_group_snapshot": "", + "group:delete_group_snapshot": "rule:admin_or_owner", + "group:update_group_snapshot": "rule:admin_or_owner", "group:get_group_snapshot": "rule:admin_or_owner", "group:get_all_group_snapshots": "rule:admin_or_owner", "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api", - "message:delete": "rule:admin_or_owner and rule:deny_readonly", - "message:get": "rule:admin_or_owner and rule:deny_readonly", - "message:get_all": "rule:admin_or_owner and rule:deny_readonly", + "message:delete": "rule:admin_or_owner", + "message:get": "rule:admin_or_owner", + "message:get_all": "rule:admin_or_owner", "clusters:get": "rule:admin_api", "clusters:get_all": "rule:admin_api", - "clusters:update": "rule:admin_api and rule:deny_readonly" + "clusters:update": "rule:admin_api" } diff --git a/etc/glance/policy.json b/etc/glance/policy.json index 7913cf1..0a058c1 100644 --- a/etc/glance/policy.json +++ b/etc/glance/policy.json @@ -1,62 +1,61 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "default": "role:admin", - "add_image": "rule:deny_readonly", - "delete_image": "rule:deny_readonly", + "add_image": "", + "delete_image": "", "get_image": "", "get_images": "", - "modify_image": "rule:deny_readonly", + "modify_image": "", "publicize_image": "role:admin", - "copy_from": "rule:deny_readonly", + "copy_from": "", - "download_image": "rule:deny_readonly", - "upload_image": "rule:deny_readonly", + "download_image": "", + "upload_image": "", - "delete_image_location": "rule:deny_readonly", + "delete_image_location": "", "get_image_location": "", - "set_image_location": "rule:deny_readonly", + "set_image_location": "", - "add_member": "rule:deny_readonly", - "delete_member": "rule:deny_readonly", + "add_member": "", + "delete_member": "", "get_member": "", "get_members": "", - "modify_member": "rule:deny_readonly", + "modify_member": "", "manage_image_cache": "role:admin", "get_task": "role:admin", "get_tasks": "role:admin", - "add_task": "role:admin and rule:deny_readonly", - "modify_task": "role:admin and rule:deny_readonly", + "add_task": "role:admin", + "modify_task": "role:admin", - "deactivate": "rule:deny_readonly", - "reactivate": "rule:deny_readonly", + "deactivate": "", + "reactivate": "", "get_metadef_namespace": "", "get_metadef_namespaces":"", - "modify_metadef_namespace":"rule:deny_readonly", - "add_metadef_namespace":"rule:deny_readonly", + "modify_metadef_namespace":"", + "add_metadef_namespace":"", "get_metadef_object":"", "get_metadef_objects":"", - "modify_metadef_object":"rule:deny_readonly", - "add_metadef_object":"rule:deny_readonly", + "modify_metadef_object":"", + "add_metadef_object":"", "list_metadef_resource_types":"", "get_metadef_resource_type":"", - "add_metadef_resource_type_association":"rule:deny_readonly", + "add_metadef_resource_type_association":"", "get_metadef_property":"", "get_metadef_properties":"", - "modify_metadef_property":"rule:deny_readonly", - "add_metadef_property":"rule:deny_readonly", + "modify_metadef_property":"", + "add_metadef_property":"", "get_metadef_tag":"", "get_metadef_tags":"", - "modify_metadef_tag":"rule:deny_readonly", - "add_metadef_tag":"rule:deny_readonly", - "add_metadef_tags":"rule:deny_readonly" + "modify_metadef_tag":"", + "add_metadef_tag":"", + "add_metadef_tags":"" } diff --git a/etc/gnocchi/policy.json b/etc/gnocchi/policy.json index 9381e11..00aaedd 100644 --- a/etc/gnocchi/policy.json +++ b/etc/gnocchi/policy.json @@ -1,12 +1,11 @@ { - "deny_readonly": "not role:readonly", "admin_or_creator": "role:admin or project_id:%(created_by_project_id)s", "resource_owner": "project_id:%(project_id)s", "metric_owner": "project_id:%(resource.project_id)s", "get status": "role:admin", - "create resource": "rule:deny_readonly", + "create resource": "", "get resource": "rule:admin_or_creator or rule:resource_owner", "update resource": "rule:admin_or_creator", "delete resource": "rule:admin_or_creator", @@ -31,13 +30,13 @@ "list archive policy rule": "", "delete archive policy rule": "role:admin", - "create metric": "rule:deny_readonly", + "create metric": "", "delete metric": "rule:admin_or_creator", - "get metric": "rule:admin_or_creator or rule:metric_owner or role:readonly", + "get metric": "rule:admin_or_creator or rule:metric_owner", "search metric": "rule:admin_or_creator or rule:metric_owner", "list metric": "", - "list all metric": "role:admin or role:readonly", + "list all metric": "role:admin", - "get measures": "rule:admin_or_creator or rule:metric_owner or role:readonly", + "get measures": "rule:admin_or_creator or rule:metric_owner", "post measures": "rule:admin_or_creator" } diff --git a/etc/heat/policy.json b/etc/heat/policy.json index 0f5dd61..c093f33 100644 --- a/etc/heat/policy.json +++ b/etc/heat/policy.json @@ -1,92 +1,3 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", - "project_admin": "role:admin", - "deny_stack_user": "not role:heat_stack_user", - "deny_everybody": "!", - - "cloudformation:ListStacks": "rule:deny_stack_user", - "cloudformation:CreateStack": "rule:deny_stack_user and rule:deny_readonly", - "cloudformation:DescribeStacks": "rule:deny_stack_user", - "cloudformation:DeleteStack": "rule:deny_stack_user and rule:deny_readonly", - "cloudformation:UpdateStack": "rule:deny_stack_user and rule:deny_readonly", - "cloudformation:CancelUpdateStack": "rule:deny_stack_user and rule:deny_readonly", - "cloudformation:DescribeStackEvents": "rule:deny_stack_user", - "cloudformation:ValidateTemplate": "rule:deny_stack_user", - "cloudformation:GetTemplate": "rule:deny_stack_user", - "cloudformation:EstimateTemplateCost": "rule:deny_stack_user", - "cloudformation:DescribeStackResource": "", - "cloudformation:DescribeStackResources": "rule:deny_stack_user", - "cloudformation:ListStackResources": "rule:deny_stack_user", - "cloudwatch:DeleteAlarms": "rule:deny_stack_user and rule:deny_readonly", - "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user", - "cloudwatch:DescribeAlarms": "rule:deny_stack_user", - "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user", - "cloudwatch:DisableAlarmActions": "rule:deny_stack_user and rule:deny_readonly", - "cloudwatch:EnableAlarmActions": "rule:deny_stack_user and rule:deny_readonly", - "cloudwatch:GetMetricStatistics": "rule:deny_stack_user", - "cloudwatch:ListMetrics": "rule:deny_stack_user", - "cloudwatch:PutMetricAlarm": "rule:deny_stack_user", - "cloudwatch:PutMetricData": "", - "cloudwatch:SetAlarmState": "rule:deny_stack_user and rule:deny_readonly", - "actions:action": "rule:deny_stack_user", - "build_info:build_info": "rule:deny_stack_user", - "events:index": "rule:deny_stack_user", - "events:show": "rule:deny_stack_user", - "resource:index": "rule:deny_stack_user", - "resource:metadata": "", - "resource:signal": "", - "resource:mark_unhealthy": "rule:deny_stack_user", - "resource:show": "rule:deny_stack_user", - "stacks:abandon": "rule:deny_stack_user and rule:deny_readonly", - "stacks:create": "rule:deny_stack_user and rule:deny_readonly", - "stacks:delete": "rule:deny_stack_user and rule:deny_readonly", - "stacks:detail": "rule:deny_stack_user", - "stacks:export": "rule:deny_stack_user", - "stacks:generate_template": "rule:deny_stack_user", - "stacks:global_index": "rule:deny_everybody", - "stacks:index": "rule:deny_stack_user", - "stacks:list_resource_types": "rule:deny_stack_user", - "stacks:list_template_versions": "rule:deny_stack_user", - "stacks:list_template_functions": "rule:deny_stack_user", - "stacks:lookup": "", - "stacks:preview": "rule:deny_stack_user", - "stacks:resource_schema": "rule:deny_stack_user", - "stacks:show": "rule:deny_stack_user", - "stacks:template": "rule:deny_stack_user", - "stacks:environment": "rule:deny_stack_user", - "stacks:files": "rule:deny_stack_user", - "stacks:update": "rule:deny_stack_user and rule:deny_readonly", - "stacks:update_patch": "rule:deny_stack_user and rule:deny_readonly", - "stacks:preview_update": "rule:deny_stack_user and rule:deny_readonly", - "stacks:preview_update_patch": "rule:deny_stack_user and rule:deny_readonly", - "stacks:validate_template": "rule:deny_stack_user", - "stacks:snapshot": "rule:deny_stack_user", - "stacks:show_snapshot": "rule:deny_stack_user", - "stacks:delete_snapshot": "rule:deny_stack_user and rule:deny_readonly", - "stacks:list_snapshots": "rule:deny_stack_user", - "stacks:restore_snapshot": "rule:deny_stack_user and rule:deny_readonly", - "stacks:list_outputs": "rule:deny_stack_user", - "stacks:show_output": "rule:deny_stack_user", - "software_configs:global_index": "rule:deny_everybody", - "software_configs:index": "rule:deny_stack_user", - "software_configs:create": "rule:deny_stack_user and rule:deny_readonly", - "software_configs:show": "rule:deny_stack_user", - "software_configs:delete": "rule:deny_stack_user and rule:deny_readonly", - "software_deployments:index": "rule:deny_stack_user", - "software_deployments:create": "rule:deny_stack_user and rule:deny_readonly", - "software_deployments:show": "rule:deny_stack_user", - "software_deployments:update": "rule:deny_stack_user and rule:deny_readonly", - "software_deployments:delete": "rule:deny_stack_user and rule:deny_readonly", - "software_deployments:metadata": "", - "service:index": "rule:context_is_admin", - "resource_types:OS::Nova::Flavor": "rule:project_admin", - "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin", - "resource_types:OS::Cinder::VolumeType": "rule:project_admin", - "resource_types:OS::Cinder::Quota": "rule:project_admin", - "resource_types:OS::Manila::ShareType": "rule:project_admin", - "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin", - "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin", - "resource_types:OS::Nova::HostAggregate": "rule:project_admin", - "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin" + "context_is_admin": "role:admin","project_admin": "role:admin","deny_stack_user": "not role:heat_stack_user","deny_everybody": "!","cloudformation:ListStacks": "rule:deny_stack_user","cloudformation:CreateStack": "rule:deny_stack_user","cloudformation:DescribeStacks": "rule:deny_stack_user","cloudformation:DeleteStack": "rule:deny_stack_user","cloudformation:UpdateStack": "rule:deny_stack_user","cloudformation:CancelUpdateStack": "rule:deny_stack_user","cloudformation:DescribeStackEvents": "rule:deny_stack_user","cloudformation:ValidateTemplate": "rule:deny_stack_user","cloudformation:GetTemplate": "rule:deny_stack_user","cloudformation:EstimateTemplateCost": "rule:deny_stack_user","cloudformation:DescribeStackResource": "","cloudformation:DescribeStackResources": "rule:deny_stack_user","cloudformation:ListStackResources": "rule:deny_stack_user","cloudwatch:DeleteAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user","cloudwatch:DescribeAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user","cloudwatch:DisableAlarmActions": "rule:deny_stack_user","cloudwatch:EnableAlarmActions": "rule:deny_stack_user","cloudwatch:GetMetricStatistics": "rule:deny_stack_user","cloudwatch:ListMetrics": "rule:deny_stack_user","cloudwatch:PutMetricAlarm": "rule:deny_stack_user","cloudwatch:PutMetricData": "","cloudwatch:SetAlarmState": "rule:deny_stack_user","actions:action": "rule:deny_stack_user","build_info:build_info": "rule:deny_stack_user","events:index": "rule:deny_stack_user","events:show": "rule:deny_stack_user","resource:index": "rule:deny_stack_user","resource:metadata": "","resource:signal": "","resource:mark_unhealthy": "rule:deny_stack_user","resource:show": "rule:deny_stack_user","stacks:abandon": "rule:deny_stack_user","stacks:create": "rule:deny_stack_user","stacks:delete": "rule:deny_stack_user","stacks:detail": "rule:deny_stack_user","stacks:export": "rule:deny_stack_user","stacks:generate_template": "rule:deny_stack_user","stacks:global_index": "rule:deny_everybody","stacks:index": "rule:deny_stack_user","stacks:list_resource_types": "rule:deny_stack_user","stacks:list_template_versions": "rule:deny_stack_user","stacks:list_template_functions": "rule:deny_stack_user","stacks:lookup": "","stacks:preview": "rule:deny_stack_user","stacks:resource_schema": "rule:deny_stack_user","stacks:show": "rule:deny_stack_user","stacks:template": "rule:deny_stack_user","stacks:environment": "rule:deny_stack_user","stacks:files": "rule:deny_stack_user","stacks:update": "rule:deny_stack_user","stacks:update_patch": "rule:deny_stack_user","stacks:preview_update": "rule:deny_stack_user","stacks:preview_update_patch": "rule:deny_stack_user","stacks:validate_template": "rule:deny_stack_user","stacks:snapshot": "rule:deny_stack_user","stacks:show_snapshot": "rule:deny_stack_user","stacks:delete_snapshot": "rule:deny_stack_user","stacks:list_snapshots": "rule:deny_stack_user","stacks:restore_snapshot": "rule:deny_stack_user","stacks:list_outputs": "rule:deny_stack_user","stacks:show_output": "rule:deny_stack_user","software_configs:global_index": "rule:deny_everybody","software_configs:index": "rule:deny_stack_user","software_configs:create": "rule:deny_stack_user","software_configs:show": "rule:deny_stack_user","software_configs:delete": "rule:deny_stack_user","software_deployments:index": "rule:deny_stack_user","software_deployments:create": "rule:deny_stack_user","software_deployments:show": "rule:deny_stack_user","software_deployments:update": "rule:deny_stack_user","software_deployments:delete": "rule:deny_stack_user","software_deployments:metadata": "","service:index": "rule:context_is_admin","resource_types:OS::Nova::Flavor": "rule:project_admin","resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin","resource_types:OS::Cinder::VolumeType": "rule:project_admin","resource_types:OS::Cinder::Quota": "rule:project_admin","resource_types:OS::Manila::ShareType": "rule:project_admin","resource_types:OS::Neutron::QoSPolicy": "rule:project_admin","resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin","resource_types:OS::Nova::HostAggregate": "rule:project_admin","resource_types:OS::Cinder::QoSSpecs": "rule:project_admin" } diff --git a/etc/ironic/policy.json b/etc/ironic/policy.json index 0db3279..1ae73ec 100644 --- a/etc/ironic/policy.json +++ b/etc/ironic/policy.json @@ -1,3 +1,5 @@ +# Beginning with the Newton release, you may leave this file empty +# to use default policy defined in code. { } diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json index f0177fa..1e37bef 100644 --- a/etc/keystone/policy.json +++ b/etc/keystone/policy.json @@ -1,5 +1,4 @@ { - "deny_readonly": "not role:readonly", "admin_required": "role:admin or is_admin:1", "service_role": "role:service", "service_or_admin": "rule:admin_required or rule:service_role", @@ -37,21 +36,21 @@ "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", "identity:list_projects": "rule:admin_required", - "identity:list_user_projects": "rule:admin_or_owner and rule:deny_readonly", + "identity:list_user_projects": "rule:admin_or_owner", "identity:create_project": "rule:admin_required", "identity:update_project": "rule:admin_required", "identity:delete_project": "rule:admin_required", - "identity:get_user": "rule:admin_or_owner and rule:deny_readonly", + "identity:get_user": "rule:admin_or_owner", "identity:list_users": "rule:admin_required", "identity:create_user": "rule:admin_required", "identity:update_user": "rule:admin_required", "identity:delete_user": "rule:admin_required", - "identity:change_password": "rule:admin_or_owner and rule:deny_readonly", + "identity:change_password": "rule:admin_or_owner", "identity:get_group": "rule:admin_required", "identity:list_groups": "rule:admin_required", - "identity:list_groups_for_user": "rule:admin_or_owner and rule:deny_readonly", + "identity:list_groups_for_user": "rule:admin_or_owner", "identity:create_group": "rule:admin_required", "identity:update_group": "rule:admin_required", "identity:delete_group": "rule:admin_required", @@ -67,8 +66,8 @@ "identity:delete_credential": "rule:admin_required", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_owner and rule:deny_readonly", - "identity:ec2_create_credential": "rule:admin_or_owner and rule:deny_readonly", + "identity:ec2_list_credentials": "rule:admin_or_owner", + "identity:ec2_create_credential": "rule:admin_or_owner", "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:get_role": "rule:admin_required", @@ -113,7 +112,7 @@ "identity:list_trusts": "", "identity:list_roles_for_trust": "", "identity:get_role_for_trust": "", - "identity:delete_trust": "rule:deny_readonly", + "identity:delete_trust": "", "identity:create_consumer": "rule:admin_required", "identity:get_consumer": "rule:admin_required", diff --git a/etc/manila/policy.json b/etc/manila/policy.json index f2002ff..d8188f6 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -1,8 +1,7 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", "admin_api": "is_admin:True", @@ -18,7 +17,7 @@ "service:index": "rule:admin_api", "service:update": "rule:admin_api", - "share:create": "rule:deny_readonly", + "share:create": "", "share:delete": "rule:default", "share:get": "rule:default", "share:get_all": "rule:default", @@ -72,9 +71,9 @@ "share_type:default": "rule:default", "share_type:create": "rule:admin_api", "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api and rule:deny_readonly", + "share_type:add_project_access": "rule:admin_api", "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly", + "share_type:remove_project_access": "rule:admin_api", "share_types_extra_spec:create": "rule:admin_api", "share_types_extra_spec:update": "rule:admin_api", @@ -102,7 +101,7 @@ "share_network:detail": "rule:default", "share_network:show": "rule:default", "share_network:add_security_service": "rule:default", - "share_network:remove_security_service": "rule:default and rule:deny_readonly", + "share_network:remove_security_service": "rule:default", "share_network:get_all_share_networks": "rule:admin_api", "scheduler_stats:pools:index": "rule:admin_api", diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json index a5787af..3278023 100644 --- a/etc/mistral/policy.json +++ b/etc/mistral/policy.json @@ -1,64 +1,64 @@ { "admin_only": "is_admin:True", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", - "action_executions:delete": "rule:admin_or_owner and rule:deny_readonly", - "action_execution:create": "rule:admin_or_owner and rule:deny_readonly", - "action_executions:get": "rule:admin_or_owner and rule:deny_readonly", - "action_executions:list": "rule:admin_or_owner and rule:deny_readonly", - "action_executions:update": "rule:admin_or_owner and rule:deny_readonly", + "action_executions:delete": "rule:admin_or_owner", + "action_execution:create": "rule:admin_or_owner", + "action_executions:get": "rule:admin_or_owner", + "action_executions:list": "rule:admin_or_owner", + "action_executions:update": "rule:admin_or_owner", - "actions:create": "rule:admin_or_owner and rule:deny_readonly", - "actions:delete": "rule:admin_or_owner and rule:deny_readonly", - "actions:get": "rule:admin_or_owner and rule:deny_readonly", - "actions:list": "rule:admin_or_owner and rule:deny_readonly", - "actions:update": "rule:admin_or_owner and rule:deny_readonly", + "actions:create": "rule:admin_or_owner", + "actions:delete": "rule:admin_or_owner", + "actions:get": "rule:admin_or_owner", + "actions:list": "rule:admin_or_owner", + "actions:update": "rule:admin_or_owner", - "cron_triggers:create": "rule:admin_or_owner and rule:deny_readonly", - "cron_triggers:delete": "rule:admin_or_owner and rule:deny_readonly", - "cron_triggers:get": "rule:admin_or_owner and rule:deny_readonly", - "cron_triggers:list": "rule:admin_or_owner and rule:deny_readonly", + "cron_triggers:create": "rule:admin_or_owner", + "cron_triggers:delete": "rule:admin_or_owner", + "cron_triggers:get": "rule:admin_or_owner", + "cron_triggers:list": "rule:admin_or_owner", - "environments:create": "rule:admin_or_owner and rule:deny_readonly", - "environments:delete": "rule:admin_or_owner and rule:deny_readonly", - "environments:get": "rule:admin_or_owner and rule:deny_readonly", - "environments:list": "rule:admin_or_owner and rule:deny_readonly", - "environments:update": "rule:admin_or_owner and rule:deny_readonly", + "environments:create": "rule:admin_or_owner", + "environments:delete": "rule:admin_or_owner", + "environments:get": "rule:admin_or_owner", + "environments:list": "rule:admin_or_owner", + "environments:update": "rule:admin_or_owner", - "executions:create": "rule:admin_or_owner and rule:deny_readonly", - "executions:delete": "rule:admin_or_owner and rule:deny_readonly", - "executions:get": "rule:admin_or_owner and rule:deny_readonly", - "executions:list": "rule:admin_or_owner and rule:deny_readonly", - "executions:update": "rule:admin_or_owner and rule:deny_readonly", + "executions:create": "rule:admin_or_owner", + "executions:delete": "rule:admin_or_owner", + "executions:get": "rule:admin_or_owner", + "executions:list": "rule:admin_or_owner", + "executions:update": "rule:admin_or_owner", - "members:create": "rule:admin_or_owner and rule:deny_readonly", - "members:delete": "rule:admin_or_owner and rule:deny_readonly", - "members:get": "rule:admin_or_owner and rule:deny_readonly", - "members:list": "rule:admin_or_owner and rule:deny_readonly", - "members:update": "rule:admin_or_owner and rule:deny_readonly", + "members:create": "rule:admin_or_owner", + "members:delete": "rule:admin_or_owner", + "members:get": "rule:admin_or_owner", + "members:list": "rule:admin_or_owner", + "members:update": "rule:admin_or_owner", - "services:list": "rule:admin_or_owner and rule:deny_readonly", + "services:list": "rule:admin_or_owner", - "tasks:get": "rule:admin_or_owner and rule:deny_readonly", - "tasks:list": "rule:admin_or_owner and rule:deny_readonly", - "tasks:update": "rule:admin_or_owner and rule:deny_readonly", + "tasks:get": "rule:admin_or_owner", + "tasks:list": "rule:admin_or_owner", + "tasks:update": "rule:admin_or_owner", - "workbooks:create": "rule:admin_or_owner and rule:deny_readonly", - "workbooks:delete": "rule:admin_or_owner and rule:deny_readonly", - "workbooks:get": "rule:admin_or_owner and rule:deny_readonly", - "workbooks:list": "rule:admin_or_owner and rule:deny_readonly", - "workbooks:update": "rule:admin_or_owner and rule:deny_readonly", + "workbooks:create": "rule:admin_or_owner", + "workbooks:delete": "rule:admin_or_owner", + "workbooks:get": "rule:admin_or_owner", + "workbooks:list": "rule:admin_or_owner", + "workbooks:update": "rule:admin_or_owner", - "workflows:create": "rule:admin_or_owner and rule:deny_readonly", - "workflows:delete": "rule:admin_or_owner and rule:deny_readonly", - "workflows:get": "rule:admin_or_owner and rule:deny_readonly", - "workflows:list": "rule:admin_or_owner and rule:deny_readonly", - "workflows:update": "rule:admin_or_owner and rule:deny_readonly", + "workflows:create": "rule:admin_or_owner", + "workflows:delete": "rule:admin_or_owner", + "workflows:get": "rule:admin_or_owner", + "workflows:list": "rule:admin_or_owner", + "workflows:update": "rule:admin_or_owner", - "event_triggers:create": "rule:admin_or_owner and rule:deny_readonly", - "event_triggers:delete": "rule:admin_or_owner and rule:deny_readonly", - "event_triggers:get": "rule:admin_or_owner and rule:deny_readonly", - "event_triggers:list": "rule:admin_or_owner and rule:deny_readonly", - "event_triggers:update": "rule:admin_or_owner and rule:deny_readonly" + "event_triggers:create": "rule:admin_or_owner", + "event_triggers:delete": "rule:admin_or_owner", + "event_triggers:get": "rule:admin_or_owner", + "event_triggers:list": "rule:admin_or_owner", + "event_triggers:update": "rule:admin_or_owner" } diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json index b397281..cd6662b 100644 --- a/etc/neutron/policy.json +++ b/etc/neutron/policy.json @@ -1,44 +1,43 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", - "owner": "tenant_id:%(tenant_id)s and rule:deny_readonly", + "context_is_admin": "role:admin", + "owner": "tenant_id:%(tenant_id)s", "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc and rule:deny_readonly", + "context_is_advsvc": "role:advsvc", "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s or role:network_admin", "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin and rule:deny_readonly", - "regular_user": "rule:deny_readonly", + "admin_only": "rule:context_is_admin", + "regular_user": "", "shared": "field:networks:shared=True", "shared_subnetpools": "field:subnetpools:shared=True", "shared_address_scopes": "field:address_scopes:shared=True", "external": "field:networks:router:external=True", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", - "create_subnet": "rule:admin_or_network_owner and rule:deny_readonly", + "create_subnet": "rule:admin_or_network_owner", "create_subnet:segment_id": "rule:admin_only", "create_subnet:service_types": "rule:admin_only", "get_subnet": "rule:admin_or_owner or rule:shared", "get_subnet:segment_id": "rule:admin_only", - "update_subnet": "rule:admin_or_network_owner and rule:deny_readonly", + "update_subnet": "rule:admin_or_network_owner", "update_subnet:service_types": "rule:admin_only", - "delete_subnet": "rule:admin_or_network_owner and rule:deny_readonly", + "delete_subnet": "rule:admin_or_network_owner", - "create_subnetpool": "rule:deny_readonly", + "create_subnetpool": "", "create_subnetpool:shared": "rule:admin_only", "create_subnetpool:is_default": "rule:admin_only", "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", - "update_subnetpool": "rule:admin_or_owner and rule:deny_readonly", + "update_subnetpool": "rule:admin_or_owner", "update_subnetpool:is_default": "rule:admin_only", - "delete_subnetpool": "rule:admin_or_owner and rule:deny_readonly", + "delete_subnetpool": "rule:admin_or_owner", - "create_address_scope": "rule:deny_readonly", + "create_address_scope": "", "create_address_scope:shared": "rule:admin_only", "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", - "update_address_scope": "rule:admin_or_owner and rule:deny_readonly", + "update_address_scope": "rule:admin_or_owner", "update_address_scope:shared": "rule:admin_only", - "delete_address_scope": "rule:admin_or_owner and rule:deny_readonly", + "delete_address_scope": "rule:admin_or_owner", - "create_network": "rule:deny_readonly", + "create_network": "", "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", "get_network:router:external": "rule:regular_user", "get_network:segments": "rule:admin_only", @@ -55,22 +54,22 @@ "create_network:provider:network_type": "rule:admin_only", "create_network:provider:physical_network": "rule:admin_only", "create_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner and rule:deny_readonly", + "update_network": "rule:admin_or_owner", "update_network:segments": "rule:admin_only", "update_network:shared": "rule:admin_only", "update_network:provider:network_type": "rule:admin_only", "update_network:provider:physical_network": "rule:admin_only", "update_network:provider:segmentation_id": "rule:admin_only", "update_network:router:external": "rule:admin_only", - "delete_network": "rule:admin_or_owner and rule:deny_readonly", + "delete_network": "rule:admin_or_owner", - "create_segment": "rule:admin_only and rule:deny_readonly", + "create_segment": "rule:admin_only", "get_segment": "rule:admin_only", - "update_segment": "rule:admin_only and rule:deny_readonly", - "delete_segment": "rule:admin_only and rule:deny_readonly", + "update_segment": "rule:admin_only", + "delete_segment": "rule:admin_only", "network_device": "field:port:device_owner=~^network:", - "create_port": "rule:deny_readonly", + "create_port": "", "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", @@ -78,7 +77,7 @@ "create_port:binding:host_id": "rule:admin_only", "create_port:binding:profile": "rule:admin_only", "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:allowed_address_pairs": "rule:admin_or_network_owner and rule:deny_readonly", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner", "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", "get_port:queue_id": "rule:admin_only", "get_port:binding:vif_type": "rule:admin_only", @@ -90,32 +89,32 @@ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:binding:host_id": "rule:admin_only and rule:deny_readonly", - "update_port:binding:profile": "rule:admin_only and rule:deny_readonly", + "update_port:binding:host_id": "rule:admin_only", + "update_port:binding:profile": "rule:admin_only", "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:allowed_address_pairs": "rule:admin_or_network_owner and rule:deny_readonly", + "update_port:allowed_address_pairs": "rule:admin_or_network_owner", "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", "get_router:ha": "rule:admin_only", - "create_router": "rule:regular_user and rule:deny_readonly", + "create_router": "rule:regular_user", "create_router:external_gateway_info:enable_snat": "rule:admin_only", "create_router:distributed": "rule:admin_only", "create_router:ha": "rule:admin_only", - "get_router": "rule:admin_or_owner and rule:deny_readonly", + "get_router": "rule:admin_or_owner", "get_router:distributed": "rule:admin_only", "update_router:external_gateway_info:enable_snat": "rule:admin_only", "update_router:distributed": "rule:admin_only", "update_router:ha": "rule:admin_only", - "delete_router": "rule:admin_or_owner and rule:deny_readonly", + "delete_router": "rule:admin_or_owner", - "add_router_interface": "rule:admin_or_owner and rule:deny_readonly", - "remove_router_interface": "rule:admin_or_owner and rule:deny_readonly", + "add_router_interface": "rule:admin_or_owner", + "remove_router_interface": "rule:admin_or_owner", "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "insert_rule": "rule:admin_or_owner and rule:deny_readonly", - "remove_rule": "rule:admin_or_owner and rule:deny_readonly", + "insert_rule": "rule:admin_or_owner", + "remove_rule": "rule:admin_or_owner", "create_qos_queue": "rule:admin_only", "get_qos_queue": "rule:admin_only", @@ -137,11 +136,11 @@ "get_agent-loadbalancers": "rule:admin_only", "get_loadbalancer-hosting-agent": "rule:admin_only", - "create_floatingip": "rule:regular_user and rule:deny_readonly", + "create_floatingip": "rule:regular_user", "create_floatingip:floating_ip_address": "rule:admin_only", - "update_floatingip": "rule:admin_or_owner and rule:deny_readonly", - "delete_floatingip": "rule:admin_or_owner and rule:deny_readonly", - "get_floatingip": "rule:admin_or_owner and rule:deny_readonly", + "update_floatingip": "rule:admin_or_owner", + "delete_floatingip": "rule:admin_or_owner", + "get_floatingip": "rule:admin_or_owner", "create_network_profile": "rule:admin_only", "update_network_profile": "rule:admin_only", @@ -194,22 +193,22 @@ "update_policy_minimum_bandwidth_rule": "rule:admin_only", "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", - "create_rbac_policy": "rule:deny_readonly", + "create_rbac_policy": "", "create_rbac_policy:target_tenant": "rule:restrict_wildcard", - "update_rbac_policy": "rule:admin_or_owner and rule:deny_readonly", - "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner and rule:deny_readonly", - "get_rbac_policy": "rule:admin_or_owner and rule:deny_readonly", - "delete_rbac_policy": "rule:admin_or_owner and rule:deny_readonly", + "update_rbac_policy": "rule:admin_or_owner", + "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", + "get_rbac_policy": "rule:admin_or_owner", + "delete_rbac_policy": "rule:admin_or_owner", "create_flavor_service_profile": "rule:admin_only", "delete_flavor_service_profile": "rule:admin_only", "get_flavor_service_profile": "rule:regular_user", - "get_auto_allocated_topology": "rule:admin_or_owner and rule:deny_readonly", + "get_auto_allocated_topology": "rule:admin_or_owner", - "create_trunk": "rule:regular_user and rule:deny_readonly", - "get_trunk": "rule:admin_or_owner and rule:deny_readonly", - "delete_trunk": "rule:admin_or_owner and rule:deny_readonly", + "create_trunk": "rule:regular_user", + "get_trunk": "rule:admin_or_owner", + "delete_trunk": "rule:admin_or_owner", "get_subports": "", - "add_subports": "rule:admin_or_owner and rule:deny_readonly", - "remove_subports": "rule:admin_or_owner and rule:deny_readonly" + "add_subports": "rule:admin_or_owner", + "remove_subports": "rule:admin_or_owner" } diff --git a/etc/nova/policy.json b/etc/nova/policy.json index 12e5042..2c63c08 100644 --- a/etc/nova/policy.json +++ b/etc/nova/policy.json @@ -1,270 +1,2 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", - "owner": "tenant_id:%(tenant_id)s and rule:deny_readonly", - - "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s or role:network_admin", - "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin and rule:deny_readonly", - "regular_user": "rule:deny_readonly", - - "os_compute_api:os-extended-volumes": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:create:forced_host": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-volumes:discoverable": "@", - "os_compute_api:os-fping": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-floating-ips": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:start": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-hosts:discoverable": "@", - "os_compute_api:os-server-tags:delete_all": "@", - "os_compute_api:servers:index:get_all_tenants": "rule:admin_api", - "os_compute_api:os-console-auth-tokens:discoverable": "@", - "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-tenant-networks": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:limits:discoverable": "@", - "os_compute_api:os-evacuate:discoverable": "@", - "os_compute_api:os-rescue:discoverable": "@", - "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner", - "context_is_admin": "role:admin and rule:deny_readonly", - "os_compute_api:server-metadata:index": "rule:admin_or_owner", - "os_compute_api:os-server-groups": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-cells:discoverable": "@", - "os_compute_api:os-aggregates:set_metadata": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-deferred-delete:discoverable": "@", - "os_compute_api:os-certificates:discoverable": "@", - "os_compute_api:server-metadata:show": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-hide-server-addresses:discoverable": "@", - "os_compute_api:os-extended-server-attributes": "rule:admin_api", - "os_compute_api:os-remote-consoles:discoverable": "@", - "os_compute_api:os-agents": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner", - "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-instance-actions:events": "rule:admin_api", - "os_compute_api:os-scheduler-hints:discoverable": "@", - "os_compute_api:os-flavor-manage": "rule:admin_api", - "os_compute_api:server-metadata:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-shelve:shelve": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:server-metadata:discoverable": "@", - "os_compute_api:os-aggregates:add_host": "rule:admin_api", - "os_compute_api:os-cells:update": "rule:admin_api", - "os_compute_api:os-server-diagnostics": "rule:admin_api", - "os_compute_api:versions:discoverable": "@", - "os_compute_api:os-admin-actions:discoverable": "@", - "os_compute_api:servers:update": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-migrations:index": "rule:admin_api", - "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", - "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner", - "os_compute_api:os-block-device-mapping-v1:discoverable": "@", - "os_compute_api:os-admin-actions:reset_state": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:show": "rule:admin_or_owner", - "os_compute_api:os-fping:all_tenants": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-server-tags:index": "@", - "os_compute_api:servers:confirm_resize": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-networks:discoverable": "@", - "os_compute_api:os-aggregates:discoverable": "@", - "os_compute_api:os-volumes-attachments:discoverable": "@", - "os_compute_api:os-floating-ips-bulk:discoverable": "@", - "os_compute_api:os-flavor-extra-specs:discoverable": "@", - "os_compute_api:os-consoles:show": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:migrations:show": "rule:admin_api", - "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", - "os_compute_api:image-metadata:discoverable": "@", - "os_compute_api:os-migrate-server:migrate": "rule:admin_api and rule:deny_readonly", - "os_compute_api:extensions": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", - "os_compute_api:os-security-groups": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-migrate-server:discoverable": "@", - "os_compute_api:os-fping:discoverable": "@", - "os_compute_api:os-keypairs:discoverable": "@", - "os_compute_api:os-extended-status:discoverable": "@", - "os_compute_api:os-config-drive:discoverable": "@", - "os_compute_api:os-pci:index": "rule:admin_api", - "os_compute_api:ips:discoverable": "@", - "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", - "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-availability-zone:list": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-pause-server:discoverable": "@", - "os_compute_api:server-migrations:discoverable": "@", - "os_compute_api:extension_info:discoverable": "@", - "os_compute_api:os-pci:detail": "rule:admin_api", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "os_compute_api:os-server-diagnostics:discoverable": "@", - "os_compute_api:os-multiple-create:discoverable": "@ and rule:deny_readonly", - "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner and rule:deny_readonly", - "cells_scheduler_filter:TargetCellFilter": "is_admin:True", - "network:attach_external_network": "is_admin:True", - "os_compute_api:os-cloudpipe": "rule:admin_api", - "os_compute_api:os-certificates:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-server-usage": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-services": "rule:admin_api", - "os_compute_api:servers:migrations:force_complete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:servers:index": "rule:admin_or_owner", - "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-flavor-rxtx:discoverable": "@", - "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-admin-actions": "rule:admin_api", - "os_compute_api:os-server-tags:update_all": "@", - "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-quota-sets:update": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-floating-ip-pools:discoverable": "@", - "os_compute_api:os-console-output:discoverable": "@", - "os_compute_api:servers:show:host_status": "rule:admin_api", - "os_compute_api:os-aggregates:index": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", - "os_compute_api:os-server-groups:discoverable": "@", - "os_compute_api:os-aggregates:create": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-instance-usage-audit-log:discoverable": "@", - "os_compute_api:os-tenant-networks:discoverable": "@", - "os_compute_api:os-fixed-ips:discoverable": "@", - "os_compute_api:os-extended-status": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-instance-actions": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:server-metadata:update_all": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:reboot": "rule:admin_or_owner and rule:deny_readonly", - "cells_scheduler_filter:DifferentCellFilter": "is_admin:True", - "os_compute_api:os-availability-zone:discoverable": "@", - "os_compute_api:os-extended-server-attributes:discoverable": "@", - "os_compute_api:os-server-password": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-suspend-server:discoverable": "@", - "os_compute_api:servers:delete": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-console-auth-tokens": "rule:admin_api", - "os_compute_api:ips:show": "rule:admin_or_owner", - "os_compute_api:os-hypervisors:discoverable": "@", - "os_compute_api:os-attach-interfaces": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:migrations:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-multinic": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-extended-availability-zone:discoverable": "@", - "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-lock-server:discoverable": "@", - "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", - "os_compute_api:os-evacuate": "rule:admin_api", - "os_compute_api:servers:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-aggregates:remove_host": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-baremetal-nodes:discoverable": "@", - "os_compute_api:os-console-output": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-aggregates:update": "rule:admin_api", - "os_compute_api:images:discoverable": "@", - "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-shelve:discoverable": "@", - "os_compute_api:servers:create_image": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-consoles:discoverable": "@", - "os_compute_api:os-consoles:create": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:revert_resize": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-pause-server:pause": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-floating-ips-bulk": "rule:admin_api", - "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", - "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", - "os_compute_api:os-volumes-attachments:update": "rule:admin_api", - "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", - "os_compute_api:os-hypervisors": "rule:admin_api", - "os_compute_api:os-consoles:delete": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-networks-associate": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-remote-consoles": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:limits": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-cells:create": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-create-backup:discoverable": "@", - "os_compute_api:os-agents:discoverable": "@", - "os_compute_api:os-create-backup": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-security-group-default-rules:discoverable": "@", - "os_compute_api:os-aggregates:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:server-metadata:delete": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-rescue": "rule:admin_or_owner and rule:deny_readonly", - "admin_api": "is_admin:True", - "os_compute_api:os-server-tags:delete": "@", - "os_compute_api:flavors:discoverable": "@", - "os_compute_api:os-cloudpipe:discoverable": "@", - "os_compute_api:os-fixed-ips": "rule:admin_api", - "os_compute_api:os-admin-password:discoverable": "@", - "os_compute_api:servers:resize": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", - "os_compute_api:os-pci:pci_servers": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-server-password:discoverable": "@", - "os_compute_api:os-cells": "rule:admin_api", - "os_compute_api:os-admin-actions:reset_network": "rule:admin_api and rule:deny_readonly", - "os_compute_api:image-size:discoverable": "@", - "os_compute_api:os-certificates:show": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-config-drive": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-networks:view": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-consoles:index": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-quota-class-sets:discoverable": "@", - "os_compute_api:os-used-limits": "rule:admin_api", - "os_compute_api:os-flavor-access:discoverable": "@", - "os_compute_api:os-quota-sets:defaults": "@", - "os_compute_api:servers:detail": "rule:admin_or_owner", - "os_compute_api:os-server-external-events:create": "rule:admin_api", - "os_compute_api:os-lock-server:lock": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-block-device-mapping:discoverable": "@", - "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner", - "os_compute_api:os-extended-volumes:discoverable": "@", - "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-pci:show": "rule:admin_api", - "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-security-groups:discoverable": "@", - "os_compute_api:ips:index": "rule:admin_or_owner", - "os_compute_api:os-assisted-volume-snapshots:discoverable": "@", - "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", - "os_compute_api:os-attach-interfaces:discoverable": "@", - "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-quota-sets:show": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-server-tags:update": "@", - "os_compute_api:os-quota-class-sets:update": "rule:admin_api", - "os_compute_api:flavors": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:servers:discoverable": "@", - "os_compute_api:os-flavor-manage:discoverable": "@", - "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:image-size": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-deferred-delete": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-hide-server-addresses": "is_admin:False", - "os_compute_api:os-admin-password": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-server-tags:show": "@", - "os_compute_api:servers:rebuild": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-used-limits:discoverable": "@", - "os_compute_api:os-quota-sets:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-floating-ip-dns:discoverable": "@", - "os_compute_api:os-availability-zone:detail": "rule:admin_api", - "os_compute_api:os-server-usage:discoverable": "@", - "os_compute_api:os-keypairs": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-quota-sets:discoverable": "@", - "os_compute_api:os-virtual-interfaces:discoverable": "@", - "os_compute_api:os-aggregates:show": "rule:admin_api", - "os_compute_api:os-cells:sync_instances": "rule:admin_api", - "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api", - "os_compute_api:os-services:discoverable": "@", - "os_compute_api:extensions:discoverable": "@", - "os_compute_api:servers:stop": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-volumes": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-server-tags:discoverable": "@", - "os_compute_api:os-baremetal-nodes": "rule:admin_api", - "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-simple-tenant-usage:discoverable": "@", - "os_compute_api:os-networks": "rule:admin_api", - "os_compute_api:os-pci:discoverable": "@", - "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-cells:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-floating-ips:discoverable": "@", - "os_compute_api:os-security-group-default-rules": "rule:admin_api", - "os_compute_api:os-user-data:discoverable": "@", - "os_compute_api:servers:migrations:index": "rule:admin_api", - "os_compute_api:os-flavor-access": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-multinic:discoverable": "@", - "os_compute_api:os-networks-associate:discoverable": "@", - "os_compute_api:os-quota-sets:detail": "rule:admin_api", - "os_compute_api:servers:create:attach_network": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-instance-actions:discoverable": "@", - "os_compute_api:os-server-external-events:discoverable": "@", - "os_compute_api:os-hosts": "rule:admin_api", - "os_compute_api:os-migrations:discoverable": "@", - "os_compute_api:server-metadata:update": "rule:admin_or_owner and rule:deny_readonly", - "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api and rule:deny_readonly", - "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner and rule:deny_readonly" } diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json index bfab46f..789dafc 100644 --- a/etc/sahara/policy.json +++ b/etc/sahara/policy.json @@ -1,74 +1,73 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "default": "", "data-processing:clusters:get_all": "", - "data-processing:clusters:create": "rule:deny_readonly", - "data-processing:clusters:scale": "rule:deny_readonly", + "data-processing:clusters:create": "", + "data-processing:clusters:scale": "", "data-processing:clusters:get": "", - "data-processing:clusters:delete": "rule:deny_readonly", - "data-processing:clusters:modify": "rule:deny_readonly", + "data-processing:clusters:delete": "", + "data-processing:clusters:modify": "", "data-processing:cluster-templates:get_all": "", - "data-processing:cluster-templates:create": "rule:deny_readonly", + "data-processing:cluster-templates:create": "", "data-processing:cluster-templates:get": "", - "data-processing:cluster-templates:modify": "rule:deny_readonly", - "data-processing:cluster-templates:delete": "rule:deny_readonly", + "data-processing:cluster-templates:modify": "", + "data-processing:cluster-templates:delete": "", "data-processing:node-group-templates:get_all": "", - "data-processing:node-group-templates:create": "rule:deny_readonly", + "data-processing:node-group-templates:create": "", "data-processing:node-group-templates:get": "", - "data-processing:node-group-templates:modify": "rule:deny_readonly", - "data-processing:node-group-templates:delete": "rule:deny_readonly", + "data-processing:node-group-templates:modify": "", + "data-processing:node-group-templates:delete": "", "data-processing:plugins:get_all": "", "data-processing:plugins:get": "", "data-processing:plugins:get_version": "", - "data-processing:plugins:convert_config": "rule:deny_readonly", + "data-processing:plugins:convert_config": "", "data-processing:plugins:patch": "role:admin", "data-processing:images:get_all": "", "data-processing:images:get": "", - "data-processing:images:register": "rule:deny_readonly", - "data-processing:images:unregister": "rule:deny_readonly", - "data-processing:images:add_tags": "rule:deny_readonly", - "data-processing:images:remove_tags": "rule:deny_readonly", + "data-processing:images:register": "", + "data-processing:images:unregister": "", + "data-processing:images:add_tags": "", + "data-processing:images:remove_tags": "", "data-processing:job-executions:get_all": "", "data-processing:job-executions:get": "", "data-processing:job-executions:refresh_status": "", - "data-processing:job-executions:cancel": "rule:deny_readonly", - "data-processing:job-executions:delete": "rule:deny_readonly", - "data-processing:job-executions:modify": "rule:deny_readonly", + "data-processing:job-executions:cancel": "", + "data-processing:job-executions:delete": "", + "data-processing:job-executions:modify": "", "data-processing:data-sources:get_all": "", "data-processing:data-sources:get": "", - "data-processing:data-sources:register": "rule:deny_readonly", - "data-processing:data-sources:delete": "rule:deny_readonly", - "data-processing:data-sources:modify": "rule:deny_readonly", + "data-processing:data-sources:register": "", + "data-processing:data-sources:delete": "", + "data-processing:data-sources:modify": "", "data-processing:jobs:get_all": "", - "data-processing:jobs:create": "rule:deny_readonly", + "data-processing:jobs:create": "", "data-processing:jobs:get": "", - "data-processing:jobs:delete": "rule:deny_readonly", + "data-processing:jobs:delete": "", "data-processing:jobs:get_config_hints": "", - "data-processing:jobs:execute": "rule:deny_readonly", - "data-processing:jobs:modify": "rule:deny_readonly", + "data-processing:jobs:execute": "", + "data-processing:jobs:modify": "", "data-processing:job-binaries:get_all": "", - "data-processing:job-binaries:create": "rule:deny_readonly", + "data-processing:job-binaries:create": "", "data-processing:job-binaries:get": "", - "data-processing:job-binaries:delete": "rule:deny_readonly", + "data-processing:job-binaries:delete": "", "data-processing:job-binaries:get_data": "", - "data-processing:job-binaries:modify": "rule:deny_readonly", + "data-processing:job-binaries:modify": "", "data-processing:job-binary-internals:get_all": "", - "data-processing:job-binary-internals:create": "rule:deny_readonly", + "data-processing:job-binary-internals:create": "", "data-processing:job-binary-internals:get": "", - "data-processing:job-binary-internals:delete": "rule:deny_readonly", + "data-processing:job-binary-internals:delete": "", "data-processing:job-binary-internals:get_data": "", - "data-processing:job-binary-internals:modify": "rule:deny_readonly", + "data-processing:job-binary-internals:modify": "", "data-processing:job-types:get_all": "" } diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json index 9dff654..89d5076 100644 --- a/etc/zaqar/policy.json +++ b/etc/zaqar/policy.json @@ -1,34 +1,33 @@ { - "deny_readonly": "not role:readonly", - "context_is_admin": "role:admin and rule:deny_readonly", + "context_is_admin": "role:admin", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner and rule:deny_readonly", + "default": "rule:admin_or_owner", "queues:get_all": "", - "queues:create": "rule:deny_readonly", + "queues:create": "", "queues:get": "", - "queues:delete": "rule:deny_readonly", - "queues:update": "rule:deny_readonly", + "queues:delete": "", + "queues:update": "", "queues:stats": "", "messages:get_all": "", - "messages:create": "rule:deny_readonly", + "messages:create": "", "messages:get": "", - "messages:delete": "rule:deny_readonly", - "messages:delete_all": "rule:deny_readonly", + "messages:delete": "", + "messages:delete_all": "", "claims:get_all": "", - "claims:create": "rule:deny_readonly", + "claims:create": "", "claims:get": "", - "claims:delete": "rule:deny_readonly", - "claims:update": "rule:deny_readonly", + "claims:delete": "", + "claims:update": "", "subscription:get_all": "", - "subscription:create": "rule:deny_readonly", + "subscription:create": "", "subscription:get": "", - "subscription:delete": "rule:deny_readonly", - "subscription:update": "rule:deny_readonly", - "subscription:confirm": "rule:deny_readonly", + "subscription:delete": "", + "subscription:update": "", + "subscription:confirm": "", "pools:get_all": "rule:context_is_admin", "pools:create": "rule:context_is_admin", |