authorBrian Waldon <bcwaldon@gmail.com>2012-01-16 15:28:49 -0800
committerBrian Waldon <bcwaldon@gmail.com>2012-01-16 16:07:40 -0800
commit85518a93ef01ae997ecfc0687d89ba87f7607f54 (patch)
tree9d7928af887d05d8b1052ea5c9cabee82247f4bb /etc
parent1fd26203b29d6432325ae1365e3dcbecc9d97864 (diff)
Add default policy rule
If a specific rule is not found, we will check the rule defined in FLAGS.policy_default_action. Change-Id: Ib1b1aa4bbeec74bdb1562d0fc649d33838076f01
Diffstat (limited to 'etc')
-rw-r--r--etc/nova/policy.json86
1 files changed, 4 insertions, 82 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 00140886b..78003d2e3 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -1,95 +1,17 @@
{
"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
+ "default": [["rule:admin_or_owner"]],
- "compute:create": [["rule:admin_or_owner"]],
- "compute:create:attach_network": [["rule:admin_or_owner"]],
- "compute:create:attach_volume": [["rule:admin_or_owner"]],
-
- "compute:get": [["rule:admin_or_owner"]],
+ "compute:create": [],
+ "compute:create:attach_network": [],
+ "compute:create:attach_volume": [],
"compute:get_all" :[],
- "compute:update": [["rule:admin_or_owner"]],
-
- "compute:get_instance_metadata": [["rule:admin_or_owner"]],
- "compute:update_instance_metadata": [["rule:admin_or_owner"]],
- "compute:delete_instance_metadata": [["rule:admin_or_owner"]],
-
- "compute:get_instance_faults": [["rule:admin_or_owner"]],
- "compute:get_actions": [["rule:admin_or_owner"]],
- "compute:get_diagnostics": [["rule:admin_or_owner"]],
-
- "compute:get_lock": [["rule:admin_or_owner"]],
- "compute:lock": [["rule:admin_or_owner"]],
- "compute:unlock": [["rule:admin_or_owner"]],
-
- "compute:get_ajax_console": [["rule:admin_or_owner"]],
- "compute:get_vnc_console": [["rule:admin_or_owner"]],
- "compute:get_console_output": [["rule:admin_or_owner"]],
-
- "compute:associate_floating_ip": [["rule:admin_or_owner"]],
- "compute:reset_network": [["rule:admin_or_owner"]],
- "compute:inject_network_info": [["rule:admin_or_owner"]],
- "compute:add_fixed_ip": [["rule:admin_or_owner"]],
- "compute:remove_fixed_ip": [["rule:admin_or_owner"]],
-
- "compute:attach_volume": [["rule:admin_or_owner"]],
- "compute:detach_volume": [["rule:admin_or_owner"]],
-
- "compute:inject_file": [["rule:admin_or_owner"]],
-
- "compute:set_admin_password": [["rule:admin_or_owner"]],
-
- "compute:rescue": [["rule:admin_or_owner"]],
- "compute:unrescue": [["rule:admin_or_owner"]],
-
- "compute:suspend": [["rule:admin_or_owner"]],
- "compute:resume": [["rule:admin_or_owner"]],
-
- "compute:pause": [["rule:admin_or_owner"]],
- "compute:unpause": [["rule:admin_or_owner"]],
-
- "compute:start": [["rule:admin_or_owner"]],
- "compute:stop": [["rule:admin_or_owner"]],
-
- "compute:resize": [["rule:admin_or_owner"]],
- "compute:confirm_resize": [["rule:admin_or_owner"]],
- "compute:revert_resize": [["rule:admin_or_owner"]],
-
- "compute:rebuild": [["rule:admin_or_owner"]],
-
- "compute:reboot": [["rule:admin_or_owner"]],
-
- "compute:snapshot": [["rule:admin_or_owner"]],
- "compute:backup": [["rule:admin_or_owner"]],
-
- "compute:add_security_group": [["rule:admin_or_owner"]],
- "compute:remove_security_group": [["rule:admin_or_owner"]],
-
- "compute:delete": [["rule:admin_or_owner"]],
- "compute:soft_delete": [["rule:admin_or_owner"]],
- "compute:force_delete": [["rule:admin_or_owner"]],
- "compute:restore": [["rule:admin_or_owner"]],
-
"volume:create": [],
- "volume:get": [],
"volume:get_all": [],
"volume:get_volume_metadata": [],
- "volume:delete": [],
- "volume:update": [],
- "volume:delete_volume_metadata": [],
- "volume:update_volume_metadata": [],
-
- "volume:attach": [],
- "volume:detach": [],
- "volume:check_attach": [],
- "volume:check_detach": [],
- "volume:initialize_connection": [],
- "volume:terminate_connection": [],
-
- "volume:create_snapshot": [],
- "volume:delete_snapshot": [],
"volume:get_snapshot": [],
"volume:get_all_snapshots": []
}
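Review bot: The three `compute:create*` entries on the new side are changed from `[["rule:admin_or_owner"]]` to `[]` instead of being removed, so they do not inherit the new `default` rule; if an empty list means "no check", as it appears to for `compute:get_all`, this relaxes who may create instances and attach networks or volumes at create time, which the commit message does not mention. The removed `volume:*` entries move the other way: they were `[]` and now fall through to `default`, i.e. `admin_or_owner`, so calls such as `volume:delete` and `volume:attach` become stricter (this depends on the lookup code and `FLAGS.policy_default_action`, both outside this diff). If both shifts are intended, state them in the commit message, since strict JSON cannot carry a comment beside the rules; if the commit is meant as a pure consolidation, keep `"compute:create": [["rule:admin_or_owner"]],` and the two `attach_*` lines as they were (or drop them so they inherit the default) and keep the explicit `[]` volume entries. With a fallback in place, a misspelled or newly added action name presumably no longer fails the lookup but silently receives the default, so a test that checks each enforced action against its intended rule would be worth adding.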