From 671534358b384af53595419a62c12870fa3586fe Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Thu, 26 Oct 2017 10:25:39 -0400
Subject: Updated with a global_readonly change

Change-Id: I9b5cf128d14439923b359518c922d114606dbd33
---
 etc/cinder/policy.json | 41 +++++++++++++++++++-------------------
 etc/neutron/policy.json | 53 ++++++++++++++++++++++++-------------------------
 etc/nova/policy.json | 28 ++++++++++++--------------
 3 files changed, 59 insertions(+), 63 deletions(-)

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 4dc2030..3d23c3c 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -1,31 +1,30 @@
 {
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
- "domain_readonly": "(domain_id:%(domain_id)s and role:readonly)",
- "global_readonly": "(role:readonly)",
+ "global_readonly": "(role:global_readonly)",
 "_member_role": "(role:member or role:_member_)",
 "member": "(project_id:%(project_id)s and rule:_member_role)",
- "domain_member": "(domain_id:%(domain_id)s and rule:_member_role)",
 "admin": "(is_admin:True or role:admin)",
 "owner": "(user_id:%(user_id)s and rule:_member_role)",
-
+
 "default": "rule:admin or rule:member",
 "volume:create": "rule:admin or rule:member",
 "volume:delete": "rule:admin or rule:member",
- "volume:get": "rule:admin or rule:member or rule:readonly",
- "volume:get_all": "rule:admin or rule:member or rule:readonly",
- "volume:get_volume_metadata": "rule:admin or rule:member or rule:readonly",
+ "volume:get": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "volume:get_all": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "volume:get_volume_metadata": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume:create_volume_metadata": "rule:admin or rule:member",
 "volume:delete_volume_metadata": "rule:admin or rule:member",
 "volume:update_volume_metadata": "rule:admin or rule:member",
 "volume:get_volume_admin_metadata": "rule:admin",
 "volume:update_volume_admin_metadata": "rule:admin",
- "volume:get_snapshot": "rule:admin or rule:member or rule:readonly",
- "volume:get_all_snapshots": "rule:admin or rule:member or rule:readonly",
+ "volume:get_snapshot": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "volume:get_all_snapshots": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume:create_snapshot": "rule:admin or rule:member",
 "volume:delete_snapshot": "rule:admin or rule:member",
 "volume:update_snapshot": "rule:admin or rule:member",
- "volume:get_snapshot_metadata": "rule:admin or rule:member or rule:readonly",
+ "volume:get_snapshot_metadata": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume:delete_snapshot_metadata": "rule:admin or rule:member",
 "volume:update_snapshot_metadata": "rule:admin or rule:member",
 "volume:extend": "rule:admin or rule:member",
@@ -43,9 +42,9 @@
 "volume_extension:volume_type_encryption": "rule:admin",
 "volume_extension:volume_encryption_metadata": "rule:admin or rule:member",
 "volume_extension:extended_snapshot_attributes": "rule:admin or rule:member",
- "volume_extension:volume_image_metadata": "rule:admin or rule:member or rule:readonly",
+ "volume_extension:volume_image_metadata": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
- "volume_extension:quotas:show": "rule:admin or rule:member or rule:readonly",
+ "volume_extension:quotas:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume_extension:quotas:update": "rule:admin",
 "volume_extension:quotas:delete": "rule:admin",
 "volume_extension:quota_classes": "rule:admin",
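Review bot: Removing `domain_readonly` and `domain_member` from the rule preamble without a matching sweep of the policies that reference them is a silent-deny risk: oslo.policy evaluates a `rule:` reference to a rule that is not defined as a failed check, so any `rule:domain_member` or `rule:domain_readonly` still present lower in this file (or in the neutron and nova preambles, which make the same removal) would stop granting access without any parse error. The hunks do not show whether such references exist; a grep across the three policy files, or an `oslopolicy-checker` run against a domain-scoped sample, would settle it. Note also that `readonly` is newly defined here while the old lines already used `rule:readonly`; if it was not defined further down in the old file, those existing `rule:readonly` grants were inert until this commit and become live now, which is worth stating in the commit message. The enclosing JSON object continues outside both hunks.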
@@ -65,23 +64,23 @@
 "volume_extension:volume_actions:upload_image": "rule:admin or rule:member",
 "volume_extension:volume_host_attribute": "rule:admin",
- "volume_extension:volume_tenant_attribute": "rule:admin or rule:member or rule:readonly",
+ "volume_extension:volume_tenant_attribute": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume_extension:volume_mig_status_attribute": "rule:admin",
- "volume_extension:hosts": "rule:admin or rule:readonly",
- "volume_extension:services:index": "rule:admin or rule:readonly",
+ "volume_extension:hosts": "rule:admin or rule:readonly or rule:global_readonly",
+ "volume_extension:services:index": "rule:admin or rule:readonly or rule:global_readonly",
 "volume_extension:services:update" : "rule:admin",
 "volume_extension:volume_manage": "rule:admin",
 "volume_extension:volume_unmanage": "rule:admin",
 "volume_extension:list_manageable": "rule:admin",
- "volume_extension:capabilities": "rule:admin or rule:readonly",
+ "volume_extension:capabilities": "rule:admin or rule:readonly or rule:global_readonly",
 "volume:create_transfer": "rule:admin or rule:member",
 "volume:accept_transfer": "rule:admin or rule:member",
 "volume:delete_transfer": "rule:admin or rule:member",
- "volume:get_transfer": "rule:admin or rule:member or rule:readonly",
- "volume:get_all_transfers": "rule:admin or rule:member or rule:readonly",
+ "volume:get_transfer": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "volume:get_all_transfers": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "volume_extension:replication:promote": "rule:admin",
 "volume_extension:replication:reenable": "rule:admin",
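Review bot: `rule:global_readonly` resolves to the unscoped `(role:global_readonly)`, so appending it to `volume_extension:hosts`, `volume_extension:services:index` and `volume_extension:capabilities` gives cloud-wide visibility of backend hosts and service state to anyone holding that role on any project, and on `volume_extension:volume_tenant_attribute` it additionally exposes other projects' ids. That is presumably the point of a global reader role, but nothing on the page records it; since policy.json cannot carry comments, the commit message or the deployment README should state that a `global_readonly` role assignment is cross-project and must be handed out as carefully as admin where confidentiality matters. The same exposure applies to the neutron provider-network and port-binding attributes in the `@@ -44,12 +43,12 @@` and `@@ -84,12 +83,12 @@` hunks and the agent listings in `@@ -127,15 +126,15 @@`.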
@@ -92,8 +91,8 @@
 "backup:create" : "rule:admin or rule:member",
 "backup:delete": "rule:admin or rule:member",
- "backup:get": "rule:admin or rule:member or rule:readonly",
- "backup:get_all": "rule:admin or rule:member or rule:readonly",
+ "backup:get": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "backup:get_all": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "backup:restore": "rule:admin or rule:member",
 "backup:backup-import": "rule:admin",
 "backup:backup-export": "rule:admin",
@@ -132,7 +131,7 @@
 "group:get_group_snapshot": "rule:admin or rule:member",
 "group:get_all_group_snapshots": "rule:admin or rule:member",
- "scheduler_extension:scheduler_stats:get_pools" : "rule:admin or rule:readonly",
+ "scheduler_extension:scheduler_stats:get_pools" : "rule:admin or rule:readonly or rule:global_readonly",
 "message:delete": "rule:admin or rule:member",
 "message:get": "rule:admin or rule:member",
 "message:get_all": "rule:admin or rule:member",
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index 7e6913f..b1f9a87 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -1,13 +1,12 @@
 {
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
- "domain_readonly": "(domain_id:%(domain_id)s and role:readonly)",
- "global_readonly": "(role:readonly)",
+ "global_readonly": "(role:global_readonly)",
 "_member_role": "(role:member or role:_member_)",
 "member": "(project_id:%(project_id)s and rule:_member_role)",
- "domain_member": "(domain_id:%(domain_id)s and rule:_member_role)",
 "admin": "(is_admin:True or role:admin)",
 "owner": "(user_id:%(user_id)s and rule:_member_role)",
-
+
 "context_is_advsvc": "role:advsvc",
 "admin_or_network_owner": "(rule:admin or rule:member or role:network_admin)",
@@ -22,7 +21,7 @@
 "create_subnet": "rule:admin_or_network_owner",
 "create_subnet:segment_id": "rule:admin",
 "create_subnet:service_types": "rule:admin",
- "get_subnet": "rule:admin or rule:member or rule:shared or rule:readonly or rule:readonly",
+ "get_subnet": "rule:admin or rule:member or rule:shared or rule:readonly or rule:global_readonly",
 "get_subnet:segment_id": "rule:admin",
 "update_subnet": "rule:admin_or_network_owner",
 "update_subnet:service_types": "rule:admin",
@@ -31,7 +30,7 @@
 "create_subnetpool": "rule:admin or rule:member",
 "create_subnetpool:shared": "rule:admin",
 "create_subnetpool:is_default": "rule:admin",
- "get_subnetpool": "rule:admin or rule:member or rule:shared_subnetpools or rule:readonly",
+ "get_subnetpool": "rule:admin or rule:member or rule:shared_subnetpools or rule:readonly or rule:global_readonly",
 "update_subnetpool": "rule:admin or rule:member",
 "update_subnetpool:is_default": "rule:admin",
 "delete_subnetpool": "rule:admin or rule:member",
@@ -44,12 +43,12 @@
 "delete_address_scope": "rule:admin or rule:member",
 "create_network": "rule:admin or rule:member",
- "get_network": "rule:admin or rule:member or rule:readonly or rule:shared or rule:external or rule:context_is_advsvc",
- "get_network:router:external": "rule:admin or rule:member or rule:readonly",
- "get_network:segments": "rule:admin or rule:readonly",
- "get_network:provider:network_type": "rule:admin or rule:readonly",
- "get_network:provider:physical_network": "rule:admin or rule:readonly",
- "get_network:provider:segmentation_id": "rule:admin or rule:readonly",
+ "get_network": "rule:admin or rule:member or rule:readonly or rule:global_readonly or rule:shared or rule:external or rule:context_is_advsvc",
+ "get_network:router:external": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "get_network:segments": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_network:provider:network_type": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_network:provider:physical_network": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_network:provider:segmentation_id": "rule:admin or rule:readonly or rule:global_readonly",
 "get_network:queue_id": "rule:admin",
 "get_network_ip_availabilities": "rule:admin",
 "get_network_ip_availability": "rule:admin",
@@ -84,12 +83,12 @@
 "create_port:binding:profile": "rule:admin",
 "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner or rule:readonly",
+ "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner or rule:readonly or rule:global_readonly",
 "get_port:queue_id": "rule:admin",
- "get_port:binding:vif_type": "rule:admin or rule:readonly",
- "get_port:binding:vif_details": "rule:admin or rule:readonly",
- "get_port:binding:host_id": "rule:admin or rule:readonly",
- "get_port:binding:profile": "rule:admin or rule:readonly",
+ "get_port:binding:vif_type": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_port:binding:vif_details": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_port:binding:host_id": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_port:binding:profile": "rule:admin or rule:readonly or rule:global_readonly",
 "update_port": "rule:admin or rule:member or rule:context_is_advsvc",
 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:mac_address": "rule:admin or rule:context_is_advsvc",
@@ -106,8 +105,8 @@
 "create_router:external_gateway_info:enable_snat": "rule:admin",
 "create_router:distributed": "rule:admin",
 "create_router:ha": "rule:admin",
- "get_router": "rule:admin or rule:member or rule:readonly",
- "get_router:distributed": "rule:admin or rule:readonly",
+ "get_router": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
+ "get_router:distributed": "rule:admin or rule:readonly or rule:global_readonly",
 "update_router:external_gateway_info:enable_snat": "rule:admin",
 "update_router:distributed": "rule:admin",
 "update_router:ha": "rule:admin",
@@ -127,15 +126,15 @@
 "update_agent": "rule:admin",
 "delete_agent": "rule:admin",
- "get_agent": "rule:admin or rule:readonly",
+ "get_agent": "rule:admin or rule:readonly or rule:global_readonly",
 "create_dhcp-network": "rule:admin",
 "delete_dhcp-network": "rule:admin",
- "get_dhcp-networks": "rule:admin or rule:readonly",
+ "get_dhcp-networks": "rule:admin or rule:readonly or rule:global_readonly",
 "create_l3-router": "rule:admin",
 "delete_l3-router": "rule:admin",
- "get_l3-routers": "rule:admin or rule:readonly",
- "get_dhcp-agents": "rule:admin or rule:readonly",
+ "get_l3-routers": "rule:admin or rule:readonly or rule:global_readonly",
+ "get_dhcp-agents": "rule:admin or rule:readonly or rule:global_readonly",
 "get_l3-agents": "rule:admin",
 "get_loadbalancer-agent": "rule:admin",
 "get_loadbalancer-pools": "rule:admin",
@@ -146,7 +145,7 @@
 "create_floatingip:floating_ip_address": "rule:admin",
 "update_floatingip": "rule:admin or rule:member",
 "delete_floatingip": "rule:admin or rule:member",
- "get_floatingip": "rule:admin or rule:member or rule:readonly",
+ "get_floatingip": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "create_network_profile": "rule:admin",
 "update_network_profile": "rule:admin",
@@ -159,13 +158,13 @@
 "create_metering_label": "rule:admin",
 "delete_metering_label": "rule:admin",
- "get_metering_label": "rule:admin or rule:readonly",
+ "get_metering_label": "rule:admin or rule:readonly or rule:global_readonly",
 "create_metering_label_rule": "rule:admin",
 "delete_metering_label_rule": "rule:admin",
- "get_metering_label_rule": "rule:admin or rule:readonly",
+ "get_metering_label_rule": "rule:admin or rule:readonly or rule:global_readonly",
- "get_service_provider": "rule:admin or rule:member or rule:readonly",
+ "get_service_provider": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "get_lsn": "rule:admin",
 "create_lsn": "rule:admin",
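Review bot: In the `@@ -127,15 +126,15 @@` hunk `get_dhcp-agents` and `get_l3-routers` gain `rule:readonly or rule:global_readonly` while the adjacent `get_l3-agents`, `get_loadbalancer-agent` and `get_loadbalancer-pools` stay `rule:admin`, so a reader can list the DHCP agents serving a network but not the L3 agents hosting a router. The asymmetry predates this commit for `readonly`, but since the commit is deciding what the global reader may see it is the moment to settle it: either add `"get_l3-agents": "rule:admin or rule:readonly or rule:global_readonly",` for consistency or record that router-to-agent bindings are deliberately admin-only. Separately, `get_agent`, `get_dhcp-agents` and `get_l3-routers` are not project-owned resources, so how the project-scoped `readonly` rule behaves on them depends on what target dict the enforcer is handed (a missing `project_id` key fails the check, the caller's own project passes it) — worth confirming rather than assuming.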
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 756ed11..6d71921 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -1,11 +1,9 @@
 {
 "readonly": "(project_id:%(project_id)s and role:readonly)",
- "domain_readonly": "(domain_id:%(domain_id)s and role:readonly)",
- "global_readonly": "(role:readonly)",
+ "global_readonly": "(role:global_readonly)",
 "_member_role": "(role:member or role:_member_)",
 "member": "(project_id:%(project_id)s and rule:_member_role)",
- "domain_member": "(domain_id:%(domain_id)s and rule:_member_role)",
 "admin": "(is_admin:True or role:admin)",
 "owner": "(user_id:%(user_id)s and rule:_member_role)",
@@ -15,7 +13,7 @@
 "os_compute_api:servers:create:forced_host": "rule:admin",
 "os_compute_api:os-aggregates:remove_host": "rule:admin",
 "os_compute_api:os-console-output": "rule:admin or rule:member",
- "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-aggregates:update": "rule:admin",
 "os_compute_api:os-pci:pci_servers": "rule:admin or rule:member",
 "os_compute_api:servers:start": "rule:admin or rule:member",
@@ -39,7 +37,7 @@
 "os_compute_api:os-volumes-attachments:index": "rule:admin or rule:member",
 "os_compute_api:os-pci:show": "rule:admin",
 "os_compute_api:os-remote-consoles": "rule:admin or rule:member",
- "os_compute_api:limits": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:limits": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-cells:create": "rule:admin",
 "os_compute_api:os-aggregates:delete": "rule:admin",
 "os_compute_api:servers:migrations:show": "rule:admin",
@@ -53,7 +51,7 @@
 "os_compute_api:os-rescue": "rule:admin or rule:member",
 "os_compute_api:os-agents": "rule:admin",
 "os_compute_api:os-server-tags:delete": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-attach-interfaces:delete": "rule:admin or rule:member",
 "os_compute_api:os-extended-availability-zone": "rule:admin or rule:member",
 "os_compute_api:os-instance-actions:events": "rule:admin",
@@ -80,12 +78,12 @@
 "os_compute_api:os-used-limits": "rule:admin",
 "os_compute_api:os-migrations:index": "rule:admin",
 "os_compute_api:os-admin-actions:reset_state": "rule:admin",
- "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-quota-sets:defaults": "@",
 "os_compute_api:os-fping:all_tenants": "rule:admin",
 "os_compute_api:os-flavor-extra-specs:create": "rule:admin",
 "os_compute_api:os-lock-server:lock": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin or rule:member",
 "os_compute_api:os-extended-status": "rule:admin or rule:member",
 "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin",
@@ -96,16 +94,16 @@
 "os_compute_api:os-admin-actions:inject_network_info": "rule:admin",
 "os_compute_api:servers:create:attach_volume": "rule:admin or rule:member",
 "os_compute_api:os-server-tags:update_all": "@",
- "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-server-tags:update": "@",
 "os_compute_api:os-quota-class-sets:update": "rule:admin",
- "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-migrate-server:migrate": "rule:admin",
 "os_compute_api:extensions": "rule:admin or rule:member",
 "os_compute_api:flavors": "rule:admin or rule:member",
 "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin",
 "os_compute_api:os-simple-tenant-usage:show": "rule:admin or rule:member",
- "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-volumes-attachments:show": "rule:admin or rule:member",
 "os_compute_api:os-security-groups": "rule:admin or rule:member",
 "os_compute_api:os-keypairs:show": "rule:admin or user_id:%(user_id)s",
@@ -114,15 +112,15 @@
 "os_compute_api:os-hide-server-addresses": "is_admin:False",
 "os_compute_api:os-flavor-extra-specs:update": "rule:admin",
 "os_compute_api:os-pause-server:unpause": "rule:admin or rule:member",
- "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:detail": "rule:admin or rule:member",
 "os_compute_api:servers:stop": "rule:admin or rule:member",
 "os_compute_api:os-pci:detail": "rule:admin",
 "os_compute_api:servers:rebuild": "rule:admin or rule:member",
 "os_compute_api:ips:index": "rule:admin or rule:member",
 "os_compute_api:os-quota-sets:delete": "rule:admin",
- "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly",
- "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly",
+ "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly or rule:global_readonly",
+ "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly or rule:global_readonly",
 "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
 "os_compute_api:os-keypairs": "rule:admin or rule:member",
 "os_compute_api:servers:show": "rule:admin or rule:member",
@@ -165,7 +163,7 @@
 "os_compute_api:servers:reboot": "rule:admin or rule:member",
 "cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
 "os_compute_api:servers:migrations:index": "rule:admin",
- "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:delete": "rule:admin or rule:member",
 "os_compute_api:os-migrate-server:migrate_live": "rule:admin",
 "os_compute_api:servers:create:attach_network": "rule:admin or rule:member",
-- cgit
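Review bot: In the `@@ -114,15 +112,15 @@` hunk the global reader can list availability zones and quota details, but the neighbouring `os_compute_api:servers:detail`, `os_compute_api:servers:show` and `os_compute_api:os-keypairs` stay `rule:admin or rule:member`, so neither `readonly` nor `global_readonly` can actually view instances in nova. The commit only appends `rule:global_readonly` where `rule:readonly` already appeared, so it inherits every gap in the earlier readonly coverage; if a read-only operator is expected to see servers, `"os_compute_api:servers:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",` and the matching `servers:detail` line are the place to grant it, and if not, the commit message should say the role is limited to flavor, quota and zone metadata. Listing across projects is additionally gated by nova's separate `os_compute_api:servers:detail:get_all_tenants` policy, which is not in this diff and would also need the rule for a cross-project reader.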