'Specify ``segments`` attribute when creating a network', ACTION_POST),
policy.DocumentedRuleDefault(
'create_network:provider:network_type', base.RULE_ADMIN_ONLY,
'Specify ``provider:network_type`` when creating a network',
ACTION_POST),
policy.DocumentedRuleDefault(
'create_network:provider:physical_network', base.RULE_ADMIN_ONLY,
'Specify ``provider:physical_network`` when creating a network',
ACTION_POST),
policy.DocumentedRuleDefault(
'create_network:provider:segmentation_id', base.RULE_ADMIN_ONLY,
'Specify ``provider:segmentation_id`` when creating a network',
ACTION_POST),
policy.DocumentedRuleDefault(
'get_network',
base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared',
'rule:external', base.RULE_ADVSVC), 'Get a network',
ACTION_GET),
policy.DocumentedRuleDefault(
'get_network:router:external', base.RULE_ANY,
'Get ``router:external`` attribute of a network', ACTION_GET),
policy.DocumentedRuleDefault('get_network:segments', base.RULE_ADMIN_ONLY,
'Get ``segments`` attribute of a network',
ACTION_GET),
policy.DocumentedRuleDefault(
'get_network:provider:network_type', base.RULE_ADMIN_ONLY,
'Get ``provider:network_type`` attribute of a network', ACTION_GET),
policy.DocumentedRuleDefault(
'get_network:provider:physical_network', base.RULE_ADMIN_ONLY,
'Get ``provider:physical_network`` attribute of a network',
ACTION_GET),
policy.DocumentedRuleDefault(
from oslo_log import versionutils
from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""
COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'
rules = [
policy.RuleDefault(name='restrict_wildcard',
check_str=base.policy_or(
'(not field:rbac_policy:target_tenant=*)',
base.RULE_ADMIN_ONLY),
description='Definition of a wildcard target_tenant'),
policy.DocumentedRuleDefault(
name='create_rbac_policy',
check_str=base.PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create an RBAC policy',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_rbac_policy',
'method': 'GET',
'path': COLLECTION_PATH
},
{
'method': 'GET',
'path': RESOURCE_PATH
},
]
rules = [
policy.RuleDefault(
name='network_device',
check_str='field:port:device_owner=~^network:',
description='Definition of port with network device_owner'),
policy.RuleDefault(name='admin_or_data_plane_int',
check_str=base.policy_or('rule:context_is_admin',
'role:data_plane_integrator'),
description='Rule for data plane integration'),
policy.DocumentedRuleDefault(
name='create_port',
check_str=base.PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create a port',
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(name='create_port',
check_str=base.RULE_ANY),
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
name='create_port:device_owner',
check_str=base.policy_or('not rule:network_device', base.SYSTEM_ADMIN,
base.PROJECT_ADMIN, base.RULE_ADVSVC,
description=(
'Specify ``is_default`` attribute when creating a subnetpool'),
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_subnetpool:is_default',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_subnetpool',
check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER,
'rule:shared_subnetpools'),
scope_types=['system', 'project'],
description='Get a subnetpool',
operations=[
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='get_subnetpool',
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
AG_RESOURCE_PATH = '/address-groups/{id}'
DEPRECATION_REASON = (
"The Address scope API now supports system scope and default roles.")
rules = [
policy.RuleDefault(
'shared_address_groups',
'field:address_groups:shared=True',
'Definition of a shared address group'
),
policy.DocumentedRuleDefault(
name='get_address_group',
check_str=base.policy_or(
base.SYSTEM_OR_PROJECT_READER,
'rule:shared_address_groups'),
description='Get an address group',
operations=[
{
'method': 'GET',
'path': AG_COLLECTION_PATH,
},
{
'method': 'GET',
'path': AG_RESOURCE_PATH,
},
],
scope_types=['system', 'project'],
deprecated_rule=policy.DeprecatedRule(
name='get_address_group',
description='Create a shared address scope',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_address_scope:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_address_scope',
check_str=base.policy_or(base.PROJECT_READER,
'rule:shared_address_scopes'),
description='Get an address scope',
operations=[
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='get_address_scope',
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='create_network:provider:segmentation_id',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description=(
'Specify ``provider:segmentation_id`` when creating a network'),
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(
name='create_network:provider:segmentation_id',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_network',
check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER, 'rule:shared',
'rule:external', base.RULE_ADVSVC),
scope_types=['system', 'project'],
description='Get a network',
operations=ACTION_GET,
deprecated_rule=policy.DeprecatedRule(
name='get_network',
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared',
'rule:external', base.RULE_ADVSVC),
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_network:router:external',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description='Get ``router:external`` attribute of a network',
operations=ACTION_GET,
DEPRECATED_REASON = (
"The security group API now supports system scope and default roles.")
SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'
RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'
rules = [
policy.RuleDefault(
name='admin_or_sg_owner',
check_str=base.policy_or('rule:context_is_admin',
'tenant_id:%(security_group:tenant_id)s'),
description='Rule for admin or security group owner access'),
policy.RuleDefault(name='admin_owner_or_sg_owner',
check_str=base.policy_or('rule:owner',
RULE_ADMIN_OR_SG_OWNER),
description=('Rule for resource owner, '
'admin or security group owner access')),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.DocumentedRuleDefault(
name='create_security_group',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create a security group',
operations=[
{
from neutron.conf.policies import base
rules = [
policy.RuleDefault('create_subnet',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for creating subnet'),
policy.RuleDefault('create_subnet:segment_id',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'subnet with segment_id')),
policy.RuleDefault('create_subnet:service_types',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'subnet with service_type')),
policy.RuleDefault('get_subnet',
base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'),
description='Access rule for getting subnet'),
policy.RuleDefault('get_subnet:segment_id',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting '
'segment_id of subnet')),
policy.RuleDefault('update_subnet',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for updating subnet'),
policy.RuleDefault('update_subnet:segment_id',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating segment_id '
'attribute of subnet')),
policy.RuleDefault('update_subnet:service_types',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
from neutron.conf.policies import base
DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""
COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'
rules = [
policy.RuleDefault(
name='restrict_wildcard',
check_str=base.policy_or(
'(not field:rbac_policy:target_tenant=*)',
base.RULE_ADMIN_ONLY),
description='Definition of a wildcard target_tenant'),
policy.DocumentedRuleDefault(
name='create_rbac_policy',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create an RBAC policy',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = """
The router conntrack API now supports system scope and default roles.
"""
COLLECTION_PATH = '/routers/{router_id}/conntrack_helpers'
RESOURCE_PATH = ('/routers/{router_id}'
'/conntrack_helpers/{conntrack_helper_id}')
rules = [
policy.DocumentedRuleDefault(
name='create_router_conntrack_helper',
check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_PARENT_OWNER),
scope_types=['project'],
description='Create a router conntrack helper',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_router_conntrack_helper',
check_str=base.RULE_ADMIN_OR_PARENT_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_router_conntrack_helper',
DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""
COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'
rules = [
# TODO(ralonsoh): remove 'target_tenant=*' reference.
policy.RuleDefault(
name='restrict_wildcard',
check_str=base.policy_or(
'(not field:rbac_policy:target_tenant=* and '
'not field:rbac_policy:target_project=*)',
base.RULE_ADMIN_ONLY),
description='Definition of a wildcard target_project'),
policy.DocumentedRuleDefault(
name='create_rbac_policy',
check_str=base.PROJECT_MEMBER,
scope_types=['project'],
description='Create an RBAC policy',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
},
]
rules = [
policy.DocumentedRuleDefault('create_subnet', base.RULE_ADMIN_OR_NET_OWNER,
'Create a subnet', ACTION_POST),
policy.DocumentedRuleDefault(
'create_subnet:segment_id', base.RULE_ADMIN_ONLY,
'Specify ``segment_id`` attribute when creating a subnet',
ACTION_POST),
policy.DocumentedRuleDefault(
'create_subnet:service_types', base.RULE_ADMIN_ONLY,
'Specify ``service_types`` attribute when creating a subnet',
ACTION_POST),
policy.DocumentedRuleDefault(
'get_subnet', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'),
'Get a subnet', ACTION_GET),
policy.DocumentedRuleDefault('get_subnet:segment_id', base.RULE_ADMIN_ONLY,
'Get ``segment_id`` attribute of a subnet',
ACTION_GET),
policy.DocumentedRuleDefault('update_subnet', base.RULE_ADMIN_OR_NET_OWNER,
'Update a subnet', ACTION_PUT),
policy.DocumentedRuleDefault(
'update_subnet:segment_id', base.RULE_ADMIN_ONLY,
'Update ``segment_id`` attribute of a subnet', ACTION_PUT),
policy.DocumentedRuleDefault(
'update_subnet:service_types', base.RULE_ADMIN_ONLY,
'Update ``service_types`` attribute of a subnet', ACTION_PUT),
policy.DocumentedRuleDefault(
'delete_subnet',
base.RULE_ADMIN_OR_NET_OWNER,
]
),
policy.DocumentedRuleDefault(
'create_address_scope:shared',
base.RULE_ADMIN_ONLY,
'Create a shared address scope',
[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]
),
policy.DocumentedRuleDefault(
'get_address_scope',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_address_scopes'),
'Get an address scope',
[
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
]
),
policy.DocumentedRuleDefault(
'update_address_scope',
base.RULE_ADMIN_OR_OWNER,
]
ACTION_GET = [
{
'method': 'GET',
'path': COLLECTION_PATH
},
{
'method': 'GET',
'path': RESOURCE_PATH
},
]
rules = [
policy.DocumentedRuleDefault(
name='create_subnet',
check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_NET_OWNER),
scope_types=['project'],
description='Create a subnet',
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(
name='create_subnet',
check_str=base.RULE_ADMIN_OR_NET_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='create_subnet:segment_id',
check_str=base.PROJECT_ADMIN,
scope_types=['project'],
description=(
'Specify ``segment_id`` attribute when creating a subnet'),
operations=ACTION_POST,
]
),
policy.DocumentedRuleDefault(
'create_subnetpool:is_default',
base.RULE_ADMIN_ONLY,
'Specify ``is_default`` attribute when creating a subnetpool',
[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]
),
policy.DocumentedRuleDefault(
'get_subnetpool',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_subnetpools'),
'Get a subnetpool',
[
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
]
),
policy.DocumentedRuleDefault(
'update_subnetpool',
base.RULE_ADMIN_OR_OWNER,
from neutron.conf.policies import base
DEPRECATED_REASON = """
The floating IP port forwarding API now supports system scope and default
roles.
"""
COLLECTION_PATH = '/floatingips/{floatingip_id}/port_forwardings'
RESOURCE_PATH = ('/floatingips/{floatingip_id}'
'/port_forwardings/{port_forwarding_id}')
rules = [
policy.DocumentedRuleDefault(
name='create_floatingip_port_forwarding',
check_str=base.policy_or(base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
base.RULE_PARENT_OWNER),
scope_types=['system', 'project'],
description='Create a floating IP port forwarding',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_floatingip_port_forwarding',
check_str=base.RULE_ADMIN_OR_PARENT_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
policy.DocumentedRuleDefault(
name='get_floatingip_port_forwarding',
{'method': 'DELETE', 'path': RESOURCE_PATH},
]
ACTION_GET = [
{'method': 'GET', 'path': COLLECTION_PATH},
{'method': 'GET', 'path': RESOURCE_PATH},
]
rules = [
policy.RuleDefault(
'network_device',
'field:port:device_owner=~^network:',
'Definition of port with network device_owner'),
policy.RuleDefault(
'admin_or_data_plane_int',
base.policy_or('rule:context_is_admin',
'role:data_plane_integrator'),
'Rule for data plane integration'),
policy.DocumentedRuleDefault(
'create_port',
base.RULE_ANY,
'Create a port',
ACTION_POST
),
policy.DocumentedRuleDefault(
'create_port:device_owner',
base.policy_or('not rule:network_device',
base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
'Specify ``device_owner`` attribute when creting a port',
ACTION_POST
{
'method': 'GET',
'path': COLLECTION_PATH
},
{
'method': 'GET',
'path': RESOURCE_PATH
},
]
rules = [
policy.RuleDefault('network_device', 'field:port:device_owner=~^network:',
'Definition of port with network device_owner'),
policy.RuleDefault(
'admin_or_data_plane_int',
base.policy_or('rule:context_is_admin', 'role:data_plane_integrator'),
'Rule for data plane integration'),
policy.DocumentedRuleDefault('create_port', base.RULE_ANY, 'Create a port',
ACTION_POST),
policy.DocumentedRuleDefault(
'create_port:device_owner',
base.policy_or('not rule:network_device', base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
'Specify ``device_owner`` attribute when creting a port', ACTION_POST),
policy.DocumentedRuleDefault(
'create_port:mac_address',
base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER),
'Specify ``mac_address`` attribute when creating a port', ACTION_POST),
policy.DocumentedRuleDefault(
'create_port:fixed_ips',
base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER),
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]),
policy.DocumentedRuleDefault('create_address_scope:shared',
base.RULE_ADMIN_ONLY,
'Create a shared address scope', [
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]),
policy.DocumentedRuleDefault(
'get_address_scope',
base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'),
'Get an address scope', [
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
]),
policy.DocumentedRuleDefault('update_address_scope',
base.RULE_ADMIN_OR_OWNER,
'Update an address scope', [
{
'method': 'PUT',
# under the License.
from oslo_policy import policy
from neutron.conf.policies import base
AG_COLLECTION_PATH = '/address-groups'
AG_RESOURCE_PATH = '/address-groups/{id}'
rules = [
policy.RuleDefault('shared_address_groups',
'field:address_groups:shared=True',
'Definition of a shared address group'),
policy.DocumentedRuleDefault(name='get_address_group',
check_str=base.policy_or(
base.RULE_ADMIN_OR_OWNER,
'rule:shared_address_groups'),
description='Get an address group',
operations=[
{
'method': 'GET',
'path': AG_COLLECTION_PATH,
},
{
'method': 'GET',
'path': AG_RESOURCE_PATH,
},
]),
]
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'restrict_wildcard',
base.policy_or('(not field:rbac_policy:target_tenant=*)',
base.RULE_ADMIN_ONLY),
description='Rule of restrict wildcard'),
policy.RuleDefault(
'create_rbac_policy',
base.RULE_ANY,
description='Access rule for creating RBAC policy'),
policy.RuleDefault(
'create_rbac_policy:target_tenant',
'rule:restrict_wildcard',
description=('Access rule for creating RBAC '
'policy with a specific target tenant')),
policy.RuleDefault(
'update_rbac_policy',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating RBAC policy'),
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]),
policy.DocumentedRuleDefault(
'create_subnetpool:is_default', base.RULE_ADMIN_ONLY,
'Specify ``is_default`` attribute when creating a subnetpool', [
{
'method': 'POST',
'path': COLLECTION_PATH,
},
]),
policy.DocumentedRuleDefault(
'get_subnetpool',
base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_subnetpools'),
'Get a subnetpool', [
{
'method': 'GET',
'path': COLLECTION_PATH,
},
{
'method': 'GET',
'path': RESOURCE_PATH,
},
]),
policy.DocumentedRuleDefault('update_subnetpool', base.RULE_ADMIN_OR_OWNER,
'Update a subnetpool', [
{
'method': 'PUT',
'path': RESOURCE_PATH,
from neutron.conf.policies import base
SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'
RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'
rules = [
policy.RuleDefault(
'admin_or_sg_owner',
base.policy_or('rule:context_is_admin',
'tenant_id:%(security_group:tenant_id)s'),
description='Rule for admin or security group owner access'),
policy.RuleDefault(
'admin_owner_or_sg_owner',
base.policy_or('rule:owner',
RULE_ADMIN_OR_SG_OWNER),
description=('Rule for resource owner, '
'admin or security group owner access')),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.DocumentedRuleDefault(
'create_security_group',
base.RULE_ADMIN_OR_OWNER,
'Create a security group',
[
{
