Ejemplo n.º 1
0
     'Specify ``segments`` attribute when creating a network', ACTION_POST),
 policy.DocumentedRuleDefault(
     'create_network:provider:network_type', base.RULE_ADMIN_ONLY,
     'Specify ``provider:network_type`` when creating a network',
     ACTION_POST),
 policy.DocumentedRuleDefault(
     'create_network:provider:physical_network', base.RULE_ADMIN_ONLY,
     'Specify ``provider:physical_network`` when creating a network',
     ACTION_POST),
 policy.DocumentedRuleDefault(
     'create_network:provider:segmentation_id', base.RULE_ADMIN_ONLY,
     'Specify ``provider:segmentation_id`` when creating a network',
     ACTION_POST),
 policy.DocumentedRuleDefault(
     'get_network',
     base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared',
                    'rule:external', base.RULE_ADVSVC), 'Get a network',
     ACTION_GET),
 policy.DocumentedRuleDefault(
     'get_network:router:external', base.RULE_ANY,
     'Get ``router:external`` attribute of a network', ACTION_GET),
 policy.DocumentedRuleDefault('get_network:segments', base.RULE_ADMIN_ONLY,
                              'Get ``segments`` attribute of a network',
                              ACTION_GET),
 policy.DocumentedRuleDefault(
     'get_network:provider:network_type', base.RULE_ADMIN_ONLY,
     'Get ``provider:network_type`` attribute of a network', ACTION_GET),
 policy.DocumentedRuleDefault(
     'get_network:provider:physical_network', base.RULE_ADMIN_ONLY,
     'Get ``provider:physical_network`` attribute of a network',
     ACTION_GET),
 policy.DocumentedRuleDefault(
Ejemplo n.º 2
0
from oslo_log import versionutils
from oslo_policy import policy

from neutron.conf.policies import base

DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""

COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'

rules = [
    policy.RuleDefault(name='restrict_wildcard',
                       check_str=base.policy_or(
                           '(not field:rbac_policy:target_tenant=*)',
                           base.RULE_ADMIN_ONLY),
                       description='Definition of a wildcard target_tenant'),
    policy.DocumentedRuleDefault(
        name='create_rbac_policy',
        check_str=base.PROJECT_MEMBER,
        scope_types=['system', 'project'],
        description='Create an RBAC policy',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
            name='create_rbac_policy',
Ejemplo n.º 3
0
        'method': 'GET',
        'path': COLLECTION_PATH
    },
    {
        'method': 'GET',
        'path': RESOURCE_PATH
    },
]

rules = [
    policy.RuleDefault(
        name='network_device',
        check_str='field:port:device_owner=~^network:',
        description='Definition of port with network device_owner'),
    policy.RuleDefault(name='admin_or_data_plane_int',
                       check_str=base.policy_or('rule:context_is_admin',
                                                'role:data_plane_integrator'),
                       description='Rule for data plane integration'),
    policy.DocumentedRuleDefault(
        name='create_port',
        check_str=base.PROJECT_MEMBER,
        scope_types=['system', 'project'],
        description='Create a port',
        operations=ACTION_POST,
        deprecated_rule=policy.DeprecatedRule(name='create_port',
                                              check_str=base.RULE_ANY),
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY),
    policy.DocumentedRuleDefault(
        name='create_port:device_owner',
        check_str=base.policy_or('not rule:network_device', base.SYSTEM_ADMIN,
                                 base.PROJECT_ADMIN, base.RULE_ADVSVC,
Ejemplo n.º 4
0
     description=(
         'Specify ``is_default`` attribute when creating a subnetpool'),
     operations=[
         {
             'method': 'POST',
             'path': COLLECTION_PATH,
         },
     ],
     deprecated_rule=policy.DeprecatedRule(
         name='create_subnetpool:is_default',
         check_str=base.RULE_ADMIN_ONLY,
         deprecated_reason=DEPRECATED_REASON,
         deprecated_since=versionutils.deprecated.WALLABY)),
 policy.DocumentedRuleDefault(
     name='get_subnetpool',
     check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER,
                              'rule:shared_subnetpools'),
     scope_types=['system', 'project'],
     description='Get a subnetpool',
     operations=[
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ],
     deprecated_rule=policy.DeprecatedRule(
         name='get_subnetpool',
         check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
Ejemplo n.º 5
0
AG_RESOURCE_PATH = '/address-groups/{id}'

DEPRECATION_REASON = (
    "The Address scope API now supports system scope and default roles.")


rules = [
    policy.RuleDefault(
        'shared_address_groups',
        'field:address_groups:shared=True',
        'Definition of a shared address group'
    ),
    policy.DocumentedRuleDefault(
        name='get_address_group',
        check_str=base.policy_or(
            base.SYSTEM_OR_PROJECT_READER,
            'rule:shared_address_groups'),
        description='Get an address group',
        operations=[
            {
                'method': 'GET',
                'path': AG_COLLECTION_PATH,
            },
            {
                'method': 'GET',
                'path': AG_RESOURCE_PATH,
            },
        ],
        scope_types=['system', 'project'],
        deprecated_rule=policy.DeprecatedRule(
            name='get_address_group',
Ejemplo n.º 6
0
     description='Create a shared address scope',
     operations=[
         {
             'method': 'POST',
             'path': COLLECTION_PATH,
         },
     ],
     scope_types=['project'],
     deprecated_rule=policy.DeprecatedRule(
         name='create_address_scope:shared',
         check_str=base.RULE_ADMIN_ONLY,
         deprecated_reason=DEPRECATION_REASON,
         deprecated_since=versionutils.deprecated.WALLABY)),
 policy.DocumentedRuleDefault(
     name='get_address_scope',
     check_str=base.policy_or(base.PROJECT_READER,
                              'rule:shared_address_scopes'),
     description='Get an address scope',
     operations=[
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ],
     scope_types=['project'],
     deprecated_rule=policy.DeprecatedRule(
         name='get_address_scope',
         check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
Ejemplo n.º 7
0
         deprecated_since=versionutils.deprecated.WALLABY)),
 policy.DocumentedRuleDefault(
     name='create_network:provider:segmentation_id',
     check_str=base.SYSTEM_ADMIN,
     scope_types=['system'],
     description=(
         'Specify ``provider:segmentation_id`` when creating a network'),
     operations=ACTION_POST,
     deprecated_rule=policy.DeprecatedRule(
         name='create_network:provider:segmentation_id',
         check_str=base.RULE_ADMIN_ONLY,
         deprecated_reason=DEPRECATED_REASON,
         deprecated_since=versionutils.deprecated.WALLABY)),
 policy.DocumentedRuleDefault(
     name='get_network',
     check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER, 'rule:shared',
                              'rule:external', base.RULE_ADVSVC),
     scope_types=['system', 'project'],
     description='Get a network',
     operations=ACTION_GET,
     deprecated_rule=policy.DeprecatedRule(
         name='get_network',
         check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared',
                                  'rule:external', base.RULE_ADVSVC),
         deprecated_reason=DEPRECATED_REASON,
         deprecated_since=versionutils.deprecated.WALLABY)),
 policy.DocumentedRuleDefault(
     name='get_network:router:external',
     check_str=base.SYSTEM_OR_PROJECT_READER,
     scope_types=['system', 'project'],
     description='Get ``router:external`` attribute of a network',
     operations=ACTION_GET,
Ejemplo n.º 8
0
DEPRECATED_REASON = (
    "The security group API now supports system scope and default roles.")

SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'

RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'

rules = [
    policy.RuleDefault(
        name='admin_or_sg_owner',
        check_str=base.policy_or('rule:context_is_admin',
                                 'tenant_id:%(security_group:tenant_id)s'),
        description='Rule for admin or security group owner access'),
    policy.RuleDefault(name='admin_owner_or_sg_owner',
                       check_str=base.policy_or('rule:owner',
                                                RULE_ADMIN_OR_SG_OWNER),
                       description=('Rule for resource owner, '
                                    'admin or security group owner access')),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group?
    policy.DocumentedRuleDefault(
        name='create_security_group',
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        scope_types=['system', 'project'],
        description='Create a security group',
        operations=[
            {
Ejemplo n.º 9
0
from neutron.conf.policies import base

rules = [
    policy.RuleDefault('create_subnet',
                       base.RULE_ADMIN_OR_NET_OWNER,
                       description='Access rule for creating subnet'),
    policy.RuleDefault('create_subnet:segment_id',
                       base.RULE_ADMIN_ONLY,
                       description=('Access rule for creating '
                                    'subnet with segment_id')),
    policy.RuleDefault('create_subnet:service_types',
                       base.RULE_ADMIN_ONLY,
                       description=('Access rule for creating '
                                    'subnet with service_type')),
    policy.RuleDefault('get_subnet',
                       base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'),
                       description='Access rule for getting subnet'),
    policy.RuleDefault('get_subnet:segment_id',
                       base.RULE_ADMIN_ONLY,
                       description=('Access rule for getting '
                                    'segment_id of subnet')),
    policy.RuleDefault('update_subnet',
                       base.RULE_ADMIN_OR_NET_OWNER,
                       description='Access rule for updating subnet'),
    policy.RuleDefault('update_subnet:segment_id',
                       base.RULE_ADMIN_ONLY,
                       description=('Access rule for updating segment_id '
                                    'attribute of subnet')),
    policy.RuleDefault('update_subnet:service_types',
                       base.RULE_ADMIN_ONLY,
                       description=('Access rule for updating '
Ejemplo n.º 10
0
from neutron.conf.policies import base

DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""


COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'


rules = [
    policy.RuleDefault(
        name='restrict_wildcard',
        check_str=base.policy_or(
            '(not field:rbac_policy:target_tenant=*)',
            base.RULE_ADMIN_ONLY),
        description='Definition of a wildcard target_tenant'),

    policy.DocumentedRuleDefault(
        name='create_rbac_policy',
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        scope_types=['system', 'project'],
        description='Create an RBAC policy',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
Ejemplo n.º 11
0
from oslo_policy import policy

from neutron.conf.policies import base

DEPRECATED_REASON = """
The router conntrack API now supports system scope and default roles.
"""

COLLECTION_PATH = '/routers/{router_id}/conntrack_helpers'
RESOURCE_PATH = ('/routers/{router_id}'
                 '/conntrack_helpers/{conntrack_helper_id}')

rules = [
    policy.DocumentedRuleDefault(
        name='create_router_conntrack_helper',
        check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_PARENT_OWNER),
        scope_types=['project'],
        description='Create a router conntrack helper',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
            name='create_router_conntrack_helper',
            check_str=base.RULE_ADMIN_OR_PARENT_OWNER,
            deprecated_reason=DEPRECATED_REASON,
            deprecated_since=versionutils.deprecated.WALLABY)),
    policy.DocumentedRuleDefault(
        name='get_router_conntrack_helper',
Ejemplo n.º 12
0
DEPRECATED_REASON = """
The RBAC API now supports system scope and default roles.
"""


COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'


rules = [
    # TODO(ralonsoh): remove 'target_tenant=*' reference.
    policy.RuleDefault(
        name='restrict_wildcard',
        check_str=base.policy_or(
            '(not field:rbac_policy:target_tenant=* and '
            'not field:rbac_policy:target_project=*)',
            base.RULE_ADMIN_ONLY),
        description='Definition of a wildcard target_project'),

    policy.DocumentedRuleDefault(
        name='create_rbac_policy',
        check_str=base.PROJECT_MEMBER,
        scope_types=['project'],
        description='Create an RBAC policy',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
Ejemplo n.º 13
0
    },
]

rules = [
    policy.DocumentedRuleDefault('create_subnet', base.RULE_ADMIN_OR_NET_OWNER,
                                 'Create a subnet', ACTION_POST),
    policy.DocumentedRuleDefault(
        'create_subnet:segment_id', base.RULE_ADMIN_ONLY,
        'Specify ``segment_id`` attribute when creating a subnet',
        ACTION_POST),
    policy.DocumentedRuleDefault(
        'create_subnet:service_types', base.RULE_ADMIN_ONLY,
        'Specify ``service_types`` attribute when creating a subnet',
        ACTION_POST),
    policy.DocumentedRuleDefault(
        'get_subnet', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'),
        'Get a subnet', ACTION_GET),
    policy.DocumentedRuleDefault('get_subnet:segment_id', base.RULE_ADMIN_ONLY,
                                 'Get ``segment_id`` attribute of a subnet',
                                 ACTION_GET),
    policy.DocumentedRuleDefault('update_subnet', base.RULE_ADMIN_OR_NET_OWNER,
                                 'Update a subnet', ACTION_PUT),
    policy.DocumentedRuleDefault(
        'update_subnet:segment_id', base.RULE_ADMIN_ONLY,
        'Update ``segment_id`` attribute of a subnet', ACTION_PUT),
    policy.DocumentedRuleDefault(
        'update_subnet:service_types', base.RULE_ADMIN_ONLY,
        'Update ``service_types`` attribute of a subnet', ACTION_PUT),
    policy.DocumentedRuleDefault(
        'delete_subnet',
        base.RULE_ADMIN_OR_NET_OWNER,
Ejemplo n.º 14
0
     ]
 ),
 policy.DocumentedRuleDefault(
     'create_address_scope:shared',
     base.RULE_ADMIN_ONLY,
     'Create a shared address scope',
     [
         {
             'method': 'POST',
             'path': COLLECTION_PATH,
         },
     ]
 ),
 policy.DocumentedRuleDefault(
     'get_address_scope',
     base.policy_or(base.RULE_ADMIN_OR_OWNER,
                    'rule:shared_address_scopes'),
     'Get an address scope',
     [
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ]
 ),
 policy.DocumentedRuleDefault(
     'update_address_scope',
     base.RULE_ADMIN_OR_OWNER,
Ejemplo n.º 15
0
]
ACTION_GET = [
    {
        'method': 'GET',
        'path': COLLECTION_PATH
    },
    {
        'method': 'GET',
        'path': RESOURCE_PATH
    },
]

rules = [
    policy.DocumentedRuleDefault(
        name='create_subnet',
        check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_NET_OWNER),
        scope_types=['project'],
        description='Create a subnet',
        operations=ACTION_POST,
        deprecated_rule=policy.DeprecatedRule(
            name='create_subnet',
            check_str=base.RULE_ADMIN_OR_NET_OWNER,
            deprecated_reason=DEPRECATED_REASON,
            deprecated_since=versionutils.deprecated.WALLABY)),
    policy.DocumentedRuleDefault(
        name='create_subnet:segment_id',
        check_str=base.PROJECT_ADMIN,
        scope_types=['project'],
        description=(
            'Specify ``segment_id`` attribute when creating a subnet'),
        operations=ACTION_POST,
Ejemplo n.º 16
0
     ]
 ),
 policy.DocumentedRuleDefault(
     'create_subnetpool:is_default',
     base.RULE_ADMIN_ONLY,
     'Specify ``is_default`` attribute when creating a subnetpool',
     [
         {
             'method': 'POST',
             'path': COLLECTION_PATH,
         },
     ]
 ),
 policy.DocumentedRuleDefault(
     'get_subnetpool',
     base.policy_or(base.RULE_ADMIN_OR_OWNER,
                    'rule:shared_subnetpools'),
     'Get a subnetpool',
     [
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ]
 ),
 policy.DocumentedRuleDefault(
     'update_subnetpool',
     base.RULE_ADMIN_OR_OWNER,
Ejemplo n.º 17
0
from neutron.conf.policies import base

DEPRECATED_REASON = """
The floating IP port forwarding API now supports system scope and default
roles.
"""

COLLECTION_PATH = '/floatingips/{floatingip_id}/port_forwardings'
RESOURCE_PATH = ('/floatingips/{floatingip_id}'
                 '/port_forwardings/{port_forwarding_id}')

rules = [
    policy.DocumentedRuleDefault(
        name='create_floatingip_port_forwarding',
        check_str=base.policy_or(base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
                                 base.RULE_PARENT_OWNER),
        scope_types=['system', 'project'],
        description='Create a floating IP port forwarding',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
            name='create_floatingip_port_forwarding',
            check_str=base.RULE_ADMIN_OR_PARENT_OWNER,
            deprecated_reason=DEPRECATED_REASON,
            deprecated_since=versionutils.deprecated.WALLABY)),
    policy.DocumentedRuleDefault(
        name='get_floatingip_port_forwarding',
Ejemplo n.º 18
0
    {'method': 'DELETE', 'path': RESOURCE_PATH},
]
ACTION_GET = [
    {'method': 'GET', 'path': COLLECTION_PATH},
    {'method': 'GET', 'path': RESOURCE_PATH},
]


rules = [
    policy.RuleDefault(
        'network_device',
        'field:port:device_owner=~^network:',
        'Definition of port with network device_owner'),
    policy.RuleDefault(
        'admin_or_data_plane_int',
        base.policy_or('rule:context_is_admin',
                       'role:data_plane_integrator'),
        'Rule for data plane integration'),

    policy.DocumentedRuleDefault(
        'create_port',
        base.RULE_ANY,
        'Create a port',
        ACTION_POST
    ),
    policy.DocumentedRuleDefault(
        'create_port:device_owner',
        base.policy_or('not rule:network_device',
                       base.RULE_ADVSVC,
                       base.RULE_ADMIN_OR_NET_OWNER),
        'Specify ``device_owner`` attribute when creting a port',
        ACTION_POST
Ejemplo n.º 19
0
    {
        'method': 'GET',
        'path': COLLECTION_PATH
    },
    {
        'method': 'GET',
        'path': RESOURCE_PATH
    },
]

rules = [
    policy.RuleDefault('network_device', 'field:port:device_owner=~^network:',
                       'Definition of port with network device_owner'),
    policy.RuleDefault(
        'admin_or_data_plane_int',
        base.policy_or('rule:context_is_admin', 'role:data_plane_integrator'),
        'Rule for data plane integration'),
    policy.DocumentedRuleDefault('create_port', base.RULE_ANY, 'Create a port',
                                 ACTION_POST),
    policy.DocumentedRuleDefault(
        'create_port:device_owner',
        base.policy_or('not rule:network_device', base.RULE_ADVSVC,
                       base.RULE_ADMIN_OR_NET_OWNER),
        'Specify ``device_owner`` attribute when creting a port', ACTION_POST),
    policy.DocumentedRuleDefault(
        'create_port:mac_address',
        base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER),
        'Specify ``mac_address`` attribute when creating a port', ACTION_POST),
    policy.DocumentedRuleDefault(
        'create_port:fixed_ips',
        base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER),
Ejemplo n.º 20
0
                                  {
                                      'method': 'POST',
                                      'path': COLLECTION_PATH,
                                  },
                              ]),
 policy.DocumentedRuleDefault('create_address_scope:shared',
                              base.RULE_ADMIN_ONLY,
                              'Create a shared address scope', [
                                  {
                                      'method': 'POST',
                                      'path': COLLECTION_PATH,
                                  },
                              ]),
 policy.DocumentedRuleDefault(
     'get_address_scope',
     base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'),
     'Get an address scope', [
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ]),
 policy.DocumentedRuleDefault('update_address_scope',
                              base.RULE_ADMIN_OR_OWNER,
                              'Update an address scope', [
                                  {
                                      'method': 'PUT',
Ejemplo n.º 21
0
#  under the License.

from oslo_policy import policy

from neutron.conf.policies import base

AG_COLLECTION_PATH = '/address-groups'
AG_RESOURCE_PATH = '/address-groups/{id}'

rules = [
    policy.RuleDefault('shared_address_groups',
                       'field:address_groups:shared=True',
                       'Definition of a shared address group'),
    policy.DocumentedRuleDefault(name='get_address_group',
                                 check_str=base.policy_or(
                                     base.RULE_ADMIN_OR_OWNER,
                                     'rule:shared_address_groups'),
                                 description='Get an address group',
                                 operations=[
                                     {
                                         'method': 'GET',
                                         'path': AG_COLLECTION_PATH,
                                     },
                                     {
                                         'method': 'GET',
                                         'path': AG_RESOURCE_PATH,
                                     },
                                 ]),
]

Ejemplo n.º 22
0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy

from neutron.conf.policies import base


rules = [
    policy.RuleDefault(
        'restrict_wildcard',
        base.policy_or('(not field:rbac_policy:target_tenant=*)',
                       base.RULE_ADMIN_ONLY),
        description='Rule of restrict wildcard'),

    policy.RuleDefault(
        'create_rbac_policy',
        base.RULE_ANY,
        description='Access rule for creating RBAC policy'),
    policy.RuleDefault(
        'create_rbac_policy:target_tenant',
        'rule:restrict_wildcard',
        description=('Access rule for creating RBAC '
                     'policy with a specific target tenant')),
    policy.RuleDefault(
        'update_rbac_policy',
        base.RULE_ADMIN_OR_OWNER,
        description='Access rule for updating RBAC policy'),
Ejemplo n.º 23
0
                                  {
                                      'method': 'POST',
                                      'path': COLLECTION_PATH,
                                  },
                              ]),
 policy.DocumentedRuleDefault(
     'create_subnetpool:is_default', base.RULE_ADMIN_ONLY,
     'Specify ``is_default`` attribute when creating a subnetpool', [
         {
             'method': 'POST',
             'path': COLLECTION_PATH,
         },
     ]),
 policy.DocumentedRuleDefault(
     'get_subnetpool',
     base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_subnetpools'),
     'Get a subnetpool', [
         {
             'method': 'GET',
             'path': COLLECTION_PATH,
         },
         {
             'method': 'GET',
             'path': RESOURCE_PATH,
         },
     ]),
 policy.DocumentedRuleDefault('update_subnetpool', base.RULE_ADMIN_OR_OWNER,
                              'Update a subnetpool', [
                                  {
                                      'method': 'PUT',
                                      'path': RESOURCE_PATH,
Ejemplo n.º 24
0
from neutron.conf.policies import base


SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'

RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'


rules = [
    policy.RuleDefault(
        'admin_or_sg_owner',
        base.policy_or('rule:context_is_admin',
                       'tenant_id:%(security_group:tenant_id)s'),
        description='Rule for admin or security group owner access'),
    policy.RuleDefault(
        'admin_owner_or_sg_owner',
        base.policy_or('rule:owner',
                       RULE_ADMIN_OR_SG_OWNER),
        description=('Rule for resource owner, '
                     'admin or security group owner access')),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group?
    policy.DocumentedRuleDefault(
        'create_security_group',
        base.RULE_ADMIN_OR_OWNER,
        'Create a security group',
        [
            {