from cinder.policies import base

# Extra-spec keys singled out as "user visible".
# NOTE(review): presumably these are the only keys returned to callers who do
# not pass READ_SENSITIVE_POLICY -- confirm against the API code, which this
# excerpt does not show.
USER_VISIBLE_EXTRA_SPECS = (
    "RESKEY:availability_zones",
    "multiattach",
    "replication_enabled",
)

# Policy names for volume-type extra-spec operations.
CREATE_POLICY = "volume_extension:types_extra_specs:create"
DELETE_POLICY = "volume_extension:types_extra_specs:delete"
GET_ALL_POLICY = "volume_extension:types_extra_specs:index"
GET_POLICY = "volume_extension:types_extra_specs:show"
READ_SENSITIVE_POLICY = "volume_extension:types_extra_specs:read_sensitive"
UPDATE_POLICY = "volume_extension:types_extra_specs:update"

# Previous defaults for the list/show rules. An empty check string is the
# oslo.policy "always allow" check. By default oslo.policy accepts a request
# that passes EITHER the new default OR the attached deprecated check, so
# these operations stay open to every caller that reaches the policy check
# until the operator sets [oslo_policy] enforce_new_defaults = True.
# NOTE(review): assumes base.CinderDeprecatedRule keeps oslo.policy
# DeprecatedRule semantics -- confirm in cinder.policies.base.
deprecated_get_all_policy = base.CinderDeprecatedRule(name=GET_ALL_POLICY,
                                                      check_str="")
deprecated_get_policy = base.CinderDeprecatedRule(name=GET_POLICY,
                                                  check_str="")

# `policy` is not imported in the visible part of this excerpt; presumably it
# is oslo_policy.policy, imported above the first line shown.
type_extra_specs_policies = [
    # Listing extra specs: new default is reader scope, old default was "".
    policy.DocumentedRuleDefault(
        name=GET_ALL_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="List type extra specs.",
        operations=[{
            'method': 'GET',
            'path': '/types/{type_id}/extra_specs'
        }],
        deprecated_rule=deprecated_get_all_policy,
    ),
    # (excerpt ends here; the remaining rules and the closing bracket of the
    # list are not shown)
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_policy import policy

from cinder.policies import base

# Names of the group policies defined in this module.
RESET_STATUS = 'group:reset_status'
ENABLE_REP = 'group:enable_replication'
DISABLE_REP = 'group:disable_replication'
FAILOVER_REP = 'group:failover_replication'
LIST_REP = 'group:list_replication_targets'
DELETE_POLICY = 'group:delete'

# Previous defaults, kept so that existing deployments keep working during
# the deprecation period. By default oslo.policy accepts a request that
# passes EITHER the new default OR the deprecated check below; the old check
# stops applying only when the operator sets
# [oslo_policy] enforce_new_defaults = True.
# NOTE(review): assumes base.CinderDeprecatedRule keeps oslo.policy
# DeprecatedRule semantics -- confirm in cinder.policies.base.
deprecated_delete_group = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_enable_replication = base.CinderDeprecatedRule(
    name=ENABLE_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_disable_replication = base.CinderDeprecatedRule(
    name=DISABLE_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_failover_replication = base.CinderDeprecatedRule(
    name=FAILOVER_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_list_replication = base.CinderDeprecatedRule(
    name=LIST_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

# TODO(enriquetaso): update the following in Yoga.
# We're not deprecating the reset rule in Xena.
# deprecated_reset_status = base.CinderDeprecatedRule(
#     name=RESET_STATUS,
#     check_str=base.RULE_ADMIN_API
# )
# Policy names for group-type and group-type-spec operations. MANAGE_POLICY,
# referenced further down, is defined in a part of the file that this excerpt
# does not show.
CREATE_POLICY = 'group:group_types:create'
UPDATE_POLICY = 'group:group_types:update'
DELETE_POLICY = 'group:group_types:delete'
SHOW_ACCESS_POLICY = 'group:access_group_types_specs'
# SPEC_POLICY is deprecated
SPEC_POLICY = 'group:group_types_specs'
SPEC_GET_POLICY = 'group:group_types_specs:get'
SPEC_GET_ALL_POLICY = 'group:group_types_specs:get_all'
SPEC_CREATE_POLICY = 'group:group_types_specs:create'
SPEC_UPDATE_POLICY = 'group:group_types_specs:update'
SPEC_DELETE_POLICY = 'group:group_types_specs:delete'

# The two coarse rules below are the deprecated predecessors of the granular
# names above. Both old checks are admin-only (base.RULE_ADMIN_API).
# Operators who overrode the old coarse rule should review the granular rules
# individually: by default oslo.policy still honours the deprecated check
# alongside the new one until [oslo_policy] enforce_new_defaults = True.
deprecated_manage_policy = base.CinderDeprecatedRule(
    name=MANAGE_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(f'{MANAGE_POLICY} has been replaced by more granular '
                       'policies that separately govern POST, PUT, and DELETE '
                       'operations.'),
)
deprecated_spec_policy = base.CinderDeprecatedRule(
    name=SPEC_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(f'{SPEC_POLICY} has been replaced by more granular '
                       'policies that separately govern GET, POST, PUT, and '
                       'DELETE operations.'),
)

group_types_policies = [
    policy.DocumentedRuleDefault(
        name=CREATE_POLICY,
        check_str=base.RULE_ADMIN_API,
        # (excerpt ends here, inside the first rule of the list)
from cinder.policies import base

# Policy names for volume metadata and volume image metadata operations.
GET_POLICY = "volume:get_volume_metadata"
CREATE_POLICY = "volume:create_volume_metadata"
DELETE_POLICY = "volume:delete_volume_metadata"
UPDATE_POLICY = "volume:update_volume_metadata"
IMAGE_METADATA_POLICY = "volume_extension:volume_image_metadata"
IMAGE_METADATA_SHOW_POLICY = "volume_extension:volume_image_metadata:show"
IMAGE_METADATA_SET_POLICY = "volume_extension:volume_image_metadata:set"
IMAGE_METADATA_REMOVE_POLICY = "volume_extension:volume_image_metadata:remove"
UPDATE_ADMIN_METADATA_POLICY = "volume:update_volume_admin_metadata"

# %-style template; the code that fills in the placeholder is not part of
# this excerpt.
BASE_POLICY_NAME = 'volume:volume_metadata:%s'

# Previous defaults (admin-or-owner) for the metadata rules. By default
# oslo.policy accepts a request that passes EITHER the new default OR the
# deprecated check, so these remain in force until the operator sets
# [oslo_policy] enforce_new_defaults = True.
deprecated_get_volume_metadata = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_create_volume_metadata = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_volume_metadata = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_delete_volume_metadata = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
# this is being replaced in Xena by 3 more granular policies
deprecated_image_metadata = base.CinderDeprecatedRule(
    name=IMAGE_METADATA_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
    deprecated_reason=(
        f'{IMAGE_METADATA_POLICY} has been replaced by more granular '
        'policies that separately govern show, set, and remove operations.'))

# (excerpt ends on the opening bracket; the rule list itself is not shown)
volume_metadata_policies = [
# Policy names for core volume operations and for the extra attributes that
# can be attached to a volume response.
CREATE_POLICY = "volume:create"
CREATE_FROM_IMAGE_POLICY = "volume:create_from_image"
GET_POLICY = "volume:get"
GET_ALL_POLICY = "volume:get_all"
UPDATE_POLICY = "volume:update"
DELETE_POLICY = "volume:delete"
FORCE_DELETE_POLICY = "volume:force_delete"
HOST_ATTRIBUTE_POLICY = "volume_extension:volume_host_attribute"
TENANT_ATTRIBUTE_POLICY = "volume_extension:volume_tenant_attribute"
MIG_ATTRIBUTE_POLICY = "volume_extension:volume_mig_status_attribute"
ENCRYPTION_METADATA_POLICY = "volume_extension:volume_encryption_metadata"
MULTIATTACH_POLICY = "volume:multiattach"

# Previous defaults. The two create rules used an empty check string, which
# is the oslo.policy "always allow" check. By default oslo.policy accepts a
# request that passes EITHER the new default OR the deprecated check, so
# volume creation is not restricted by the new default until the operator
# sets [oslo_policy] enforce_new_defaults = True.
# NOTE(review): assumes base.CinderDeprecatedRule keeps oslo.policy
# DeprecatedRule semantics -- confirm in cinder.policies.base.
deprecated_create_volume = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str=""
)
deprecated_create_volume_from_image = base.CinderDeprecatedRule(
    name=CREATE_FROM_IMAGE_POLICY,
    check_str=""
)
deprecated_get_volume = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER
)
deprecated_get_all_volumes = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER
)
deprecated_update_volume = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    # (excerpt ends here, before the check string of this rule)
from cinder.policies import base

# Policy names for backup operations.
GET_ALL_POLICY = 'backup:get_all'
GET_POLICY = 'backup:get'
CREATE_POLICY = 'backup:create'
UPDATE_POLICY = 'backup:update'
DELETE_POLICY = 'backup:delete'
RESTORE_POLICY = 'backup:restore'
IMPORT_POLICY = 'backup:backup-import'
EXPORT_POLICY = 'backup:export-import'
BACKUP_ATTRIBUTES_POLICY = 'backup:backup_project_attribute'

# Previous defaults. By default oslo.policy accepts a request that passes
# EITHER the new default OR the deprecated check; the old check stops
# applying only when the operator sets
# [oslo_policy] enforce_new_defaults = True.
deprecated_get_all_policy = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_get_policy = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
# Empty check string = oslo.policy "always allow": under the old default,
# backup creation was not restricted at the policy layer.
deprecated_create_policy = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str=""
)
deprecated_update_policy = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER
)
deprecated_delete_policy = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    # (excerpt ends here, before the check string of this rule)
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base CREATE_POLICY = 'group:create_group_snapshot' DELETE_POLICY = 'group:delete_group_snapshot' UPDATE_POLICY = 'group:update_group_snapshot' GET_POLICY = 'group:get_group_snapshot' GET_ALL_POLICY = 'group:get_all_group_snapshots' GROUP_SNAPSHOT_ATTRIBUTES_POLICY = 'group:group_snapshot_project_attribute' deprecated_get_all_group_snapshots = base.CinderDeprecatedRule( name=GET_ALL_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_create_group_snapshot = base.CinderDeprecatedRule( name=CREATE_POLICY, check_str="") deprecated_get_group_snapshot = base.CinderDeprecatedRule( name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_delete_group_snapshot = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_update_group_snapshot = base.CinderDeprecatedRule( name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) group_snapshots_policies = [ policy.DocumentedRuleDefault( name=GET_ALL_POLICY, check_str=base.SYSTEM_READER_OR_PROJECT_READER, description="List group snapshots.", operations=[{
# # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base DELETE_POLICY = 'message:delete' GET_POLICY = 'message:get' GET_ALL_POLICY = 'message:get_all' deprecated_get_policy = base.CinderDeprecatedRule( name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_get_all_policy = base.CinderDeprecatedRule( name=GET_ALL_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_delete_policy = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) messages_policies = [ policy.DocumentedRuleDefault( name=GET_ALL_POLICY, check_str=base.SYSTEM_READER_OR_PROJECT_READER, description="List messages.", operations=[{ 'method': 'GET', 'path': '/messages' }], deprecated_rule=deprecated_get_all_policy,
# Policy names for volume actions. EXTEND_POLICY, EXTEND_ATTACHED_POLICY,
# REVERT_POLICY, RETYPE_POLICY and UPDATE_READONLY_POLICY, referenced further
# down, are defined in a part of the file that this excerpt does not show.
UPLOAD_IMAGE_POLICY = "volume_extension:volume_actions:upload_image"
MIGRATE_POLICY = "volume_extension:volume_admin_actions:migrate_volume"
MIGRATE_COMPLETE_POLICY = \
    "volume_extension:volume_admin_actions:migrate_volume_completion"
DETACH_POLICY = "volume_extension:volume_actions:detach"
ATTACH_POLICY = "volume_extension:volume_actions:attach"
BEGIN_DETACHING_POLICY = "volume_extension:volume_actions:begin_detaching"
UNRESERVE_POLICY = "volume_extension:volume_actions:unreserve"
RESERVE_POLICY = "volume_extension:volume_actions:reserve"
ROLL_DETACHING_POLICY = "volume_extension:volume_actions:roll_detaching"
TERMINATE_POLICY = "volume_extension:volume_actions:terminate_connection"
INITIALIZE_POLICY = "volume_extension:volume_actions:initialize_connection"
REIMAGE_POLICY = "volume:reimage"
REIMAGE_RESERVED_POLICY = "volume:reimage_reserved"

# Previous defaults (admin-or-owner) for the action rules. By default
# oslo.policy accepts a request that passes EITHER the new default OR the
# deprecated check; the old check stops applying only when the operator sets
# [oslo_policy] enforce_new_defaults = True.
deprecated_extend_policy = base.CinderDeprecatedRule(
    name=EXTEND_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_extend_attached_policy = base.CinderDeprecatedRule(
    name=EXTEND_ATTACHED_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_revert_policy = base.CinderDeprecatedRule(
    name=REVERT_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_retype_policy = base.CinderDeprecatedRule(
    name=RETYPE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_only_policy = base.CinderDeprecatedRule(
    name=UPDATE_READONLY_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_upload_image_policy = base.CinderDeprecatedRule(
    name=UPLOAD_IMAGE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_initialize_policy = base.CinderDeprecatedRule(
    name=INITIALIZE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_terminate_policy = base.CinderDeprecatedRule(
    name=TERMINATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_roll_detaching_policy = base.CinderDeprecatedRule(
    # (excerpt ends here, before the arguments of this rule)
# Policy names for volume-type encryption operations. ENCRYPTION_POLICY,
# MANAGE_POLICY, EXTRA_SPEC_POLICY, CREATE_ENCRYPTION_POLICY and
# ENCRYPTION_BASE_POLICY_RULE, referenced further down, are defined in a part
# of the file that this excerpt does not show.
GET_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:get"
UPDATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:update"
DELETE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:delete"

# Shared deprecation text for the per-operation encryption rules below.
GENERAL_ENCRYPTION_POLICY_REASON = (
    f"Reason: '{ENCRYPTION_POLICY}' was a convenience policy that allowed you "
    'to set all volume encryption type policies to the same value. We are '
    'deprecating this rule to prepare for a future release in which the '
    'default values for policies that read, create/update, and delete '
    'encryption types will be different from each other.')

# TODO: remove in Yoga
deprecated_manage_policy = base.CinderDeprecatedRule(
    name=MANAGE_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(f'{MANAGE_POLICY} has been replaced by more granular '
                       'policies that separately govern POST, PUT, and DELETE '
                       'operations.'),
)
deprecated_extra_spec_policy = base.CinderDeprecatedRule(
    name=EXTRA_SPEC_POLICY,
    check_str=base.RULE_ADMIN_API)
# The encryption rules defer to ENCRYPTION_BASE_POLICY_RULE rather than
# naming a role check directly, so an operator override of that base rule
# also changes who may create or read encryption types while these
# deprecated rules are honoured.
# NOTE(review): the value of ENCRYPTION_BASE_POLICY_RULE is not visible here;
# presumably a "rule:" reference to ENCRYPTION_POLICY -- confirm.
deprecated_encryption_create_policy = base.CinderDeprecatedRule(
    name=CREATE_ENCRYPTION_POLICY,
    # TODO: change to base.RULE_ADMIN_API in Yoga & remove dep_reason
    check_str=ENCRYPTION_BASE_POLICY_RULE,
    deprecated_reason=GENERAL_ENCRYPTION_POLICY_REASON,
)
deprecated_encryption_get_policy = base.CinderDeprecatedRule(
    name=GET_ENCRYPTION_POLICY,
    # TODO: change to base.RULE_ADMIN_API in Yoga & remove dep_reason
    check_str=ENCRYPTION_BASE_POLICY_RULE,
    # (excerpt ends here, before the end of this rule)
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base ADD_PROJECT_POLICY = "volume_extension:volume_type_access:addProjectAccess" REMOVE_PROJECT_POLICY = \ "volume_extension:volume_type_access:removeProjectAccess" TYPE_ACCESS_POLICY = "volume_extension:volume_type_access" TYPE_ACCESS_WHO_POLICY = "volume_extension:volume_type_access:get_all_for_type" deprecated_volume_type_access = base.CinderDeprecatedRule( name=TYPE_ACCESS_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_type_access_who_policy = base.CinderDeprecatedRule( name=TYPE_ACCESS_WHO_POLICY, # TODO: revise check_str and dep_reason in Yoga check_str=TYPE_ACCESS_POLICY, deprecated_reason=( f"Reason: '{TYPE_ACCESS_WHO_POLICY}' is a new policy that protects " f"an API call formerly governed by '{TYPE_ACCESS_POLICY}', but which " 'has been separated for finer-grained policy control.'), ) volume_access_policies = [ policy.DocumentedRuleDefault( name=TYPE_ACCESS_POLICY, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, description=(
# License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base # MANAGE_POLICY is deprecated MANAGE_POLICY = 'volume_extension:quota_classes' GET_POLICY = 'volume_extension:quota_classes:get' UPDATE_POLICY = 'volume_extension:quota_classes:update' deprecated_manage_policy = base.CinderDeprecatedRule( name=MANAGE_POLICY, check_str=base.RULE_ADMIN_API, deprecated_reason=(f'{MANAGE_POLICY} has been replaced by more granular ' 'policies that separately govern GET and PUT ' 'operations.'), ) quota_class_policies = [ policy.DocumentedRuleDefault( name=GET_POLICY, check_str=base.RULE_ADMIN_API, description="Show project quota class.", operations=[{ 'method': 'GET', 'path': '/os-quota-class-sets/{project_id}' }], deprecated_rule=deprecated_manage_policy, ),
# Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base RESET_STATUS_POLICY = 'volume_extension:snapshot_admin_actions:reset_status' FORCE_DELETE_POLICY = 'volume_extension:snapshot_admin_actions:force_delete' UPDATE_STATUS_POLICY = \ 'snapshot_extension:snapshot_actions:update_snapshot_status' deprecated_update_status = base.CinderDeprecatedRule(name=UPDATE_STATUS_POLICY, check_str="") snapshot_actions_policies = [ policy.DocumentedRuleDefault( name=RESET_STATUS_POLICY, check_str=base.RULE_ADMIN_API, description="Reset status of a snapshot.", operations=[{ 'method': 'POST', 'path': '/snapshots/{snapshot_id}/action (os-reset_status)' }], ), policy.DocumentedRuleDefault( name=UPDATE_STATUS_POLICY, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, description="Update database fields of snapshot.",
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base CREATE_POLICY = 'volume:attachment_create' UPDATE_POLICY = 'volume:attachment_update' DELETE_POLICY = 'volume:attachment_delete' COMPLETE_POLICY = 'volume:attachment_complete' MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume' deprecated_create_policy = base.CinderDeprecatedRule(name=CREATE_POLICY, check_str="") deprecated_update_policy = base.CinderDeprecatedRule( name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_delete_policy = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_complete_policy = base.CinderDeprecatedRule( name=COMPLETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_multiattach_policy = base.CinderDeprecatedRule( name=MULTIATTACH_BOOTABLE_VOLUME_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) attachments_policies = [ policy.DocumentedRuleDefault( name=CREATE_POLICY, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, description="Create attachment.",
# License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base BASE_POLICY_NAME = 'volume:snapshots:%s' GET_POLICY = 'volume:get_snapshot' GET_ALL_POLICY = 'volume:get_all_snapshots' CREATE_POLICY = 'volume:create_snapshot' DELETE_POLICY = 'volume:delete_snapshot' UPDATE_POLICY = 'volume:update_snapshot' EXTEND_ATTRIBUTE = 'volume_extension:extended_snapshot_attributes' deprecated_get_all_snapshots = base.CinderDeprecatedRule( name=GET_ALL_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_extend_snapshot_attribute = base.CinderDeprecatedRule( name=EXTEND_ATTRIBUTE, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_create_snapshot = base.CinderDeprecatedRule( name=CREATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_get_snapshot = base.CinderDeprecatedRule( name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_update_snapshot = base.CinderDeprecatedRule( name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) deprecated_delete_snapshot = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER) snapshots_policies = [ policy.DocumentedRuleDefault( name=GET_ALL_POLICY, check_str=base.SYSTEM_READER_OR_PROJECT_READER,
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base CREATE_UPDATE_POLICY = "volume_extension:default_set_or_update" GET_POLICY = "volume_extension:default_get" GET_ALL_POLICY = "volume_extension:default_get_all" DELETE_POLICY = "volume_extension:default_unset" deprecated_create_update_policy = base.CinderDeprecatedRule( name=CREATE_UPDATE_POLICY, check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN) deprecated_get_policy = base.CinderDeprecatedRule( name=GET_POLICY, check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN) deprecated_get_all_policy = base.CinderDeprecatedRule( name=GET_ALL_POLICY, check_str=base.SYSTEM_ADMIN) deprecated_delete_policy = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN) default_type_policies = [ policy.DocumentedRuleDefault( name=CREATE_UPDATE_POLICY, check_str=base.RULE_ADMIN_API, description="Set or update default volume type.", operations=[{ 'method': 'PUT',
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_policy import policy

from cinder.policies import base

# Name of the policy that governs the used-limit attributes on /limits.
EXTEND_LIMIT_ATTRIBUTE_POLICY = "limits_extension:used_limits"

# Previous default (admin-or-owner). By default oslo.policy accepts a request
# that passes EITHER the new default OR this deprecated check; the old check
# stops applying only when the operator sets
# [oslo_policy] enforce_new_defaults = True.
# NOTE(review): assumes base.CinderDeprecatedRule keeps oslo.policy
# DeprecatedRule semantics -- confirm in cinder.policies.base.
deprecated_limits = base.CinderDeprecatedRule(
    name=EXTEND_LIMIT_ATTRIBUTE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

limits_policies = [
    # New default: reader scope.
    policy.DocumentedRuleDefault(
        name=EXTEND_LIMIT_ATTRIBUTE_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="Show limits with used limit attributes.",
        operations=[
            {'method': 'GET', 'path': '/limits'},
        ],
        deprecated_rule=deprecated_limits,
    ),
]
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from cinder.policies import base GET_POLICY = 'volume:get_snapshot_metadata' DELETE_POLICY = 'volume:delete_snapshot_metadata' UPDATE_POLICY = 'volume:update_snapshot_metadata' deprecated_get_snapshot_metadata = base.CinderDeprecatedRule( name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER ) deprecated_update_snapshot_metadata = base.CinderDeprecatedRule( name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER ) deprecated_delete_snapshot_metadata = base.CinderDeprecatedRule( name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER ) snapshot_metadata_policies = [ policy.DocumentedRuleDefault( name=GET_POLICY, check_str=base.SYSTEM_READER_OR_PROJECT_READER,