From 9cb5f547dc6f3242edf393928dbc14b7cbfbbdd4 Mon Sep 17 00:00:00 2001
From: Brian Waldon
Date: Thu, 19 Jan 2012 15:30:55 -0800
Subject: Remove admin_only ext attr in favor of authz Working on blueprint separate-nova-adminapi. This removes the admin_only extension attribute and the allow_admin_api flag. The approach we're going for now is to load all extensions, but to set an admin-only rule in our policy file for those extensions that should be limited to just admin users. Now that all of our admin api code has been moved to extensions, in order to prevent admin api code from being loaded, simply remove it from the extension list. Change-Id: Ic574e06af44922ba764013b769077fc5099fd1a2
---
 etc/nova/policy.json | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+) (limited to 'etc')
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 7d97c3be1..abf8908f6 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -9,6 +9,38 @@
 "compute:get_all": [],
+ "admin_api": [["role:admin"]],
+ "compute_extension:accounts": [["rule:admin_api"]],
+ "compute_extension:admin_actions": [["rule:admin_api"]],
+ "compute_extension:cloudpipe": [],
+ "compute_extension:console_output": [],
+ "compute_extension:consoles": [],
+ "compute_extension:createserverext": [],
+ "compute_extension:deferred_delete": [],
+ "compute_extension:disk_config": [],
+ "compute_extension:extended_status": [["rule:admin_api"]],
+ "compute_extension:flavorextraspecs": [],
+ "compute_extension:floating_ip_dns": [],
+ "compute_extension:floating_ip_pools": [],
+ "compute_extension:floating_ips": [],
+ "compute_extension:hosts": [["rule:admin_api"]],
+ "compute_extension:keypairs": [],
+ "compute_extension:multinic": [],
+ "compute_extension:networks": [["rule:admin_api"]],
+ "compute_extension:quotas": [],
+ "compute_extension:rescue": [],
+ "compute_extension:security_groups": [],
+ "compute_extension:server_action_list": [["rule:admin_api"]],
+ "compute_extension:server_diagnostics": [["rule:admin_api"]],
+ "compute_extension:simple_tenant_usage": [["rule:admin_api"]],
+ "compute_extension:users": [["rule:admin_api"]],
+ "compute_extension:virtual_interfaces": [],
+ "compute_extension:virtual_storage_arrays": [],
+ "compute_extension:volumes": [],
+ "compute_extension:volumetypes": [],
+ "compute_extension:zones": [],
+
+
 "volume:create": [],
 "volume:get_all": [],
 "volume:get_volume_metadata": [],
-- cgit
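Review bot: The empty rules on `compute_extension:cloudpipe`, `compute_extension:quotas`, `compute_extension:flavorextraspecs`, `compute_extension:volumetypes` and `compute_extension:zones` leave those extensions open to every authenticated caller, and per the commit message this file becomes the only gate once `admin_only` and `allow_admin_api` are removed. If any of them was previously reachable only through the admin API, or has write paths meant for operators, it should carry the same rule as its neighbours, e.g. `"compute_extension:quotas": [["rule:admin_api"]],`; whether the handlers perform their own admin-context check is not visible in this hunk. `admin_api` matches on `role:admin` alone with no tenant condition, so it presumably treats an admin role granted in any tenant as cloud-wide admin, which is worth confirming as intended. Strict JSON leaves no room for comments, so the reason each entry is left open belongs in the commit description or the deployment docs.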