# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('get_auto_allocated_topology',
base.RULE_ADMIN_OR_OWNER,
description=("Access rule for getting a project's "
"auto-allocated topology")),
policy.RuleDefault('delete_auto_allocated_topology',
base.RULE_ADMIN_OR_OWNER,
description=("Access rule for deleting a project's "
"auto-allocated topology")),
]
def list_rules():
return rules
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-access'
POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
flavor_access_policies = [
policy.RuleDefault(name=POLICY_ROOT % 'add_tenant_access',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(name=POLICY_ROOT % 'remove_tenant_access',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
]
def list_rules():
return flavor_access_policies
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
POLICY_ROOT = 'os_compute_api:os-extended-server-attributes:%s'
extended_server_attributes_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return extended_server_attributes_policies
from oslo_versionedobjects import base as object_base
import pecan
import wsme
from cyborg.common import exception
_ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)
default_policies = [
# Legacy setting, don't remove. Likely to be overridden by operators who
# forget to update their policy.json configuration file.
# This gets rolled into the new "is_admin" rule below.
policy.RuleDefault('admin_api',
'role:admin or role:administrator',
description='Legacy rule for cloud admin access'),
# is_public_api is set in the environment from AuthTokenMiddleware
policy.RuleDefault('public_api',
'is_public_api:True',
description='Internal flag for public API routes'),
# The policy check "@" will always accept an access. The empty list
# (``[]``) or the empty string (``""``) is equivalent to the "@"
policy.RuleDefault('allow', '@', description='any access will be passed'),
# the policy check "!" will always reject an access.
policy.RuleDefault('deny', '!',
description='all access will be forbidden'),
policy.RuleDefault('is_admin',
'rule:admin_api',
description='Full read/write API access'),
policy.RuleDefault('admin_or_owner',
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'external',
'field:networks:router:external=True',
description='Rule of external network'),
policy.RuleDefault(
'create_network',
base.RULE_ANY,
description='Access rule for creating network'),
policy.RuleDefault(
'create_network:shared',
base.RULE_ADMIN_ONLY,
description='Access rule for creating shared network'),
policy.RuleDefault(
'create_network:router:external',
base.RULE_ADMIN_ONLY,
description='Access rule for creating external network'),
policy.RuleDefault(
def test_str(self):
opt = policy.RuleDefault(name='foo', check_str='rule:foo')
self.assertEqual('"foo": "rule:foo"', str(opt))
def test_not_equal_name(self):
opt1 = policy.RuleDefault(name='foo', check_str='rule:foo',
description='foo')
opt2 = policy.RuleDefault(name='bar', check_str='rule:foo',
description='bar')
self.assertNotEqual(opt1, opt2)
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="find_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find records.',
operations=[{
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'GET'
}, {
'path': '/v2/reverse/floatingips',
'method': 'GET'
}]),
policy.RuleDefault(name="count_records",
check_str=base.RULE_ADMIN_OR_OWNER)
]
def list_rules():
return rules
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
COMPUTE_API = 'os_compute_api'
NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network'
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api'
RULE_ANY = '@'
rules = [
policy.RuleDefault('context_is_admin', 'role:admin'),
policy.RuleDefault('admin_or_owner',
'is_admin:True or project_id:%(project_id)s'),
policy.RuleDefault('admin_api', 'is_admin:True'),
policy.RuleDefault(NETWORK_ATTACH_EXTERNAL, 'is_admin:True'),
]
def create_rule_default(name, check_str, description, operations):
# TODO(sneti): use DocumentedRuleDefault instead of RuleDefault
# when oslo.policy library with DocumentedRuleDefault change is released.
# formatted_description hack can be removed then.
ops = ""
for operation in operations:
ops += ('%(method)s %(path)s\n' % {
'method': operation['method'],
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
UNPROTECTED = ''
rules = [
policy.RuleDefault(name="context_is_admin", check_str="role:admin"),
policy.RuleDefault(name="segregation", check_str=RULE_CONTEXT_IS_ADMIN),
policy.RuleDefault(name="admin_or_owner", check_str=RULE_ADMIN_OR_OWNER),
policy.RuleDefault(name="default", check_str=RULE_ADMIN_OR_OWNER),
policy.DocumentedRuleDefault(name="telemetry:get_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Get an alarm.',
operations=[{
'path': '/v2/alarms/{alarm_id}',
'method': 'GET'
}]),
policy.DocumentedRuleDefault(
name="telemetry:get_alarms",
check_str=RULE_ADMIN_OR_OWNER,
description='Get all alarms, based on the query provided.',
operations=[{
from oslo_config import cfg
from oslo_log import log
from oslo_policy import policy
from ironic.common import exception
_ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)
default_policies = [
# Legacy setting, don't remove. Likely to be overridden by operators who
# forget to update their policy.json configuration file.
# This gets rolled into the new "is_admin" rule below.
policy.RuleDefault('admin_api',
'role:admin or role:administrator',
description='Legacy rule for cloud admin access'),
# is_public_api is set in the environment from AuthTokenMiddleware
policy.RuleDefault('public_api',
'is_public_api:True',
description='Internal flag for public API routes'),
# Generic default to hide passwords in node driver_info
# NOTE(deva): the 'show_password' policy setting hides secrets in
# driver_info. However, the name exists for legacy
# purposes and can not be changed. Changing it will cause
# upgrade problems for any operators who have customized
# the value of this field
policy.RuleDefault('show_password',
'!',
description='Show or mask secrets within node driver information in API responses'), # noqa
# Generic default to hide instance secrets
from oslo_utils import excutils
from oslo_utils import importutils
import six
from tacker._i18n import _
from tacker.api.v1 import attributes
from tacker.common import exceptions
LOG = logging.getLogger(__name__)
_ENFORCER = None
ADMIN_CTX_POLICY = 'context_is_admin'
_BASE_RULES = [
policy.RuleDefault(ADMIN_CTX_POLICY,
'role:admin',
description='Rule for cloud admin access'),
# policy.RuleDefault(
# _ADVSVC_CTX_POLICY,
# 'role:advsvc',
# description='Rule for advanced service role access'),
]
def reset():
global _ENFORCER
if _ENFORCER:
_ENFORCER.clear()
_ENFORCER = None
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_floatingip_pool',
'rule:regular_user',
description='Access rule for getting floating IP pools'),
]
def list_rules():
return rules
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [policy.RuleDefault('version:get', '@')]
def list_rules():
return rules
def test_authorize_opt_registered(self):
self.enforcer.register_default(policy.RuleDefault(name='test',
check_str='role:test'))
self.assertTrue(self.enforcer.authorize('test', {},
{'roles': ['test']}))
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
# crazy hard to manually maintain such a list.
# NOTE(gmann): Keystone already support implied roles means assignment
# of one role implies the assignment of another. New defaults roles
# `reader`, `member` also has been added in bootstrap. If the bootstrap
# process is re-run, and a `reader`, `member`, or `admin` role already
# exists, a role implication chain will be created: `admin` implies
# `member` implies `reader`.
# For example: If we give access to 'reader' it means the 'admin' and
# 'member' also get access.
rules = [
policy.RuleDefault(
"context_is_admin",
"role:admin",
"Decides what is required for the 'is_admin:True' check to succeed."),
policy.RuleDefault(
"admin_or_owner",
"is_admin:True or project_id:%(project_id)s",
"Default rule for most non-Admin APIs.",
deprecated_for_removal=True,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
"admin_api",
"is_admin:True",
"Default rule for most Admin APIs.",
deprecated_for_removal=True,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
def test_rule_is_parsed(self):
opt = policy.RuleDefault(name='foo', check_str='rule:foo')
self.assertIsInstance(opt.check, _checks.BaseCheck)
self.assertEqual('rule:foo', str(opt.check))
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('create_metering_label',
'rule:admin_only',
description='Access rule for creating metering label'),
policy.RuleDefault('get_metering_label',
'rule:admin_only',
description='Access rule for getting metering label'),
policy.RuleDefault('delete_metering_label',
'rule:admin_only',
description='Access rule for deleting metering label'),
policy.RuleDefault('create_metering_label_rule',
'rule:admin_only',
description=('Access rule for creating '
'metering label rule')),
policy.RuleDefault('get_metering_label_rule',
'rule:admin_only',
description=('Access rule for getting '
'metering label rule')),
def test_equality_less_obvious(self):
opt1 = policy.RuleDefault(name='foo', check_str='',
description='foo')
opt2 = policy.RuleDefault(name='foo', check_str='@',
description='bar')
self.assertEqual(opt1, opt2)
deprecated_find_pool = policy.DeprecatedRule(name="find_pools",
check_str=base.RULE_ADMIN)
deprecated_get_pool = policy.DeprecatedRule(name="get_pool",
check_str=base.RULE_ADMIN)
deprecated_update_pool = policy.DeprecatedRule(name="update_pool",
check_str=base.RULE_ADMIN)
deprecated_delete_pool = policy.DeprecatedRule(name="delete_pool",
check_str=base.RULE_ADMIN)
deprecated_zone_created_forced_pool = policy.DeprecatedRule(
name="zone_create_forced_pool", check_str=base.RULE_ADMIN)
rules = [
policy.RuleDefault(name="create_pool",
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create pool.',
deprecated_rule=deprecated_create_pool,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
name="find_pools",
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='Find pool.',
operations=[{
'path': '/v2/pools',
'method': 'GET'
}],
deprecated_rule=deprecated_find_pools,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
import fixtures
import mock
from oslo_config import cfg
from six import moves
import stevedore
import testtools
from oslo_policy import generator
from oslo_policy import policy
from oslo_policy.tests import base
OPTS = {
'base_rules': [
policy.RuleDefault('admin',
'is_admin:True',
description='Basic admin check'),
policy.DocumentedRuleDefault(
'owner', ('project_id:%'
'(project_id)s'), 'This is a long '
'description to check '
'that line wrapping '
'functions properly', [{
'path': '/foo/',
'method': 'GET'
}, {
'path': '/test/',
'method': 'POST'
}])
],
'custom_field':
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
flavor_manage_policies = [
policy.RuleDefault(name=BASE_POLICY_NAME, check_str=base.RULE_ADMIN_API),
]
def list_rules():
return flavor_manage_policies
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('secret_acls:put_patch',
'rule:secret_project_admin or '
'rule:secret_project_creator'),
policy.RuleDefault('secret_acls:delete',
'rule:secret_project_admin or '
'rule:secret_project_creator'),
policy.RuleDefault('secret_acls:get',
'rule:all_but_audit and '
'rule:secret_project_match'),
policy.RuleDefault('container_acls:put_patch',
'rule:container_project_admin or '
'rule:container_project_creator'),
policy.RuleDefault('container_acls:delete',
'rule:container_project_admin or '
'rule:container_project_creator'),
policy.RuleDefault('container_acls:get',
'rule:all_but_audit and rule:container_project_match'),
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-cells'
POLICY_ROOT = 'os_compute_api:os-cells:%s'
cells_policies = [
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(POLICY_ROOT % 'update', base.RULE_ADMIN_API,
'Update an existing cell',
[{
'method': 'PUT',
'path': '/os-cells/{cell_id}'
}]),
base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_API,
'Create a new cell', [{
'method': 'POST',
'path': '/os-cells'
}]),
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
'List and get detailed info of a given cell or all cells',
[{
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
oslo_policy.RuleDefault("true", '@'),
oslo_policy.RuleDefault("example:allowed", '@'),
oslo_policy.RuleDefault("example:denied", "!"),
oslo_policy.RuleDefault("old_action_not_default", "@"),
oslo_policy.RuleDefault("new_action", "@"),
oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
oslo_policy.RuleDefault("example:get_http",
"http://www.example.com"),
oslo_policy.RuleDefault(
"example:my_file", "role:compute_admin or "
"project_id:%(project_id)s"),
oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
oslo_policy.RuleDefault("example:lowercase_admin",
"role:admin or role:sysadmin"),
oslo_policy.RuleDefault("example:uppercase_admin",
"role:ADMIN or role:sysadmin"),
]
policy.reset()
policy.init()
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rule = oslo_policy.RuleDefault('has_foo_role', "role:foo")
enforcer = policy.get_enforcer()
enforcer.register_default(rule)
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
ROLE_ADMIN = 'role:admin'
UNPROTECTED = ''
rules = [
policy.RuleDefault(name='context_is_admin', check_str='role:admin'),
policy.RuleDefault(name='admin_or_owner',
check_str='is_admin:True or project_id:%(project_id)s'),
policy.RuleDefault(name='default', check_str=UNPROTECTED)
]
def list_rules():
return rules
DEPRECATED_REASON = (
"The security group API now supports system scope and default roles.")
SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'
RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'
rules = [
policy.RuleDefault(
name='admin_or_sg_owner',
check_str=base.policy_or('rule:context_is_admin',
'tenant_id:%(security_group:tenant_id)s'),
description='Rule for admin or security group owner access'),
policy.RuleDefault(name='admin_owner_or_sg_owner',
check_str=base.policy_or('rule:owner',
RULE_ADMIN_OR_SG_OWNER),
description=('Rule for resource owner, '
'admin or security group owner access')),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.DocumentedRuleDefault(
name='create_security_group',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Create a security group',
operations=[
from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATED_REASON = (
"The subnet pool API now supports system scope and default roles.")
COLLECTION_PATH = '/subnetpools'
RESOURCE_PATH = '/subnetpools/{id}'
ONBOARD_PATH = '/subnetpools/{id}/onboard_network_subnets'
ADD_PREFIXES_PATH = '/subnetpools/{id}/add_prefixes'
REMOVE_PREFIXES_PATH = '/subnetpools/{id}/remove_prefixes'
rules = [
policy.RuleDefault(name='shared_subnetpools',
check_str='field:subnetpools:shared=True',
description='Definition of a shared subnetpool'),
policy.DocumentedRuleDefault(
name='create_subnetpool',
check_str=base.PROJECT_MEMBER,
scope_types=['project'],
description='Create a subnetpool',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='create_subnetpool',
check_str=base.RULE_ANY,
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('admin', 'role:admin'),
policy.RuleDefault('observer', 'role:observer'),
policy.RuleDefault('creator', 'role:creator'),
policy.RuleDefault('audit', 'role:audit'),
policy.RuleDefault('service_admin', 'role:key-manager:service-admin'),
policy.RuleDefault('admin_or_creator', 'rule:admin or rule:creator'),
policy.RuleDefault('all_but_audit',
'rule:admin or rule:observer or rule:creator'),
policy.RuleDefault(
'all_users', 'rule:admin or rule:observer or rule:creator or '
'rule:audit or rule:service_admin'),
policy.RuleDefault('secret_project_match',
'project:%(target.secret.project_id)s'),
policy.RuleDefault('secret_acl_read', "'read':%(target.secret.read)s"),
policy.RuleDefault('secret_private_read',
"'False':%(target.secret.read_project_access)s"),
