From f525e60288c645b3fe13d600c456a53e45760249 Mon Sep 17 00:00:00 2001
From: "Vincent S. Cojot" <vcojot@redhat.com>
Date: Wed, 17 May 2017 11:07:34 -0400
Subject: Latest set of updates: deny readonly in context_is_admin

---
 etc/aodh/policy.json       |  2 +-
 etc/ceilometer/policy.json |  2 +-
 etc/cinder/policy.json     |  4 ++--
 etc/manila/policy.json     |  8 ++++----
 etc/neutron/policy.json    |  2 +-
 etc/nova/policy.json       | 16 ++++++++--------
 etc/sahara/policy.json     |  2 +-
 etc/zaqar/policy.json      |  2 +-
 8 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/etc/aodh/policy.json b/etc/aodh/policy.json
index 1b6715e..38bb14d 100644
--- a/etc/aodh/policy.json
+++ b/etc/aodh/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "segregation": "rule:context_is_admin",
     "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json
index add3ee6..d74e528 100644
--- a/etc/ceilometer/policy.json
+++ b/etc/ceilometer/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "segregation": "rule:context_is_admin",
 
     "telemetry:get_samples": "",
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 5844cea..585b31a 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -34,8 +34,8 @@
     "volume_extension:access_types_qos_specs_id": "rule:admin_api",
     "volume_extension:access_types_extra_specs": "rule:admin_api",
     "volume_extension:volume_type_access": "rule:admin_or_owner",
-    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
-    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api and rule:deny_readonly",
+    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api and rule:deny_readonly",
     "volume_extension:volume_type_encryption": "rule:admin_api",
     "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
     "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
diff --git a/etc/manila/policy.json b/etc/manila/policy.json
index c9c7c51..db1408f 100644
--- a/etc/manila/policy.json
+++ b/etc/manila/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
 
@@ -72,9 +72,9 @@
     "share_type:default": "rule:default",
     "share_type:create": "rule:admin_api",
     "share_type:delete": "rule:admin_api",
-    "share_type:add_project_access": "rule:admin_api",
+    "share_type:add_project_access": "rule:admin_api and rule:deny_readonly",
     "share_type:list_project_access": "rule:admin_api",
-    "share_type:remove_project_access": "rule:admin_api",
+    "share_type:remove_project_access": "rule:admin_api and rule:deny_readonly",
 
     "share_types_extra_spec:create": "rule:admin_api",
     "share_types_extra_spec:update": "rule:admin_api",
@@ -102,7 +102,7 @@
     "share_network:detail": "rule:default",
     "share_network:show": "rule:default",
     "share_network:add_security_service": "rule:default",
-    "share_network:remove_security_service": "rule:default",
+    "share_network:remove_security_service": "rule:default and rule:deny_readonly",
     "share_network:get_all_share_networks": "rule:admin_api",
 
     "scheduler_stats:pools:index": "rule:admin_api",
diff --git a/etc/neutron/policy.json b/etc/neutron/policy.json
index 75b5a1f..e4ea2d7 100644
--- a/etc/neutron/policy.json
+++ b/etc/neutron/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin":  "role:admin",
+    "context_is_admin":  "role:admin and rule:deny_readonly",
     "owner": "tenant_id:%(tenant_id)s and rule:deny_readonly",
     "admin_or_owner": "rule:context_is_admin or rule:owner",
     "context_is_advsvc":  "role:advsvc and rule:deny_readonly",
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index c90baea..f0843d5 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -26,11 +26,11 @@
     "os_compute_api:os-evacuate:discoverable": "@",
     "os_compute_api:os-rescue:discoverable": "@",
     "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "os_compute_api:server-metadata:index": "rule:admin_or_owner",
     "os_compute_api:os-server-groups": "rule:admin_or_owner",
     "os_compute_api:os-cells:discoverable": "@",
-    "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+    "os_compute_api:os-aggregates:set_metadata": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-deferred-delete:discoverable": "@",
     "os_compute_api:os-certificates:discoverable": "@",
     "os_compute_api:server-metadata:show": "rule:admin_or_owner",
@@ -59,7 +59,7 @@
     "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
     "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
     "os_compute_api:os-block-device-mapping-v1:discoverable": "@",
-    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
     "os_compute_api:servers:show": "rule:admin_or_owner",
     "os_compute_api:os-fping:all_tenants": "rule:admin_api",
@@ -111,7 +111,7 @@
     "os_compute_api:os-admin-actions": "rule:admin_api",
     "os_compute_api:os-server-tags:update_all": "@",
     "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
-    "os_compute_api:os-quota-sets:update": "rule:admin_api",
+    "os_compute_api:os-quota-sets:update": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-floating-ip-pools:discoverable": "@",
     "os_compute_api:os-console-output:discoverable": "@",
     "os_compute_api:servers:show:host_status": "rule:admin_api",
@@ -145,7 +145,7 @@
     "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
     "os_compute_api:os-evacuate": "rule:admin_api",
     "os_compute_api:servers:create": "rule:admin_or_owner and rule:deny_readonly",
-    "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+    "os_compute_api:os-aggregates:remove_host": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-baremetal-nodes:discoverable": "@",
     "os_compute_api:os-console-output": "rule:admin_or_owner",
     "os_compute_api:os-aggregates:update": "rule:admin_api",
@@ -187,7 +187,7 @@
     "os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
     "os_compute_api:os-server-password:discoverable": "@",
     "os_compute_api:os-cells": "rule:admin_api",
-    "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+    "os_compute_api:os-admin-actions:reset_network": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:image-size:discoverable": "@",
     "os_compute_api:os-certificates:show": "rule:admin_or_owner",
     "os_compute_api:os-config-drive": "rule:admin_or_owner",
@@ -216,7 +216,7 @@
     "os_compute_api:os-server-tags:update": "@",
     "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
     "os_compute_api:flavors": "rule:admin_or_owner",
-    "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+    "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
     "os_compute_api:servers:discoverable": "@",
     "os_compute_api:os-flavor-manage:discoverable": "@",
@@ -245,7 +245,7 @@
     "os_compute_api:os-server-tags:discoverable": "@",
     "os_compute_api:os-baremetal-nodes": "rule:admin_api",
     "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
+    "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api and rule:deny_readonly",
     "os_compute_api:os-simple-tenant-usage:discoverable": "@",
     "os_compute_api:os-networks": "rule:admin_api",
     "os_compute_api:os-pci:discoverable": "@",
diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json
index 06948c5..bfab46f 100644
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "default": "",
 
     "data-processing:clusters:get_all": "",
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index a7645f7..259625e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,6 +1,6 @@
 {
     "deny_readonly": "not role:readonly",
-    "context_is_admin": "role:admin",
+    "context_is_admin": "role:admin and rule:deny_readonly",
     "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
 
-- 
cgit