Remove empty rules from policies for API access

Empty policy rule means that API method is allowed by anybody. Default rule is used only if such rule is not defined in policy.json. This patch changes empty rules to admin_api or admin_or_owner. Closes-Bug: #1477621 Closes-Bug: #1491495 Change-Id: I512e65e62da7dab5834a21ef9fd967ed6e9bb695
2015-09-01 14:00:06 +03:00 · 2015-09-01 14:00:06 +03:00 · e065e70a69
parent 19cee43def
commit e065e70a69
1 changed files with 26 additions and 26 deletions
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@ -6,36 +6,36 @@
    "admin_api": "is_admin:True",

    "volume:create": "",
-    "volume:delete": "",
+    "volume:delete": "rule:admin_or_owner",
    "volume:get": "rule:admin_or_owner",
-    "volume:get_all": "",
-    "volume:get_volume_metadata": "",
-    "volume:delete_volume_metadata": "",
-    "volume:update_volume_metadata": "",
+    "volume:get_all": "rule:admin_or_owner",
+    "volume:get_volume_metadata": "rule:admin_or_owner",
+    "volume:delete_volume_metadata": "rule:admin_or_owner",
+    "volume:update_volume_metadata": "rule:admin_or_owner",
    "volume:get_volume_admin_metadata": "rule:admin_api",
    "volume:update_volume_admin_metadata": "rule:admin_api",
-    "volume:get_snapshot": "",
-    "volume:get_all_snapshots": "",
-    "volume:delete_snapshot": "",
-    "volume:update_snapshot": "",
-    "volume:extend": "",
-    "volume:update_readonly_flag": "",
-    "volume:retype": "",
-    "volume:update": "",
+    "volume:get_snapshot": "rule:admin_or_owner",
+    "volume:get_all_snapshots": "rule:admin_or_owner",
+    "volume:delete_snapshot": "rule:admin_or_owner",
+    "volume:update_snapshot": "rule:admin_or_owner",
+    "volume:extend": "rule:admin_or_owner",
+    "volume:update_readonly_flag": "rule:admin_or_owner",
+    "volume:retype": "rule:admin_or_owner",
+    "volume:update": "rule:admin_or_owner",

    "volume_extension:types_manage": "rule:admin_api",
    "volume_extension:types_extra_specs": "rule:admin_api",
-    "volume_extension:volume_type_access": "",
+    "volume_extension:volume_type_access": "rule:admin_or_owner",
    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
    "volume_extension:volume_type_encryption": "rule:admin_api",
    "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
-    "volume_extension:extended_snapshot_attributes": "",
-    "volume_extension:volume_image_metadata": "",
+    "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
+    "volume_extension:volume_image_metadata": "rule:admin_or_owner",

-    "volume_extension:quotas:show": "",
+    "volume_extension:quotas:show": "rule:admin_api",
    "volume_extension:quotas:update": "rule:admin_api",
-    "volume_extension:quota_classes": "",
+    "volume_extension:quota_classes": "rule:admin_api",

    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
@ -51,7 +51,7 @@
    "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
    "volume_extension:volume_mig_status_attribute": "rule:admin_api",
    "volume_extension:hosts": "rule:admin_api",
-    "volume_extension:services:index": "",
+    "volume_extension:services:index": "rule:admin_api",
    "volume_extension:services:update" : "rule:admin_api",

    "volume_extension:volume_manage": "rule:admin_api",
@ -59,10 +59,10 @@

    "volume_extension:capabilities": "rule:admin_api",

-    "volume:create_transfer": "",
+    "volume:create_transfer": "rule:admin_or_owner",
    "volume:accept_transfer": "",
-    "volume:delete_transfer": "",
-    "volume:get_all_transfers": "",
+    "volume:delete_transfer": "rule:admin_or_owner",
+    "volume:get_all_transfers": "rule:admin_or_owner",

    "volume_extension:replication:promote": "rule:admin_api",
    "volume_extension:replication:reenable": "rule:admin_api",
@ -73,10 +73,10 @@
    "volume:list_replication_targets": "rule:admin_api",

    "backup:create" : "",
-    "backup:delete": "",
-    "backup:get": "",
-    "backup:get_all": "",
-    "backup:restore": "",
+    "backup:delete": "rule:admin_or_owner",
+    "backup:get": "rule:admin_or_owner",
+    "backup:get_all": "rule:admin_or_owner",
+    "backup:restore": "rule:admin_or_owner",
    "backup:backup-import": "rule:admin_api",
    "backup:backup-export": "rule:admin_api",