Sync default policy rules

This patch updates default policy-in-code rules in horizon based on
nova/neutron/keystone/glance/cinder RC deliverables.

It also bumps a few packages versions in lower-constraints.txt and
requirements.txt to fix the failed lower-constraints job after
updating policy rules.

Change-Id: I168bb171076e3442b29670461a29d12c9988df52

lower-constraints.txt

@@ -54,19 +54,19 @@ openstacksdk==0.11.2
 os-client-config==1.28.0
 os-service-types==1.2.0
 osc-lib==1.8.0
-oslo.concurrency==3.26.0
+oslo.concurrency==4.5.0
-oslo.config==5.2.0
+oslo.config==8.8.0
-oslo.context==2.22.0
+oslo.context==4.1.0
-oslo.i18n==5.0.1
+oslo.i18n==5.1.0
-oslo.log==3.36.0
+oslo.log==4.7.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==3.2.0
+oslo.policy==3.11.0
-oslo.serialization==2.18.0
+oslo.serialization==4.3.0
 oslo.service==1.24.0
-oslo.upgradecheck==0.1.1
+oslo.upgradecheck==1.5.0
-oslo.utils==4.8.0
+oslo.utils==4.12.0
-osprofiler==2.3.0
+osprofiler==3.4.2
 Paste==2.0.2
 PasteDeploy==1.5.0
 pbr==5.5.0
@@ -97,14 +97,14 @@ python-neutronclient==6.7.0
 python-novaclient==9.1.0
 python-swiftclient==3.2.0
 pytz==2013.6
-PyYAML==3.12
+PyYAML==6.0
 rcssmin==1.0.6
 reno==3.1.0
 repoze.lru==0.7
 requests==2.25.1
 requestsexceptions==1.2.0
 restructuredtext-lint==1.1.1
-rfc3986==0.3.1
+rfc3986==1.5.0
 rjsmin==1.1.0
 Routes==2.3.1
 selenium==2.50.1

openstack_dashboard/conf/default_policies/glance.yaml

@@ -1,13 +1,9 @@
 - check_str: ''
-  deprecated_reason: In order to allow operators to accept the default policies from
+  deprecated_reason: null
-    code by not defining them in the policy file, while still working with old policy
-    files that rely on the ``default`` rule for policies that are not specified in
-    the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"``
-    when that is the desired default for unspecified rules.
   deprecated_rule:
     check_str: role:admin
     name: default
-  deprecated_since: Ussuri
+  deprecated_since: null
   description: Defines the default rule used for policies that historically had an
     empty policy in the supplied policy.json file.
   name: default
@@ -18,16 +14,12 @@
   name: context_is_admin
   operations: []
   scope_types: null
-- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
+- check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: add_image
-  deprecated_since: W
+  deprecated_since: null
   description: Create new image
   name: add_image
   operations:
@@ -37,15 +29,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: delete_image
-  deprecated_since: W
+  deprecated_since: null
   description: Deletes the image
   name: delete_image
   operations:
@@ -55,16 +43,12 @@
   - system
   - project
 - check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
-    or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))
+    or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_image
-  deprecated_since: W
+  deprecated_since: null
   description: Get specified image
   name: get_image
   operations:
@@ -74,15 +58,11 @@
   - system
   - project
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_images
-  deprecated_since: W
+  deprecated_since: null
   description: Get all available images
   name: get_images
   operations:
@@ -92,15 +72,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: modify_image
-  deprecated_since: W
+  deprecated_since: null
   description: Updates given image
   name: modify_image
   operations:
@@ -119,15 +95,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: communitize_image
-  deprecated_since: W
+  deprecated_since: null
   description: Communitize given image
   name: communitize_image
   operations:
@@ -137,16 +109,12 @@
   - system
   - project
 - check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s
-    or "community":%(visibility)s or "public":%(visibility)s))
+    or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: download_image
-  deprecated_since: W
+  deprecated_since: null
   description: Downloads given image
   name: download_image
   operations:
@@ -156,15 +124,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: upload_image
-  deprecated_since: W
+  deprecated_since: null
   description: Uploads data to specified image
   name: upload_image
   operations:
@@ -174,15 +138,11 @@
   - system
   - project
 - check_str: role:admin
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: delete_image_location
-  deprecated_since: W
+  deprecated_since: null
   description: Deletes the location of given image
   name: delete_image_location
   operations:
@@ -192,15 +152,11 @@
   - system
   - project
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_image_location
-  deprecated_since: W
+  deprecated_since: null
   description: Reads the location of the image
   name: get_image_location
   operations:
@@ -210,15 +166,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: set_image_location
-  deprecated_since: W
+  deprecated_since: null
   description: Sets location URI to given image
   name: set_image_location
   operations:
@@ -228,15 +180,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: add_member
-  deprecated_since: W
+  deprecated_since: null
   description: Create image member
   name: add_member
   operations:
@@ -246,15 +194,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: delete_member
-  deprecated_since: W
+  deprecated_since: null
   description: Delete image member
   name: delete_member
   operations:
@@ -264,15 +208,11 @@
   - system
   - project
 - check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_member
-  deprecated_since: W
+  deprecated_since: null
   description: Show image member details
   name: get_member
   operations:
@@ -282,15 +222,11 @@
   - system
   - project
 - check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_members
-  deprecated_since: W
+  deprecated_since: null
   description: List image members
   name: get_members
   operations:
@@ -300,15 +236,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(member_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: modify_member
-  deprecated_since: W
+  deprecated_since: null
   description: Update image member
   name: modify_member
   operations:
@@ -325,15 +257,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: deactivate
-  deprecated_since: W
+  deprecated_since: null
   description: Deactivate image
   name: deactivate
   operations:
@@ -343,15 +271,11 @@
   - system
   - project
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
-  deprecated_reason: '
+  deprecated_reason: null
-
-    The image API now supports roles.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: reactivate
-  deprecated_since: W
+  deprecated_since: null
   description: Reactivate image
   name: reactivate
   operations:
@@ -370,18 +294,11 @@
   - system
   - project
 - check_str: rule:default
-  deprecated_reason: '
+  deprecated_reason: null
-
-    From Xena we are enforcing policy checks in the API and policy layer where task
-    policies were enforcing will be removed. Since task APIs are already deprecated
-    and `tasks_api_access` is checked for each API at API layer, there will be no
-    benefit of other having other task related policies.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: get_task
-  deprecated_since: X
+  deprecated_since: null
   description: 'Get an image task.
 
 
@@ -406,18 +323,11 @@
   - system
   - project
 - check_str: rule:default
-  deprecated_reason: '
+  deprecated_reason: null
-
-    From Xena we are enforcing policy checks in the API and policy layer where task
-    policies were enforcing will be removed. Since task APIs are already deprecated
-    and `tasks_api_access` is checked for each API at API layer, there will be no
-    benefit of other having other task related policies.
-
-    '
   deprecated_rule:
     check_str: rule:default
-    name: get_task
+    name: get_tasks
-  deprecated_since: X
+  deprecated_since: null
   description: 'List tasks for all images.
 
 
@@ -442,18 +352,11 @@
   - system
   - project
 - check_str: rule:default
-  deprecated_reason: '
+  deprecated_reason: null
-
-    From Xena we are enforcing policy checks in the API and policy layer where task
-    policies were enforcing will be removed. Since task APIs are already deprecated
-    and `tasks_api_access` is checked for each API at API layer, there will be no
-    benefit of other having other task related policies.
-
-    '
   deprecated_rule:
     check_str: rule:default
     name: add_task
-  deprecated_since: X
+  deprecated_since: null
   description: 'List tasks for all images.
 
 
@@ -528,133 +431,337 @@
   name: metadef_admin
   operations: []
   scope_types: null
-- check_str: rule:metadef_default
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
-  description: null
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_namespace
+  deprecated_since: null
+  description: Get a specific namespace.
   name: get_metadef_namespace
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and project_id:%(project_id)s)
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_namespaces
+  deprecated_since: null
+  description: List namespace.
   name: get_metadef_namespaces
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Modify an existing namespace.
   name: modify_metadef_namespace
-  operations: []
+  operations:
-  scope_types: null
+  - method: PUT
+    path: /v2/metadefs/namespaces/{namespace_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Create a namespace.
   name: add_metadef_namespace
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete a namespace.
   name: delete_metadef_namespace
-  operations: []
+  operations:
-  scope_types: null
+  - method: DELETE
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_object
+  deprecated_since: null
+  description: Get a specific object from a namespace.
   name: get_metadef_object
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_objects
+  deprecated_since: null
+  description: Get objects from a namespace.
   name: get_metadef_objects
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces/{namespace_name}/objects
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Update an object within a namespace.
   name: modify_metadef_object
-  operations: []
+  operations:
-  scope_types: null
+  - method: PUT
+    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Create an object within a namespace.
   name: add_metadef_object
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces/{namespace_name}/objects
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete an object within a namespace.
   name: delete_metadef_object
-  operations: []
+  operations:
-  scope_types: null
+  - method: DELETE
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: list_metadef_resource_types
+  deprecated_since: null
+  description: List meta definition resource types.
   name: list_metadef_resource_types
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
-- check_str: rule:metadef_default
+    path: /v2/metadefs/resource_types
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_resource_type
+  deprecated_since: null
+  description: Get meta definition resource types associations.
   name: get_metadef_resource_type
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces/{namespace_name}/resource_types
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Create meta definition resource types association.
   name: add_metadef_resource_type_association
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces/{namespace_name}/resource_types
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete meta definition resource types association.
   name: remove_metadef_resource_type_association
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_property
+  deprecated_since: null
+  description: Get a specific meta definition property.
   name: get_metadef_property
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_properties
+  deprecated_since: null
+  description: List meta definition properties.
   name: get_metadef_properties
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces/{namespace_name}/properties
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Update meta definition property.
   name: modify_metadef_property
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Create meta definition property.
   name: add_metadef_property
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces/{namespace_name}/properties
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete meta definition property.
   name: remove_metadef_property
-  operations: []
+  operations:
-  scope_types: null
+  - method: DELETE
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_tag
+  deprecated_since: null
+  description: Get tag definition.
   name: get_metadef_tag
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
-- check_str: rule:metadef_default
+    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
-  description: null
+  scope_types:
+  - system
+  - project
+- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:metadef_default
+    name: get_metadef_tags
+  deprecated_since: null
+  description: List tag definitions.
   name: get_metadef_tags
-  operations: []
+  operations:
-  scope_types: null
+  - method: GET
+    path: /v2/metadefs/namespaces/{namespace_name}/tags
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Update tag definition.
   name: modify_metadef_tag
-  operations: []
+  operations:
-  scope_types: null
+  - method: PUT
+    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Add tag definition.
   name: add_metadef_tag
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Create tag definitions.
   name: add_metadef_tags
-  operations: []
+  operations:
-  scope_types: null
+  - method: POST
+    path: /v2/metadefs/namespaces/{namespace_name}/tags
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete tag definition.
   name: delete_metadef_tag
-  operations: []
+  operations:
-  scope_types: null
+  - method: DELETE
+    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+  scope_types:
+  - system
+  - project
 - check_str: rule:metadef_admin
-  description: null
+  description: Delete tag definitions.
   name: delete_metadef_tags
-  operations: []
+  operations:
-  scope_types: null
+  - method: DELETE
+    path: /v2/metadefs/namespaces/{namespace_name}/tags
+  scope_types:
+  - system
+  - project
+- check_str: role:admin
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:manage_image_cache
+    name: cache_image
+  deprecated_since: null
+  description: Queue image for caching
+  name: cache_image
+  operations:
+  - method: PUT
+    path: /v2/cache/{image_id}
+  scope_types:
+  - project
+- check_str: role:admin
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:manage_image_cache
+    name: cache_list
+  deprecated_since: null
+  description: List cache status
+  name: cache_list
+  operations:
+  - method: GET
+    path: /v2/cache
+  scope_types:
+  - project
+- check_str: role:admin
+  deprecated_reason: null
+  deprecated_rule:
+    check_str: rule:manage_image_cache
+    name: cache_delete
+  deprecated_since: null
+  description: Delete image(s) from cache and/or queue
+  name: cache_delete
+  operations:
+  - method: DELETE
+    path: /v2/cache
+  - method: DELETE
+    path: /v2/cache/{image_id}
+  scope_types:
+  - project
+- check_str: role:admin
+  description: Expose store specific information
+  name: stores_info_detail
+  operations:
+  - method: GET
+    path: /v2/info/stores/detail
+  scope_types:
+  - system
+  - project

openstack_dashboard/conf/glance_policy.yaml

@@ -40,14 +40,14 @@
 # Get specified image
 # GET  /v2/images/{image_id}
 # Intended scope(s): system, project
-#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
+#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
 
 # DEPRECATED
 # "get_image":"rule:default" has been deprecated since W in favor of
 # "get_image":"role:admin or (role:reader and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s or
+# 'community':%(visibility)s or 'public':%(visibility)s or
-# "shared":%(visibility)s))".
+# 'shared':%(visibility)s))".
 # The image API now supports roles.
 
 # Get all available images
@@ -91,14 +91,14 @@
 # Downloads given image
 # GET  /v2/images/{image_id}/file
 # Intended scope(s): system, project
-#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
+#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
 
 # DEPRECATED
 # "download_image":"rule:default" has been deprecated since W in favor
 # of "download_image":"role:admin or (role:member and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s or
+# 'community':%(visibility)s or 'public':%(visibility)s or
-# "shared":%(visibility)s))".
+# 'shared':%(visibility)s))".
 # The image API now supports roles.
 
 # Uploads data to specified image
@@ -319,55 +319,235 @@
 
 #"metadef_admin": "role:admin"
 
-#"get_metadef_namespace": "rule:metadef_default"
+# Get a specific namespace.
+# GET  /v2/metadefs/namespaces/{namespace_name}
+# Intended scope(s): system, project
+#"get_metadef_namespace": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
 
-#"get_metadef_namespaces": "rule:metadef_default"
+# DEPRECATED
+# "get_metadef_namespace":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_namespace":"role:admin or
+# (role:reader and (project_id:%(project_id)s or
+# 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
 
+# List namespace.
+# GET  /v2/metadefs/namespaces
+# Intended scope(s): system, project
+#"get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)"
+
+# DEPRECATED
+# "get_metadef_namespaces":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_namespaces":"role:admin or
+# (role:reader and project_id:%(project_id)s)".
+# The metadata API now supports project scope and default roles.
+
+# Modify an existing namespace.
+# PUT  /v2/metadefs/namespaces/{namespace_name}
+# Intended scope(s): system, project
 #"modify_metadef_namespace": "rule:metadef_admin"
 
+# Create a namespace.
+# POST  /v2/metadefs/namespaces
+# Intended scope(s): system, project
 #"add_metadef_namespace": "rule:metadef_admin"
 
+# Delete a namespace.
+# DELETE  /v2/metadefs/namespaces/{namespace_name}
+# Intended scope(s): system, project
 #"delete_metadef_namespace": "rule:metadef_admin"
 
-#"get_metadef_object": "rule:metadef_default"
+# Get a specific object from a namespace.
+# GET  /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
+# Intended scope(s): system, project
+#"get_metadef_object": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
 
-#"get_metadef_objects": "rule:metadef_default"
+# DEPRECATED
+# "get_metadef_object":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_object":"role:admin or (role:reader
+# and (project_id:%(project_id)s or 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
 
+# Get objects from a namespace.
+# GET  /v2/metadefs/namespaces/{namespace_name}/objects
+# Intended scope(s): system, project
+#"get_metadef_objects": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+
+# DEPRECATED
+# "get_metadef_objects":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_objects":"role:admin or
+# (role:reader and (project_id:%(project_id)s or
+# 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
+
+# Update an object within a namespace.
+# PUT  /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
+# Intended scope(s): system, project
 #"modify_metadef_object": "rule:metadef_admin"
 
+# Create an object within a namespace.
+# POST  /v2/metadefs/namespaces/{namespace_name}/objects
+# Intended scope(s): system, project
 #"add_metadef_object": "rule:metadef_admin"
 
+# Delete an object within a namespace.
+# DELETE  /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
+# Intended scope(s): system, project
 #"delete_metadef_object": "rule:metadef_admin"
 
-#"list_metadef_resource_types": "rule:metadef_default"
+# List meta definition resource types.
+# GET  /v2/metadefs/resource_types
+# Intended scope(s): system, project
+#"list_metadef_resource_types": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
 
-#"get_metadef_resource_type": "rule:metadef_default"
+# DEPRECATED
+# "list_metadef_resource_types":"rule:metadef_default" has been
+# deprecated since X in favor of
+# "list_metadef_resource_types":"role:admin or (role:reader and
+# (project_id:%(project_id)s or 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
 
+# Get meta definition resource types associations.
+# GET  /v2/metadefs/namespaces/{namespace_name}/resource_types
+# Intended scope(s): system, project
+#"get_metadef_resource_type": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+
+# DEPRECATED
+# "get_metadef_resource_type":"rule:metadef_default" has been
+# deprecated since X in favor of
+# "get_metadef_resource_type":"role:admin or (role:reader and
+# (project_id:%(project_id)s or 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
+
+# Create meta definition resource types association.
+# POST  /v2/metadefs/namespaces/{namespace_name}/resource_types
+# Intended scope(s): system, project
 #"add_metadef_resource_type_association": "rule:metadef_admin"
 
+# Delete meta definition resource types association.
+# POST  /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
+# Intended scope(s): system, project
 #"remove_metadef_resource_type_association": "rule:metadef_admin"
 
-#"get_metadef_property": "rule:metadef_default"
+# Get a specific meta definition property.
+# GET  /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
+# Intended scope(s): system, project
+#"get_metadef_property": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
 
-#"get_metadef_properties": "rule:metadef_default"
+# DEPRECATED
+# "get_metadef_property":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_property":"role:admin or
+# (role:reader and (project_id:%(project_id)s or
+# 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
 
+# List meta definition properties.
+# GET  /v2/metadefs/namespaces/{namespace_name}/properties
+# Intended scope(s): system, project
+#"get_metadef_properties": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+
+# DEPRECATED
+# "get_metadef_properties":"rule:metadef_default" has been deprecated
+# since X in favor of "get_metadef_properties":"role:admin or
+# (role:reader and (project_id:%(project_id)s or
+# 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
+
+# Update meta definition property.
+# GET  /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
+# Intended scope(s): system, project
 #"modify_metadef_property": "rule:metadef_admin"
 
+# Create meta definition property.
+# POST  /v2/metadefs/namespaces/{namespace_name}/properties
+# Intended scope(s): system, project
 #"add_metadef_property": "rule:metadef_admin"
 
+# Delete meta definition property.
+# DELETE  /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
+# Intended scope(s): system, project
 #"remove_metadef_property": "rule:metadef_admin"
 
-#"get_metadef_tag": "rule:metadef_default"
+# Get tag definition.
+# GET  /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+# Intended scope(s): system, project
+#"get_metadef_tag": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
 
-#"get_metadef_tags": "rule:metadef_default"
+# DEPRECATED
+# "get_metadef_tag":"rule:metadef_default" has been deprecated since X
+# in favor of "get_metadef_tag":"role:admin or (role:reader and
+# (project_id:%(project_id)s or 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
 
+# List tag definitions.
+# GET  /v2/metadefs/namespaces/{namespace_name}/tags
+# Intended scope(s): system, project
+#"get_metadef_tags": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+
+# DEPRECATED
+# "get_metadef_tags":"rule:metadef_default" has been deprecated since
+# X in favor of "get_metadef_tags":"role:admin or (role:reader and
+# (project_id:%(project_id)s or 'public':%(visibility)s))".
+# The metadata API now supports project scope and default roles.
+
+# Update tag definition.
+# PUT  /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+# Intended scope(s): system, project
 #"modify_metadef_tag": "rule:metadef_admin"
 
+# Add tag definition.
+# POST  /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+# Intended scope(s): system, project
 #"add_metadef_tag": "rule:metadef_admin"
 
+# Create tag definitions.
+# POST  /v2/metadefs/namespaces/{namespace_name}/tags
+# Intended scope(s): system, project
 #"add_metadef_tags": "rule:metadef_admin"
 
+# Delete tag definition.
+# DELETE  /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
+# Intended scope(s): system, project
 #"delete_metadef_tag": "rule:metadef_admin"
 
+# Delete tag definitions.
+# DELETE  /v2/metadefs/namespaces/{namespace_name}/tags
+# Intended scope(s): system, project
 #"delete_metadef_tags": "rule:metadef_admin"
 
+# Queue image for caching
+# PUT  /v2/cache/{image_id}
+# Intended scope(s): project
+#"cache_image": "role:admin"
+
+# DEPRECATED
+# "cache_image":"rule:manage_image_cache" has been deprecated since X
+# in favor of "cache_image":"role:admin".
+# The image API now supports roles.
+
+# List cache status
+# GET  /v2/cache
+# Intended scope(s): project
+#"cache_list": "role:admin"
+
+# DEPRECATED
+# "cache_list":"rule:manage_image_cache" has been deprecated since X
+# in favor of "cache_list":"role:admin".
+# The image API now supports roles.
+
+# Delete image(s) from cache and/or queue
+# DELETE  /v2/cache
+# DELETE  /v2/cache/{image_id}
+# Intended scope(s): project
+#"cache_delete": "role:admin"
+
+# DEPRECATED
+# "cache_delete":"rule:manage_image_cache" has been deprecated since X
+# in favor of "cache_delete":"role:admin".
+# The image API now supports roles.
+
+# Expose store specific information
+# GET  /v2/info/stores/detail
+# Intended scope(s): system, project
+#"stores_info_detail": "role:admin"
+

openstack_dashboard/conf/keystone_policy.yaml

@@ -68,13 +68,12 @@
 #"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner"
 
 # DEPRECATED
-# "identity:get_application_credentials":"rule:admin_or_owner" has
+# "identity:get_application_credential":"rule:admin_or_owner" has been
-# been deprecated since T in favor of
+# deprecated since T in favor of
 # "identity:get_application_credential":"(role:reader and
 # system_scope:all) or rule:owner".
 # The application credential API is now aware of system scope and
 # default roles.
-#"identity:get_application_credentials": "rule:identity:get_application_credential"
 
 # List application credentials for a user.
 # GET  /v3/users/{user_id}/application_credentials
@@ -101,13 +100,12 @@
 #"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner"
 
 # DEPRECATED
-# "identity:delete_application_credentials":"rule:admin_or_owner" has
+# "identity:delete_application_credential":"rule:admin_or_owner" has
 # been deprecated since T in favor of
 # "identity:delete_application_credential":"(role:admin and
 # system_scope:all) or rule:owner".
 # The application credential API is now aware of system scope and
 # default roles.
-#"identity:delete_application_credentials": "rule:identity:delete_application_credential"
 
 # Get service catalog.
 # GET  /v3/auth/catalog
@@ -426,13 +424,12 @@
 #"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner"
 
 # DEPRECATED
-# "identity:ec2_create_credentials":"rule:admin_or_owner" has been
+# "identity:ec2_create_credential":"rule:admin_or_owner" has been
 # deprecated since T in favor of
 # "identity:ec2_create_credential":"(role:admin and system_scope:all)
 # or rule:owner".
 # The EC2 credential API is now aware of system scope and default
 # roles.
-#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential"
 
 # Delete ec2 credential.
 # DELETE  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
@@ -440,14 +437,12 @@
 #"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
 
 # DEPRECATED
-# "identity:ec2_delete_credentials":"rule:admin_required or
+# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner
-# (rule:owner and user_id:%(target.credential.user_id)s)" has been
+# and user_id:%(target.credential.user_id)s)" has been deprecated
-# deprecated since T in favor of
+# since T in favor of "identity:ec2_delete_credential":"(role:admin
-# "identity:ec2_delete_credential":"(role:admin and system_scope:all)
+# and system_scope:all) or user_id:%(target.credential.user_id)s".
-# or user_id:%(target.credential.user_id)s".
 # The EC2 credential API is now aware of system scope and default
 # roles.
-#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential"
 
 # Show endpoint details.
 # GET  /v3/endpoints/{endpoint_id}
@@ -1013,13 +1008,12 @@
 #"identity:create_identity_provider": "role:admin and system_scope:all"
 
 # DEPRECATED
-# "identity:create_identity_providers":"rule:admin_required" has been
+# "identity:create_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
 # "identity:create_identity_provider":"role:admin and
 # system_scope:all".
 # The identity provider API is now aware of system scope and default
 # roles.
-#"identity:create_identity_providers": "rule:identity:create_identity_provider"
 
 # List identity providers.
 # GET  /v3/OS-FEDERATION/identity_providers
@@ -1042,12 +1036,11 @@
 #"identity:get_identity_provider": "role:reader and system_scope:all"
 
 # DEPRECATED
-# "identity:get_identity_providers":"rule:admin_required" has been
+# "identity:get_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
 # "identity:get_identity_provider":"role:reader and system_scope:all".
 # The identity provider API is now aware of system scope and default
 # roles.
-#"identity:get_identity_providers": "rule:identity:get_identity_provider"
 
 # Update identity provider.
 # PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}
@@ -1055,13 +1048,12 @@
 #"identity:update_identity_provider": "role:admin and system_scope:all"
 
 # DEPRECATED
-# "identity:update_identity_providers":"rule:admin_required" has been
+# "identity:update_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
 # "identity:update_identity_provider":"role:admin and
 # system_scope:all".
 # The identity provider API is now aware of system scope and default
 # roles.
-#"identity:update_identity_providers": "rule:identity:update_identity_provider"
 
 # Delete identity provider.
 # DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}
@@ -1069,13 +1061,12 @@
 #"identity:delete_identity_provider": "role:admin and system_scope:all"
 
 # DEPRECATED
-# "identity:delete_identity_providers":"rule:admin_required" has been
+# "identity:delete_identity_provider":"rule:admin_required" has been
 # deprecated since S in favor of
 # "identity:delete_identity_provider":"role:admin and
 # system_scope:all".
 # The identity provider API is now aware of system scope and default
 # roles.
-#"identity:delete_identity_providers": "rule:identity:delete_identity_provider"
 
 # Get information about an association between two roles. When a
 # relationship exists between a prior role and an implied role and the

requirements.txt

@@ -20,14 +20,14 @@ futurist>=1.2.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
 keystoneauth1>=4.3.1 # Apache-2.0
 netaddr>=0.7.18 # BSD
-oslo.concurrency>=3.26.0 # Apache-2.0
+oslo.concurrency>=4.5.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
+oslo.config>=8.8.0 # Apache-2.0
-oslo.i18n>=5.0.1 # Apache-2.0
+oslo.i18n>=5.1.0 # Apache-2.0
-oslo.policy>=3.2.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
-oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
+oslo.serialization>=4.3.0 # Apache-2.0
-oslo.upgradecheck>=0.1.1 # Apache-2.0
+oslo.upgradecheck>=1.5.0 # Apache-2.0
-oslo.utils>=4.8.0 # Apache-2.0
+oslo.utils>=4.12.0 # Apache-2.0
-osprofiler>=2.3.0 # Apache-2.0
+osprofiler>=3.4.2 # Apache-2.0
 pymongo!=3.1,>=3.0.2 # Apache-2.0
 pyScss>=1.3.7 # MIT License
 python-cinderclient>=8.0.0 # Apache-2.0
@@ -37,7 +37,7 @@ python-neutronclient>=6.7.0 # Apache-2.0
 python-novaclient>=9.1.0 # Apache-2.0
 python-swiftclient>=3.2.0 # Apache-2.0
 pytz>=2013.6 # MIT
-PyYAML>=3.12 # MIT
+PyYAML>=6.0 # MIT
 requests>=2.25.1 # Apache-2.0
 six>=1.16.0 # MIT
 semantic-version>=2.3.1 # BSD