Sync default policy rules

This patch updates default policy-in-code rules in horizon based on
nova/neutron/keystone/glance/cinder RC deliverables.

It also bumps a few package versions in lower-constraints.txt and
requirements.txt to fix the lower-constraints job, which failed after
the policy rules were updated.

Change-Id: I168bb171076e3442b29670461a29d12c9988df52
manchandavishal 2022-03-16 23:03:08 +05:30
parent 1bb9092abf
commit 05473b765e
12 changed files with 4922 additions and 3588 deletions


@ -54,19 +54,19 @@ openstacksdk==0.11.2
os-client-config==1.28.0
os-service-types==1.2.0
osc-lib==1.8.0
oslo.concurrency==3.26.0
oslo.config==5.2.0
oslo.context==2.22.0
oslo.i18n==5.0.1
oslo.log==3.36.0
oslo.concurrency==4.5.0
oslo.config==8.8.0
oslo.context==4.1.0
oslo.i18n==5.1.0
oslo.log==4.7.0
oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.policy==3.2.0
oslo.serialization==2.18.0
oslo.policy==3.11.0
oslo.serialization==4.3.0
oslo.service==1.24.0
oslo.upgradecheck==0.1.1
oslo.utils==4.8.0
osprofiler==2.3.0
oslo.upgradecheck==1.5.0
oslo.utils==4.12.0
osprofiler==3.4.2
Paste==2.0.2
PasteDeploy==1.5.0
pbr==5.5.0
@ -97,14 +97,14 @@ python-neutronclient==6.7.0
python-novaclient==9.1.0
python-swiftclient==3.2.0
pytz==2013.6
PyYAML==3.12
PyYAML==6.0
rcssmin==1.0.6
reno==3.1.0
repoze.lru==0.7
requests==2.25.1
requestsexceptions==1.2.0
restructuredtext-lint==1.1.1
rfc3986==0.3.1
rfc3986==1.5.0
rjsmin==1.1.0
Routes==2.3.1
selenium==2.50.1




@ -1,13 +1,9 @@
- check_str: ''
deprecated_reason: In order to allow operators to accept the default policies from
code by not defining them in the policy file, while still working with old policy
files that rely on the ``default`` rule for policies that are not specified in
the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"``
when that is the desired default for unspecified rules.
deprecated_reason: null
deprecated_rule:
check_str: role:admin
name: default
deprecated_since: Ussuri
deprecated_since: null
description: Defines the default rule used for policies that historically had an
empty policy in the supplied policy.json file.
name: default
@ -18,16 +14,12 @@
name: context_is_admin
operations: []
scope_types: null
- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
deprecated_reason: '
The image API now supports roles.
'
- check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_image
deprecated_since: W
deprecated_since: null
description: Create new image
name: add_image
operations:
@ -37,15 +29,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_image
deprecated_since: W
deprecated_since: null
description: Deletes the image
name: delete_image
operations:
@ -55,16 +43,12 @@
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))
deprecated_reason: '
The image API now supports roles.
'
or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_image
deprecated_since: W
deprecated_since: null
description: Get specified image
name: get_image
operations:
@ -74,15 +58,11 @@
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_images
deprecated_since: W
deprecated_since: null
description: Get all available images
name: get_images
operations:
@ -92,15 +72,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: modify_image
deprecated_since: W
deprecated_since: null
description: Updates given image
name: modify_image
operations:
@ -119,15 +95,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: communitize_image
deprecated_since: W
deprecated_since: null
description: Communitize given image
name: communitize_image
operations:
@ -137,16 +109,12 @@
- system
- project
- check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s
or "community":%(visibility)s or "public":%(visibility)s))
deprecated_reason: '
The image API now supports roles.
'
or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: download_image
deprecated_since: W
deprecated_since: null
description: Downloads given image
name: download_image
operations:
@ -156,15 +124,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: upload_image
deprecated_since: W
deprecated_since: null
description: Uploads data to specified image
name: upload_image
operations:
@ -174,15 +138,11 @@
- system
- project
- check_str: role:admin
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_image_location
deprecated_since: W
deprecated_since: null
description: Deletes the location of given image
name: delete_image_location
operations:
@ -192,15 +152,11 @@
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_image_location
deprecated_since: W
deprecated_since: null
description: Reads the location of the image
name: get_image_location
operations:
@ -210,15 +166,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: set_image_location
deprecated_since: W
deprecated_since: null
description: Sets location URI to given image
name: set_image_location
operations:
@ -228,15 +180,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_member
deprecated_since: W
deprecated_since: null
description: Create image member
name: add_member
operations:
@ -246,15 +194,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_member
deprecated_since: W
deprecated_since: null
description: Delete image member
name: delete_member
operations:
@ -264,15 +208,11 @@
- system
- project
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_member
deprecated_since: W
deprecated_since: null
description: Show image member details
name: get_member
operations:
@ -282,15 +222,11 @@
- system
- project
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_members
deprecated_since: W
deprecated_since: null
description: List image members
name: get_members
operations:
@ -300,15 +236,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(member_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: modify_member
deprecated_since: W
deprecated_since: null
description: Update image member
name: modify_member
operations:
@ -325,15 +257,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: deactivate
deprecated_since: W
deprecated_since: null
description: Deactivate image
name: deactivate
operations:
@ -343,15 +271,11 @@
- system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The image API now supports roles.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: reactivate
deprecated_since: W
deprecated_since: null
description: Reactivate image
name: reactivate
operations:
@ -370,18 +294,11 @@
- system
- project
- check_str: rule:default
deprecated_reason: '
From Xena we are enforcing policy checks in the API and policy layer where task
policies were enforcing will be removed. Since task APIs are already deprecated
and `tasks_api_access` is checked for each API at API layer, there will be no
benefit of other having other task related policies.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_task
deprecated_since: X
deprecated_since: null
description: 'Get an image task.
@ -406,18 +323,11 @@
- system
- project
- check_str: rule:default
deprecated_reason: '
From Xena we are enforcing policy checks in the API and policy layer where task
policies were enforcing will be removed. Since task APIs are already deprecated
and `tasks_api_access` is checked for each API at API layer, there will be no
benefit of other having other task related policies.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_task
deprecated_since: X
name: get_tasks
deprecated_since: null
description: 'List tasks for all images.
@ -442,18 +352,11 @@
- system
- project
- check_str: rule:default
deprecated_reason: '
From Xena we are enforcing policy checks in the API and policy layer where task
policies were enforcing will be removed. Since task APIs are already deprecated
and `tasks_api_access` is checked for each API at API layer, there will be no
benefit of other having other task related policies.
'
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_task
deprecated_since: X
deprecated_since: null
description: 'List tasks for all images.
@ -528,133 +431,337 @@
name: metadef_admin
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_namespace
deprecated_since: null
description: Get a specific namespace.
name: get_metadef_namespace
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_namespaces
deprecated_since: null
description: List namespace.
name: get_metadef_namespaces
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Modify an existing namespace.
name: modify_metadef_namespace
operations: []
scope_types: null
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Create a namespace.
name: add_metadef_namespace
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete a namespace.
name: delete_metadef_namespace
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_object
deprecated_since: null
description: Get a specific object from a namespace.
name: get_metadef_object
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_objects
deprecated_since: null
description: Get objects from a namespace.
name: get_metadef_objects
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Update an object within a namespace.
name: modify_metadef_object
operations: []
scope_types: null
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Create an object within a namespace.
name: add_metadef_object
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete an object within a namespace.
name: delete_metadef_object
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: list_metadef_resource_types
deprecated_since: null
description: List meta definition resource types.
name: list_metadef_resource_types
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: GET
path: /v2/metadefs/resource_types
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_resource_type
deprecated_since: null
description: Get meta definition resource types associations.
name: get_metadef_resource_type
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Create meta definition resource types association.
name: add_metadef_resource_type_association
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete meta definition resource types association.
name: remove_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_property
deprecated_since: null
description: Get a specific meta definition property.
name: get_metadef_property
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_properties
deprecated_since: null
description: List meta definition properties.
name: get_metadef_properties
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Update meta definition property.
name: modify_metadef_property
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Create meta definition property.
name: add_metadef_property
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete meta definition property.
name: remove_metadef_property
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_tag
deprecated_since: null
description: Get tag definition.
name: get_metadef_tag
operations: []
scope_types: null
- check_str: rule:metadef_default
description: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_tags
deprecated_since: null
description: List tag definitions.
name: get_metadef_tags
operations: []
scope_types: null
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Update tag definition.
name: modify_metadef_tag
operations: []
scope_types: null
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Add tag definition.
name: add_metadef_tag
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Create tag definitions.
name: add_metadef_tags
operations: []
scope_types: null
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete tag definition.
name: delete_metadef_tag
operations: []
scope_types: null
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- system
- project
- check_str: rule:metadef_admin
description: null
description: Delete tag definitions.
name: delete_metadef_tags
operations: []
scope_types: null
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- system
- project
- check_str: role:admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_image
deprecated_since: null
description: Queue image for caching
name: cache_image
operations:
- method: PUT
path: /v2/cache/{image_id}
scope_types:
- project
- check_str: role:admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_list
deprecated_since: null
description: List cache status
name: cache_list
operations:
- method: GET
path: /v2/cache
scope_types:
- project
- check_str: role:admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_delete
deprecated_since: null
description: Delete image(s) from cache and/or queue
name: cache_delete
operations:
- method: DELETE
path: /v2/cache
- method: DELETE
path: /v2/cache/{image_id}
scope_types:
- project
- check_str: role:admin
description: Expose store specific information
name: stores_info_detail
operations:
- method: GET
path: /v2/info/stores/detail
scope_types:
- system
- project
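Review bot: The regenerated image rules keep their `deprecated_rule` (for example `check_str: rule:default` under `add_image`) but now carry `deprecated_reason: null` and `deprecated_since: null`, so this file no longer records why or since when the old default was deprecated. The sample policy file later in this commit still prints "deprecated since W" and "The image API now supports roles." for the same rules, which suggests the values were lost when this file was dumped rather than removed upstream; the generator is not on this page, so that is an inference. Because the `default` rule at the top of the file has `check_str: ''`, it is worth confirming how the consumer of this file evaluates `deprecated_rule`, since a loader that still honours the deprecated check would treat these operations as unrestricted. I would keep the original values in the regenerated entries, e.g. `deprecated_since: W` together with the previous `deprecated_reason` text.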





@ -40,14 +40,14 @@
# Get specified image
# GET /v2/images/{image_id}
# Intended scope(s): system, project
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
# DEPRECATED
# "get_image":"rule:default" has been deprecated since W in favor of
# "get_image":"role:admin or (role:reader and
# (project_id:%(project_id)s or project_id:%(member_id)s or
# "community":%(visibility)s or "public":%(visibility)s or
# "shared":%(visibility)s))".
# 'community':%(visibility)s or 'public':%(visibility)s or
# 'shared':%(visibility)s))".
# The image API now supports roles.
# Get all available images
@ -91,14 +91,14 @@
# Downloads given image
# GET /v2/images/{image_id}/file
# Intended scope(s): system, project
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
# DEPRECATED
# "download_image":"rule:default" has been deprecated since W in favor
# of "download_image":"role:admin or (role:member and
# (project_id:%(project_id)s or project_id:%(member_id)s or
# "community":%(visibility)s or "public":%(visibility)s or
# "shared":%(visibility)s))".
# 'community':%(visibility)s or 'public':%(visibility)s or
# 'shared':%(visibility)s))".
# The image API now supports roles.
# Uploads data to specified image
@ -319,55 +319,235 @@
#"metadef_admin": "role:admin"
#"get_metadef_namespace": "rule:metadef_default"
# Get a specific namespace.
# GET /v2/metadefs/namespaces/{namespace_name}
# Intended scope(s): system, project
#"get_metadef_namespace": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
#"get_metadef_namespaces": "rule:metadef_default"
# DEPRECATED
# "get_metadef_namespace":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_namespace":"role:admin or
# (role:reader and (project_id:%(project_id)s or
# 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# List namespace.
# GET /v2/metadefs/namespaces
# Intended scope(s): system, project
#"get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_metadef_namespaces":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_namespaces":"role:admin or
# (role:reader and project_id:%(project_id)s)".
# The metadata API now supports project scope and default roles.
# Modify an existing namespace.
# PUT /v2/metadefs/namespaces/{namespace_name}
# Intended scope(s): system, project
#"modify_metadef_namespace": "rule:metadef_admin"
# Create a namespace.
# POST /v2/metadefs/namespaces
# Intended scope(s): system, project
#"add_metadef_namespace": "rule:metadef_admin"
# Delete a namespace.
# DELETE /v2/metadefs/namespaces/{namespace_name}
# Intended scope(s): system, project
#"delete_metadef_namespace": "rule:metadef_admin"
#"get_metadef_object": "rule:metadef_default"
# Get a specific object from a namespace.
# GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
# Intended scope(s): system, project
#"get_metadef_object": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
#"get_metadef_objects": "rule:metadef_default"
# DEPRECATED
# "get_metadef_object":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_object":"role:admin or (role:reader
# and (project_id:%(project_id)s or 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Get objects from a namespace.
# GET /v2/metadefs/namespaces/{namespace_name}/objects
# Intended scope(s): system, project
#"get_metadef_objects": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
# "get_metadef_objects":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_objects":"role:admin or
# (role:reader and (project_id:%(project_id)s or
# 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Update an object within a namespace.
# PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
# Intended scope(s): system, project
#"modify_metadef_object": "rule:metadef_admin"
# Create an object within a namespace.
# POST /v2/metadefs/namespaces/{namespace_name}/objects
# Intended scope(s): system, project
#"add_metadef_object": "rule:metadef_admin"
# Delete an object within a namespace.
# DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
# Intended scope(s): system, project
#"delete_metadef_object": "rule:metadef_admin"
#"list_metadef_resource_types": "rule:metadef_default"
# List meta definition resource types.
# GET /v2/metadefs/resource_types
# Intended scope(s): system, project
#"list_metadef_resource_types": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
#"get_metadef_resource_type": "rule:metadef_default"
# DEPRECATED
# "list_metadef_resource_types":"rule:metadef_default" has been
# deprecated since X in favor of
# "list_metadef_resource_types":"role:admin or (role:reader and
# (project_id:%(project_id)s or 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Get meta definition resource types associations.
# GET /v2/metadefs/namespaces/{namespace_name}/resource_types
# Intended scope(s): system, project
#"get_metadef_resource_type": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
# "get_metadef_resource_type":"rule:metadef_default" has been
# deprecated since X in favor of
# "get_metadef_resource_type":"role:admin or (role:reader and
# (project_id:%(project_id)s or 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Create meta definition resource types association.
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types
# Intended scope(s): system, project
#"add_metadef_resource_type_association": "rule:metadef_admin"
# Delete meta definition resource types association.
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
# Intended scope(s): system, project
#"remove_metadef_resource_type_association": "rule:metadef_admin"
#"get_metadef_property": "rule:metadef_default"
# Get a specific meta definition property.
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
# Intended scope(s): system, project
#"get_metadef_property": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
#"get_metadef_properties": "rule:metadef_default"
# DEPRECATED
# "get_metadef_property":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_property":"role:admin or
# (role:reader and (project_id:%(project_id)s or
# 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# List meta definition properties.
# GET /v2/metadefs/namespaces/{namespace_name}/properties
# Intended scope(s): system, project
#"get_metadef_properties": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
# "get_metadef_properties":"rule:metadef_default" has been deprecated
# since X in favor of "get_metadef_properties":"role:admin or
# (role:reader and (project_id:%(project_id)s or
# 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Update meta definition property.
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
# Intended scope(s): system, project
#"modify_metadef_property": "rule:metadef_admin"
# Create meta definition property.
# POST /v2/metadefs/namespaces/{namespace_name}/properties
# Intended scope(s): system, project
#"add_metadef_property": "rule:metadef_admin"
# Delete meta definition property.
# DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
# Intended scope(s): system, project
#"remove_metadef_property": "rule:metadef_admin"
#"get_metadef_tag": "rule:metadef_default"
# Get tag definition.
# GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
# Intended scope(s): system, project
#"get_metadef_tag": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
#"get_metadef_tags": "rule:metadef_default"
# DEPRECATED
# "get_metadef_tag":"rule:metadef_default" has been deprecated since X
# in favor of "get_metadef_tag":"role:admin or (role:reader and
# (project_id:%(project_id)s or 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# List tag definitions.
# GET /v2/metadefs/namespaces/{namespace_name}/tags
# Intended scope(s): system, project
#"get_metadef_tags": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
# "get_metadef_tags":"rule:metadef_default" has been deprecated since
# X in favor of "get_metadef_tags":"role:admin or (role:reader and
# (project_id:%(project_id)s or 'public':%(visibility)s))".
# The metadata API now supports project scope and default roles.
# Update tag definition.
# PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
# Intended scope(s): system, project
#"modify_metadef_tag": "rule:metadef_admin"
# Add tag definition.
# POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
# Intended scope(s): system, project
#"add_metadef_tag": "rule:metadef_admin"
# Create tag definitions.
# POST /v2/metadefs/namespaces/{namespace_name}/tags
# Intended scope(s): system, project
#"add_metadef_tags": "rule:metadef_admin"
# Delete tag definition.
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
# Intended scope(s): system, project
#"delete_metadef_tag": "rule:metadef_admin"
# Delete tag definitions.
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags
# Intended scope(s): system, project
#"delete_metadef_tags": "rule:metadef_admin"
# Queue image for caching
# PUT /v2/cache/{image_id}
# Intended scope(s): project
#"cache_image": "role:admin"
# DEPRECATED
# "cache_image":"rule:manage_image_cache" has been deprecated since X
# in favor of "cache_image":"role:admin".
# The image API now supports roles.
# List cache status
# GET /v2/cache
# Intended scope(s): project
#"cache_list": "role:admin"
# DEPRECATED
# "cache_list":"rule:manage_image_cache" has been deprecated since X
# in favor of "cache_list":"role:admin".
# The image API now supports roles.
# Delete image(s) from cache and/or queue
# DELETE /v2/cache
# DELETE /v2/cache/{image_id}
# Intended scope(s): project
#"cache_delete": "role:admin"
# DEPRECATED
# "cache_delete":"rule:manage_image_cache" has been deprecated since X
# in favor of "cache_delete":"role:admin".
# The image API now supports roles.
# Expose store specific information
# GET /v2/info/stores/detail
# Intended scope(s): system, project
#"stores_info_detail": "role:admin"
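Review bot: The documented operation for `modify_metadef_property` is `GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}` although its description is "Update meta definition property.", and `remove_metadef_resource_type_association` is described as a delete but documented as `POST .../resource_types/{name}`. The sibling entries `modify_metadef_object` and `modify_metadef_tag` use PUT and the other delete entries use DELETE, so these two look like copy-paste slips; the same methods appear in the `operations` lists of the structured policy file earlier in this commit. These lines are documentation only and were probably synced from the upstream defaults, so the fix likely belongs there, but an operator mapping rules to API calls from this sample would be misled. The expected lines would be `# PUT /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}` and `# DELETE /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}`.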


@ -68,13 +68,12 @@
#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:get_application_credentials":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:get_application_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:get_application_credential":"(role:reader and
# system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.
#"identity:get_application_credentials": "rule:identity:get_application_credential"
# List application credentials for a user.
# GET /v3/users/{user_id}/application_credentials
@ -101,13 +100,12 @@
#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:delete_application_credentials":"rule:admin_or_owner" has
# "identity:delete_application_credential":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:delete_application_credential":"(role:admin and
# system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.
#"identity:delete_application_credentials": "rule:identity:delete_application_credential"
# Get service catalog.
# GET /v3/auth/catalog
@ -426,13 +424,12 @@
#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:ec2_create_credentials":"rule:admin_or_owner" has been
# "identity:ec2_create_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:ec2_create_credential":"(role:admin and system_scope:all)
# or rule:owner".
# The EC2 credential API is now aware of system scope and default
# roles.
#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential"
# Delete ec2 credential.
# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
@ -440,14 +437,12 @@
#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:ec2_delete_credentials":"rule:admin_required or
# (rule:owner and user_id:%(target.credential.user_id)s)" has been
# deprecated since T in favor of
# "identity:ec2_delete_credential":"(role:admin and system_scope:all)
# or user_id:%(target.credential.user_id)s".
# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner
# and user_id:%(target.credential.user_id)s)" has been deprecated
# since T in favor of "identity:ec2_delete_credential":"(role:admin
# and system_scope:all) or user_id:%(target.credential.user_id)s".
# The EC2 credential API is now aware of system scope and default
# roles.
#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential"
# Show endpoint details.
# GET /v3/endpoints/{endpoint_id}
@ -1013,13 +1008,12 @@
#"identity:create_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_identity_providers":"rule:admin_required" has been
# "identity:create_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.
#"identity:create_identity_providers": "rule:identity:create_identity_provider"
# List identity providers.
# GET /v3/OS-FEDERATION/identity_providers
@ -1042,12 +1036,11 @@
#"identity:get_identity_provider": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_identity_providers":"rule:admin_required" has been
# "identity:get_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_identity_provider":"role:reader and system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.
#"identity:get_identity_providers": "rule:identity:get_identity_provider"
# Update identity provider.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
@ -1055,13 +1048,12 @@
#"identity:update_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_identity_providers":"rule:admin_required" has been
# "identity:update_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.
#"identity:update_identity_providers": "rule:identity:update_identity_provider"
# Delete identity provider.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
@ -1069,13 +1061,12 @@
#"identity:delete_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_identity_providers":"rule:admin_required" has been
# "identity:delete_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.
#"identity:delete_identity_providers": "rule:identity:delete_identity_provider"
# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the


@ -20,14 +20,14 @@ futurist>=1.2.0 # Apache-2.0
iso8601>=0.1.11 # MIT
keystoneauth1>=4.3.1 # Apache-2.0
netaddr>=0.7.18 # BSD
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.i18n>=5.0.1 # Apache-2.0
oslo.policy>=3.2.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.upgradecheck>=0.1.1 # Apache-2.0
oslo.utils>=4.8.0 # Apache-2.0
osprofiler>=2.3.0 # Apache-2.0
oslo.concurrency>=4.5.0 # Apache-2.0
oslo.config>=8.8.0 # Apache-2.0
oslo.i18n>=5.1.0 # Apache-2.0
oslo.policy>=3.11.0 # Apache-2.0
oslo.serialization>=4.3.0 # Apache-2.0
oslo.upgradecheck>=1.5.0 # Apache-2.0
oslo.utils>=4.12.0 # Apache-2.0
osprofiler>=3.4.2 # Apache-2.0
pymongo!=3.1,>=3.0.2 # Apache-2.0
pyScss>=1.3.7 # MIT License
python-cinderclient>=8.0.0 # Apache-2.0
@ -37,7 +37,7 @@ python-neutronclient>=6.7.0 # Apache-2.0
python-novaclient>=9.1.0 # Apache-2.0
python-swiftclient>=3.2.0 # Apache-2.0
pytz>=2013.6 # MIT
PyYAML>=3.12 # MIT
PyYAML>=6.0 # MIT
requests>=2.25.1 # Apache-2.0
six>=1.16.0 # MIT
semantic-version>=2.3.1 # BSD