From 3c70bb60c1c30fbb4fce5ae4f9b87d1d6ff65593 Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Fri, 17 Nov 2017 17:09:37 -0500
Subject: Untested drafts of modifications to all other policies

Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246
---
 etc/aodh/policy.json | 34 +++++++-----
 etc/ceilometer/policy.json | 27 ++++++---
 etc/heat/policy.json | 97 +++++++++++++++++++++++++++++++++-
 etc/keystone/policy.json | 2 +-
 etc/manila/policy.json | 125 ++++++++++++++++++++++---------------------
 etc/mistral/policy.json | 107 ++++++++++++++++++++------------------
 etc/sahara/policy.json | 126 ++++++++++++++++++++++++---------------------
 etc/zaqar/policy.json | 93 +++++++++++++++++---------------
 8 files changed, 370 insertions(+), 241 deletions(-)

diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index 4fd873e..444f1d5 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -1,20 +1,26 @@ { - "context_is_admin": "role:admin", - "segregation": "rule:context_is_admin", - "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", - "default": "rule:admin_or_owner", + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", - "telemetry:get_alarm": "rule:admin_or_owner", - "telemetry:get_alarms": "rule:admin_or_owner", - "telemetry:query_alarm": "rule:admin_or_owner", + "segregation": "rule:admin", - "telemetry:create_alarm": "", - "telemetry:change_alarm": "rule:admin_or_owner", - "telemetry:delete_alarm": "rule:admin_or_owner", + "default": "rule:admin or rule:member", - "telemetry:get_alarm_state": "rule:admin_or_owner", - "telemetry:change_alarm_state": "rule:admin_or_owner", + "telemetry:get_alarm": "rule:admin or rule:member", + "telemetry:get_alarms": "rule:admin or rule:member", + "telemetry:query_alarm": "rule:admin or rule:member", - "telemetry:alarm_history": "rule:admin_or_owner", - "telemetry:query_alarm_history": "rule:admin_or_owner" + "telemetry:create_alarm": "rule:admin or rule: member", + "telemetry:change_alarm": "rule:admin or rule:member", + "telemetry:delete_alarm": "rule:admin or rule:member", + + "telemetry:get_alarm_state": "rule:admin or rule:member", + "telemetry:change_alarm_state": "rule:admin or rule:member", + + "telemetry:alarm_history": "rule:admin or rule:member", + "telemetry:query_alarm_history": "rule:admin or rule:member" } diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json index a5e836a..2b13529 100644 --- a/etc/ceilometer/policy.json +++ b/etc/ceilometer/policy.json 
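Review bot: `"telemetry:create_alarm": "rule:admin or rule: member"` has a stray space after `rule:`, so oslo.policy's whitespace tokenizer sees `rule:` and a bare `member` token; in my reading of the parser the bare token has no `kind:match` form, the surrounding expression fails to reduce, and the whole rule is logged as "Failed to understand rule" and replaced by a deny-everything check, which locks admins out of alarm creation as well. The fix is `"telemetry:create_alarm": "rule:admin or rule:member",` to match the neighbouring lines. The same `rule: member` typo is on every `telemetry:*` line of the ceilometer hunk, where it would deny the entire API, and on `share:create` in the first manila hunk. Since the subject line calls these untested drafts, loading each file through oslo.policy's parser (or a policy-file check in CI) before merge would catch this class of error.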
@@ -1,18 +1,25 @@ { + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", + "context_is_admin": "role:admin", "segregation": "rule:context_is_admin", - "telemetry:get_samples": "", - "telemetry:get_sample": "", - "telemetry:query_sample": "", - "telemetry:create_samples": "", + "telemetry:get_samples": "rule:admin or rule: member", + "telemetry:get_sample": "rule:admin or rule: member", + "telemetry:query_sample": "rule:admin or rule: member", + "telemetry:create_samples": "rule:admin or rule: member", - "telemetry:compute_statistics": "", - "telemetry:get_meters": "", + "telemetry:compute_statistics": "rule:admin or rule: member", + "telemetry:get_meters": "rule:admin or rule: member", - "telemetry:get_resource": "", - "telemetry:get_resources": "", + "telemetry:get_resource": "rule:admin or rule: member", + "telemetry:get_resources": "rule:admin or rule: member", - "telemetry:events:index": "", - "telemetry:events:show": "" + "telemetry:events:index": "rule:admin or rule: member", + "telemetry:events:show": "rule:admin or rule: member" } diff --git a/etc/heat/policy.json b/etc/heat/policy.json index c093f33..acb0d7e 100644 --- a/etc/heat/policy.json +++ b/etc/heat/policy.json 
@@ -1,3 +1,98 @@ { - "context_is_admin": "role:admin","project_admin": "role:admin","deny_stack_user": "not role:heat_stack_user","deny_everybody": "!","cloudformation:ListStacks": "rule:deny_stack_user","cloudformation:CreateStack": "rule:deny_stack_user","cloudformation:DescribeStacks": "rule:deny_stack_user","cloudformation:DeleteStack": "rule:deny_stack_user","cloudformation:UpdateStack": "rule:deny_stack_user","cloudformation:CancelUpdateStack": "rule:deny_stack_user","cloudformation:DescribeStackEvents": "rule:deny_stack_user","cloudformation:ValidateTemplate": "rule:deny_stack_user","cloudformation:GetTemplate": "rule:deny_stack_user","cloudformation:EstimateTemplateCost": "rule:deny_stack_user","cloudformation:DescribeStackResource": "","cloudformation:DescribeStackResources": "rule:deny_stack_user","cloudformation:ListStackResources": "rule:deny_stack_user","cloudwatch:DeleteAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user","cloudwatch:DescribeAlarms": "rule:deny_stack_user","cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user","cloudwatch:DisableAlarmActions": "rule:deny_stack_user","cloudwatch:EnableAlarmActions": "rule:deny_stack_user","cloudwatch:GetMetricStatistics": "rule:deny_stack_user","cloudwatch:ListMetrics": "rule:deny_stack_user","cloudwatch:PutMetricAlarm": "rule:deny_stack_user","cloudwatch:PutMetricData": "","cloudwatch:SetAlarmState": "rule:deny_stack_user","actions:action": "rule:deny_stack_user","build_info:build_info": "rule:deny_stack_user","events:index": "rule:deny_stack_user","events:show": "rule:deny_stack_user","resource:index": "rule:deny_stack_user","resource:metadata": "","resource:signal": "","resource:mark_unhealthy": "rule:deny_stack_user","resource:show": "rule:deny_stack_user","stacks:abandon": "rule:deny_stack_user","stacks:create": "rule:deny_stack_user","stacks:delete": "rule:deny_stack_user","stacks:detail": "rule:deny_stack_user","stacks:export": 
"rule:deny_stack_user","stacks:generate_template": "rule:deny_stack_user","stacks:global_index": "rule:deny_everybody","stacks:index": "rule:deny_stack_user","stacks:list_resource_types": "rule:deny_stack_user","stacks:list_template_versions": "rule:deny_stack_user","stacks:list_template_functions": "rule:deny_stack_user","stacks:lookup": "","stacks:preview": "rule:deny_stack_user","stacks:resource_schema": "rule:deny_stack_user","stacks:show": "rule:deny_stack_user","stacks:template": "rule:deny_stack_user","stacks:environment": "rule:deny_stack_user","stacks:files": "rule:deny_stack_user","stacks:update": "rule:deny_stack_user","stacks:update_patch": "rule:deny_stack_user","stacks:preview_update": "rule:deny_stack_user","stacks:preview_update_patch": "rule:deny_stack_user","stacks:validate_template": "rule:deny_stack_user","stacks:snapshot": "rule:deny_stack_user","stacks:show_snapshot": "rule:deny_stack_user","stacks:delete_snapshot": "rule:deny_stack_user","stacks:list_snapshots": "rule:deny_stack_user","stacks:restore_snapshot": "rule:deny_stack_user","stacks:list_outputs": "rule:deny_stack_user","stacks:show_output": "rule:deny_stack_user","software_configs:global_index": "rule:deny_everybody","software_configs:index": "rule:deny_stack_user","software_configs:create": "rule:deny_stack_user","software_configs:show": "rule:deny_stack_user","software_configs:delete": "rule:deny_stack_user","software_deployments:index": "rule:deny_stack_user","software_deployments:create": "rule:deny_stack_user","software_deployments:show": "rule:deny_stack_user","software_deployments:update": "rule:deny_stack_user","software_deployments:delete": "rule:deny_stack_user","software_deployments:metadata": "","service:index": "rule:context_is_admin","resource_types:OS::Nova::Flavor": "rule:project_admin","resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin","resource_types:OS::Cinder::VolumeType": "rule:project_admin","resource_types:OS::Cinder::Quota": 
"rule:project_admin","resource_types:OS::Manila::ShareType": "rule:project_admin","resource_types:OS::Neutron::QoSPolicy": "rule:project_admin","resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin","resource_types:OS::Nova::HostAggregate": "rule:project_admin","resource_types:OS::Cinder::QoSSpecs": "rule:project_admin" + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", + + "context_is_admin": "role:admin", + "project_admin": "role:admin", + "deny_stack_user": "not role:heat_stack_user", + "deny_everybody": "!", + + "cloudformation:ListStacks": "rule:deny_stack_user", + "cloudformation:CreateStack": "rule:deny_stack_user", + "cloudformation:DescribeStacks": "rule:deny_stack_user", + "cloudformation:DeleteStack": "rule:deny_stack_user", + "cloudformation:UpdateStack": "rule:deny_stack_user", + "cloudformation:CancelUpdateStack": "rule:deny_stack_user", + "cloudformation:DescribeStackEvents": "rule:deny_stack_user", + "cloudformation:ValidateTemplate": "rule:deny_stack_user", + "cloudformation:GetTemplate": "rule:deny_stack_user", + "cloudformation:EstimateTemplateCost": "rule:deny_stack_user", + "cloudformation:DescribeStackResource": "", + "cloudformation:DescribeStackResources": "rule:deny_stack_user", + "cloudformation:ListStackResources": "rule:deny_stack_user", + "cloudwatch:DeleteAlarms": "rule:deny_stack_user", + "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user", + "cloudwatch:DescribeAlarms": "rule:deny_stack_user", + "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user", + "cloudwatch:DisableAlarmActions": "rule:deny_stack_user", + "cloudwatch:EnableAlarmActions": "rule:deny_stack_user", + "cloudwatch:GetMetricStatistics": 
"rule:deny_stack_user", + "cloudwatch:ListMetrics": "rule:deny_stack_user", + "cloudwatch:PutMetricAlarm": "rule:deny_stack_user", + "cloudwatch:PutMetricData": "", + "cloudwatch:SetAlarmState": "rule:deny_stack_user", + "actions:action": "rule:deny_stack_user", + "build_info:build_info": "rule:deny_stack_user", + "events:index": "rule:deny_stack_user", + "events:show": "rule:deny_stack_user", + "resource:index": "rule:deny_stack_user", + "resource:metadata": "", + "resource:signal": "", + "resource:mark_unhealthy": "rule:deny_stack_user", + "resource:show": "rule:deny_stack_user", + "stacks:abandon": "rule:deny_stack_user", + "stacks:create": "rule:deny_stack_user", + "stacks:delete": "rule:deny_stack_user", + "stacks:detail": "rule:deny_stack_user", + "stacks:export": "rule:deny_stack_user", + "stacks:generate_template": "rule:deny_stack_user", + "stacks:global_index": "rule:deny_everybody", + "stacks:index": "rule:deny_stack_user", + "stacks:list_resource_types": "rule:deny_stack_user", + "stacks:list_template_versions": "rule:deny_stack_user", + "stacks:list_template_functions": "rule:deny_stack_user", + "stacks:lookup": "", + "stacks:preview": "rule:deny_stack_user", + "stacks:resource_schema": "rule:deny_stack_user", + "stacks:show": "rule:deny_stack_user", + "stacks:template": "rule:deny_stack_user", + "stacks:environment": "rule:deny_stack_user", + "stacks:files": "rule:deny_stack_user", + "stacks:update": "rule:deny_stack_user", + "stacks:update_patch": "rule:deny_stack_user", + "stacks:preview_update": "rule:deny_stack_user", + "stacks:preview_update_patch": "rule:deny_stack_user", + "stacks:validate_template": "rule:deny_stack_user", + "stacks:snapshot": "rule:deny_stack_user", + "stacks:show_snapshot": "rule:deny_stack_user", + "stacks:delete_snapshot": "rule:deny_stack_user", + "stacks:list_snapshots": "rule:deny_stack_user", + "stacks:restore_snapshot": "rule:deny_stack_user", + "stacks:list_outputs": "rule:deny_stack_user", + "stacks:show_output": 
"rule:deny_stack_user", + "software_configs:global_index": "rule:deny_everybody", + "software_configs:index": "rule:deny_stack_user", + "software_configs:create": "rule:deny_stack_user", + "software_configs:show": "rule:deny_stack_user", + "software_configs:delete": "rule:deny_stack_user", + "software_deployments:index": "rule:deny_stack_user", + "software_deployments:create": "rule:deny_stack_user", + "software_deployments:show": "rule:deny_stack_user", + "software_deployments:update": "rule:deny_stack_user", + "software_deployments:delete": "rule:deny_stack_user", + "software_deployments:metadata": "", + "service:index": "rule:context_is_admin", + "resource_types:OS::Nova::Flavor": "rule:project_admin", + "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin", + "resource_types:OS::Cinder::VolumeType": "rule:project_admin", + "resource_types:OS::Cinder::Quota": "rule:project_admin", + "resource_types:OS::Manila::ShareType": "rule:project_admin", + "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin", + "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin", + "resource_types:OS::Nova::HostAggregate": "rule:project_admin", + "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin" } diff --git a/etc/keystone/policy.json b/etc/keystone/policy.json index 2c801c2..223a651 100644 --- a/etc/keystone/policy.json +++ b/etc/keystone/policy.json @@ -1,6 +1,6 @@ { - "readonly": "(project_id:%(project_id)s and role:readonly)", "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", "_member_role": "(role:member or role:_member_)", "member": "(project_id:%(project_id)s and rule:_member_role)", "admin": "(is_admin:True or role:admin)", diff --git a/etc/manila/policy.json b/etc/manila/policy.json index d8188f6..a0b6df6 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json 
@@ -1,27 +1,30 @@ { - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", - "admin_api": "is_admin:True", + "default": "rule:admin or rule:member", "availability_zone:index": "rule:default", - "quota_set:update": "rule:admin_api", + "quota_set:update": "rule:admin", "quota_set:show": "rule:default", - "quota_set:delete": "rule:admin_api", + "quota_set:delete": "rule:admin", "quota_class_set:show": "rule:default", - "quota_class_set:update": "rule:admin_api", + "quota_class_set:update": "rule:admin", - "service:index": "rule:admin_api", - "service:update": "rule:admin_api", + "service:index": "rule:admin", + "service:update": "rule:admin", - "share:create": "", + "share:create": "rule:admin or rule: member", "share:delete": "rule:default", "share:get": "rule:default", "share:get_all": "rule:default", - "share:list_by_share_server_id": "rule:admin_api", + "share:list_by_share_server_id": "rule:admin", "share:update": "rule:default", "share:access_get": "rule:default", "share:access_get_all": "rule:default", 
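Review bot: `context_is_admin` is removed from this file, but manila's code (its `check_is_admin` helper, in the releases I am familiar with) still evaluates that rule name through oslo.policy; a rule name missing from the file falls back to the `default` rule, which this hunk sets to `rule:admin or rule:member`, so admin-ness would be decided by a rule deliberately broader than admin and protected only by the helper passing an empty `project_id` target. Keeping `"context_is_admin": "rule:admin",` alongside the new definitions avoids relying on that accident. The aodh and sahara hunks drop the same rule and mistral drops `admin_only`; each should be checked against what the service code actually looks up by name, and any rule still referenced kept with a `rule:admin` value.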
@@ -32,54 +35,54 @@ "share:get_share_metadata": "rule:default", "share:delete_share_metadata": "rule:default", "share:update_share_metadata": "rule:default", - "share:migration_start": "rule:admin_api", - "share:migration_complete": "rule:admin_api", - "share:migration_cancel": "rule:admin_api", - "share:migration_get_progress": "rule:admin_api", - "share:reset_task_state": "rule:admin_api", - "share:manage": "rule:admin_api", - "share:unmanage": "rule:admin_api", - "share:force_delete": "rule:admin_api", - "share:reset_status": "rule:admin_api", + "share:migration_start": "rule:admin", + "share:migration_complete": "rule:admin", + "share:migration_cancel": "rule:admin", + "share:migration_get_progress": "rule:admin", + "share:reset_task_state": "rule:admin", + "share:manage": "rule:admin", + "share:unmanage": "rule:admin", + "share:force_delete": "rule:admin", + "share:reset_status": "rule:admin", "share_export_location:index": "rule:default", "share_export_location:show": "rule:default", - "share_instance:index": "rule:admin_api", - "share_instance:show": "rule:admin_api", - "share_instance:force_delete": "rule:admin_api", - "share_instance:reset_status": "rule:admin_api", - "share_instance_export_location:index": "rule:admin_api", - "share_instance_export_location:show": "rule:admin_api", + "share_instance:index": "rule:admin", + "share_instance:show": "rule:admin", + "share_instance:force_delete": "rule:admin", + "share_instance:reset_status": "rule:admin", + "share_instance_export_location:index": "rule:admin", + "share_instance_export_location:show": "rule:admin", "share_snapshot:create_snapshot": "rule:default", "share_snapshot:delete_snapshot": "rule:default", "share_snapshot:get_snapshot": "rule:default", "share_snapshot:get_all_snapshots": "rule:default", "share_snapshot:snapshot_update": "rule:default", - "share_snapshot:manage_snapshot": "rule:admin_api", - "share_snapshot:unmanage_snapshot": "rule:admin_api", - "share_snapshot:force_delete": 
"rule:admin_api", - "share_snapshot:reset_status": "rule:admin_api", + "share_snapshot:manage_snapshot": "rule:admin", + "share_snapshot:unmanage_snapshot": "rule:admin", + "share_snapshot:force_delete": "rule:admin", + "share_snapshot:reset_status": "rule:admin", - "share_snapshot_instance:detail": "rule:admin_api", - "share_snapshot_instance:index": "rule:admin_api", - "share_snapshot_instance:show": "rule:admin_api", - "share_snapshot_instance:reset_status": "rule:admin_api", + "share_snapshot_instance:detail": "rule:admin", + "share_snapshot_instance:index": "rule:admin", + "share_snapshot_instance:show": "rule:admin", + "share_snapshot_instance:reset_status": "rule:admin", "share_type:index": "rule:default", "share_type:show": "rule:default", "share_type:default": "rule:default", - "share_type:create": "rule:admin_api", - "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api", - "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", - - "share_types_extra_spec:create": "rule:admin_api", - "share_types_extra_spec:update": "rule:admin_api", - "share_types_extra_spec:show": "rule:admin_api", - "share_types_extra_spec:index": "rule:admin_api", - "share_types_extra_spec:delete": "rule:admin_api", + "share_type:create": "rule:admin", + "share_type:delete": "rule:admin", + "share_type:add_project_access": "rule:admin", + "share_type:list_project_access": "rule:admin", + "share_type:remove_project_access": "rule:admin", + + "share_types_extra_spec:create": "rule:admin", + "share_types_extra_spec:update": "rule:admin", + "share_types_extra_spec:show": "rule:admin", + "share_types_extra_spec:index": "rule:admin", + "share_types_extra_spec:delete": "rule:admin", "security_service:create": "rule:default", "security_service:delete": "rule:default", 
@@ -87,12 +90,12 @@ "security_service:show": "rule:default", "security_service:index": "rule:default", "security_service:detail": "rule:default", - "security_service:get_all_security_services": "rule:admin_api", + "security_service:get_all_security_services": "rule:admin", - "share_server:index": "rule:admin_api", - "share_server:show": "rule:admin_api", - "share_server:details": "rule:admin_api", - "share_server:delete": "rule:admin_api", + "share_server:index": "rule:admin", + "share_server:show": "rule:admin", + "share_server:details": "rule:admin", + "share_server:delete": "rule:admin", "share_network:create": "rule:default", "share_network:delete": "rule:default", @@ -102,21 +105,21 @@ "share_network:show": "rule:default", "share_network:add_security_service": "rule:default", "share_network:remove_security_service": "rule:default", - "share_network:get_all_share_networks": "rule:admin_api", + "share_network:get_all_share_networks": "rule:admin", - "scheduler_stats:pools:index": "rule:admin_api", - "scheduler_stats:pools:detail": "rule:admin_api", + "scheduler_stats:pools:index": "rule:admin", + "scheduler_stats:pools:detail": "rule:admin", "consistency_group:create" : "rule:default", "consistency_group:delete": "rule:default", "consistency_group:update": "rule:default", "consistency_group:get": "rule:default", "consistency_group:get_all": "rule:default", - "consistency_group:force_delete": "rule:admin_api", - "consistency_group:reset_status": "rule:admin_api", + "consistency_group:force_delete": "rule:admin", + "consistency_group:reset_status": "rule:admin", - "cgsnapshot:force_delete": "rule:admin_api", - "cgsnapshot:reset_status": "rule:admin_api", + "cgsnapshot:force_delete": "rule:admin", + "cgsnapshot:reset_status": "rule:admin", "cgsnapshot:create" : "rule:default", "cgsnapshot:update" : "rule:default", "cgsnapshot:delete": "rule:default", 
@@ -128,8 +131,8 @@ "share_replica:create" : "rule:default", "share_replica:delete": "rule:default", "share_replica:promote": "rule:default", - "share_replica:resync": "rule:admin_api", - "share_replica:reset_status": "rule:admin_api", - "share_replica:force_delete": "rule:admin_api", - "share_replica:reset_replica_state": "rule:admin_api" + "share_replica:resync": "rule:admin", + "share_replica:reset_status": "rule:admin", + "share_replica:force_delete": "rule:admin", + "share_replica:reset_replica_state": "rule:admin" } diff --git a/etc/mistral/policy.json b/etc/mistral/policy.json index 3278023..774d22a 100644 --- a/etc/mistral/policy.json +++ b/etc/mistral/policy.json 
@@ -1,64 +1,69 @@ { - "admin_only": "is_admin:True", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", - "action_executions:delete": "rule:admin_or_owner", - "action_execution:create": "rule:admin_or_owner", - "action_executions:get": "rule:admin_or_owner", - "action_executions:list": "rule:admin_or_owner", - "action_executions:update": "rule:admin_or_owner", + "default": "rule:admin or rule:member", - "actions:create": "rule:admin_or_owner", - "actions:delete": "rule:admin_or_owner", - "actions:get": "rule:admin_or_owner", - "actions:list": "rule:admin_or_owner", - "actions:update": "rule:admin_or_owner", + "action_executions:delete": "rule:admin or rule:member", + "action_execution:create": "rule:admin or rule:member", + "action_executions:get": "rule:admin or rule:member", + "action_executions:list": "rule:admin or rule:member", + "action_executions:update": "rule:admin or rule:member", - "cron_triggers:create": "rule:admin_or_owner", - "cron_triggers:delete": "rule:admin_or_owner", - "cron_triggers:get": "rule:admin_or_owner", - "cron_triggers:list": "rule:admin_or_owner", + "actions:create": "rule:admin or rule:member", + "actions:delete": "rule:admin or rule:member", + "actions:get": "rule:admin or rule:member", + "actions:list": "rule:admin or rule:member", + "actions:update": "rule:admin or rule:member", - "environments:create": "rule:admin_or_owner", - "environments:delete": "rule:admin_or_owner", - "environments:get": "rule:admin_or_owner", - "environments:list": "rule:admin_or_owner", - "environments:update": "rule:admin_or_owner", + 
"cron_triggers:create": "rule:admin or rule:member", + "cron_triggers:delete": "rule:admin or rule:member", + "cron_triggers:get": "rule:admin or rule:member", + "cron_triggers:list": "rule:admin or rule:member", - "executions:create": "rule:admin_or_owner", - "executions:delete": "rule:admin_or_owner", - "executions:get": "rule:admin_or_owner", - "executions:list": "rule:admin_or_owner", - "executions:update": "rule:admin_or_owner", + "environments:create": "rule:admin or rule:member", + "environments:delete": "rule:admin or rule:member", + "environments:get": "rule:admin or rule:member", + "environments:list": "rule:admin or rule:member", + "environments:update": "rule:admin or rule:member", - "members:create": "rule:admin_or_owner", - "members:delete": "rule:admin_or_owner", - "members:get": "rule:admin_or_owner", - "members:list": "rule:admin_or_owner", - "members:update": "rule:admin_or_owner", + "executions:create": "rule:admin or rule:member", + "executions:delete": "rule:admin or rule:member", + "executions:get": "rule:admin or rule:member", + "executions:list": "rule:admin or rule:member", + "executions:update": "rule:admin or rule:member", - "services:list": "rule:admin_or_owner", + "members:create": "rule:admin or rule:member", + "members:delete": "rule:admin or rule:member", + "members:get": "rule:admin or rule:member", + "members:list": "rule:admin or rule:member", + "members:update": "rule:admin or rule:member", - "tasks:get": "rule:admin_or_owner", - "tasks:list": "rule:admin_or_owner", - "tasks:update": "rule:admin_or_owner", + "services:list": "rule:admin or rule:member", - "workbooks:create": "rule:admin_or_owner", - "workbooks:delete": "rule:admin_or_owner", - "workbooks:get": "rule:admin_or_owner", - "workbooks:list": "rule:admin_or_owner", - "workbooks:update": "rule:admin_or_owner", + "tasks:get": "rule:admin or rule:member", + "tasks:list": "rule:admin or rule:member", + "tasks:update": "rule:admin or rule:member", - "workflows:create": 
"rule:admin_or_owner", - "workflows:delete": "rule:admin_or_owner", - "workflows:get": "rule:admin_or_owner", - "workflows:list": "rule:admin_or_owner", - "workflows:update": "rule:admin_or_owner", + "workbooks:create": "rule:admin or rule:member", + "workbooks:delete": "rule:admin or rule:member", + "workbooks:get": "rule:admin or rule:member", + "workbooks:list": "rule:admin or rule:member", + "workbooks:update": "rule:admin or rule:member", - "event_triggers:create": "rule:admin_or_owner", - "event_triggers:delete": "rule:admin_or_owner", - "event_triggers:get": "rule:admin_or_owner", - "event_triggers:list": "rule:admin_or_owner", - "event_triggers:update": "rule:admin_or_owner" + "workflows:create": "rule:admin or rule:member", + "workflows:delete": "rule:admin or rule:member", + "workflows:get": "rule:admin or rule:member", + "workflows:list": "rule:admin or rule:member", + "workflows:update": "rule:admin or rule:member", + + "event_triggers:create": "rule:admin or rule:member", + "event_triggers:delete": "rule:admin or rule:member", + "event_triggers:get": "rule:admin or rule:member", + "event_triggers:list": "rule:admin or rule:member", + "event_triggers:update": "rule:admin or rule:member" } diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json index 789dafc..15eeb69 100644 --- a/etc/sahara/policy.json +++ b/etc/sahara/policy.json 
@@ -1,73 +1,79 @@ { - "context_is_admin": "role:admin", - "default": "", + "global_readonly": "(role:global_readonly)", + "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)", + "_member_role": "(role:member or role:_member_)", + "member": "(project_id:%(project_id)s and rule:_member_role)", + "admin": "(is_admin:True or role:admin)", + "owner": "(user_id:%(user_id)s and rule:_member_role)", - "data-processing:clusters:get_all": "", - "data-processing:clusters:create": "", - "data-processing:clusters:scale": "", - "data-processing:clusters:get": "", - "data-processing:clusters:delete": "", - "data-processing:clusters:modify": "", + "default": "rule:admin or rule:member", - "data-processing:cluster-templates:get_all": "", - "data-processing:cluster-templates:create": "", - "data-processing:cluster-templates:get": "", - "data-processing:cluster-templates:modify": "", - "data-processing:cluster-templates:delete": "", + "data-processing:clusters:get_all": "rule:admin or rule:member", + "data-processing:clusters:create": "rule:admin or rule:member", + "data-processing:clusters:scale": "rule:admin or rule:member", + "data-processing:clusters:get": "rule:admin or rule:member", + "data-processing:clusters:delete": "rule:admin or rule:member", + "data-processing:clusters:modify": "rule:admin or rule:member", - "data-processing:node-group-templates:get_all": "", - "data-processing:node-group-templates:create": "", - "data-processing:node-group-templates:get": "", - "data-processing:node-group-templates:modify": "", - "data-processing:node-group-templates:delete": "", + "data-processing:cluster-templates:get_all": "rule:admin or rule:member", + "data-processing:cluster-templates:create": "rule:admin or rule:member", + "data-processing:cluster-templates:get": "rule:admin or rule:member", + "data-processing:cluster-templates:modify": "rule:admin or rule:member", + "data-processing:cluster-templates:delete": "rule:admin or rule:member", - 
"data-processing:plugins:get_all": "", - "data-processing:plugins:get": "", - "data-processing:plugins:get_version": "", - "data-processing:plugins:convert_config": "", - "data-processing:plugins:patch": "role:admin", + "data-processing:node-group-templates:get_all": "rule:admin or rule:member", + "data-processing:node-group-templates:create": "rule:admin or rule:member", + "data-processing:node-group-templates:get": "rule:admin or rule:member", + "data-processing:node-group-templates:modify": "rule:admin or rule:member", + "data-processing:node-group-templates:delete": "rule:admin or rule:member", - "data-processing:images:get_all": "", - "data-processing:images:get": "", - "data-processing:images:register": "", - "data-processing:images:unregister": "", - "data-processing:images:add_tags": "", - "data-processing:images:remove_tags": "", + "data-processing:plugins:get_all": "rule:admin or rule:member", + "data-processing:plugins:get": "rule:admin or rule:member", + "data-processing:plugins:get_version": "rule:admin or rule:member", + "data-processing:plugins:convert_config": "rule:admin or rule:member", + "data-processing:plugins:patch": "rule:admin", - "data-processing:job-executions:get_all": "", - "data-processing:job-executions:get": "", - "data-processing:job-executions:refresh_status": "", - "data-processing:job-executions:cancel": "", - "data-processing:job-executions:delete": "", - "data-processing:job-executions:modify": "", + "data-processing:images:get_all": "rule:admin or rule:member", + "data-processing:images:get": "rule:admin or rule:member", + "data-processing:images:register": "rule:admin or rule:member", + "data-processing:images:unregister": "rule:admin or rule:member", + "data-processing:images:add_tags": "rule:admin or rule:member", + "data-processing:images:remove_tags": "rule:admin or rule:member", - "data-processing:data-sources:get_all": "", - "data-processing:data-sources:get": "", - "data-processing:data-sources:register": "", - 
"data-processing:data-sources:delete": "", - "data-processing:data-sources:modify": "", + "data-processing:job-executions:get_all": "rule:admin or rule:member", + "data-processing:job-executions:get": "rule:admin or rule:member", + "data-processing:job-executions:refresh_status": "rule:admin or rule:member", + "data-processing:job-executions:cancel": "rule:admin or rule:member", + "data-processing:job-executions:delete": "rule:admin or rule:member", + "data-processing:job-executions:modify": "rule:admin or rule:member", - "data-processing:jobs:get_all": "", - "data-processing:jobs:create": "", - "data-processing:jobs:get": "", - "data-processing:jobs:delete": "", - "data-processing:jobs:get_config_hints": "", - "data-processing:jobs:execute": "", - "data-processing:jobs:modify": "", + "data-processing:data-sources:get_all": "rule:admin or rule:member", + "data-processing:data-sources:get": "rule:admin or rule:member", + "data-processing:data-sources:register": "rule:admin or rule:member", + "data-processing:data-sources:delete": "rule:admin or rule:member", + "data-processing:data-sources:modify": "rule:admin or rule:member", - "data-processing:job-binaries:get_all": "", - "data-processing:job-binaries:create": "", - "data-processing:job-binaries:get": "", - "data-processing:job-binaries:delete": "", - "data-processing:job-binaries:get_data": "", - "data-processing:job-binaries:modify": "", + "data-processing:jobs:get_all": "rule:admin or rule:member", + "data-processing:jobs:create": "rule:admin or rule:member", + "data-processing:jobs:get": "rule:admin or rule:member", + "data-processing:jobs:delete": "rule:admin or rule:member", + "data-processing:jobs:get_config_hints": "rule:admin or rule:member", + "data-processing:jobs:execute": "rule:admin or rule:member", + "data-processing:jobs:modify": "rule:admin or rule:member", - "data-processing:job-binary-internals:get_all": "", - "data-processing:job-binary-internals:create": "", - 
"data-processing:job-binary-internals:get": "", - "data-processing:job-binary-internals:delete": "", - "data-processing:job-binary-internals:get_data": "", - "data-processing:job-binary-internals:modify": "", + "data-processing:job-binaries:get_all": "rule:admin or rule:member", + "data-processing:job-binaries:create": "rule:admin or rule:member", + "data-processing:job-binaries:get": "rule:admin or rule:member", + "data-processing:job-binaries:delete": "rule:admin or rule:member", + "data-processing:job-binaries:get_data": "rule:admin or rule:member", + "data-processing:job-binaries:modify": "rule:admin or rule:member", - "data-processing:job-types:get_all": "" + "data-processing:job-binary-internals:get_all": "rule:admin or rule:member", + "data-processing:job-binary-internals:create": "rule:admin or rule:member", + "data-processing:job-binary-internals:get": "rule:admin or rule:member", + "data-processing:job-binary-internals:delete": "rule:admin or rule:member", + "data-processing:job-binary-internals:get_data": "rule:admin or rule:member", + "data-processing:job-binary-internals:modify": "rule:admin or rule:member", + + "data-processing:job-types:get_all": "rule:admin or rule:member" } diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json index 89d5076..1a6c49e 100644 --- a/etc/zaqar/policy.json +++ b/etc/zaqar/policy.json 
@@ -1,46 +1,53 @@
 {
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
 "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "queues:get_all": "",
- "queues:create": "",
- "queues:get": "",
- "queues:delete": "",
- "queues:update": "",
- "queues:stats": "",
-
- "messages:get_all": "",
- "messages:create": "",
- "messages:get": "",
- "messages:delete": "",
- "messages:delete_all": "",
-
- "claims:get_all": "",
- "claims:create": "",
- "claims:get": "",
- "claims:delete": "",
- "claims:update": "",
-
- "subscription:get_all": "",
- "subscription:create": "",
- "subscription:get": "",
- "subscription:delete": "",
- "subscription:update": "",
- "subscription:confirm": "",
-
- "pools:get_all": "rule:context_is_admin",
- "pools:create": "rule:context_is_admin",
- "pools:get": "rule:context_is_admin",
- "pools:delete": "rule:context_is_admin",
- "pools:update": "rule:context_is_admin",
-
- "flavors:get_all": "",
- "flavors:create": "rule:context_is_admin",
- "flavors:get": "",
- "flavors:delete": "rule:context_is_admin",
- "flavors:update": "rule:context_is_admin",
-
- "ping:get": "",
- "health:get": "rule:context_is_admin"
+
+ "default": "rule:admin or rule:member",
+
+ "queues:get_all": "rule:admin or rule:member",
+ "queues:create": "rule:admin or rule:member",
+ "queues:get": "rule:admin or rule:member",
+ "queues:delete": "rule:admin or rule:member",
+ "queues:update": "rule:admin or rule:member",
+ "queues:stats": "rule:admin or rule:member",
+
+ "messages:get_all": "rule:admin or rule:member",
+ "messages:create": "rule:admin or rule:member",
+ "messages:get": "rule:admin or rule:member",
+ "messages:delete": "rule:admin or rule:member",
+ "messages:delete_all": "rule:admin or rule:member",
+
+ "claims:get_all": "rule:admin or rule:member",
+ "claims:create": "rule:admin or rule:member",
+ "claims:get": "rule:admin or rule:member",
+ "claims:delete": "rule:admin or rule:member",
+ "claims:update": "rule:admin or rule:member",
+
+ "subscription:get_all": "rule:admin or rule:member",
+ "subscription:create": "rule:admin or rule:member",
+ "subscription:get": "rule:admin or rule:member",
+ "subscription:delete": "rule:admin or rule:member",
+ "subscription:update": "rule:admin or rule:member",
+ "subscription:confirm": "rule:admin or rule:member",
+
+ "pools:get_all": "rule:admin or rule:member",
+ "pools:create": "rule:admin or rule:member",
+ "pools:get": "rule:admin or rule:member",
+ "pools:delete": "rule:admin or rule:member",
+ "pools:update": "rule:admin or rule:member",
+
+ "flavors:get_all": "rule:admin or rule:member",
+ "flavors:create": "rule:admin or rule:member",
+ "flavors:get": "rule:admin or rule:member",
+ "flavors:delete": "rule:admin or rule:member",
+ "flavors:update": "rule:admin or rule:member",
+
+ "ping:get": "rule:admin or rule:member",
+ "health:get": "rule:admin or rule:member"
 }
-- cgit
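Review bot: The five `pools:*` targets, `flavors:create`, `flavors:delete`, `flavors:update` and `health:get` are loosened from `rule:context_is_admin` to `rule:admin or rule:member` in the new side of this hunk, so any project member can now create, modify and delete storage pools and flavors and read backend health, which the old policy reserved for admins; unless that widening is intended, these targets should stay at `"rule:admin"`. In the opposite direction `ping:get` goes from `""` (no credentials required) to `rule:admin or rule:member`, which will break any unauthenticated liveness probe that relies on it, if one is in use. The new `readonly`, `global_readonly` and `owner` rules are defined at the top of the file but no target references them, and the retained `context_is_admin` is no longer referenced either, so a reader could assume a read-only tier is enforced when nothing grants the readonly role any access; either wire `rule:readonly` into the `*:get`/`*:get_all` targets or drop the unused definitions. The lines below restore the admin-only targets and the open ping check; the other entries of the hunk are unchanged.
```json
  "pools:get_all": "rule:admin",
  "pools:create": "rule:admin",
  "pools:get": "rule:admin",
  "pools:delete": "rule:admin",
  "pools:update": "rule:admin",

  "flavors:get_all": "rule:admin or rule:member",
  "flavors:create": "rule:admin",
  "flavors:get": "rule:admin or rule:member",
  "flavors:delete": "rule:admin",
  "flavors:update": "rule:admin",

  "ping:get": "",
  "health:get": "rule:admin"
```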
