Merge "Set scope for remaining placement policy rules"
This commit is contained in:
commit
8863b501b7
|
@ -33,7 +33,8 @@ rules = [
|
|||
policy.RuleDefault(
|
||||
"admin_api",
|
||||
"role:admin",
|
||||
description="Default rule for most placement APIs."),
|
||||
description="Default rule for most placement APIs.",
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -34,7 +34,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': BASE_PATH
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
CREATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -44,7 +45,8 @@ rules = [
|
|||
'method': 'POST',
|
||||
'path': BASE_PATH
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
SHOW,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -54,7 +56,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': BASE_PATH + '/{resource_class}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
UPDATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -68,7 +71,8 @@ rules = [
|
|||
'method': 'PUT',
|
||||
'path': BASE_PATH + '/{resource_class}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
DELETE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -82,7 +86,8 @@ rules = [
|
|||
'method': 'DELETE',
|
||||
'path': BASE_PATH + '/{resource_class}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -33,7 +33,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/resource_classes'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
CREATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -43,7 +44,8 @@ rules = [
|
|||
'method': 'POST',
|
||||
'path': '/resource_classes'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
SHOW,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -53,7 +55,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/resource_classes/{name}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
UPDATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -63,7 +66,8 @@ rules = [
|
|||
'method': 'PUT',
|
||||
'path': '/resource_classes/{name}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
DELETE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -73,7 +77,8 @@ rules = [
|
|||
'method': 'DELETE',
|
||||
'path': '/resource_classes/{name}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -33,7 +33,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/resource_providers'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
CREATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -43,7 +44,8 @@ rules = [
|
|||
'method': 'POST',
|
||||
'path': '/resource_providers'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
SHOW,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -53,7 +55,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/resource_providers/{uuid}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
UPDATE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -63,7 +66,8 @@ rules = [
|
|||
'method': 'PUT',
|
||||
'path': '/resource_providers/{uuid}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
DELETE,
|
||||
base.RULE_ADMIN_API,
|
||||
|
@ -73,7 +77,8 @@ rules = [
|
|||
'method': 'DELETE',
|
||||
'path': '/resource_providers/{uuid}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -30,9 +30,10 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/resource_providers/{uuid}/usages'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['system']),
|
||||
policy.DocumentedRuleDefault(
|
||||
# TODO(mriedem): At some point we should set scope_types=['project']
|
||||
# TODO(mriedem): At some point we might set scope_types=['project']
|
||||
# so that non-admin project-scoped token users can query usages for
|
||||
# their project. The context.can() target will need to change as well
|
||||
# in the actual policy enforcement check in the handler code.
|
||||
|
@ -44,7 +45,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/usages'
|
||||
}
|
||||
])
|
||||
],
|
||||
scope_types=['system'])
|
||||
]
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue