#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault('create_ikepolicy', base.RULE_ANY,
'Create an IKE policy', [
{
'method': 'POST',
'path': '/vpn/ikepolicies',
},
]),
policy.DocumentedRuleDefault('update_ikepolicy', base.RULE_ADMIN_OR_OWNER,
'Update an IKE policy', [
{
'method': 'PUT',
'path': '/vpn/ikepolicies/{id}',
},
]),
policy.DocumentedRuleDefault('delete_ikepolicy', base.RULE_ADMIN_OR_OWNER,
'Delete an IKE policy', [
{
'method': 'DELETE',
'path': '/vpn/ikepolicies/{id}',
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from solum.common.policies import base
assembly_policies = [
policy.DocumentedRuleDefault(
name='get_assemblies',
check_str=base.RULE_DEFAULT,
description='Return all assemblies, based on the query provided.',
operations=[{'path': '/v1/assemblies',
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name='show_assembly',
check_str=base.RULE_DEFAULT,
description='Return a assembly.',
operations=[{'path': '/v1/assemblies/{assemblie_id}',
'method': 'GET'}]),
policy.DocumentedRuleDefault(
name='update_assembly',
check_str=base.RULE_DEFAULT,
description='Modify this assembly.',
operations=[{'path': '/v1/assemblies/{assemblie_id}',
'method': 'PUT'}]),
policy.DocumentedRuleDefault(
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-used-limits'
used_limits_policies = [
# TODO(aunnam): Remove this rule after we separate the scope check from
# policies, as this is only checking the scope.
policy.DocumentedRuleDefault(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
"""Shows rate and absolute limits for the project.
This policy only checks if the user has access to the requested
project limits. And this check is performed only after the check
os_compute_api:limits passes""", [{
'method': 'GET',
'path': '/limits'
}]),
]
def list_rules():
return used_limits_policies
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-flavor-access'
POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
flavor_access_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'add_tenant_access',
check_str=base.RULE_ADMIN_API,
description="Add flavor access to a tenant",
operations=[{
'method': 'POST',
'path': '/flavors/{flavor_id}/action (addTenantAccess)'
}],
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'remove_tenant_access',
check_str=base.RULE_ADMIN_API,
description="Remove flavor access from a tenant",
operations=[{
'method': 'POST',
'path': '/flavors/{flavor_id}/action (removeTenantAccess)'
}],
scope_types=['system']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
)
deprecated_replica_reset_status = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'reset_status',
check_str=base.RULE_ADMIN_API
)
share_replica_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Create share replica.",
operations=[
{
'method': 'POST',
'path': '/share-replicas',
}
],
deprecated_rule=deprecated_replica_create,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get_all',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Get all share replicas.",
operations=[
{
'method': 'GET',
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
floating_ip_pools_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ANY,
description="List floating IP pools. This API is deprecated.",
operations=[
{
'method': 'GET',
'path': '/os-floating-ip-pools'
}
],
scope_types=['system', 'project']),
]
def list_rules():
return floating_ip_pools_policies
DEPRECATED_REASON = """
The identity:revocation_list policy isn't used to protect any APIs in keystone
now that the revocation list API has been deprecated and only returns a 410 or
403 depending on how keystone is configured. This policy can be safely removed
from policy files.
"""
token_revocation_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'revocation_list',
check_str=base.RULE_SERVICE_OR_ADMIN,
# NOTE(lbragstad): Documenting scope_types here doesn't really make a
# difference since this API is going to return an empty list regardless
# of the token scope used in the API call. More-or-less just doing this
# for consistency with other policies.
scope_types=['system', 'project'],
description='List revoked PKI tokens.',
operations=[{
'path': '/v3/auth/tokens/OS-PKI/revoked',
'method': 'GET'
}],
deprecated_for_removal=True,
deprecated_since=versionutils.deprecated.TRAIN,
deprecated_reason=DEPRECATED_REASON)
]
def list_rules():
return token_revocation_policies
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from cinder.policies import base
MANAGE_POLICY = "volume_extension:hosts"
hosts_policies = [
policy.DocumentedRuleDefault(
name=MANAGE_POLICY,
check_str=base.RULE_ADMIN_API,
description="List, update or show hosts for a project.",
operations=[{
'method': 'GET',
'path': '/os-hosts'
}, {
'method': 'PUT',
'path': '/os-hosts/{host_name}'
}, {
'method': 'GET',
'path': '/os-hosts/{host_id}'
}])
]
def list_rules():
return hosts_policies
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from octavia.common import constants
rules = [
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_FLAVOR_PROFILE,
action=constants.RBAC_GET_ALL),
constants.RULE_API_ADMIN, "List Flavor Profiles",
[{
'method': 'GET',
'path': '/v2.0/lbaas/flavorprofiles'
}]),
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_FLAVOR_PROFILE,
action=constants.RBAC_POST),
constants.RULE_API_ADMIN, "Create a Flavor Profile",
[{
'method': 'POST',
'path': '/v2.0/lbaas/flavorprofiles'
}]),
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_FLAVOR_PROFILE,
action=constants.RBAC_PUT),
constants.RULE_API_ADMIN, "Update a Flavor Profile",
deprecated_access_rule_index = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
share_access_rule_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Get details of a share access rule.",
operations=[
{
'method': 'GET',
'path': '/share-access-rules/{share_access_id}'
}
],
deprecated_rule=deprecated_access_rule_get
),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="List access rules of a given share.",
operations=[
{
'method': 'GET',
'path': ('/share-access-rules?share_id={share_id}'
deprecated_create_zone_export = policy.DeprecatedRule(
name="create_zone_export", check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_find_zone_exports = policy.DeprecatedRule(
name="find_zone_exports", check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_get_zone_export = policy.DeprecatedRule(
name="get_zone_export", check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_zone_export = policy.DeprecatedRule(
name="update_zone_export", check_str=base.RULE_ADMIN_OR_OWNER)
rules = [
policy.DocumentedRuleDefault(
name="zone_export",
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Retrive a Zone Export from the Designate Datastore",
operations=[{
'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
'method': 'GET'
}],
deprecated_rule=deprecated_zone_export,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
name="create_zone_export",
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Create Zone Export",
operations=[{
'path': '/v2/zones/{zone_id}/tasks/export',
'method': 'POST'
}],
deprecated_rule=deprecated_create_zone_export,
check_str=base.RULE_ADMIN_REQUIRED)
DEPRECATED_REASON = (
"The service provider API is now aware of system scope and default roles.")
service_provider_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_service_provider',
check_str=base.SYSTEM_ADMIN,
# FIXME(lbragstad): Today, keystone doesn't support federation without
# modifying configuration files. It makes sense to require system scope
# for these operations until keystone supports a way to add federated
# identity and service providers strictly over the API. At that point,
# it will make sense to include `project` in the list of `scope_types`
# for service provider policies.
scope_types=['system'],
description='Create federated service provider.',
operations=[{
'path': ('/v3/OS-FEDERATION/service_providers/'
'{service_provider_id}'),
'method':
'PUT'
}],
deprecated_rule=deprecated_create_sp,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_service_providers',
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='List federated service providers.',
operations=[{
RP_TRAIT_PREFIX = 'placement:resource_providers:traits:%s'
RP_TRAIT_LIST = RP_TRAIT_PREFIX % 'list'
RP_TRAIT_UPDATE = RP_TRAIT_PREFIX % 'update'
RP_TRAIT_DELETE = RP_TRAIT_PREFIX % 'delete'
TRAITS_PREFIX = 'placement:traits:%s'
TRAITS_LIST = TRAITS_PREFIX % 'list'
TRAITS_SHOW = TRAITS_PREFIX % 'show'
TRAITS_UPDATE = TRAITS_PREFIX % 'update'
TRAITS_DELETE = TRAITS_PREFIX % 'delete'
rules = [
policy.DocumentedRuleDefault(TRAITS_LIST,
base.RULE_ADMIN_API,
"List traits.", [{
'method': 'GET',
'path': '/traits'
}],
scope_types=['system']),
policy.DocumentedRuleDefault(
TRAITS_SHOW,
base.RULE_ADMIN_API,
"Show trait.",
[{
'method': 'GET',
'path': '/traits/{name}'
}],
scope_types=['system'],
),
policy.DocumentedRuleDefault(
TRAITS_UPDATE,
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'compute:server:topology:%s'
server_topology_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
description="Show the NUMA topology data for a server",
operations=[{
'method': 'GET',
'path': '/servers/{server_id}/topology'
}],
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
# Control host NUMA node and cpu pinning information
name=BASE_POLICY_NAME % 'host:index',
check_str=base.SYSTEM_READER,
description="Show the NUMA topology data for a server with host"
"NUMA ID and CPU pinning information",
operations=[{
'method': 'GET',
'path': '/servers/{server_id}/topology'
}],
scope_types=['system']),
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from armada.common.policies import base
tiller_policies = [
policy.DocumentedRuleDefault(name=base.TILLER % 'get_status',
check_str=base.RULE_ADMIN_REQUIRED,
description='Get Tiller status',
operations=[{
'path': '/api/v1.0/status/',
'method': 'GET'
}]),
policy.DocumentedRuleDefault(name=base.TILLER % 'get_release',
check_str=base.RULE_ADMIN_REQUIRED,
description='Get Tiller release',
operations=[{
'path': '/api/v1.0/releases/',
'method': 'GET'
}]),
]
def list_rules():
return tiller_policies
)
DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""
instance_usage_audit_log_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
check_str=base.SYSTEM_READER,
description="List all usage audits.",
operations=[
{
'method': 'GET',
'path': '/os-instance_usage_audit_log'
},
],
scope_types=['system'],
deprecated_rule=DEPRECATED_POLICY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.SYSTEM_READER,
description="List all usage audits occurred before "
"a specified time for all servers on all compute hosts where "
"usage auditing is configured",
operations=[
{
deprecated_list_role_assignments_for_tree = policy.DeprecatedRule(
name=base.IDENTITY % 'list_role_assignments_for_tree',
check_str=base.RULE_ADMIN_REQUIRED)
DEPRECATED_REASON = (
"The assignment API is now aware of system scope and default roles.")
role_assignment_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_assignments',
check_str=SYSTEM_READER_OR_DOMAIN_READER,
scope_types=['system', 'domain'],
description='List role assignments.',
operations=[{
'path': '/v3/role_assignments',
'method': 'GET'
}, {
'path': '/v3/role_assignments',
'method': 'HEAD'
}],
deprecated_rule=deprecated_list_role_assignments,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_role_assignments_for_tree',
check_str=SYSTEM_READER_OR_PROJECT_DOMAIN_READER_OR_PROJECT_ADMIN,
scope_types=['system', 'domain', 'project'],
description=('List all role assignments for a given tree of '
'hierarchical projects.'),
operations=[{
'path': '/v3/role_assignments?include_subtree',
policy.DocumentedRuleDefault(
BASE_POLICY_NAME, base.RULE_ADMIN_OR_OWNER,
"""Manages volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and snapshots. These APIs
are proxy calls to the Volume service. These are all deprecated.
""", [{
'method': 'GET',
'path': '/os-volumes'
}, {
'method': 'POST',
'path': '/os-volumes'
}, {
'method': 'GET',
'path': '/os-volumes/detail'
}, {
'method': 'GET',
'path': '/os-volumes/{volume_id}'
}, {
'method': 'DELETE',
'path': '/os-volumes/{volume_id}'
}, {
'method': 'GET',
'path': '/os-snapshots'
}, {
'method': 'POST',
'path': '/os-snapshots'
}, {
'method': 'GET',
'path': '/os-snapshots/detail'
}, {
'method': 'GET',
'path': '/os-snapshots/{snapshot_id}'
}, {
'method': 'DELETE',
'path': '/os-snapshots/{snapshot_id}'
}]),
from oslo_policy import policy
RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
UNPROTECTED = ''
rules = [
policy.RuleDefault(name="context_is_admin", check_str="role:admin"),
policy.RuleDefault(name="segregation", check_str=RULE_CONTEXT_IS_ADMIN),
policy.RuleDefault(name="admin_or_owner", check_str=RULE_ADMIN_OR_OWNER),
policy.RuleDefault(name="default", check_str=RULE_ADMIN_OR_OWNER),
policy.DocumentedRuleDefault(name="telemetry:get_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Get an alarm.',
operations=[{
'path': '/v2/alarms/{alarm_id}',
'method': 'GET'
}]),
policy.DocumentedRuleDefault(
name="telemetry:get_alarms",
check_str=RULE_ADMIN_OR_OWNER,
description='Get all alarms, based on the query provided.',
operations=[{
'path': '/v2/alarms',
'method': 'GET'
}]),
policy.DocumentedRuleDefault(name="telemetry:get_alarms:all_projects",
check_str=RULE_CONTEXT_IS_ADMIN,
description='Get alarms of all projects.',
operations=[{
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from keystone.common.policies import base
limit_policies = [
policy.DocumentedRuleDefault(name=base.IDENTITY % 'get_limit_model',
check_str='',
scope_types=['system', 'project'],
description='Get limit enforcement model.',
operations=[{
'path': '/v3/limits/model',
'method': 'GET'
}, {
'path': '/v3/limits/model',
'method': 'HEAD'
}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_limit',
check_str='',
# Getting a single limit or listing all limits should be information
# accessible to everyone. By setting scope_types=['system', 'project']
# we're making it so that anyone with a role on the system or a project
# can obtain this information. Making changes to a limit should be
# considered a protected system-level API, as noted below with
# scope_types=['system'].
scope_types=['system', 'project'],
deprecated_create_update_policy = base.CinderDeprecatedRule(
name=CREATE_UPDATE_POLICY,
check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN)
deprecated_get_policy = base.CinderDeprecatedRule(
name=GET_POLICY, check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN)
deprecated_get_all_policy = base.CinderDeprecatedRule(
name=GET_ALL_POLICY, check_str=base.SYSTEM_ADMIN)
deprecated_delete_policy = base.CinderDeprecatedRule(
name=DELETE_POLICY, check_str=base.SYSTEM_OR_DOMAIN_OR_PROJECT_ADMIN)
default_type_policies = [
policy.DocumentedRuleDefault(
name=CREATE_UPDATE_POLICY,
check_str=base.RULE_ADMIN_API,
description="Set or update default volume type.",
operations=[{
'method': 'PUT',
'path': '/default-types'
}],
deprecated_rule=deprecated_create_update_policy,
),
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str=base.RULE_ADMIN_API,
description="Get default types.",
operations=[{
'method': 'GET',
'path': '/default-types/{project-id}'
}],
deprecated_rule=deprecated_get_policy,
),
policy.DocumentedRuleDefault(
BASE_POLICY_NAME = 'os_compute_api:os-hosts'
hosts_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME, base.RULE_ADMIN_API,
"""List, show and manage physical hosts.
These APIs are all deprecated in favor of os-hypervisors and os-services.""",
[{
'method': 'GET',
'path': '/os-hosts'
}, {
'method': 'GET',
'path': '/os-hosts/{host_name}'
}, {
'method': 'PUT',
'path': '/os-hosts/{host_name}'
}, {
'method': 'GET',
'path': '/os-hosts/{host_name}/reboot'
}, {
'method': 'GET',
'path': '/os-hosts/{host_name}/shutdown'
}, {
'method': 'GET',
'path': '/os-hosts/{host_name}/startup'
}]),
]
def list_rules():
# deprecated legacy snapshot policies with "share" as base resource
deprecated_share_create_snapshot = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create_snapshot', check_str=base.RULE_DEFAULT)
deprecated_share_delete_snapshot = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'delete_snapshot', check_str=base.RULE_DEFAULT)
deprecated_share_snapshot_update = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'snapshot_update', check_str=base.RULE_DEFAULT)
shares_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Create share.",
operations=[{
'method': 'POST',
'path': '/shares',
}],
deprecated_rule=deprecated_share_create,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create_public_share',
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description="Create shares visible across all projects in the cloud.",
operations=[{
'method': 'POST',
'path': '/shares',
}],
deprecated_rule=deprecated_share_create_public,
from oslo_log import versionutils
from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATION_REASON = (
"The Availability Zone API now supports system scope and default roles.")
rules = [
policy.DocumentedRuleDefault(
name='get_availability_zone',
check_str=base.SYSTEM_READER,
description='List availability zones',
operations=[
{
'method': 'GET',
'path': '/availability_zones',
},
],
scope_types=['system'],
deprecated_rule=policy.DeprecatedRule(
name='get_availability_zone',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
]
def list_rules():
return rules
# under the License.
from oslo_policy import policy
from keystone.common.policies import base
role_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_role',
check_str=base.RULE_ADMIN_REQUIRED,
# FIXME(lbragstad): Roles should be considered a system-level resource.
# The current RBAC design of OpenStack requires configuration
# modification depending on the roles created in keystone. Once that is
# no longer true we should consider adding `project` to the list of
# scope_types.
scope_types=['system'],
description='Show role details.',
operations=[{
'path': '/v3/roles/{role_id}',
'method': 'GET'
}, {
'path': '/v3/roles/{role_id}',
'method': 'HEAD'
}]),
policy.DocumentedRuleDefault(name=base.IDENTITY % 'list_roles',
check_str=base.RULE_ADMIN_REQUIRED,
scope_types=['system'],
description='List roles.',
operations=[{
'path': '/v3/roles',
'method': 'GET'
check_str=base.RULE_ADMIN_API,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
share_server_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.SYSTEM_READER,
scope_types=['system'],
description="Get share servers.",
operations=[
{
'method': 'GET',
'path': '/share-servers',
},
{
'method': 'GET',
'path': '/share-servers?{query}',
}
],
deprecated_rule=deprecated_server_index
),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.SYSTEM_READER,
scope_types=['system'],
description="Show share server.",
operations=[
{
name=CREATE_POLICY, check_str="")
deprecated_get_group_snapshot = base.CinderDeprecatedRule(
name=GET_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_delete_group_snapshot = base.CinderDeprecatedRule(
name=DELETE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
deprecated_update_group_snapshot = base.CinderDeprecatedRule(
name=UPDATE_POLICY, check_str=base.RULE_ADMIN_OR_OWNER)
group_snapshots_policies = [
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str=base.SYSTEM_READER_OR_PROJECT_READER,
description="List group snapshots.",
operations=[{
'method': 'GET',
'path': '/group_snapshots'
}, {
'method': 'GET',
'path': '/group_snapshots/detail'
}],
deprecated_rule=deprecated_get_all_group_snapshots,
),
policy.DocumentedRuleDefault(
name=CREATE_POLICY,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
description="Create group snapshot.",
operations=[{
'method': 'POST',
'path': '/group_snapshots'
}],
deprecated_rule=deprecated_create_group_snapshot,
from oslo_log import versionutils
from oslo_policy import policy
from neutron.conf.policies import base
DEPRECATION_REASON = (
"The Service Providers API now supports system scope and default roles.")
rules = [
policy.DocumentedRuleDefault(
name='get_service_provider',
check_str='role:reader',
description='Get service providers',
operations=[
{
'method': 'GET',
'path': '/service-providers',
},
],
scope_types=['system', 'project'],
deprecated_rule=policy.DeprecatedRule(
name='get_service_provider',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.WALLABY)),
]
def list_rules():
return rules
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="find_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find records.',
operations=[{
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'GET'
}, {
'path': '/v2/reverse/floatingips',
'method': 'GET'
}]),
policy.RuleDefault(name="count_records",
check_str=base.RULE_ADMIN_OR_OWNER)
]
def list_rules():
return rules
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from octavia.common import constants
rules = [
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_MEMBER,
action=constants.RBAC_GET_ALL),
constants.RULE_API_READ, "List Members of a Pool",
[{
'method': 'GET',
'path': '/v2/lbaas/pools/{pool_id}/members'
}]),
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_MEMBER,
action=constants.RBAC_POST),
constants.RULE_API_WRITE, "Create a Member",
[{
'method': 'POST',
'path': '/v2/lbaas/pools/{pool_id}/members'
}]),
policy.DocumentedRuleDefault(
'{rbac_obj}{action}'.format(rbac_obj=constants.RBAC_MEMBER,
action=constants.RBAC_GET_ONE),
constants.RULE_API_READ, "Show Member details",
