From 3c70bb60c1c30fbb4fce5ae4f9b87d1d6ff65593 Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Fri, 17 Nov 2017 17:09:37 -0500
Subject: Untested drafts of modifications to all other policies
Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246
---
etc/sahara/policy.json | 126 ++++++++++++++++++++++++++-----------------------
1 file changed, 66 insertions(+), 60 deletions(-)
(limited to 'etc/sahara/policy.json')
diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json
index 789dafc..15eeb69 100644
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@@ -1,73 +1,79 @@
 {
- "context_is_admin": "role:admin",
- "default": "",
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
- "data-processing:clusters:get_all": "",
- "data-processing:clusters:create": "",
- "data-processing:clusters:scale": "",
- "data-processing:clusters:get": "",
- "data-processing:clusters:delete": "",
- "data-processing:clusters:modify": "",
+ "default": "rule:admin or rule:member",
- "data-processing:cluster-templates:get_all": "",
- "data-processing:cluster-templates:create": "",
- "data-processing:cluster-templates:get": "",
- "data-processing:cluster-templates:modify": "",
- "data-processing:cluster-templates:delete": "",
+ "data-processing:clusters:get_all": "rule:admin or rule:member",
+ "data-processing:clusters:create": "rule:admin or rule:member",
+ "data-processing:clusters:scale": "rule:admin or rule:member",
+ "data-processing:clusters:get": "rule:admin or rule:member",
+ "data-processing:clusters:delete": "rule:admin or rule:member",
+ "data-processing:clusters:modify": "rule:admin or rule:member",
- "data-processing:node-group-templates:get_all": "",
- "data-processing:node-group-templates:create": "",
- "data-processing:node-group-templates:get": "",
- "data-processing:node-group-templates:modify": "",
- "data-processing:node-group-templates:delete": "",
+ "data-processing:cluster-templates:get_all": "rule:admin or rule:member",
+ "data-processing:cluster-templates:create": "rule:admin or rule:member",
+ "data-processing:cluster-templates:get": "rule:admin or rule:member",
+ "data-processing:cluster-templates:modify": "rule:admin or rule:member",
+ "data-processing:cluster-templates:delete": "rule:admin or rule:member",
- "data-processing:plugins:get_all": "",
- "data-processing:plugins:get": "",
- "data-processing:plugins:get_version": "",
- "data-processing:plugins:convert_config": "",
- "data-processing:plugins:patch": "role:admin",
+ "data-processing:node-group-templates:get_all": "rule:admin or rule:member",
+ "data-processing:node-group-templates:create": "rule:admin or rule:member",
+ "data-processing:node-group-templates:get": "rule:admin or rule:member",
+ "data-processing:node-group-templates:modify": "rule:admin or rule:member",
+ "data-processing:node-group-templates:delete": "rule:admin or rule:member",
- "data-processing:images:get_all": "",
- "data-processing:images:get": "",
- "data-processing:images:register": "",
- "data-processing:images:unregister": "",
- "data-processing:images:add_tags": "",
- "data-processing:images:remove_tags": "",
+ "data-processing:plugins:get_all": "rule:admin or rule:member",
+ "data-processing:plugins:get": "rule:admin or rule:member",
+ "data-processing:plugins:get_version": "rule:admin or rule:member",
+ "data-processing:plugins:convert_config": "rule:admin or rule:member",
+ "data-processing:plugins:patch": "rule:admin",
- "data-processing:job-executions:get_all": "",
- "data-processing:job-executions:get": "",
- "data-processing:job-executions:refresh_status": "",
- "data-processing:job-executions:cancel": "",
- "data-processing:job-executions:delete": "",
- "data-processing:job-executions:modify": "",
+ "data-processing:images:get_all": "rule:admin or rule:member",
+ "data-processing:images:get": "rule:admin or rule:member",
+ "data-processing:images:register": "rule:admin or rule:member",
+ "data-processing:images:unregister": "rule:admin or rule:member",
+ "data-processing:images:add_tags": "rule:admin or rule:member",
+ "data-processing:images:remove_tags": "rule:admin or rule:member",
- "data-processing:data-sources:get_all": "",
- "data-processing:data-sources:get": "",
- "data-processing:data-sources:register": "",
- "data-processing:data-sources:delete": "",
- "data-processing:data-sources:modify": "",
+ "data-processing:job-executions:get_all": "rule:admin or rule:member",
+ "data-processing:job-executions:get": "rule:admin or rule:member",
+ "data-processing:job-executions:refresh_status": "rule:admin or rule:member",
+ "data-processing:job-executions:cancel": "rule:admin or rule:member",
+ "data-processing:job-executions:delete": "rule:admin or rule:member",
+ "data-processing:job-executions:modify": "rule:admin or rule:member",
- "data-processing:jobs:get_all": "",
- "data-processing:jobs:create": "",
- "data-processing:jobs:get": "",
- "data-processing:jobs:delete": "",
- "data-processing:jobs:get_config_hints": "",
- "data-processing:jobs:execute": "",
- "data-processing:jobs:modify": "",
+ "data-processing:data-sources:get_all": "rule:admin or rule:member",
+ "data-processing:data-sources:get": "rule:admin or rule:member",
+ "data-processing:data-sources:register": "rule:admin or rule:member",
+ "data-processing:data-sources:delete": "rule:admin or rule:member",
+ "data-processing:data-sources:modify": "rule:admin or rule:member",
- "data-processing:job-binaries:get_all": "",
- "data-processing:job-binaries:create": "",
- "data-processing:job-binaries:get": "",
- "data-processing:job-binaries:delete": "",
- "data-processing:job-binaries:get_data": "",
- "data-processing:job-binaries:modify": "",
+ "data-processing:jobs:get_all": "rule:admin or rule:member",
+ "data-processing:jobs:create": "rule:admin or rule:member",
+ "data-processing:jobs:get": "rule:admin or rule:member",
+ "data-processing:jobs:delete": "rule:admin or rule:member",
+ "data-processing:jobs:get_config_hints": "rule:admin or rule:member",
+ "data-processing:jobs:execute": "rule:admin or rule:member",
+ "data-processing:jobs:modify": "rule:admin or rule:member",
- "data-processing:job-binary-internals:get_all": "",
- "data-processing:job-binary-internals:create": "",
- "data-processing:job-binary-internals:get": "",
- "data-processing:job-binary-internals:delete": "",
- "data-processing:job-binary-internals:get_data": "",
- "data-processing:job-binary-internals:modify": "",
+ "data-processing:job-binaries:get_all": "rule:admin or rule:member",
+ "data-processing:job-binaries:create": "rule:admin or rule:member",
+ "data-processing:job-binaries:get": "rule:admin or rule:member",
+ "data-processing:job-binaries:delete": "rule:admin or rule:member",
+ "data-processing:job-binaries:get_data": "rule:admin or rule:member",
+ "data-processing:job-binaries:modify": "rule:admin or rule:member",
- "data-processing:job-types:get_all": ""
+ "data-processing:job-binary-internals:get_all": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:create": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:get": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:delete": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:get_data": "rule:admin or rule:member",
+ "data-processing:job-binary-internals:modify": "rule:admin or rule:member",
+
+ "data-processing:job-types:get_all": "rule:admin or rule:member"
 }
-- cgit
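Review bot: The new `readonly`, `global_readonly` and `owner` rules at the top of the hunk are not referenced by any `data-processing:*` entry, so every read action (`*:get`, `*:get_all`, `plugins:get_version`, `job-binaries:get_data`) still requires `rule:admin or rule:member`, and a read-only role is denied everywhere now that `default` is no longer empty. If read-only access is intended, the read entries need it explicitly, for example `"data-processing:clusters:get": "rule:admin or rule:member or rule:readonly",`, with create/modify/delete/execute left as written. The `project_id:%(project_id)s` term in `member` and `readonly` only separates tenants if the enforcement call passes the target resource's project as the policy target; that call is not visible here, so confirm it before relying on these rules for isolation. The removed `context_is_admin` key should also be checked for remaining references in the service code, since a lookup of that name would no longer resolve to `role:admin`.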