From 3c70bb60c1c30fbb4fce5ae4f9b87d1d6ff65593 Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Fri, 17 Nov 2017 17:09:37 -0500
Subject: Untested drafts of modifications to all other policies

Change-Id: I150ddcf2d0d104c8e3e066b4adb25814b3bb0246
---
 etc/zaqar/policy.json | 93 +++++++++++++++++++++++++++------------------------
 1 file changed, 50 insertions(+), 43 deletions(-)
(limited to 'etc/zaqar')
diff --git a/etc/zaqar/policy.json b/etc/zaqar/policy.json
index 89d5076..1a6c49e 100644
--- a/etc/zaqar/policy.json
+++ b/etc/zaqar/policy.json
@@ -1,46 +1,53 @@
 {
+ "global_readonly": "(role:global_readonly)",
+ "readonly": "((project_id:%(project_id)s and role:readonly) or rule:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+
 "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "queues:get_all": "",
- "queues:create": "",
- "queues:get": "",
- "queues:delete": "",
- "queues:update": "",
- "queues:stats": "",
-
- "messages:get_all": "",
- "messages:create": "",
- "messages:get": "",
- "messages:delete": "",
- "messages:delete_all": "",
-
- "claims:get_all": "",
- "claims:create": "",
- "claims:get": "",
- "claims:delete": "",
- "claims:update": "",
-
- "subscription:get_all": "",
- "subscription:create": "",
- "subscription:get": "",
- "subscription:delete": "",
- "subscription:update": "",
- "subscription:confirm": "",
-
- "pools:get_all": "rule:context_is_admin",
- "pools:create": "rule:context_is_admin",
- "pools:get": "rule:context_is_admin",
- "pools:delete": "rule:context_is_admin",
- "pools:update": "rule:context_is_admin",
-
- "flavors:get_all": "",
- "flavors:create": "rule:context_is_admin",
- "flavors:get": "",
- "flavors:delete": "rule:context_is_admin",
- "flavors:update": "rule:context_is_admin",
-
- "ping:get": "",
- "health:get": "rule:context_is_admin"
+
+ "default": "rule:admin or rule:member",
+
+ "queues:get_all": "rule:admin or rule:member",
+ "queues:create": "rule:admin or rule:member",
+ "queues:get": "rule:admin or rule:member",
+ "queues:delete": "rule:admin or rule:member",
+ "queues:update": "rule:admin or rule:member",
+ "queues:stats": "rule:admin or rule:member",
+
+ "messages:get_all": "rule:admin or rule:member",
+ "messages:create": "rule:admin or rule:member",
+ "messages:get": "rule:admin or rule:member",
+ "messages:delete": "rule:admin or rule:member",
+ "messages:delete_all": "rule:admin or rule:member",
+
+ "claims:get_all": "rule:admin or rule:member",
+ "claims:create": "rule:admin or rule:member",
+ "claims:get": "rule:admin or rule:member",
+ "claims:delete": "rule:admin or rule:member",
+ "claims:update": "rule:admin or rule:member",
+
+ "subscription:get_all": "rule:admin or rule:member",
+ "subscription:create": "rule:admin or rule:member",
+ "subscription:get": "rule:admin or rule:member",
+ "subscription:delete": "rule:admin or rule:member",
+ "subscription:update": "rule:admin or rule:member",
+ "subscription:confirm": "rule:admin or rule:member",
+
+ "pools:get_all": "rule:admin or rule:member",
+ "pools:create": "rule:admin or rule:member",
+ "pools:get": "rule:admin or rule:member",
+ "pools:delete": "rule:admin or rule:member",
+ "pools:update": "rule:admin or rule:member",
+
+ "flavors:get_all": "rule:admin or rule:member",
+ "flavors:create": "rule:admin or rule:member",
+ "flavors:get": "rule:admin or rule:member",
+ "flavors:delete": "rule:admin or rule:member",
+ "flavors:update": "rule:admin or rule:member",
+
+ "ping:get": "rule:admin or rule:member",
+ "health:get": "rule:admin or rule:member"
 }
-- cgit
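Review bot: The `pools:*`, `flavors:create`, `flavors:delete`, `flavors:update` and `health:get` entries drop from `rule:context_is_admin` to `rule:admin or rule:member`, so any project member gains operator-level control over storage pools and flavors and access to the health endpoint; these should stay admin-only, as in the lines below. The new `readonly`, `global_readonly` and `owner` rules are defined but no action in this hunk references them, so the read actions (`*:get`, `*:get_all`, `queues:stats`) presumably still need `or rule:readonly` if read-only roles are meant to take effect. `rule:member` relies on `project_id:%(project_id)s` being resolvable from the enforcement target, which this file cannot show; oslo.policy evaluates such a check to false when the key is missing from the target, so confirm it against the enforce call before merging. `ping:get` also moves from open (`""`) to member-only, which may break unauthenticated liveness probes.

```json
"pools:get_all": "rule:context_is_admin",
"pools:create": "rule:context_is_admin",
"pools:get": "rule:context_is_admin",
"pools:delete": "rule:context_is_admin",
"pools:update": "rule:context_is_admin",

"flavors:create": "rule:context_is_admin",
"flavors:delete": "rule:context_is_admin",
"flavors:update": "rule:context_is_admin",

"health:get": "rule:context_is_admin"
```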