From cd1216c05a44a7819ee60c73ebd71899df7fbaf4 Mon Sep 17 00:00:00 2001 From: Sean Pryor Date: Fri, 17 Nov 2017 16:02:21 -0500 Subject: Untested draft of gnocchi readonly policy Change-Id: I52bd17655046e48d55bd1cce257583db3ca0eaac
--- etc/gnocchi/policy.json | 87 ++++++++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 40 deletions(-)
diff --git a/etc/gnocchi/policy.json b/etc/gnocchi/policy.json
index 00aaedd..d0689b7 100644
--- a/etc/gnocchi/policy.json
+++ b/etc/gnocchi/policy.json
@@ -1,42 +1,49 @@
 {
- "admin_or_creator": "role:admin or project_id:%(created_by_project_id)s",
- "resource_owner": "project_id:%(project_id)s",
- "metric_owner": "project_id:%(resource.project_id)s",
-
- "get status": "role:admin",
-
- "create resource": "",
- "get resource": "rule:admin_or_creator or rule:resource_owner",
- "update resource": "rule:admin_or_creator",
- "delete resource": "rule:admin_or_creator",
- "delete resources": "rule:admin_or_creator",
- "list resource": "rule:admin_or_creator or rule:resource_owner",
- "search resource": "rule:admin_or_creator or rule:resource_owner",
-
- "create resource type": "role:admin",
- "delete resource type": "role:admin",
- "update resource type": "role:admin",
- "list resource type": "",
- "get resource type": "",
-
- "get archive policy": "",
- "list archive policy": "",
- "create archive policy": "role:admin",
- "update archive policy": "role:admin",
- "delete archive policy": "role:admin",
-
- "create archive policy rule": "role:admin",
- "get archive policy rule": "",
- "list archive policy rule": "",
- "delete archive policy rule": "role:admin",
-
- "create metric": "",
- "delete metric": "rule:admin_or_creator",
- "get metric": "rule:admin_or_creator or rule:metric_owner",
- "search metric": "rule:admin_or_creator or rule:metric_owner",
- "list metric": "",
- "list all metric": "role:admin",
-
- "get measures": "rule:admin_or_creator or rule:metric_owner",
- "post measures": "rule:admin_or_creator"
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
+ "creator": "(project_id:%(created_by_project_id)s and (rule:_member_role or role:service))",
+ "resource_owner": "(project_id:%(project_id)s and 
(rule:_member_role or role:service))",
+ "metric_owner": "(project_id:%(resource.project_id)s and (rule:_member_role or role:service))",
+
+ "get status": "rule:admin or rule:readonly",
+
+ "create resource": "rule:admin or rule:member or rule:resource_owner",
+ "get resource": "rule:creator or rule:resource_owner or rule:readonly",
+ "update resource": "rule:admin or rule:creator",
+ "delete resource": "rule:admin or rule:creator",
+ "delete resources": "rule:admin or rule:creator",
+ "list resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly",
+ "search resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly",
+
+ "create resource type": "rule:admin",
+ "delete resource type": "rule:admin",
+ "update resource type": "rule:admin",
+ "list resource type": "rule:admin or rule:member or rule:readonly",
+ "get resource type": "rule:admin or rule:member or rule:readonly",
+
+ "get archive policy": "rule:admin or rule:member or rule:readonly",
+ "list archive policy": "rule:admin or rule:member or rule:readonly",
+ "create archive policy": "rule:admin",
+ "update archive policy": "rule:admin",
+ "delete archive policy": "rule:admin",
+
+ "create archive policy rule": "rule:admin",
+ "get archive policy rule": "rule:admin or rule:member or rule:readonly",
+ "list archive policy rule": "rule:admin or rule:member or rule:readonly",
+ "delete archive policy rule": "rule:admin",
+
+ "create metric": "rule:admin or rule:member or rule:metric_owner",
+ "delete metric": "rule:admin or rule:creator",
+ "get metric": "rule:admin or rule:creator or rule:metric_owner or rule:readonly",
+ "search metric": "rule:admin or rule:creator or rule:metric_owner or rule:readonly",
+ "list metric": "rule:admin or rule:member or rule:readonly",
+ "list all metric": "rule:admin or rule:readonly",
+
+ "get measures": "rule:creator or rule:metric_owner or rule:readonly",
+ "post measures": "rule:creator"
 }
-- cgit
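Review bot: `rule:admin` is missing from `get resource`, `get measures` and `post measures` on the new side — the only three actions in the file without it — although the removed `admin_or_creator` rule granted admin on all three, so unless the enforcer has an admin bypass that nothing in this file provides, an admin outside the creating project can still delete a resource (`delete resource` keeps `rule:admin`) but can no longer read it or post measures to it. I would restore it: `"get resource": "rule:admin or rule:creator or rule:resource_owner or rule:readonly",`, `"get measures": "rule:admin or rule:creator or rule:metric_owner or rule:readonly",`, `"post measures": "rule:admin or rule:creator",`. A related point: the new `readonly` rule keys on `%(project_id)s`, while the metric-level rule `metric_owner` keys on `%(resource.project_id)s`, which suggests the metric target carries the project under `resource`; if so, a project-scoped `readonly` user never matches on `get metric`, `search metric` or `get measures` and only `global_readonly` works there, so a `metric_readonly` variant keyed on `%(resource.project_id)s` is probably needed for those three actions. The `owner` rule is defined but referenced nowhere; drop it or note what it is reserved for, since an unused policy rule tends to be wired in later without review. Given the commit title says untested, these are worth checking with the enforcer against real targets before merge.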