Exemple #1
0
#  Licensed under the Apache License, Version 2.0 (the "License"); you may
#  not use this file except in compliance with the License. You may obtain
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy

from neutron.conf.policies import base

rules = [
    policy.RuleDefault('get_auto_allocated_topology',
                       base.RULE_ADMIN_OR_OWNER,
                       description=("Access rule for getting a project's "
                                    "auto-allocated topology")),
    policy.RuleDefault('delete_auto_allocated_topology',
                       base.RULE_ADMIN_OR_OWNER,
                       description=("Access rule for deleting a project's "
                                    "auto-allocated topology")),
]


def list_rules():
    return rules
Exemple #2
0
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from nova.policies import base

BASE_POLICY_NAME = 'os_compute_api:os-flavor-access'
POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'

flavor_access_policies = [
    policy.RuleDefault(name=POLICY_ROOT % 'add_tenant_access',
                       check_str=base.RULE_ADMIN_API),
    policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
                       check_str=base.RULE_ANY),
    policy.RuleDefault(name=POLICY_ROOT % 'remove_tenant_access',
                       check_str=base.RULE_ADMIN_API),
    policy.RuleDefault(name=BASE_POLICY_NAME,
                       check_str=base.RULE_ADMIN_OR_OWNER),
]


def list_rules():
    return flavor_access_policies
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from nova.policies import base


BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
POLICY_ROOT = 'os_compute_api:os-extended-server-attributes:%s'


extended_server_attributes_policies = [
    policy.RuleDefault(
        name=BASE_POLICY_NAME,
        check_str=base.RULE_ADMIN_API),
    policy.RuleDefault(
        name=POLICY_ROOT % 'discoverable',
        check_str=base.RULE_ANY),
]


def list_rules():
    return extended_server_attributes_policies
Exemple #4
0
from oslo_versionedobjects import base as object_base
import pecan
import wsme

from cyborg.common import exception

_ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)

default_policies = [
    # Legacy setting, don't remove. Likely to be overridden by operators who
    # forget to update their policy.json configuration file.
    # This gets rolled into the new "is_admin" rule below.
    policy.RuleDefault('admin_api',
                       'role:admin or role:administrator',
                       description='Legacy rule for cloud admin access'),
    # is_public_api is set in the environment from AuthTokenMiddleware
    policy.RuleDefault('public_api',
                       'is_public_api:True',
                       description='Internal flag for public API routes'),
    # The policy check "@" will always accept an access. The empty list
    # (``[]``) or the empty string (``""``) is equivalent to the "@"
    policy.RuleDefault('allow', '@', description='any access will be passed'),
    # the policy check "!" will always reject an access.
    policy.RuleDefault('deny', '!',
                       description='all access will be forbidden'),
    policy.RuleDefault('is_admin',
                       'rule:admin_api',
                       description='Full read/write API access'),
    policy.RuleDefault('admin_or_owner',
Exemple #5
0
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy

from neutron.conf.policies import base


rules = [
    policy.RuleDefault(
        'external',
        'field:networks:router:external=True',
        description='Rule of external network'),

    policy.RuleDefault(
        'create_network',
        base.RULE_ANY,
        description='Access rule for creating network'),
    policy.RuleDefault(
        'create_network:shared',
        base.RULE_ADMIN_ONLY,
        description='Access rule for creating shared network'),
    policy.RuleDefault(
        'create_network:router:external',
        base.RULE_ADMIN_ONLY,
        description='Access rule for creating external network'),
    policy.RuleDefault(
Exemple #6
0
 def test_str(self):
     opt = policy.RuleDefault(name='foo', check_str='rule:foo')
     self.assertEqual('"foo": "rule:foo"', str(opt))
Exemple #7
0
 def test_not_equal_name(self):
     opt1 = policy.RuleDefault(name='foo', check_str='rule:foo',
                               description='foo')
     opt2 = policy.RuleDefault(name='bar', check_str='rule:foo',
                               description='bar')
     self.assertNotEqual(opt1, opt2)
Exemple #8
0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from designate.common.policies import base

rules = [
    policy.DocumentedRuleDefault(
        name="find_records",
        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Find records.',
        operations=[{
            'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
            'method': 'GET'
        }, {
            'path': '/v2/reverse/floatingips',
            'method': 'GET'
        }]),
    policy.RuleDefault(name="count_records",
                       check_str=base.RULE_ADMIN_OR_OWNER)
]


def list_rules():
    return rules
Exemple #9
0
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

COMPUTE_API = 'os_compute_api'
NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network'

RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api'
RULE_ANY = '@'

rules = [
    policy.RuleDefault('context_is_admin', 'role:admin'),
    policy.RuleDefault('admin_or_owner',
                       'is_admin:True or project_id:%(project_id)s'),
    policy.RuleDefault('admin_api', 'is_admin:True'),
    policy.RuleDefault(NETWORK_ATTACH_EXTERNAL, 'is_admin:True'),
]


def create_rule_default(name, check_str, description, operations):
    # TODO(sneti): use DocumentedRuleDefault instead of RuleDefault
    # when oslo.policy library with DocumentedRuleDefault change is released.
    # formatted_description hack can be removed then.
    ops = ""
    for operation in operations:
        ops += ('%(method)s %(path)s\n' % {
            'method': operation['method'],
Exemple #10
0
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
UNPROTECTED = ''

rules = [
    policy.RuleDefault(name="context_is_admin", check_str="role:admin"),
    policy.RuleDefault(name="segregation", check_str=RULE_CONTEXT_IS_ADMIN),
    policy.RuleDefault(name="admin_or_owner", check_str=RULE_ADMIN_OR_OWNER),
    policy.RuleDefault(name="default", check_str=RULE_ADMIN_OR_OWNER),
    policy.DocumentedRuleDefault(name="telemetry:get_alarm",
                                 check_str=RULE_ADMIN_OR_OWNER,
                                 description='Get an alarm.',
                                 operations=[{
                                     'path': '/v2/alarms/{alarm_id}',
                                     'method': 'GET'
                                 }]),
    policy.DocumentedRuleDefault(
        name="telemetry:get_alarms",
        check_str=RULE_ADMIN_OR_OWNER,
        description='Get all alarms, based on the query provided.',
        operations=[{
from oslo_config import cfg
from oslo_log import log
from oslo_policy import policy

from ironic.common import exception

_ENFORCER = None
CONF = cfg.CONF
LOG = log.getLogger(__name__)

default_policies = [
    # Legacy setting, don't remove. Likely to be overridden by operators who
    # forget to update their policy.json configuration file.
    # This gets rolled into the new "is_admin" rule below.
    policy.RuleDefault('admin_api',
                       'role:admin or role:administrator',
                       description='Legacy rule for cloud admin access'),
    # is_public_api is set in the environment from AuthTokenMiddleware
    policy.RuleDefault('public_api',
                       'is_public_api:True',
                       description='Internal flag for public API routes'),
    # Generic default to hide passwords in node driver_info
    # NOTE(deva): the 'show_password' policy setting hides secrets in
    #             driver_info. However, the name exists for legacy
    #             purposes and can not be changed. Changing it will cause
    #             upgrade problems for any operators who have customized
    #             the value of this field
    policy.RuleDefault('show_password',
                       '!',
                       description='Show or mask secrets within node driver information in API responses'),  # noqa
    # Generic default to hide instance secrets
Exemple #12
0
from oslo_utils import excutils
from oslo_utils import importutils
import six

from tacker._i18n import _
from tacker.api.v1 import attributes
from tacker.common import exceptions

LOG = logging.getLogger(__name__)

_ENFORCER = None
ADMIN_CTX_POLICY = 'context_is_admin'

_BASE_RULES = [
    policy.RuleDefault(ADMIN_CTX_POLICY,
                       'role:admin',
                       description='Rule for cloud admin access'),
    # policy.RuleDefault(
    #    _ADVSVC_CTX_POLICY,
    #     'role:advsvc',
    #     description='Rule for advanced service role access'),
]


def reset():
    global _ENFORCER
    if _ENFORCER:
        _ENFORCER.clear()
        _ENFORCER = None

Exemple #13
0
#  Licensed under the Apache License, Version 2.0 (the "License"); you may
#  not use this file except in compliance with the License. You may obtain
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy


rules = [
    policy.RuleDefault(
        'get_floatingip_pool',
        'rule:regular_user',
        description='Access rule for getting floating IP pools'),
]


def list_rules():
    return rules
Exemple #14
0
#  Licensed under the Apache License, Version 2.0 (the "License"); you may
#  not use this file except in compliance with the License. You may obtain
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy

rules = [policy.RuleDefault('version:get', '@')]


def list_rules():
    return rules
Exemple #15
0
 def test_authorize_opt_registered(self):
     self.enforcer.register_default(policy.RuleDefault(name='test',
                                    check_str='role:test'))
     self.assertTrue(self.enforcer.authorize('test', {},
                                             {'roles': ['test']}))
Exemple #16
0
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
# crazy hard to manually maintain such a list.

# NOTE(gmann): Keystone already support implied roles means assignment
# of one role implies the assignment of another. New defaults roles
# `reader`, `member` also has been added in bootstrap. If the bootstrap
# process is re-run, and a `reader`, `member`, or `admin` role already
# exists, a role implication chain will be created: `admin` implies
# `member` implies `reader`.
# For example: If we give access to 'reader' it means the 'admin' and
# 'member' also get access.
rules = [
    policy.RuleDefault(
        "context_is_admin",
        "role:admin",
        "Decides what is required for the 'is_admin:True' check to succeed."),
    policy.RuleDefault(
        "admin_or_owner",
        "is_admin:True or project_id:%(project_id)s",
        "Default rule for most non-Admin APIs.",
        deprecated_for_removal=True,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since='21.0.0'),
    policy.RuleDefault(
        "admin_api",
        "is_admin:True",
        "Default rule for most Admin APIs.",
        deprecated_for_removal=True,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since='21.0.0'),
Exemple #17
0
 def test_rule_is_parsed(self):
     opt = policy.RuleDefault(name='foo', check_str='rule:foo')
     self.assertIsInstance(opt.check, _checks.BaseCheck)
     self.assertEqual('rule:foo', str(opt.check))
Exemple #18
0
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy


rules = [
    policy.RuleDefault('create_metering_label',
                       'rule:admin_only',
                       description='Access rule for creating metering label'),
    policy.RuleDefault('get_metering_label',
                       'rule:admin_only',
                       description='Access rule for getting metering label'),
    policy.RuleDefault('delete_metering_label',
                       'rule:admin_only',
                       description='Access rule for deleting metering label'),
    policy.RuleDefault('create_metering_label_rule',
                       'rule:admin_only',
                       description=('Access rule for creating '
                                    'metering label rule')),
    policy.RuleDefault('get_metering_label_rule',
                       'rule:admin_only',
                       description=('Access rule for getting '
                                    'metering label rule')),
Exemple #19
0
 def test_equality_less_obvious(self):
     opt1 = policy.RuleDefault(name='foo', check_str='',
                               description='foo')
     opt2 = policy.RuleDefault(name='foo', check_str='@',
                               description='bar')
     self.assertEqual(opt1, opt2)
Exemple #20
0
deprecated_find_pool = policy.DeprecatedRule(name="find_pools",
                                             check_str=base.RULE_ADMIN)
deprecated_get_pool = policy.DeprecatedRule(name="get_pool",
                                            check_str=base.RULE_ADMIN)
deprecated_update_pool = policy.DeprecatedRule(name="update_pool",
                                               check_str=base.RULE_ADMIN)
deprecated_delete_pool = policy.DeprecatedRule(name="delete_pool",
                                               check_str=base.RULE_ADMIN)
deprecated_zone_created_forced_pool = policy.DeprecatedRule(
    name="zone_create_forced_pool", check_str=base.RULE_ADMIN)

rules = [
    policy.RuleDefault(name="create_pool",
                       check_str=base.SYSTEM_ADMIN,
                       scope_types=['system'],
                       description='Create pool.',
                       deprecated_rule=deprecated_create_pool,
                       deprecated_reason=DEPRECATED_REASON,
                       deprecated_since=versionutils.deprecated.WALLABY),
    policy.DocumentedRuleDefault(
        name="find_pools",
        check_str=base.SYSTEM_READER,
        scope_types=['system'],
        description='Find pool.',
        operations=[{
            'path': '/v2/pools',
            'method': 'GET'
        }],
        deprecated_rule=deprecated_find_pools,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY),
Exemple #21
0
import fixtures
import mock
from oslo_config import cfg
from six import moves
import stevedore
import testtools

from oslo_policy import generator
from oslo_policy import policy
from oslo_policy.tests import base

OPTS = {
    'base_rules': [
        policy.RuleDefault('admin',
                           'is_admin:True',
                           description='Basic admin check'),
        policy.DocumentedRuleDefault(
            'owner', ('project_id:%'
                      '(project_id)s'), 'This is a long '
            'description to check '
            'that line wrapping '
            'functions properly', [{
                'path': '/foo/',
                'method': 'GET'
            }, {
                'path': '/test/',
                'method': 'POST'
            }])
    ],
    'custom_field':
Exemple #22
0
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from nova.policies import base

BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'

flavor_manage_policies = [
    policy.RuleDefault(name=BASE_POLICY_NAME, check_str=base.RULE_ADMIN_API),
]


def list_rules():
    return flavor_manage_policies
Exemple #23
0
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy


rules = [
    policy.RuleDefault('secret_acls:put_patch',
                       'rule:secret_project_admin or '
                       'rule:secret_project_creator'),
    policy.RuleDefault('secret_acls:delete',
                       'rule:secret_project_admin or '
                       'rule:secret_project_creator'),
    policy.RuleDefault('secret_acls:get',
                       'rule:all_but_audit and '
                       'rule:secret_project_match'),
    policy.RuleDefault('container_acls:put_patch',
                       'rule:container_project_admin or '
                       'rule:container_project_creator'),
    policy.RuleDefault('container_acls:delete',
                       'rule:container_project_admin or '
                       'rule:container_project_creator'),
    policy.RuleDefault('container_acls:get',
                       'rule:all_but_audit and rule:container_project_match'),
Exemple #24
0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

from nova.policies import base

BASE_POLICY_NAME = 'os_compute_api:os-cells'
POLICY_ROOT = 'os_compute_api:os-cells:%s'

cells_policies = [
    policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
                       check_str=base.RULE_ANY),
    base.create_rule_default(POLICY_ROOT % 'update', base.RULE_ADMIN_API,
                             'Update an existing cell',
                             [{
                                 'method': 'PUT',
                                 'path': '/os-cells/{cell_id}'
                             }]),
    base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_API,
                             'Create a new cell', [{
                                 'method': 'POST',
                                 'path': '/os-cells'
                             }]),
    base.create_rule_default(
        BASE_POLICY_NAME, base.RULE_ADMIN_API,
        'List and get detailed info of a given cell or all cells',
        [{
Exemple #25
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = [
         oslo_policy.RuleDefault("true", '@'),
         oslo_policy.RuleDefault("example:allowed", '@'),
         oslo_policy.RuleDefault("example:denied", "!"),
         oslo_policy.RuleDefault("old_action_not_default", "@"),
         oslo_policy.RuleDefault("new_action", "@"),
         oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
         oslo_policy.RuleDefault("example:get_http",
                                 "http://www.example.com"),
         oslo_policy.RuleDefault(
             "example:my_file", "role:compute_admin or "
             "project_id:%(project_id)s"),
         oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
         oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
         oslo_policy.RuleDefault("example:lowercase_admin",
                                 "role:admin or role:sysadmin"),
         oslo_policy.RuleDefault("example:uppercase_admin",
                                 "role:ADMIN or role:sysadmin"),
     ]
     policy.reset()
     policy.init()
     # before a policy rule can be used, its default has to be registered.
     policy._ENFORCER.register_defaults(rules)
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #26
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rule = oslo_policy.RuleDefault('has_foo_role', "role:foo")
     enforcer = policy.get_enforcer()
     enforcer.register_default(rule)
Exemple #27
0
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_policy import policy

RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
ROLE_ADMIN = 'role:admin'
UNPROTECTED = ''

rules = [
    policy.RuleDefault(name='context_is_admin', check_str='role:admin'),
    policy.RuleDefault(name='admin_or_owner',
                       check_str='is_admin:True or project_id:%(project_id)s'),
    policy.RuleDefault(name='default', check_str=UNPROTECTED)
]


def list_rules():
    return rules
Exemple #28
0
DEPRECATED_REASON = (
    "The security group API now supports system scope and default roles.")

SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = '/security-groups/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = '/security-group-rules/{id}'

RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'

rules = [
    policy.RuleDefault(
        name='admin_or_sg_owner',
        check_str=base.policy_or('rule:context_is_admin',
                                 'tenant_id:%(security_group:tenant_id)s'),
        description='Rule for admin or security group owner access'),
    policy.RuleDefault(name='admin_owner_or_sg_owner',
                       check_str=base.policy_or('rule:owner',
                                                RULE_ADMIN_OR_SG_OWNER),
                       description=('Rule for resource owner, '
                                    'admin or security group owner access')),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group?
    policy.DocumentedRuleDefault(
        name='create_security_group',
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
        scope_types=['system', 'project'],
        description='Create a security group',
        operations=[
Exemple #29
0
from oslo_policy import policy

from neutron.conf.policies import base

DEPRECATED_REASON = (
    "The subnet pool API now supports system scope and default roles.")

COLLECTION_PATH = '/subnetpools'
RESOURCE_PATH = '/subnetpools/{id}'
ONBOARD_PATH = '/subnetpools/{id}/onboard_network_subnets'
ADD_PREFIXES_PATH = '/subnetpools/{id}/add_prefixes'
REMOVE_PREFIXES_PATH = '/subnetpools/{id}/remove_prefixes'

rules = [
    policy.RuleDefault(name='shared_subnetpools',
                       check_str='field:subnetpools:shared=True',
                       description='Definition of a shared subnetpool'),
    policy.DocumentedRuleDefault(
        name='create_subnetpool',
        check_str=base.PROJECT_MEMBER,
        scope_types=['project'],
        description='Create a subnetpool',
        operations=[
            {
                'method': 'POST',
                'path': COLLECTION_PATH,
            },
        ],
        deprecated_rule=policy.DeprecatedRule(
            name='create_subnetpool',
            check_str=base.RULE_ANY,
Exemple #30
0
#  Licensed under the Apache License, Version 2.0 (the "License"); you may
#  not use this file except in compliance with the License. You may obtain
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_policy import policy

rules = [
    policy.RuleDefault('admin', 'role:admin'),
    policy.RuleDefault('observer', 'role:observer'),
    policy.RuleDefault('creator', 'role:creator'),
    policy.RuleDefault('audit', 'role:audit'),
    policy.RuleDefault('service_admin', 'role:key-manager:service-admin'),
    policy.RuleDefault('admin_or_creator', 'rule:admin or rule:creator'),
    policy.RuleDefault('all_but_audit',
                       'rule:admin or rule:observer or rule:creator'),
    policy.RuleDefault(
        'all_users', 'rule:admin or rule:observer or rule:creator or '
        'rule:audit or rule:service_admin'),
    policy.RuleDefault('secret_project_match',
                       'project:%(target.secret.project_id)s'),
    policy.RuleDefault('secret_acl_read', "'read':%(target.secret.read)s"),
    policy.RuleDefault('secret_private_read',
                       "'False':%(target.secret.read_project_access)s"),