Example #1
from cinder.policies import base

# Extra-spec keys enumerated by name. NOTE(review): presumably these are the
# keys shown to callers who do not pass READ_SENSITIVE_POLICY -- confirm
# against the extra-specs API code, which is not part of this excerpt.
USER_VISIBLE_EXTRA_SPECS = (
    "RESKEY:availability_zones",
    "multiattach",
    "replication_enabled",
)

# Names of the policy rules that govern volume-type extra specs.
CREATE_POLICY = "volume_extension:types_extra_specs:create"
DELETE_POLICY = "volume_extension:types_extra_specs:delete"
GET_ALL_POLICY = "volume_extension:types_extra_specs:index"
GET_POLICY = "volume_extension:types_extra_specs:show"
READ_SENSITIVE_POLICY = "volume_extension:types_extra_specs:read_sensitive"
UPDATE_POLICY = "volume_extension:types_extra_specs:update"

# Previous defaults of the two read rules. An empty check_str is an
# oslo.policy check that always passes. oslo.policy ORs a deprecated check
# with the new default unless [oslo_policy] enforce_new_defaults is set, so
# until then the effective read rules admit any caller that reaches the
# policy check.
deprecated_get_all_policy = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str="",
)

deprecated_get_policy = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str="",
)

type_extra_specs_policies = [
    policy.DocumentedRuleDefault(
        name=GET_ALL_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="List type extra specs.",
        operations=[{
            'method': 'GET',
            'path': '/types/{type_id}/extra_specs'
        }],
        deprecated_rule=deprecated_get_all_policy,
    ),
Example #2
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for group operations.
RESET_STATUS = 'group:reset_status'
ENABLE_REP = 'group:enable_replication'
DISABLE_REP = 'group:disable_replication'
FAILOVER_REP = 'group:failover_replication'
LIST_REP = 'group:list_replication_targets'
DELETE_POLICY = 'group:delete'

# Former defaults (base.RULE_ADMIN_OR_OWNER) for delete and the replication
# rules. NOTE(review): if CinderDeprecatedRule behaves like oslo.policy's
# DeprecatedRule, each old check stays OR-ed into the effective rule until
# [oslo_policy] enforce_new_defaults is enabled -- confirm in
# cinder/policies/base.py.
deprecated_delete_group = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_enable_replication = base.CinderDeprecatedRule(
    name=ENABLE_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_disable_replication = base.CinderDeprecatedRule(
    name=DISABLE_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_failover_replication = base.CinderDeprecatedRule(
    name=FAILOVER_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_list_replication = base.CinderDeprecatedRule(
    name=LIST_REP,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
# TODO(enriquetaso): update the following in Yoga.
# We're not deprecating the reset rule in Xena.
# deprecated_reset_status = base.CinderDeprecatedRule(
#     name=RESET_STATUS,
#     check_str=base.RULE_ADMIN_API
# )
Example #3
# Policy rule names for group types and their specs.
CREATE_POLICY = 'group:group_types:create'
UPDATE_POLICY = 'group:group_types:update'
DELETE_POLICY = 'group:group_types:delete'
SHOW_ACCESS_POLICY = 'group:access_group_types_specs'
# SPEC_POLICY is deprecated; the per-operation SPEC_* names below replace it.
SPEC_POLICY = 'group:group_types_specs'
SPEC_GET_POLICY = 'group:group_types_specs:get'
SPEC_GET_ALL_POLICY = 'group:group_types_specs:get_all'
SPEC_CREATE_POLICY = 'group:group_types_specs:create'
SPEC_UPDATE_POLICY = 'group:group_types_specs:update'
SPEC_DELETE_POLICY = 'group:group_types_specs:delete'

# Deprecated umbrella rules, both defaulting to base.RULE_ADMIN_API.
# MANAGE_POLICY is defined earlier in the file, outside this excerpt.
# Operators who overrode an umbrella rule should carry the override over to
# each granular rule so the intended restriction survives the rule's removal.
deprecated_manage_policy = base.CinderDeprecatedRule(
    name=MANAGE_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(
        f'{MANAGE_POLICY} has been replaced by more granular '
        'policies that separately govern POST, PUT, and DELETE '
        'operations.'
    ),
)
deprecated_spec_policy = base.CinderDeprecatedRule(
    name=SPEC_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(
        f'{SPEC_POLICY} has been replaced by more granular '
        'policies that separately govern GET, POST, PUT, and '
        'DELETE operations.'
    ),
)

group_types_policies = [
    policy.DocumentedRuleDefault(
        name=CREATE_POLICY,
        check_str=base.RULE_ADMIN_API,
Example #4
from cinder.policies import base

# Policy rule names for volume metadata and volume image metadata.
GET_POLICY = "volume:get_volume_metadata"
CREATE_POLICY = "volume:create_volume_metadata"
DELETE_POLICY = "volume:delete_volume_metadata"
UPDATE_POLICY = "volume:update_volume_metadata"
IMAGE_METADATA_POLICY = "volume_extension:volume_image_metadata"
IMAGE_METADATA_SHOW_POLICY = "volume_extension:volume_image_metadata:show"
IMAGE_METADATA_SET_POLICY = "volume_extension:volume_image_metadata:set"
IMAGE_METADATA_REMOVE_POLICY = "volume_extension:volume_image_metadata:remove"
UPDATE_ADMIN_METADATA_POLICY = "volume:update_volume_admin_metadata"

# Template with one %s slot for building further rule names.
BASE_POLICY_NAME = 'volume:volume_metadata:%s'

# Former defaults, all base.RULE_ADMIN_OR_OWNER. NOTE(review): assuming
# oslo.policy's usual deprecation handling, the old check remains OR-ed into
# the effective rule until [oslo_policy] enforce_new_defaults is enabled.
deprecated_get_volume_metadata = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_create_volume_metadata = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_update_volume_metadata = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_delete_volume_metadata = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
# Umbrella image-metadata rule: replaced in Xena by three granular policies
# (show, set, remove), so an override of it must be repeated on each of them.
deprecated_image_metadata = base.CinderDeprecatedRule(
    name=IMAGE_METADATA_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
    deprecated_reason=(
        f'{IMAGE_METADATA_POLICY} has been replaced by more granular '
        'policies that separately govern show, set, and remove operations.'
    ),
)

volume_metadata_policies = [
Example #5
# Policy rule names for core volume operations and extended attributes.
CREATE_POLICY = "volume:create"
CREATE_FROM_IMAGE_POLICY = "volume:create_from_image"
GET_POLICY = "volume:get"
GET_ALL_POLICY = "volume:get_all"
UPDATE_POLICY = "volume:update"
DELETE_POLICY = "volume:delete"
FORCE_DELETE_POLICY = "volume:force_delete"
HOST_ATTRIBUTE_POLICY = "volume_extension:volume_host_attribute"
TENANT_ATTRIBUTE_POLICY = "volume_extension:volume_tenant_attribute"
MIG_ATTRIBUTE_POLICY = "volume_extension:volume_mig_status_attribute"
ENCRYPTION_METADATA_POLICY = "volume_extension:volume_encryption_metadata"
MULTIATTACH_POLICY = "volume:multiattach"

# Former defaults. The two create rules used an empty check_str, which
# oslo.policy treats as always-pass; the read rules used
# base.RULE_ADMIN_OR_OWNER. NOTE(review): with oslo.policy's usual deprecation
# handling the old check is OR-ed with the new default until
# [oslo_policy] enforce_new_defaults is enabled, so creation stays open to
# any caller that reaches the check -- verify the deployed setting.
deprecated_create_volume = base.CinderDeprecatedRule(
    name=CREATE_POLICY, check_str="")
deprecated_create_volume_from_image = base.CinderDeprecatedRule(
    name=CREATE_FROM_IMAGE_POLICY, check_str="")
deprecated_get_volume = base.CinderDeprecatedRule(
    name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_get_all_volumes = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_volume = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
Example #6
from cinder.policies import base


# Policy rule names for backup operations.
GET_ALL_POLICY = 'backup:get_all'
GET_POLICY = 'backup:get'
CREATE_POLICY = 'backup:create'
UPDATE_POLICY = 'backup:update'
DELETE_POLICY = 'backup:delete'
RESTORE_POLICY = 'backup:restore'
IMPORT_POLICY = 'backup:backup-import'
EXPORT_POLICY = 'backup:export-import'
BACKUP_ATTRIBUTES_POLICY = 'backup:backup_project_attribute'


# Former defaults. Only backup creation used an empty check_str (an
# oslo.policy check that always passes); the others used
# base.RULE_ADMIN_OR_OWNER. NOTE(review): assuming oslo.policy's usual
# deprecation handling, these old checks remain OR-ed into the effective
# rules until [oslo_policy] enforce_new_defaults is enabled.
deprecated_get_all_policy = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_get_policy = base.CinderDeprecatedRule(
    name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_create_policy = base.CinderDeprecatedRule(
    name=CREATE_POLICY, check_str="")
deprecated_update_policy = base.CinderDeprecatedRule(
    name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_delete_policy = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
Example #7
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for group snapshot operations.
CREATE_POLICY = 'group:create_group_snapshot'
DELETE_POLICY = 'group:delete_group_snapshot'
UPDATE_POLICY = 'group:update_group_snapshot'
GET_POLICY = 'group:get_group_snapshot'
GET_ALL_POLICY = 'group:get_all_group_snapshots'
GROUP_SNAPSHOT_ATTRIBUTES_POLICY = 'group:group_snapshot_project_attribute'

# Former defaults. Creation used an empty check_str (always passes in
# oslo.policy); the rest used base.RULE_ADMIN_OR_OWNER. oslo.policy ORs a
# deprecated check with the new default unless
# [oslo_policy] enforce_new_defaults is set.
deprecated_get_all_group_snapshots = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_create_group_snapshot = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str="",
)
deprecated_get_group_snapshot = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_delete_group_snapshot = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_update_group_snapshot = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

group_snapshots_policies = [
    policy.DocumentedRuleDefault(
        name=GET_ALL_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="List group snapshots.",
        operations=[{
Example #8
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for user messages.
DELETE_POLICY = 'message:delete'
GET_POLICY = 'message:get'
GET_ALL_POLICY = 'message:get_all'

# Former defaults (base.RULE_ADMIN_OR_OWNER). oslo.policy ORs a deprecated
# check with the new default unless [oslo_policy] enforce_new_defaults is
# set, so the narrower new default is not the whole effective rule until then.
deprecated_get_policy = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_get_all_policy = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_delete_policy = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

messages_policies = [
    policy.DocumentedRuleDefault(
        name=GET_ALL_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="List messages.",
        operations=[{
            'method': 'GET',
            'path': '/messages'
        }],
        deprecated_rule=deprecated_get_all_policy,
Example #9
# Policy rule names for volume actions. EXTEND_POLICY, EXTEND_ATTACHED_POLICY,
# REVERT_POLICY, RETYPE_POLICY and UPDATE_READONLY_POLICY, used further down,
# are defined earlier in the file, outside this excerpt.
UPLOAD_IMAGE_POLICY = "volume_extension:volume_actions:upload_image"
MIGRATE_POLICY = "volume_extension:volume_admin_actions:migrate_volume"
MIGRATE_COMPLETE_POLICY = (
    "volume_extension:volume_admin_actions:migrate_volume_completion"
)
DETACH_POLICY = "volume_extension:volume_actions:detach"
ATTACH_POLICY = "volume_extension:volume_actions:attach"
BEGIN_DETACHING_POLICY = "volume_extension:volume_actions:begin_detaching"
UNRESERVE_POLICY = "volume_extension:volume_actions:unreserve"
RESERVE_POLICY = "volume_extension:volume_actions:reserve"
ROLL_DETACHING_POLICY = "volume_extension:volume_actions:roll_detaching"
TERMINATE_POLICY = "volume_extension:volume_actions:terminate_connection"
INITIALIZE_POLICY = "volume_extension:volume_actions:initialize_connection"
REIMAGE_POLICY = "volume:reimage"
REIMAGE_RESERVED_POLICY = "volume:reimage_reserved"

# Former defaults, all base.RULE_ADMIN_OR_OWNER. NOTE(review): assuming
# oslo.policy's usual deprecation handling, each old check remains OR-ed into
# the effective rule until [oslo_policy] enforce_new_defaults is enabled.
deprecated_extend_policy = base.CinderDeprecatedRule(
    name=EXTEND_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_extend_attached_policy = base.CinderDeprecatedRule(
    name=EXTEND_ATTACHED_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_revert_policy = base.CinderDeprecatedRule(
    name=REVERT_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_retype_policy = base.CinderDeprecatedRule(
    name=RETYPE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_update_only_policy = base.CinderDeprecatedRule(
    name=UPDATE_READONLY_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_upload_image_policy = base.CinderDeprecatedRule(
    name=UPLOAD_IMAGE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_initialize_policy = base.CinderDeprecatedRule(
    name=INITIALIZE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_terminate_policy = base.CinderDeprecatedRule(
    name=TERMINATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_roll_detaching_policy = base.CinderDeprecatedRule(
Example #10
# Policy rule names for volume-type encryption. ENCRYPTION_POLICY,
# CREATE_ENCRYPTION_POLICY, MANAGE_POLICY, EXTRA_SPEC_POLICY and
# ENCRYPTION_BASE_POLICY_RULE are defined earlier in the file, outside this
# excerpt.
GET_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:get"
UPDATE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:update"
DELETE_ENCRYPTION_POLICY = "volume_extension:volume_type_encryption:delete"

# Deprecation message shared by the per-operation encryption rules.
GENERAL_ENCRYPTION_POLICY_REASON = (
    f"Reason: '{ENCRYPTION_POLICY}' was a convenience policy that allowed you "
    'to set all volume encryption type policies to the same value.  We are '
    'deprecating this rule to prepare for a future release in which the '
    'default values for policies that read, create/update, and delete '
    'encryption types will be different from each other.'
)

# TODO: remove in Yoga
deprecated_manage_policy = base.CinderDeprecatedRule(
    name=MANAGE_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(
        f'{MANAGE_POLICY} has been replaced by more granular '
        'policies that separately govern POST, PUT, and DELETE '
        'operations.'
    ),
)
deprecated_extra_spec_policy = base.CinderDeprecatedRule(
    name=EXTRA_SPEC_POLICY,
    check_str=base.RULE_ADMIN_API,
)
# NOTE(review): the deprecated check points at ENCRYPTION_BASE_POLICY_RULE
# rather than a fixed admin rule, so an operator override of the convenience
# policy presumably still decides who may create encryption types -- confirm
# the value of ENCRYPTION_BASE_POLICY_RULE before relying on the new default.
deprecated_encryption_create_policy = base.CinderDeprecatedRule(
    name=CREATE_ENCRYPTION_POLICY,
    # TODO: change to base.RULE_ADMIN_API in Yoga & remove dep_reason
    check_str=ENCRYPTION_BASE_POLICY_RULE,
    deprecated_reason=GENERAL_ENCRYPTION_POLICY_REASON,
)
deprecated_encryption_get_policy = base.CinderDeprecatedRule(
    name=GET_ENCRYPTION_POLICY,
    # TODO: change to base.RULE_ADMIN_API in Yoga & remove dep_reason
    check_str=ENCRYPTION_BASE_POLICY_RULE,
Example #11
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for volume-type access.
ADD_PROJECT_POLICY = "volume_extension:volume_type_access:addProjectAccess"
REMOVE_PROJECT_POLICY = (
    "volume_extension:volume_type_access:removeProjectAccess"
)
TYPE_ACCESS_POLICY = "volume_extension:volume_type_access"
TYPE_ACCESS_WHO_POLICY = "volume_extension:volume_type_access:get_all_for_type"

# Former default (base.RULE_ADMIN_OR_OWNER) of the type-access rule.
deprecated_volume_type_access = base.CinderDeprecatedRule(
    name=TYPE_ACCESS_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
# NOTE(review): check_str below is the bare policy name. oslo.policy spells a
# reference to another rule as 'rule:<name>', so confirm that this string
# evaluates the way the deprecation reason describes (falling back to
# TYPE_ACCESS_POLICY) instead of being parsed as a generic kind:match check.
deprecated_type_access_who_policy = base.CinderDeprecatedRule(
    name=TYPE_ACCESS_WHO_POLICY,
    # TODO: revise check_str and dep_reason in Yoga
    check_str=TYPE_ACCESS_POLICY,
    deprecated_reason=(
        f"Reason: '{TYPE_ACCESS_WHO_POLICY}' is a new policy that protects "
        f"an API call formerly governed by '{TYPE_ACCESS_POLICY}', but which "
        'has been separated for finer-grained policy control.'
    ),
)

volume_access_policies = [
    policy.DocumentedRuleDefault(
        name=TYPE_ACCESS_POLICY,
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        description=(
Example #12
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# MANAGE_POLICY is deprecated; GET_POLICY and UPDATE_POLICY replace it.
MANAGE_POLICY = 'volume_extension:quota_classes'
GET_POLICY = 'volume_extension:quota_classes:get'
UPDATE_POLICY = 'volume_extension:quota_classes:update'

# Deprecated umbrella rule, defaulting to base.RULE_ADMIN_API. An operator
# override of it should be repeated on the GET and PUT rules so the intended
# restriction survives once the umbrella rule is removed.
deprecated_manage_policy = base.CinderDeprecatedRule(
    name=MANAGE_POLICY,
    check_str=base.RULE_ADMIN_API,
    deprecated_reason=(
        f'{MANAGE_POLICY} has been replaced by more granular '
        'policies that separately govern GET and PUT '
        'operations.'
    ),
)

quota_class_policies = [
    policy.DocumentedRuleDefault(
        name=GET_POLICY,
        check_str=base.RULE_ADMIN_API,
        description="Show project quota class.",
        operations=[{
            'method': 'GET',
            'path': '/os-quota-class-sets/{project_id}'
        }],
        deprecated_rule=deprecated_manage_policy,
    ),
Example #13
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for snapshot admin/status actions.
RESET_STATUS_POLICY = 'volume_extension:snapshot_admin_actions:reset_status'
FORCE_DELETE_POLICY = 'volume_extension:snapshot_admin_actions:force_delete'
UPDATE_STATUS_POLICY = (
    'snapshot_extension:snapshot_actions:update_snapshot_status'
)

# Former default of the status-update rule: an empty check_str, which
# oslo.policy treats as always-pass. NOTE(review): assuming oslo.policy's
# usual deprecation handling, it is OR-ed with the current default until
# [oslo_policy] enforce_new_defaults is enabled, so this database-field
# update stays open to any caller that reaches the check.
deprecated_update_status = base.CinderDeprecatedRule(
    name=UPDATE_STATUS_POLICY,
    check_str="",
)

snapshot_actions_policies = [
    policy.DocumentedRuleDefault(
        name=RESET_STATUS_POLICY,
        check_str=base.RULE_ADMIN_API,
        description="Reset status of a snapshot.",
        operations=[{
            'method': 'POST',
            'path': '/snapshots/{snapshot_id}/action (os-reset_status)'
        }],
    ),
    policy.DocumentedRuleDefault(
        name=UPDATE_STATUS_POLICY,
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        description="Update database fields of snapshot.",
Example #14
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for volume attachments.
CREATE_POLICY = 'volume:attachment_create'
UPDATE_POLICY = 'volume:attachment_update'
DELETE_POLICY = 'volume:attachment_delete'
COMPLETE_POLICY = 'volume:attachment_complete'
MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'

# Former defaults. Attachment creation used an empty check_str (always passes
# in oslo.policy); the rest used base.RULE_ADMIN_OR_OWNER. oslo.policy ORs a
# deprecated check with the new default unless
# [oslo_policy] enforce_new_defaults is set.
deprecated_create_policy = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str="",
)
deprecated_update_policy = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_delete_policy = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_complete_policy = base.CinderDeprecatedRule(
    name=COMPLETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_multiattach_policy = base.CinderDeprecatedRule(
    name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

attachments_policies = [
    policy.DocumentedRuleDefault(
        name=CREATE_POLICY,
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        description="Create attachment.",
Example #15
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Template with one %s slot for building further snapshot rule names.
BASE_POLICY_NAME = 'volume:snapshots:%s'
# Policy rule names for snapshot operations.
GET_POLICY = 'volume:get_snapshot'
GET_ALL_POLICY = 'volume:get_all_snapshots'
CREATE_POLICY = 'volume:create_snapshot'
DELETE_POLICY = 'volume:delete_snapshot'
UPDATE_POLICY = 'volume:update_snapshot'
EXTEND_ATTRIBUTE = 'volume_extension:extended_snapshot_attributes'

# Former defaults, all base.RULE_ADMIN_OR_OWNER. oslo.policy ORs a deprecated
# check with the new default unless [oslo_policy] enforce_new_defaults is
# set, so the new default alone is not the effective rule until then.
deprecated_get_all_snapshots = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_extend_snapshot_attribute = base.CinderDeprecatedRule(
    name=EXTEND_ATTRIBUTE,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_create_snapshot = base.CinderDeprecatedRule(
    name=CREATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_get_snapshot = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_update_snapshot = base.CinderDeprecatedRule(
    name=UPDATE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)
deprecated_delete_snapshot = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

snapshots_policies = [
    policy.DocumentedRuleDefault(
        name=GET_ALL_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
Example #16
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Policy rule names for default volume types.
CREATE_UPDATE_POLICY = "volume_extension:default_set_or_update"
GET_POLICY = "volume_extension:default_get"
GET_ALL_POLICY = "volume_extension:default_get_all"
DELETE_POLICY = "volume_extension:default_unset"

# Former defaults: base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN for set/update, get
# and unset, base.SYSTEM_ADMIN for get-all. NOTE(review): assuming
# oslo.policy's usual deprecation handling, each old check remains OR-ed into
# the effective rule until [oslo_policy] enforce_new_defaults is enabled.
deprecated_create_update_policy = base.CinderDeprecatedRule(
    name=CREATE_UPDATE_POLICY,
    check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN,
)
deprecated_get_policy = base.CinderDeprecatedRule(
    name=GET_POLICY,
    check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN,
)
deprecated_get_all_policy = base.CinderDeprecatedRule(
    name=GET_ALL_POLICY,
    check_str=base.SYSTEM_ADMIN,
)
deprecated_delete_policy = base.CinderDeprecatedRule(
    name=DELETE_POLICY,
    check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN,
)

default_type_policies = [
    policy.DocumentedRuleDefault(
        name=CREATE_UPDATE_POLICY,
        check_str=base.RULE_ADMIN_API,
        description="Set or update default volume type.",
        operations=[{
            'method': 'PUT',
Example #17
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base

# Name of the rule guarding the used-limit attributes on GET /limits.
EXTEND_LIMIT_ATTRIBUTE_POLICY = "limits_extension:used_limits"

# Former default (base.RULE_ADMIN_OR_OWNER). oslo.policy ORs a deprecated
# check with the new default unless [oslo_policy] enforce_new_defaults is
# set, so the reader-scoped default below is not the whole rule until then.
deprecated_limits = base.CinderDeprecatedRule(
    name=EXTEND_LIMIT_ATTRIBUTE_POLICY,
    check_str=base.RULE_ADMIN_OR_OWNER,
)

# The single documented rule of this module, with its old default attached.
limits_policies = [
    policy.DocumentedRuleDefault(
        name=EXTEND_LIMIT_ATTRIBUTE_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,
        description="Show limits with used limit attributes.",
        operations=[{'method': 'GET', 'path': '/limits'}],
        deprecated_rule=deprecated_limits,
    ),
]

Example #18
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from cinder.policies import base


# Policy rule names for snapshot metadata.
GET_POLICY = 'volume:get_snapshot_metadata'
DELETE_POLICY = 'volume:delete_snapshot_metadata'
UPDATE_POLICY = 'volume:update_snapshot_metadata'

# Former defaults, all base.RULE_ADMIN_OR_OWNER. oslo.policy ORs a deprecated
# check with the new default unless [oslo_policy] enforce_new_defaults is
# set, so the new default alone is not the effective rule until then.
deprecated_get_snapshot_metadata = base.CinderDeprecatedRule(
    name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_snapshot_metadata = base.CinderDeprecatedRule(
    name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_delete_snapshot_metadata = base.CinderDeprecatedRule(
    name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)


snapshot_metadata_policies = [
    policy.DocumentedRuleDefault(
        name=GET_POLICY,
        check_str=base.SYSTEM_READER_OR_PROJECT_READER,