diff --git a/designate/common/policies/__init__.py b/designate/common/policies/__init__.py
index c787d85a6..46c5fd63f 100644
--- a/designate/common/policies/__init__.py
+++ b/designate/common/policies/__init__.py
@@ -29,6 +29,11 @@ from designate.common.policies import service_status
 from designate.common.policies import tenant
 from designate.common.policies import tld
 from designate.common.policies import tsigkey
+from designate.common.policies import zone
+from designate.common.policies import zone_export
+from designate.common.policies import zone_import
+from designate.common.policies import zone_transfer_accept
+from designate.common.policies import zone_transfer_request
 def list_rules():
@@ -45,4 +50,9 @@ def list_rules():
 tenant.list_rules(),
 tld.list_rules(),
 tsigkey.list_rules(),
+ zone.list_rules(),
+ zone_export.list_rules(),
+ zone_import.list_rules(),
+ zone_transfer_accept.list_rules(),
+ zone_transfer_request.list_rules(),
 )
diff --git a/designate/common/policies/base.py b/designate/common/policies/base.py
index d5d0f2cb4..9d342134e 100644
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@@ -20,6 +20,8 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN = 'rule:admin'
 RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\
 OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+RULE_ZONE_TRANSFER = "rule:admin_or_owner or tenant:%(target_tenant_id)s \
+ or None:%(target_tenant_id)s"
 RULE_ANY = "@"
 rules = [
diff --git a/designate/common/policies/zone.py b/designate/common/policies/zone.py
new file mode 100644
index 000000000..0ebeaf162
--- /dev/null
+++ b/designate/common/policies/zone.py
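Review bot: The `None:%(target_tenant_id)s` clause in RULE_ZONE_TRANSFER reads like a typo but is load-bearing, and a comment should say so: as far as I can tell from oslo.policy's generic check, the literal `None` is rendered and compared against the target value, so the rule also passes when the transfer request carries no target project at all, i.e. an untargeted request can be accepted by any project. A line such as `# Owner, the targeted project, or any project when the request has no target_tenant_id (None)` above the constant would stop the next reader from "fixing" it. As a point of style, the backslash continuation inside the string literal puts the continuation line's leading blanks into the policy string; oslo.policy tokenises on whitespace so it is harmless, but parenthesised implicit concatenation, `RULE_ZONE_TRANSFER = ("rule:admin_or_owner or tenant:%(target_tenant_id)s " "or None:%(target_tenant_id)s")`, avoids it. RULE_ZONE_PRIMARY_OR_ADMIN two lines up uses the same backslash form, so the new line is at least consistent with the file as it stands.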
@@ -0,0 +1,170 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +from oslo_policy import policy + +from designate.common.policies import base + +rules = [ + policy.DocumentedRuleDefault( + name="create_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Create Zone", + operations=[ + { + 'path': '/v1//domains', + 'method': 'POST' + }, { + 'path': '/v2/zones', + 'method': 'POST' + } + ] + ), + policy.RuleDefault( + name="get_zones", + check_str=base.RULE_ADMIN_OR_OWNER + ), + policy.DocumentedRuleDefault( + name="get_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Get Zone", + operations=[ + { + 'path': '/v1/domains//records/', # noqa + 'method': 'GET' + }, { + 'path': '/v1/domains//records', + 'method': 'GET' + }, { + 'path': '/v2/zones/{zone_id}', + 'method': 'GET' + }, { + 'path': '/v2/zones/{zone_id}', + 'method': 'PATCH' + }, { + 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', + 'method': 'PUT' + } + ] + ), + policy.RuleDefault( + name="get_zone_servers", + check_str=base.RULE_ADMIN_OR_OWNER + ), + policy.DocumentedRuleDefault( + name="find_zones", + check_str=base.RULE_ADMIN_OR_OWNER, + description="List existing zones", + operations=[ + { + 'path': '/v1/domains', + 'method': 'GET' + }, { + 'path': '/v2/zones', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="find_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Find Zone", + operations=[ + { + 'path': '/v1/domains/', + 
'method': 'GET' + }, { + 'path': '/v1/domains//servers', + 'method': 'GET' + }, { + 'path': '/v1/domains/', + 'method': 'PUT' + }, { + 'path': '/v1/domains/', + 'method': 'DELETE' + } + ] + ), + policy.DocumentedRuleDefault( + name="update_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Update Zone", + operations=[ + { + 'path': '/v1/domains/', + 'method': 'PUT' + }, { + 'path': '/v2/zones/{zone_id}', + 'method': 'PATCH' + } + ] + ), + policy.DocumentedRuleDefault( + name="delete_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Delete Zone", + operations=[ + { + 'path': '/v1/domains/', + 'method': 'DELETE' + }, { + 'path': '/v2/zones/{zone_id}', + 'method': 'DELETE' + } + ] + ), + policy.DocumentedRuleDefault( + name="xfr_zone", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Manually Trigger an Update of a Secondary Zone", + operations=[ + { + 'path': '/v2/zones/{zone_id}/tasks/xfr', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="abandon_zone", + check_str=base.RULE_ADMIN, + description="Abandon Zone", + operations=[ + { + 'path': '/v2/zones/{zone_id}/tasks/abandon', + 'method': 'POST' + } + ] + ), + policy.RuleDefault( + name="count_zones", + check_str=base.RULE_ADMIN_OR_OWNER + ), + policy.RuleDefault( + name="count_zones_pending_notify", + check_str=base.RULE_ADMIN_OR_OWNER + ), + policy.RuleDefault( + name="purge_zones", + check_str=base.RULE_ADMIN + ), + policy.RuleDefault( + name="touch_zone", + check_str=base.RULE_ADMIN_OR_OWNER + ) +] + + +def list_rules(): + return rules diff --git a/designate/common/policies/zone_export.py b/designate/common/policies/zone_export.py new file mode 100644 index 000000000..42d5bf9b9 --- /dev/null +++ b/designate/common/policies/zone_export.py 
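Review bot: The `create_zone` operation lists the v1 path as `'/v1//domains'` with a doubled slash, while the other v1 paths in this hunk (`'/v1/domains'`, `'/v1/domains/'`) show the collection lives at `/v1/domains`; if the file really reads that way it should be `'path': '/v1/domains',`. The doubled slash may instead be an angle-bracket placeholder lost in rendering, which would also explain the bare `'/v1/domains//records/'` forms further down, so confirm against the file before editing. Either way these operation entries are documentation only: they feed the policy sample generator (the same `POST /v1//domains` appears in policy.yaml.sample later in this diff) and do not affect enforcement.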
@@ -0,0 +1,83 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +from oslo_policy import policy + +from designate.common.policies import base + +rules = [ + policy.DocumentedRuleDefault( + name="zone_export", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Retrive a Zone Export from the Designate Datastore", + operations=[ + { + 'path': '/v2/zones/tasks/exports/{zone_export_id}/export', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="create_zone_export", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Create Zone Export", + operations=[ + { + 'path': '/v2/zones/{zone_id}/tasks/export', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="find_zone_exports", + check_str=base.RULE_ADMIN_OR_OWNER, + description="List Zone Exports", + operations=[ + { + 'path': '/v2/zones/tasks/exports', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="get_zone_export", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Get Zone Exports", + operations=[ + { + 'path': '/v2/zones/tasks/exports/{zone_export_id}', + 'method': 'GET' + }, { + 'path': '/v2/zones/tasks/exports/{zone_export_id}/export', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="update_zone_export", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Update Zone Exports", + operations=[ + { + 'path': '/v2/zones/{zone_id}/tasks/export', + 'method': 'POST' + } + ] + ) +] + + +def list_rules(): + return 
rules
diff --git a/designate/common/policies/zone_import.py b/designate/common/policies/zone_import.py
new file mode 100644
index 000000000..1aaa64fda
--- /dev/null
+++ b/designate/common/policies/zone_import.py
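Review bot: `update_zone_export` lists `POST /v2/zones/{zone_id}/tasks/export` as its operation, which is the same endpoint already listed under `create_zone_export`; if the update rule is only reached internally from the create flow, say so or drop the operation, otherwise the generated sample documents one endpoint under two rules. The description `"Retrive a Zone Export from the Designate Datastore"` has a typo (`Retrieve`), and `get_zone_export`'s description `"Get Zone Exports"` is plural for a single-object GET. Both strings are copied verbatim into policy.yaml.sample, so fixing them here fixes the generated documentation.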
@@ -0,0 +1,81 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +from oslo_policy import policy + +from designate.common.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + name="create_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Create Zone Import", + operations=[ + { + 'path': '/v2/zones/tasks/imports', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="find_zone_imports", + check_str=base.RULE_ADMIN_OR_OWNER, + description="List all Zone Imports", + operations=[ + { + 'path': '/v2/zones/tasks/imports', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="get_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Get Zone Imports", + operations=[ + { + 'path': '/v2/zones/tasks/imports/{zone_import_id}', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="update_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Update Zone Imports", + operations=[ + { + 'path': '/v2/zones/tasks/imports', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="delete_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Delete a Zone Import", + operations=[ + { + 'path': '/v2/zones/tasks/imports/{zone_import_id}', + 'method': 'GET' + } + ] + ) +] + + +def list_rules(): + return rules 
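Review bot: `delete_zone_import` lists `'method': 'GET'` for `/v2/zones/tasks/imports/{zone_import_id}`, which is the `get_zone_import` operation; the delete rule should read `'method': 'DELETE'`. The mistake is reproduced verbatim in the generated policy.yaml.sample further down (`# GET /v2/zones/tasks/imports/{zone_import_id}` under delete_zone_import), so an operator reading the sample gets a wrong picture of which rule gates the DELETE. `update_zone_import` likewise repeats the create operation `POST /v2/zones/tasks/imports`, which deserves the same second look.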
diff --git a/designate/common/policies/zone_transfer_accept.py b/designate/common/policies/zone_transfer_accept.py
new file mode 100644
index 000000000..d7616fef7
--- /dev/null
+++ b/designate/common/policies/zone_transfer_accept.py
@@ -0,0 +1,77 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +from oslo_policy import policy + +from designate.common.policies import base + +rules = [ + policy.DocumentedRuleDefault( + name="create_zone_transfer_accept", + check_str=base.RULE_ZONE_TRANSFER, + description="Create Zone Transfer Accept", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_accepts', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="get_zone_transfer_accept", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Get Zone Transfer Accept", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}', # noqa + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name="find_zone_transfer_accepts", + check_str=base.RULE_ADMIN, + description="List Zone Transfer Accepts", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_accepts', + 'method': 'GET' + } + ] + ), + policy.RuleDefault( + name="find_zone_transfer_accept", + check_str=base.RULE_ADMIN + ), + policy.DocumentedRuleDefault( + name="update_zone_transfer_accept", + check_str=base.RULE_ADMIN, + description="Update a Zone Transfer Accept", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_accepts', + 'method': 'POST' + } + ] + ), + policy.RuleDefault( + name="delete_zone_transfer_accept", + check_str=base.RULE_ADMIN + ) +] + + +def list_rules(): + return rules 
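Review bot: `get_zone_transfer_accept` documents its operation as `GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}`, mixing the transfer_requests collection with an accept id; it should be `'path': '/v2/zones/tasks/transfer_accepts/{zone_transfer_accept_id}',`. The check strings themselves match the policy.json being deleted (create uses RULE_ZONE_TRANSFER, everything else RULE_ADMIN or RULE_ADMIN_OR_OWNER), so enforcement is unchanged and only the generated documentation is off. `update_zone_transfer_accept` repeats the create endpoint `POST /v2/zones/tasks/transfer_accepts`, the same pattern as in the export and import files.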
diff --git a/designate/common/policies/zone_transfer_request.py b/designate/common/policies/zone_transfer_request.py
new file mode 100644
index 000000000..5e1c88840
--- /dev/null
+++ b/designate/common/policies/zone_transfer_request.py
@@ -0,0 +1,91 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +from oslo_policy import policy + +from designate.common.policies import base + +rules = [ + policy.DocumentedRuleDefault( + name="create_zone_transfer_request", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Create Zone Transfer Accept", + operations=[ + { + 'path': '/v2/zones/{zone_id}/tasks/transfer_requests', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name="get_zone_transfer_request", + check_str=base.RULE_ZONE_TRANSFER, + description="Show a Zone Transfer Request", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa + 'method': 'GET' + }, { + 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa + 'method': 'PATCH' + } + ] + ), + policy.RuleDefault( + name="get_zone_transfer_request_detailed", + check_str=base.RULE_ADMIN_OR_OWNER + ), + policy.DocumentedRuleDefault( + name="find_zone_transfer_requests", + check_str=base.RULE_ANY, + description="List Zone Transfer Requests", + operations=[ + { + 'path': '/v2/zones/tasks/transfer_requests', + 'method': 'GET' + } + ] + ), + policy.RuleDefault( + name="find_zone_transfer_request", + check_str=base.RULE_ANY + ), + policy.DocumentedRuleDefault( + name="update_zone_transfer_request", + check_str=base.RULE_ADMIN_OR_OWNER, + description="Update a Zone Transfer Request", + operations=[ + { + 'path': 
'/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
+ 'method': 'PATCH'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name="delete_zone_transfer_request",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description="Delete a Zone Transfer Request",
+ operations=[
+ {
+ 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa
+ 'method': 'DELETE'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/designate/tests/fixtures.py b/designate/tests/fixtures.py
index bb43a3052..dfc7ba555 100644
--- a/designate/tests/fixtures.py
+++ b/designate/tests/fixtures.py
@@ -32,7 +32,6 @@ from designate import policy
 from designate import network_api
 from designate import rpc
 from designate.network_api import fake as fake_network_api
-from designate import utils
 from designate.sqlalchemy import utils as sqlalchemy_utils
 """Test fixtures
@@ -105,8 +104,6 @@ class ServiceFixture(fixtures.Fixture):
 class PolicyFixture(fixtures.Fixture):
 def setUp(self):
 super(PolicyFixture, self).setUp()
- policy.init(policy_file=utils.find_config(
- cfg.CONF.oslo_policy.policy_file)[0])
 self.addCleanup(policy.reset)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 38c7cc305..fa3ade9a6 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -68,10 +68,6 @@ function configure_designate {
 iniset $DESIGNATE_CONF coordination backend_url $DESIGNATE_COORDINATION_URL
 fi
- # Install the policy file for the API server
- cp $DESIGNATE_DIR/etc/designate/policy.json $DESIGNATE_CONF_DIR/policy.json
- iniset $DESIGNATE_CONF DEFAULT policy_file $DESIGNATE_CONF_DIR/policy.json
-
 # Pool Manager Configuration
 iniset $DESIGNATE_CONF service:pool_manager pool_id $DESIGNATE_POOL_ID
 iniset $DESIGNATE_CONF service:pool_manager cache_driver $DESIGNATE_POOL_MANAGER_CACHE_DRIVER
diff --git a/etc/designate/policy.json b/etc/designate/policy.json
deleted file mode 100644
index a9585add6..000000000
--- a/etc/designate/policy.json
+++ /dev/null
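Review bot: `create_zone_transfer_request` carries the description `"Create Zone Transfer Accept"`, copied from the accept file; it should read `description="Create Zone Transfer Request",`, and the wrong text is already visible in the generated policy.yaml.sample. `find_zone_transfer_requests` and `find_zone_transfer_request` keep the `"@"` allow-all check from the deleted policy.json, so this hunk does not widen access, but a short comment on those two rules stating that policy admits every caller and the API layer is relied on to scope the listing to the caller's own and targeted requests would record what `RULE_ANY` depends on. I cannot see that scoping from this diff, so it is worth confirming while adding the comment.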
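Review bot: PolicyFixture.setUp now only registers `policy.reset` as cleanup, so nothing in the fixture initialises the enforcer any more; presumably `designate.policy` initialises lazily from the in-code defaults on first check, which is what makes dropping `policy.init(...)` safe, but a one-line comment in setUp such as `# Enforcer initialises lazily from the in-code defaults; only reset it after the test` would record that for the next reader. The enclosing PolicyFixture class continues outside the hunk. The earlier fixtures.py hunk removes `from designate import utils`, which is only safe if nothing else in fixtures.py still references `utils`; that cannot be checked from this diff.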
@@ -1,43 +0,0 @@
-{
- "create_zone": "rule:admin_or_owner",
- "get_zones": "rule:admin_or_owner",
- "get_zone": "rule:admin_or_owner",
- "get_zone_servers": "rule:admin_or_owner",
- "find_zones": "rule:admin_or_owner",
- "find_zone": "rule:admin_or_owner",
- "update_zone": "rule:admin_or_owner",
- "delete_zone": "rule:admin_or_owner",
- "xfr_zone": "rule:admin_or_owner",
- "abandon_zone": "rule:admin",
- "count_zones": "rule:admin_or_owner",
- "count_zones_pending_notify": "rule:admin_or_owner",
- "purge_zones": "rule:admin",
- "touch_zone": "rule:admin_or_owner",
-
- "create_zone_transfer_request": "rule:admin_or_owner",
- "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
- "get_zone_transfer_request_detailed": "rule:admin_or_owner",
- "find_zone_transfer_requests": "@",
- "find_zone_transfer_request": "@",
- "update_zone_transfer_request": "rule:admin_or_owner",
- "delete_zone_transfer_request": "rule:admin_or_owner",
-
- "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
- "get_zone_transfer_accept": "rule:admin_or_owner",
- "find_zone_transfer_accepts": "rule:admin",
- "find_zone_transfer_accept": "rule:admin",
- "update_zone_transfer_accept": "rule:admin",
- "delete_zone_transfer_accept": "rule:admin",
-
- "create_zone_import": "rule:admin_or_owner",
- "find_zone_imports": "rule:admin_or_owner",
- "get_zone_import": "rule:admin_or_owner",
- "update_zone_import": "rule:admin_or_owner",
- "delete_zone_import": "rule:admin_or_owner",
-
- "zone_export": "rule:admin_or_owner",
- "create_zone_export": "rule:admin_or_owner",
- "find_zone_exports": "rule:admin_or_owner",
- "get_zone_export": "rule:admin_or_owner",
- "update_zone_export": "rule:admin_or_owner",
-}
diff --git a/etc/designate/policy.yaml.sample b/etc/designate/policy.yaml.sample
new file mode 100644
index 000000000..5123b1e33
--- /dev/null
+++ b/etc/designate/policy.yaml.sample
@@ -0,0 +1,413 @@ +# +#"admin": "role:admin or is_admin:True" + +# +#"primary_zone": "target.zone_type:SECONDARY" + +# +#"owner": "tenant:%(tenant_id)s" + +# +#"admin_or_owner": "rule:admin or rule:owner" + +# +#"default": "rule:admin_or_owner" + +# +#"target": "tenant:%(target_tenant_id)s" + +# +#"owner_or_target": "rule:target or rule:owner" + +# +#"admin_or_owner_or_target": "rule:owner_or_target or rule:admin" + +# +#"admin_or_target": "rule:admin or rule:target" + +# +#"zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)" + +# Create blacklist. +# POST /v2/blacklists +#"create_blacklist": "rule:admin" + +# Find blacklist. +# GET /v2/blacklists +#"find_blacklist": "rule:admin" + +# Find blacklists. +# GET /v2/blacklists +#"find_blacklists": "rule:admin" + +# Get blacklist. +# GET /v2/blacklists/{blacklist_id} +#"get_blacklist": "rule:admin" + +# Update blacklist. +# PATCH /v2/blacklists/{blacklist_id} +#"update_blacklist": "rule:admin" + +# Delete blacklist. +# DELETE /v2/blacklists/{blacklist_id} +#"delete_blacklist": "rule:admin" + +# Allowed bypass the blacklist. +# POST /v2/zones +#"use_blacklisted_zone": "rule:admin" + +# Action on all tenants. +#"all_tenants": "rule:admin" + +# Edit managed records. +#"edit_managed_records": "rule:admin" + +# Use low TTL. +#"use_low_ttl": "rule:admin" + +# Accept sudo from user to tenant. +#"use_sudo": "rule:admin" + +# Diagnose ping. +#"diagnostics_ping": "rule:admin" + +# Diagnose sync zones. +#"diagnostics_sync_zones": "rule:admin" + +# Diagnose sync zone. +#"diagnostics_sync_zone": "rule:admin" + +# Diagnose sync record. +#"diagnostics_sync_record": "rule:admin" + +# Create pool. +#"create_pool": "rule:admin" + +# Find pool. +# GET /v2/pools +#"find_pools": "rule:admin" + +# Find pools. +# GET /v2/pools +#"find_pool": "rule:admin" + +# Get pool. +# GET /v2/pools/{pool_id} +#"get_pool": "rule:admin" + +# Update pool. 
+#"update_pool": "rule:admin" + +# Delete pool. +#"delete_pool": "rule:admin" + +# load and set the pool to the one provided in the Zone attributes. +# POST /v2/zones +#"zone_create_forced_pool": "rule:admin" + +# View Current Project's Quotas. +# GET /v2/quotas +#"get_quotas": "rule:admin_or_owner" + +# +#"get_quota": "rule:admin_or_owner" + +# Set Quotas. +# PATCH /v2/quotas/{project_id} +#"set_quota": "rule:admin" + +# Reset Quotas. +# DELETE /v2/quotas/{project_id} +#"reset_quotas": "rule:admin" + +# Create record. +# POST /v1/domains//records +#"create_record": "rule:admin_or_owner" + +# Get records. +# GET /v1/domains//records +#"get_records": "rule:admin_or_owner" + +# Get record. +# GET /v1/domains//records/ +#"get_record": "rule:admin_or_owner" + +# Find records. +# GET /v2/reverse/floatingips/{region}:{floatingip_id} +# GET /v2/reverse/floatingips +#"find_records": "rule:admin_or_owner" + +# Find record. +# GET /v1/domains//records/ +# DELETE /v1/domains//records/ +# PUT /v1/domains//records/ +#"find_record": "rule:admin_or_owner" + +# Update record. +# PUT /v1/domains//records/ +#"update_record": "rule:admin_or_owner" + +# Delete record. 
+# DELETE /v1/domains//records/ +#"delete_record": "rule:admin_or_owner" + +# +#"count_records": "rule:admin_or_owner" + +# Create Recordset +# POST /v2/zones/{zone_id}/recordsets +# PATCH /v2/reverse/floatingips/{region}:{floatingip_id} +#"create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)" + +# +#"get_recordsets": "rule:admin_or_owner" + +# Get recordset +# GET /v1/domains//records/ +# PUT /v1/domains//records/ +# GET /v2/zones/{zone_id}/recordsets/{recordset_id} +# DELETE /v2/zones/{zone_id}/recordsets/{recordset_id} +# PUT /v2/zones/{zone_id}/recordsets/{recordset_id} +#"get_recordset": "rule:admin_or_owner" + +# Find recordsets +# GET /v1/domains//records +#"find_recordsets": "rule:admin_or_owner" + +# Find recordset +# POST /v1/domains//records +# DELETE /v1/domains//records/ +#"find_recordset": "rule:admin_or_owner" + +# Update recordset +# PUT /v1/domains//records/ +# PUT /v2/zones/{zone_id}/recordsets/{recordset_id} +# PATCH /v2/reverse/floatingips/{region}:{floatingip_id} +#"update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)" + +# Delete RecordSet +# DELETE /v1/domains//records/ +# DELETE /v2/zones/{zone_id}/recordsets/{recordset_id} +#"delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)" + +# Count recordsets +#"count_recordset": "rule:admin_or_owner" + +# Find a single Service Status +# GET /v2/service_status/{service_id} +#"find_service_status": "rule:admin" + +# List service statuses. +# GET /v2/service_status +#"find_service_statuses": "rule:admin" + +# +#"update_service_service_status": "rule:admin" + +# Find all Tenants. +#"find_tenants": "rule:admin" + +# Get all Tenants. 
+#"get_tenant": "rule:admin" + +# Count tenants +#"count_tenants": "rule:admin" + +# Create Tld +# POST /v2/tlds +#"create_tld": "rule:admin" + +# List Tlds +# GET /v2/tlds +#"find_tlds": "rule:admin" + +# Show Tld +# GET /v2/tlds/{tld_id} +#"get_tld": "rule:admin" + +# Update Tld +# PATCH /v2/tlds/{tld_id} +#"update_tld": "rule:admin" + +# Delete Tld +# DELETE /v2/tlds/{tld_id} +#"delete_tld": "rule:admin" + +# Create Tsigkey +# POST /v1/tsigkeys +# POST /v2/tsigkeys +#"create_tsigkey": "rule:admin" + +# List Tsigkeys +# GET /v1/tsigkeys +# GET /v1/tsigkeys/ +# DELETE /v1/tsigkeys/ +# GET /v2/tsigkeys +#"find_tsigkeys": "rule:admin" + +# Show a Tsigkey +# PATCH /v2/tsigkeys/{tsigkey_id} +# GET /v2/tsigkeys/{tsigkey_id} +#"get_tsigkey": "rule:admin" + +# Update Tsigkey +# PATCH /v1/tsigkeys/{tsigkey_id} +# PATCH /v2/tsigkeys/{tsigkey_id} +#"update_tsigkey": "rule:admin" + +# Delete a Tsigkey +# DELETE /v1/tsigkeys/{tsigkey_id} +# DELETE /v2/tsigkeys/{tsigkey_id} +#"delete_tsigkey": "rule:admin" + +# Create Zone +# POST /v1//domains +# POST /v2/zones +#"create_zone": "rule:admin_or_owner" + +# +#"get_zones": "rule:admin_or_owner" + +# Get Zone +# GET /v1/domains//records/ +# GET /v1/domains//records +# GET /v2/zones/{zone_id} +# PATCH /v2/zones/{zone_id} +# PUT /v2/zones/{zone_id}/recordsets/{recordset_id} +#"get_zone": "rule:admin_or_owner" + +# +#"get_zone_servers": "rule:admin_or_owner" + +# List existing zones +# GET /v1/domains +# GET /v2/zones +#"find_zones": "rule:admin_or_owner" + +# Find Zone +# GET /v1/domains/ +# GET /v1/domains//servers +# PUT /v1/domains/ +# DELETE /v1/domains/ +#"find_zone": "rule:admin_or_owner" + +# Update Zone +# PUT /v1/domains/ +# PATCH /v2/zones/{zone_id} +#"update_zone": "rule:admin_or_owner" + +# Delete Zone +# DELETE /v1/domains/ +# DELETE /v2/zones/{zone_id} +#"delete_zone": "rule:admin_or_owner" + +# Manually Trigger an Update of a Secondary Zone +# POST /v2/zones/{zone_id}/tasks/xfr +#"xfr_zone": "rule:admin_or_owner" + +# 
Abandon Zone +# POST /v2/zones/{zone_id}/tasks/abandon +#"abandon_zone": "rule:admin" + +# +#"count_zones": "rule:admin_or_owner" + +# +#"count_zones_pending_notify": "rule:admin_or_owner" + +# +#"purge_zones": "rule:admin" + +# +#"touch_zone": "rule:admin_or_owner" + +# Retrive a Zone Export from the Designate Datastore +# GET /v2/zones/tasks/exports/{zone_export_id}/export +#"zone_export": "rule:admin_or_owner" + +# Create Zone Export +# POST /v2/zones/{zone_id}/tasks/export +#"create_zone_export": "rule:admin_or_owner" + +# List Zone Exports +# GET /v2/zones/tasks/exports +#"find_zone_exports": "rule:admin_or_owner" + +# Get Zone Exports +# GET /v2/zones/tasks/exports/{zone_export_id} +# GET /v2/zones/tasks/exports/{zone_export_id}/export +#"get_zone_export": "rule:admin_or_owner" + +# Update Zone Exports +# POST /v2/zones/{zone_id}/tasks/export +#"update_zone_export": "rule:admin_or_owner" + +# Create Zone Import +# POST /v2/zones/tasks/imports +#"create_zone_import": "rule:admin_or_owner" + +# List all Zone Imports +# GET /v2/zones/tasks/imports +#"find_zone_imports": "rule:admin_or_owner" + +# Get Zone Imports +# GET /v2/zones/tasks/imports/{zone_import_id} +#"get_zone_import": "rule:admin_or_owner" + +# Update Zone Imports +# POST /v2/zones/tasks/imports +#"update_zone_import": "rule:admin_or_owner" + +# Delete a Zone Import +# GET /v2/zones/tasks/imports/{zone_import_id} +#"delete_zone_import": "rule:admin_or_owner" + +# Create Zone Transfer Accept +# POST /v2/zones/tasks/transfer_accepts +#"create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s" + +# Get Zone Transfer Accept +# GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id} +#"get_zone_transfer_accept": "rule:admin_or_owner" + +# List Zone Transfer Accepts +# GET /v2/zones/tasks/transfer_accepts +#"find_zone_transfer_accepts": "rule:admin" + +# +#"find_zone_transfer_accept": "rule:admin" + +# Update a Zone Transfer Accept +# POST 
/v2/zones/tasks/transfer_accepts +#"update_zone_transfer_accept": "rule:admin" + +# +#"delete_zone_transfer_accept": "rule:admin" + +# Create Zone Transfer Accept +# POST /v2/zones/{zone_id}/tasks/transfer_requests +#"create_zone_transfer_request": "rule:admin_or_owner" + +# Show a Zone Transfer Request +# GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} +# PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} +#"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s" + +# +#"get_zone_transfer_request_detailed": "rule:admin_or_owner" + +# List Zone Transfer Requests +# GET /v2/zones/tasks/transfer_requests +#"find_zone_transfer_requests": "@" + +# +#"find_zone_transfer_request": "@" + +# Update a Zone Transfer Request +# PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} +#"update_zone_transfer_request": "rule:admin_or_owner" + +# Delete a Zone Transfer Request +# DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} +#"delete_zone_transfer_request": "rule:admin_or_owner" + diff --git a/setup.cfg b/setup.cfg index 6fc17b1d6..542db1c4c 100644 --- a/setup.cfg +++ b/setup.cfg @@ -30,7 +30,6 @@ packages = data_files = etc/designate = etc/designate/api-paste.ini - etc/designate/policy.json etc/designate/designate.conf.sample etc/designate/rootwrap.conf.sample etc/designate/rootwrap.d = etc/designate/rootwrap.d/*