def test_create_rule_default(self):
rule_default = base.create_rule_default(
"name", "check_str", "description goes in here",
[{'method': 'GET', 'path': '/test_url'},
{'method': 'POST', 'path': '/test_url'}])
expected = """description goes in here
GET /test_url
POST /test_url
"""
self.assertEqual(expected, rule_default.description)
self.assertEqual("name", rule_default.name)
self.assertEqual("check_str", rule_default.check_str)
def test_create_rule_default(self):
rule_default = base.create_rule_default("name", "check_str",
"description goes in here",
[{
'method': 'GET',
'path': '/test_url'
}, {
'method': 'POST',
'path': '/test_url'
}])
expected = """description goes in here
GET /test_url
POST /test_url
"""
self.assertEqual(expected, rule_default.description)
self.assertEqual("name", rule_default.name)
self.assertEqual("check_str", rule_default.check_str)
def test_create_rule_default_improper_formatting(self):
"""Ensure we correctly handle various formatting misdemeanours."""
rule_default = base.create_rule_default(
"name", "check_str", """Joe's special policy.
This is Joe's special policy. Joe writes
really, really long sentences that should really be wrapped better than \
they are.
Unfortunately we can't expect him
to just do
things
right, so we must fix the problem ourselves.
Oh, Joe. You so silly.
""", [{
'method': 'GET',
'path': '/test_url'
}, {
'method': 'POST',
'path': '/test_url'
}])
expected = """Joe's special policy.
This is Joe's special policy. Joe writes really, really long sentences \
that should really be wrapped better than they are. Unfortunately we \
can't expect him to just do things right, so we must fix the problem \
ourselves.
Oh, Joe. You so silly.
GET /test_url
POST /test_url
"""
self.assertEqual(expected, rule_default.description)
self.assertEqual("name", rule_default.name)
self.assertEqual("check_str", rule_default.check_str)
def test_create_rule_default_improper_formatting(self):
"""Ensure we correctly handle various formatting misdemeanours."""
rule_default = base.create_rule_default(
"name",
"check_str",
"""Joe's special policy.
This is Joe's special policy. Joe writes
really, really long sentences that should really be wrapped better than \
they are.
Unfortunately we can't expect him
to just do
things
right, so we must fix the problem ourselves.
Oh, Joe. You so silly.
""",
[{'method': 'GET', 'path': '/test_url'},
{'method': 'POST', 'path': '/test_url'}])
expected = """Joe's special policy.
This is Joe's special policy. Joe writes really, really long sentences \
that should really be wrapped better than they are. Unfortunately we \
can't expect him to just do things right, so we must fix the problem \
ourselves.
Oh, Joe. You so silly.
GET /test_url
POST /test_url
"""
self.assertEqual(expected, rule_default.description)
self.assertEqual("name", rule_default.name)
self.assertEqual("check_str", rule_default.check_str)
security_group_default_rules_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists, shows information for, creates and deletes default security
group rules.
These API's are only available with nova-network which is now deprecated.""",
[
{
'method': 'GET',
'path': '/os-security-group-default-rules'
},
{
'method': 'GET',
'path': '/os-security-group-default-rules'
'/{security_group_default_rule_id}'
},
{
'method': 'POST',
'path': '/os-security-group-default-rules'
},
{
'method': 'DELETE',
'path': '/os-security-group-default-rules'
'/{security_group_default_rule_id}'
}
]),
]
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-virtual-interfaces'
virtual_interfaces_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List Virtual Interfaces.
This works only with the nova-network service, which is now deprecated""",
[
{
'method': 'GET',
'path': '/servers/{server_id}/os-virtual-interfaces'
}
]),
]
def list_rules():
return virtual_interfaces_policies
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
lock_server_policies = [
base.create_rule_default(
POLICY_ROOT % 'lock',
base.RULE_ADMIN_OR_OWNER,
"Lock a server",
[
{
'path': '/servers/{server_id}/action (lock)',
'method': 'POST'
}
]
),
base.create_rule_default(
POLICY_ROOT % 'unlock',
base.RULE_ADMIN_OR_OWNER,
"Unlock a server",
[
{
'path': '/servers/{server_id}/action (unlock)',
'method': 'POST'
}
]
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-agents'
POLICY_ROOT = 'os_compute_api:os-agents:%s'
agents_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
"""Create, list, update, and delete guest agent builds
This is XenAPI driver specific. It is used to force the upgrade of the
XenAPI guest agent on instance boot.
""", [{
'path': '/os-agents',
'method': 'GET'
}, {
'path': '/os-agents',
'method': 'POST'
}, {
'path': '/os-agents/{agent_build_id}',
'method': 'PUT'
}, {
'path': '/os-agents/{agent_build_id}',
'method': 'DELETE'
}]),
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
floating_ip_pools_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
"List floating IP pools. This API is deprecated.",
[{
'method': 'GET',
'path': '/os-floating-ip-pools'
}]),
]
def list_rules():
return floating_ip_pools_policies
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-access'
POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
flavor_access_policies = [
base.create_rule_default(
POLICY_ROOT % 'add_tenant_access', base.RULE_ADMIN_API,
"Add flavor access to a tenant",
[{
'method': 'POST',
'path': '/flavors/{flavor_id}/action (addTenantAccess)'
}]),
base.create_rule_default(
POLICY_ROOT % 'remove_tenant_access', base.RULE_ADMIN_API,
"Remove flavor access from a tenant",
[{
'method': 'POST',
'path': '/flavors/{flavor_id}/action (removeTenantAccess)'
}]),
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
"""Allow the listing of flavor access information
Adds the os-flavor-access:is_public key into several flavor APIs.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
POLICY_ROOT = 'os_compute_api:os-console-auth-tokens:%s'
console_auth_tokens_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
'Show console connection information for a given console \
authentication token',
[
{
'method': 'GET',
'path': '/os-console-auth-tokens/{console_token}'
}
])
]
def list_rules():
return console_auth_tokens_policies
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-keypairs'
POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
keypairs_policies = [
base.create_rule_default(
POLICY_ROOT % 'index',
'rule:admin_api or user_id:%(user_id)s',
"List all keypairs",
[
{
'path': '/os-keypairs',
'method': 'GET'
}
]),
base.create_rule_default(
POLICY_ROOT % 'create',
'rule:admin_api or user_id:%(user_id)s',
"Create a keypair",
[
{
'path': '/os-keypairs',
'method': 'POST'
}
]),
base.create_rule_default(
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists all running Compute services in a region, enables \
or disables scheduling for a Compute service, logs disabled Compute service \
information, set or unset forced_down flag for the compute service and \
deletes a Compute service.""",
[
{
'method': 'GET',
'path': '/os-services'
},
{
'method': 'PUT',
'path': '/os-services/enable'
},
{
'method': 'PUT',
'path': '/os-services/disable'
},
{
'method': 'PUT',
'path': '/os-services/disable-log-reason'
},
{
'method': 'PUT',
'path': '/os-services/force-down'
},
{
'method': 'DELETE',
'path': '/os-services/{service_id}'
}
]),
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
base.create_rule_default(
POLICY_ROOT % 'shelve',
base.RULE_ADMIN_OR_OWNER,
"Shelve Server",
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (shelve)'
}
]),
base.create_rule_default(
POLICY_ROOT % 'unshelve',
base.RULE_ADMIN_OR_OWNER,
"Unshelve (Restore) Shelved Server",
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (unshelve)'
}
]),
base.create_rule_default(
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
volumes_attachments_policies = [
base.create_rule_default(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List volume attachments for an instance",
[
{'method': 'GET',
'path': '/servers/{server_id}/os-volume_attachments'
}
]),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
"Attach a volume to an instance",
[
{
'method': 'POST',
'path': '/servers/{server_id}/os-volume_attachments'
}
]),
base.create_rule_default(
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
RULE_AOO = base.RULE_ADMIN_OR_OWNER
SERVERS = 'os_compute_api:servers:%s'
rules = [
base.create_rule_default(
SERVERS % 'index',
RULE_AOO,
"List all servers",
[
{
'method': 'GET',
'path': '/servers'
}
]),
base.create_rule_default(
SERVERS % 'detail',
RULE_AOO,
"List all servers with detailed information",
[
{
'method': 'GET',
'path': '/servers/detail'
}
]),
base.create_rule_default(
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-agents'
POLICY_ROOT = 'os_compute_api:os-agents:%s'
agents_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Create, list, update, and delete guest agent builds
This is XenAPI driver specific. It is used to force the upgrade of the
XenAPI guest agent on instance boot.
""",
[{'path': '/os-agents', 'method': 'GET'},
{'path': '/os-agents', 'method': 'POST'},
{'path': '/os-agents/{agent_build_id}', 'method': 'PUT'},
{'path': '/os-agents/{agent_build_id}', 'method': 'DELETE'}]),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return agents_policies
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
console_auth_tokens_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
'Show console connection information for a given console \
authentication token', [{
'method': 'GET',
'path': '/os-console-auth-tokens/{console_token}'
}])
]
def list_rules():
return console_auth_tokens_policies
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
base.create_rule_default(
POLICY_ROOT % 'delete_all',
base.RULE_ADMIN_OR_OWNER,
"Delete all the server tags",
[
{
'method': 'DELETE',
'path': '/servers/{server_id}/tags'
}
]),
base.create_rule_default(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List all tags for given server",
[
{
'method': 'GET',
'path': '/servers/{server_id}/tags'
}
]),
base.create_rule_default(
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
server_external_events_policies = [
base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_API,
"Creates one or more external events",
[{
'method': 'POST',
'path': '/os-server-external-events'
}]),
]
def list_rules():
return server_external_events_policies
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
flavor_manage_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Create and delete Flavors",
[
{
'method': 'POST',
'path': '/flavors'
},
{
'method': 'DELETE',
'path': '/flavors/{flavor_id}'
},
]),
]
def list_rules():
return flavor_manage_policies
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
base.create_rule_default(POLICY_ROOT % 'index', base.RULE_ADMIN_OR_OWNER,
"List all metadata of a server", [{
'path': '/servers/server_id/metadata',
'method': 'GET'
}]),
base.create_rule_default(POLICY_ROOT % 'show', base.RULE_ADMIN_OR_OWNER,
"Show metadata for a server", [{
'path': '/servers/server_id/metadata/{key}',
'method': 'GET'
}]),
base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_OR_OWNER,
"Create metadata for a server", [{
'path': '/servers/server_id/metadata',
'method': 'POST'
}]),
base.create_rule_default(POLICY_ROOT % 'update_all',
base.RULE_ADMIN_OR_OWNER,
"Replace metadata for a server", [{
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-console-output'
console_output_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
'Show console output for a server',
[{
'method': 'POST',
'path': '/servers/{server_id}/action (os-getConsoleOutput)'
}])
]
def list_rules():
return console_output_policies
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
pause_server_policies = [
base.create_rule_default(POLICY_ROOT % 'pause', base.RULE_ADMIN_OR_OWNER,
"Pause a server.", [{
'path': '/servers/{server_id}/action (pause)',
'method': 'POST'
}]),
base.create_rule_default(
POLICY_ROOT % 'unpause', base.RULE_ADMIN_OR_OWNER,
"Unpause a paused server.", [{
'path': '/servers/{server_id}/action (unpause)',
'method': 'POST'
}]),
]
def list_rules():
return pause_server_policies
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
POLICY_ROOT = 'os_compute_api:os-create-backup:%s'
create_backup_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
'Create a back up of a server',
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (createBackup)'
}
])
]
def list_rules():
return create_backup_policies
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
base.create_rule_default(
POLICY_ROOT % 'show', base.RULE_ADMIN_OR_OWNER,
"""Shows IP addresses details for a network label of a server.""",
[{
'method': 'GET',
'path': '/servers/{server_id}/ips/{network_label}'
}]),
base.create_rule_default(
POLICY_ROOT % 'index', base.RULE_ADMIN_OR_OWNER,
"""Lists IP addresses that are assigned to a server.""",
[{
'method': 'GET',
'path': '/servers/{server_id}/ips'
}]),
]
def list_rules():
return ips_policies
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
create_backup_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
'Create a back up of a server',
[{
'method': 'POST',
'path': '/servers/{server_id}/action (createBackup)'
}])
]
def list_rules():
return create_backup_policies
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
servers_migrations_policies = [
base.create_rule_default(
POLICY_ROOT % 'show',
base.RULE_ADMIN_API,
"Show details for an in-progress live migration for a given server",
[
{
'method': 'GET',
'path': '/servers/{server_id}/migrations/{migration_id}'
}
]),
base.create_rule_default(
POLICY_ROOT % 'force_complete',
base.RULE_ADMIN_API,
"Force an in-progress live migration for a given server to complete",
[
{
'method': 'POST',
'path': '/servers/{server_id}/migrations/{migration_id}'
'/action (force_complete)'
}
]),
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-cells'
POLICY_ROOT = 'os_compute_api:os-cells:%s'
cells_policies = [
base.create_rule_default(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
'Update an existing cell',
[
{
'method': 'PUT',
'path': '/os-cells/{cell_id}'
}
]),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
'Create a new cell',
[
{
'method': 'POST',
'path': '/os-cells'
}
]),
base.create_rule_default(
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-migrations:%s'
migrations_policies = [
base.create_rule_default(POLICY_ROOT % 'index', base.RULE_ADMIN_API,
"List migrations", [{
'method': 'GET',
'path': '/os-migrations'
}]),
]
def list_rules():
return migrations_policies
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
assisted_volume_snapshots_policies = [
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Create an assisted volume snapshot",
[
{
'path': '/os-assisted-volume-snapshots',
'method': 'POST'
}
]),
base.create_rule_default(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Delete an assisted volume snapshot",
[
{
'path': '/os-assisted-volume-snapshots/{snapshot_id}',
'method': 'DELETE'
}
]),
policy.RuleDefault(
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
base.create_rule_default(POLICY_ROOT % 'shelve', base.RULE_ADMIN_OR_OWNER,
"Shelve Server",
[{
'method': 'POST',
'path': '/servers/{server_id}/action (shelve)'
}]),
base.create_rule_default(
POLICY_ROOT % 'unshelve', base.RULE_ADMIN_OR_OWNER,
"Unshelve (Restore) Shelved Server",
[{
'method': 'POST',
'path': '/servers/{server_id}/action (unshelve)'
}]),
base.create_rule_default(
POLICY_ROOT % 'shelve_offload', base.RULE_ADMIN_API,
"Shelf-Offload (Remove) Server",
[{
'method': 'POST',
'path': '/servers/{server_id}/action (shelveOffload)'
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes'
POLICY_ROOT = 'os_compute_api:os-baremetal-nodes:%s'
baremetal_nodes_policies = [
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
"""List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
""", [{
'method': 'GET',
'path': '/os-baremetal-nodes'
}, {
'method': 'GET',
'path': '/os-baremetal-nodes/{node_id}'
}]),
]
def list_rules():
return baremetal_nodes_policies
POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
server_groups_policies = [
# TODO(Kevin_Zheng): remove this rule as this not used by any API
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description='Deprecated in Pike and will be removed in next release'),
base.create_rule_default(
POLICY_ROOT % 'create',
BASE_POLICY_RULE,
"Create a new server group",
[
{
'path': '/os-server-groups',
'method': 'POST'
}
]
),
base.create_rule_default(
POLICY_ROOT % 'delete',
BASE_POLICY_RULE,
"Delete a server group",
[
{
'path': '/os-server-groups/{server_group_id}',
'method': 'DELETE'
}
]
tenant_networks_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Creates, lists, shows information for, and deletes
project networks.
These APIs are proxy calls to the Network service. These are all
deprecated.""",
[
{
'method': 'GET',
'path': '/os-tenant-networks'
},
{
'method': 'POST',
'path': '/os-tenant-networks'
},
{
'method': 'GET',
'path': '/os-tenant-networks/{network_id}'
},
{
'method': 'DELETE',
'path': '/os-tenant-networks/{network_id}'
}
]),
policy.RuleDefault(
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-admin-actions'
POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
POLICY_ROOT % 'reset_state', base.RULE_ADMIN_API,
"Reset the state of a given server",
[{
'method': 'POST',
'path': '/servers/{server_id}/action (os-resetState)'
}]),
base.create_rule_default(
POLICY_ROOT % 'inject_network_info', base.RULE_ADMIN_API,
"Inject network information into the server",
[{
'method': 'POST',
'path': '/servers/{server_id}/action (injectNetworkInfo)'
}]),
base.create_rule_default(
POLICY_ROOT % 'reset_network', base.RULE_ADMIN_API,
"Reset networking on a server",
[{
'method': 'POST',
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'cells_scheduler_filter:%s'
cells_scheduler_policies = [
base.create_rule_default(
POLICY_ROOT % 'DifferentCellFilter',
'is_admin:True',
"""Different cell filter to route a build away from a particular cell
This policy is read by nova-scheduler process.
""",
[]),
base.create_rule_default(
POLICY_ROOT % 'TargetCellFilter',
'is_admin:True',
"""Target cell filter to route a build to a particular cell
This policy is read by nova-scheduler process.
""",
[])
]
def list_rules():
floating_ips_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Manage a project's floating IPs. These APIs are all deprecated.",
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (addFloatingIp)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/action (removeFloatingIp)'
},
{
'method': 'GET',
'path': '/os-floating-ips'
},
{
'method': 'POST',
'path': '/os-floating-ips'
},
{
'method': 'GET',
'path': '/os-floating-ips/{floating_ip_id}'
},
{
'method': 'DELETE',
'path': '/os-floating-ips/{floating_ip_id}'
},
]),
]
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-multinic'
multinic_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Adds or Removes a fixed IP address from a server.
These APIs are proxy calls to the Network service. These are all
deprecated.""",
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (addFixedIp)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/action (removeFixedIp)'
}
]),
]
def list_rules():
return multinic_policies
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-groups'
POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
BASE_POLICY_RULE = 'rule:%s' % BASE_POLICY_NAME
server_groups_policies = [
# TODO(Kevin_Zheng): remove this rule as this not used by any API
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description='Deprecated in Pike and will be removed in next release'),
base.create_rule_default(POLICY_ROOT % 'create', BASE_POLICY_RULE,
"Create a new server group", [{
'path': '/os-server-groups',
'method': 'POST'
}]),
base.create_rule_default(POLICY_ROOT % 'delete', BASE_POLICY_RULE,
"Delete a server group", [{
'path': '/os-server-groups/{server_group_id}',
'method': 'DELETE'
}]),
base.create_rule_default(POLICY_ROOT % 'index', BASE_POLICY_RULE,
"List all server groups", [{
'path': '/os-server-groups',
'method': 'GET'
}]),
base.create_rule_default(POLICY_ROOT % 'show', BASE_POLICY_RULE,
"Show details of a server group", [{
'path': '/os-server-groups/{server_group_id}',
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
simple_tenant_usage_policies = [
base.create_rule_default(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show usage statistics for a specific tenant.",
[
{
'method': 'GET',
'path': '/os-simple-tenant-usage/{tenant_id}'
}
]),
base.create_rule_default(
POLICY_ROOT % 'list',
base.RULE_ADMIN_API,
"List per tenant usage statistics for all tenants.",
[
{
'method': 'GET',
'path': '/os-simple-tenant-usage'
}
]),
]
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-flavor-extra-specs:%s'
flavor_extra_specs_policies = [
base.create_rule_default(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show an extra spec for a flavor",
[
{
'path': '/flavors/{flavor_id}/os-extra_specs/'
'{flavor_extra_spec_key}',
'method': 'GET'
}
]
),
base.create_rule_default(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Create extra specs for a flavor",
[
{
'path': '/flavors/{flavor_id}/os-extra_specs/',
'method': 'POST'
}
]
floating_ip_dns_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List registered DNS domains, and CRUD actions on domain names.
Note this only works with nova-network and this API is deprecated.""",
[
{
'method': 'GET',
'path': '/os-floating-ip-dns'
},
{
'method': 'GET',
'path': '/os-floating-ip-dns/{domain}/entries/{ip}'
},
{
'method': 'GET',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
{
'method': 'PUT',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
{
'method': 'DELETE',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
]),
base.create_rule_default(
POLICY_ROOT % 'domain:update',
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
instance_usage_audit_log_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
"""Lists all usage audits and that occurred before a specified time
for all servers on all compute hosts where usage auditing is configured.""",
[{
'method': 'GET',
'path': '/os-instance_usage_audit_log'
}, {
'method': 'GET',
'path': '/os-instance_usage_audit_log/{before_timestamp}'
}]),
]
def list_rules():
return instance_usage_audit_log_policies
remote_consoles_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Generates a URL to access remove server console",
[
{
'method': 'POST',
'path': '/servers/{server_id}/action (os-getRDPConsole)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/action (os-getSerialConsole)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/action (os-getSPICEConsole)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/action (os-getVNCConsole)'
},
{
'method': 'POST',
'path': '/servers/{server_id}/remote-consoles'
},
]),
]
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
POLICY_ROOT = 'cells_scheduler_filter:%s'
cells_scheduler_policies = [
base.create_rule_default(
POLICY_ROOT % 'DifferentCellFilter', 'is_admin:True',
"""Different cell filter to route a build away from a particular cell
This policy is read by nova-scheduler process.
""", []),
base.create_rule_default(
POLICY_ROOT % 'TargetCellFilter', 'is_admin:True',
"""Target cell filter to route a build to a particular cell
This policy is read by nova-scheduler process.
""", [])
]
def list_rules():
return cells_scheduler_policies
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-hide-server-addresses'
hide_server_addresses_policies = [
base.create_rule_default(
BASE_POLICY_NAME, 'is_admin:False',
"""Hide server's 'addresses' key in the server response.
This set the 'addresses' key in the server response to an empty dictionary
when the server is in a specific set of states as defined in
CONF.api.hide_server_address_states.
By default 'addresses' is hidden only when the server is in 'BUILDING'
state.""", [{
'method': 'GET',
'path': '/servers/{id}'
}, {
'method': 'GET',
'path': '/servers/detail'
}]),
]
def list_rules():
return hide_server_addresses_policies
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
assisted_volume_snapshots_policies = [
base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_API,
"Create an assisted volume snapshot",
[{
'path': '/os-assisted-volume-snapshots',
'method': 'POST'
}]),
base.create_rule_default(
POLICY_ROOT % 'delete', base.RULE_ADMIN_API,
"Delete an assisted volume snapshot", [{
'path': '/os-assisted-volume-snapshots/{snapshot_id}',
'method': 'DELETE'
}]),
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return assisted_volume_snapshots_policies
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-server-password'
POLICY_ROOT = 'os_compute_api:os-server-password:%s'
server_password_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
"Show and clear the encrypted administrative password of a server",
[{
'method': 'GET',
'path': '/servers/{server_id}/os-server-password'
}, {
'method': 'DELETE',
'path': '/servers/{server_id}/os-server-password'
}]),
policy.RuleDefault(name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return server_password_policies
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
flavor_rxtx_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Adds the rxtx_factor key into some Flavor APIs",
[
{
'method': 'GET',
'path': '/flavors/detail'
},
{
'method': 'GET',
'path': '/flavors/{flavor_id}'
},
{
'method': 'POST',
'path': '/flavors'
},
]),
]
def list_rules():
return flavor_rxtx_policies
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Manages volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and snapshots. These APIs
are proxy calls to the Volume service. These are all deprecated.
""",
[
{
'method': 'GET',
'path': '/os-volumes'
},
{
'method': 'POST',
'path': '/os-volumes'
},
{
'method': 'GET',
'path': '/os-volumes/detail'
},
{
'method': 'GET',
'path': '/os-volumes/{volume_id}'
},
{
'method': 'DELETE',
'path': '/os-volumes/{volume_id}'
},
{
'method': 'GET',
'path': '/os-snapshots'
},
{
'method': 'POST',
'path': '/os-snapshots'
},
{
'method': 'GET',
'path': '/os-snapshots/detail'
},
{
'method': 'GET',
'path': '/os-snapshots/{snapshot_id}'
},
{
'method': 'DELETE',
'path': '/os-snapshots/{snapshot_id}'
}
]),
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:limits'
limits_policies = [
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Shows rate and absolute limits for the project.""",
[
{
'method': 'GET',
'path': '/limits'
}
]),
]
def list_rules():
return limits_policies
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
POLICY_ROOT = 'os_compute_api:os-evacuate:%s'
evacuate_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
base.create_rule_default(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Evacuate a server from a failed host to a new host",
[
{
'path': '/servers/{server_id}/action (evacuate)',
'method': 'POST'
}
]),
]
def list_rules():
return evacuate_policies
POLICY_ROOT = 'os_compute_api:os-floating-ip-dns:%s'
floating_ip_dns_policies = [
base.create_rule_default(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
"""List registered DNS domains, and CRUD actions on domain names.
Note this only works with nova-network and this API is deprecated.""", [
{
'method': 'GET',
'path': '/os-floating-ip-dns'
},
{
'method': 'GET',
'path': '/os-floating-ip-dns/{domain}/entries/{ip}'
},
{
'method': 'GET',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
{
'method': 'PUT',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
{
'method': 'DELETE',
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
]),
base.create_rule_default(POLICY_ROOT % 'domain:update',
base.RULE_ADMIN_API,
"Create or update a DNS domain.",
from oslo_policy import policy
from nova.policies import base
RULE_AOO = base.RULE_ADMIN_OR_OWNER
SERVERS = 'os_compute_api:servers:%s'
rules = [
base.create_rule_default(
SERVERS % 'index',
RULE_AOO,
"List all servers",
[
{
'method': 'GET',
'path': '/servers'
}
]),
base.create_rule_default(
SERVERS % 'detail',
RULE_AOO,
"List all servers with detailed information",
[
{
'method': 'GET',
'path': '/servers/detail'
}
]),
base.create_rule_default(
