Implement policy in code (4)

This commit will move all default policies to code for:
- zone
- zone_export
- zone_import
- zone_transfer_accept
- zone_transfer_request

Change-Id: I9945fe66d127696907695c73ecef77a6f07acd38
Co-authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Implements: blueprint policy-in-code

designate/common/policies/__init__.py

@@ -29,6 +29,11 @@ from designate.common.policies import service_status
 from designate.common.policies import tenant
 from designate.common.policies import tld
 from designate.common.policies import tsigkey
+from designate.common.policies import zone
+from designate.common.policies import zone_export
+from designate.common.policies import zone_import
+from designate.common.policies import zone_transfer_accept
+from designate.common.policies import zone_transfer_request
 
 
 def list_rules():
@@ -45,4 +50,9 @@ def list_rules():
         tenant.list_rules(),
         tld.list_rules(),
         tsigkey.list_rules(),
+        zone.list_rules(),
+        zone_export.list_rules(),
+        zone_import.list_rules(),
+        zone_transfer_accept.list_rules(),
+        zone_transfer_request.list_rules(),
     )

designate/common/policies/base.py

@@ -20,6 +20,8 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN = 'rule:admin'
 RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\
                             OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+RULE_ZONE_TRANSFER = "rule:admin_or_owner or tenant:%(target_tenant_id)s \
+                            or None:%(target_tenant_id)s"
 RULE_ANY = "@"
 
 rules = [

designate/common/policies/zone.py

@@ -0,0 +1,170 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="create_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Create Zone",
+        operations=[
+            {
+                'path': '/v1//domains',
+                'method': 'POST'
+            }, {
+                'path': '/v2/zones',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="get_zones",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Get Zone",
+        operations=[
+            {
+                'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>',  # noqa
+                'method': 'GET'
+            }, {
+                'path': '/v1/domains/<uuid:domain_id>/records',
+                'method': 'GET'
+            }, {
+                'path': '/v2/zones/{zone_id}',
+                'method': 'GET'
+            }, {
+                'path': '/v2/zones/{zone_id}',
+                'method': 'PATCH'
+            }, {
+                'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
+                'method': 'PUT'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="get_zone_servers",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zones",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="List existing zones",
+        operations=[
+            {
+                'path': '/v1/domains',
+                'method': 'GET'
+            }, {
+                'path': '/v2/zones',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Find Zone",
+        operations=[
+            {
+                'path': '/v1/domains/<uuid:domain_id>',
+                'method': 'GET'
+            }, {
+                'path': '/v1/domains/<uuid:domain_id>/servers',
+                'method': 'GET'
+            }, {
+                'path': '/v1/domains/<uuid:domain_id>',
+                'method': 'PUT'
+            }, {
+                'path': '/v1/domains/<uuid:domain_id>',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Update Zone",
+        operations=[
+            {
+                'path': '/v1/domains/<uuid:domain_id>',
+                'method': 'PUT'
+            }, {
+                'path': '/v2/zones/{zone_id}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="delete_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Delete Zone",
+        operations=[
+            {
+                'path': '/v1/domains/<uuid:domain_id>',
+                'method': 'DELETE'
+            }, {
+                'path': '/v2/zones/{zone_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="xfr_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Manually Trigger an Update of a Secondary Zone",
+        operations=[
+            {
+                'path': '/v2/zones/{zone_id}/tasks/xfr',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="abandon_zone",
+        check_str=base.RULE_ADMIN,
+        description="Abandon Zone",
+        operations=[
+            {
+                'path': '/v2/zones/{zone_id}/tasks/abandon',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="count_zones",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="count_zones_pending_notify",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="purge_zones",
+        check_str=base.RULE_ADMIN
+    ),
+    policy.RuleDefault(
+        name="touch_zone",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/zone_export.py

@@ -0,0 +1,83 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="zone_export",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Retrive a Zone Export from the Designate Datastore",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="create_zone_export",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Create Zone Export",
+        operations=[
+            {
+                'path': '/v2/zones/{zone_id}/tasks/export',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zone_exports",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="List Zone Exports",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/exports',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_zone_export",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Get Zone Exports",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/exports/{zone_export_id}',
+                'method': 'GET'
+            }, {
+                'path': '/v2/zones/tasks/exports/{zone_export_id}/export',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_zone_export",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Update Zone Exports",
+        operations=[
+            {
+                'path': '/v2/zones/{zone_id}/tasks/export',
+                'method': 'POST'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/zone_import.py

@@ -0,0 +1,81 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="create_zone_import",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Create Zone Import",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/imports',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zone_imports",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="List all Zone Imports",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/imports',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_zone_import",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Get Zone Imports",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/imports/{zone_import_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_zone_import",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Update Zone Imports",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/imports',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="delete_zone_import",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Delete a Zone Import",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/imports/{zone_import_id}',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/zone_transfer_accept.py

@@ -0,0 +1,77 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="create_zone_transfer_accept",
+        check_str=base.RULE_ZONE_TRANSFER,
+        description="Create Zone Transfer Accept",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_accepts',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_zone_transfer_accept",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Get Zone Transfer Accept",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}',  # noqa
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zone_transfer_accepts",
+        check_str=base.RULE_ADMIN,
+        description="List Zone Transfer Accepts",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_accepts',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="find_zone_transfer_accept",
+        check_str=base.RULE_ADMIN
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_zone_transfer_accept",
+        check_str=base.RULE_ADMIN,
+        description="Update a Zone Transfer Accept",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_accepts',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="delete_zone_transfer_accept",
+        check_str=base.RULE_ADMIN
+    )
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/zone_transfer_request.py

@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="create_zone_transfer_request",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Create Zone Transfer Accept",
+        operations=[
+            {
+                'path': '/v2/zones/{zone_id}/tasks/transfer_requests',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_zone_transfer_request",
+        check_str=base.RULE_ZONE_TRANSFER,
+        description="Show a Zone Transfer Request",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}',  # noqa
+                'method': 'GET'
+            }, {
+                'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}',  # noqa
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="get_zone_transfer_request_detailed",
+        check_str=base.RULE_ADMIN_OR_OWNER
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_zone_transfer_requests",
+        check_str=base.RULE_ANY,
+        description="List Zone Transfer Requests",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_requests',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="find_zone_transfer_request",
+        check_str=base.RULE_ANY
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_zone_transfer_request",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Update a Zone Transfer Request",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}',  # noqa
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="delete_zone_transfer_request",
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Delete a Zone Transfer Request",
+        operations=[
+            {
+                'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}',  # noqa
+                'method': 'DELETE'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

designate/tests/fixtures.py

@@ -32,7 +32,6 @@ from designate import policy
 from designate import network_api
 from designate import rpc
 from designate.network_api import fake as fake_network_api
-from designate import utils
 from designate.sqlalchemy import utils as sqlalchemy_utils
 
 """Test fixtures
@@ -105,8 +104,6 @@ class ServiceFixture(fixtures.Fixture):
 class PolicyFixture(fixtures.Fixture):
     def setUp(self):
         super(PolicyFixture, self).setUp()
-        policy.init(policy_file=utils.find_config(
-            cfg.CONF.oslo_policy.policy_file)[0])
         self.addCleanup(policy.reset)
 
 

devstack/plugin.sh

@@ -68,10 +68,6 @@ function configure_designate {
         iniset $DESIGNATE_CONF coordination backend_url $DESIGNATE_COORDINATION_URL
     fi
 
-    # Install the policy file for the API server
-    cp $DESIGNATE_DIR/etc/designate/policy.json $DESIGNATE_CONF_DIR/policy.json
-    iniset $DESIGNATE_CONF DEFAULT policy_file $DESIGNATE_CONF_DIR/policy.json
-
     # Pool Manager Configuration
     iniset $DESIGNATE_CONF service:pool_manager pool_id $DESIGNATE_POOL_ID
     iniset $DESIGNATE_CONF service:pool_manager cache_driver $DESIGNATE_POOL_MANAGER_CACHE_DRIVER

etc/designate/policy.json

@@ -1,43 +0,0 @@
-{
-    "create_zone": "rule:admin_or_owner",
-    "get_zones": "rule:admin_or_owner",
-    "get_zone": "rule:admin_or_owner",
-    "get_zone_servers": "rule:admin_or_owner",
-    "find_zones": "rule:admin_or_owner",
-    "find_zone": "rule:admin_or_owner",
-    "update_zone": "rule:admin_or_owner",
-    "delete_zone": "rule:admin_or_owner",
-    "xfr_zone": "rule:admin_or_owner",
-    "abandon_zone": "rule:admin",
-    "count_zones": "rule:admin_or_owner",
-    "count_zones_pending_notify": "rule:admin_or_owner",
-    "purge_zones": "rule:admin",
-    "touch_zone": "rule:admin_or_owner",
-
-    "create_zone_transfer_request": "rule:admin_or_owner",
-    "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
-    "get_zone_transfer_request_detailed": "rule:admin_or_owner",
-    "find_zone_transfer_requests": "@",
-    "find_zone_transfer_request": "@",
-    "update_zone_transfer_request": "rule:admin_or_owner",
-    "delete_zone_transfer_request": "rule:admin_or_owner",
-
-    "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
-    "get_zone_transfer_accept": "rule:admin_or_owner",
-    "find_zone_transfer_accepts": "rule:admin",
-    "find_zone_transfer_accept": "rule:admin",
-    "update_zone_transfer_accept": "rule:admin",
-    "delete_zone_transfer_accept": "rule:admin",
-
-    "create_zone_import": "rule:admin_or_owner",
-    "find_zone_imports": "rule:admin_or_owner",
-    "get_zone_import": "rule:admin_or_owner",
-    "update_zone_import": "rule:admin_or_owner",
-    "delete_zone_import": "rule:admin_or_owner",
-
-    "zone_export": "rule:admin_or_owner",
-    "create_zone_export": "rule:admin_or_owner",
-    "find_zone_exports": "rule:admin_or_owner",
-    "get_zone_export": "rule:admin_or_owner",
-    "update_zone_export": "rule:admin_or_owner",
-}

etc/designate/policy.yaml.sample

@@ -0,0 +1,413 @@
+#
+#"admin": "role:admin or is_admin:True"
+
+#
+#"primary_zone": "target.zone_type:SECONDARY"
+
+#
+#"owner": "tenant:%(tenant_id)s"
+
+#
+#"admin_or_owner": "rule:admin or rule:owner"
+
+#
+#"default": "rule:admin_or_owner"
+
+#
+#"target": "tenant:%(target_tenant_id)s"
+
+#
+#"owner_or_target": "rule:target or rule:owner"
+
+#
+#"admin_or_owner_or_target": "rule:owner_or_target or rule:admin"
+
+#
+#"admin_or_target": "rule:admin or rule:target"
+
+#
+#"zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner)                            OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+
+# Create blacklist.
+# POST  /v2/blacklists
+#"create_blacklist": "rule:admin"
+
+# Find blacklist.
+# GET  /v2/blacklists
+#"find_blacklist": "rule:admin"
+
+# Find blacklists.
+# GET  /v2/blacklists
+#"find_blacklists": "rule:admin"
+
+# Get blacklist.
+# GET  /v2/blacklists/{blacklist_id}
+#"get_blacklist": "rule:admin"
+
+# Update blacklist.
+# PATCH  /v2/blacklists/{blacklist_id}
+#"update_blacklist": "rule:admin"
+
+# Delete blacklist.
+# DELETE  /v2/blacklists/{blacklist_id}
+#"delete_blacklist": "rule:admin"
+
+# Allowed bypass the blacklist.
+# POST  /v2/zones
+#"use_blacklisted_zone": "rule:admin"
+
+# Action on all tenants.
+#"all_tenants": "rule:admin"
+
+# Edit managed records.
+#"edit_managed_records": "rule:admin"
+
+# Use low TTL.
+#"use_low_ttl": "rule:admin"
+
+# Accept sudo from user to tenant.
+#"use_sudo": "rule:admin"
+
+# Diagnose ping.
+#"diagnostics_ping": "rule:admin"
+
+# Diagnose sync zones.
+#"diagnostics_sync_zones": "rule:admin"
+
+# Diagnose sync zone.
+#"diagnostics_sync_zone": "rule:admin"
+
+# Diagnose sync record.
+#"diagnostics_sync_record": "rule:admin"
+
+# Create pool.
+#"create_pool": "rule:admin"
+
+# Find pool.
+# GET  /v2/pools
+#"find_pools": "rule:admin"
+
+# Find pools.
+# GET  /v2/pools
+#"find_pool": "rule:admin"
+
+# Get pool.
+# GET  /v2/pools/{pool_id}
+#"get_pool": "rule:admin"
+
+# Update pool.
+#"update_pool": "rule:admin"
+
+# Delete pool.
+#"delete_pool": "rule:admin"
+
+# load and set the pool to the one provided in the Zone attributes.
+# POST  /v2/zones
+#"zone_create_forced_pool": "rule:admin"
+
+# View Current Project's Quotas.
+# GET  /v2/quotas
+#"get_quotas": "rule:admin_or_owner"
+
+#
+#"get_quota": "rule:admin_or_owner"
+
+# Set Quotas.
+# PATCH  /v2/quotas/{project_id}
+#"set_quota": "rule:admin"
+
+# Reset Quotas.
+# DELETE  /v2/quotas/{project_id}
+#"reset_quotas": "rule:admin"
+
+# Create record.
+# POST  /v1/domains/<uuid:domain_id>/records
+#"create_record": "rule:admin_or_owner"
+
+# Get records.
+# GET  /v1/domains/<uuid:domain_id>/records
+#"get_records": "rule:admin_or_owner"
+
+# Get record.
+# GET  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+#"get_record": "rule:admin_or_owner"
+
+# Find records.
+# GET  /v2/reverse/floatingips/{region}:{floatingip_id}
+# GET  /v2/reverse/floatingips
+#"find_records": "rule:admin_or_owner"
+
+# Find record.
+# GET  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# DELETE  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# PUT  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+#"find_record": "rule:admin_or_owner"
+
+# Update record.
+# PUT  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+#"update_record": "rule:admin_or_owner"
+
+# Delete record.
+# DELETE  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+#"delete_record": "rule:admin_or_owner"
+
+#
+#"count_records": "rule:admin_or_owner"
+
+# Create Recordset
+# POST  /v2/zones/{zone_id}/recordsets
+# PATCH  /v2/reverse/floatingips/{region}:{floatingip_id}
+#"create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner)                            OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+
+#
+#"get_recordsets": "rule:admin_or_owner"
+
+# Get recordset
+# GET  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# PUT  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# GET  /v2/zones/{zone_id}/recordsets/{recordset_id}
+# DELETE  /v2/zones/{zone_id}/recordsets/{recordset_id}
+# PUT  /v2/zones/{zone_id}/recordsets/{recordset_id}
+#"get_recordset": "rule:admin_or_owner"
+
+# Find recordsets
+# GET  /v1/domains/<uuid:domain_id>/records
+#"find_recordsets": "rule:admin_or_owner"
+
+# Find recordset
+# POST  /v1/domains/<uuid:domain_id>/records
+# DELETE  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+#"find_recordset": "rule:admin_or_owner"
+
+# Update recordset
+# PUT  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# PUT  /v2/zones/{zone_id}/recordsets/{recordset_id}
+# PATCH  /v2/reverse/floatingips/{region}:{floatingip_id}
+#"update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner)                            OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+
+# Delete RecordSet
+# DELETE  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# DELETE  /v2/zones/{zone_id}/recordsets/{recordset_id}
+#"delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner)                            OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+
+# Count recordsets
+#"count_recordset": "rule:admin_or_owner"
+
+# Find a single Service Status
+# GET  /v2/service_status/{service_id}
+#"find_service_status": "rule:admin"
+
+# List service statuses.
+# GET  /v2/service_status
+#"find_service_statuses": "rule:admin"
+
+#
+#"update_service_service_status": "rule:admin"
+
+# Find all Tenants.
+#"find_tenants": "rule:admin"
+
+# Get all Tenants.
+#"get_tenant": "rule:admin"
+
+# Count tenants
+#"count_tenants": "rule:admin"
+
+# Create Tld
+# POST  /v2/tlds
+#"create_tld": "rule:admin"
+
+# List Tlds
+# GET  /v2/tlds
+#"find_tlds": "rule:admin"
+
+# Show Tld
+# GET  /v2/tlds/{tld_id}
+#"get_tld": "rule:admin"
+
+# Update Tld
+# PATCH  /v2/tlds/{tld_id}
+#"update_tld": "rule:admin"
+
+# Delete Tld
+# DELETE  /v2/tlds/{tld_id}
+#"delete_tld": "rule:admin"
+
+# Create Tsigkey
+# POST  /v1/tsigkeys
+# POST  /v2/tsigkeys
+#"create_tsigkey": "rule:admin"
+
+# List Tsigkeys
+# GET  /v1/tsigkeys
+# GET  /v1/tsigkeys/<uuid:tsigkey_id>
+# DELETE  /v1/tsigkeys/<uuid:tsigkey_id>
+# GET  /v2/tsigkeys
+#"find_tsigkeys": "rule:admin"
+
+# Show a Tsigkey
+# PATCH  /v2/tsigkeys/{tsigkey_id}
+# GET  /v2/tsigkeys/{tsigkey_id}
+#"get_tsigkey": "rule:admin"
+
+# Update Tsigkey
+# PATCH  /v1/tsigkeys/{tsigkey_id}
+# PATCH  /v2/tsigkeys/{tsigkey_id}
+#"update_tsigkey": "rule:admin"
+
+# Delete a Tsigkey
+# DELETE  /v1/tsigkeys/{tsigkey_id}
+# DELETE  /v2/tsigkeys/{tsigkey_id}
+#"delete_tsigkey": "rule:admin"
+
+# Create Zone
+# POST  /v1//domains
+# POST  /v2/zones
+#"create_zone": "rule:admin_or_owner"
+
+#
+#"get_zones": "rule:admin_or_owner"
+
+# Get Zone
+# GET  /v1/domains/<uuid:domain_id>/records/<uuid:record_id>
+# GET  /v1/domains/<uuid:domain_id>/records
+# GET  /v2/zones/{zone_id}
+# PATCH  /v2/zones/{zone_id}
+# PUT  /v2/zones/{zone_id}/recordsets/{recordset_id}
+#"get_zone": "rule:admin_or_owner"
+
+#
+#"get_zone_servers": "rule:admin_or_owner"
+
+# List existing zones
+# GET  /v1/domains
+# GET  /v2/zones
+#"find_zones": "rule:admin_or_owner"
+
+# Find Zone
+# GET  /v1/domains/<uuid:domain_id>
+# GET  /v1/domains/<uuid:domain_id>/servers
+# PUT  /v1/domains/<uuid:domain_id>
+# DELETE  /v1/domains/<uuid:domain_id>
+#"find_zone": "rule:admin_or_owner"
+
+# Update Zone
+# PUT  /v1/domains/<uuid:domain_id>
+# PATCH  /v2/zones/{zone_id}
+#"update_zone": "rule:admin_or_owner"
+
+# Delete Zone
+# DELETE  /v1/domains/<uuid:domain_id>
+# DELETE  /v2/zones/{zone_id}
+#"delete_zone": "rule:admin_or_owner"
+
+# Manually Trigger an Update of a Secondary Zone
+# POST  /v2/zones/{zone_id}/tasks/xfr
+#"xfr_zone": "rule:admin_or_owner"
+
+# Abandon Zone
+# POST  /v2/zones/{zone_id}/tasks/abandon
+#"abandon_zone": "rule:admin"
+
+#
+#"count_zones": "rule:admin_or_owner"
+
+#
+#"count_zones_pending_notify": "rule:admin_or_owner"
+
+#
+#"purge_zones": "rule:admin"
+
+#
+#"touch_zone": "rule:admin_or_owner"
+
+# Retrive a Zone Export from the Designate Datastore
+# GET  /v2/zones/tasks/exports/{zone_export_id}/export
+#"zone_export": "rule:admin_or_owner"
+
+# Create Zone Export
+# POST  /v2/zones/{zone_id}/tasks/export
+#"create_zone_export": "rule:admin_or_owner"
+
+# List Zone Exports
+# GET  /v2/zones/tasks/exports
+#"find_zone_exports": "rule:admin_or_owner"
+
+# Get Zone Exports
+# GET  /v2/zones/tasks/exports/{zone_export_id}
+# GET  /v2/zones/tasks/exports/{zone_export_id}/export
+#"get_zone_export": "rule:admin_or_owner"
+
+# Update Zone Exports
+# POST  /v2/zones/{zone_id}/tasks/export
+#"update_zone_export": "rule:admin_or_owner"
+
+# Create Zone Import
+# POST  /v2/zones/tasks/imports
+#"create_zone_import": "rule:admin_or_owner"
+
+# List all Zone Imports
+# GET  /v2/zones/tasks/imports
+#"find_zone_imports": "rule:admin_or_owner"
+
+# Get Zone Imports
+# GET  /v2/zones/tasks/imports/{zone_import_id}
+#"get_zone_import": "rule:admin_or_owner"
+
+# Update Zone Imports
+# POST  /v2/zones/tasks/imports
+#"update_zone_import": "rule:admin_or_owner"
+
+# Delete a Zone Import
+# GET  /v2/zones/tasks/imports/{zone_import_id}
+#"delete_zone_import": "rule:admin_or_owner"
+
+# Create Zone Transfer Accept
+# POST  /v2/zones/tasks/transfer_accepts
+#"create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s                             or None:%(target_tenant_id)s"
+
+# Get Zone Transfer Accept
+# GET  /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}
+#"get_zone_transfer_accept": "rule:admin_or_owner"
+
+# List Zone Transfer Accepts
+# GET  /v2/zones/tasks/transfer_accepts
+#"find_zone_transfer_accepts": "rule:admin"
+
+#
+#"find_zone_transfer_accept": "rule:admin"
+
+# Update a Zone Transfer Accept
+# POST  /v2/zones/tasks/transfer_accepts
+#"update_zone_transfer_accept": "rule:admin"
+
+#
+#"delete_zone_transfer_accept": "rule:admin"
+
+# Create Zone Transfer Accept
+# POST  /v2/zones/{zone_id}/tasks/transfer_requests
+#"create_zone_transfer_request": "rule:admin_or_owner"
+
+# Show a Zone Transfer Request
+# GET  /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
+# PATCH  /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
+#"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s                             or None:%(target_tenant_id)s"
+
+#
+#"get_zone_transfer_request_detailed": "rule:admin_or_owner"
+
+# List Zone Transfer Requests
+# GET  /v2/zones/tasks/transfer_requests
+#"find_zone_transfer_requests": "@"
+
+#
+#"find_zone_transfer_request": "@"
+
+# Update a Zone Transfer Request
+# PATCH  /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
+#"update_zone_transfer_request": "rule:admin_or_owner"
+
+# Delete a Zone Transfer Request
+# DELETE  /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
+#"delete_zone_transfer_request": "rule:admin_or_owner"
+

setup.cfg

@@ -30,7 +30,6 @@ packages =
 data_files =
     etc/designate =
         etc/designate/api-paste.ini
-        etc/designate/policy.json
         etc/designate/designate.conf.sample
         etc/designate/rootwrap.conf.sample
     etc/designate/rootwrap.d = etc/designate/rootwrap.d/*