From 671534358b384af53595419a62c12870fa3586fe Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Thu, 26 Oct 2017 10:25:39 -0400
Subject: Updated with a global_readonly change
Change-Id: I9b5cf128d14439923b359518c922d114606dbd33
---
 etc/nova/policy.json | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
(limited to 'etc/nova/policy.json')
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 756ed11..6d71921 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -1,11 +1,9 @@
 {
 "readonly": "(project_id:%(project_id)s and role:readonly)",
- "domain_readonly": "(domain_id:%(domain_id)s and role:readonly)",
- "global_readonly": "(role:readonly)",
+ "global_readonly": "(role:global_readonly)",
 "_member_role": "(role:member or role:_member_)",
 "member": "(project_id:%(project_id)s and rule:_member_role)",
- "domain_member": "(domain_id:%(domain_id)s and rule:_member_role)",
 "admin": "(is_admin:True or role:admin)",
 "owner": "(user_id:%(user_id)s and rule:_member_role)",
@@ -15,7 +13,7 @@
 "os_compute_api:servers:create:forced_host": "rule:admin",
 "os_compute_api:os-aggregates:remove_host": "rule:admin",
 "os_compute_api:os-console-output": "rule:admin or rule:member",
- "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-aggregates:update": "rule:admin",
 "os_compute_api:os-pci:pci_servers": "rule:admin or rule:member",
 "os_compute_api:servers:start": "rule:admin or rule:member",
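Review bot: `global_readonly` in the first hunk is now `(role:global_readonly)` with no `project_id` term, so unlike `readonly` on the line above it the check passes whatever project the token is scoped to. Who can hand out that role is decided in Keystone, not in this file, and the commit message does not say which accounts are meant to hold it; I would state that there, e.g. `global_readonly is not project-scoped; assign it only to audit and monitoring accounts`. The same hunk removes `domain_readonly` and `domain_member`; none of the visible hunks references them, but only part of the file is shown, so search the whole file for `rule:domain_` before merging, since a leftover reference would presumably just stop matching rather than raise an error.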
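Review bot: `os_compute_api:os-floating-ips` in the hunk at -15 is probably not a read-only rule: in the Nova releases of this period that I know, this one name gates listing as well as allocating, releasing and attaching floating IPs, which should be confirmed against the deployed release. If so, the added `rule:global_readonly` lets a role that is not tied to any project pass the policy check for those write calls. I would leave the line as `"os_compute_api:os-floating-ips": "rule:admin or rule:member or rule:readonly",` in this commit and review separately whether `rule:readonly` belongs on it at all.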
@@ -39,7 +37,7 @@
 "os_compute_api:os-volumes-attachments:index": "rule:admin or rule:member",
 "os_compute_api:os-pci:show": "rule:admin",
 "os_compute_api:os-remote-consoles": "rule:admin or rule:member",
- "os_compute_api:limits": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:limits": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-cells:create": "rule:admin",
 "os_compute_api:os-aggregates:delete": "rule:admin",
 "os_compute_api:servers:migrations:show": "rule:admin",
@@ -53,7 +51,7 @@
 "os_compute_api:os-rescue": "rule:admin or rule:member",
 "os_compute_api:os-agents": "rule:admin",
 "os_compute_api:os-server-tags:delete": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-attach-interfaces:delete": "rule:admin or rule:member",
 "os_compute_api:os-extended-availability-zone": "rule:admin or rule:member",
 "os_compute_api:os-instance-actions:events": "rule:admin",
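Review bot: The suffix `or rule:global_readonly` is appended by hand to every rule that ends in `rule:readonly`, here on `os_compute_api:limits` and `os_compute_api:os-flavor-extra-specs:show` and likewise in the hunks at -15, -80, -96, -114 and -165. Twelve hand-edited lines make it easy for a later rule to receive one read-only role and not the other. An alias next to the other role rules at the top of the file, for example `"any_readonly": "rule:readonly or rule:global_readonly"`, referenced as `rule:any_readonly`, would keep the two in step and make the set of read-only endpoints easy to audit with a single search.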
@@ -80,12 +78,12 @@
 "os_compute_api:os-used-limits": "rule:admin",
 "os_compute_api:os-migrations:index": "rule:admin",
 "os_compute_api:os-admin-actions:reset_state": "rule:admin",
- "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-rxtx": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-quota-sets:defaults": "@",
 "os_compute_api:os-fping:all_tenants": "rule:admin",
 "os_compute_api:os-flavor-extra-specs:create": "rule:admin",
 "os_compute_api:os-lock-server:lock": "rule:admin or rule:member",
- "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-extra-specs:index": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin or rule:member",
 "os_compute_api:os-extended-status": "rule:admin or rule:member",
 "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin",
@@ -96,16 +94,16 @@
 "os_compute_api:os-admin-actions:inject_network_info": "rule:admin",
 "os_compute_api:servers:create:attach_volume": "rule:admin or rule:member",
 "os_compute_api:os-server-tags:update_all": "@",
- "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-quota-sets:show": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-server-tags:update": "@",
 "os_compute_api:os-quota-class-sets:update": "rule:admin",
- "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:image-size": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-migrate-server:migrate": "rule:admin",
 "os_compute_api:extensions": "rule:admin or rule:member",
 "os_compute_api:flavors": "rule:admin or rule:member",
 "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin",
 "os_compute_api:os-simple-tenant-usage:show": "rule:admin or rule:member",
- "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-floating-ip-pools": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:os-volumes-attachments:show": "rule:admin or rule:member",
 "os_compute_api:os-security-groups": "rule:admin or rule:member",
 "os_compute_api:os-keypairs:show": "rule:admin or user_id:%(user_id)s",
@@ -114,15 +112,15 @@
 "os_compute_api:os-hide-server-addresses": "is_admin:False",
 "os_compute_api:os-flavor-extra-specs:update": "rule:admin",
 "os_compute_api:os-pause-server:unpause": "rule:admin or rule:member",
- "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-availability-zone:list": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:detail": "rule:admin or rule:member",
 "os_compute_api:servers:stop": "rule:admin or rule:member",
 "os_compute_api:os-pci:detail": "rule:admin",
 "os_compute_api:servers:rebuild": "rule:admin or rule:member",
 "os_compute_api:ips:index": "rule:admin or rule:member",
 "os_compute_api:os-quota-sets:delete": "rule:admin",
- "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly",
- "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly",
+ "os_compute_api:os-quota-sets:detail": "rule:admin or rule:readonly or rule:global_readonly",
+ "os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly or rule:global_readonly",
 "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
 "os_compute_api:os-keypairs": "rule:admin or rule:member",
 "os_compute_api:servers:show": "rule:admin or rule:member",
@@ -165,7 +163,7 @@
 "os_compute_api:servers:reboot": "rule:admin or rule:member",
 "cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
 "os_compute_api:servers:migrations:index": "rule:admin",
- "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly",
+ "os_compute_api:os-flavor-access": "rule:admin or rule:member or rule:readonly or rule:global_readonly",
 "os_compute_api:servers:delete": "rule:admin or rule:member",
 "os_compute_api:os-migrate-server:migrate_live": "rule:admin",
 "os_compute_api:servers:create:attach_network": "rule:admin or rule:member",
-- cgit
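Review bot: `os_compute_api:os-availability-zone:detail` in the hunk at -114 now admits `rule:global_readonly`, and as far as I know the detailed availability-zone listing returns compute host names and service state, which upstream Nova restricts to admins; confirm this for the deployed release. Both `detail` lines in this hunk (`os_compute_api:os-quota-sets:detail` as well) also leave out `rule:member` while admitting the two read-only roles, so a read-only account sees more here than a project member does. If the host-level view is not meant for the new role, keep `"os_compute_api:os-availability-zone:detail": "rule:admin or rule:readonly",`; if it is, say so in the commit message so the exposure is a recorded decision.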