'Specify ``segments`` attribute when creating a network', ACTION_POST), policy.DocumentedRuleDefault( 'create_network:provider:network_type', base.RULE_ADMIN_ONLY, 'Specify ``provider:network_type`` when creating a network', ACTION_POST), policy.DocumentedRuleDefault( 'create_network:provider:physical_network', base.RULE_ADMIN_ONLY, 'Specify ``provider:physical_network`` when creating a network', ACTION_POST), policy.DocumentedRuleDefault( 'create_network:provider:segmentation_id', base.RULE_ADMIN_ONLY, 'Specify ``provider:segmentation_id`` when creating a network', ACTION_POST), policy.DocumentedRuleDefault( 'get_network', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared', 'rule:external', base.RULE_ADVSVC), 'Get a network', ACTION_GET), policy.DocumentedRuleDefault( 'get_network:router:external', base.RULE_ANY, 'Get ``router:external`` attribute of a network', ACTION_GET), policy.DocumentedRuleDefault('get_network:segments', base.RULE_ADMIN_ONLY, 'Get ``segments`` attribute of a network', ACTION_GET), policy.DocumentedRuleDefault( 'get_network:provider:network_type', base.RULE_ADMIN_ONLY, 'Get ``provider:network_type`` attribute of a network', ACTION_GET), policy.DocumentedRuleDefault( 'get_network:provider:physical_network', base.RULE_ADMIN_ONLY, 'Get ``provider:physical_network`` attribute of a network', ACTION_GET), policy.DocumentedRuleDefault(
from oslo_log import versionutils from oslo_policy import policy from neutron.conf.policies import base DEPRECATED_REASON = """ The RBAC API now supports system scope and default roles. """ COLLECTION_PATH = '/rbac-policies' RESOURCE_PATH = '/rbac-policies/{id}' rules = [ policy.RuleDefault(name='restrict_wildcard', check_str=base.policy_or( '(not field:rbac_policy:target_tenant=*)', base.RULE_ADMIN_ONLY), description='Definition of a wildcard target_tenant'), policy.DocumentedRuleDefault( name='create_rbac_policy', check_str=base.PROJECT_MEMBER, scope_types=['system', 'project'], description='Create an RBAC policy', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='create_rbac_policy',
'method': 'GET', 'path': COLLECTION_PATH }, { 'method': 'GET', 'path': RESOURCE_PATH }, ] rules = [ policy.RuleDefault( name='network_device', check_str='field:port:device_owner=~^network:', description='Definition of port with network device_owner'), policy.RuleDefault(name='admin_or_data_plane_int', check_str=base.policy_or('rule:context_is_admin', 'role:data_plane_integrator'), description='Rule for data plane integration'), policy.DocumentedRuleDefault( name='create_port', check_str=base.PROJECT_MEMBER, scope_types=['system', 'project'], description='Create a port', operations=ACTION_POST, deprecated_rule=policy.DeprecatedRule(name='create_port', check_str=base.RULE_ANY), deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY), policy.DocumentedRuleDefault( name='create_port:device_owner', check_str=base.policy_or('not rule:network_device', base.SYSTEM_ADMIN, base.PROJECT_ADMIN, base.RULE_ADVSVC,
description=( 'Specify ``is_default`` attribute when creating a subnetpool'), operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='create_subnetpool:is_default', check_str=base.RULE_ADMIN_ONLY, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_subnetpool', check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER, 'rule:shared_subnetpools'), scope_types=['system', 'project'], description='Get a subnetpool', operations=[ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='get_subnetpool', check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
AG_RESOURCE_PATH = '/address-groups/{id}' DEPRECATION_REASON = ( "The Address scope API now supports system scope and default roles.") rules = [ policy.RuleDefault( 'shared_address_groups', 'field:address_groups:shared=True', 'Definition of a shared address group' ), policy.DocumentedRuleDefault( name='get_address_group', check_str=base.policy_or( base.SYSTEM_OR_PROJECT_READER, 'rule:shared_address_groups'), description='Get an address group', operations=[ { 'method': 'GET', 'path': AG_COLLECTION_PATH, }, { 'method': 'GET', 'path': AG_RESOURCE_PATH, }, ], scope_types=['system', 'project'], deprecated_rule=policy.DeprecatedRule( name='get_address_group',
description='Create a shared address scope', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], scope_types=['project'], deprecated_rule=policy.DeprecatedRule( name='create_address_scope:shared', check_str=base.RULE_ADMIN_ONLY, deprecated_reason=DEPRECATION_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_address_scope', check_str=base.policy_or(base.PROJECT_READER, 'rule:shared_address_scopes'), description='Get an address scope', operations=[ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ], scope_types=['project'], deprecated_rule=policy.DeprecatedRule( name='get_address_scope', check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='create_network:provider:segmentation_id', check_str=base.SYSTEM_ADMIN, scope_types=['system'], description=( 'Specify ``provider:segmentation_id`` when creating a network'), operations=ACTION_POST, deprecated_rule=policy.DeprecatedRule( name='create_network:provider:segmentation_id', check_str=base.RULE_ADMIN_ONLY, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_network', check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER, 'rule:shared', 'rule:external', base.RULE_ADVSVC), scope_types=['system', 'project'], description='Get a network', operations=ACTION_GET, deprecated_rule=policy.DeprecatedRule( name='get_network', check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared', 'rule:external', base.RULE_ADVSVC), deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_network:router:external', check_str=base.SYSTEM_OR_PROJECT_READER, scope_types=['system', 'project'], description='Get ``router:external`` attribute of a network', operations=ACTION_GET,
DEPRECATED_REASON = ( "The security group API now supports system scope and default roles.") SG_COLLECTION_PATH = '/security-groups' SG_RESOURCE_PATH = '/security-groups/{id}' RULE_COLLECTION_PATH = '/security-group-rules' RULE_RESOURCE_PATH = '/security-group-rules/{id}' RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner' RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner' rules = [ policy.RuleDefault( name='admin_or_sg_owner', check_str=base.policy_or('rule:context_is_admin', 'tenant_id:%(security_group:tenant_id)s'), description='Rule for admin or security group owner access'), policy.RuleDefault(name='admin_owner_or_sg_owner', check_str=base.policy_or('rule:owner', RULE_ADMIN_OR_SG_OWNER), description=('Rule for resource owner, ' 'admin or security group owner access')), # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group? policy.DocumentedRuleDefault( name='create_security_group', check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, scope_types=['system', 'project'], description='Create a security group', operations=[ {
from neutron.conf.policies import base rules = [ policy.RuleDefault('create_subnet', base.RULE_ADMIN_OR_NET_OWNER, description='Access rule for creating subnet'), policy.RuleDefault('create_subnet:segment_id', base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'subnet with segment_id')), policy.RuleDefault('create_subnet:service_types', base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'subnet with service_type')), policy.RuleDefault('get_subnet', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'), description='Access rule for getting subnet'), policy.RuleDefault('get_subnet:segment_id', base.RULE_ADMIN_ONLY, description=('Access rule for getting ' 'segment_id of subnet')), policy.RuleDefault('update_subnet', base.RULE_ADMIN_OR_NET_OWNER, description='Access rule for updating subnet'), policy.RuleDefault('update_subnet:segment_id', base.RULE_ADMIN_ONLY, description=('Access rule for updating segment_id ' 'attribute of subnet')), policy.RuleDefault('update_subnet:service_types', base.RULE_ADMIN_ONLY, description=('Access rule for updating '
from neutron.conf.policies import base DEPRECATED_REASON = """ The RBAC API now supports system scope and default roles. """ COLLECTION_PATH = '/rbac-policies' RESOURCE_PATH = '/rbac-policies/{id}' rules = [ policy.RuleDefault( name='restrict_wildcard', check_str=base.policy_or( '(not field:rbac_policy:target_tenant=*)', base.RULE_ADMIN_ONLY), description='Definition of a wildcard target_tenant'), policy.DocumentedRuleDefault( name='create_rbac_policy', check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, scope_types=['system', 'project'], description='Create an RBAC policy', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule(
from oslo_policy import policy from neutron.conf.policies import base DEPRECATED_REASON = """ The router conntrack API now supports system scope and default roles. """ COLLECTION_PATH = '/routers/{router_id}/conntrack_helpers' RESOURCE_PATH = ('/routers/{router_id}' '/conntrack_helpers/{conntrack_helper_id}') rules = [ policy.DocumentedRuleDefault( name='create_router_conntrack_helper', check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_PARENT_OWNER), scope_types=['project'], description='Create a router conntrack helper', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='create_router_conntrack_helper', check_str=base.RULE_ADMIN_OR_PARENT_OWNER, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_router_conntrack_helper',
DEPRECATED_REASON = """ The RBAC API now supports system scope and default roles. """ COLLECTION_PATH = '/rbac-policies' RESOURCE_PATH = '/rbac-policies/{id}' rules = [ # TODO(ralonsoh): remove 'target_tenant=*' reference. policy.RuleDefault( name='restrict_wildcard', check_str=base.policy_or( '(not field:rbac_policy:target_tenant=* and ' 'not field:rbac_policy:target_project=*)', base.RULE_ADMIN_ONLY), description='Definition of a wildcard target_project'), policy.DocumentedRuleDefault( name='create_rbac_policy', check_str=base.PROJECT_MEMBER, scope_types=['project'], description='Create an RBAC policy', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule(
}, ] rules = [ policy.DocumentedRuleDefault('create_subnet', base.RULE_ADMIN_OR_NET_OWNER, 'Create a subnet', ACTION_POST), policy.DocumentedRuleDefault( 'create_subnet:segment_id', base.RULE_ADMIN_ONLY, 'Specify ``segment_id`` attribute when creating a subnet', ACTION_POST), policy.DocumentedRuleDefault( 'create_subnet:service_types', base.RULE_ADMIN_ONLY, 'Specify ``service_types`` attribute when creating a subnet', ACTION_POST), policy.DocumentedRuleDefault( 'get_subnet', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared'), 'Get a subnet', ACTION_GET), policy.DocumentedRuleDefault('get_subnet:segment_id', base.RULE_ADMIN_ONLY, 'Get ``segment_id`` attribute of a subnet', ACTION_GET), policy.DocumentedRuleDefault('update_subnet', base.RULE_ADMIN_OR_NET_OWNER, 'Update a subnet', ACTION_PUT), policy.DocumentedRuleDefault( 'update_subnet:segment_id', base.RULE_ADMIN_ONLY, 'Update ``segment_id`` attribute of a subnet', ACTION_PUT), policy.DocumentedRuleDefault( 'update_subnet:service_types', base.RULE_ADMIN_ONLY, 'Update ``service_types`` attribute of a subnet', ACTION_PUT), policy.DocumentedRuleDefault( 'delete_subnet', base.RULE_ADMIN_OR_NET_OWNER,
] ), policy.DocumentedRuleDefault( 'create_address_scope:shared', base.RULE_ADMIN_ONLY, 'Create a shared address scope', [ { 'method': 'POST', 'path': COLLECTION_PATH, }, ] ), policy.DocumentedRuleDefault( 'get_address_scope', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'), 'Get an address scope', [ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ] ), policy.DocumentedRuleDefault( 'update_address_scope', base.RULE_ADMIN_OR_OWNER,
] ACTION_GET = [ { 'method': 'GET', 'path': COLLECTION_PATH }, { 'method': 'GET', 'path': RESOURCE_PATH }, ] rules = [ policy.DocumentedRuleDefault( name='create_subnet', check_str=base.policy_or(base.PROJECT_MEMBER, base.RULE_NET_OWNER), scope_types=['project'], description='Create a subnet', operations=ACTION_POST, deprecated_rule=policy.DeprecatedRule( name='create_subnet', check_str=base.RULE_ADMIN_OR_NET_OWNER, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='create_subnet:segment_id', check_str=base.PROJECT_ADMIN, scope_types=['project'], description=( 'Specify ``segment_id`` attribute when creating a subnet'), operations=ACTION_POST,
] ), policy.DocumentedRuleDefault( 'create_subnetpool:is_default', base.RULE_ADMIN_ONLY, 'Specify ``is_default`` attribute when creating a subnetpool', [ { 'method': 'POST', 'path': COLLECTION_PATH, }, ] ), policy.DocumentedRuleDefault( 'get_subnetpool', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_subnetpools'), 'Get a subnetpool', [ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ] ), policy.DocumentedRuleDefault( 'update_subnetpool', base.RULE_ADMIN_OR_OWNER,
from neutron.conf.policies import base DEPRECATED_REASON = """ The floating IP port forwarding API now supports system scope and default roles. """ COLLECTION_PATH = '/floatingips/{floatingip_id}/port_forwardings' RESOURCE_PATH = ('/floatingips/{floatingip_id}' '/port_forwardings/{port_forwarding_id}') rules = [ policy.DocumentedRuleDefault( name='create_floatingip_port_forwarding', check_str=base.policy_or(base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, base.RULE_PARENT_OWNER), scope_types=['system', 'project'], description='Create a floating IP port forwarding', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='create_floatingip_port_forwarding', check_str=base.RULE_ADMIN_OR_PARENT_OWNER, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY)), policy.DocumentedRuleDefault( name='get_floatingip_port_forwarding',
{'method': 'DELETE', 'path': RESOURCE_PATH}, ] ACTION_GET = [ {'method': 'GET', 'path': COLLECTION_PATH}, {'method': 'GET', 'path': RESOURCE_PATH}, ] rules = [ policy.RuleDefault( 'network_device', 'field:port:device_owner=~^network:', 'Definition of port with network device_owner'), policy.RuleDefault( 'admin_or_data_plane_int', base.policy_or('rule:context_is_admin', 'role:data_plane_integrator'), 'Rule for data plane integration'), policy.DocumentedRuleDefault( 'create_port', base.RULE_ANY, 'Create a port', ACTION_POST ), policy.DocumentedRuleDefault( 'create_port:device_owner', base.policy_or('not rule:network_device', base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER), 'Specify ``device_owner`` attribute when creting a port', ACTION_POST
{ 'method': 'GET', 'path': COLLECTION_PATH }, { 'method': 'GET', 'path': RESOURCE_PATH }, ] rules = [ policy.RuleDefault('network_device', 'field:port:device_owner=~^network:', 'Definition of port with network device_owner'), policy.RuleDefault( 'admin_or_data_plane_int', base.policy_or('rule:context_is_admin', 'role:data_plane_integrator'), 'Rule for data plane integration'), policy.DocumentedRuleDefault('create_port', base.RULE_ANY, 'Create a port', ACTION_POST), policy.DocumentedRuleDefault( 'create_port:device_owner', base.policy_or('not rule:network_device', base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER), 'Specify ``device_owner`` attribute when creting a port', ACTION_POST), policy.DocumentedRuleDefault( 'create_port:mac_address', base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER), 'Specify ``mac_address`` attribute when creating a port', ACTION_POST), policy.DocumentedRuleDefault( 'create_port:fixed_ips', base.policy_or(base.RULE_ADVSVC, base.RULE_ADMIN_OR_NET_OWNER),
{ 'method': 'POST', 'path': COLLECTION_PATH, }, ]), policy.DocumentedRuleDefault('create_address_scope:shared', base.RULE_ADMIN_ONLY, 'Create a shared address scope', [ { 'method': 'POST', 'path': COLLECTION_PATH, }, ]), policy.DocumentedRuleDefault( 'get_address_scope', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'), 'Get an address scope', [ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ]), policy.DocumentedRuleDefault('update_address_scope', base.RULE_ADMIN_OR_OWNER, 'Update an address scope', [ { 'method': 'PUT',
# under the License. from oslo_policy import policy from neutron.conf.policies import base AG_COLLECTION_PATH = '/address-groups' AG_RESOURCE_PATH = '/address-groups/{id}' rules = [ policy.RuleDefault('shared_address_groups', 'field:address_groups:shared=True', 'Definition of a shared address group'), policy.DocumentedRuleDefault(name='get_address_group', check_str=base.policy_or( base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_groups'), description='Get an address group', operations=[ { 'method': 'GET', 'path': AG_COLLECTION_PATH, }, { 'method': 'GET', 'path': AG_RESOURCE_PATH, }, ]), ]
# # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from neutron.conf.policies import base rules = [ policy.RuleDefault( 'restrict_wildcard', base.policy_or('(not field:rbac_policy:target_tenant=*)', base.RULE_ADMIN_ONLY), description='Rule of restrict wildcard'), policy.RuleDefault( 'create_rbac_policy', base.RULE_ANY, description='Access rule for creating RBAC policy'), policy.RuleDefault( 'create_rbac_policy:target_tenant', 'rule:restrict_wildcard', description=('Access rule for creating RBAC ' 'policy with a specific target tenant')), policy.RuleDefault( 'update_rbac_policy', base.RULE_ADMIN_OR_OWNER, description='Access rule for updating RBAC policy'),
{ 'method': 'POST', 'path': COLLECTION_PATH, }, ]), policy.DocumentedRuleDefault( 'create_subnetpool:is_default', base.RULE_ADMIN_ONLY, 'Specify ``is_default`` attribute when creating a subnetpool', [ { 'method': 'POST', 'path': COLLECTION_PATH, }, ]), policy.DocumentedRuleDefault( 'get_subnetpool', base.policy_or(base.RULE_ADMIN_OR_OWNER, 'rule:shared_subnetpools'), 'Get a subnetpool', [ { 'method': 'GET', 'path': COLLECTION_PATH, }, { 'method': 'GET', 'path': RESOURCE_PATH, }, ]), policy.DocumentedRuleDefault('update_subnetpool', base.RULE_ADMIN_OR_OWNER, 'Update a subnetpool', [ { 'method': 'PUT', 'path': RESOURCE_PATH,
from neutron.conf.policies import base SG_COLLECTION_PATH = '/security-groups' SG_RESOURCE_PATH = '/security-groups/{id}' RULE_COLLECTION_PATH = '/security-group-rules' RULE_RESOURCE_PATH = '/security-group-rules/{id}' RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner' RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner' rules = [ policy.RuleDefault( 'admin_or_sg_owner', base.policy_or('rule:context_is_admin', 'tenant_id:%(security_group:tenant_id)s'), description='Rule for admin or security group owner access'), policy.RuleDefault( 'admin_owner_or_sg_owner', base.policy_or('rule:owner', RULE_ADMIN_OR_SG_OWNER), description=('Rule for resource owner, ' 'admin or security group owner access')), # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group? policy.DocumentedRuleDefault( 'create_security_group', base.RULE_ADMIN_OR_OWNER, 'Create a security group', [ {