diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 08c4f9b2d9..466347d44b 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -136,6 +136,30 @@ the GUI. For example themes, see: /horizon/openstack_dashboard/themes/ Horizon ships with two themes configured. 'default' is the default theme, and 'material' is based on Google's Material Design. +DEFAULT_POLICY_FILES +-------------------- + +.. versionadded:: 19.1.0(Wallaby) + +Default: + +.. code-block:: python + + { + 'identity': 'default_policies/keystone.yaml', + 'compute': 'default_policies/nova.yaml', + 'volume': 'default_policies/cinder.yaml', + 'image': 'default_policies/glance.yaml', + 'network': 'default_policies/neutron.yaml', + } + +This is a mapping from service types to YAML files including default +policy definitions. Values of this mapping should be relative paths to +`POLICY_FILES_PATH`_ or absolute paths. Policy files specified in this +setting are generated from default policies of back-end services, +so you rarely need to configure it. If you would like to override the +default policies, consider customizing files under `POLICY_FILES`_. + DEFAULT_THEME ------------- 
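Review bot: the DEFAULT_POLICY_FILES text says values are "relative paths to POLICY_FILES_PATH or absolute paths", but the loader added in openstack_auth/policy.py resolves them with `os.path.join(_BASE_PATH, policy_files[service])`, and `_BASE_PATH` is not defined anywhere in this change; if `_BASE_PATH` is not POLICY_FILES_PATH the sentence is wrong, so please either name the base the code actually uses or cite `_BASE_PATH` in the doc (absolute values do work as described, since os.path.join discards earlier components when it meets an absolute one). The documented default also shows five populated entries while openstack_auth/defaults.py in the same change sets `DEFAULT_POLICY_FILES = {}`; say where the populated default lives, otherwise the two read as contradicting each other and a bare openstack_auth install will log "Default policy file for ... is not defined" for every service.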
@@ -792,20 +816,25 @@ POLICY_FILES .. versionadded:: 2013.2(Havana) +.. versionchanged:: 19.1.0(Wallaby) + + The default files are changed to YAML format. + JSON format still continues to be supported. + Default: .. code-block:: python { - 'compute': 'nova_policy.json', - 'identity': 'keystone_policy.json', - 'image': 'glance_policy.json', - 'network': 'neutron_policy.json', - 'volume': 'cinder_policy.json', + 'compute': 'nova_policy.yaml', + 'identity': 'keystone_policy.yaml', + 'image': 'glance_policy.yaml', + 'network': 'neutron_policy.yaml', + 'volume': 'cinder_policy.yaml', } This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_ -to service types. When policy.json files are added to `POLICY_FILES_PATH`_, +to service types. When policy files are added to `POLICY_FILES_PATH`_, they should be included here too. POLICY_FILES_PATH diff --git a/doc/source/contributor/topics/policy.rst b/doc/source/contributor/topics/policy.rst index 96d8ab8581..f26503c27a 100644 --- a/doc/source/contributor/topics/policy.rst +++ b/doc/source/contributor/topics/policy.rst @@ -29,6 +29,7 @@ engine to work. * ``POLICY_DIRS`` * ``POLICY_FILES_PATH`` * ``POLICY_FILES`` +* ``DEFAULT_POLICY_FILES`` For more detail, see :doc:`/configuration/settings`. 
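Review bot: in the POLICY_FILES hunk, switching the default file names from `*_policy.json` to `*_policy.yaml` means a deployment that edited the shipped `nova_policy.json` (or any of the others) in place under POLICY_FILES_PATH, without setting POLICY_FILES in local_settings, will have those edits silently ignored after upgrade; the "JSON format still continues to be supported" sentence should spell that out ("JSON files are still accepted, but you must list them in POLICY_FILES"), and this deserves an upgrade release note, which is not part of this change. Nit: "still continues to be supported" is redundant; "is still supported" reads better.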
@@ -154,32 +155,117 @@ override the :meth:`horizon.tables.Action.get_policy_target` method. This allows a programmatic way to specify the target based on the current datum. The value returned should be the target dictionary. +Policy-in-Code and deprecated rules +=================================== + +As the effort of +`policy-in-code `__, +most OpenStack projects define their default policies in their codes. +All projects (except swift) covered by horizon supports "policy-in-code". +(Note that swift is an exception as it has its own mechanism to control RBAC.) + +"oslo.policy" provides a way to deprecate existing policy rules like +renaming rule definitions ("check_str") and renaming rule names. +They are defined as part of python codes in back-end services. +horizon cannot import python codes of back-end services, so we need a way +to restore policies defined by "policy-in-code" including deprecated rules. + +To address the above issue, horizon adopts the following two-step approach: + +* The first step scans policy-in-code of back-end services and + and dump the loaded default policies into YAML files per service + including information of deprecated rules. + This step is executed as part of the development process per release cycle + and these YAML files are shipped per release. + + Note that `oslopolicy-sample-generator` does not output deprecated rules + in a structured way, so we prepare a dedicated script for this purpose + in the horizon repo. + +* The horizon policy implementation loads the above YAML file into a list of + RuleDefault and registers the list as the default rules to the policy + enforcer. The default rules and operator-defined rules are maintained + separately, so operators still can edit the policy files as oslo.policy + does in back-end services. + +This approach has the following merits: + +* All features supported by oslo.policy can be supported in horizon + as default rules in back-end services are restored as-is. 
+ Horizon can evaluate deprecated rules. +* The default rules and operator defined rules are maintained separately. + Operators can use the same way to maintain policy files of back-end services. + +The related files in the horizon codebase are: + +* `openstack_dashboard/conf/_policy.yaml`: + operator-defined policies. + These files are generated by `oslopolicy-sample-generator`. +* `openstack_dashboard/conf/default_policies/.yaml` + YAML files contain default policies. +* `openstack_dashboard/management/commands/dump_default_policies.py`: + This script scans policy-in-code of a specified namespace under + `oslo.policy.policies` entrypoints and dump them into the YAML file + under `openstack_dashboard/conf/default_policies`. +* `openstack_auth/policy.py`: `_load_default_rules` function loads + the YAML files with default rules and call `register_defautls` method + of the policy enforcer per service. + Policy file maintenance ======================= -The policy implementation uses the copies of policies defined in -back-end services. +* YAML files for default policies -As of Queens, the OpenStack community are in the process of -`policy-in-code `__. -Some projects already define their policies in the code, -and some still have their policies in ``policy.json`` files. + Run the following command after installing a corresponding project. + You need to run it for keystone, nova, cinder, neutron, glance. -For project with the legacy ``policy.json`` files, -what we need to do is just to copy ``policy.json`` into the horizon tree. + .. code-block:: console -For projects with "policy-in-code", all policies are defined as python codes, -so we first need to generate policy files with its default rules. -To do this, run the following command after install a corresponding project. + python3 manage.py dump_default_policies \ + --namespace $PROJECT \ + --output-file openstack_dashboard/conf/default_policies/${PROJECT}.yaml -.. 
code-block:: console +* Sample policy files - oslopolicy-sample-generator --namespace $PROJECT --format json \ - --output-file $HORIZON_REPO/openstack_dashboard/conf/$PROJECT_policy.json + Run the following commands after installing a corresponding project. + You need to run it for keystone, nova, cinder, neutron, glance. + + .. code-block:: console + + oslopolicy-sample-generator --namespace keystone \ + --output-file openstack_dashboard/conf/${PROJECT}_policy.yaml + sed -i 's/^"/#"/' openstack_dashboard/conf/${PROJECT}_policy.yaml + + .. note:: + + We now use YAML format for sample policy files now. + "oslo.policy" can accept both YAML and JSON files. + We now support default policies so there is no need to define all + policies using JSON files. YAML files also allows us to use comments, + so we can provide good sample policy files. + This is the same motivation as the Wallaby community goal + `Migrate RBAC Policy Format from JSON to YAML + `__. + + .. note:: + + The second "sed" command is to comment out rules for rule renames. + `oslopolicy-sample-generator` does not comment out them, but they + are unnecessary in horizon usage. A single renaming rule can map + to multiple rules, so it does not work as-is. In addition, + they trigger deprecation warnings in horizon log if these sample + files are used in horizon as-is. + Thus, we comment them out by default. After syncing policies from back-end services, you need to check what are changed. If a policy referred by horizon has been changed, you need to check and modify the horizon code base accordingly. + +.. note:: + + After the support of default policies, the following tool does not work. + It is a future work to make it work again or evaluate the need itself. + To summarize which policies are removed or added, a convenient tool is provided: diff --git a/lower-constraints.txt b/lower-constraints.txt index 832a253541..826e542832 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt 
@@ -56,16 +56,16 @@ os-service-types==1.2.0 osc-lib==1.8.0 oslo.concurrency==3.26.0 oslo.config==5.2.0 -oslo.context==2.19.2 +oslo.context==2.22.0 oslo.i18n==3.15.3 oslo.log==3.36.0 oslo.messaging==5.29.0 oslo.middleware==3.31.0 -oslo.policy==1.30.0 +oslo.policy==3.2.0 oslo.serialization==2.18.0 oslo.service==1.24.0 oslo.upgradecheck==0.1.1 -oslo.utils==3.33.0 +oslo.utils==3.40.0 osprofiler==2.3.0 Paste==2.0.2 PasteDeploy==1.5.0 diff --git a/openstack_auth/defaults.py b/openstack_auth/defaults.py index 845a40e7ce..060390f865 100644 --- a/openstack_auth/defaults.py +++ b/openstack_auth/defaults.py @@ -170,3 +170,4 @@ KEYSTONE_PROVIDER_IDP_ID = 'localkeystone' POLICY_FILES_PATH = '' POLICY_FILES = {} POLICY_DIRS = {} +DEFAULT_POLICY_FILES = {} diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index 69fedf1a1e..2b43ef3a51 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -20,6 +20,7 @@ from django.conf import settings from oslo_config import cfg from oslo_policy import opts as policy_opts from oslo_policy import policy +import yaml from openstack_auth import user as auth_user from openstack_auth import utils as auth_utils 
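Review bot: the lower-constraints hunk raises oslo.policy to 3.2.0 but requirements.txt is not touched in this change; the new code relies on `policy.DeprecatedRule`, `Enforcer.register_defaults` and the `suppress_default_change_warnings` attribute, so please confirm 3.2.0 is the lowest release that has all three and put the same floor in requirements.txt. Likewise `import yaml` now makes PyYAML a hard dependency of openstack_auth; check it is declared in requirements.txt, since this hunk does not add it.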
@@ -55,6 +56,51 @@ def _get_policy_file_with_full_path(service): return policy_file, policy_dirs +def _convert_to_ruledefault(p): + deprecated = p.get('deprecated_rule') + if deprecated: + deprecated_rule = policy.DeprecatedRule(deprecated['name'], + deprecated['check_str']) + else: + deprecated_rule = None + + return policy.RuleDefault( + p['name'], p['check_str'], + description=p['description'], + scope_types=p['scope_types'], + deprecated_rule=deprecated_rule, + deprecated_for_removal=p.get('deprecated_for_removal', False), + deprecated_reason=p.get('deprecated_reason'), + deprecated_since=p.get('deprecated_since'), + ) + + +def _load_default_rules(service, enforcer): + policy_files = settings.DEFAULT_POLICY_FILES + try: + policy_file = os.path.join(_BASE_PATH, policy_files[service]) + except KeyError: + LOG.error('Default policy file for %s is not defined. ' + 'Check DEFAULT_POLICY_FILES setting.', service) + return + + try: + with open(policy_file) as f: + policies = yaml.safe_load(f) + except IOError as e: + LOG.error('Failed to open the policy file for %(service)s %(path)s: ' + '%(reason)s', + {'service': service, 'path': policy_file, 'reason': e}) + return + except yaml.YAMLError as e: + LOG.error('Failed to load the default policies for %(service)s: ' + '%(reason)s', {'service': service, 'reason': e}) + return + + defaults = [_convert_to_ruledefault(p) for p in policies] + enforcer.register_defaults(defaults) + + def _get_enforcer(): global _ENFORCER if not _ENFORCER: @@ -64,6 +110,8 @@ def _get_enforcer(): policy_file, policy_dirs = _get_policy_file_with_full_path(service) conf = _get_policy_conf(policy_file, policy_dirs) enforcer = policy.Enforcer(conf) + enforcer.suppress_default_change_warnings = True + _load_default_rules(service, enforcer) try: enforcer.load_rules() except IOError: diff --git a/openstack_dashboard/conf/cinder_policy.json b/openstack_dashboard/conf/cinder_policy.json deleted file mode 100644 index 8bc3934528..0000000000 
--- a/openstack_dashboard/conf/cinder_policy.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s", - "admin_api": "is_admin:True or (role:admin and is_admin_project:True)", - "volume:attachment_create": "", - "volume:attachment_update": "rule:admin_or_owner", - "volume:attachment_delete": "rule:admin_or_owner", - "volume:attachment_complete": "rule:admin_or_owner", - "volume:multiattach_bootable_volume": "rule:admin_or_owner", - "message:get_all": "rule:admin_or_owner", - "message:get": "rule:admin_or_owner", - "message:delete": "rule:admin_or_owner", - "clusters:get_all": "rule:admin_api", - "clusters:get": "rule:admin_api", - "clusters:update": "rule:admin_api", - "workers:cleanup": "rule:admin_api", - "volume:get_snapshot_metadata": "rule:admin_or_owner", - "volume:update_snapshot_metadata": "rule:admin_or_owner", - "volume:delete_snapshot_metadata": "rule:admin_or_owner", - "volume:get_all_snapshots": "rule:admin_or_owner", - "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", - "volume:create_snapshot": "rule:admin_or_owner", - "volume:get_snapshot": "rule:admin_or_owner", - "volume:update_snapshot": "rule:admin_or_owner", - "volume:delete_snapshot": "rule:admin_or_owner", - "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", - "snapshot_extension:snapshot_actions:update_snapshot_status": "", - "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", - "snapshot_extension:list_manageable": "rule:admin_api", - "snapshot_extension:snapshot_manage": "rule:admin_api", - "snapshot_extension:snapshot_unmanage": "rule:admin_api", - "backup:get_all": "rule:admin_or_owner", - "backup:backup_project_attribute": "rule:admin_api", - "backup:create": "", - "backup:get": "rule:admin_or_owner", - "backup:update": "rule:admin_or_owner", - "backup:delete": "rule:admin_or_owner", - "backup:restore": "rule:admin_or_owner", - "backup:backup-import": 
"rule:admin_api", - "backup:export-import": "rule:admin_api", - "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", - "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", - "group:get_all": "rule:admin_or_owner", - "group:create": "", - "group:get": "rule:admin_or_owner", - "group:update": "rule:admin_or_owner", - "group:group_project_attribute": "rule:admin_api", - "group:group_types_manage": "rule:admin_api", - "group:access_group_types_specs": "rule:admin_api", - "group:group_types_specs": "rule:admin_api", - "group:get_all_group_snapshots": "rule:admin_or_owner", - "group:create_group_snapshot": "", - "group:get_group_snapshot": "rule:admin_or_owner", - "group:delete_group_snapshot": "rule:admin_or_owner", - "group:update_group_snapshot": "rule:admin_or_owner", - "group:group_snapshot_project_attribute": "rule:admin_api", - "group:reset_group_snapshot_status": "rule:admin_or_owner", - "group:delete": "rule:admin_or_owner", - "group:reset_status": "rule:admin_api", - "group:enable_replication": "rule:admin_or_owner", - "group:disable_replication": "rule:admin_or_owner", - "group:failover_replication": "rule:admin_or_owner", - "group:list_replication_targets": "rule:admin_or_owner", - "volume_extension:qos_specs_manage:get_all": "rule:admin_api", - "volume_extension:qos_specs_manage:get": "rule:admin_api", - "volume_extension:qos_specs_manage:create": "rule:admin_api", - "volume_extension:qos_specs_manage:update": "rule:admin_api", - "volume_extension:qos_specs_manage:delete": "rule:admin_api", - "volume_extension:quota_classes": "rule:admin_api", - "volume_extension:quotas:show": "rule:admin_or_owner", - "volume_extension:quotas:update": "rule:admin_api", - "volume_extension:quotas:delete": "rule:admin_api", - "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", - "volume_extension:capabilities": "rule:admin_api", - "volume_extension:services:index": "rule:admin_api", - 
"volume_extension:services:update": "rule:admin_api", - "volume:freeze_host": "rule:admin_api", - "volume:thaw_host": "rule:admin_api", - "volume:failover_host": "rule:admin_api", - "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api", - "volume_extension:hosts": "rule:admin_api", - "limits_extension:used_limits": "rule:admin_or_owner", - "volume_extension:list_manageable": "rule:admin_api", - "volume_extension:volume_manage": "rule:admin_api", - "volume_extension:volume_unmanage": "rule:admin_api", - "volume_extension:types_manage": "rule:admin_api", - "volume_extension:type_get": "", - "volume_extension:type_get_all": "", - "volume_extension:volume_type_encryption": "rule:admin_api", - "volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption", - "volume_extension:access_types_extra_specs": "rule:admin_api", - "volume_extension:access_types_qos_specs_id": "rule:admin_api", - "volume_extension:volume_type_access": "rule:admin_or_owner", - "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", - "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", - "volume:extend": "rule:admin_or_owner", - "volume:extend_attached_volume": "rule:admin_or_owner", - "volume:revert_to_snapshot": "rule:admin_or_owner", - "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", - "volume:retype": "rule:admin_or_owner", - "volume:update_readonly_flag": "rule:admin_or_owner", - "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", - "volume_extension:volume_actions:upload_public": "rule:admin_api", - "volume_extension:volume_actions:upload_image": "rule:admin_or_owner", - 
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", - "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner", - "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner", - "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner", - "volume_extension:volume_actions:reserve": "rule:admin_or_owner", - "volume_extension:volume_actions:unreserve": "rule:admin_or_owner", - "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner", - "volume_extension:volume_actions:attach": "rule:admin_or_owner", - "volume_extension:volume_actions:detach": "rule:admin_or_owner", - "volume:get_all_transfers": "rule:admin_or_owner", - "volume:create_transfer": "rule:admin_or_owner", - "volume:get_transfer": "rule:admin_or_owner", - "volume:accept_transfer": "", - "volume:delete_transfer": "rule:admin_or_owner", - "volume:get_volume_metadata": "rule:admin_or_owner", - "volume:create_volume_metadata": "rule:admin_or_owner", - "volume:update_volume_metadata": "rule:admin_or_owner", - "volume:delete_volume_metadata": "rule:admin_or_owner", - "volume_extension:volume_image_metadata": "rule:admin_or_owner", - "volume:update_volume_admin_metadata": "rule:admin_api", - "volume_extension:types_extra_specs:index": "rule:admin_api", - "volume_extension:types_extra_specs:create": "rule:admin_api", - "volume_extension:types_extra_specs:show": "rule:admin_api", - "volume_extension:types_extra_specs:update": "rule:admin_api", - "volume_extension:types_extra_specs:delete": "rule:admin_api", - "volume:create": "", - "volume:create_from_image": "", - "volume:get": "rule:admin_or_owner", - "volume:get_all": "rule:admin_or_owner", - "volume:update": "rule:admin_or_owner", - "volume:delete": "rule:admin_or_owner", - "volume:force_delete": "rule:admin_api", 
- "volume_extension:volume_host_attribute": "rule:admin_api", - "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", - "volume_extension:volume_mig_status_attribute": "rule:admin_api", - "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", - "volume:multiattach": "rule:admin_or_owner" -} diff --git a/openstack_dashboard/conf/cinder_policy.yaml b/openstack_dashboard/conf/cinder_policy.yaml new file mode 100644 index 0000000000..1d3f0fbaa1 --- /dev/null +++ b/openstack_dashboard/conf/cinder_policy.yaml 
@@ -0,0 +1,646 @@ +# Decides what is required for the 'is_admin:True' check to succeed. +#"context_is_admin": "role:admin" + +# Default rule for most non-Admin APIs. +#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s" + +# Default rule for most Admin APIs. +#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)" + +# Create attachment. +# POST /attachments +#"volume:attachment_create": "" + +# Update attachment. +# PUT /attachments/{attachment_id} +#"volume:attachment_update": "rule:admin_or_owner" + +# Delete attachment. +# DELETE /attachments/{attachment_id} +#"volume:attachment_delete": "rule:admin_or_owner" + +# Mark a volume attachment process as completed (in-use) +# POST /attachments/{attachment_id}/action (os-complete) +#"volume:attachment_complete": "rule:admin_or_owner" + +# Allow multiattach of bootable volumes. +# POST /attachments +#"volume:multiattach_bootable_volume": "rule:admin_or_owner" + +# List messages. +# GET /messages +#"message:get_all": "rule:admin_or_owner" + +# Show message. +# GET /messages/{message_id} +#"message:get": "rule:admin_or_owner" + +# Delete message. +# DELETE /messages/{message_id} +#"message:delete": "rule:admin_or_owner" + +# List clusters. +# GET /clusters +# GET /clusters/detail +#"clusters:get_all": "rule:admin_api" + +# Show cluster. +# GET /clusters/{cluster_id} +#"clusters:get": "rule:admin_api" + +# Update cluster. +# PUT /clusters/{cluster_id} +#"clusters:update": "rule:admin_api" + +# Clean up workers. +# POST /workers/cleanup +#"workers:cleanup": "rule:admin_api" + +# Show snapshot's metadata or one specified metadata with a given key. +# GET /snapshots/{snapshot_id}/metadata +# GET /snapshots/{snapshot_id}/metadata/{key} +#"volume:get_snapshot_metadata": "rule:admin_or_owner" + +# Update snapshot's metadata or one specified metadata with a given +# key. 
+# PUT /snapshots/{snapshot_id}/metadata +# PUT /snapshots/{snapshot_id}/metadata/{key} +#"volume:update_snapshot_metadata": "rule:admin_or_owner" + +# Delete snapshot's specified metadata with a given key. +# DELETE /snapshots/{snapshot_id}/metadata/{key} +#"volume:delete_snapshot_metadata": "rule:admin_or_owner" + +# List snapshots. +# GET /snapshots +# GET /snapshots/detail +#"volume:get_all_snapshots": "rule:admin_or_owner" + +# List or show snapshots with extended attributes. +# GET /snapshots/{snapshot_id} +# GET /snapshots/detail +#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner" + +# Create snapshot. +# POST /snapshots +#"volume:create_snapshot": "rule:admin_or_owner" + +# Show snapshot. +# GET /snapshots/{snapshot_id} +#"volume:get_snapshot": "rule:admin_or_owner" + +# Update snapshot. +# PUT /snapshots/{snapshot_id} +#"volume:update_snapshot": "rule:admin_or_owner" + +# Delete snapshot. +# DELETE /snapshots/{snapshot_id} +#"volume:delete_snapshot": "rule:admin_or_owner" + +# Reset status of a snapshot. +# POST /snapshots/{snapshot_id}/action (os-reset_status) +#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api" + +# Update database fields of snapshot. +# POST /snapshots/{snapshot_id}/action (update_snapshot_status) +#"snapshot_extension:snapshot_actions:update_snapshot_status": "" + +# Force delete a snapshot. +# POST /snapshots/{snapshot_id}/action (os-force_delete) +#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api" + +# List (in detail) of snapshots which are available to manage. +# GET /manageable_snapshots +# GET /manageable_snapshots/detail +#"snapshot_extension:list_manageable": "rule:admin_api" + +# Manage an existing snapshot. +# POST /manageable_snapshots +#"snapshot_extension:snapshot_manage": "rule:admin_api" + +# Stop managing a snapshot. +# POST /snapshots/{snapshot_id}/action (os-unmanage) +#"snapshot_extension:snapshot_unmanage": "rule:admin_api" + +# List backups. 
+# GET /backups +# GET /backups/detail +#"backup:get_all": "rule:admin_or_owner" + +# List backups or show backup with project attributes. +# GET /backups/{backup_id} +# GET /backups/detail +#"backup:backup_project_attribute": "rule:admin_api" + +# Create backup. +# POST /backups +#"backup:create": "" + +# Show backup. +# GET /backups/{backup_id} +#"backup:get": "rule:admin_or_owner" + +# Update backup. +# PUT /backups/{backup_id} +#"backup:update": "rule:admin_or_owner" + +# Delete backup. +# DELETE /backups/{backup_id} +#"backup:delete": "rule:admin_or_owner" + +# Restore backup. +# POST /backups/{backup_id}/restore +#"backup:restore": "rule:admin_or_owner" + +# Import backup. +# POST /backups/{backup_id}/import_record +#"backup:backup-import": "rule:admin_api" + +# Export backup. +# POST /backups/{backup_id}/export_record +#"backup:export-import": "rule:admin_api" + +# Reset status of a backup. +# POST /backups/{backup_id}/action (os-reset_status) +#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api" + +# Force delete a backup. +# POST /backups/{backup_id}/action (os-force_delete) +#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api" + +# List groups. +# GET /groups +# GET /groups/detail +#"group:get_all": "rule:admin_or_owner" + +# Create group. +# POST /groups +#"group:create": "" + +# Show group. +# GET /groups/{group_id} +#"group:get": "rule:admin_or_owner" + +# Update group. +# PUT /groups/{group_id} +#"group:update": "rule:admin_or_owner" + +# List groups or show group with project attributes. +# GET /groups/{group_id} +# GET /groups/detail +#"group:group_project_attribute": "rule:admin_api" + +# Create, update or delete a group type. +# POST /group_types/ +# PUT /group_types/{group_type_id} +# DELETE /group_types/{group_type_id} +#"group:group_types_manage": "rule:admin_api" + +# Show group type with type specs attributes. 
+# GET /group_types/{group_type_id} +#"group:access_group_types_specs": "rule:admin_api" + +# Create, show, update and delete group type spec. +# GET /group_types/{group_type_id}/group_specs/{g_spec_id} +# GET /group_types/{group_type_id}/group_specs +# POST /group_types/{group_type_id}/group_specs +# PUT /group_types/{group_type_id}/group_specs/{g_spec_id} +# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id} +#"group:group_types_specs": "rule:admin_api" + +# List group snapshots. +# GET /group_snapshots +# GET /group_snapshots/detail +#"group:get_all_group_snapshots": "rule:admin_or_owner" + +# Create group snapshot. +# POST /group_snapshots +#"group:create_group_snapshot": "" + +# Show group snapshot. +# GET /group_snapshots/{group_snapshot_id} +#"group:get_group_snapshot": "rule:admin_or_owner" + +# Delete group snapshot. +# DELETE /group_snapshots/{group_snapshot_id} +#"group:delete_group_snapshot": "rule:admin_or_owner" + +# Update group snapshot. +# PUT /group_snapshots/{group_snapshot_id} +#"group:update_group_snapshot": "rule:admin_or_owner" + +# List group snapshots or show group snapshot with project attributes. +# GET /group_snapshots/{group_snapshot_id} +# GET /group_snapshots/detail +#"group:group_snapshot_project_attribute": "rule:admin_api" + +# Reset status of group snapshot. +# POST /group_snapshots/{g_snapshot_id}/action (reset_status) +#"group:reset_group_snapshot_status": "rule:admin_or_owner" + +# Delete group. +# POST /groups/{group_id}/action (delete) +#"group:delete": "rule:admin_or_owner" + +# Reset status of group. +# POST /groups/{group_id}/action (reset_status) +#"group:reset_status": "rule:admin_api" + +# Enable replication. +# POST /groups/{group_id}/action (enable_replication) +#"group:enable_replication": "rule:admin_or_owner" + +# Disable replication. +# POST /groups/{group_id}/action (disable_replication) +#"group:disable_replication": "rule:admin_or_owner" + +# Fail over replication. 
+# POST /groups/{group_id}/action (failover_replication) +#"group:failover_replication": "rule:admin_or_owner" + +# List failover replication. +# POST /groups/{group_id}/action (list_replication_targets) +#"group:list_replication_targets": "rule:admin_or_owner" + +# List qos specs or list all associations. +# GET /qos-specs +# GET /qos-specs/{qos_id}/associations +#"volume_extension:qos_specs_manage:get_all": "rule:admin_api" + +# Show qos specs. +# GET /qos-specs/{qos_id} +#"volume_extension:qos_specs_manage:get": "rule:admin_api" + +# Create qos specs. +# POST /qos-specs +#"volume_extension:qos_specs_manage:create": "rule:admin_api" + +# Update qos specs (including updating association). +# PUT /qos-specs/{qos_id} +# GET /qos-specs/{qos_id}/disassociate_all +# GET /qos-specs/{qos_id}/associate +# GET /qos-specs/{qos_id}/disassociate +#"volume_extension:qos_specs_manage:update": "rule:admin_api" + +# delete qos specs or unset one specified qos key. +# DELETE /qos-specs/{qos_id} +# PUT /qos-specs/{qos_id}/delete_keys +#"volume_extension:qos_specs_manage:delete": "rule:admin_api" + +# Show or update project quota class. +# GET /os-quota-class-sets/{project_id} +# PUT /os-quota-class-sets/{project_id} +#"volume_extension:quota_classes": "rule:admin_api" + +# Show project quota (including usage and default). +# GET /os-quota-sets/{project_id} +# GET /os-quota-sets/{project_id}/default +# GET /os-quota-sets/{project_id}?usage=True +#"volume_extension:quotas:show": "rule:admin_or_owner" + +# Update project quota. +# PUT /os-quota-sets/{project_id} +#"volume_extension:quotas:update": "rule:admin_api" + +# Delete project quota. +# DELETE /os-quota-sets/{project_id} +#"volume_extension:quotas:delete": "rule:admin_api" + +# Validate setup for nested quota. +# GET /os-quota-sets/validate_setup_for_nested_quota_use +#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api" + +# Show backend capabilities. 
+# GET /capabilities/{host_name} +#"volume_extension:capabilities": "rule:admin_api" + +# List all services. +# GET /os-services +#"volume_extension:services:index": "rule:admin_api" + +# Update service, including failover_host, thaw, freeze, disable, +# enable, set-log and get-log actions. +# PUT /os-services/{action} +#"volume_extension:services:update": "rule:admin_api" + +# Freeze a backend host. +# PUT /os-services/freeze +#"volume:freeze_host": "rule:admin_api" + +# Thaw a backend host. +# PUT /os-services/thaw +#"volume:thaw_host": "rule:admin_api" + +# Failover a backend host. +# PUT /os-services/failover_host +#"volume:failover_host": "rule:admin_api" + +# List all backend pools. +# GET /scheduler-stats/get_pools +#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api" + +# List, update or show hosts for a project. +# GET /os-hosts +# PUT /os-hosts/{host_name} +# GET /os-hosts/{host_id} +#"volume_extension:hosts": "rule:admin_api" + +# Show limits with used limit attributes. +# GET /limits +#"limits_extension:used_limits": "rule:admin_or_owner" + +# List (in detail) of volumes which are available to manage. +# GET /manageable_volumes +# GET /manageable_volumes/detail +#"volume_extension:list_manageable": "rule:admin_api" + +# Manage existing volumes. +# POST /manageable_volumes +#"volume_extension:volume_manage": "rule:admin_api" + +# Stop managing a volume. +# POST /volumes/{volume_id}/action (os-unmanage) +#"volume_extension:volume_unmanage": "rule:admin_api" + +# Create, update and delete volume type. +# POST /types +# PUT /types +# DELETE /types +#"volume_extension:types_manage": "rule:admin_api" + +# Get one specific volume type. +# GET /types/{type_id} +#"volume_extension:type_get": "" + +# List volume types. +# GET /types/ +#"volume_extension:type_get_all": "" + +# Base policy for all volume type encryption type operations. 
This +# can be used to set the policies for a volume type's encryption type +# create, show, update, and delete actions in one place, or any of +# those may be set individually using the following policy targets for +# finer grained control. +# POST /types/{type_id}/encryption +# PUT /types/{type_id}/encryption/{encryption_id} +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{key} +# DELETE /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption": "rule:admin_api" + +# Create volume type encryption. +# POST /types/{type_id}/encryption +#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption" + +# Show a volume type's encryption type, show an encryption specs item. +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{key} +#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption" + +# Update volume type encryption. +# PUT /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption" + +# Delete volume type encryption. +# DELETE /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption" + +# List or show volume type with access type extra specs attribute. +# GET /types/{type_id} +# GET /types +#"volume_extension:access_types_extra_specs": "rule:admin_api" + +# List or show volume type with access type qos specs id attribute. +# GET /types/{type_id} +# GET /types +#"volume_extension:access_types_qos_specs_id": "rule:admin_api" + +# Volume type access related APIs. +# GET /types +# GET /types/detail +# GET /types/{type_id} +# POST /types +#"volume_extension:volume_type_access": "rule:admin_or_owner" + +# Add volume type access for project. 
+# POST /types/{type_id}/action (addProjectAccess) +#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api" + +# Remove volume type access for project. +# POST /types/{type_id}/action (removeProjectAccess) +#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api" + +# Extend a volume. +# POST /volumes/{volume_id}/action (os-extend) +#"volume:extend": "rule:admin_or_owner" + +# Extend a attached volume. +# POST /volumes/{volume_id}/action (os-extend) +#"volume:extend_attached_volume": "rule:admin_or_owner" + +# Revert a volume to a snapshot. +# POST /volumes/{volume_id}/action (revert) +#"volume:revert_to_snapshot": "rule:admin_or_owner" + +# Reset status of a volume. +# POST /volumes/{volume_id}/action (os-reset_status) +#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api" + +# Retype a volume. +# POST /volumes/{volume_id}/action (os-retype) +#"volume:retype": "rule:admin_or_owner" + +# Update a volume's readonly flag. +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +#"volume:update_readonly_flag": "rule:admin_or_owner" + +# Force delete a volume. +# POST /volumes/{volume_id}/action (os-force_delete) +#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api" + +# Upload a volume to image with public visibility. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +#"volume_extension:volume_actions:upload_public": "rule:admin_api" + +# Upload a volume to image. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner" + +# Force detach a volume. +# POST /volumes/{volume_id}/action (os-force_detach) +#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api" + +# migrate a volume to a specified host. +# POST /volumes/{volume_id}/action (os-migrate_volume) +#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api" + +# Complete a volume migration. 
+# POST /volumes/{volume_id}/action (os-migrate_volume_completion) +#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api" + +# Initialize volume attachment. +# POST /volumes/{volume_id}/action (os-initialize_connection) +#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner" + +# Terminate volume attachment. +# POST /volumes/{volume_id}/action (os-terminate_connection) +#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner" + +# Roll back volume status to 'in-use'. +# POST /volumes/{volume_id}/action (os-roll_detaching) +#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner" + +# Mark volume as reserved. +# POST /volumes/{volume_id}/action (os-reserve) +#"volume_extension:volume_actions:reserve": "rule:admin_or_owner" + +# Unmark volume as reserved. +# POST /volumes/{volume_id}/action (os-unreserve) +#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner" + +# Begin detach volumes. +# POST /volumes/{volume_id}/action (os-begin_detaching) +#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner" + +# Add attachment metadata. +# POST /volumes/{volume_id}/action (os-attach) +#"volume_extension:volume_actions:attach": "rule:admin_or_owner" + +# Clear attachment metadata. +# POST /volumes/{volume_id}/action (os-detach) +#"volume_extension:volume_actions:detach": "rule:admin_or_owner" + +# List volume transfer. +# GET /os-volume-transfer +# GET /os-volume-transfer/detail +# GET /volume_transfers +# GET /volume-transfers/detail +#"volume:get_all_transfers": "rule:admin_or_owner" + +# Create a volume transfer. +# POST /os-volume-transfer +# POST /volume_transfers +#"volume:create_transfer": "rule:admin_or_owner" + +# Show one specified volume transfer. +# GET /os-volume-transfer/{transfer_id} +# GET /volume-transfers/{transfer_id} +#"volume:get_transfer": "rule:admin_or_owner" + +# Accept a volume transfer. 
+# POST /os-volume-transfer/{transfer_id}/accept +# POST /volume-transfers/{transfer_id}/accept +#"volume:accept_transfer": "" + +# Delete volume transfer. +# DELETE /os-volume-transfer/{transfer_id} +# DELETE /volume-transfers/{transfer_id} +#"volume:delete_transfer": "rule:admin_or_owner" + +# Show volume's metadata or one specified metadata with a given key. +# GET /volumes/{volume_id}/metadata +# GET /volumes/{volume_id}/metadata/{key} +#"volume:get_volume_metadata": "rule:admin_or_owner" + +# Create volume metadata. +# POST /volumes/{volume_id}/metadata +#"volume:create_volume_metadata": "rule:admin_or_owner" + +# Update volume's metadata or one specified metadata with a given key. +# PUT /volumes/{volume_id}/metadata +# PUT /volumes/{volume_id}/metadata/{key} +#"volume:update_volume_metadata": "rule:admin_or_owner" + +# Delete volume's specified metadata with a given key. +# DELETE /volumes/{volume_id}/metadata/{key} +#"volume:delete_volume_metadata": "rule:admin_or_owner" + +# Volume's image metadata related operation, create, delete, show and +# list. +# GET /volumes/detail +# GET /volumes/{volume_id} +# POST /volumes/{volume_id}/action (os-set_image_metadata) +# POST /volumes/{volume_id}/action (os-unset_image_metadata) +#"volume_extension:volume_image_metadata": "rule:admin_or_owner" + +# Update volume admin metadata. It's used in `attach` and `os- +# update_readonly_flag` APIs +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +# POST /volumes/{volume_id}/action (os-attach) +#"volume:update_volume_admin_metadata": "rule:admin_api" + +# List type extra specs. +# GET /types/{type_id}/extra_specs +#"volume_extension:types_extra_specs:index": "rule:admin_api" + +# Create type extra specs. +# POST /types/{type_id}/extra_specs +#"volume_extension:types_extra_specs:create": "rule:admin_api" + +# Show one specified type extra specs. 
+# GET /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:show": "rule:admin_api" + +# Update type extra specs. +# PUT /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:update": "rule:admin_api" + +# Delete type extra specs. +# DELETE /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:delete": "rule:admin_api" + +# Create volume. +# POST /volumes +#"volume:create": "" + +# Create volume from image. +# POST /volumes +#"volume:create_from_image": "" + +# Show volume. +# GET /volumes/{volume_id} +#"volume:get": "rule:admin_or_owner" + +# List volumes or get summary of volumes. +# GET /volumes +# GET /volumes/detail +# GET /volumes/summary +#"volume:get_all": "rule:admin_or_owner" + +# Update volume or update a volume's bootable status. +# PUT /volumes +# POST /volumes/{volume_id}/action (os-set_bootable) +#"volume:update": "rule:admin_or_owner" + +# Delete volume. +# DELETE /volumes/{volume_id} +#"volume:delete": "rule:admin_or_owner" + +# Force Delete a volume. +# DELETE /volumes/{volume_id} +#"volume:force_delete": "rule:admin_api" + +# List or show volume with host attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_host_attribute": "rule:admin_api" + +# List or show volume with tenant attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner" + +# List or show volume with migration status attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_mig_status_attribute": "rule:admin_api" + +# Show volume's encryption metadata. +# GET /volumes/{volume_id}/encryption +# GET /volumes/{volume_id}/encryption/{encryption_key} +#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner" + +# Create multiattach capable volume. +# POST /volumes +#"volume:multiattach": "rule:admin_or_owner" + 
diff --git a/openstack_dashboard/conf/default_policies/README.txt b/openstack_dashboard/conf/default_policies/README.txt new file mode 100644 index 0000000000..98bf8fb7c3 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/README.txt @@ -0,0 +1,12 @@ +This folder contains default policies of back-end services. +They are generated based on policy-in-code in back-end services. +Operators are not expected to edit them. + +To update these files, run the following command: + + python manage.py dump_default_policies \ + --namespace \ + --output-file openstack_dashboard/conf/default_policies/.yaml + + must be a namespace under oslo.policy.policies to query and +we use "keystone", "nova", "cinder", "neutron" and "glance". diff --git a/openstack_dashboard/conf/default_policies/cinder.yaml b/openstack_dashboard/conf/default_policies/cinder.yaml new file mode 100644 index 0000000000..adb540988f --- /dev/null +++ b/openstack_dashboard/conf/default_policies/cinder.yaml 
@@ -0,0 +1,1137 @@ +- check_str: role:admin + description: Decides what is required for the 'is_admin:True' check to succeed. + name: context_is_admin + operations: [] + scope_types: null +- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s + description: Default rule for most non-Admin APIs. + name: admin_or_owner + operations: [] + scope_types: null +- check_str: is_admin:True or (role:admin and is_admin_project:True) + description: Default rule for most Admin APIs. + name: admin_api + operations: [] + scope_types: null +- check_str: '' + description: Create attachment. + name: volume:attachment_create + operations: + - method: POST + path: /attachments + scope_types: null +- check_str: rule:admin_or_owner + description: Update attachment. + name: volume:attachment_update + operations: + - method: PUT + path: /attachments/{attachment_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete attachment. + name: volume:attachment_delete + operations: + - method: DELETE + path: /attachments/{attachment_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Mark a volume attachment process as completed (in-use) + name: volume:attachment_complete + operations: + - method: POST + path: /attachments/{attachment_id}/action (os-complete) + scope_types: null +- check_str: rule:admin_or_owner + description: Allow multiattach of bootable volumes. + name: volume:multiattach_bootable_volume + operations: + - method: POST + path: /attachments + scope_types: null +- check_str: rule:admin_or_owner + description: List messages. + name: message:get_all + operations: + - method: GET + path: /messages + scope_types: null +- check_str: rule:admin_or_owner + description: Show message. + name: message:get + operations: + - method: GET + path: /messages/{message_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete message. 
+ name: message:delete + operations: + - method: DELETE + path: /messages/{message_id} + scope_types: null +- check_str: rule:admin_api + description: List clusters. + name: clusters:get_all + operations: + - method: GET + path: /clusters + - method: GET + path: /clusters/detail + scope_types: null +- check_str: rule:admin_api + description: Show cluster. + name: clusters:get + operations: + - method: GET + path: /clusters/{cluster_id} + scope_types: null +- check_str: rule:admin_api + description: Update cluster. + name: clusters:update + operations: + - method: PUT + path: /clusters/{cluster_id} + scope_types: null +- check_str: rule:admin_api + description: Clean up workers. + name: workers:cleanup + operations: + - method: POST + path: /workers/cleanup + scope_types: null +- check_str: rule:admin_or_owner + description: Show snapshot's metadata or one specified metadata with a given key. + name: volume:get_snapshot_metadata + operations: + - method: GET + path: /snapshots/{snapshot_id}/metadata + - method: GET + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Update snapshot's metadata or one specified metadata with a given key. + name: volume:update_snapshot_metadata + operations: + - method: PUT + path: /snapshots/{snapshot_id}/metadata + - method: PUT + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete snapshot's specified metadata with a given key. + name: volume:delete_snapshot_metadata + operations: + - method: DELETE + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: List snapshots. + name: volume:get_all_snapshots + operations: + - method: GET + path: /snapshots + - method: GET + path: /snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: List or show snapshots with extended attributes. 
+ name: volume_extension:extended_snapshot_attributes + operations: + - method: GET + path: /snapshots/{snapshot_id} + - method: GET + path: /snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Create snapshot. + name: volume:create_snapshot + operations: + - method: POST + path: /snapshots + scope_types: null +- check_str: rule:admin_or_owner + description: Show snapshot. + name: volume:get_snapshot + operations: + - method: GET + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update snapshot. + name: volume:update_snapshot + operations: + - method: PUT + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete snapshot. + name: volume:delete_snapshot + operations: + - method: DELETE + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_api + description: Reset status of a snapshot. + name: volume_extension:snapshot_admin_actions:reset_status + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-reset_status) + scope_types: null +- check_str: '' + description: Update database fields of snapshot. + name: snapshot_extension:snapshot_actions:update_snapshot_status + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (update_snapshot_status) + scope_types: null +- check_str: rule:admin_api + description: Force delete a snapshot. + name: volume_extension:snapshot_admin_actions:force_delete + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_api + description: List (in detail) of snapshots which are available to manage. + name: snapshot_extension:list_manageable + operations: + - method: GET + path: /manageable_snapshots + - method: GET + path: /manageable_snapshots/detail + scope_types: null +- check_str: rule:admin_api + description: Manage an existing snapshot. 
+ name: snapshot_extension:snapshot_manage + operations: + - method: POST + path: /manageable_snapshots + scope_types: null +- check_str: rule:admin_api + description: Stop managing a snapshot. + name: snapshot_extension:snapshot_unmanage + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-unmanage) + scope_types: null +- check_str: rule:admin_or_owner + description: List backups. + name: backup:get_all + operations: + - method: GET + path: /backups + - method: GET + path: /backups/detail + scope_types: null +- check_str: rule:admin_api + description: List backups or show backup with project attributes. + name: backup:backup_project_attribute + operations: + - method: GET + path: /backups/{backup_id} + - method: GET + path: /backups/detail + scope_types: null +- check_str: '' + description: Create backup. + name: backup:create + operations: + - method: POST + path: /backups + scope_types: null +- check_str: rule:admin_or_owner + description: Show backup. + name: backup:get + operations: + - method: GET + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update backup. + name: backup:update + operations: + - method: PUT + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete backup. + name: backup:delete + operations: + - method: DELETE + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Restore backup. + name: backup:restore + operations: + - method: POST + path: /backups/{backup_id}/restore + scope_types: null +- check_str: rule:admin_api + description: Import backup. + name: backup:backup-import + operations: + - method: POST + path: /backups/{backup_id}/import_record + scope_types: null +- check_str: rule:admin_api + description: Export backup. 
+ name: backup:export-import + operations: + - method: POST + path: /backups/{backup_id}/export_record + scope_types: null +- check_str: rule:admin_api + description: Reset status of a backup. + name: volume_extension:backup_admin_actions:reset_status + operations: + - method: POST + path: /backups/{backup_id}/action (os-reset_status) + scope_types: null +- check_str: rule:admin_api + description: Force delete a backup. + name: volume_extension:backup_admin_actions:force_delete + operations: + - method: POST + path: /backups/{backup_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_or_owner + description: List groups. + name: group:get_all + operations: + - method: GET + path: /groups + - method: GET + path: /groups/detail + scope_types: null +- check_str: '' + description: Create group. + name: group:create + operations: + - method: POST + path: /groups + scope_types: null +- check_str: rule:admin_or_owner + description: Show group. + name: group:get + operations: + - method: GET + path: /groups/{group_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update group. + name: group:update + operations: + - method: PUT + path: /groups/{group_id} + scope_types: null +- check_str: rule:admin_api + description: List groups or show group with project attributes. + name: group:group_project_attribute + operations: + - method: GET + path: /groups/{group_id} + - method: GET + path: /groups/detail + scope_types: null +- check_str: rule:admin_api + description: Create, update or delete a group type. + name: group:group_types_manage + operations: + - method: POST + path: /group_types/ + - method: PUT + path: /group_types/{group_type_id} + - method: DELETE + path: /group_types/{group_type_id} + scope_types: null +- check_str: rule:admin_api + description: Show group type with type specs attributes. 
+ name: group:access_group_types_specs + operations: + - method: GET + path: /group_types/{group_type_id} + scope_types: null +- check_str: rule:admin_api + description: Create, show, update and delete group type spec. + name: group:group_types_specs + operations: + - method: GET + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + - method: GET + path: /group_types/{group_type_id}/group_specs + - method: POST + path: /group_types/{group_type_id}/group_specs + - method: PUT + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + - method: DELETE + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + scope_types: null +- check_str: rule:admin_or_owner + description: List group snapshots. + name: group:get_all_group_snapshots + operations: + - method: GET + path: /group_snapshots + - method: GET + path: /group_snapshots/detail + scope_types: null +- check_str: '' + description: Create group snapshot. + name: group:create_group_snapshot + operations: + - method: POST + path: /group_snapshots + scope_types: null +- check_str: rule:admin_or_owner + description: Show group snapshot. + name: group:get_group_snapshot + operations: + - method: GET + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete group snapshot. + name: group:delete_group_snapshot + operations: + - method: DELETE + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update group snapshot. + name: group:update_group_snapshot + operations: + - method: PUT + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_api + description: List group snapshots or show group snapshot with project attributes. 
+ name: group:group_snapshot_project_attribute + operations: + - method: GET + path: /group_snapshots/{group_snapshot_id} + - method: GET + path: /group_snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Reset status of group snapshot. + name: group:reset_group_snapshot_status + operations: + - method: POST + path: /group_snapshots/{g_snapshot_id}/action (reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Delete group. + name: group:delete + operations: + - method: POST + path: /groups/{group_id}/action (delete) + scope_types: null +- check_str: rule:admin_api + description: Reset status of group. + name: group:reset_status + operations: + - method: POST + path: /groups/{group_id}/action (reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Enable replication. + name: group:enable_replication + operations: + - method: POST + path: /groups/{group_id}/action (enable_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: Disable replication. + name: group:disable_replication + operations: + - method: POST + path: /groups/{group_id}/action (disable_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: Fail over replication. + name: group:failover_replication + operations: + - method: POST + path: /groups/{group_id}/action (failover_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: List failover replication. + name: group:list_replication_targets + operations: + - method: POST + path: /groups/{group_id}/action (list_replication_targets) + scope_types: null +- check_str: rule:admin_api + description: List qos specs or list all associations. + name: volume_extension:qos_specs_manage:get_all + operations: + - method: GET + path: /qos-specs + - method: GET + path: /qos-specs/{qos_id}/associations + scope_types: null +- check_str: rule:admin_api + description: Show qos specs. 
+ name: volume_extension:qos_specs_manage:get + operations: + - method: GET + path: /qos-specs/{qos_id} + scope_types: null +- check_str: rule:admin_api + description: Create qos specs. + name: volume_extension:qos_specs_manage:create + operations: + - method: POST + path: /qos-specs + scope_types: null +- check_str: rule:admin_api + description: Update qos specs (including updating association). + name: volume_extension:qos_specs_manage:update + operations: + - method: PUT + path: /qos-specs/{qos_id} + - method: GET + path: /qos-specs/{qos_id}/disassociate_all + - method: GET + path: /qos-specs/{qos_id}/associate + - method: GET + path: /qos-specs/{qos_id}/disassociate + scope_types: null +- check_str: rule:admin_api + description: delete qos specs or unset one specified qos key. + name: volume_extension:qos_specs_manage:delete + operations: + - method: DELETE + path: /qos-specs/{qos_id} + - method: PUT + path: /qos-specs/{qos_id}/delete_keys + scope_types: null +- check_str: rule:admin_api + description: Show or update project quota class. + name: volume_extension:quota_classes + operations: + - method: GET + path: /os-quota-class-sets/{project_id} + - method: PUT + path: /os-quota-class-sets/{project_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show project quota (including usage and default). + name: volume_extension:quotas:show + operations: + - method: GET + path: /os-quota-sets/{project_id} + - method: GET + path: /os-quota-sets/{project_id}/default + - method: GET + path: /os-quota-sets/{project_id}?usage=True + scope_types: null +- check_str: rule:admin_api + description: Update project quota. + name: volume_extension:quotas:update + operations: + - method: PUT + path: /os-quota-sets/{project_id} + scope_types: null +- check_str: rule:admin_api + description: Delete project quota. 
+ name: volume_extension:quotas:delete + operations: + - method: DELETE + path: /os-quota-sets/{project_id} + scope_types: null +- check_str: rule:admin_api + description: Validate setup for nested quota. + name: volume_extension:quota_classes:validate_setup_for_nested_quota_use + operations: + - method: GET + path: /os-quota-sets/validate_setup_for_nested_quota_use + scope_types: null +- check_str: rule:admin_api + description: Show backend capabilities. + name: volume_extension:capabilities + operations: + - method: GET + path: /capabilities/{host_name} + scope_types: null +- check_str: rule:admin_api + description: List all services. + name: volume_extension:services:index + operations: + - method: GET + path: /os-services + scope_types: null +- check_str: rule:admin_api + description: Update service, including failover_host, thaw, freeze, disable, enable, + set-log and get-log actions. + name: volume_extension:services:update + operations: + - method: PUT + path: /os-services/{action} + scope_types: null +- check_str: rule:admin_api + description: Freeze a backend host. + name: volume:freeze_host + operations: + - method: PUT + path: /os-services/freeze + scope_types: null +- check_str: rule:admin_api + description: Thaw a backend host. + name: volume:thaw_host + operations: + - method: PUT + path: /os-services/thaw + scope_types: null +- check_str: rule:admin_api + description: Failover a backend host. + name: volume:failover_host + operations: + - method: PUT + path: /os-services/failover_host + scope_types: null +- check_str: rule:admin_api + description: List all backend pools. + name: scheduler_extension:scheduler_stats:get_pools + operations: + - method: GET + path: /scheduler-stats/get_pools + scope_types: null +- check_str: rule:admin_api + description: List, update or show hosts for a project. 
+ name: volume_extension:hosts + operations: + - method: GET + path: /os-hosts + - method: PUT + path: /os-hosts/{host_name} + - method: GET + path: /os-hosts/{host_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show limits with used limit attributes. + name: limits_extension:used_limits + operations: + - method: GET + path: /limits + scope_types: null +- check_str: rule:admin_api + description: List (in detail) of volumes which are available to manage. + name: volume_extension:list_manageable + operations: + - method: GET + path: /manageable_volumes + - method: GET + path: /manageable_volumes/detail + scope_types: null +- check_str: rule:admin_api + description: Manage existing volumes. + name: volume_extension:volume_manage + operations: + - method: POST + path: /manageable_volumes + scope_types: null +- check_str: rule:admin_api + description: Stop managing a volume. + name: volume_extension:volume_unmanage + operations: + - method: POST + path: /volumes/{volume_id}/action (os-unmanage) + scope_types: null +- check_str: rule:admin_api + description: Create, update and delete volume type. + name: volume_extension:types_manage + operations: + - method: POST + path: /types + - method: PUT + path: /types + - method: DELETE + path: /types + scope_types: null +- check_str: '' + description: Get one specific volume type. + name: volume_extension:type_get + operations: + - method: GET + path: /types/{type_id} + scope_types: null +- check_str: '' + description: List volume types. + name: volume_extension:type_get_all + operations: + - method: GET + path: /types/ + scope_types: null +- check_str: rule:admin_api + description: Base policy for all volume type encryption type operations. This can + be used to set the policies for a volume type's encryption type create, show, + update, and delete actions in one place, or any of those may be set individually + using the following policy targets for finer grained control. 
+ name: volume_extension:volume_type_encryption + operations: + - method: POST + path: /types/{type_id}/encryption + - method: PUT + path: /types/{type_id}/encryption/{encryption_id} + - method: GET + path: /types/{type_id}/encryption + - method: GET + path: /types/{type_id}/encryption/{key} + - method: DELETE + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Create volume type encryption. + name: volume_extension:volume_type_encryption:create + operations: + - method: POST + path: /types/{type_id}/encryption + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Show a volume type's encryption type, show an encryption specs item. + name: volume_extension:volume_type_encryption:get + operations: + - method: GET + path: /types/{type_id}/encryption + - method: GET + path: /types/{type_id}/encryption/{key} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Update volume type encryption. + name: volume_extension:volume_type_encryption:update + operations: + - method: PUT + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Delete volume type encryption. + name: volume_extension:volume_type_encryption:delete + operations: + - method: DELETE + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:admin_api + description: List or show volume type with access type extra specs attribute. + name: volume_extension:access_types_extra_specs + operations: + - method: GET + path: /types/{type_id} + - method: GET + path: /types + scope_types: null +- check_str: rule:admin_api + description: List or show volume type with access type qos specs id attribute. 
+ name: volume_extension:access_types_qos_specs_id + operations: + - method: GET + path: /types/{type_id} + - method: GET + path: /types + scope_types: null +- check_str: rule:admin_or_owner + description: Volume type access related APIs. + name: volume_extension:volume_type_access + operations: + - method: GET + path: /types + - method: GET + path: /types/detail + - method: GET + path: /types/{type_id} + - method: POST + path: /types + scope_types: null +- check_str: rule:admin_api + description: Add volume type access for project. + name: volume_extension:volume_type_access:addProjectAccess + operations: + - method: POST + path: /types/{type_id}/action (addProjectAccess) + scope_types: null +- check_str: rule:admin_api + description: Remove volume type access for project. + name: volume_extension:volume_type_access:removeProjectAccess + operations: + - method: POST + path: /types/{type_id}/action (removeProjectAccess) + scope_types: null +- check_str: rule:admin_or_owner + description: Extend a volume. + name: volume:extend + operations: + - method: POST + path: /volumes/{volume_id}/action (os-extend) + scope_types: null +- check_str: rule:admin_or_owner + description: Extend a attached volume. + name: volume:extend_attached_volume + operations: + - method: POST + path: /volumes/{volume_id}/action (os-extend) + scope_types: null +- check_str: rule:admin_or_owner + description: Revert a volume to a snapshot. + name: volume:revert_to_snapshot + operations: + - method: POST + path: /volumes/{volume_id}/action (revert) + scope_types: null +- check_str: rule:admin_api + description: Reset status of a volume. + name: volume_extension:volume_admin_actions:reset_status + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Retype a volume. 
+ name: volume:retype + operations: + - method: POST + path: /volumes/{volume_id}/action (os-retype) + scope_types: null +- check_str: rule:admin_or_owner + description: Update a volume's readonly flag. + name: volume:update_readonly_flag + operations: + - method: POST + path: /volumes/{volume_id}/action (os-update_readonly_flag) + scope_types: null +- check_str: rule:admin_api + description: Force delete a volume. + name: volume_extension:volume_admin_actions:force_delete + operations: + - method: POST + path: /volumes/{volume_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_api + description: Upload a volume to image with public visibility. + name: volume_extension:volume_actions:upload_public + operations: + - method: POST + path: /volumes/{volume_id}/action (os-volume_upload_image) + scope_types: null +- check_str: rule:admin_or_owner + description: Upload a volume to image. + name: volume_extension:volume_actions:upload_image + operations: + - method: POST + path: /volumes/{volume_id}/action (os-volume_upload_image) + scope_types: null +- check_str: rule:admin_api + description: Force detach a volume. + name: volume_extension:volume_admin_actions:force_detach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-force_detach) + scope_types: null +- check_str: rule:admin_api + description: migrate a volume to a specified host. + name: volume_extension:volume_admin_actions:migrate_volume + operations: + - method: POST + path: /volumes/{volume_id}/action (os-migrate_volume) + scope_types: null +- check_str: rule:admin_api + description: Complete a volume migration. + name: volume_extension:volume_admin_actions:migrate_volume_completion + operations: + - method: POST + path: /volumes/{volume_id}/action (os-migrate_volume_completion) + scope_types: null +- check_str: rule:admin_or_owner + description: Initialize volume attachment. 
+ name: volume_extension:volume_actions:initialize_connection + operations: + - method: POST + path: /volumes/{volume_id}/action (os-initialize_connection) + scope_types: null +- check_str: rule:admin_or_owner + description: Terminate volume attachment. + name: volume_extension:volume_actions:terminate_connection + operations: + - method: POST + path: /volumes/{volume_id}/action (os-terminate_connection) + scope_types: null +- check_str: rule:admin_or_owner + description: Roll back volume status to 'in-use'. + name: volume_extension:volume_actions:roll_detaching + operations: + - method: POST + path: /volumes/{volume_id}/action (os-roll_detaching) + scope_types: null +- check_str: rule:admin_or_owner + description: Mark volume as reserved. + name: volume_extension:volume_actions:reserve + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reserve) + scope_types: null +- check_str: rule:admin_or_owner + description: Unmark volume as reserved. + name: volume_extension:volume_actions:unreserve + operations: + - method: POST + path: /volumes/{volume_id}/action (os-unreserve) + scope_types: null +- check_str: rule:admin_or_owner + description: Begin detach volumes. + name: volume_extension:volume_actions:begin_detaching + operations: + - method: POST + path: /volumes/{volume_id}/action (os-begin_detaching) + scope_types: null +- check_str: rule:admin_or_owner + description: Add attachment metadata. + name: volume_extension:volume_actions:attach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-attach) + scope_types: null +- check_str: rule:admin_or_owner + description: Clear attachment metadata. + name: volume_extension:volume_actions:detach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-detach) + scope_types: null +- check_str: rule:admin_or_owner + description: List volume transfer. 
+ name: volume:get_all_transfers + operations: + - method: GET + path: /os-volume-transfer + - method: GET + path: /os-volume-transfer/detail + - method: GET + path: /volume_transfers + - method: GET + path: /volume-transfers/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Create a volume transfer. + name: volume:create_transfer + operations: + - method: POST + path: /os-volume-transfer + - method: POST + path: /volume_transfers + scope_types: null +- check_str: rule:admin_or_owner + description: Show one specified volume transfer. + name: volume:get_transfer + operations: + - method: GET + path: /os-volume-transfer/{transfer_id} + - method: GET + path: /volume-transfers/{transfer_id} + scope_types: null +- check_str: '' + description: Accept a volume transfer. + name: volume:accept_transfer + operations: + - method: POST + path: /os-volume-transfer/{transfer_id}/accept + - method: POST + path: /volume-transfers/{transfer_id}/accept + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume transfer. + name: volume:delete_transfer + operations: + - method: DELETE + path: /os-volume-transfer/{transfer_id} + - method: DELETE + path: /volume-transfers/{transfer_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume's metadata or one specified metadata with a given key. + name: volume:get_volume_metadata + operations: + - method: GET + path: /volumes/{volume_id}/metadata + - method: GET + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Create volume metadata. + name: volume:create_volume_metadata + operations: + - method: POST + path: /volumes/{volume_id}/metadata + scope_types: null +- check_str: rule:admin_or_owner + description: Update volume's metadata or one specified metadata with a given key. 
+ name: volume:update_volume_metadata + operations: + - method: PUT + path: /volumes/{volume_id}/metadata + - method: PUT + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume's specified metadata with a given key. + name: volume:delete_volume_metadata + operations: + - method: DELETE + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Volume's image metadata related operation, create, delete, show and + list. + name: volume_extension:volume_image_metadata + operations: + - method: GET + path: /volumes/detail + - method: GET + path: /volumes/{volume_id} + - method: POST + path: /volumes/{volume_id}/action (os-set_image_metadata) + - method: POST + path: /volumes/{volume_id}/action (os-unset_image_metadata) + scope_types: null +- check_str: rule:admin_api + description: Update volume admin metadata. It's used in `attach` and `os-update_readonly_flag` + APIs + name: volume:update_volume_admin_metadata + operations: + - method: POST + path: /volumes/{volume_id}/action (os-update_readonly_flag) + - method: POST + path: /volumes/{volume_id}/action (os-attach) + scope_types: null +- check_str: rule:admin_api + description: List type extra specs. + name: volume_extension:types_extra_specs:index + operations: + - method: GET + path: /types/{type_id}/extra_specs + scope_types: null +- check_str: rule:admin_api + description: Create type extra specs. + name: volume_extension:types_extra_specs:create + operations: + - method: POST + path: /types/{type_id}/extra_specs + scope_types: null +- check_str: rule:admin_api + description: Show one specified type extra specs. + name: volume_extension:types_extra_specs:show + operations: + - method: GET + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: rule:admin_api + description: Update type extra specs. 
+ name: volume_extension:types_extra_specs:update + operations: + - method: PUT + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: rule:admin_api + description: Delete type extra specs. + name: volume_extension:types_extra_specs:delete + operations: + - method: DELETE + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: '' + description: Create volume. + name: volume:create + operations: + - method: POST + path: /volumes + scope_types: null +- check_str: '' + description: Create volume from image. + name: volume:create_from_image + operations: + - method: POST + path: /volumes + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume. + name: volume:get + operations: + - method: GET + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_or_owner + description: List volumes or get summary of volumes. + name: volume:get_all + operations: + - method: GET + path: /volumes + - method: GET + path: /volumes/detail + - method: GET + path: /volumes/summary + scope_types: null +- check_str: rule:admin_or_owner + description: Update volume or update a volume's bootable status. + name: volume:update + operations: + - method: PUT + path: /volumes + - method: POST + path: /volumes/{volume_id}/action (os-set_bootable) + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume. + name: volume:delete + operations: + - method: DELETE + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_api + description: Force Delete a volume. + name: volume:force_delete + operations: + - method: DELETE + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_api + description: List or show volume with host attribute. 
+ name: volume_extension:volume_host_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_or_owner + description: List or show volume with tenant attribute. + name: volume_extension:volume_tenant_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_api + description: List or show volume with migration status attribute. + name: volume_extension:volume_mig_status_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume's encryption metadata. + name: volume_extension:volume_encryption_metadata + operations: + - method: GET + path: /volumes/{volume_id}/encryption + - method: GET + path: /volumes/{volume_id}/encryption/{encryption_key} + scope_types: null +- check_str: rule:admin_or_owner + description: Create multiattach capable volume. + name: volume:multiattach + operations: + - method: POST + path: /volumes + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml new file mode 100644 index 0000000000..149d2f9417 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/glance.yaml 
@@ -0,0 +1,280 @@ +- check_str: '' + deprecated_reason: In order to allow operators to accept the default policies from + code by not defining them in the policy file, while still working with old policy + files that rely on the ``default`` rule for policies that are not specified in + the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"`` + when that is the desired default for unspecified rules. + deprecated_rule: + check_str: role:admin + name: default + deprecated_since: Ussuri + description: Defines the default rule used for policies that historically had an + empty policy in the supplied policy.json file. + name: default + operations: [] + scope_types: null +- check_str: role:admin + description: Defines the rule for the is_admin:True check. + name: context_is_admin + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_images + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_image + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: publicize_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: communitize_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: download_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: upload_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_image_location + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_image_location + operations: [] 
+ scope_types: null +- check_str: rule:default + description: null + name: set_image_location + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_members + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_member + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: manage_image_cache + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: deactivate + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: reactivate + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: copy_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_task + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_tasks + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_task + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_task + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: tasks_api_access + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_namespaces + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: 
add_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_objects + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: list_metadef_resource_types + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_resource_type + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_resource_type_association + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: remove_metadef_resource_type_association + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_properties + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: remove_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_tags + 
operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_tags + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_tags + operations: [] + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml new file mode 100644 index 0000000000..17d49fdc55 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/keystone.yaml 
@@ -0,0 +1,2954 @@ +- check_str: role:admin or is_admin:1 + description: null + name: admin_required + operations: [] + scope_types: null +- check_str: role:service + description: null + name: service_role + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:service_role + description: null + name: service_or_admin + operations: [] + scope_types: null +- check_str: user_id:%(user_id)s + description: null + name: owner + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:owner + description: null + name: admin_or_owner + operations: [] + scope_types: null +- check_str: user_id:%(target.token.user_id)s + description: null + name: token_subject + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:token_subject + description: null + name: admin_or_token_subject + operations: [] + scope_types: null +- check_str: rule:service_or_admin or rule:token_subject + description: null + name: service_admin_or_token_subject + operations: [] + scope_types: null +- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s + description: Show access rule details. + name: identity:get_access_rule + operations: + - method: GET + path: /v3/users/{user_id}/access_rules/{access_rule_id} + - method: HEAD + path: /v3/users/{user_id}/access_rules/{access_rule_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s + description: List access rules for a user. + name: identity:list_access_rules + operations: + - method: GET + path: /v3/users/{user_id}/access_rules + - method: HEAD + path: /v3/users/{user_id}/access_rules + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.user.id)s + description: Delete an access_rule. 
+ name: identity:delete_access_rule + operations: + - method: DELETE + path: /v3/users/{user_id}/access_rules/{access_rule_id} + scope_types: + - system + - project +- check_str: rule:admin_required + description: Authorize OAUTH1 request token. + name: identity:authorize_request_token + operations: + - method: PUT + path: /v3/OS-OAUTH1/authorize/{request_token_id} + scope_types: + - project +- check_str: rule:admin_required + description: Get OAUTH1 access token for user by access token ID. + name: identity:get_access_token + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} + scope_types: + - project +- check_str: rule:admin_required + description: Get role for user OAUTH1 access token. + name: identity:get_access_token_role + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} + scope_types: + - project +- check_str: rule:admin_required + description: List OAUTH1 access tokens for user. + name: identity:list_access_tokens + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens + scope_types: + - project +- check_str: rule:admin_required + description: List OAUTH1 access token roles. + name: identity:list_access_token_roles + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles + scope_types: + - project +- check_str: rule:admin_required + description: Delete OAUTH1 access token. + name: identity:delete_access_token + operations: + - method: DELETE + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} + scope_types: + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:get_application_credentials + deprecated_since: T + description: Show application credential details. 
+ name: identity:get_application_credential + operations: + - method: GET + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + - method: HEAD + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_application_credentials + deprecated_since: T + description: List application credentials for a user. + name: identity:list_application_credentials + operations: + - method: GET + path: /v3/users/{user_id}/application_credentials + - method: HEAD + path: /v3/users/{user_id}/application_credentials + scope_types: + - system + - project +- check_str: user_id:%(user_id)s + description: Create an application credential. + name: identity:create_application_credential + operations: + - method: POST + path: /v3/users/{user_id}/application_credentials + scope_types: + - project +- check_str: (role:admin and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:delete_application_credentials + deprecated_since: T + description: Delete an application credential. + name: identity:delete_application_credential + operations: + - method: DELETE + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + scope_types: + - system + - project +- check_str: '' + description: Get service catalog. + name: identity:get_auth_catalog + operations: + - method: GET + path: /v3/auth/catalog + - method: HEAD + path: /v3/auth/catalog + scope_types: null +- check_str: '' + description: List all projects a user has access to via role assignments. 
+ name: identity:get_auth_projects + operations: + - method: GET + path: /v3/auth/projects + - method: HEAD + path: /v3/auth/projects + scope_types: null +- check_str: '' + description: List all domains a user has access to via role assignments. + name: identity:get_auth_domains + operations: + - method: GET + path: /v3/auth/domains + - method: HEAD + path: /v3/auth/domains + scope_types: null +- check_str: '' + description: List systems a user has access to via role assignments. + name: identity:get_auth_system + operations: + - method: GET + path: /v3/auth/system + - method: HEAD + path: /v3/auth/system + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_consumer + deprecated_since: T + description: Show OAUTH1 consumer details. + name: identity:get_consumer + operations: + - method: GET + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_consumers + deprecated_since: T + description: List OAUTH1 consumers. + name: identity:list_consumers + operations: + - method: GET + path: /v3/OS-OAUTH1/consumers + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_consumer + deprecated_since: T + description: Create OAUTH1 consumer. 
+ name: identity:create_consumer + operations: + - method: POST + path: /v3/OS-OAUTH1/consumers + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_consumer + deprecated_since: T + description: Update OAUTH1 consumer. + name: identity:update_consumer + operations: + - method: PATCH + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_consumer + deprecated_since: T + description: Delete OAUTH1 consumer. + name: identity:delete_consumer + operations: + - method: DELETE + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_credential + deprecated_since: S + description: Show credentials details. + name: identity:get_credential + operations: + - method: GET + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_credentials + deprecated_since: S + description: List credentials. 
+ name: identity:list_credentials + operations: + - method: GET + path: /v3/credentials + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_credential + deprecated_since: S + description: Create credential. + name: identity:create_credential + operations: + - method: POST + path: /v3/credentials + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_credential + deprecated_since: S + description: Update credential. + name: identity:update_credential + operations: + - method: PATCH + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_credential + deprecated_since: S + description: Delete credential. + name: identity:delete_credential + operations: + - method: DELETE + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s + or token.project.domain.id:%(target.domain.id)s + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s + name: identity:get_domain + deprecated_since: S + description: Show domain details. 
+ name: identity:get_domain + operations: + - method: GET + path: /v3/domains/{domain_id} + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_domains + deprecated_since: S + description: List domains. + name: identity:list_domains + operations: + - method: GET + path: /v3/domains + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain + deprecated_since: S + description: Create domain. + name: identity:create_domain + operations: + - method: POST + path: /v3/domains + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain + deprecated_since: S + description: Update domain. + name: identity:update_domain + operations: + - method: PATCH + path: /v3/domains/{domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain + deprecated_since: S + description: Delete domain. + name: identity:delete_domain + operations: + - method: DELETE + path: /v3/domains/{domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain_config + deprecated_since: T + description: Create domain configuration. 
+ name: identity:create_domain_config + operations: + - method: PUT + path: /v3/domains/{domain_id}/config + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_config + deprecated_since: T + description: Get the entire domain configuration for a domain, an option group within + a domain, or a specific configuration option within a group for a domain. + name: identity:get_domain_config + operations: + - method: GET + path: /v3/domains/{domain_id}/config + - method: HEAD + path: /v3/domains/{domain_id}/config + - method: GET + path: /v3/domains/{domain_id}/config/{group} + - method: HEAD + path: /v3/domains/{domain_id}/config/{group} + - method: GET + path: /v3/domains/{domain_id}/config/{group}/{option} + - method: HEAD + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: '' + description: Get security compliance domain configuration for either a domain or + a specific option in a domain. + name: identity:get_security_compliance_domain_config + operations: + - method: GET + path: /v3/domains/{domain_id}/config/security_compliance + - method: HEAD + path: /v3/domains/{domain_id}/config/security_compliance + - method: GET + path: v3/domains/{domain_id}/config/security_compliance/{option} + - method: HEAD + path: v3/domains/{domain_id}/config/security_compliance/{option} + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain_config + deprecated_since: T + description: Update domain configuration for either a domain, specific group or + a specific option in a group. 
+ name: identity:update_domain_config + operations: + - method: PATCH + path: /v3/domains/{domain_id}/config + - method: PATCH + path: /v3/domains/{domain_id}/config/{group} + - method: PATCH + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain_config + deprecated_since: T + description: Delete domain configuration for either a domain, specific group or + a specific option in a group. + name: identity:delete_domain_config + operations: + - method: DELETE + path: /v3/domains/{domain_id}/config + - method: DELETE + path: /v3/domains/{domain_id}/config/{group} + - method: DELETE + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_config_default + deprecated_since: T + description: Get domain configuration default for either a domain, specific group + or a specific option in a group. + name: identity:get_domain_config_default + operations: + - method: GET + path: /v3/domains/config/default + - method: HEAD + path: /v3/domains/config/default + - method: GET + path: /v3/domains/config/{group}/default + - method: HEAD + path: /v3/domains/config/{group}/default + - method: GET + path: /v3/domains/config/{group}/{option}/default + - method: HEAD + path: /v3/domains/config/{group}/{option}/default + scope_types: + - system +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + name: identity:ec2_get_credential + deprecated_since: T + description: Show ec2 credential details. + name: identity:ec2_get_credential + operations: + - method: GET + path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:ec2_list_credentials + deprecated_since: T + description: List ec2 credentials. + name: identity:ec2_list_credentials + operations: + - method: GET + path: /v3/users/{user_id}/credentials/OS-EC2 + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or rule:owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:ec2_create_credentials + deprecated_since: T + description: Create ec2 credential. + name: identity:ec2_create_credential + operations: + - method: POST + path: /v3/users/{user_id}/credentials/OS-EC2 + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + name: identity:ec2_delete_credentials + deprecated_since: T + description: Delete ec2 credential. + name: identity:ec2_delete_credential + operations: + - method: DELETE + path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint + deprecated_since: S + description: Show endpoint details. + name: identity:get_endpoint + operations: + - method: GET + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints + deprecated_since: S + description: List endpoints. + name: identity:list_endpoints + operations: + - method: GET + path: /v3/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_endpoint + deprecated_since: S + description: Create endpoint. + name: identity:create_endpoint + operations: + - method: POST + path: /v3/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_endpoint + deprecated_since: S + description: Update endpoint. + name: identity:update_endpoint + operations: + - method: PATCH + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_endpoint + deprecated_since: S + description: Delete endpoint. + name: identity:delete_endpoint + operations: + - method: DELETE + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_endpoint_group + deprecated_since: T + description: Create endpoint group. + name: identity:create_endpoint_group + operations: + - method: POST + path: /v3/OS-EP-FILTER/endpoint_groups + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoint_groups + deprecated_since: T + description: List endpoint groups. + name: identity:list_endpoint_groups + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint_group + deprecated_since: T + description: Get endpoint group. + name: identity:get_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + - method: HEAD + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_endpoint_group + deprecated_since: T + description: Update endpoint group. + name: identity:update_endpoint_group + operations: + - method: PATCH + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_endpoint_group + deprecated_since: T + description: Delete endpoint group. 
+ name: identity:delete_endpoint_group + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects_associated_with_endpoint_group + deprecated_since: T + description: List all projects associated with a specific endpoint group. + name: identity:list_projects_associated_with_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_associated_with_endpoint_group + deprecated_since: T + description: List all endpoints associated with an endpoint group. + name: identity:list_endpoints_associated_with_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint_group_in_project + deprecated_since: T + description: Check if an endpoint group is associated with a project. 
+ name: identity:get_endpoint_group_in_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + - method: HEAD + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoint_groups_for_project + deprecated_since: T + description: List endpoint groups associated with a specific project. + name: identity:list_endpoint_groups_for_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:add_endpoint_group_to_project + deprecated_since: T + description: Allow a project to access an endpoint group. + name: identity:add_endpoint_group_to_project + operations: + - method: PUT + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_endpoint_group_from_project + deprecated_since: T + description: Remove endpoint group from project. 
+ name: identity:remove_endpoint_group_from_project + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_grant + deprecated_since: S + description: Check a role grant between a target and an actor. A target can be either + a domain or a project. An actor can be either a user or a group. These terms also + apply to the OS-INHERIT APIs, where grants on the target are inherited to all + projects in the subtree, if applicable. 
+ name: identity:check_grant + operations: + - method: HEAD + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: GET + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: HEAD + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: GET + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: HEAD + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: GET + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: HEAD + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: GET + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: HEAD + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and 
domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_grants + deprecated_since: S + description: List roles granted to an actor on a target. A target can be either + a domain or a project. An actor can be either a user or a group. For the OS-INHERIT + APIs, it is possible to list inherited role grants for actors on domains, where + grants are inherited to all projects in the specified domain. + name: identity:list_grants + operations: + - method: GET + path: /v3/projects/{project_id}/users/{user_id}/roles + - method: HEAD + path: /v3/projects/{project_id}/users/{user_id}/roles + - method: GET + path: /v3/projects/{project_id}/groups/{group_id}/roles + - method: HEAD + path: /v3/projects/{project_id}/groups/{group_id}/roles + - method: GET + path: /v3/domains/{domain_id}/users/{user_id}/roles + - method: HEAD + path: /v3/domains/{domain_id}/users/{user_id}/roles + - method: GET + path: /v3/domains/{domain_id}/groups/{group_id}/roles + - method: HEAD + path: /v3/domains/{domain_id}/groups/{group_id}/roles + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or 
None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_grant + deprecated_since: S + description: Create a role grant between a target and an actor. A target can be + either a domain or a project. An actor can be either a user or a group. These + terms also apply to the OS-INHERIT APIs, where grants on the target are inherited + to all projects in the subtree, if applicable. + name: identity:create_grant + operations: + - method: PUT + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: PUT + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: PUT + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: PUT + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: PUT + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_grant + deprecated_since: S + description: Revoke a role grant between a target and an actor. A target can be + either a domain or a project. An actor can be either a user or a group. These + terms also apply to the OS-INHERIT APIs, where grants on the target are inherited + to all projects in the subtree, if applicable. In that case, revoking the role + grant in the target would remove the logical effect of inheriting it to the target's + projects subtree. + name: identity:revoke_grant + operations: + - method: DELETE + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: DELETE + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: DELETE + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: DELETE + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: DELETE + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_system_grants_for_user + deprecated_since: S + description: List all grants a specific user has on the system. 
+ name: identity:list_system_grants_for_user + operations: + - method: + - HEAD + - GET + path: /v3/system/users/{user_id}/roles + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_system_grant_for_user + deprecated_since: S + description: Check if a user has a role on the system. + name: identity:check_system_grant_for_user + operations: + - method: + - HEAD + - GET + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_system_grant_for_user + deprecated_since: S + description: Grant a user a role on the system. + name: identity:create_system_grant_for_user + operations: + - method: + - PUT + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_system_grant_for_user + deprecated_since: S + description: Remove a role from a user on the system. + name: identity:revoke_system_grant_for_user + operations: + - method: + - DELETE + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_system_grants_for_group + deprecated_since: S + description: List all grants a specific group has on the system. 
+ name: identity:list_system_grants_for_group + operations: + - method: + - HEAD + - GET + path: /v3/system/groups/{group_id}/roles + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_system_grant_for_group + deprecated_since: S + description: Check if a group has a role on the system. + name: identity:check_system_grant_for_group + operations: + - method: + - HEAD + - GET + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_system_grant_for_group + deprecated_since: S + description: Grant a group a role on the system. + name: identity:create_system_grant_for_group + operations: + - method: + - PUT + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_system_grant_for_group + deprecated_since: S + description: Remove a role from a group on the system. + name: identity:revoke_system_grant_for_group + operations: + - method: + - DELETE + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_group + deprecated_since: S + description: Show group details. 
+ name: identity:get_group + operations: + - method: GET + path: /v3/groups/{group_id} + - method: HEAD + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_groups + deprecated_since: S + description: List groups. + name: identity:list_groups + operations: + - method: GET + path: /v3/groups + - method: HEAD + path: /v3/groups + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) + or user_id:%(user_id)s + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_groups_for_user + deprecated_since: S + description: List groups to which a user belongs. + name: identity:list_groups_for_user + operations: + - method: GET + path: /v3/users/{user_id}/groups + - method: HEAD + path: /v3/users/{user_id}/groups + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_group + deprecated_since: S + description: Create group. + name: identity:create_group + operations: + - method: POST + path: /v3/groups + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_group + deprecated_since: S + description: Update group. 
+ name: identity:update_group + operations: + - method: PATCH + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_group + deprecated_since: S + description: Delete group. + name: identity:delete_group + operations: + - method: DELETE + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_users_in_group + deprecated_since: S + description: List members of a specific group. + name: identity:list_users_in_group + operations: + - method: GET + path: /v3/groups/{group_id}/users + - method: HEAD + path: /v3/groups/{group_id}/users + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_user_from_group + deprecated_since: S + description: Remove user from group. + name: identity:remove_user_from_group + operations: + - method: DELETE + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:check_user_in_group + deprecated_since: S + description: Check whether a user is a member of a group. + name: identity:check_user_in_group + operations: + - method: HEAD + path: /v3/groups/{group_id}/users/{user_id} + - method: GET + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:add_user_to_group + deprecated_since: S + description: Add user to group. + name: identity:add_user_to_group + operations: + - method: PUT + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_identity_providers + deprecated_since: S + description: Create identity provider. + name: identity:create_identity_provider + operations: + - method: PUT + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_identity_providers + deprecated_since: S + description: List identity providers. 
+ name: identity:list_identity_providers + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers + - method: HEAD + path: /v3/OS-FEDERATION/identity_providers + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_identity_providers + deprecated_since: S + description: Get identity provider. + name: identity:get_identity_provider + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + - method: HEAD + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_identity_providers + deprecated_since: S + description: Update identity provider. + name: identity:update_identity_provider + operations: + - method: PATCH + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_identity_providers + deprecated_since: S + description: Delete identity provider. + name: identity:delete_identity_provider + operations: + - method: DELETE + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_implied_role + deprecated_since: T + description: Get information about an association between two roles. 
When a relationship + exists between a prior role and an implied role and the prior role is assigned + to a user, the user also assumes the implied role. + name: identity:get_implied_role + operations: + - method: GET + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_implied_roles + deprecated_since: T + description: List associations between two roles. When a relationship exists between + a prior role and an implied role and the prior role is assigned to a user, the + user also assumes the implied role. This will return all the implied roles that + would be assumed by the user who gets the specified prior role. + name: identity:list_implied_roles + operations: + - method: GET + path: /v3/roles/{prior_role_id}/implies + - method: HEAD + path: /v3/roles/{prior_role_id}/implies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_implied_role + deprecated_since: T + description: Create an association between two roles. When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. + name: identity:create_implied_role + operations: + - method: PUT + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_implied_role + deprecated_since: T + description: Delete the association between two roles. 
When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. Removing the association will cause that + effect to be eliminated. + name: identity:delete_implied_role + operations: + - method: DELETE + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_inference_rules + deprecated_since: T + description: List all associations between two roles in the system. When a relationship + exists between a prior role and an implied role and the prior role is assigned + to a user, the user also assumes the implied role. + name: identity:list_role_inference_rules + operations: + - method: GET + path: /v3/role_inferences + - method: HEAD + path: /v3/role_inferences + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_implied_role + deprecated_since: T + description: Check an association between two roles. When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. + name: identity:check_implied_role + operations: + - method: HEAD + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: '' + description: Get limit enforcement model. 
+ name: identity:get_limit_model + operations: + - method: GET + path: /v3/limits/model + - method: HEAD + path: /v3/limits/model + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s + or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s + and not None:%(target.limit.project_id)s) + description: Show limit details. + name: identity:get_limit + operations: + - method: GET + path: /v3/limits/{limit_id} + - method: HEAD + path: /v3/limits/{limit_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List limits. + name: identity:list_limits + operations: + - method: GET + path: /v3/limits + - method: HEAD + path: /v3/limits + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + description: Create limits. + name: identity:create_limits + operations: + - method: POST + path: /v3/limits + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Update limit. + name: identity:update_limit + operations: + - method: PATCH + path: /v3/limits/{limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Delete limit. + name: identity:delete_limit + operations: + - method: DELETE + path: /v3/limits/{limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_mapping + deprecated_since: S + description: Create a new federated mapping containing one or more sets of rules. 
+ name: identity:create_mapping + operations: + - method: PUT + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_mapping + deprecated_since: S + description: Get a federated mapping. + name: identity:get_mapping + operations: + - method: GET + path: /v3/OS-FEDERATION/mappings/{mapping_id} + - method: HEAD + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_mappings + deprecated_since: S + description: List federated mappings. + name: identity:list_mappings + operations: + - method: GET + path: /v3/OS-FEDERATION/mappings + - method: HEAD + path: /v3/OS-FEDERATION/mappings + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_mapping + deprecated_since: S + description: Delete a federated mapping. + name: identity:delete_mapping + operations: + - method: DELETE + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_mapping + deprecated_since: S + description: Update a federated mapping. 
+ name: identity:update_mapping + operations: + - method: PATCH + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_policy + deprecated_since: T + description: Show policy details. + name: identity:get_policy + operations: + - method: GET + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_policies + deprecated_since: T + description: List policies. + name: identity:list_policies + operations: + - method: GET + path: /v3/policies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy + deprecated_since: T + description: Create policy. + name: identity:create_policy + operations: + - method: POST + path: /v3/policies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_policy + deprecated_since: T + description: Update policy. + name: identity:update_policy + operations: + - method: PATCH + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy + deprecated_since: T + description: Delete policy. 
+ name: identity:delete_policy + operations: + - method: DELETE + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_endpoint + deprecated_since: T + description: Associate a policy to a specific endpoint. + name: identity:create_policy_association_for_endpoint + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_endpoint + deprecated_since: T + description: Check policy association for endpoint. + name: identity:check_policy_association_for_endpoint + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_endpoint + deprecated_since: T + description: Delete policy association for endpoint. + name: identity:delete_policy_association_for_endpoint + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_service + deprecated_since: T + description: Associate a policy to a specific service. + name: identity:create_policy_association_for_service + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_service + deprecated_since: T + description: Check policy association for service. + name: identity:check_policy_association_for_service + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_service + deprecated_since: T + description: Delete policy association for service. + name: identity:delete_policy_association_for_service + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_region_and_service + deprecated_since: T + description: Associate a policy to a specific region and service combination. 
+ name: identity:create_policy_association_for_region_and_service + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_region_and_service + deprecated_since: T + description: Check policy association for region and service. + name: identity:check_policy_association_for_region_and_service + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_region_and_service + deprecated_since: T + description: Delete policy association for region and service. + name: identity:delete_policy_association_for_region_and_service + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_policy_for_endpoint + deprecated_since: T + description: Get policy for endpoint. 
+ name: identity:get_policy_for_endpoint + operations: + - method: GET + path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy + - method: HEAD + path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_for_policy + deprecated_since: T + description: List endpoints for policy. + name: identity:list_endpoints_for_policy + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:get_project + deprecated_since: S + description: Show project details. + name: identity:get_project + operations: + - method: GET + path: /v3/projects/{project_id} + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects + deprecated_since: S + description: List projects. + name: identity:list_projects + operations: + - method: GET + path: /v3/projects + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) + or user_id:%(target.user.id)s + deprecated_reason: The project API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_user_projects + deprecated_since: S + description: List projects for user. + name: identity:list_user_projects + operations: + - method: GET + path: /v3/users/{user_id}/projects + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_project + deprecated_since: S + description: Create project. + name: identity:create_project + operations: + - method: POST + path: /v3/projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_project + deprecated_since: S + description: Update project. + name: identity:update_project + operations: + - method: PATCH + path: /v3/projects/{project_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project + deprecated_since: S + description: Delete project. 
+ name: identity:delete_project + operations: + - method: DELETE + path: /v3/projects/{project_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:list_project_tags + deprecated_since: T + description: List tags for a project. + name: identity:list_project_tags + operations: + - method: GET + path: /v3/projects/{project_id}/tags + - method: HEAD + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:get_project_tag + deprecated_since: T + description: Check if project contains a tag. 
+ name: identity:get_project_tag + operations: + - method: GET + path: /v3/projects/{project_id}/tags/{value} + - method: HEAD + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:update_project_tags + deprecated_since: T + description: Replace all tags on a project with the new set of tags. + name: identity:update_project_tags + operations: + - method: PUT + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:create_project_tag + deprecated_since: T + description: Add a single tag to a project. 
+ name: identity:create_project_tag + operations: + - method: PUT + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project_tags + deprecated_since: T + description: Remove all tags from a project. + name: identity:delete_project_tags + operations: + - method: DELETE + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project_tag + deprecated_since: T + description: Delete a specified tag from project. 
+ name: identity:delete_project_tag + operations: + - method: DELETE + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects_for_endpoint + deprecated_since: T + description: List projects allowed to access an endpoint. + name: identity:list_projects_for_endpoint + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:add_endpoint_to_project + deprecated_since: T + description: Allow project to access an endpoint. 
+ name: identity:add_endpoint_to_project + operations: + - method: PUT + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:check_endpoint_in_project + deprecated_since: T + description: Check if a project is allowed to access an endpoint. + name: identity:check_endpoint_in_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + - method: HEAD + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_for_project + deprecated_since: T + description: List the endpoints a project is allowed to access. 
+ name: identity:list_endpoints_for_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_endpoint_from_project + deprecated_since: T + description: Remove access to an endpoint from a project that has previously been + given explicit access. + name: identity:remove_endpoint_from_project + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_protocol + deprecated_since: S + description: Create federated protocol. + name: identity:create_protocol + operations: + - method: PUT + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_protocol + deprecated_since: S + description: Update federated protocol. 
+ name: identity:update_protocol + operations: + - method: PATCH + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_protocol + deprecated_since: S + description: Get federated protocol. + name: identity:get_protocol + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_protocols + deprecated_since: S + description: List federated protocols. + name: identity:list_protocols + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_protocol + deprecated_since: S + description: Delete federated protocol. + name: identity:delete_protocol + operations: + - method: DELETE + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: '' + description: Show region details. + name: identity:get_region + operations: + - method: GET + path: /v3/regions/{region_id} + - method: HEAD + path: /v3/regions/{region_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List regions. 
+ name: identity:list_regions + operations: + - method: GET + path: /v3/regions + - method: HEAD + path: /v3/regions + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_region + deprecated_since: S + description: Create region. + name: identity:create_region + operations: + - method: POST + path: /v3/regions + - method: PUT + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_region + deprecated_since: S + description: Update region. + name: identity:update_region + operations: + - method: PATCH + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_region + deprecated_since: S + description: Delete region. + name: identity:delete_region + operations: + - method: DELETE + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: '' + description: Show registered limit details. + name: identity:get_registered_limit + operations: + - method: GET + path: /v3/registered_limits/{registered_limit_id} + - method: HEAD + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List registered limits. + name: identity:list_registered_limits + operations: + - method: GET + path: /v3/registered_limits + - method: HEAD + path: /v3/registered_limits + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + description: Create registered limits. 
+ name: identity:create_registered_limits + operations: + - method: POST + path: /v3/registered_limits + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Update registered limit. + name: identity:update_registered_limit + operations: + - method: PATCH + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Delete registered limit. + name: identity:delete_registered_limit + operations: + - method: DELETE + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system +- check_str: rule:service_or_admin + description: List revocation events. + name: identity:list_revoke_events + operations: + - method: GET + path: /v3/OS-REVOKE/events + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_role + deprecated_since: S + description: Show role details. + name: identity:get_role + operations: + - method: GET + path: /v3/roles/{role_id} + - method: HEAD + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_roles + deprecated_since: S + description: List roles. + name: identity:list_roles + operations: + - method: GET + path: /v3/roles + - method: HEAD + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_role + deprecated_since: S + description: Create role. 
+ name: identity:create_role + operations: + - method: POST + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_role + deprecated_since: S + description: Update role. + name: identity:update_role + operations: + - method: PATCH + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_role + deprecated_since: S + description: Delete role. + name: identity:delete_role + operations: + - method: DELETE + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_role + deprecated_since: T + description: Show domain role. + name: identity:get_domain_role + operations: + - method: GET + path: /v3/roles/{role_id} + - method: HEAD + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_domain_roles + deprecated_since: T + description: List domain roles. + name: identity:list_domain_roles + operations: + - method: GET + path: /v3/roles?domain_id={domain_id} + - method: HEAD + path: /v3/roles?domain_id={domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain_role + deprecated_since: T + description: Create domain role. + name: identity:create_domain_role + operations: + - method: POST + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain_role + deprecated_since: T + description: Update domain role. + name: identity:update_domain_role + operations: + - method: PATCH + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain_role + deprecated_since: T + description: Delete domain role. + name: identity:delete_domain_role + operations: + - method: DELETE + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_assignments + deprecated_since: S + description: List role assignments. + name: identity:list_role_assignments + operations: + - method: GET + path: /v3/role_assignments + - method: HEAD + path: /v3/role_assignments + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_assignments_for_tree + deprecated_since: T + description: List all role assignments for a given tree of hierarchical projects. + name: identity:list_role_assignments_for_tree + operations: + - method: GET + path: /v3/role_assignments?include_subtree + - method: HEAD + path: /v3/role_assignments?include_subtree + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_service + deprecated_since: S + description: Show service details. + name: identity:get_service + operations: + - method: GET + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_services + deprecated_since: S + description: List services. + name: identity:list_services + operations: + - method: GET + path: /v3/services + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_service + deprecated_since: S + description: Create service. + name: identity:create_service + operations: + - method: POST + path: /v3/services + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_service + deprecated_since: S + description: Update service. 
+ name: identity:update_service + operations: + - method: PATCH + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_service + deprecated_since: S + description: Delete service. + name: identity:delete_service + operations: + - method: DELETE + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_service_provider + deprecated_since: S + description: Create federated service provider. + name: identity:create_service_provider + operations: + - method: PUT + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_service_providers + deprecated_since: S + description: List federated service providers. + name: identity:list_service_providers + operations: + - method: GET + path: /v3/OS-FEDERATION/service_providers + - method: HEAD + path: /v3/OS-FEDERATION/service_providers + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_service_provider + deprecated_since: S + description: Get federated service provider. 
+ name: identity:get_service_provider + operations: + - method: GET + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + - method: HEAD + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_service_provider + deprecated_since: S + description: Update federated service provider. + name: identity:update_service_provider + operations: + - method: PATCH + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_service_provider + deprecated_since: S + description: Delete federated service provider. + name: identity:delete_service_provider + operations: + - method: DELETE + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: rule:service_or_admin + deprecated_for_removal: true + deprecated_reason: ' + + The identity:revocation_list policy isn''t used to protect any APIs in keystone + + now that the revocation list API has been deprecated and only returns a 410 or + + 403 depending on how keystone is configured. This policy can be safely removed + + from policy files. + + ' + deprecated_since: T + description: List revoked PKI tokens. + name: identity:revocation_list + operations: + - method: GET + path: /v3/auth/tokens/OS-PKI/revoked + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_or_token_subject + name: identity:check_token + deprecated_since: T + description: Check a token. + name: identity:check_token + operations: + - method: HEAD + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:service_admin_or_token_subject + name: identity:validate_token + deprecated_since: T + description: Validate a token. + name: identity:validate_token + operations: + - method: GET + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_token_subject + name: identity:revoke_token + deprecated_since: T + description: Revoke a token. + name: identity:revoke_token + operations: + - method: DELETE + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: user_id:%(trust.trustor_user_id)s + description: Create trust. + name: identity:create_trust + operations: + - method: POST + path: /v3/OS-TRUST/trusts + scope_types: + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_trusts + deprecated_since: T + description: List trusts. + name: identity:list_trusts + operations: + - method: GET + path: /v3/OS-TRUST/trusts + - method: HEAD + path: /v3/OS-TRUST/trusts + scope_types: + - system +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + description: List trusts for trustor. 
+ name: identity:list_trusts_for_trustor + operations: + - method: GET + path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} + - method: HEAD + path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s + description: List trusts for trustee. + name: identity:list_trusts_for_trustee + operations: + - method: GET + path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} + - method: HEAD + path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:list_roles_for_trust + deprecated_since: T + description: List roles delegated by a trust. + name: identity:list_roles_for_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id}/roles + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id}/roles + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:get_role_for_trust + deprecated_since: T + description: Check if trust delegates a particular role. 
+ name: identity:get_role_for_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} + scope_types: + - system + - project +- check_str: role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s + name: identity:delete_trust + deprecated_since: T + description: Revoke trust. + name: identity:delete_trust + operations: + - method: DELETE + path: /v3/OS-TRUST/trusts/{trust_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:get_trust + deprecated_since: T + description: Get trust. + name: identity:get_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id} + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) + or user_id:%(target.user.id)s + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:get_user + deprecated_since: S + description: Show user details. 
+ name: identity:get_user + operations: + - method: GET + path: /v3/users/{user_id} + - method: HEAD + path: /v3/users/{user_id} + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_users + deprecated_since: S + description: List users. + name: identity:list_users + operations: + - method: GET + path: /v3/users + - method: HEAD + path: /v3/users + scope_types: + - system + - domain +- check_str: '' + description: List all projects a user has access to via role assignments. + name: identity:list_projects_for_user + operations: + - method: GET + path: ' /v3/auth/projects' + scope_types: null +- check_str: '' + description: List all domains a user has access to via role assignments. + name: identity:list_domains_for_user + operations: + - method: GET + path: /v3/auth/domains + scope_types: null +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_user + deprecated_since: S + description: Create a user. + name: identity:create_user + operations: + - method: POST + path: /v3/users + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_user + deprecated_since: S + description: Update a user, including administrative password resets. 
+ name: identity:update_user + operations: + - method: PATCH + path: /v3/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_user + deprecated_since: S + description: Delete a user. + name: identity:delete_user + operations: + - method: DELETE + path: /v3/users/{user_id} + scope_types: + - system + - domain diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml new file mode 100644 index 0000000000..5628bf12e1 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/neutron.yaml 
@@ -0,0 +1,1511 @@ +- check_str: role:admin + description: Rule for cloud admin access + name: context_is_admin + operations: [] + scope_types: null +- check_str: tenant_id:%(tenant_id)s + description: Rule for resource owner access + name: owner + operations: [] + scope_types: null +- check_str: rule:context_is_admin or rule:owner + description: Rule for admin or owner access + name: admin_or_owner + operations: [] + scope_types: null +- check_str: role:advsvc + description: Rule for advsvc role access + name: context_is_advsvc + operations: [] + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(network:tenant_id)s + description: Rule for admin or network owner access + name: admin_or_network_owner + operations: [] + scope_types: null +- check_str: rule:owner or rule:admin_or_network_owner + description: Rule for resource owner, admin or network owner access + name: admin_owner_or_network_owner + operations: [] + scope_types: null +- check_str: rule:context_is_admin + description: Rule for admin-only access + name: admin_only + operations: [] + scope_types: null +- check_str: '' + description: Rule for regular user access + name: regular_user + operations: [] + scope_types: null +- check_str: field:networks:shared=True + description: Rule of shared network + name: shared + operations: [] + scope_types: null +- check_str: rule:admin_or_owner + description: Default access rule + name: default + operations: [] + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s + description: Rule for common parent owner check + name: admin_or_ext_parent_owner + operations: [] + scope_types: null +- check_str: field:address_scopes:shared=True + description: Definition of a shared address scope + name: shared_address_scopes + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create an address scope + name: create_address_scope + operations: + - method: POST + path: /address-scopes + 
scope_types: null +- check_str: rule:admin_only + description: Create a shared address scope + name: create_address_scope:shared + operations: + - method: POST + path: /address-scopes + scope_types: null +- check_str: rule:admin_or_owner or rule:shared_address_scopes + description: Get an address scope + name: get_address_scope + operations: + - method: GET + path: /address-scopes + - method: GET + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update an address scope + name: update_address_scope + operations: + - method: PUT + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``shared`` attribute of an address scope + name: update_address_scope:shared + operations: + - method: PUT + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete an address scope + name: delete_address_scope + operations: + - method: DELETE + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_only + description: Get an agent + name: get_agent + operations: + - method: GET + path: /agents + - method: GET + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Update an agent + name: update_agent + operations: + - method: PUT + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete an agent + name: delete_agent + operations: + - method: DELETE + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Add a network to a DHCP agent + name: create_dhcp-network + operations: + - method: POST + path: /agents/{agent_id}/dhcp-networks + scope_types: null +- check_str: rule:admin_only + description: List networks on a DHCP agent + name: get_dhcp-networks + operations: + - method: GET + path: /agents/{agent_id}/dhcp-networks + scope_types: null +- check_str: rule:admin_only + description: Remove a network from a DHCP agent + name: 
delete_dhcp-network + operations: + - method: DELETE + path: /agents/{agent_id}/dhcp-networks/{network_id} + scope_types: null +- check_str: rule:admin_only + description: Add a router to an L3 agent + name: create_l3-router + operations: + - method: POST + path: /agents/{agent_id}/l3-routers + scope_types: null +- check_str: rule:admin_only + description: List routers on an L3 agent + name: get_l3-routers + operations: + - method: GET + path: /agents/{agent_id}/l3-routers + scope_types: null +- check_str: rule:admin_only + description: Remove a router from an L3 agent + name: delete_l3-router + operations: + - method: DELETE + path: /agents/{agent_id}/l3-routers/{router_id} + scope_types: null +- check_str: rule:admin_only + description: List DHCP agents hosting a network + name: get_dhcp-agents + operations: + - method: GET + path: /networks/{network_id}/dhcp-agents + scope_types: null +- check_str: rule:admin_only + description: List L3 agents hosting a router + name: get_l3-agents + operations: + - method: GET + path: /routers/{router_id}/l3-agents + scope_types: null +- check_str: rule:admin_or_owner + description: Get a project's auto-allocated topology + name: get_auto_allocated_topology + operations: + - method: GET + path: /auto-allocated-topology/{project_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a project's auto-allocated topology + name: delete_auto_allocated_topology + operations: + - method: DELETE + path: /auto-allocated-topology/{project_id} + scope_types: null +- check_str: rule:regular_user + description: List availability zones + name: get_availability_zone + operations: + - method: GET + path: /availability_zones + scope_types: null +- check_str: rule:admin_only + description: Create a flavor + name: create_flavor + operations: + - method: POST + path: /flavors + scope_types: null +- check_str: rule:regular_user + description: Get a flavor + name: get_flavor + operations: + - method: GET + path: /flavors + - 
method: GET + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a flavor + name: update_flavor + operations: + - method: PUT + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a flavor + name: delete_flavor + operations: + - method: DELETE + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a service profile + name: create_service_profile + operations: + - method: POST + path: /service_profiles + scope_types: null +- check_str: rule:admin_only + description: Get a service profile + name: get_service_profile + operations: + - method: GET + path: /service_profiles + - method: GET + path: /service_profiles/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a service profile + name: update_service_profile + operations: + - method: PUT + path: /service_profiles/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a service profile + name: delete_service_profile + operations: + - method: DELETE + path: /service_profiles/{id} + scope_types: null +- check_str: rule:regular_user + description: Get a flavor associated with a given service profiles. There is no + corresponding GET operations in API currently. This rule is currently referred + only in the DELETE of flavor_service_profile. 
+ name: get_flavor_service_profile + operations: [] + scope_types: null +- check_str: rule:admin_only + description: Associate a flavor with a service profile + name: create_flavor_service_profile + operations: + - method: POST + path: /flavors/{flavor_id}/service_profiles + scope_types: null +- check_str: rule:admin_only + description: Disassociate a flavor with a service profile + name: delete_flavor_service_profile + operations: + - method: DELETE + path: /flavors/{flavor_id}/service_profiles/{profile_id} + scope_types: null +- check_str: rule:regular_user + description: Create a floating IP + name: create_floatingip + operations: + - method: POST + path: /floatingips + scope_types: null +- check_str: rule:admin_only + description: Create a floating IP with a specific IP address + name: create_floatingip:floating_ip_address + operations: + - method: POST + path: /floatingips + scope_types: null +- check_str: rule:admin_or_owner + description: Get a floating IP + name: get_floatingip + operations: + - method: GET + path: /floatingips + - method: GET + path: /floatingips/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a floating IP + name: update_floatingip + operations: + - method: PUT + path: /floatingips/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a floating IP + name: delete_floatingip + operations: + - method: DELETE + path: /floatingips/{id} + scope_types: null +- check_str: rule:regular_user + description: Get floating IP pools + name: get_floatingip_pool + operations: + - method: GET + path: /floatingip_pools + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Create a floating IP port forwarding + name: create_floatingip_port_forwarding + operations: + - method: POST + path: /floatingips/{floatingip_id}/port_forwardings + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Get a floating IP port forwarding + name: 
get_floatingip_port_forwarding + operations: + - method: GET + path: /floatingips/{floatingip_id}/port_forwardings + - method: GET + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Update a floating IP port forwarding + name: update_floatingip_port_forwarding + operations: + - method: PUT + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Delete a floating IP port forwarding + name: delete_floatingip_port_forwarding + operations: + - method: DELETE + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Create a router conntrack helper + name: create_router_conntrack_helper + operations: + - method: POST + path: /routers/{router_id}/conntrack_helpers + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Get a router conntrack helper + name: get_router_conntrack_helper + operations: + - method: GET + path: /routers/{router_id}/conntrack_helpers + - method: GET + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Update a router conntrack helper + name: update_router_conntrack_helper + operations: + - method: PUT + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Delete a router conntrack helper + name: delete_router_conntrack_helper + operations: + - method: DELETE + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_only + description: Get loggable resources + name: get_loggable_resource + operations: + - method: GET + path: /log/loggable-resources + scope_types: null +- check_str: 
rule:admin_only + description: Create a network log + name: create_log + operations: + - method: POST + path: /log/logs + scope_types: null +- check_str: rule:admin_only + description: Get a network log + name: get_log + operations: + - method: GET + path: /log/logs + - method: GET + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a network log + name: update_log + operations: + - method: PUT + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a network log + name: delete_log + operations: + - method: DELETE + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a metering label + name: create_metering_label + operations: + - method: POST + path: /metering/metering-labels + scope_types: null +- check_str: rule:admin_only + description: Get a metering label + name: get_metering_label + operations: + - method: GET + path: /metering/metering-labels + - method: GET + path: /metering/metering-labels/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a metering label + name: delete_metering_label + operations: + - method: DELETE + path: /metering/metering-labels/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a metering label rule + name: create_metering_label_rule + operations: + - method: POST + path: /metering/metering-label-rules + scope_types: null +- check_str: rule:admin_only + description: Get a metering label rule + name: get_metering_label_rule + operations: + - method: GET + path: /metering/metering-label-rules + - method: GET + path: /metering/metering-label-rules/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a metering label rule + name: delete_metering_label_rule + operations: + - method: DELETE + path: /metering/metering-label-rules/{id} + scope_types: null +- check_str: field:networks:router:external=True + description: Definition of an external 
network + name: external + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create a network + name: create_network + operations: &id001 + - method: POST + path: /networks + scope_types: null +- check_str: rule:admin_only + description: Create a shared network + name: create_network:shared + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Create an external network + name: create_network:router:external + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``is_default`` attribute when creating a network + name: create_network:is_default + operations: *id001 + scope_types: null +- check_str: rule:regular_user + description: Specify ``port_security_enabled`` attribute when creating a network + name: create_network:port_security_enabled + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``segments`` attribute when creating a network + name: create_network:segments + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:network_type`` when creating a network + name: create_network:provider:network_type + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:physical_network`` when creating a network + name: create_network:provider:physical_network + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:segmentation_id`` when creating a network + name: create_network:provider:segmentation_id + operations: *id001 + scope_types: null +- check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc + description: Get a network + name: get_network + operations: &id002 + - method: GET + path: /networks + - method: GET + path: /networks/{id} + scope_types: null +- check_str: rule:regular_user + description: Get ``router:external`` attribute of a network + 
name: get_network:router:external + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``segments`` attribute of a network + name: get_network:segments + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:network_type`` attribute of a network + name: get_network:provider:network_type + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:physical_network`` attribute of a network + name: get_network:provider:physical_network + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:segmentation_id`` attribute of a network + name: get_network:provider:segmentation_id + operations: *id002 + scope_types: null +- check_str: rule:admin_or_owner + description: Update a network + name: update_network + operations: &id003 + - method: PUT + path: /networks/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``segments`` attribute of a network + name: update_network:segments + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``shared`` attribute of a network + name: update_network:shared + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:network_type`` attribute of a network + name: update_network:provider:network_type + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:physical_network`` attribute of a network + name: update_network:provider:physical_network + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:segmentation_id`` attribute of a network + name: update_network:provider:segmentation_id + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``router:external`` attribute of a network + name: update_network:router:external + operations: 
*id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``is_default`` attribute of a network + name: update_network:is_default + operations: *id003 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``port_security_enabled`` attribute of a network + name: update_network:port_security_enabled + operations: *id003 + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a network + name: delete_network + operations: + - method: DELETE + path: /networks/{id} + scope_types: null +- check_str: rule:admin_only + description: Get network IP availability + name: get_network_ip_availability + operations: + - method: GET + path: /network-ip-availabilities + - method: GET + path: /network-ip-availabilities/{network_id} + scope_types: null +- check_str: rule:admin_only + description: Create a network segment range + name: create_network_segment_range + operations: + - method: POST + path: /network_segment_ranges + scope_types: null +- check_str: rule:admin_only + description: Get a network segment range + name: get_network_segment_range + operations: + - method: GET + path: /network_segment_ranges + - method: GET + path: /network_segment_ranges/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a network segment range + name: update_network_segment_range + operations: + - method: PUT + path: /network_segment_ranges/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a network segment range + name: delete_network_segment_range + operations: + - method: DELETE + path: /network_segment_ranges/{id} + scope_types: null +- check_str: 'field:port:device_owner=~^network:' + description: Definition of port with network device_owner + name: network_device + operations: [] + scope_types: null +- check_str: rule:context_is_admin or role:data_plane_integrator + description: Rule for data plane integration + name: admin_or_data_plane_int + operations: [] + scope_types: null 
+- check_str: rule:regular_user + description: Create a port + name: create_port + operations: &id004 + - method: POST + path: /ports + scope_types: null +- check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``device_owner`` attribute when creting a port + name: create_port:device_owner + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``mac_address`` attribute when creating a port + name: create_port:mac_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify ``fixed_ips`` information when creating a port + name: create_port:fixed_ips + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify IP address in ``fixed_ips`` when creating a port + name: create_port:fixed_ips:ip_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify subnet ID in ``fixed_ips`` when creating a port + name: create_port:fixed_ips:subnet_id + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``port_security_enabled`` attribute when creating a port + name: create_port:port_security_enabled + operations: *id004 + scope_types: null +- check_str: rule:admin_only + description: Specify ``binding:host_id`` attribute when creating a port + name: create_port:binding:host_id + operations: *id004 + scope_types: null +- check_str: rule:admin_only + description: Specify ``binding:profile`` attribute when creating a port + name: create_port:binding:profile + operations: *id004 + scope_types: null +- check_str: rule:regular_user + description: Specify ``binding:vnic_type`` attribute when creating a port + name: 
create_port:binding:vnic_type + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``allowed_address_pairs`` attribute when creating a port + name: create_port:allowed_address_pairs + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``mac_address` of `allowed_address_pairs`` attribute when creating + a port + name: create_port:allowed_address_pairs:mac_address + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``ip_address`` of ``allowed_address_pairs`` attribute when + creating a port + name: create_port:allowed_address_pairs:ip_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + description: Get a port + name: get_port + operations: &id005 + - method: GET + path: /ports + - method: GET + path: /ports/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:vif_type`` attribute of a port + name: get_port:binding:vif_type + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:vif_details`` attribute of a port + name: get_port:binding:vif_details + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:host_id`` attribute of a port + name: get_port:binding:host_id + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:profile`` attribute of a port + name: get_port:binding:profile + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``resource_request`` attribute of a port + name: get_port:resource_request + operations: *id005 + scope_types: null +- check_str: rule:admin_or_owner or rule:context_is_advsvc + description: Update a port + name: update_port + operations: &id006 + - method: PUT + path: /ports/{id} + scope_types: null +- check_str: 
not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + description: Update ``device_owner`` attribute of a port + name: update_port:device_owner + operations: *id006 + scope_types: null +- check_str: rule:admin_only or rule:context_is_advsvc + description: Update ``mac_address`` attribute of a port + name: update_port:mac_address + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``fixed_ips`` information when updating a port + name: update_port:fixed_ips + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify IP address in ``fixed_ips`` information when updating a port + name: update_port:fixed_ips:ip_address + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify subnet ID in ``fixed_ips`` information when updating a port + name: update_port:fixed_ips:subnet_id + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Update ``port_security_enabled`` attribute of a port + name: update_port:port_security_enabled + operations: *id006 + scope_types: null +- check_str: rule:admin_only + description: Update ``binding:host_id`` attribute of a port + name: update_port:binding:host_id + operations: *id006 + scope_types: null +- check_str: rule:admin_only + description: Update ``binding:profile`` attribute of a port + name: update_port:binding:profile + operations: *id006 + scope_types: null +- check_str: rule:admin_or_owner or rule:context_is_advsvc + description: Update ``binding:vnic_type`` attribute of a port + name: update_port:binding:vnic_type + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``allowed_address_pairs`` attribute of a port + name: 
update_port:allowed_address_pairs + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``mac_address`` of ``allowed_address_pairs`` attribute of a + port + name: update_port:allowed_address_pairs:mac_address + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``ip_address`` of ``allowed_address_pairs`` attribute of a port + name: update_port:allowed_address_pairs:ip_address + operations: *id006 + scope_types: null +- check_str: rule:admin_or_data_plane_int + description: Update ``data_plane_status`` attribute of a port + name: update_port:data_plane_status + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + description: Delete a port + name: delete_port + operations: + - method: DELETE + path: /ports/{id} + scope_types: null +- check_str: rule:regular_user + description: Get QoS policies + name: get_policy + operations: + - method: GET + path: /qos/policies + - method: GET + path: /qos/policies/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS policy + name: create_policy + operations: + - method: POST + path: /qos/policies + scope_types: null +- check_str: rule:admin_only + description: Update a QoS policy + name: update_policy + operations: + - method: PUT + path: /qos/policies/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS policy + name: delete_policy + operations: + - method: DELETE + path: /qos/policies/{id} + scope_types: null +- check_str: rule:regular_user + description: Get available QoS rule types + name: get_rule_type + operations: + - method: GET + path: /qos/rule-types + - method: GET + path: /qos/rule-types/{rule_type} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS bandwidth limit rule + name: get_policy_bandwidth_limit_rule + operations: + - method: GET + path: 
/qos/policies/{policy_id}/bandwidth_limit_rules + - method: GET + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS bandwidth limit rule + name: create_policy_bandwidth_limit_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/bandwidth_limit_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS bandwidth limit rule + name: update_policy_bandwidth_limit_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS bandwidth limit rule + name: delete_policy_bandwidth_limit_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS DSCP marking rule + name: get_policy_dscp_marking_rule + operations: + - method: GET + path: /qos/policies/{policy_id}/dscp_marking_rules + - method: GET + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS DSCP marking rule + name: create_policy_dscp_marking_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/dscp_marking_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS DSCP marking rule + name: update_policy_dscp_marking_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS DSCP marking rule + name: delete_policy_dscp_marking_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS minimum bandwidth rule + name: get_policy_minimum_bandwidth_rule + operations: + - method: GET + path: 
/qos/policies/{policy_id}/minimum_bandwidth_rules + - method: GET + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS minimum bandwidth rule + name: create_policy_minimum_bandwidth_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/minimum_bandwidth_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS minimum bandwidth rule + name: update_policy_minimum_bandwidth_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS minimum bandwidth rule + name: delete_policy_minimum_bandwidth_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:get_policy_bandwidth_limit_rule + description: Get a QoS bandwidth limit rule through alias + name: get_alias_bandwidth_limit_rule + operations: + - method: GET + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_bandwidth_limit_rule + description: Update a QoS bandwidth limit rule through alias + name: update_alias_bandwidth_limit_rule + operations: + - method: PUT + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_bandwidth_limit_rule + description: Delete a QoS bandwidth limit rule through alias + name: delete_alias_bandwidth_limit_rule + operations: + - method: DELETE + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:get_policy_dscp_marking_rule + description: Get a QoS DSCP marking rule through alias + name: get_alias_dscp_marking_rule + operations: + - method: GET + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_dscp_marking_rule + description: Update a QoS DSCP marking rule 
through alias + name: update_alias_dscp_marking_rule + operations: + - method: PUT + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_dscp_marking_rule + description: Delete a QoS DSCP marking rule through alias + name: delete_alias_dscp_marking_rule + operations: + - method: DELETE + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:get_policy_minimum_bandwidth_rule + description: Get a QoS minimum bandwidth rule through alias + name: get_alias_minimum_bandwidth_rule + operations: + - method: GET + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_minimum_bandwidth_rule + description: Update a QoS minimum bandwidth rule through alias + name: update_alias_minimum_bandwidth_rule + operations: + - method: PUT + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_minimum_bandwidth_rule + description: Delete a QoS minimum bandwidth rule through alias + name: delete_alias_minimum_bandwidth_rule + operations: + - method: DELETE + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:admin_only + description: Get a resource quota + name: get_quota + operations: + - method: GET + path: /quota + - method: GET + path: /quota/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a resource quota + name: update_quota + operations: + - method: PUT + path: /quota/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a resource quota + name: delete_quota + operations: + - method: DELETE + path: /quota/{id} + scope_types: null +- check_str: (not field:rbac_policy:target_tenant=*) or rule:admin_only + description: Definition of a wildcard target_tenant + name: restrict_wildcard + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create an RBAC policy + name: create_rbac_policy 
+ operations: + - method: POST + path: /rbac-policies + scope_types: null +- check_str: rule:restrict_wildcard + description: Specify ``target_tenant`` when creating an RBAC policy + name: create_rbac_policy:target_tenant + operations: + - method: POST + path: /rbac-policies + scope_types: null +- check_str: rule:admin_or_owner + description: Update an RBAC policy + name: update_rbac_policy + operations: + - method: PUT + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:restrict_wildcard and rule:admin_or_owner + description: Update ``target_tenant`` attribute of an RBAC policy + name: update_rbac_policy:target_tenant + operations: + - method: PUT + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Get an RBAC policy + name: get_rbac_policy + operations: + - method: GET + path: /rbac-policies + - method: GET + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete an RBAC policy + name: delete_rbac_policy + operations: + - method: DELETE + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:regular_user + description: Create a router + name: create_router + operations: &id007 + - method: POST + path: /routers + scope_types: null +- check_str: rule:admin_only + description: Specify ``distributed`` attribute when creating a router + name: create_router:distributed + operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``ha`` attribute when creating a router + name: create_router:ha + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Specify ``external_gateway_info`` information when creating a router + name: create_router:external_gateway_info + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Specify ``network_id`` in ``external_gateway_info`` information when + creating a router + name: create_router:external_gateway_info:network_id 
+ operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``enable_snat`` in ``external_gateway_info`` information when + creating a router + name: create_router:external_gateway_info:enable_snat + operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``external_fixed_ips`` in ``external_gateway_info`` information + when creating a router + name: create_router:external_gateway_info:external_fixed_ips + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Get a router + name: get_router + operations: &id008 + - method: GET + path: /routers + - method: GET + path: /routers/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``distributed`` attribute of a router + name: get_router:distributed + operations: *id008 + scope_types: null +- check_str: rule:admin_only + description: Get ``ha`` attribute of a router + name: get_router:ha + operations: *id008 + scope_types: null +- check_str: rule:admin_or_owner + description: Update a router + name: update_router + operations: &id009 + - method: PUT + path: /routers/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``distributed`` attribute of a router + name: update_router:distributed + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``ha`` attribute of a router + name: update_router:ha + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``external_gateway_info`` information of a router + name: update_router:external_gateway_info + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``network_id`` attribute of ``external_gateway_info`` information + of a router + name: update_router:external_gateway_info:network_id + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``enable_snat`` attribute of 
``external_gateway_info`` information + of a router + name: update_router:external_gateway_info:enable_snat + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``external_fixed_ips`` attribute of ``external_gateway_info`` + information of a router + name: update_router:external_gateway_info:external_fixed_ips + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a router + name: delete_router + operations: + - method: DELETE + path: /routers/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Add an interface to a router + name: add_router_interface + operations: + - method: PUT + path: /routers/{id}/add_router_interface + scope_types: null +- check_str: rule:admin_or_owner + description: Remove an interface from a router + name: remove_router_interface + operations: + - method: PUT + path: /routers/{id}/remove_router_interface + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s + description: Rule for admin or security group owner access + name: admin_or_sg_owner + operations: [] + scope_types: null +- check_str: rule:owner or rule:admin_or_sg_owner + description: Rule for resource owner, admin or security group owner access + name: admin_owner_or_sg_owner + operations: [] + scope_types: null +- check_str: rule:admin_or_owner + description: Create a security group + name: create_security_group + operations: + - method: POST + path: /security-groups + scope_types: null +- check_str: rule:regular_user + description: Get a security group + name: get_security_group + operations: + - method: GET + path: /security-groups + - method: GET + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a security group + name: update_security_group + operations: + - method: PUT + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete 
a security group + name: delete_security_group + operations: + - method: DELETE + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Create a security group rule + name: create_security_group_rule + operations: + - method: POST + path: /security-group-rules + scope_types: null +- check_str: rule:admin_owner_or_sg_owner + description: Get a security group rule + name: get_security_group_rule + operations: + - method: GET + path: /security-group-rules + - method: GET + path: /security-group-rules/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a security group rule + name: delete_security_group_rule + operations: + - method: DELETE + path: /security-group-rules/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a segment + name: create_segment + operations: + - method: POST + path: /segments + scope_types: null +- check_str: rule:admin_only + description: Get a segment + name: get_segment + operations: + - method: GET + path: /segments + - method: GET + path: /segments/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a segment + name: update_segment + operations: + - method: PUT + path: /segments/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a segment + name: delete_segment + operations: + - method: DELETE + path: /segments/{id} + scope_types: null +- check_str: rule:regular_user + description: Get service providers + name: get_service_provider + operations: + - method: GET + path: /service-providers + scope_types: null +- check_str: rule:admin_or_network_owner + description: Create a subnet + name: create_subnet + operations: &id010 + - method: POST + path: /subnets + scope_types: null +- check_str: rule:admin_only + description: Specify ``segment_id`` attribute when creating a subnet + name: create_subnet:segment_id + operations: *id010 + scope_types: null +- check_str: rule:admin_only + description: 
Specify ``service_types`` attribute when creating a subnet + name: create_subnet:service_types + operations: *id010 + scope_types: null +- check_str: rule:admin_or_owner or rule:shared + description: Get a subnet + name: get_subnet + operations: &id011 + - method: GET + path: /subnets + - method: GET + path: /subnets/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``segment_id`` attribute of a subnet + name: get_subnet:segment_id + operations: *id011 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update a subnet + name: update_subnet + operations: &id012 + - method: PUT + path: /subnets/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``segment_id`` attribute of a subnet + name: update_subnet:segment_id + operations: *id012 + scope_types: null +- check_str: rule:admin_only + description: Update ``service_types`` attribute of a subnet + name: update_subnet:service_types + operations: *id012 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Delete a subnet + name: delete_subnet + operations: + - method: DELETE + path: /subnets/{id} + scope_types: null +- check_str: field:subnetpools:shared=True + description: Definition of a shared subnetpool + name: shared_subnetpools + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create a subnetpool + name: create_subnetpool + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_only + description: Create a shared subnetpool + name: create_subnetpool:shared + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_only + description: Specify ``is_default`` attribute when creating a subnetpool + name: create_subnetpool:is_default + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_or_owner or rule:shared_subnetpools + description: Get a subnetpool + name: 
get_subnetpool + operations: + - method: GET + path: /subnetpools + - method: GET + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a subnetpool + name: update_subnetpool + operations: + - method: PUT + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``is_default`` attribute of a subnetpool + name: update_subnetpool:is_default + operations: + - method: PUT + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a subnetpool + name: delete_subnetpool + operations: + - method: DELETE + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Onboard existing subnet into a subnetpool + name: onboard_network_subnets + operations: + - method: Put + path: /subnetpools/{id}/onboard_network_subnets + scope_types: null +- check_str: rule:admin_or_owner + description: Add prefixes to a subnetpool + name: add_prefixes + operations: + - method: Put + path: /subnetpools/{id}/add_prefixes + scope_types: null +- check_str: rule:admin_or_owner + description: Remove unallocated prefixes from a subnetpool + name: remove_prefixes + operations: + - method: Put + path: /subnetpools/{id}/remove_prefixes + scope_types: null +- check_str: rule:regular_user + description: Create a trunk + name: create_trunk + operations: + - method: POST + path: /trunks + scope_types: null +- check_str: rule:admin_or_owner + description: Get a trunk + name: get_trunk + operations: + - method: GET + path: /trunks + - method: GET + path: /trunks/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a trunk + name: update_trunk + operations: + - method: PUT + path: /trunks/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a trunk + name: delete_trunk + operations: + - method: DELETE + path: /trunks/{id} + scope_types: null +- check_str: rule:regular_user + description: List 
subports attached to a trunk + name: get_subports + operations: + - method: GET + path: /trunks/{id}/get_subports + scope_types: null +- check_str: rule:admin_or_owner + description: Add subports to a trunk + name: add_subports + operations: + - method: PUT + path: /trunks/{id}/add_subports + scope_types: null +- check_str: rule:admin_or_owner + description: Delete subports from a trunk + name: remove_subports + operations: + - method: PUT + path: /trunks/{id}/remove_subports + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml new file mode 100644 index 0000000000..5f7f5700cc --- /dev/null +++ b/openstack_dashboard/conf/default_policies/nova.yaml 
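Review bot: several upstream artefacts are carried into this generated neutron.yaml and should be fixed by regenerating from a corrected neutron rather than by hand: the three subnetpool actions (``onboard_network_subnets``, ``add_prefixes``, ``remove_prefixes``) use ``method: Put`` while every other entry uses upper-case ``PUT``; the ``create_port:device_owner`` description reads "when creting a port"; ``create_port:allowed_address_pairs:mac_address`` has unbalanced RST markup ("``mac_address` of `allowed_address_pairs``"); and the QoS alias paths end in a trailing slash (``/qos/alias_bandwidth_limit_rules/{rule_id}/``) unlike the non-alias paths. Since settings.rst now tells operators these files are generated from the back-end defaults, it would help to record in the file (or in the commit message) which neutron revision and generator produced it so the next refresh is reproducible. Note also that every neutron entry has ``scope_types: null``, so the Horizon loader must tolerate a missing scope list and must not treat it as "system only"; the descriptions reference rules such as ``rule:admin_or_owner``, ``rule:shared`` and ``rule:admin_owner_or_network_owner`` that are defined earlier in the file, so the loader has to register the whole file before evaluating any ``rule:`` reference.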
@@ -0,0 +1,3103 @@ +- check_str: role:admin + description: Decides what is required for the 'is_admin:True' check to succeed. + name: context_is_admin + operations: [] + scope_types: null +- check_str: is_admin:True or project_id:%(project_id)s + deprecated_for_removal: true + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 + description: Default rule for most non-Admin APIs. + name: admin_or_owner + operations: [] + scope_types: null +- check_str: is_admin:True + deprecated_for_removal: true + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 + description: Default rule for most Admin APIs. + name: admin_api + operations: [] + scope_types: null +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for System Admin APIs. + name: system_admin_api + operations: [] + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for System level read only APIs. 
+ name: system_reader_api + operations: [] + scope_types: null +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for Project level admin APIs. + name: project_admin_api + operations: [] + scope_types: null +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for Project level non admin APIs. + name: project_member_api + operations: [] + scope_types: null +- check_str: role:reader and project_id:%(project_id)s + description: Default rule for Project level read only APIs. + name: project_reader_api + operations: [] + scope_types: null +- check_str: rule:system_admin_api or rule:project_member_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for System admin+owner APIs. + name: system_admin_or_owner + operations: [] + scope_types: null +- check_str: rule:system_reader_api or rule:project_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for System+Project read only APIs. + name: system_or_project_reader + operations: [] + scope_types: null +- check_str: rule:system_admin_api + description: Reset the state of a given server + name: os_compute_api:os-admin-actions:reset_state + operations: + - method: POST + path: /servers/{server_id}/action (os-resetState) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Inject network information into the server + name: os_compute_api:os-admin-actions:inject_network_info + operations: + - method: POST + path: /servers/{server_id}/action (injectNetworkInfo) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Reset networking on a server + name: os_compute_api:os-admin-actions:reset_network + operations: + - method: POST + path: /servers/{server_id}/action (resetNetwork) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Change the administrative password for a server + name: os_compute_api:os-admin-password + operations: + - method: POST + path: /servers/{server_id}/action (changePassword) + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'List guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. 
+ + ' + name: os_compute_api:os-agents:list + operations: + - method: GET + path: /os-agents + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Create guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. + + ' + name: os_compute_api:os-agents:create + operations: + - method: POST + path: /os-agents + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Update guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. + + ' + name: os_compute_api:os-agents:update + operations: + - method: PUT + path: /os-agents/{agent_build_id} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Delete guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. 
+ + ' + name: os_compute_api:os-agents:delete + operations: + - method: DELETE + path: /os-agents/{agent_build_id} + scope_types: + - system +- check_str: rule:system_admin_api + description: Create or replace metadata for an aggregate + name: os_compute_api:os-aggregates:set_metadata + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (set_metadata) + scope_types: + - system +- check_str: rule:system_admin_api + description: Add a host to an aggregate + name: os_compute_api:os-aggregates:add_host + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (add_host) + scope_types: + - system +- check_str: rule:system_admin_api + description: Create an aggregate + name: os_compute_api:os-aggregates:create + operations: + - method: POST + path: /os-aggregates + scope_types: + - system +- check_str: rule:system_admin_api + description: Remove a host from an aggregate + name: os_compute_api:os-aggregates:remove_host + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (remove_host) + scope_types: + - system +- check_str: rule:system_admin_api + description: Update name and/or availability zone for an aggregate + name: os_compute_api:os-aggregates:update + operations: + - method: PUT + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: List all aggregates + name: os_compute_api:os-aggregates:index + operations: + - method: GET + path: /os-aggregates + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an aggregate + name: os_compute_api:os-aggregates:delete + operations: + - method: DELETE + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: Show details for an aggregate + name: os_compute_api:os-aggregates:show + operations: + - method: GET + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_admin_api + 
description: Request image caching for an aggregate + name: compute:aggregates:images + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/images + scope_types: + - system +- check_str: rule:system_admin_api + description: Create an assisted volume snapshot + name: os_compute_api:os-assisted-volume-snapshots:create + operations: + - method: POST + path: /os-assisted-volume-snapshots + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an assisted volume snapshot + name: os_compute_api:os-assisted-volume-snapshots:delete + operations: + - method: DELETE + path: /os-assisted-volume-snapshots/{snapshot_id} + scope_types: + - system +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: List port interfaces attached to a server + name: os_compute_api:os-attach-interfaces:list + operations: + - method: GET + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Show details of a port interface attached to a server + name: os_compute_api:os-attach-interfaces:show + operations: + - method: GET + path: /servers/{server_id}/os-interface/{port_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Attach an interface to a server + name: os_compute_api:os-attach-interfaces:create + operations: + - method: POST + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Detach an interface from a server + name: os_compute_api:os-attach-interfaces:delete + operations: + - method: DELETE + path: /servers/{server_id}/os-interface/{port_id} + scope_types: + - system + - project +- check_str: '@' + description: List availability zone information without host information + name: os_compute_api:os-availability-zone:list + operations: + - method: GET + path: /os-availability-zone + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List detailed availability zone information with host information + name: os_compute_api:os-availability-zone:detail + operations: + - method: GET + path: /os-availability-zone/detail + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-baremetal-nodes + deprecated_since: 22.0.0 + description: 'List and show details of bare metal nodes. + + + These APIs are proxy calls to the Ironic service and are deprecated. + + ' + name: os_compute_api:os-baremetal-nodes:list + operations: + - method: GET + path: /os-baremetal-nodes + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-baremetal-nodes + deprecated_since: 22.0.0 + description: Show action details for a server. 
+ name: os_compute_api:os-baremetal-nodes:show + operations: + - method: GET + path: /os-baremetal-nodes/{node_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: Show console connection information for a given console authentication + token + name: os_compute_api:os-console-auth-tokens + operations: + - method: GET + path: /os-console-auth-tokens/{console_token} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Show console output for a server + name: os_compute_api:os-console-output + operations: + - method: POST + path: /servers/{server_id}/action (os-getConsoleOutput) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create a back up of a server + name: os_compute_api:os-create-backup + operations: + - method: POST + path: /servers/{server_id}/action (createBackup) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-deferred-delete + deprecated_since: 21.0.0 + description: Restore a soft deleted server + name: os_compute_api:os-deferred-delete:restore + operations: + - method: POST + path: /servers/{server_id}/action (restore) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-deferred-delete + deprecated_since: 21.0.0 + description: Force delete a server before deferred cleanup + name: os_compute_api:os-deferred-delete:force + operations: + - method: POST + path: /servers/{server_id}/action (forceDelete) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Evacuate a server from a failed host to a new host + name: os_compute_api:os-evacuate + operations: + - method: POST + path: /servers/{server_id}/action (evacuate) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: 'Return extended attributes for server. + + + This rule will control the visibility for a set of servers attributes: + + + - ``OS-EXT-SRV-ATTR:host`` + + - ``OS-EXT-SRV-ATTR:instance_name`` + + - ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3) + + + Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}`` + + and ``POST /servers/{server_id}/action (rebuild)`` API responses which are + + also controlled by this policy rule, like the ``GET /servers*`` APIs. 
+ + ' + name: os_compute_api:os-extended-server-attributes + operations: + - method: GET + path: /servers/{id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: '@' + description: List available extensions and show information for an extension by + alias + name: os_compute_api:extensions + operations: + - method: GET + path: /extensions + - method: GET + path: /extensions/{alias} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Add flavor access to a tenant + name: os_compute_api:os-flavor-access:add_tenant_access + operations: + - method: POST + path: /flavors/{flavor_id}/action (addTenantAccess) + scope_types: + - system +- check_str: rule:system_admin_api + description: Remove flavor access from a tenant + name: os_compute_api:os-flavor-access:remove_tenant_access + operations: + - method: POST + path: /flavors/{flavor_id}/action (removeTenantAccess) + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-flavor-access + deprecated_since: 21.0.0 + description: 'List flavor access information + + + Allows access to the full list of tenants that have access + + to a flavor via an os-flavor-access API. 
+ + ' + name: os_compute_api:os-flavor-access + operations: + - method: GET + path: /flavors/{flavor_id}/os-flavor-access + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:show + operations: + - method: GET + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create extra specs for a flavor + name: os_compute_api:os-flavor-extra-specs:create + operations: + - method: POST + path: /flavors/{flavor_id}/os-extra_specs/ + scope_types: + - system +- check_str: rule:system_admin_api + description: Update an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:update + operations: + - method: PUT + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:delete + operations: + - method: DELETE + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: List extra specs for a flavor. Starting with microversion 2.47, the + flavor used for a server is also returned in the response when showing server + details, updating a server or rebuilding a server. Starting with microversion + 2.61, extra specs may be returned in responses for the flavor resource. 
+ name: os_compute_api:os-flavor-extra-specs:index + operations: + - method: GET + path: /flavors/{flavor_id}/os-extra_specs/ + - method: GET + path: /servers/detail + - method: GET + path: /servers/{server_id} + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + - method: POST + path: /flavors + - method: GET + path: /flavors/detail + - method: GET + path: /flavors/{flavor_id} + - method: PUT + path: /flavors/{flavor_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create a flavor + name: os_compute_api:os-flavor-manage:create + operations: + - method: POST + path: /flavors + scope_types: + - system +- check_str: rule:system_admin_api + description: Update a flavor + name: os_compute_api:os-flavor-manage:update + operations: + - method: PUT + path: /flavors/{flavor_id} + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete a flavor + name: os_compute_api:os-flavor-manage:delete + operations: + - method: DELETE + path: /flavors/{flavor_id} + scope_types: + - system +- check_str: '@' + description: List floating IP pools. This API is deprecated. + name: os_compute_api:os-floating-ip-pools + operations: + - method: GET + path: /os-floating-ip-pools + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Associate floating IPs to server. This API is deprecated. 
+ name: os_compute_api:os-floating-ips:add + operations: + - method: POST + path: /servers/{server_id}/action (addFloatingIp) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Disassociate floating IPs to server. This API is deprecated. + name: os_compute_api:os-floating-ips:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeFloatingIp) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: List floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:list + operations: + - method: GET + path: /os-floating-ips + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Create floating IPs. This API is deprecated. 
+ name: os_compute_api:os-floating-ips:create + operations: + - method: POST + path: /os-floating-ips + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Show floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:show + operations: + - method: GET + path: /os-floating-ips/{floating_ip_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Delete floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:delete + operations: + - method: DELETE + path: /os-floating-ips/{floating_ip_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'List physical hosts. + + + This API is deprecated in favor of os-hypervisors and os-services.' 
+ name: os_compute_api:os-hosts:list + operations: + - method: GET + path: /os-hosts + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Show physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:show + operations: + - method: GET + path: /os-hosts/{host_name} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Update physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:update + operations: + - method: PUT + path: /os-hosts/{host_name} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Reboot physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' 
+ name: os_compute_api:os-hosts:reboot + operations: + - method: GET + path: /os-hosts/{host_name}/reboot + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Shutdown physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:shutdown + operations: + - method: GET + path: /os-hosts/{host_name}/shutdown + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Start physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:start + operations: + - method: GET + path: /os-hosts/{host_name}/startup + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all hypervisors. + name: os_compute_api:os-hypervisors:list + operations: + - method: GET + path: /os-hypervisors + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all hypervisors with details + name: os_compute_api:os-hypervisors:list-detail + operations: + - method: GET + path: /os-hypervisors/details + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show summary statistics for all hypervisors over all compute nodes. + name: os_compute_api:os-hypervisors:statistics + operations: + - method: GET + path: /os-hypervisors/statistics + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show details for a hypervisor. + name: os_compute_api:os-hypervisors:show + operations: + - method: GET + path: /os-hypervisors/{hypervisor_id} + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show the uptime of a hypervisor. 
+ name: os_compute_api:os-hypervisors:uptime + operations: + - method: GET + path: /os-hypervisors/{hypervisor_id}/uptime + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Search hypervisor by hypervisor_hostname pattern. + name: os_compute_api:os-hypervisors:search + operations: + - method: GET + path: /os-hypervisors/{hypervisor_hostname_pattern}/search + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all servers on hypervisors that can match the provided hypervisor_hostname + pattern. + name: os_compute_api:os-hypervisors:servers + operations: + - method: GET + path: /os-hypervisors/{hypervisor_hostname_pattern}/servers + scope_types: + - system +- check_str: rule:system_reader_api + description: 'Add "details" key in action events for a server. + + + This check is performed only after the check + + os_compute_api:os-instance-actions:show passes. Beginning with Microversion + + 2.84, new field ''details'' is exposed via API which can have more details about + + event failure. That field is controlled by this policy which is system reader + + by default. Making the ''details'' field visible to the non-admin user helps to + + understand the nature of the problem (i.e. 
if the action can be retried), + + but in the other hand it might leak information about the deployment + + (e.g. the type of the hypervisor). + + ' + name: os_compute_api:os-instance-actions:events:details + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: 'Add events details in action details for a server. + + This check is performed only after the check + + os_compute_api:os-instance-actions:show passes. Beginning with Microversion + + 2.51, events details are always included; traceback information is provided + + per event if policy enforcement passes. Beginning with Microversion 2.62, + + each event includes a hashed host identifier and, if policy enforcement + + passes, the name of the host.' + name: os_compute_api:os-instance-actions:events + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-instance-actions + deprecated_since: 21.0.0 + description: List actions for a server. + name: os_compute_api:os-instance-actions:list + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-instance-actions + deprecated_since: 21.0.0 + description: Show action details for a server. + name: os_compute_api:os-instance-actions:show + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-instance-usage-audit-log + deprecated_since: 21.0.0 + description: List all usage audits. + name: os_compute_api:os-instance-usage-audit-log:list + operations: + - method: GET + path: /os-instance_usage_audit_log + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-instance-usage-audit-log + deprecated_since: 21.0.0 + description: List all usage audits occurred before a specified time for all servers + on all compute hosts where usage auditing is configured + name: os_compute_api:os-instance-usage-audit-log:show + operations: + - method: GET + path: /os-instance_usage_audit_log/{before_timestamp} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show IP addresses details for a network label of a server + name: os_compute_api:ips:show + operations: + - method: GET + path: /servers/{server_id}/ips/{network_label} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List IP addresses that are assigned to a server + name: os_compute_api:ips:index + operations: + - method: GET + path: /servers/{server_id}/ips + scope_types: + - system + - project +- check_str: (rule:system_reader_api) or user_id:%(user_id)s + description: List all keypairs + name: os_compute_api:os-keypairs:index + operations: + - method: GET + path: /os-keypairs + scope_types: + - system + - project +- check_str: (rule:system_admin_api) or user_id:%(user_id)s + description: Create a keypair + name: os_compute_api:os-keypairs:create + operations: + - method: POST + path: /os-keypairs + scope_types: + - system + - project +- check_str: (rule:system_admin_api) or user_id:%(user_id)s + description: Delete a keypair + name: os_compute_api:os-keypairs:delete + operations: + - method: DELETE + path: /os-keypairs/{keypair_name} + scope_types: + - system + - project +- check_str: (rule:system_reader_api) or user_id:%(user_id)s + description: Show details of a keypair + name: os_compute_api:os-keypairs:show + operations: + - method: GET + path: /os-keypairs/{keypair_name} + scope_types: + - system + - project +- check_str: '@' + description: Show rate and absolute limits for the current user project + name: 
os_compute_api:limits + operations: + - method: GET + path: /limits + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-used-limits + deprecated_since: 21.0.0 + description: 'Show rate and absolute limits of other project. + + + This policy only checks if the user has access to the requested + + project limits. And this check is performed only after the check + + os_compute_api:limits passes' + name: os_compute_api:limits:other_project + operations: + - method: GET + path: /limits + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Lock a server + name: os_compute_api:os-lock-server:lock + operations: + - method: POST + path: /servers/{server_id}/action (lock) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unlock a server + name: os_compute_api:os-lock-server:unlock + operations: + - method: POST + path: /servers/{server_id}/action (unlock) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: 'Unlock a server, regardless who locked the server. 
+ + + This check is performed only after the check + + os_compute_api:os-lock-server:unlock passes' + name: os_compute_api:os-lock-server:unlock:unlock_override + operations: + - method: POST + path: /servers/{server_id}/action (unlock) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Cold migrate a server to a host + name: os_compute_api:os-migrate-server:migrate + operations: + - method: POST + path: /servers/{server_id}/action (migrate) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Live migrate a server to a new host without a reboot + name: os_compute_api:os-migrate-server:migrate_live + operations: + - method: POST + path: /servers/{server_id}/action (os-migrateLive) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List migrations + name: os_compute_api:os-migrations:index + operations: + - method: GET + path: /os-migrations + scope_types: + - system +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-multinic + deprecated_since: 22.0.0 + description: 'Add a fixed IP address to a server. + + + This API is proxy calls to the Network service. This is + + deprecated.' + name: os_compute_api:os-multinic:add + operations: + - method: POST + path: /servers/{server_id}/action (addFixedIp) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-multinic + deprecated_since: 22.0.0 + description: 'Remove a fixed IP address from a server. + + + This API is proxy calls to the Network service. This is + + deprecated.' + name: os_compute_api:os-multinic:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeFixedIp) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-networks:view + deprecated_since: 22.0.0 + description: 'List networks for the project. + + + This API is proxy calls to the Network service. This is deprecated.' + name: os_compute_api:os-networks:list + operations: + - method: GET + path: /os-networks + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-networks:view + deprecated_since: 22.0.0 + description: 'Show network details. + + + This API is proxy calls to the Network service. This is deprecated.' 
+ name: os_compute_api:os-networks:show + operations: + - method: GET + path: /os-networks/{network_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Pause a server + name: os_compute_api:os-pause-server:pause + operations: + - method: POST + path: /servers/{server_id}/action (pause) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unpause a paused server + name: os_compute_api:os-pause-server:unpause + operations: + - method: POST + path: /servers/{server_id}/action (unpause) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List quotas for specific quota classs + name: os_compute_api:os-quota-class-sets:show + operations: + - method: GET + path: /os-quota-class-sets/{quota_class} + scope_types: + - system +- check_str: rule:system_admin_api + description: Update quotas for specific quota class + name: os_compute_api:os-quota-class-sets:update + operations: + - method: PUT + path: /os-quota-class-sets/{quota_class} + scope_types: + - system +- check_str: rule:system_admin_api + description: Update the quotas + name: os_compute_api:os-quota-sets:update + operations: + - method: PUT + path: /os-quota-sets/{tenant_id} + scope_types: + - system +- check_str: '@' + description: List default quotas + name: os_compute_api:os-quota-sets:defaults + operations: + - method: GET + path: /os-quota-sets/{tenant_id}/defaults + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show a quota + name: os_compute_api:os-quota-sets:show + operations: + - method: GET + path: /os-quota-sets/{tenant_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Revert quotas to defaults + name: os_compute_api:os-quota-sets:delete + operations: + - method: DELETE + path: /os-quota-sets/{tenant_id} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show 
the detail of quota + name: os_compute_api:os-quota-sets:detail + operations: + - method: GET + path: /os-quota-sets/{tenant_id}/detail + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: 'Generate a URL to access remove server console. + + + This policy is for ``POST /remote-consoles`` API and below Server actions APIs + + are deprecated: + + + - ``os-getRDPConsole`` + + - ``os-getSerialConsole`` + + - ``os-getSPICEConsole`` + + - ``os-getVNCConsole``.' + name: os_compute_api:os-remote-consoles + operations: + - method: POST + path: /servers/{server_id}/action (os-getRDPConsole) + - method: POST + path: /servers/{server_id}/action (os-getSerialConsole) + - method: POST + path: /servers/{server_id}/action (os-getSPICEConsole) + - method: POST + path: /servers/{server_id}/action (os-getVNCConsole) + - method: POST + path: /servers/{server_id}/remote-consoles + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rescue a server + name: os_compute_api:os-rescue + operations: + - method: POST + path: /servers/{server_id}/action (rescue) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Rescue/Unrescue API policies are made granular with new policy + + for unrescue and keeping old policy for rescue. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-rescue + deprecated_since: 21.0.0 + description: Unrescue a server + name: os_compute_api:os-unrescue + operations: + - method: POST + path: /servers/{server_id}/action (unrescue) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: List security groups. This API is deprecated. + name: os_compute_api:os-security-groups:get + operations: + - method: GET + path: /os-security-groups + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Show security group. This API is deprecated. + name: os_compute_api:os-security-groups:show + operations: + - method: GET + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Create security group. This API is deprecated. + name: os_compute_api:os-security-groups:create + operations: + - method: POST + path: /os-security-groups + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Update security group. This API is deprecated. 
+ name: os_compute_api:os-security-groups:update + operations: + - method: PUT + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Delete security group. This API is deprecated. + name: os_compute_api:os-security-groups:delete + operations: + - method: DELETE + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Create security group Rule. This API is deprecated. + name: os_compute_api:os-security-groups:rule:create + operations: + - method: POST + path: /os-security-group-rules + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Delete security group Rule. This API is deprecated. 
+ name: os_compute_api:os-security-groups:rule:delete + operations: + - method: DELETE + path: /os-security-group-rules/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: List security groups of server. + name: os_compute_api:os-security-groups:list + operations: + - method: GET + path: /servers/{server_id}/os-security-groups + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: Add security groups to server. + name: os_compute_api:os-security-groups:add + operations: + - method: POST + path: /servers/{server_id}/action (addSecurityGroup) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: Remove security groups from server. 
+ name: os_compute_api:os-security-groups:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeSecurityGroup) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Show the usage data for a server + name: os_compute_api:os-server-diagnostics + operations: + - method: GET + path: /servers/{server_id}/diagnostics + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create one or more external events + name: os_compute_api:os-server-external-events:create + operations: + - method: POST + path: /os-server-external-events + scope_types: + - system +- check_str: rule:project_member_api + description: Create a new server group + name: os_compute_api:os-server-groups:create + operations: + - method: POST + path: /os-server-groups + scope_types: + - project +- check_str: rule:system_admin_or_owner + description: Delete a server group + name: os_compute_api:os-server-groups:delete + operations: + - method: DELETE + path: /os-server-groups/{server_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all server groups + name: os_compute_api:os-server-groups:index + operations: + - method: GET + path: /os-server-groups + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List all server groups for all projects + name: os_compute_api:os-server-groups:index:all_projects + operations: + - method: GET + path: /os-server-groups + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show details of a server group + name: os_compute_api:os-server-groups:show + operations: + - method: GET + path: /os-server-groups/{server_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all metadata of a server + name: os_compute_api:server-metadata:index + operations: + - method: GET + path: 
/servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show metadata for a server + name: os_compute_api:server-metadata:show + operations: + - method: GET + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create metadata for a server + name: os_compute_api:server-metadata:create + operations: + - method: POST + path: /servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Replace metadata for a server + name: os_compute_api:server-metadata:update_all + operations: + - method: PUT + path: /servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Update metadata from a server + name: os_compute_api:server-metadata:update + operations: + - method: PUT + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete metadata from a server + name: os_compute_api:server-metadata:delete + operations: + - method: DELETE + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-server-password + deprecated_since: 21.0.0 + description: Show the encrypted administrative password of a server + name: os_compute_api:os-server-password:show + operations: + - method: GET + path: /servers/{server_id}/os-server-password + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-server-password + deprecated_since: 21.0.0 + description: Clear the encrypted administrative password of a server + name: os_compute_api:os-server-password:clear + operations: + - method: DELETE + path: /servers/{server_id}/os-server-password + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete all the server tags + name: os_compute_api:os-server-tags:delete_all + operations: + - method: DELETE + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all tags for given server + name: os_compute_api:os-server-tags:index + operations: + - method: GET + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Replace all tags on specified server with the new set of tags. 
+ name: os_compute_api:os-server-tags:update_all + operations: + - method: PUT + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete a single tag from the specified server + name: os_compute_api:os-server-tags:delete + operations: + - method: DELETE + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Add a single tag to the server if server has no specified tag + name: os_compute_api:os-server-tags:update + operations: + - method: PUT + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Check tag existence on the server. + name: os_compute_api:os-server-tags:show + operations: + - method: GET + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show the NUMA topology data for a server + name: compute:server:topology:index + operations: + - method: GET + path: /servers/{server_id}/topology + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Show the NUMA topology data for a server with host NUMA ID and CPU + pinning information + name: compute:server:topology:host:index + operations: + - method: GET + path: /servers/{server_id}/topology + scope_types: + - system +- check_str: rule:system_or_project_reader + description: List all servers + name: os_compute_api:servers:index + operations: + - method: GET + path: /servers + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all servers with detailed information + name: os_compute_api:servers:detail + operations: + - method: GET + path: /servers/detail + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List all servers for all projects + name: 
os_compute_api:servers:index:get_all_tenants + operations: + - method: GET + path: /servers + scope_types: + - system +- check_str: rule:system_reader_api + description: List all servers with detailed information for all projects + name: os_compute_api:servers:detail:get_all_tenants + operations: + - method: GET + path: /servers/detail + scope_types: + - system +- check_str: rule:system_reader_api + description: Allow all filters when listing servers + name: os_compute_api:servers:allow_all_filters + operations: + - method: GET + path: /servers + - method: GET + path: /servers/detail + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show a server + name: os_compute_api:servers:show + operations: + - method: GET + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: ' + + Show a server with additional host status information. + + + This means host_status will be shown irrespective of status value. If showing + + only host_status UNKNOWN is desired, use the + + ``os_compute_api:servers:show:host_status:unknown-only`` policy rule. + + + Microvision 2.75 added the ``host_status`` attribute in the + + ``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)`` + + API responses which are also controlled by this policy rule, like the + + ``GET /servers*`` APIs. + + ' + name: os_compute_api:servers:show:host_status + operations: + - method: GET + path: /servers/{server_id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: ' + + Show a server with additional host status information, only if host status is + + UNKNOWN. + + + This policy rule will only be enforced when the + + ``os_compute_api:servers:show:host_status`` policy rule does not pass for the + + request. 
An example policy configuration could be where the + + ``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and + + the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to + + allow everyone. + + ' + name: os_compute_api:servers:show:host_status:unknown-only + operations: + - method: GET + path: /servers/{server_id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:project_member_api + description: Create a server + name: os_compute_api:servers:create + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_admin_api + description: ' + + Create a server on the specified host and/or node. + + + In this case, the server is forced to launch on the specified + + host and/or node by bypassing the scheduler filters unlike the + + ``compute:servers:create:requested_destination`` rule. + + ' + name: os_compute_api:servers:create:forced_host + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_admin_api + description: ' + + Create a server on the requested compute service host and/or + + hypervisor_hostname. + + + In this case, the requested host and/or hypervisor_hostname is + + validated by the scheduler filters unlike the + + ``os_compute_api:servers:create:forced_host`` rule. 
+ + ' + name: compute:servers:create:requested_destination + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_member_api + description: Create a server with the requested volume attached to it + name: os_compute_api:servers:create:attach_volume + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_member_api + description: Create a server with the requested network attached to it + name: os_compute_api:servers:create:attach_network + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_member_api + description: Create a server with trusted image certificate IDs + name: os_compute_api:servers:create:trusted_certs + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_admin_api + description: ' + + This rule controls the compute API validation behavior of creating a server + + with a flavor that has 0 disk, indicating the server should be volume-backed. + + + For a flavor with disk=0, the root disk will be set to exactly the size of the + + image used to deploy the instance. However, in this case the filter_scheduler + + cannot select the compute host based on the virtual image size. Therefore, 0 + + should only be used for volume booted instances or for testing purposes. + + + WARNING: It is a potential security exposure to enable this policy rule + + if users can upload their own images since repeated attempts to + + create a disk=0 flavor instance with a large image can exhaust + + the local disk of the compute (or shared storage cluster). See bug + + https://bugs.launchpad.net/nova/+bug/1739646 for details. 
+ + ' + name: os_compute_api:servers:create:zero_disk_flavor + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_admin_api + description: Attach an unshared external network to a server + name: network:attach_external_network + operations: + - method: POST + path: /servers + - method: POST + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete a server + name: os_compute_api:servers:delete + operations: + - method: DELETE + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Update a server + name: os_compute_api:servers:update + operations: + - method: PUT + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Confirm a server resize + name: os_compute_api:servers:confirm_resize + operations: + - method: POST + path: /servers/{server_id}/action (confirmResize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Revert a server resize + name: os_compute_api:servers:revert_resize + operations: + - method: POST + path: /servers/{server_id}/action (revertResize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Reboot a server + name: os_compute_api:servers:reboot + operations: + - method: POST + path: /servers/{server_id}/action (reboot) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Resize a server + name: os_compute_api:servers:resize + operations: + - method: POST + path: /servers/{server_id}/action (resize) + scope_types: + - system + - project +- check_str: '!' + description: 'Resize a server across cells. 
By default, this is disabled for all + users and recommended to be tested in a deployment for admin users before opening + it up to non-admin users. Resizing within a cell is the default preferred behavior + even if this is enabled. ' + name: compute:servers:resize:cross_cell + operations: + - method: POST + path: /servers/{server_id}/action (resize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rebuild a server + name: os_compute_api:servers:rebuild + operations: + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rebuild a server with trusted image certificate IDs + name: os_compute_api:servers:rebuild:trusted_certs + operations: + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create an image from a server + name: os_compute_api:servers:create_image + operations: + - method: POST + path: /servers/{server_id}/action (createImage) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create an image from a volume backed server + name: os_compute_api:servers:create_image:allow_volume_backed + operations: + - method: POST + path: /servers/{server_id}/action (createImage) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Start a server + name: os_compute_api:servers:start + operations: + - method: POST + path: /servers/{server_id}/action (os-start) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Stop a server + name: os_compute_api:servers:stop + operations: + - method: POST + path: /servers/{server_id}/action (os-stop) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Trigger crash dump in a server + name: 
os_compute_api:servers:trigger_crash_dump + operations: + - method: POST + path: /servers/{server_id}/action (trigger_crash_dump) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Show details for an in-progress live migration for a given server + name: os_compute_api:servers:migrations:show + operations: + - method: GET + path: /servers/{server_id}/migrations/{migration_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Force an in-progress live migration for a given server to complete + name: os_compute_api:servers:migrations:force_complete + operations: + - method: POST + path: /servers/{server_id}/migrations/{migration_id}/action (force_complete) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Delete(Abort) an in-progress live migration + name: os_compute_api:servers:migrations:delete + operations: + - method: DELETE + path: /servers/{server_id}/migrations/{migration_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Lists in-progress live migrations for a given server + name: os_compute_api:servers:migrations:index + operations: + - method: GET + path: /servers/{server_id}/migrations + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: List all running Compute services in a region. + name: os_compute_api:os-services:list + operations: + - method: GET + path: /os-services + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: Update a Compute service. + name: os_compute_api:os-services:update + operations: + - method: PUT + path: /os-services/{service_id} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: Delete a Compute service. + name: os_compute_api:os-services:delete + operations: + - method: DELETE + path: /os-services/{service_id} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Shelve server + name: os_compute_api:os-shelve:shelve + operations: + - method: POST + path: /servers/{server_id}/action (shelve) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unshelve (restore) shelved server + name: os_compute_api:os-shelve:unshelve + operations: + - method: POST + path: /servers/{server_id}/action (unshelve) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Shelf-offload (remove) server + name: os_compute_api:os-shelve:shelve_offload + operations: + - method: POST + path: /servers/{server_id}/action (shelveOffload) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show usage statistics for a specific tenant + name: os_compute_api:os-simple-tenant-usage:show + operations: + - method: GET + path: /os-simple-tenant-usage/{tenant_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List per tenant usage statistics for all tenants + 
name: os_compute_api:os-simple-tenant-usage:list + operations: + - method: GET + path: /os-simple-tenant-usage + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Resume suspended server + name: os_compute_api:os-suspend-server:resume + operations: + - method: POST + path: /servers/{server_id}/action (resume) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Suspend server + name: os_compute_api:os-suspend-server:suspend + operations: + - method: POST + path: /servers/{server_id}/action (suspend) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-tenant-networks + deprecated_since: 22.0.0 + description: 'List project networks. + + + This API is proxy calls to the Network service. This is deprecated.' + name: os_compute_api:os-tenant-networks:list + operations: + - method: GET + path: /os-tenant-networks + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-tenant-networks + deprecated_since: 22.0.0 + description: 'Show project network details. + + + This API is proxy calls to the Network service. This is deprecated.' 
+ name: os_compute_api:os-tenant-networks:show + operations: + - method: GET + path: /os-tenant-networks/{network_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List volumes. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:list + operations: + - method: GET + path: /os-volumes + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Create volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:create + operations: + - method: POST + path: /os-volumes + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List volumes detail. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:detail + operations: + - method: GET + path: /os-volumes/detail + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Show volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:show + operations: + - method: GET + path: /os-volumes/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Delete volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:delete + operations: + - method: DELETE + path: /os-volumes/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List snapshots. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:snapshots:list + operations: + - method: GET + path: /os-snapshots + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Create snapshots. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:create + operations: + - method: POST + path: /os-snapshots + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List snapshots details. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:detail + operations: + - method: GET + path: /os-snapshots/detail + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Show snapshot. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:snapshots:show + operations: + - method: GET + path: /os-snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Delete snapshot. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:delete + operations: + - method: DELETE + path: /os-snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List volume attachments for an instance + name: os_compute_api:os-volumes-attachments:index + operations: + - method: GET + path: /servers/{server_id}/os-volume_attachments + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Attach a volume to an instance + name: os_compute_api:os-volumes-attachments:create + operations: + - method: POST + path: /servers/{server_id}/os-volume_attachments + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show details of a volume attachment + name: os_compute_api:os-volumes-attachments:show + operations: + - method: GET + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: 'Update a volume attachment. + + New ''update'' policy about ''swap + update'' request (which is possible + + only >2.85) only is checked. We expect to be + + always superset of this policy permission. 
+ + ' + name: os_compute_api:os-volumes-attachments:update + operations: + - method: PUT + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Update a volume attachment with a different volumeId + name: os_compute_api:os-volumes-attachments:swap + operations: + - method: PUT + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Detach a volume from an instance + name: os_compute_api:os-volumes-attachments:delete + operations: + - method: DELETE + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project diff --git a/openstack_dashboard/conf/glance_policy.json b/openstack_dashboard/conf/glance_policy.json deleted file mode 100644 index 5b1f6be7eb..0000000000 --- a/openstack_dashboard/conf/glance_policy.json +++ /dev/null 
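Review bot: the generated nova default-policy file carries deprecation metadata (`deprecated_since: 21.0.0` and `22.0.0`, "silently going to be ignored in nova 23.0.0 release") but no header stating that it is generated, which nova release it tracks, or that operators should override via `POLICY_FILES` rather than editing it. Suggest a leading comment such as `# Generated from nova <release> default policies. Do not edit; override rules in the POLICY_FILES copy instead.` (release as a placeholder to be filled by the generator). Since the file also relies on `deprecated_rule` entries (e.g. the old `os_compute_api:os-services` and `os_compute_api:os-volumes` names) to keep operator overrides of the old names meaningful, the commit message should confirm that Horizon's policy loader honours `deprecated_rule` the way oslo.policy does; otherwise an override written against the old name is dropped without warning.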
@@ -1,63 +0,0 @@ -{ - "context_is_admin": "role:admin", - "default": "role:admin", - - "add_image": "", - "delete_image": "", - "get_image": "", - "get_images": "", - "modify_image": "", - "publicize_image": "role:admin", - "communitize_image": "", - "copy_from": "", - - "download_image": "", - "upload_image": "", - - "delete_image_location": "", - "get_image_location": "", - "set_image_location": "", - - "add_member": "", - "delete_member": "", - "get_member": "", - "get_members": "", - "modify_member": "", - - "manage_image_cache": "role:admin", - - "get_task": "", - "get_tasks": "", - "add_task": "", - "modify_task": "", - "tasks_api_access": "role:admin", - - "deactivate": "", - "reactivate": "", - - "get_metadef_namespace": "", - "get_metadef_namespaces":"", - "modify_metadef_namespace":"", - "add_metadef_namespace":"", - - "get_metadef_object":"", - "get_metadef_objects":"", - "modify_metadef_object":"", - "add_metadef_object":"", - - "list_metadef_resource_types":"", - "get_metadef_resource_type":"", - "add_metadef_resource_type_association":"", - - "get_metadef_property":"", - "get_metadef_properties":"", - "modify_metadef_property":"", - "add_metadef_property":"", - - "get_metadef_tag":"", - "get_metadef_tags":"", - "modify_metadef_tag":"", - "add_metadef_tag":"", - "add_metadef_tags":"" - -} diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml new file mode 100644 index 0000000000..0d2da7ecc3 --- /dev/null +++ b/openstack_dashboard/conf/glance_policy.yaml 
@@ -0,0 +1,121 @@ +# Defines the default rule used for policies that historically had an +# empty policy in the supplied policy.json file. +#"default": "" + +# DEPRECATED +# "default":"role:admin" has been deprecated since Ussuri in favor of +# "default":"". +# In order to allow operators to accept the default policies from code +# by not defining them in the policy file, while still working with +# old policy files that rely on the ``default`` rule for policies that +# are not specified in the policy file, the ``default`` rule must now +# be explicitly set to ``"role:admin"`` when that is the desired +# default for unspecified rules. + +# Defines the rule for the is_admin:True check. +#"context_is_admin": "role:admin" + +#"add_image": "rule:default" + +#"delete_image": "rule:default" + +#"get_image": "rule:default" + +#"get_images": "rule:default" + +#"modify_image": "rule:default" + +#"publicize_image": "role:admin" + +#"communitize_image": "rule:default" + +#"download_image": "rule:default" + +#"upload_image": "rule:default" + +#"delete_image_location": "rule:default" + +#"get_image_location": "rule:default" + +#"set_image_location": "rule:default" + +#"add_member": "rule:default" + +#"delete_member": "rule:default" + +#"get_member": "rule:default" + +#"get_members": "rule:default" + +#"modify_member": "rule:default" + +#"manage_image_cache": "role:admin" + +#"deactivate": "rule:default" + +#"reactivate": "rule:default" + +#"copy_image": "role:admin" + +#"get_task": "rule:default" + +#"get_tasks": "rule:default" + +#"add_task": "rule:default" + +#"modify_task": "rule:default" + +#"tasks_api_access": "role:admin" + +#"get_metadef_namespace": "rule:default" + +#"get_metadef_namespaces": "rule:default" + +#"modify_metadef_namespace": "rule:default" + +#"add_metadef_namespace": "rule:default" + +#"delete_metadef_namespace": "rule:default" + +#"get_metadef_object": "rule:default" + +#"get_metadef_objects": "rule:default" + +#"modify_metadef_object": "rule:default" + 
+#"add_metadef_object": "rule:default" + +#"delete_metadef_object": "rule:default" + +#"list_metadef_resource_types": "rule:default" + +#"get_metadef_resource_type": "rule:default" + +#"add_metadef_resource_type_association": "rule:default" + +#"remove_metadef_resource_type_association": "rule:default" + +#"get_metadef_property": "rule:default" + +#"get_metadef_properties": "rule:default" + +#"modify_metadef_property": "rule:default" + +#"add_metadef_property": "rule:default" + +#"remove_metadef_property": "rule:default" + +#"get_metadef_tag": "rule:default" + +#"get_metadef_tags": "rule:default" + +#"modify_metadef_tag": "rule:default" + +#"add_metadef_tag": "rule:default" + +#"add_metadef_tags": "rule:default" + +#"delete_metadef_tag": "rule:default" + +#"delete_metadef_tags": "rule:default" + diff --git a/openstack_dashboard/conf/keystone_policy.json b/openstack_dashboard/conf/keystone_policy.json deleted file mode 100644 index 3d820dccab..0000000000 --- a/openstack_dashboard/conf/keystone_policy.json +++ /dev/null 
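Review bot: the deleted glance_policy.json had `"default": "role:admin"` and `"context_is_admin": "role:admin"` as live rules, whereas the replacement glance_policy.yaml comments out every rule, including `#"default": ""`, and its own DEPRECATED block says the `default` rule must now be set explicitly to `"role:admin"` when an admin-only fallback for unspecified rules is wanted. An operator who carries custom rules over from the old JSON file therefore loses that fallback silently unless they uncomment and set `default` themselves. Suggest a release note and a sentence under the `POLICY_FILES` versionchanged entry in settings.rst spelling this out, and a one-line comment at the top of the new file saying that all rules are commented out and that effective values come from `DEFAULT_POLICY_FILES`.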
@@ -1,174 +0,0 @@ -{ - "admin_required": "role:admin or is_admin:1", - "service_role": "role:service", - "service_or_admin": "rule:admin_required or rule:service_role", - "owner": "user_id:%(user_id)s", - "admin_or_owner": "rule:admin_required or rule:owner", - "token_subject": "user_id:%(target.token.user_id)s", - "admin_or_token_subject": "rule:admin_required or rule:token_subject", - "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", - "identity:authorize_request_token": "rule:admin_required", - "identity:get_access_token": "rule:admin_required", - "identity:get_access_token_role": "rule:admin_required", - "identity:list_access_tokens": "rule:admin_required", - "identity:list_access_token_roles": "rule:admin_required", - "identity:delete_access_token": "rule:admin_required", - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - "identity:get_consumer": "rule:admin_required", - "identity:list_consumers": "rule:admin_required", - "identity:create_consumer": "rule:admin_required", - "identity:update_consumer": "rule:admin_required", - "identity:delete_consumer": "rule:admin_required", - "identity:get_credential": "rule:admin_required", - "identity:list_credentials": "rule:admin_required", - "identity:create_credential": "rule:admin_required", - "identity:update_credential": "rule:admin_required", - "identity:delete_credential": "rule:admin_required", - "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s", - "identity:list_domains": "rule:admin_required", - "identity:create_domain": "rule:admin_required", - "identity:update_domain": "rule:admin_required", - "identity:delete_domain": "rule:admin_required", - "identity:create_domain_config": "rule:admin_required", - "identity:get_domain_config": "rule:admin_required", - "identity:get_security_compliance_domain_config": "", - "identity:update_domain_config": "rule:admin_required", - 
"identity:delete_domain_config": "rule:admin_required", - "identity:get_domain_config_default": "rule:admin_required", - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_owner", - "identity:ec2_create_credential": "rule:admin_or_owner", - "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:get_endpoint": "rule:admin_required", - "identity:list_endpoints": "rule:admin_required", - "identity:create_endpoint": "rule:admin_required", - "identity:update_endpoint": "rule:admin_required", - "identity:delete_endpoint": "rule:admin_required", - "identity:create_endpoint_group": "rule:admin_required", - "identity:list_endpoint_groups": "rule:admin_required", - "identity:get_endpoint_group": "rule:admin_required", - "identity:update_endpoint_group": "rule:admin_required", - "identity:delete_endpoint_group": "rule:admin_required", - "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", - "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", - "identity:get_endpoint_group_in_project": "rule:admin_required", - "identity:list_endpoint_groups_for_project": "rule:admin_required", - "identity:add_endpoint_group_to_project": "rule:admin_required", - "identity:remove_endpoint_group_from_project": "rule:admin_required", - "identity:check_grant": "rule:admin_required", - "identity:list_grants": "rule:admin_required", - "identity:create_grant": "rule:admin_required", - "identity:revoke_grant": "rule:admin_required", - "identity:get_group": "rule:admin_required", - "identity:list_groups": "rule:admin_required", - "identity:list_groups_for_user": "rule:admin_or_owner", - "identity:create_group": "rule:admin_required", - "identity:update_group": "rule:admin_required", - "identity:delete_group": "rule:admin_required", - "identity:list_users_in_group": 
"rule:admin_required", - "identity:remove_user_from_group": "rule:admin_required", - "identity:check_user_in_group": "rule:admin_required", - "identity:add_user_to_group": "rule:admin_required", - "identity:create_identity_provider": "rule:admin_required", - "identity:list_identity_providers": "rule:admin_required", - "identity:get_identity_provider": "rule:admin_required", - "identity:update_identity_provider": "rule:admin_required", - "identity:delete_identity_provider": "rule:admin_required", - "identity:get_implied_role": "rule:admin_required", - "identity:list_implied_roles": "rule:admin_required", - "identity:create_implied_role": "rule:admin_required", - "identity:delete_implied_role": "rule:admin_required", - "identity:list_role_inference_rules": "rule:admin_required", - "identity:check_implied_role": "rule:admin_required", - "identity:create_mapping": "rule:admin_required", - "identity:get_mapping": "rule:admin_required", - "identity:list_mappings": "rule:admin_required", - "identity:delete_mapping": "rule:admin_required", - "identity:update_mapping": "rule:admin_required", - "identity:get_policy": "rule:admin_required", - "identity:list_policies": "rule:admin_required", - "identity:create_policy": "rule:admin_required", - "identity:update_policy": "rule:admin_required", - "identity:delete_policy": "rule:admin_required", - "identity:create_policy_association_for_endpoint": "rule:admin_required", - "identity:check_policy_association_for_endpoint": "rule:admin_required", - "identity:delete_policy_association_for_endpoint": "rule:admin_required", - "identity:create_policy_association_for_service": "rule:admin_required", - "identity:check_policy_association_for_service": "rule:admin_required", - "identity:delete_policy_association_for_service": "rule:admin_required", - "identity:create_policy_association_for_region_and_service": "rule:admin_required", - "identity:check_policy_association_for_region_and_service": "rule:admin_required", - 
"identity:delete_policy_association_for_region_and_service": "rule:admin_required", - "identity:get_policy_for_endpoint": "rule:admin_required", - "identity:list_endpoints_for_policy": "rule:admin_required", - "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", - "identity:list_projects": "rule:admin_required", - "identity:list_user_projects": "rule:admin_or_owner", - "identity:create_project": "rule:admin_required", - "identity:update_project": "rule:admin_required", - "identity:delete_project": "rule:admin_required", - "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s", - "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s", - "identity:update_project_tags": "rule:admin_required", - "identity:create_project_tag": "rule:admin_required", - "identity:delete_project_tags": "rule:admin_required", - "identity:delete_project_tag": "rule:admin_required", - "identity:list_projects_for_endpoint": "rule:admin_required", - "identity:add_endpoint_to_project": "rule:admin_required", - "identity:check_endpoint_in_project": "rule:admin_required", - "identity:list_endpoints_for_project": "rule:admin_required", - "identity:remove_endpoint_from_project": "rule:admin_required", - "identity:create_protocol": "rule:admin_required", - "identity:update_protocol": "rule:admin_required", - "identity:get_protocol": "rule:admin_required", - "identity:list_protocols": "rule:admin_required", - "identity:delete_protocol": "rule:admin_required", - "identity:get_region": "", - "identity:list_regions": "", - "identity:create_region": "rule:admin_required", - "identity:update_region": "rule:admin_required", - "identity:delete_region": "rule:admin_required", - "identity:list_revoke_events": "rule:service_or_admin", - "identity:get_role": "rule:admin_required", - "identity:list_roles": "rule:admin_required", - "identity:create_role": "rule:admin_required", - "identity:update_role": 
"rule:admin_required", - "identity:delete_role": "rule:admin_required", - "identity:get_domain_role": "rule:admin_required", - "identity:list_domain_roles": "rule:admin_required", - "identity:create_domain_role": "rule:admin_required", - "identity:update_domain_role": "rule:admin_required", - "identity:delete_domain_role": "rule:admin_required", - "identity:list_role_assignments": "rule:admin_required", - "identity:list_role_assignments_for_tree": "rule:admin_required", - "identity:get_service": "rule:admin_required", - "identity:list_services": "rule:admin_required", - "identity:create_service": "rule:admin_required", - "identity:update_service": "rule:admin_required", - "identity:delete_service": "rule:admin_required", - "identity:create_service_provider": "rule:admin_required", - "identity:list_service_providers": "rule:admin_required", - "identity:get_service_provider": "rule:admin_required", - "identity:update_service_provider": "rule:admin_required", - "identity:delete_service_provider": "rule:admin_required", - "identity:revocation_list": "rule:service_or_admin", - "identity:check_token": "rule:admin_or_token_subject", - "identity:validate_token": "rule:service_admin_or_token_subject", - "identity:validate_token_head": "rule:service_or_admin", - "identity:revoke_token": "rule:admin_or_token_subject", - "identity:create_trust": "user_id:%(trust.trustor_user_id)s", - "identity:list_trusts": "", - "identity:list_roles_for_trust": "", - "identity:get_role_for_trust": "", - "identity:delete_trust": "", - "identity:get_trust": "", - "identity:get_user": "rule:admin_or_owner", - "identity:list_users": "rule:admin_required", - "identity:list_projects_for_user": "", - "identity:list_domains_for_user": "", - "identity:create_user": "rule:admin_required", - "identity:update_user": "rule:admin_required", - "identity:delete_user": "rule:admin_required" -} 
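Review bot: several rules in the deleted keystone_policy.json used an empty check string, which permits any authenticated user (`"identity:list_trusts": ""`, `"identity:get_trust": ""`, `"identity:delete_trust": ""`, `"identity:list_projects_for_user": ""`, `"identity:list_domains_for_user": ""`). With the file removed, those rules are no longer pinned by Horizon's own policy file and the dashboard-side checks fall through to the scope-aware defaults delivered via `DEFAULT_POLICY_FILES` (`default_policies/keystone.yaml`). That is the intended direction, but the commit message should state the behaviour change explicitly so operators can verify that panels their users depend on (trusts, per-user project and domain listing) still render after the upgrade.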
diff --git a/openstack_dashboard/conf/keystone_policy.yaml b/openstack_dashboard/conf/keystone_policy.yaml new file mode 100644 index 0000000000..6439c74b5b --- /dev/null +++ b/openstack_dashboard/conf/keystone_policy.yaml 
@@ -0,0 +1,2330 @@ +#"admin_required": "role:admin or is_admin:1" + +#"service_role": "role:service" + +#"service_or_admin": "rule:admin_required or rule:service_role" + +#"owner": "user_id:%(user_id)s" + +#"admin_or_owner": "rule:admin_required or rule:owner" + +#"token_subject": "user_id:%(target.token.user_id)s" + +#"admin_or_token_subject": "rule:admin_required or rule:token_subject" + +#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" + +# Show access rule details. +# GET /v3/users/{user_id}/access_rules/{access_rule_id} +# HEAD /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# List access rules for a user. +# GET /v3/users/{user_id}/access_rules +# HEAD /v3/users/{user_id}/access_rules +# Intended scope(s): system, project +#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# Delete an access_rule. +# DELETE /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" + +# Authorize OAUTH1 request token. +# PUT /v3/OS-OAUTH1/authorize/{request_token_id} +# Intended scope(s): project +#"identity:authorize_request_token": "rule:admin_required" + +# Get OAUTH1 access token for user by access token ID. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:get_access_token": "rule:admin_required" + +# Get role for user OAUTH1 access token. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} +# Intended scope(s): project +#"identity:get_access_token_role": "rule:admin_required" + +# List OAUTH1 access tokens for user. 
+# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens +# Intended scope(s): project +#"identity:list_access_tokens": "rule:admin_required" + +# List OAUTH1 access token roles. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles +# Intended scope(s): project +#"identity:list_access_token_roles": "rule:admin_required" + +# Delete OAUTH1 access token. +# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:delete_access_token": "rule:admin_required" + +# Show application credential details. +# GET /v3/users/{user_id}/application_credentials/{application_credential_id} +# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:get_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:get_application_credential":"(role:reader and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. +#"identity:get_application_credentials": "rule:identity:get_application_credential" + +# List application credentials for a user. +# GET /v3/users/{user_id}/application_credentials +# HEAD /v3/users/{user_id}/application_credentials +# Intended scope(s): system, project +#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:list_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:list_application_credentials":"(role:reader and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. + +# Create an application credential. 
+# POST /v3/users/{user_id}/application_credentials +# Intended scope(s): project +#"identity:create_application_credential": "user_id:%(user_id)s" + +# Delete an application credential. +# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:delete_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:delete_application_credential":"(role:admin and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. +#"identity:delete_application_credentials": "rule:identity:delete_application_credential" + +# Get service catalog. +# GET /v3/auth/catalog +# HEAD /v3/auth/catalog +#"identity:get_auth_catalog": "" + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +# HEAD /v3/auth/projects +#"identity:get_auth_projects": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +# HEAD /v3/auth/domains +#"identity:get_auth_domains": "" + +# List systems a user has access to via role assignments. +# GET /v3/auth/system +# HEAD /v3/auth/system +#"identity:get_auth_system": "" + +# Show OAUTH1 consumer details. +# GET /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:get_consumer": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_consumer":"role:reader and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# List OAUTH1 consumers. 
+# GET /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:list_consumers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_consumers":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_consumers":"role:reader and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Create OAUTH1 consumer. +# POST /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:create_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:create_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Update OAUTH1 consumer. +# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:update_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:update_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Delete OAUTH1 consumer. +# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:delete_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:delete_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Show credentials details. 
+# GET /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:get_credential":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_credential":"(role:reader and +# system_scope:all) or user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# List credentials. +# GET /v3/credentials +# Intended scope(s): system, project +#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:list_credentials":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_credentials":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Create credential. +# POST /v3/credentials +# Intended scope(s): system, project +#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:create_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Update credential. +# PATCH /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:update_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Delete credential. 
+# DELETE /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:delete_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Show domain details. +# GET /v3/domains/{domain_id} +# Intended scope(s): system, domain, project +#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" + +# DEPRECATED +# "identity:get_domain":"rule:admin_required or +# token.project.domain.id:%(target.domain.id)s" has been deprecated +# since S in favor of "identity:get_domain":"(role:reader and +# system_scope:all) or token.domain.id:%(target.domain.id)s or +# token.project.domain.id:%(target.domain.id)s". +# The domain API is now aware of system scope and default roles. + +# List domains. +# GET /v3/domains +# Intended scope(s): system +#"identity:list_domains": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_domains":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_domains":"role:reader and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Create domain. +# POST /v3/domains +# Intended scope(s): system +#"identity:create_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Update domain. 
+# PATCH /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:update_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Delete domain. +# DELETE /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:delete_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Create domain configuration. +# PUT /v3/domains/{domain_id}/config +# Intended scope(s): system +#"identity:create_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Get the entire domain configuration for a domain, an option group +# within a domain, or a specific configuration option within a group +# for a domain. +# GET /v3/domains/{domain_id}/config +# HEAD /v3/domains/{domain_id}/config +# GET /v3/domains/{domain_id}/config/{group} +# HEAD /v3/domains/{domain_id}/config/{group} +# GET /v3/domains/{domain_id}/config/{group}/{option} +# HEAD /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:get_domain_config": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_domain_config":"role:reader and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. 
+ +# Get security compliance domain configuration for either a domain or +# a specific option in a domain. +# GET /v3/domains/{domain_id}/config/security_compliance +# HEAD /v3/domains/{domain_id}/config/security_compliance +# GET v3/domains/{domain_id}/config/security_compliance/{option} +# HEAD v3/domains/{domain_id}/config/security_compliance/{option} +# Intended scope(s): system, domain, project +#"identity:get_security_compliance_domain_config": "" + +# Update domain configuration for either a domain, specific group or a +# specific option in a group. +# PATCH /v3/domains/{domain_id}/config +# PATCH /v3/domains/{domain_id}/config/{group} +# PATCH /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:update_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Delete domain configuration for either a domain, specific group or a +# specific option in a group. +# DELETE /v3/domains/{domain_id}/config +# DELETE /v3/domains/{domain_id}/config/{group} +# DELETE /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:delete_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Get domain configuration default for either a domain, specific group +# or a specific option in a group. 
+# GET /v3/domains/config/default +# HEAD /v3/domains/config/default +# GET /v3/domains/config/{group}/default +# HEAD /v3/domains/config/{group}/default +# GET /v3/domains/config/{group}/{option}/default +# HEAD /v3/domains/config/{group}/{option}/default +# Intended scope(s): system +#"identity:get_domain_config_default": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_config_default":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_domain_config_default":"role:reader and +# system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Show ec2 credential details. +# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:ec2_get_credential":"rule:admin_required or (rule:owner +# and user_id:%(target.credential.user_id)s)" has been deprecated +# since T in favor of "identity:ec2_get_credential":"(role:reader and +# system_scope:all) or user_id:%(target.credential.user_id)s". +# The EC2 credential API is now aware of system scope and default +# roles. + +# List ec2 credentials. +# GET /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:ec2_list_credentials":"rule:admin_or_owner" has been +# deprecated since T in favor of +# "identity:ec2_list_credentials":"(role:reader and system_scope:all) +# or rule:owner". +# The EC2 credential API is now aware of system scope and default +# roles. + +# Create ec2 credential. 
+# POST /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:ec2_create_credentials":"rule:admin_or_owner" has been +# deprecated since T in favor of +# "identity:ec2_create_credential":"(role:admin and system_scope:all) +# or rule:owner". +# The EC2 credential API is now aware of system scope and default +# roles. +#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" + +# Delete ec2 credential. +# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:ec2_delete_credentials":"rule:admin_required or +# (rule:owner and user_id:%(target.credential.user_id)s)" has been +# deprecated since T in favor of +# "identity:ec2_delete_credential":"(role:admin and system_scope:all) +# or user_id:%(target.credential.user_id)s". +# The EC2 credential API is now aware of system scope and default +# roles. +#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" + +# Show endpoint details. +# GET /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:get_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_endpoint":"role:reader and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# List endpoints. +# GET /v3/endpoints +# Intended scope(s): system +#"identity:list_endpoints": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_endpoints":"role:reader and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. 
+ +# Create endpoint. +# POST /v3/endpoints +# Intended scope(s): system +#"identity:create_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Update endpoint. +# PATCH /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:update_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Delete endpoint. +# DELETE /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:delete_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Create endpoint group. +# POST /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:create_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List endpoint groups. +# GET /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoint_groups":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoint_groups":"role:reader and system_scope:all". 
+# The endpoint groups API is now aware of system scope and default +# roles. + +# Get endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:get_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_endpoint_group":"role:reader and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Update endpoint group. +# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:update_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Delete endpoint group. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:delete_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List all projects associated with a specific endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects +# Intended scope(s): system +#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_projects_associated_with_endpoint_group":"rule:admin_ +# required" has been deprecated since T in favor of +# "identity:list_projects_associated_with_endpoint_group":"role:reader +# and system_scope:all". 
+# The endpoint groups API is now aware of system scope and default +# roles. + +# List all endpoints associated with an endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints +# Intended scope(s): system +#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin +# _required" has been deprecated since T in favor of "identity:list_en +# dpoints_associated_with_endpoint_group":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Check if an endpoint group is associated with a project. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint_group_in_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_endpoint_group_in_project":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List endpoint groups associated with a specific project. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoint_groups_for_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:list_endpoint_groups_for_project":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Allow a project to access an endpoint group. 
+# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:add_endpoint_group_to_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:add_endpoint_group_to_project":"role:admin and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Remove endpoint group from project. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:remove_endpoint_group_from_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:remove_endpoint_group_from_project":"role:admin and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Check a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:check_grant":"rule:admin_required" has been deprecated +# since S in favor of 
"identity:check_grant":"(role:reader and +# system_scope:all) or ((role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List roles granted to an actor on a target. A target can be either a +# domain or a project. An actor can be either a user or a group. For +# the OS-INHERIT APIs, it is possible to list inherited role grants +# for actors on domains, where grants are inherited to all projects in +# the specified domain. +# GET /v3/projects/{project_id}/users/{user_id}/roles +# HEAD /v3/projects/{project_id}/users/{user_id}/roles +# GET /v3/projects/{project_id}/groups/{group_id}/roles +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles +# GET /v3/domains/{domain_id}/users/{user_id}/roles +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles +# GET /v3/domains/{domain_id}/groups/{group_id}/roles +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects +# Intended scope(s): system, domain +#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and 
domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" + +# DEPRECATED +# "identity:list_grants":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_grants":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)". +# The assignment API is now aware of system scope and default roles. + +# Create a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:create_grant":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_grant":"(role:admin and +# system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# Revoke a role grant between a target and an actor. 
A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. In that case, revoking the role grant in the target +# would remove the logical effect of inheriting it to the target's +# projects subtree. +# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:revoke_grant":"rule:admin_required" has been deprecated +# since S in favor of "identity:revoke_grant":"(role:admin and +# system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin 
and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List all grants a specific user has on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_user":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Check if a user has a role on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_user":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Grant a user a role on the system. +# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_user":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Remove a role from a user on the system. 
+# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_user":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# List all grants a specific group has on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_group":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Check if a group has a role on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_group":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Grant a group a role on the system. +# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_group":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Remove a role from a group on the system. 
+# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_group":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Show group details. +# GET /v3/groups/{group_id} +# HEAD /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:get_group":"rule:admin_required" has been deprecated since +# S in favor of "identity:get_group":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List groups. +# GET /v3/groups +# HEAD /v3/groups +# Intended scope(s): system, domain +#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:list_groups":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_groups":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List groups to which a user belongs. 
+# GET /v3/users/{user_id}/groups +# HEAD /v3/users/{user_id}/groups +# Intended scope(s): system, domain, project +#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" + +# DEPRECATED +# "identity:list_groups_for_user":"rule:admin_or_owner" has been +# deprecated since S in favor of +# "identity:list_groups_for_user":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.user.domain_id)s) or +# user_id:%(user_id)s". +# The group API is now aware of system scope and default roles. + +# Create group. +# POST /v3/groups +# Intended scope(s): system, domain +#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:create_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Update group. +# PATCH /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:update_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Delete group. 
+# DELETE /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:delete_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List members of a specific group. +# GET /v3/groups/{group_id}/users +# HEAD /v3/groups/{group_id}/users +# Intended scope(s): system, domain +#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:list_users_in_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_users_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Remove user from group. +# DELETE /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:remove_user_from_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:remove_user_from_group":"(role:admin and system_scope:all) +# or (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Check whether a user is a member of a group. 
+# HEAD /v3/groups/{group_id}/users/{user_id} +# GET /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:check_user_in_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:check_user_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Add user to group. +# PUT /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:add_user_to_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:add_user_to_group":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Create identity provider. +# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:create_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_identity_provider":"role:admin and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:create_identity_providers": "rule:identity:create_identity_provider" + +# List identity providers. 
+# GET /v3/OS-FEDERATION/identity_providers +# HEAD /v3/OS-FEDERATION/identity_providers +# Intended scope(s): system +#"identity:list_identity_providers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_identity_providers":"role:reader and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. + +# Get identity provider. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id} +# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:get_identity_provider": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_identity_provider":"role:reader and system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:get_identity_providers": "rule:identity:get_identity_provider" + +# Update identity provider. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:update_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_identity_provider":"role:admin and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:update_identity_providers": "rule:identity:update_identity_provider" + +# Delete identity provider. +# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:delete_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_identity_provider":"role:admin and +# system_scope:all". 
+# The identity provider API is now aware of system scope and default +# roles. +#"identity:delete_identity_providers": "rule:identity:delete_identity_provider" + +# Get information about an association between two roles. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:get_implied_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_implied_role":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# List associations between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. This +# will return all the implied roles that would be assumed by the user +# who gets the specified prior role. +# GET /v3/roles/{prior_role_id}/implies +# HEAD /v3/roles/{prior_role_id}/implies +# Intended scope(s): system +#"identity:list_implied_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_implied_roles":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_implied_roles":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Create an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:create_implied_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Delete the association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. Removing +# the association will cause that effect to be eliminated. +# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:delete_implied_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# List all associations between two roles in the system. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/role_inferences +# HEAD /v3/role_inferences +# Intended scope(s): system +#"identity:list_role_inference_rules": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_role_inference_rules":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_role_inference_rules":"role:reader and +# system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Check an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:check_implied_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:check_implied_role":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Get limit enforcement model. +# GET /v3/limits/model +# HEAD /v3/limits/model +# Intended scope(s): system, domain, project +#"identity:get_limit_model": "" + +# Show limit details. +# GET /v3/limits/{limit_id} +# HEAD /v3/limits/{limit_id} +# Intended scope(s): system, domain, project +#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)" + +# List limits. +# GET /v3/limits +# HEAD /v3/limits +# Intended scope(s): system, domain, project +#"identity:list_limits": "" + +# Create limits. +# POST /v3/limits +# Intended scope(s): system +#"identity:create_limits": "role:admin and system_scope:all" + +# Update limit. +# PATCH /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:update_limit": "role:admin and system_scope:all" + +# Delete limit. +# DELETE /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:delete_limit": "role:admin and system_scope:all" + +# Create a new federated mapping containing one or more sets of rules. +# PUT /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:create_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Get a federated mapping. 
+# GET /v3/OS-FEDERATION/mappings/{mapping_id} +# HEAD /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:get_mapping": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_mapping":"role:reader and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# List federated mappings. +# GET /v3/OS-FEDERATION/mappings +# HEAD /v3/OS-FEDERATION/mappings +# Intended scope(s): system +#"identity:list_mappings": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_mappings":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_mappings":"role:reader and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Delete a federated mapping. +# DELETE /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:delete_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Update a federated mapping. +# PATCH /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:update_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Show policy details. 
+# GET /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:get_policy": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_policy":"role:reader and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# List policies. +# GET /v3/policies +# Intended scope(s): system +#"identity:list_policies": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_policies":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_policies":"role:reader and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Create policy. +# POST /v3/policies +# Intended scope(s): system +#"identity:create_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:create_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Update policy. +# PATCH /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:update_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:update_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Delete policy. +# DELETE /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:delete_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:delete_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Associate a policy to a specific endpoint. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_endpoint":"rule:admin_requir +# ed" has been deprecated since T in favor of +# "identity:create_policy_association_for_endpoint":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for endpoint. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_endpoint":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:check_policy_association_for_endpoint":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for endpoint. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_endpoint":"rule:admin_requir +# ed" has been deprecated since T in favor of +# "identity:delete_policy_association_for_endpoint":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Associate a policy to a specific service. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:create_policy_association_for_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_service":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:create_policy_association_for_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for service. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:check_policy_association_for_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_service":"rule:admin_required +# " has been deprecated since T in favor of +# "identity:check_policy_association_for_service":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for service. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_service":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:delete_policy_association_for_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Associate a policy to a specific region and service combination. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_region_and_service":"rule:ad +# min_required" has been deprecated since T in favor of "identity:crea +# te_policy_association_for_region_and_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for region and service. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_region_and_service":"rule:adm +# in_required" has been deprecated since T in favor of "identity:check +# _policy_association_for_region_and_service":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for region and service. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_region_and_service":"rule:ad +# min_required" has been deprecated since T in favor of "identity:dele +# te_policy_association_for_region_and_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Get policy for endpoint. 
+# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy +# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy +# Intended scope(s): system +#"identity:get_policy_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_policy_for_endpoint":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_policy_for_endpoint":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# List endpoints for policy. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints +# Intended scope(s): system +#"identity:list_endpoints_for_policy": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_for_policy":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoints_for_policy":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Show project details. +# GET /v3/projects/{project_id} +# Intended scope(s): system, domain, project +#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:get_project":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since S in +# favor of "identity:get_project":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# The project API is now aware of system scope and default roles. + +# List projects. 
+# GET /v3/projects +# Intended scope(s): system, domain +#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_projects":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_projects":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# List projects for user. +# GET /v3/users/{user_id}/projects +# Intended scope(s): system, domain, project +#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + +# DEPRECATED +# "identity:list_user_projects":"rule:admin_or_owner" has been +# deprecated since S in favor of +# "identity:list_user_projects":"(role:reader and system_scope:all) or +# (role:reader and domain_id:%(target.user.domain_id)s) or +# user_id:%(target.user.id)s". +# The project API is now aware of system scope and default roles. + +# Create project. +# POST /v3/projects +# Intended scope(s): system, domain +#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:create_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# Update project. 
+# PATCH /v3/projects/{project_id} +# Intended scope(s): system, domain +#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:update_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# Delete project. +# DELETE /v3/projects/{project_id} +# Intended scope(s): system, domain +#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:delete_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# List tags for a project. +# GET /v3/projects/{project_id}/tags +# HEAD /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:list_project_tags":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since T in +# favor of "identity:list_project_tags":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. 
The new default +# policies for this API account for these changes automatically. + +# Check if project contains a tag. +# GET /v3/projects/{project_id}/tags/{value} +# HEAD /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:get_project_tag":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since T in +# favor of "identity:get_project_tag":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# Replace all tags on a project with the new set of tags. +# PUT /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:update_project_tags":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_project_tags":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. 
The new default +# policies for this API account for these changes automatically. + +# Add a single tag to a project. +# PUT /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:create_project_tag":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_project_tag":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# Remove all tags from a project. +# DELETE /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:delete_project_tags":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_project_tags":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. 
+ +# Delete a specified tag from project. +# DELETE /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:delete_project_tag":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_project_tag":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# List projects allowed to access an endpoint. +# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects +# Intended scope(s): system +#"identity:list_projects_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_projects_for_endpoint":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_projects_for_endpoint":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Allow project to access an endpoint. 
+# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:add_endpoint_to_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:add_endpoint_to_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:add_endpoint_to_project":"role:admin and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Check if a project is allowed to access an endpoint. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:check_endpoint_in_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_endpoint_in_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:check_endpoint_in_project":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# List the endpoints a project is allowed to access. 
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints +# Intended scope(s): system +#"identity:list_endpoints_for_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_for_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoints_for_project":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Remove access to an endpoint from a project that has previously been +# given explicit access. +# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:remove_endpoint_from_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:remove_endpoint_from_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:remove_endpoint_from_project":"role:admin and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Create federated protocol. 
+# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:create_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Update federated protocol. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:update_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Get federated protocol. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:get_protocol": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_protocol":"role:reader and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# List federated protocols. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols +# Intended scope(s): system +#"identity:list_protocols": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_protocols":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_protocols":"role:reader and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Delete federated protocol. 
+# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:delete_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Show region details. +# GET /v3/regions/{region_id} +# HEAD /v3/regions/{region_id} +# Intended scope(s): system, domain, project +#"identity:get_region": "" + +# List regions. +# GET /v3/regions +# HEAD /v3/regions +# Intended scope(s): system, domain, project +#"identity:list_regions": "" + +# Create region. +# POST /v3/regions +# PUT /v3/regions/{region_id} +# Intended scope(s): system +#"identity:create_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Update region. +# PATCH /v3/regions/{region_id} +# Intended scope(s): system +#"identity:update_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Delete region. +# DELETE /v3/regions/{region_id} +# Intended scope(s): system +#"identity:delete_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Show registered limit details. 
+# GET /v3/registered_limits/{registered_limit_id} +# HEAD /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system, domain, project +#"identity:get_registered_limit": "" + +# List registered limits. +# GET /v3/registered_limits +# HEAD /v3/registered_limits +# Intended scope(s): system, domain, project +#"identity:list_registered_limits": "" + +# Create registered limits. +# POST /v3/registered_limits +# Intended scope(s): system +#"identity:create_registered_limits": "role:admin and system_scope:all" + +# Update registered limit. +# PATCH /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system +#"identity:update_registered_limit": "role:admin and system_scope:all" + +# Delete registered limit. +# DELETE /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system +#"identity:delete_registered_limit": "role:admin and system_scope:all" + +# List revocation events. +# GET /v3/OS-REVOKE/events +# Intended scope(s): system +#"identity:list_revoke_events": "rule:service_or_admin" + +# Show role details. +# GET /v3/roles/{role_id} +# HEAD /v3/roles/{role_id} +# Intended scope(s): system +#"identity:get_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_role":"rule:admin_required" has been deprecated since +# S in favor of "identity:get_role":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# List roles. +# GET /v3/roles +# HEAD /v3/roles +# Intended scope(s): system +#"identity:list_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_roles":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_roles":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Create role. 
+# POST /v3/roles +# Intended scope(s): system +#"identity:create_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Update role. +# PATCH /v3/roles/{role_id} +# Intended scope(s): system +#"identity:update_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Delete role. +# DELETE /v3/roles/{role_id} +# Intended scope(s): system +#"identity:delete_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Show domain role. +# GET /v3/roles/{role_id} +# HEAD /v3/roles/{role_id} +# Intended scope(s): system +#"identity:get_domain_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_role":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_domain_role":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# List domain roles. +# GET /v3/roles?domain_id={domain_id} +# HEAD /v3/roles?domain_id={domain_id} +# Intended scope(s): system +#"identity:list_domain_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_domain_roles":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_domain_roles":"role:reader and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Create domain role. 
+# POST /v3/roles +# Intended scope(s): system +#"identity:create_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Update domain role. +# PATCH /v3/roles/{role_id} +# Intended scope(s): system +#"identity:update_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Delete domain role. +# DELETE /v3/roles/{role_id} +# Intended scope(s): system +#"identity:delete_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# List role assignments. +# GET /v3/role_assignments +# HEAD /v3/role_assignments +# Intended scope(s): system, domain +#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_role_assignments":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_role_assignments":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List all role assignments for a given tree of hierarchical projects. 
+# GET /v3/role_assignments?include_subtree +# HEAD /v3/role_assignments?include_subtree +# Intended scope(s): system, domain, project +#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:list_role_assignments_for_tree":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:list_role_assignments_for_tree":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# project_id:%(target.project.id)s)". +# The assignment API is now aware of system scope and default roles. + +# Show service details. +# GET /v3/services/{service_id} +# Intended scope(s): system +#"identity:get_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_service":"role:reader and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# List services. +# GET /v3/services +# Intended scope(s): system +#"identity:list_services": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_services":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_services":"role:reader and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Create service. +# POST /v3/services +# Intended scope(s): system +#"identity:create_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Update service. 
+# PATCH /v3/services/{service_id} +# Intended scope(s): system +#"identity:update_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Delete service. +# DELETE /v3/services/{service_id} +# Intended scope(s): system +#"identity:delete_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Create federated service provider. +# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:create_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# List federated service providers. +# GET /v3/OS-FEDERATION/service_providers +# HEAD /v3/OS-FEDERATION/service_providers +# Intended scope(s): system +#"identity:list_service_providers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_service_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_service_providers":"role:reader and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Get federated service provider. 
+# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} +# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:get_service_provider": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_service_provider":"role:reader and system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Update federated service provider. +# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:update_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Delete federated service provider. +# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:delete_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# DEPRECATED +# "identity:revocation_list" has been deprecated since T. +# The identity:revocation_list policy isn't used to protect any APIs +# in keystone now that the revocation list API has been deprecated and +# only returns a 410 or 403 depending on how keystone is configured. +# This policy can be safely removed from policy files. +# List revoked PKI tokens. +# GET /v3/auth/tokens/OS-PKI/revoked +# Intended scope(s): system, project +#"identity:revocation_list": "rule:service_or_admin" + +# Check a token. 
+# HEAD /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" + +# DEPRECATED +# "identity:check_token":"rule:admin_or_token_subject" has been +# deprecated since T in favor of "identity:check_token":"(role:reader +# and system_scope:all) or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Validate a token. +# GET /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" + +# DEPRECATED +# "identity:validate_token":"rule:service_admin_or_token_subject" has +# been deprecated since T in favor of +# "identity:validate_token":"(role:reader and system_scope:all) or +# rule:service_role or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Revoke a token. +# DELETE /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" + +# DEPRECATED +# "identity:revoke_token":"rule:admin_or_token_subject" has been +# deprecated since T in favor of "identity:revoke_token":"(role:admin +# and system_scope:all) or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Create trust. +# POST /v3/OS-TRUST/trusts +# Intended scope(s): project +#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" + +# List trusts. +# GET /v3/OS-TRUST/trusts +# HEAD /v3/OS-TRUST/trusts +# Intended scope(s): system +#"identity:list_trusts": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_trusts":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_trusts":"role:reader and +# system_scope:all". +# The trust API is now aware of system scope and default roles. + +# List trusts for trustor. 
+# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# List trusts for trustee. +# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" + +# List roles delegated by a trust. +# GET /v3/OS-TRUST/trusts/{trust_id}/roles +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles +# Intended scope(s): system, project +#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user +# _id)s or user_id:%(target.trust.trustee_user_id)s" has been +# deprecated since T in favor of +# "identity:list_roles_for_trust":"role:reader and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Check if trust delegates a particular role. 
+# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# Intended scope(s): system, project +#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i +# d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated +# since T in favor of "identity:get_role_for_trust":"role:reader and +# system_scope:all or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Revoke trust. +# DELETE /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# DEPRECATED +# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" +# has been deprecated since T in favor of +# "identity:delete_trust":"role:admin and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Get trust. +# GET /v3/OS-TRUST/trusts/{trust_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s" has been deprecated since +# T in favor of "identity:get_trust":"role:reader and system_scope:all +# or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Show user details. 
+# GET /v3/users/{user_id} +# HEAD /v3/users/{user_id} +# Intended scope(s): system, domain, project +#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + +# DEPRECATED +# "identity:get_user":"rule:admin_or_owner" has been deprecated since +# S in favor of "identity:get_user":"(role:reader and +# system_scope:all) or (role:reader and +# token.domain.id:%(target.user.domain_id)s) or +# user_id:%(target.user.id)s". +# The user API is now aware of system scope and default roles. + +# List users. +# GET /v3/users +# HEAD /v3/users +# Intended scope(s): system, domain +#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_users":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_users":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". +# The user API is now aware of system scope and default roles. + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +#"identity:list_projects_for_user": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +#"identity:list_domains_for_user": "" + +# Create a user. +# POST /v3/users +# Intended scope(s): system, domain +#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:create_user":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_user":"(role:admin and +# system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". +# The user API is now aware of system scope and default roles. + +# Update a user, including administrative password resets. 
+# PATCH /v3/users/{user_id} +# Intended scope(s): system, domain +#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:update_user":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_user":"(role:admin and +# system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". +# The user API is now aware of system scope and default roles. + +# Delete a user. +# DELETE /v3/users/{user_id} +# Intended scope(s): system, domain +#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:delete_user":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_user":"(role:admin and +# system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". +# The user API is now aware of system scope and default roles. + diff --git a/openstack_dashboard/conf/neutron_policy.json b/openstack_dashboard/conf/neutron_policy.json deleted file mode 100644 index a1dfae1767..0000000000 --- a/openstack_dashboard/conf/neutron_policy.json +++ /dev/null 
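Review bot: the trust entries in this hunk (identity:list_trusts_for_trustor, identity:list_trusts_for_trustee, identity:list_roles_for_trust, identity:get_role_for_trust, identity:delete_trust, identity:get_trust) are written as `role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s` without the parentheses that every other mixed and/or rule in the file uses. oslo.policy binds `and` tighter than `or`, so the check still evaluates as `(role:reader and system_scope:all) or user_id:...`, which matches the intent, but since operators copy these defaults into their override file it is worth keeping the parenthesized form in any hand-written override so the grouping is explicit and a misplaced parenthesis does not widen who can read or revoke a trust. Also worth calling out in the settings doc: `identity:get_region`, `identity:list_regions`, `identity:get_registered_limit`, `identity:list_registered_limits`, `identity:list_projects_for_user` and `identity:list_domains_for_user` default to `""`, which oslo.policy treats as always-true for any valid token; that is intended for these read-only endpoints, but an operator auditing the defaults may otherwise expect a scope or role check there. Finally, the `identity:revocation_list` entry has its DEPRECATED block before the description and path lines, unlike every other entry; if this file is refreshed from keystone's defaults that ordering will come back, so do not reorder it by hand.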
@@ -1,220 +0,0 @@ -{ - "context_is_admin": "role:admin", - "owner": "tenant_id:%(tenant_id)s", - "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", - "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin", - "regular_user": "", - "shared": "field:networks:shared=True", - "default": "rule:admin_or_owner", - "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s", - "shared_address_scopes": "field:address_scopes:shared=True", - "create_address_scope": "rule:regular_user", - "create_address_scope:shared": "rule:admin_only", - "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", - "update_address_scope": "rule:admin_or_owner", - "update_address_scope:shared": "rule:admin_only", - "delete_address_scope": "rule:admin_or_owner", - "get_agent": "rule:admin_only", - "update_agent": "rule:admin_only", - "delete_agent": "rule:admin_only", - "create_dhcp-network": "rule:admin_only", - "get_dhcp-networks": "rule:admin_only", - "delete_dhcp-network": "rule:admin_only", - "create_l3-router": "rule:admin_only", - "get_l3-routers": "rule:admin_only", - "delete_l3-router": "rule:admin_only", - "get_dhcp-agents": "rule:admin_only", - "get_l3-agents": "rule:admin_only", - "get_agent-loadbalancers": "rule:admin_only", - "get_loadbalancer-hosting-agent": "rule:admin_only", - "get_auto_allocated_topology": "rule:admin_or_owner", - "delete_auto_allocated_topology": "rule:admin_or_owner", - "get_availability_zone": "rule:regular_user", - "create_flavor": "rule:admin_only", - "get_flavor": "rule:regular_user", - "update_flavor": "rule:admin_only", - "delete_flavor": "rule:admin_only", - "create_service_profile": "rule:admin_only", - "get_service_profile": "rule:admin_only", - "update_service_profile": "rule:admin_only", - 
"delete_service_profile": "rule:admin_only", - "create_flavor_service_profile": "rule:admin_only", - "delete_flavor_service_profile": "rule:admin_only", - "create_floatingip": "rule:regular_user", - "create_floatingip:floating_ip_address": "rule:admin_only", - "get_floatingip": "rule:admin_or_owner", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", - "get_floatingip_pool": "rule:regular_user", - "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "get_loggable_resource": "rule:admin_only", - "create_log": "rule:admin_only", - "get_log": "rule:admin_only", - "update_log": "rule:admin_only", - "delete_log": "rule:admin_only", - "create_metering_label": "rule:admin_only", - "get_metering_label": "rule:admin_only", - "delete_metering_label": "rule:admin_only", - "create_metering_label_rule": "rule:admin_only", - "get_metering_label_rule": "rule:admin_only", - "delete_metering_label_rule": "rule:admin_only", - "external": "field:networks:router:external=True", - "create_network": "rule:regular_user", - "create_network:shared": "rule:admin_only", - "create_network:router:external": "rule:admin_only", - "create_network:is_default": "rule:admin_only", - "create_network:port_security_enabled": "rule:regular_user", - "create_network:segments": "rule:admin_only", - "create_network:provider:network_type": "rule:admin_only", - "create_network:provider:physical_network": "rule:admin_only", - "create_network:provider:segmentation_id": "rule:admin_only", - "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", - "get_network:router:external": "rule:regular_user", - "get_network:segments": "rule:admin_only", - "get_network:provider:network_type": "rule:admin_only", - 
"get_network:provider:physical_network": "rule:admin_only", - "get_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", - "update_network:segments": "rule:admin_only", - "update_network:shared": "rule:admin_only", - "update_network:provider:network_type": "rule:admin_only", - "update_network:provider:physical_network": "rule:admin_only", - "update_network:provider:segmentation_id": "rule:admin_only", - "update_network:router:external": "rule:admin_only", - "update_network:is_default": "rule:admin_only", - "update_network:port_security_enabled": "rule:admin_or_owner", - "delete_network": "rule:admin_or_owner", - "get_network_ip_availability": "rule:admin_only", - "create_network_segment_range": "rule:admin_only", - "get_network_segment_range": "rule:admin_only", - "update_network_segment_range": "rule:admin_only", - "delete_network_segment_range": "rule:admin_only", - "network_device": "field:port:device_owner=~^network:", - "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator", - "create_port": "rule:regular_user", - "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", - "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:binding:host_id": "rule:admin_only", - "create_port:binding:profile": "rule:admin_only", - "create_port:binding:vnic_type": "rule:regular_user", - "create_port:allowed_address_pairs": "rule:admin_or_network_owner", - "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - 
"get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:vif_details": "rule:admin_only", - "get_port:binding:host_id": "rule:admin_only", - "get_port:binding:profile": "rule:admin_only", - "get_port:resource_request": "rule:admin_only", - "update_port": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", - "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", - "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", - "update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:allowed_address_pairs": "rule:admin_or_network_owner", - "update_port:data_plane_status": "rule:admin_or_data_plane_int", - "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - "get_policy": "rule:regular_user", - "create_policy": "rule:admin_only", - "update_policy": "rule:admin_only", - "delete_policy": "rule:admin_only", - "get_rule_type": "rule:regular_user", - "get_policy_bandwidth_limit_rule": "rule:regular_user", - "create_policy_bandwidth_limit_rule": "rule:admin_only", - "update_policy_bandwidth_limit_rule": "rule:admin_only", - "delete_policy_bandwidth_limit_rule": "rule:admin_only", - "get_policy_dscp_marking_rule": "rule:regular_user", - "create_policy_dscp_marking_rule": "rule:admin_only", - "update_policy_dscp_marking_rule": "rule:admin_only", - "delete_policy_dscp_marking_rule": "rule:admin_only", - "get_policy_minimum_bandwidth_rule": 
"rule:regular_user", - "create_policy_minimum_bandwidth_rule": "rule:admin_only", - "update_policy_minimum_bandwidth_rule": "rule:admin_only", - "delete_policy_minimum_bandwidth_rule": "rule:admin_only", - "get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule", - "update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule", - "delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule", - "get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule", - "update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule", - "delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule", - "get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule", - "update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule", - "delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule", - "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", - "create_rbac_policy": "rule:regular_user", - "create_rbac_policy:target_tenant": "rule:restrict_wildcard", - "update_rbac_policy": "rule:admin_or_owner", - "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", - "get_rbac_policy": "rule:admin_or_owner", - "delete_rbac_policy": "rule:admin_or_owner", - "create_router": "rule:regular_user", - "create_router:distributed": "rule:admin_only", - "create_router:ha": "rule:admin_only", - "create_router:external_gateway_info": "rule:admin_or_owner", - "create_router:external_gateway_info:network_id": "rule:admin_or_owner", - "create_router:external_gateway_info:enable_snat": "rule:admin_only", - "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "get_router": "rule:admin_or_owner", - "get_router:distributed": "rule:admin_only", - "get_router:ha": "rule:admin_only", - "update_router": "rule:admin_or_owner", - "update_router:distributed": "rule:admin_only", - "update_router:ha": 
"rule:admin_only", - "update_router:external_gateway_info": "rule:admin_or_owner", - "update_router:external_gateway_info:network_id": "rule:admin_or_owner", - "update_router:external_gateway_info:enable_snat": "rule:admin_only", - "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "delete_router": "rule:admin_or_owner", - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", - "create_security_group": "rule:admin_or_owner", - "get_security_group": "rule:regular_user", - "update_security_group": "rule:admin_or_owner", - "delete_security_group": "rule:admin_or_owner", - "create_security_group_rule": "rule:admin_or_owner", - "get_security_group_rule": "rule:admin_or_owner", - "delete_security_group_rule": "rule:admin_or_owner", - "create_segment": "rule:admin_only", - "get_segment": "rule:admin_only", - "update_segment": "rule:admin_only", - "delete_segment": "rule:admin_only", - "get_service_provider": "rule:regular_user", - "create_subnet": "rule:admin_or_network_owner", - "create_subnet:segment_id": "rule:admin_only", - "create_subnet:service_types": "rule:admin_only", - "get_subnet": "rule:admin_or_owner or rule:shared", - "get_subnet:segment_id": "rule:admin_only", - "update_subnet": "rule:admin_or_network_owner", - "update_subnet:segment_id": "rule:admin_only", - "update_subnet:service_types": "rule:admin_only", - "delete_subnet": "rule:admin_or_network_owner", - "shared_subnetpools": "field:subnetpools:shared=True", - "create_subnetpool": "rule:regular_user", - "create_subnetpool:shared": "rule:admin_only", - "create_subnetpool:is_default": "rule:admin_only", - "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", - "update_subnetpool": "rule:admin_or_owner", - "update_subnetpool:is_default": "rule:admin_only", - "delete_subnetpool": "rule:admin_or_owner", - "onboard_network_subnets": "rule:admin_or_owner", - "create_trunk": "rule:regular_user", - "get_trunk": 
"rule:admin_or_owner", - "update_trunk": "rule:admin_or_owner", - "delete_trunk": "rule:admin_or_owner", - "get_subports": "rule:regular_user", - "add_subports": "rule:admin_or_owner", - "remove_subports": "rule:admin_or_owner" -} diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml new file mode 100644 index 0000000000..75b8adcf94 --- /dev/null +++ b/openstack_dashboard/conf/neutron_policy.yaml 
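Review bot: the deleted neutron_policy.json is not a one-to-one transcription of the neutron_policy.yaml that replaces it, so the commit message or a release note should spell out the behavioural delta instead of presenting this as a pure JSON-to-YAML conversion. Concretely, the JSON's `"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"` reappears in the YAML as `"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"`, which widens who may set fixed IPs, and the YAML carries rules with no JSON counterpart (`get_flavor_service_profile`, the `*_router_conntrack_helper` and `*_quota` entries, `create_port:allowed_address_pairs:mac_address`/`ip_address`, `admin_or_sg_owner`). Because every rule line in the new file is commented out, this file no longer defines Horizon's effective policy on its own; an operator who had customised the old JSON should be told to diff it against the new defaults and carry over only their intentional overrides, rather than re-applying the whole old file.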
@@ -0,0 +1,961 @@ +# Rule for cloud admin access +#"context_is_admin": "role:admin" + +# Rule for resource owner access +#"owner": "tenant_id:%(tenant_id)s" + +# Rule for admin or owner access +#"admin_or_owner": "rule:context_is_admin or rule:owner" + +# Rule for advsvc role access +#"context_is_advsvc": "role:advsvc" + +# Rule for admin or network owner access +#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s" + +# Rule for resource owner, admin or network owner access +#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner" + +# Rule for admin-only access +#"admin_only": "rule:context_is_admin" + +# Rule for regular user access +#"regular_user": "" + +# Rule of shared network +#"shared": "field:networks:shared=True" + +# Default access rule +#"default": "rule:admin_or_owner" + +# Rule for common parent owner check +#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s" + +# Definition of a shared address scope +#"shared_address_scopes": "field:address_scopes:shared=True" + +# Create an address scope +# POST /address-scopes +#"create_address_scope": "rule:regular_user" + +# Create a shared address scope +# POST /address-scopes +#"create_address_scope:shared": "rule:admin_only" + +# Get an address scope +# GET /address-scopes +# GET /address-scopes/{id} +#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes" + +# Update an address scope +# PUT /address-scopes/{id} +#"update_address_scope": "rule:admin_or_owner" + +# Update ``shared`` attribute of an address scope +# PUT /address-scopes/{id} +#"update_address_scope:shared": "rule:admin_only" + +# Delete an address scope +# DELETE /address-scopes/{id} +#"delete_address_scope": "rule:admin_or_owner" + +# Get an agent +# GET /agents +# GET /agents/{id} +#"get_agent": "rule:admin_only" + +# Update an agent +# PUT /agents/{id} +#"update_agent": "rule:admin_only" + +# Delete an agent +# DELETE /agents/{id} 
+#"delete_agent": "rule:admin_only" + +# Add a network to a DHCP agent +# POST /agents/{agent_id}/dhcp-networks +#"create_dhcp-network": "rule:admin_only" + +# List networks on a DHCP agent +# GET /agents/{agent_id}/dhcp-networks +#"get_dhcp-networks": "rule:admin_only" + +# Remove a network from a DHCP agent +# DELETE /agents/{agent_id}/dhcp-networks/{network_id} +#"delete_dhcp-network": "rule:admin_only" + +# Add a router to an L3 agent +# POST /agents/{agent_id}/l3-routers +#"create_l3-router": "rule:admin_only" + +# List routers on an L3 agent +# GET /agents/{agent_id}/l3-routers +#"get_l3-routers": "rule:admin_only" + +# Remove a router from an L3 agent +# DELETE /agents/{agent_id}/l3-routers/{router_id} +#"delete_l3-router": "rule:admin_only" + +# List DHCP agents hosting a network +# GET /networks/{network_id}/dhcp-agents +#"get_dhcp-agents": "rule:admin_only" + +# List L3 agents hosting a router +# GET /routers/{router_id}/l3-agents +#"get_l3-agents": "rule:admin_only" + +# Get a project's auto-allocated topology +# GET /auto-allocated-topology/{project_id} +#"get_auto_allocated_topology": "rule:admin_or_owner" + +# Delete a project's auto-allocated topology +# DELETE /auto-allocated-topology/{project_id} +#"delete_auto_allocated_topology": "rule:admin_or_owner" + +# List availability zones +# GET /availability_zones +#"get_availability_zone": "rule:regular_user" + +# Create a flavor +# POST /flavors +#"create_flavor": "rule:admin_only" + +# Get a flavor +# GET /flavors +# GET /flavors/{id} +#"get_flavor": "rule:regular_user" + +# Update a flavor +# PUT /flavors/{id} +#"update_flavor": "rule:admin_only" + +# Delete a flavor +# DELETE /flavors/{id} +#"delete_flavor": "rule:admin_only" + +# Create a service profile +# POST /service_profiles +#"create_service_profile": "rule:admin_only" + +# Get a service profile +# GET /service_profiles +# GET /service_profiles/{id} +#"get_service_profile": "rule:admin_only" + +# Update a service profile +# PUT 
/service_profiles/{id} +#"update_service_profile": "rule:admin_only" + +# Delete a service profile +# DELETE /service_profiles/{id} +#"delete_service_profile": "rule:admin_only" + +# Get a flavor associated with a given service profiles. There is no +# corresponding GET operations in API currently. This rule is +# currently referred only in the DELETE of flavor_service_profile. +#"get_flavor_service_profile": "rule:regular_user" + +# Associate a flavor with a service profile +# POST /flavors/{flavor_id}/service_profiles +#"create_flavor_service_profile": "rule:admin_only" + +# Disassociate a flavor with a service profile +# DELETE /flavors/{flavor_id}/service_profiles/{profile_id} +#"delete_flavor_service_profile": "rule:admin_only" + +# Create a floating IP +# POST /floatingips +#"create_floatingip": "rule:regular_user" + +# Create a floating IP with a specific IP address +# POST /floatingips +#"create_floatingip:floating_ip_address": "rule:admin_only" + +# Get a floating IP +# GET /floatingips +# GET /floatingips/{id} +#"get_floatingip": "rule:admin_or_owner" + +# Update a floating IP +# PUT /floatingips/{id} +#"update_floatingip": "rule:admin_or_owner" + +# Delete a floating IP +# DELETE /floatingips/{id} +#"delete_floatingip": "rule:admin_or_owner" + +# Get floating IP pools +# GET /floatingip_pools +#"get_floatingip_pool": "rule:regular_user" + +# Create a floating IP port forwarding +# POST /floatingips/{floatingip_id}/port_forwardings +#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Get a floating IP port forwarding +# GET /floatingips/{floatingip_id}/port_forwardings +# GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Update a floating IP port forwarding +# PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Delete a floating IP port 
forwarding +# DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Create a router conntrack helper +# POST /routers/{router_id}/conntrack_helpers +#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Get a router conntrack helper +# GET /routers/{router_id}/conntrack_helpers +# GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Update a router conntrack helper +# PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Delete a router conntrack helper +# DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Get loggable resources +# GET /log/loggable-resources +#"get_loggable_resource": "rule:admin_only" + +# Create a network log +# POST /log/logs +#"create_log": "rule:admin_only" + +# Get a network log +# GET /log/logs +# GET /log/logs/{id} +#"get_log": "rule:admin_only" + +# Update a network log +# PUT /log/logs/{id} +#"update_log": "rule:admin_only" + +# Delete a network log +# DELETE /log/logs/{id} +#"delete_log": "rule:admin_only" + +# Create a metering label +# POST /metering/metering-labels +#"create_metering_label": "rule:admin_only" + +# Get a metering label +# GET /metering/metering-labels +# GET /metering/metering-labels/{id} +#"get_metering_label": "rule:admin_only" + +# Delete a metering label +# DELETE /metering/metering-labels/{id} +#"delete_metering_label": "rule:admin_only" + +# Create a metering label rule +# POST /metering/metering-label-rules +#"create_metering_label_rule": "rule:admin_only" + +# Get a metering label rule +# GET /metering/metering-label-rules +# GET /metering/metering-label-rules/{id} +#"get_metering_label_rule": "rule:admin_only" + +# Delete a metering label 
rule +# DELETE /metering/metering-label-rules/{id} +#"delete_metering_label_rule": "rule:admin_only" + +# Definition of an external network +#"external": "field:networks:router:external=True" + +# Create a network +# POST /networks +#"create_network": "rule:regular_user" + +# Create a shared network +# POST /networks +#"create_network:shared": "rule:admin_only" + +# Create an external network +# POST /networks +#"create_network:router:external": "rule:admin_only" + +# Specify ``is_default`` attribute when creating a network +# POST /networks +#"create_network:is_default": "rule:admin_only" + +# Specify ``port_security_enabled`` attribute when creating a network +# POST /networks +#"create_network:port_security_enabled": "rule:regular_user" + +# Specify ``segments`` attribute when creating a network +# POST /networks +#"create_network:segments": "rule:admin_only" + +# Specify ``provider:network_type`` when creating a network +# POST /networks +#"create_network:provider:network_type": "rule:admin_only" + +# Specify ``provider:physical_network`` when creating a network +# POST /networks +#"create_network:provider:physical_network": "rule:admin_only" + +# Specify ``provider:segmentation_id`` when creating a network +# POST /networks +#"create_network:provider:segmentation_id": "rule:admin_only" + +# Get a network +# GET /networks +# GET /networks/{id} +#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc" + +# Get ``router:external`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:router:external": "rule:regular_user" + +# Get ``segments`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:segments": "rule:admin_only" + +# Get ``provider:network_type`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:provider:network_type": "rule:admin_only" + +# Get ``provider:physical_network`` attribute of a network +# GET /networks +# GET /networks/{id} 
+#"get_network:provider:physical_network": "rule:admin_only" + +# Get ``provider:segmentation_id`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:provider:segmentation_id": "rule:admin_only" + +# Update a network +# PUT /networks/{id} +#"update_network": "rule:admin_or_owner" + +# Update ``segments`` attribute of a network +# PUT /networks/{id} +#"update_network:segments": "rule:admin_only" + +# Update ``shared`` attribute of a network +# PUT /networks/{id} +#"update_network:shared": "rule:admin_only" + +# Update ``provider:network_type`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:network_type": "rule:admin_only" + +# Update ``provider:physical_network`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:physical_network": "rule:admin_only" + +# Update ``provider:segmentation_id`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:segmentation_id": "rule:admin_only" + +# Update ``router:external`` attribute of a network +# PUT /networks/{id} +#"update_network:router:external": "rule:admin_only" + +# Update ``is_default`` attribute of a network +# PUT /networks/{id} +#"update_network:is_default": "rule:admin_only" + +# Update ``port_security_enabled`` attribute of a network +# PUT /networks/{id} +#"update_network:port_security_enabled": "rule:admin_or_owner" + +# Delete a network +# DELETE /networks/{id} +#"delete_network": "rule:admin_or_owner" + +# Get network IP availability +# GET /network-ip-availabilities +# GET /network-ip-availabilities/{network_id} +#"get_network_ip_availability": "rule:admin_only" + +# Create a network segment range +# POST /network_segment_ranges +#"create_network_segment_range": "rule:admin_only" + +# Get a network segment range +# GET /network_segment_ranges +# GET /network_segment_ranges/{id} +#"get_network_segment_range": "rule:admin_only" + +# Update a network segment range +# PUT /network_segment_ranges/{id} 
+#"update_network_segment_range": "rule:admin_only" + +# Delete a network segment range +# DELETE /network_segment_ranges/{id} +#"delete_network_segment_range": "rule:admin_only" + +# Definition of port with network device_owner +#"network_device": "field:port:device_owner=~^network:" + +# Rule for data plane integration +#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator" + +# Create a port +# POST /ports +#"create_port": "rule:regular_user" + +# Specify ``device_owner`` attribute when creting a port +# POST /ports +#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``mac_address`` attribute when creating a port +# POST /ports +#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``fixed_ips`` information when creating a port +# POST /ports +#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared" + +# Specify IP address in ``fixed_ips`` when creating a port +# POST /ports +#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify subnet ID in ``fixed_ips`` when creating a port +# POST /ports +#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared" + +# Specify ``port_security_enabled`` attribute when creating a port +# POST /ports +#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``binding:host_id`` attribute when creating a port +# POST /ports +#"create_port:binding:host_id": "rule:admin_only" + +# Specify ``binding:profile`` attribute when creating a port +# POST /ports +#"create_port:binding:profile": "rule:admin_only" + +# Specify ``binding:vnic_type`` attribute when creating a port +# POST /ports +#"create_port:binding:vnic_type": "rule:regular_user" + +# Specify ``allowed_address_pairs`` attribute when creating a port 
+# POST /ports +#"create_port:allowed_address_pairs": "rule:admin_or_network_owner" + +# Specify ``mac_address` of `allowed_address_pairs`` attribute when +# creating a port +# POST /ports +#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner" + +# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when +# creating a port +# POST /ports +#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner" + +# Get a port +# GET /ports +# GET /ports/{id} +#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner" + +# Get ``binding:vif_type`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:vif_type": "rule:admin_only" + +# Get ``binding:vif_details`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:vif_details": "rule:admin_only" + +# Get ``binding:host_id`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:host_id": "rule:admin_only" + +# Get ``binding:profile`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:profile": "rule:admin_only" + +# Get ``resource_request`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:resource_request": "rule:admin_only" + +# Update a port +# PUT /ports/{id} +#"update_port": "rule:admin_or_owner or rule:context_is_advsvc" + +# Update ``device_owner`` attribute of a port +# PUT /ports/{id} +#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner" + +# Update ``mac_address`` attribute of a port +# PUT /ports/{id} +#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc" + +# Specify ``fixed_ips`` information when updating a port +# PUT /ports/{id} +#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify IP address in ``fixed_ips`` information when updating a port +# PUT /ports/{id} +#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or 
rule:admin_or_network_owner" + +# Specify subnet ID in ``fixed_ips`` information when updating a port +# PUT /ports/{id} +#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared" + +# Update ``port_security_enabled`` attribute of a port +# PUT /ports/{id} +#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Update ``binding:host_id`` attribute of a port +# PUT /ports/{id} +#"update_port:binding:host_id": "rule:admin_only" + +# Update ``binding:profile`` attribute of a port +# PUT /ports/{id} +#"update_port:binding:profile": "rule:admin_only" + +# Update ``binding:vnic_type`` attribute of a port +# PUT /ports/{id} +#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc" + +# Update ``allowed_address_pairs`` attribute of a port +# PUT /ports/{id} +#"update_port:allowed_address_pairs": "rule:admin_or_network_owner" + +# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a +# port +# PUT /ports/{id} +#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner" + +# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a +# port +# PUT /ports/{id} +#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner" + +# Update ``data_plane_status`` attribute of a port +# PUT /ports/{id} +#"update_port:data_plane_status": "rule:admin_or_data_plane_int" + +# Delete a port +# DELETE /ports/{id} +#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner" + +# Get QoS policies +# GET /qos/policies +# GET /qos/policies/{id} +#"get_policy": "rule:regular_user" + +# Create a QoS policy +# POST /qos/policies +#"create_policy": "rule:admin_only" + +# Update a QoS policy +# PUT /qos/policies/{id} +#"update_policy": "rule:admin_only" + +# Delete a QoS policy +# DELETE /qos/policies/{id} +#"delete_policy": "rule:admin_only" + +# Get available QoS rule types +# GET /qos/rule-types +# GET 
/qos/rule-types/{rule_type} +#"get_rule_type": "rule:regular_user" + +# Get a QoS bandwidth limit rule +# GET /qos/policies/{policy_id}/bandwidth_limit_rules +# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} +#"get_policy_bandwidth_limit_rule": "rule:regular_user" + +# Create a QoS bandwidth limit rule +# POST /qos/policies/{policy_id}/bandwidth_limit_rules +#"create_policy_bandwidth_limit_rule": "rule:admin_only" + +# Update a QoS bandwidth limit rule +# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} +#"update_policy_bandwidth_limit_rule": "rule:admin_only" + +# Delete a QoS bandwidth limit rule +# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} +#"delete_policy_bandwidth_limit_rule": "rule:admin_only" + +# Get a QoS DSCP marking rule +# GET /qos/policies/{policy_id}/dscp_marking_rules +# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} +#"get_policy_dscp_marking_rule": "rule:regular_user" + +# Create a QoS DSCP marking rule +# POST /qos/policies/{policy_id}/dscp_marking_rules +#"create_policy_dscp_marking_rule": "rule:admin_only" + +# Update a QoS DSCP marking rule +# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} +#"update_policy_dscp_marking_rule": "rule:admin_only" + +# Delete a QoS DSCP marking rule +# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} +#"delete_policy_dscp_marking_rule": "rule:admin_only" + +# Get a QoS minimum bandwidth rule +# GET /qos/policies/{policy_id}/minimum_bandwidth_rules +# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} +#"get_policy_minimum_bandwidth_rule": "rule:regular_user" + +# Create a QoS minimum bandwidth rule +# POST /qos/policies/{policy_id}/minimum_bandwidth_rules +#"create_policy_minimum_bandwidth_rule": "rule:admin_only" + +# Update a QoS minimum bandwidth rule +# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} +#"update_policy_minimum_bandwidth_rule": "rule:admin_only" + +# Delete a QoS minimum bandwidth 
rule +# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} +#"delete_policy_minimum_bandwidth_rule": "rule:admin_only" + +# Get a QoS bandwidth limit rule through alias +# GET /qos/alias_bandwidth_limit_rules/{rule_id}/ +#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule" + +# Update a QoS bandwidth limit rule through alias +# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/ +#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule" + +# Delete a QoS bandwidth limit rule through alias +# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/ +#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule" + +# Get a QoS DSCP marking rule through alias +# GET /qos/alias_dscp_marking_rules/{rule_id}/ +#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule" + +# Update a QoS DSCP marking rule through alias +# PUT /qos/alias_dscp_marking_rules/{rule_id}/ +#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule" + +# Delete a QoS DSCP marking rule through alias +# DELETE /qos/alias_dscp_marking_rules/{rule_id}/ +#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule" + +# Get a QoS minimum bandwidth rule through alias +# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/ +#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule" + +# Update a QoS minimum bandwidth rule through alias +# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/ +#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule" + +# Delete a QoS minimum bandwidth rule through alias +# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/ +#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule" + +# Get a resource quota +# GET /quota +# GET /quota/{id} +#"get_quota": "rule:admin_only" + +# Update a resource quota +# PUT /quota/{id} +#"update_quota": "rule:admin_only" + +# Delete a resource quota +# DELETE /quota/{id} 
+#"delete_quota": "rule:admin_only" + +# Definition of a wildcard target_tenant +#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only" + +# Create an RBAC policy +# POST /rbac-policies +#"create_rbac_policy": "rule:regular_user" + +# Specify ``target_tenant`` when creating an RBAC policy +# POST /rbac-policies +#"create_rbac_policy:target_tenant": "rule:restrict_wildcard" + +# Update an RBAC policy +# PUT /rbac-policies/{id} +#"update_rbac_policy": "rule:admin_or_owner" + +# Update ``target_tenant`` attribute of an RBAC policy +# PUT /rbac-policies/{id} +#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner" + +# Get an RBAC policy +# GET /rbac-policies +# GET /rbac-policies/{id} +#"get_rbac_policy": "rule:admin_or_owner" + +# Delete an RBAC policy +# DELETE /rbac-policies/{id} +#"delete_rbac_policy": "rule:admin_or_owner" + +# Create a router +# POST /routers +#"create_router": "rule:regular_user" + +# Specify ``distributed`` attribute when creating a router +# POST /routers +#"create_router:distributed": "rule:admin_only" + +# Specify ``ha`` attribute when creating a router +# POST /routers +#"create_router:ha": "rule:admin_only" + +# Specify ``external_gateway_info`` information when creating a router +# POST /routers +#"create_router:external_gateway_info": "rule:admin_or_owner" + +# Specify ``network_id`` in ``external_gateway_info`` information when +# creating a router +# POST /routers +#"create_router:external_gateway_info:network_id": "rule:admin_or_owner" + +# Specify ``enable_snat`` in ``external_gateway_info`` information +# when creating a router +# POST /routers +#"create_router:external_gateway_info:enable_snat": "rule:admin_only" + +# Specify ``external_fixed_ips`` in ``external_gateway_info`` +# information when creating a router +# POST /routers +#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only" + +# Get a router +# GET /routers +# GET /routers/{id} 
+#"get_router": "rule:admin_or_owner" + +# Get ``distributed`` attribute of a router +# GET /routers +# GET /routers/{id} +#"get_router:distributed": "rule:admin_only" + +# Get ``ha`` attribute of a router +# GET /routers +# GET /routers/{id} +#"get_router:ha": "rule:admin_only" + +# Update a router +# PUT /routers/{id} +#"update_router": "rule:admin_or_owner" + +# Update ``distributed`` attribute of a router +# PUT /routers/{id} +#"update_router:distributed": "rule:admin_only" + +# Update ``ha`` attribute of a router +# PUT /routers/{id} +#"update_router:ha": "rule:admin_only" + +# Update ``external_gateway_info`` information of a router +# PUT /routers/{id} +#"update_router:external_gateway_info": "rule:admin_or_owner" + +# Update ``network_id`` attribute of ``external_gateway_info`` +# information of a router +# PUT /routers/{id} +#"update_router:external_gateway_info:network_id": "rule:admin_or_owner" + +# Update ``enable_snat`` attribute of ``external_gateway_info`` +# information of a router +# PUT /routers/{id} +#"update_router:external_gateway_info:enable_snat": "rule:admin_only" + +# Update ``external_fixed_ips`` attribute of ``external_gateway_info`` +# information of a router +# PUT /routers/{id} +#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only" + +# Delete a router +# DELETE /routers/{id} +#"delete_router": "rule:admin_or_owner" + +# Add an interface to a router +# PUT /routers/{id}/add_router_interface +#"add_router_interface": "rule:admin_or_owner" + +# Remove an interface from a router +# PUT /routers/{id}/remove_router_interface +#"remove_router_interface": "rule:admin_or_owner" + +# Rule for admin or security group owner access +#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s" + +# Rule for resource owner, admin or security group owner access +#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner" + +# Create a security group +# POST /security-groups 
+#"create_security_group": "rule:admin_or_owner" + +# Get a security group +# GET /security-groups +# GET /security-groups/{id} +#"get_security_group": "rule:regular_user" + +# Update a security group +# PUT /security-groups/{id} +#"update_security_group": "rule:admin_or_owner" + +# Delete a security group +# DELETE /security-groups/{id} +#"delete_security_group": "rule:admin_or_owner" + +# Create a security group rule +# POST /security-group-rules +#"create_security_group_rule": "rule:admin_or_owner" + +# Get a security group rule +# GET /security-group-rules +# GET /security-group-rules/{id} +#"get_security_group_rule": "rule:admin_owner_or_sg_owner" + +# Delete a security group rule +# DELETE /security-group-rules/{id} +#"delete_security_group_rule": "rule:admin_or_owner" + +# Create a segment +# POST /segments +#"create_segment": "rule:admin_only" + +# Get a segment +# GET /segments +# GET /segments/{id} +#"get_segment": "rule:admin_only" + +# Update a segment +# PUT /segments/{id} +#"update_segment": "rule:admin_only" + +# Delete a segment +# DELETE /segments/{id} +#"delete_segment": "rule:admin_only" + +# Get service providers +# GET /service-providers +#"get_service_provider": "rule:regular_user" + +# Create a subnet +# POST /subnets +#"create_subnet": "rule:admin_or_network_owner" + +# Specify ``segment_id`` attribute when creating a subnet +# POST /subnets +#"create_subnet:segment_id": "rule:admin_only" + +# Specify ``service_types`` attribute when creating a subnet +# POST /subnets +#"create_subnet:service_types": "rule:admin_only" + +# Get a subnet +# GET /subnets +# GET /subnets/{id} +#"get_subnet": "rule:admin_or_owner or rule:shared" + +# Get ``segment_id`` attribute of a subnet +# GET /subnets +# GET /subnets/{id} +#"get_subnet:segment_id": "rule:admin_only" + +# Update a subnet +# PUT /subnets/{id} +#"update_subnet": "rule:admin_or_network_owner" + +# Update ``segment_id`` attribute of a subnet +# PUT /subnets/{id} +#"update_subnet:segment_id": 
"rule:admin_only" + +# Update ``service_types`` attribute of a subnet +# PUT /subnets/{id} +#"update_subnet:service_types": "rule:admin_only" + +# Delete a subnet +# DELETE /subnets/{id} +#"delete_subnet": "rule:admin_or_network_owner" + +# Definition of a shared subnetpool +#"shared_subnetpools": "field:subnetpools:shared=True" + +# Create a subnetpool +# POST /subnetpools +#"create_subnetpool": "rule:regular_user" + +# Create a shared subnetpool +# POST /subnetpools +#"create_subnetpool:shared": "rule:admin_only" + +# Specify ``is_default`` attribute when creating a subnetpool +# POST /subnetpools +#"create_subnetpool:is_default": "rule:admin_only" + +# Get a subnetpool +# GET /subnetpools +# GET /subnetpools/{id} +#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools" + +# Update a subnetpool +# PUT /subnetpools/{id} +#"update_subnetpool": "rule:admin_or_owner" + +# Update ``is_default`` attribute of a subnetpool +# PUT /subnetpools/{id} +#"update_subnetpool:is_default": "rule:admin_only" + +# Delete a subnetpool +# DELETE /subnetpools/{id} +#"delete_subnetpool": "rule:admin_or_owner" + +# Onboard existing subnet into a subnetpool +# Put /subnetpools/{id}/onboard_network_subnets +#"onboard_network_subnets": "rule:admin_or_owner" + +# Add prefixes to a subnetpool +# Put /subnetpools/{id}/add_prefixes +#"add_prefixes": "rule:admin_or_owner" + +# Remove unallocated prefixes from a subnetpool +# Put /subnetpools/{id}/remove_prefixes +#"remove_prefixes": "rule:admin_or_owner" + +# Create a trunk +# POST /trunks +#"create_trunk": "rule:regular_user" + +# Get a trunk +# GET /trunks +# GET /trunks/{id} +#"get_trunk": "rule:admin_or_owner" + +# Update a trunk +# PUT /trunks/{id} +#"update_trunk": "rule:admin_or_owner" + +# Delete a trunk +# DELETE /trunks/{id} +#"delete_trunk": "rule:admin_or_owner" + +# List subports attached to a trunk +# GET /trunks/{id}/get_subports +#"get_subports": "rule:regular_user" + +# Add subports to a trunk +# PUT 
/trunks/{id}/add_subports +#"add_subports": "rule:admin_or_owner" + +# Delete subports from a trunk +# PUT /trunks/{id}/remove_subports +#"remove_subports": "rule:admin_or_owner" + diff --git a/openstack_dashboard/conf/nova_policy.json b/openstack_dashboard/conf/nova_policy.json deleted file mode 100644 index 8015bc347b..0000000000 --- a/openstack_dashboard/conf/nova_policy.json +++ /dev/null 
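Review bot: every entry in the neutron_policy.yaml hunk above is commented out (`#"get_rule_type": "rule:regular_user"` and so on), so this file overrides nothing by itself; add a short header comment stating that it is a generated sample in which only uncommented lines become operator overrides, otherwise readers used to the old JSON files will read these lines as the rules Horizon actually enforces. Also drop the empty line added at the end of the file (the bare `+` just before the nova_policy.json header), which git flags as a blank line at EOF; the lowercase `Put` in the subnetpool endpoints (`# Put /subnetpools/{id}/add_prefixes`) is upstream generator text and not something to touch in this change.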
@@ -1,158 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "admin_api": "is_admin:True", - "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", - "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", - "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", - "os_compute_api:os-admin-password": "rule:admin_or_owner", - "os_compute_api:os-agents": "rule:admin_api", - "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", - "os_compute_api:os-aggregates:add_host": "rule:admin_api", - "os_compute_api:os-aggregates:create": "rule:admin_api", - "os_compute_api:os-aggregates:remove_host": "rule:admin_api", - "os_compute_api:os-aggregates:update": "rule:admin_api", - "os_compute_api:os-aggregates:index": "rule:admin_api", - "os_compute_api:os-aggregates:delete": "rule:admin_api", - "os_compute_api:os-aggregates:show": "rule:admin_api", - "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", - "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", - "os_compute_api:os-attach-interfaces": "rule:admin_or_owner", - "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner", - "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner", - "os_compute_api:os-availability-zone:list": "rule:admin_or_owner", - "os_compute_api:os-availability-zone:detail": "rule:admin_api", - "os_compute_api:os-baremetal-nodes": "rule:admin_api", - "os_compute_api:os-cells:update": "rule:admin_api", - "os_compute_api:os-cells:create": "rule:admin_api", - "os_compute_api:os-cells": "rule:admin_api", - "os_compute_api:os-cells:sync_instances": "rule:admin_api", - "os_compute_api:os-cells:delete": "rule:admin_api", - "cells_scheduler_filter:DifferentCellFilter": "is_admin:True", - "cells_scheduler_filter:TargetCellFilter": "is_admin:True", - "os_compute_api:os-console-auth-tokens": "rule:admin_api", - "os_compute_api:os-console-output": 
"rule:admin_or_owner", - "os_compute_api:os-consoles:create": "rule:admin_or_owner", - "os_compute_api:os-consoles:show": "rule:admin_or_owner", - "os_compute_api:os-consoles:delete": "rule:admin_or_owner", - "os_compute_api:os-consoles:index": "rule:admin_or_owner", - "os_compute_api:os-create-backup": "rule:admin_or_owner", - "os_compute_api:os-deferred-delete": "rule:admin_or_owner", - "os_compute_api:os-evacuate": "rule:admin_api", - "os_compute_api:os-extended-server-attributes": "rule:admin_api", - "os_compute_api:extensions": "rule:admin_or_owner", - "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", - "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", - "os_compute_api:os-flavor-access": "rule:admin_or_owner", - "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner", - "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", - "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner", - "os_compute_api:os-flavor-manage:create": "rule:admin_api", - "os_compute_api:os-flavor-manage:update": "rule:admin_api", - "os_compute_api:os-flavor-manage:delete": "rule:admin_api", - "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner", - "os_compute_api:os-floating-ips": "rule:admin_or_owner", - "os_compute_api:os-hosts": "rule:admin_api", - "os_compute_api:os-hypervisors": "rule:admin_api", - "os_compute_api:os-instance-actions:events": "rule:admin_api", - "os_compute_api:os-instance-actions": "rule:admin_or_owner", - "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", - "os_compute_api:ips:show": "rule:admin_or_owner", - "os_compute_api:ips:index": "rule:admin_or_owner", - "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", - 
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", - "os_compute_api:limits": "rule:admin_or_owner", - "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", - "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", - "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", - "os_compute_api:os-migrate-server:migrate": "rule:admin_api", - "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", - "os_compute_api:os-migrations:index": "rule:admin_api", - "os_compute_api:os-multinic": "rule:admin_or_owner", - "os_compute_api:os-networks": "rule:admin_api", - "os_compute_api:os-networks:view": "rule:admin_or_owner", - "os_compute_api:os-networks-associate": "rule:admin_api", - "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", - "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", - "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", - "os_compute_api:os-quota-class-sets:update": "rule:admin_api", - "os_compute_api:os-quota-sets:update": "rule:admin_api", - "os_compute_api:os-quota-sets:defaults": "@", - "os_compute_api:os-quota-sets:show": "rule:admin_or_owner", - "os_compute_api:os-quota-sets:delete": "rule:admin_api", - "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner", - "os_compute_api:os-remote-consoles": "rule:admin_or_owner", - "os_compute_api:os-rescue": "rule:admin_or_owner", - "os_compute_api:os-security-group-default-rules": "rule:admin_api", - "os_compute_api:os-security-groups": "rule:admin_or_owner", - "os_compute_api:os-server-diagnostics": "rule:admin_api", - "os_compute_api:os-server-external-events:create": "rule:admin_api", - "os_compute_api:os-server-groups:create": "rule:admin_or_owner", - "os_compute_api:os-server-groups:delete": "rule:admin_or_owner", - "os_compute_api:os-server-groups:index": "rule:admin_or_owner", - 
"os_compute_api:os-server-groups:show": "rule:admin_or_owner", - "os_compute_api:server-metadata:index": "rule:admin_or_owner", - "os_compute_api:server-metadata:show": "rule:admin_or_owner", - "os_compute_api:server-metadata:create": "rule:admin_or_owner", - "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", - "os_compute_api:server-metadata:update": "rule:admin_or_owner", - "os_compute_api:server-metadata:delete": "rule:admin_or_owner", - "os_compute_api:os-server-password": "rule:admin_or_owner", - "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner", - "os_compute_api:os-server-tags:index": "rule:admin_or_owner", - "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner", - "os_compute_api:os-server-tags:delete": "rule:admin_or_owner", - "os_compute_api:os-server-tags:update": "rule:admin_or_owner", - "os_compute_api:os-server-tags:show": "rule:admin_or_owner", - "os_compute_api:servers:index": "rule:admin_or_owner", - "os_compute_api:servers:detail": "rule:admin_or_owner", - "os_compute_api:servers:index:get_all_tenants": "rule:admin_api", - "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api", - "os_compute_api:servers:allow_all_filters": "rule:admin_api", - "os_compute_api:servers:show": "rule:admin_or_owner", - "os_compute_api:servers:show:host_status": "rule:admin_api", - "os_compute_api:servers:create": "rule:admin_or_owner", - "os_compute_api:servers:create:forced_host": "rule:admin_api", - "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner", - "os_compute_api:servers:create:attach_network": "rule:admin_or_owner", - "os_compute_api:servers:create:trusted_certs": "rule:admin_or_owner", - "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api", - "network:attach_external_network": "is_admin:True", - "os_compute_api:servers:delete": "rule:admin_or_owner", - "os_compute_api:servers:update": "rule:admin_or_owner", - "os_compute_api:servers:confirm_resize": "rule:admin_or_owner", - 
"os_compute_api:servers:revert_resize": "rule:admin_or_owner", - "os_compute_api:servers:reboot": "rule:admin_or_owner", - "os_compute_api:servers:resize": "rule:admin_or_owner", - "os_compute_api:servers:rebuild": "rule:admin_or_owner", - "os_compute_api:servers:rebuild:trusted_certs": "rule:admin_or_owner", - "os_compute_api:servers:create_image": "rule:admin_or_owner", - "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner", - "os_compute_api:servers:start": "rule:admin_or_owner", - "os_compute_api:servers:stop": "rule:admin_or_owner", - "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner", - "os_compute_api:servers:migrations:show": "rule:admin_api", - "os_compute_api:servers:migrations:force_complete": "rule:admin_api", - "os_compute_api:servers:migrations:delete": "rule:admin_api", - "os_compute_api:servers:migrations:index": "rule:admin_api", - "os_compute_api:os-services": "rule:admin_api", - "os_compute_api:os-shelve:shelve": "rule:admin_or_owner", - "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner", - "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", - "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", - "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", - "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", - "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", - "os_compute_api:os-tenant-networks": "rule:admin_or_owner", - "os_compute_api:os-used-limits": "rule:admin_api", - "os_compute_api:os-volumes": "rule:admin_or_owner", - "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner", - "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner", - "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner", - "os_compute_api:os-volumes-attachments:update": "rule:admin_api", - "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner" -} 
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml new file mode 100644 index 0000000000..dab2e4e458 --- /dev/null +++ b/openstack_dashboard/conf/nova_policy.yaml 
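Review bot: deleting nova_policy.json (the hunk above) changes the enforced defaults, not only the file format: the removed file carried explicit rules such as `"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"` and `"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"`, while the replacement nova_policy.yaml below is entirely commented out and its generated defaults differ (`#"os_compute_api:os-availability-zone:list": "@"`, and the scoped `system_admin_api` / `project_member_api` rules in place of `admin_api` / `admin_or_owner`). Confirm that those differences are the intended dashboard behaviour, record them in a release note, and check that nothing else in the tree (tests, settings defaults) still loads `nova_policy.json` by name.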
@@ -0,0 +1,1877 @@ +# Decides what is required for the 'is_admin:True' check to succeed. +#"context_is_admin": "role:admin" + +# DEPRECATED +# "admin_or_owner" has been deprecated since 21.0.0. +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +# Default rule for most non-Admin APIs. +#"admin_or_owner": "is_admin:True or project_id:%(project_id)s" + +# DEPRECATED +# "admin_api" has been deprecated since 21.0.0. +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +# Default rule for most Admin APIs. +#"admin_api": "is_admin:True" + +# Default rule for System Admin APIs. +#"system_admin_api": "role:admin and system_scope:all" + +# DEPRECATED +# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in +# favor of "system_admin_api":"role:admin and system_scope:all". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_api": "rule:system_admin_api" + +# Default rule for System level read only APIs. +#"system_reader_api": "role:reader and system_scope:all" + +# DEPRECATED +# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in +# favor of "system_reader_api":"role:reader and system_scope:all". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_api": "rule:system_reader_api" + +# Default rule for Project level admin APIs. 
+#"project_admin_api": "role:admin and project_id:%(project_id)s" + +# DEPRECATED +# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in +# favor of "project_admin_api":"role:admin and +# project_id:%(project_id)s". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_api": "rule:project_admin_api" + +# Default rule for Project level non admin APIs. +#"project_member_api": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" +# has been deprecated since 21.0.0 in favor of +# "project_member_api":"role:member and project_id:%(project_id)s". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_or_owner": "rule:project_member_api" + +# Default rule for Project level read only APIs. +#"project_reader_api": "role:reader and project_id:%(project_id)s" + +# Default rule for System admin+owner APIs. +#"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api" + +# DEPRECATED +# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" +# has been deprecated since 21.0.0 in favor of +# "system_admin_or_owner":"rule:system_admin_api or +# rule:project_member_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_or_owner": "rule:system_admin_or_owner" + +# Default rule for System+Project read only APIs. 
+#"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api" + +# DEPRECATED +# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" +# has been deprecated since 21.0.0 in favor of +# "system_or_project_reader":"rule:system_reader_api or +# rule:project_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_or_owner": "rule:system_or_project_reader" + +# Reset the state of a given server +# POST /servers/{server_id}/action (os-resetState) +# Intended scope(s): system, project +#"os_compute_api:os-admin-actions:reset_state": "rule:system_admin_api" + +# Inject network information into the server +# POST /servers/{server_id}/action (injectNetworkInfo) +# Intended scope(s): system, project +#"os_compute_api:os-admin-actions:inject_network_info": "rule:system_admin_api" + +# Reset networking on a server +# POST /servers/{server_id}/action (resetNetwork) +# Intended scope(s): system, project +#"os_compute_api:os-admin-actions:reset_network": "rule:system_admin_api" + +# Change the administrative password for a server +# POST /servers/{server_id}/action (changePassword) +# Intended scope(s): system, project +#"os_compute_api:os-admin-password": "rule:system_admin_or_owner" + +# List guest agent builds This is XenAPI driver specific. It is used +# to force the upgrade of the XenAPI guest agent on instance boot. +# GET /os-agents +# Intended scope(s): system +#"os_compute_api:os-agents:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-agents":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# agents:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:list" + +# Create guest agent builds This is XenAPI driver specific. It is used +# to force the upgrade of the XenAPI guest agent on instance boot. +# POST /os-agents +# Intended scope(s): system +#"os_compute_api:os-agents:create": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-agents":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# agents:create":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:create" + +# Update guest agent builds This is XenAPI driver specific. It is used +# to force the upgrade of the XenAPI guest agent on instance boot. +# PUT /os-agents/{agent_build_id} +# Intended scope(s): system +#"os_compute_api:os-agents:update": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-agents":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# agents:update":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:update" + +# Delete guest agent builds This is XenAPI driver specific. It is used +# to force the upgrade of the XenAPI guest agent on instance boot. +# DELETE /os-agents/{agent_build_id} +# Intended scope(s): system +#"os_compute_api:os-agents:delete": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-agents":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# agents:delete":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:delete" + +# Create or replace metadata for an aggregate +# POST /os-aggregates/{aggregate_id}/action (set_metadata) +# Intended scope(s): system +#"os_compute_api:os-aggregates:set_metadata": "rule:system_admin_api" + +# Add a host to an aggregate +# POST /os-aggregates/{aggregate_id}/action (add_host) +# Intended scope(s): system +#"os_compute_api:os-aggregates:add_host": "rule:system_admin_api" + +# Create an aggregate +# POST /os-aggregates +# Intended scope(s): system +#"os_compute_api:os-aggregates:create": "rule:system_admin_api" + +# Remove a host from an aggregate +# POST /os-aggregates/{aggregate_id}/action (remove_host) +# Intended scope(s): system +#"os_compute_api:os-aggregates:remove_host": "rule:system_admin_api" + +# Update name and/or availability zone for an aggregate +# PUT /os-aggregates/{aggregate_id} +# Intended scope(s): system +#"os_compute_api:os-aggregates:update": "rule:system_admin_api" + +# List all aggregates +# GET /os-aggregates +# Intended scope(s): system +#"os_compute_api:os-aggregates:index": "rule:system_reader_api" + +# Delete an aggregate +# DELETE /os-aggregates/{aggregate_id} +# Intended scope(s): system +#"os_compute_api:os-aggregates:delete": "rule:system_admin_api" + +# Show details for an aggregate +# GET /os-aggregates/{aggregate_id} +# Intended scope(s): system +#"os_compute_api:os-aggregates:show": "rule:system_reader_api" + +# Request image caching for an aggregate +# POST /os-aggregates/{aggregate_id}/images +# Intended scope(s): system +#"compute:aggregates:images": "rule:system_admin_api" + +# Create an assisted volume snapshot +# POST /os-assisted-volume-snapshots +# Intended scope(s): system +#"os_compute_api:os-assisted-volume-snapshots:create": "rule:system_admin_api" + +# Delete an assisted volume snapshot +# DELETE /os-assisted-volume-snapshots/{snapshot_id} +# 
Intended scope(s): system +#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:system_admin_api" + +# List port interfaces attached to a server +# GET /servers/{server_id}/os-interface +# Intended scope(s): system, project +#"os_compute_api:os-attach-interfaces:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-attach- +# interfaces:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list" + +# Show details of a port interface attached to a server +# GET /servers/{server_id}/os-interface/{port_id} +# Intended scope(s): system, project +#"os_compute_api:os-attach-interfaces:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-attach- +# interfaces:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show" + +# Attach an interface to a server +# POST /servers/{server_id}/os-interface +# Intended scope(s): system, project +#"os_compute_api:os-attach-interfaces:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-attach- +# interfaces:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create" + +# Detach an interface from a server +# DELETE /servers/{server_id}/os-interface/{port_id} +# Intended scope(s): system, project +#"os_compute_api:os-attach-interfaces:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-attach- +# interfaces:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete" + +# List availability zone information without host information +# GET /os-availability-zone +# Intended scope(s): system, project +#"os_compute_api:os-availability-zone:list": "@" + +# List detailed availability zone information with host information +# GET /os-availability-zone/detail +# Intended scope(s): system +#"os_compute_api:os-availability-zone:detail": "rule:system_reader_api" + +# List and show details of bare metal nodes. +# +# These APIs are proxy calls to the Ironic service and are deprecated. +# GET /os-baremetal-nodes +# Intended scope(s): system +#"os_compute_api:os-baremetal-nodes:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- +# nodes:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:list" + +# Show action details for a server. 
+# GET /os-baremetal-nodes/{node_id} +# Intended scope(s): system +#"os_compute_api:os-baremetal-nodes:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- +# nodes:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:show" + +# Show console connection information for a given console +# authentication token +# GET /os-console-auth-tokens/{console_token} +# Intended scope(s): system +#"os_compute_api:os-console-auth-tokens": "rule:system_reader_api" + +# Show console output for a server +# POST /servers/{server_id}/action (os-getConsoleOutput) +# Intended scope(s): system, project +#"os_compute_api:os-console-output": "rule:system_admin_or_owner" + +# Create a back up of a server +# POST /servers/{server_id}/action (createBackup) +# Intended scope(s): system, project +#"os_compute_api:os-create-backup": "rule:system_admin_or_owner" + +# Restore a soft deleted server +# POST /servers/{server_id}/action (restore) +# Intended scope(s): system, project +#"os_compute_api:os-deferred-delete:restore": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- +# delete:restore":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore" + +# Force delete a server before deferred cleanup +# POST /servers/{server_id}/action (forceDelete) +# Intended scope(s): system, project +#"os_compute_api:os-deferred-delete:force": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- +# delete:force":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force" + +# Evacuate a server from a failed host to a new host +# POST /servers/{server_id}/action (evacuate) +# Intended scope(s): system, project +#"os_compute_api:os-evacuate": "rule:system_admin_api" + +# Return extended attributes for server. +# +# This rule will control the visibility for a set of servers +# attributes: +# +# - ``OS-EXT-SRV-ATTR:host`` - ``OS-EXT-SRV-ATTR:instance_name`` - +# ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) - ``OS- +# EXT-SRV-ATTR:launch_index`` (since microversion 2.3) - ``OS-EXT-SRV- +# ATTR:hostname`` (since microversion 2.3) - ``OS-EXT-SRV- +# ATTR:kernel_id`` (since microversion 2.3) - ``OS-EXT-SRV- +# ATTR:ramdisk_id`` (since microversion 2.3) - ``OS-EXT-SRV- +# ATTR:root_device_name`` (since microversion 2.3) - ``OS-EXT-SRV- +# ATTR:user_data`` (since microversion 2.3) +# +# Microvision 2.75 added the above attributes in the ``PUT +# /servers/{server_id}`` and ``POST /servers/{server_id}/action +# (rebuild)`` API responses which are also controlled by this policy +# rule, like the ``GET /servers*`` APIs. 
+# GET /servers/{id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:os-extended-server-attributes": "rule:system_admin_api" + +# List available extensions and show information for an extension by +# alias +# GET /extensions +# GET /extensions/{alias} +# Intended scope(s): system, project +#"os_compute_api:extensions": "@" + +# Add flavor access to a tenant +# POST /flavors/{flavor_id}/action (addTenantAccess) +# Intended scope(s): system +#"os_compute_api:os-flavor-access:add_tenant_access": "rule:system_admin_api" + +# Remove flavor access from a tenant +# POST /flavors/{flavor_id}/action (removeTenantAccess) +# Intended scope(s): system +#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:system_admin_api" + +# List flavor access information +# +# Allows access to the full list of tenants that have access to a +# flavor via an os-flavor-access API. +# GET /flavors/{flavor_id}/os-flavor-access +# Intended scope(s): system +#"os_compute_api:os-flavor-access": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-flavor-access":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-flavor- +# access":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+ +# Show an extra spec for a flavor +# GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system, project +#"os_compute_api:os-flavor-extra-specs:show": "rule:system_or_project_reader" + +# Create extra specs for a flavor +# POST /flavors/{flavor_id}/os-extra_specs/ +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api" + +# Update an extra spec for a flavor +# PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:update": "rule:system_admin_api" + +# Delete an extra spec for a flavor +# DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:delete": "rule:system_admin_api" + +# List extra specs for a flavor. Starting with microversion 2.47, the +# flavor used for a server is also returned in the response when +# showing server details, updating a server or rebuilding a server. +# Starting with microversion 2.61, extra specs may be returned in +# responses for the flavor resource. +# GET /flavors/{flavor_id}/os-extra_specs/ +# GET /servers/detail +# GET /servers/{server_id} +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# POST /flavors +# GET /flavors/detail +# GET /flavors/{flavor_id} +# PUT /flavors/{flavor_id} +# Intended scope(s): system, project +#"os_compute_api:os-flavor-extra-specs:index": "rule:system_or_project_reader" + +# Create a flavor +# POST /flavors +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:create": "rule:system_admin_api" + +# Update a flavor +# PUT /flavors/{flavor_id} +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:update": "rule:system_admin_api" + +# Delete a flavor +# DELETE /flavors/{flavor_id} +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:delete": "rule:system_admin_api" + +# List floating IP pools. 
This API is deprecated. +# GET /os-floating-ip-pools +# Intended scope(s): system, project +#"os_compute_api:os-floating-ip-pools": "@" + +# Associate floating IPs to server. This API is deprecated. +# POST /servers/{server_id}/action (addFloatingIp) +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:add" + +# Disassociate floating IPs to server. This API is deprecated. +# POST /servers/{server_id}/action (removeFloatingIp) +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:remove":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:remove" + +# List floating IPs. This API is deprecated. +# GET /os-floating-ips +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:list" + +# Create floating IPs. This API is deprecated. +# POST /os-floating-ips +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:create" + +# Show floating IPs. This API is deprecated. +# GET /os-floating-ips/{floating_ip_id} +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:show" + +# Delete floating IPs. This API is deprecated. +# DELETE /os-floating-ips/{floating_ip_id} +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:delete" + +# List physical hosts. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts +# Intended scope(s): system +#"os_compute_api:os-hosts:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:list" + +# Show physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name} +# Intended scope(s): system +#"os_compute_api:os-hosts:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:show" + +# Update physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# PUT /os-hosts/{host_name} +# Intended scope(s): system +#"os_compute_api:os-hosts:update": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:update":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:update" + +# Reboot physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/reboot +# Intended scope(s): system +#"os_compute_api:os-hosts:reboot": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:reboot":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:reboot" + +# Shutdown physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/shutdown +# Intended scope(s): system +#"os_compute_api:os-hosts:shutdown": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:shutdown":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:shutdown" + +# Start physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/startup +# Intended scope(s): system +#"os_compute_api:os-hosts:start": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:start":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:start" + +# List all hypervisors. +# GET /os-hypervisors +# Intended scope(s): system +#"os_compute_api:os-hypervisors:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list" + +# List all hypervisors with details +# GET /os-hypervisors/details +# Intended scope(s): system +#"os_compute_api:os-hypervisors:list-detail": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os-hypervisors:list- +# detail":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail" + +# Show summary statistics for all hypervisors over all compute nodes. +# GET /os-hypervisors/statistics +# Intended scope(s): system +#"os_compute_api:os-hypervisors:statistics": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:statistics":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics" + +# Show details for a hypervisor. 
+# GET /os-hypervisors/{hypervisor_id} +# Intended scope(s): system +#"os_compute_api:os-hypervisors:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show" + +# Show the uptime of a hypervisor. +# GET /os-hypervisors/{hypervisor_id}/uptime +# Intended scope(s): system +#"os_compute_api:os-hypervisors:uptime": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:uptime":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime" + +# Search hypervisor by hypervisor_hostname pattern. +# GET /os-hypervisors/{hypervisor_hostname_pattern}/search +# Intended scope(s): system +#"os_compute_api:os-hypervisors:search": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:search":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search" + +# List all servers on hypervisors that can match the provided +# hypervisor_hostname pattern. 
+# GET /os-hypervisors/{hypervisor_hostname_pattern}/servers +# Intended scope(s): system +#"os_compute_api:os-hypervisors:servers": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:servers":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers" + +# Add "details" key in action events for a server. +# +# This check is performed only after the check os_compute_api:os- +# instance-actions:show passes. Beginning with Microversion 2.84, new +# field 'details' is exposed via API which can have more details about +# event failure. That field is controlled by this policy which is +# system reader by default. Making the 'details' field visible to the +# non-admin user helps to understand the nature of the problem (i.e. +# if the action can be retried), but in the other hand it might leak +# information about the deployment (e.g. the type of the hypervisor). +# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:events:details": "rule:system_reader_api" + +# Add events details in action details for a server. This check is +# performed only after the check os_compute_api:os-instance- +# actions:show passes. Beginning with Microversion 2.51, events +# details are always included; traceback information is provided per +# event if policy enforcement passes. Beginning with Microversion +# 2.62, each event includes a hashed host identifier and, if policy +# enforcement passes, the name of the host. 
+# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:events": "rule:system_reader_api" + +# List actions for a server. +# GET /servers/{server_id}/os-instance-actions +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-instance- +# actions:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list" + +# Show action details for a server. +# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-instance- +# actions:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show" + +# List all usage audits. +# GET /os-instance_usage_audit_log +# Intended scope(s): system +#"os_compute_api:os-instance-usage-audit-log:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has +# been deprecated since 21.0.0 in favor of "os_compute_api:os- +# instance-usage-audit-log:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list" + +# List all usage audits occurred before a specified time for all +# servers on all compute hosts where usage auditing is configured +# GET /os-instance_usage_audit_log/{before_timestamp} +# Intended scope(s): system +#"os_compute_api:os-instance-usage-audit-log:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has +# been deprecated since 21.0.0 in favor of "os_compute_api:os- +# instance-usage-audit-log:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show" + +# Show IP addresses details for a network label of a server +# GET /servers/{server_id}/ips/{network_label} +# Intended scope(s): system, project +#"os_compute_api:ips:show": "rule:system_or_project_reader" + +# List IP addresses that are assigned to a server +# GET /servers/{server_id}/ips +# Intended scope(s): system, project +#"os_compute_api:ips:index": "rule:system_or_project_reader" + +# List all keypairs +# GET /os-keypairs +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:index": "(rule:system_reader_api) or user_id:%(user_id)s" + +# Create a keypair +# POST /os-keypairs +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:create": "(rule:system_admin_api) or user_id:%(user_id)s" + +# Delete a keypair +# DELETE /os-keypairs/{keypair_name} +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:delete": "(rule:system_admin_api) or user_id:%(user_id)s" + +# Show details of a keypair +# GET /os-keypairs/{keypair_name} +# Intended scope(s): system, project 
+#"os_compute_api:os-keypairs:show": "(rule:system_reader_api) or user_id:%(user_id)s" + +# Show rate and absolute limits for the current user project +# GET /limits +# Intended scope(s): system, project +#"os_compute_api:limits": "@" + +# Show rate and absolute limits of other project. +# +# This policy only checks if the user has access to the requested +# project limits. And this check is performed only after the check +# os_compute_api:limits passes +# GET /limits +# Intended scope(s): system +#"os_compute_api:limits:other_project": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-used-limits":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of +# "os_compute_api:limits:other_project":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project" + +# Lock a server +# POST /servers/{server_id}/action (lock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:lock": "rule:system_admin_or_owner" + +# Unlock a server +# POST /servers/{server_id}/action (unlock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:unlock": "rule:system_admin_or_owner" + +# Unlock a server, regardless who locked the server. 
+# +# This check is performed only after the check os_compute_api:os-lock- +# server:unlock passes +# POST /servers/{server_id}/action (unlock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:system_admin_api" + +# Cold migrate a server to a host +# POST /servers/{server_id}/action (migrate) +# Intended scope(s): system, project +#"os_compute_api:os-migrate-server:migrate": "rule:system_admin_api" + +# Live migrate a server to a new host without a reboot +# POST /servers/{server_id}/action (os-migrateLive) +# Intended scope(s): system, project +#"os_compute_api:os-migrate-server:migrate_live": "rule:system_admin_api" + +# List migrations +# GET /os-migrations +# Intended scope(s): system +#"os_compute_api:os-migrations:index": "rule:system_reader_api" + +# Add a fixed IP address to a server. +# +# This API is proxy calls to the Network service. This is deprecated. +# POST /servers/{server_id}/action (addFixedIp) +# Intended scope(s): system, project +#"os_compute_api:os-multinic:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-multinic":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# multinic:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:add" + +# Remove a fixed IP address from a server. +# +# This API is proxy calls to the Network service. This is deprecated. +# POST /servers/{server_id}/action (removeFixedIp) +# Intended scope(s): system, project +#"os_compute_api:os-multinic:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-multinic":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# multinic:remove":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:remove" + +# List networks for the project. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-networks +# Intended scope(s): system, project +#"os_compute_api:os-networks:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# networks:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:list" + +# Show network details. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-networks/{network_id} +# Intended scope(s): system, project +#"os_compute_api:os-networks:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# networks:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:show" + +# Pause a server +# POST /servers/{server_id}/action (pause) +# Intended scope(s): system, project +#"os_compute_api:os-pause-server:pause": "rule:system_admin_or_owner" + +# Unpause a paused server +# POST /servers/{server_id}/action (unpause) +# Intended scope(s): system, project +#"os_compute_api:os-pause-server:unpause": "rule:system_admin_or_owner" + +# List quotas for specific quota classs +# GET /os-quota-class-sets/{quota_class} +# Intended scope(s): system +#"os_compute_api:os-quota-class-sets:show": "rule:system_reader_api" + +# Update quotas for specific quota class +# PUT /os-quota-class-sets/{quota_class} +# Intended scope(s): system +#"os_compute_api:os-quota-class-sets:update": "rule:system_admin_api" + +# Update the quotas +# PUT /os-quota-sets/{tenant_id} +# Intended scope(s): system +#"os_compute_api:os-quota-sets:update": "rule:system_admin_api" + +# List default quotas +# GET /os-quota-sets/{tenant_id}/defaults +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:defaults": "@" + +# Show a quota +# GET /os-quota-sets/{tenant_id} +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:show": "rule:system_or_project_reader" + +# Revert quotas to defaults +# DELETE /os-quota-sets/{tenant_id} +# Intended scope(s): system +#"os_compute_api:os-quota-sets:delete": "rule:system_admin_api" + +# Show the detail of quota +# GET /os-quota-sets/{tenant_id}/detail +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:detail": "rule:system_or_project_reader" + +# Generate a URL to access remove server console. +# +# This policy is for ``POST /remote-consoles`` API and below Server +# actions APIs are deprecated: +# +# - ``os-getRDPConsole`` - ``os-getSerialConsole`` - ``os- +# getSPICEConsole`` - ``os-getVNCConsole``. 
+# POST /servers/{server_id}/action (os-getRDPConsole) +# POST /servers/{server_id}/action (os-getSerialConsole) +# POST /servers/{server_id}/action (os-getSPICEConsole) +# POST /servers/{server_id}/action (os-getVNCConsole) +# POST /servers/{server_id}/remote-consoles +# Intended scope(s): system, project +#"os_compute_api:os-remote-consoles": "rule:system_admin_or_owner" + +# Rescue a server +# POST /servers/{server_id}/action (rescue) +# Intended scope(s): system, project +#"os_compute_api:os-rescue": "rule:system_admin_or_owner" + +# Unrescue a server +# POST /servers/{server_id}/action (unrescue) +# Intended scope(s): system, project +#"os_compute_api:os-unrescue": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-rescue":"rule:admin_or_owner" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# unrescue":"rule:system_admin_or_owner". +# Rescue/Unrescue API policies are made granular with new policy for +# unrescue and keeping old policy for rescue. +#"os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue" + +# List security groups. This API is deprecated. +# GET /os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:get": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:get":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:get" + +# Show security group. This API is deprecated. 
+# GET /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:show" + +# Create security group. This API is deprecated. +# POST /os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:create" + +# Update security group. This API is deprecated. +# PUT /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:update": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:update":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:update" + +# Delete security group. 
This API is deprecated. +# DELETE /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:delete" + +# Create security group Rule. This API is deprecated. +# POST /os-security-group-rules +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:rule:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:rule:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:create" + +# Delete security group Rule. This API is deprecated. +# DELETE /os-security-group-rules/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:rule:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:rule:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:delete" + +# List security groups of server. +# GET /servers/{server_id}/os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list" + +# Add security groups to server. +# POST /servers/{server_id}/action (addSecurityGroup) +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add" + +# Remove security groups from server. +# POST /servers/{server_id}/action (removeSecurityGroup) +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:remove":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove" + +# Show the usage data for a server +# GET /servers/{server_id}/diagnostics +# Intended scope(s): system, project +#"os_compute_api:os-server-diagnostics": "rule:system_admin_api" + +# Create one or more external events +# POST /os-server-external-events +# Intended scope(s): system +#"os_compute_api:os-server-external-events:create": "rule:system_admin_api" + +# Create a new server group +# POST /os-server-groups +# Intended scope(s): project +#"os_compute_api:os-server-groups:create": "rule:project_member_api" + +# Delete a server group +# DELETE /os-server-groups/{server_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:delete": "rule:system_admin_or_owner" + +# List all server groups +# GET /os-server-groups +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:index": "rule:system_or_project_reader" + +# List all server groups for all projects +# GET /os-server-groups +# Intended scope(s): system +#"os_compute_api:os-server-groups:index:all_projects": "rule:system_reader_api" + +# Show details of a server group +# GET /os-server-groups/{server_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:show": "rule:system_or_project_reader" + +# List all metadata of a server +# GET /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:index": "rule:system_or_project_reader" + +# Show metadata for a server +# GET /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:show": "rule:system_or_project_reader" + +# Create metadata for a server +# POST /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:create": "rule:system_admin_or_owner" + +# Replace metadata for a 
server +# PUT /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:update_all": "rule:system_admin_or_owner" + +# Update metadata from a server +# PUT /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:update": "rule:system_admin_or_owner" + +# Delete metadata from a server +# DELETE /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:delete": "rule:system_admin_or_owner" + +# Show the encrypted administrative password of a server +# GET /servers/{server_id}/os-server-password +# Intended scope(s): system, project +#"os_compute_api:os-server-password:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-server-password":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-server- +# password:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show" + +# Clear the encrypted administrative password of a server +# DELETE /servers/{server_id}/os-server-password +# Intended scope(s): system, project +#"os_compute_api:os-server-password:clear": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-server-password":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-server- +# password:clear":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear" + +# Delete all the server tags +# DELETE /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:delete_all": "rule:system_admin_or_owner" + +# List all tags for given server +# GET /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:index": "rule:system_or_project_reader" + +# Replace all tags on specified server with the new set of tags. +# PUT /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:update_all": "rule:system_admin_or_owner" + +# Delete a single tag from the specified server +# DELETE /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:delete": "rule:system_admin_or_owner" + +# Add a single tag to the server if server has no specified tag +# PUT /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:update": "rule:system_admin_or_owner" + +# Check tag existence on the server. 
+# GET /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:show": "rule:system_or_project_reader" + +# Show the NUMA topology data for a server +# GET /servers/{server_id}/topology +# Intended scope(s): system, project +#"compute:server:topology:index": "rule:system_or_project_reader" + +# Show the NUMA topology data for a server with host NUMA ID and CPU +# pinning information +# GET /servers/{server_id}/topology +# Intended scope(s): system +#"compute:server:topology:host:index": "rule:system_reader_api" + +# List all servers +# GET /servers +# Intended scope(s): system, project +#"os_compute_api:servers:index": "rule:system_or_project_reader" + +# List all servers with detailed information +# GET /servers/detail +# Intended scope(s): system, project +#"os_compute_api:servers:detail": "rule:system_or_project_reader" + +# List all servers for all projects +# GET /servers +# Intended scope(s): system +#"os_compute_api:servers:index:get_all_tenants": "rule:system_reader_api" + +# List all servers with detailed information for all projects +# GET /servers/detail +# Intended scope(s): system +#"os_compute_api:servers:detail:get_all_tenants": "rule:system_reader_api" + +# Allow all filters when listing servers +# GET /servers +# GET /servers/detail +# Intended scope(s): system +#"os_compute_api:servers:allow_all_filters": "rule:system_reader_api" + +# Show a server +# GET /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:show": "rule:system_or_project_reader" + +# Show a server with additional host status information. +# +# This means host_status will be shown irrespective of status value. +# If showing only host_status UNKNOWN is desired, use the +# ``os_compute_api:servers:show:host_status:unknown-only`` policy +# rule. 
+# +# Microvision 2.75 added the ``host_status`` attribute in the ``PUT +# /servers/{server_id}`` and ``POST /servers/{server_id}/action +# (rebuild)`` API responses which are also controlled by this policy +# rule, like the ``GET /servers*`` APIs. +# GET /servers/{server_id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:show:host_status": "rule:system_admin_api" + +# Show a server with additional host status information, only if host +# status is UNKNOWN. +# +# This policy rule will only be enforced when the +# ``os_compute_api:servers:show:host_status`` policy rule does not +# pass for the request. An example policy configuration could be where +# the ``os_compute_api:servers:show:host_status`` rule is set to allow +# admin-only and the +# ``os_compute_api:servers:show:host_status:unknown-only`` rule is set +# to allow everyone. +# GET /servers/{server_id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:show:host_status:unknown-only": "rule:system_admin_api" + +# Create a server +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create": "rule:project_member_api" + +# Create a server on the specified host and/or node. +# +# In this case, the server is forced to launch on the specified host +# and/or node by bypassing the scheduler filters unlike the +# ``compute:servers:create:requested_destination`` rule. +# POST /servers +# Intended scope(s): system, project +#"os_compute_api:servers:create:forced_host": "rule:project_admin_api" + +# Create a server on the requested compute service host and/or +# hypervisor_hostname. +# +# In this case, the requested host and/or hypervisor_hostname is +# validated by the scheduler filters unlike the +# ``os_compute_api:servers:create:forced_host`` rule. 
+# POST /servers +# Intended scope(s): system, project +#"compute:servers:create:requested_destination": "rule:project_admin_api" + +# Create a server with the requested volume attached to it +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:attach_volume": "rule:project_member_api" + +# Create a server with the requested network attached to it +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:attach_network": "rule:project_member_api" + +# Create a server with trusted image certificate IDs +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:trusted_certs": "rule:project_member_api" + +# This rule controls the compute API validation behavior of creating a +# server with a flavor that has 0 disk, indicating the server should +# be volume-backed. +# +# For a flavor with disk=0, the root disk will be set to exactly the +# size of the image used to deploy the instance. However, in this case +# the filter_scheduler cannot select the compute host based on the +# virtual image size. Therefore, 0 should only be used for volume +# booted instances or for testing purposes. +# +# WARNING: It is a potential security exposure to enable this policy +# rule if users can upload their own images since repeated attempts to +# create a disk=0 flavor instance with a large image can exhaust the +# local disk of the compute (or shared storage cluster). See bug +# https://bugs.launchpad.net/nova/+bug/1739646 for details. 
+# POST /servers +# Intended scope(s): system, project +#"os_compute_api:servers:create:zero_disk_flavor": "rule:project_admin_api" + +# Attach an unshared external network to a server +# POST /servers +# POST /servers/{server_id}/os-interface +# Intended scope(s): system, project +#"network:attach_external_network": "rule:project_admin_api" + +# Delete a server +# DELETE /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:delete": "rule:system_admin_or_owner" + +# Update a server +# PUT /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:update": "rule:system_admin_or_owner" + +# Confirm a server resize +# POST /servers/{server_id}/action (confirmResize) +# Intended scope(s): system, project +#"os_compute_api:servers:confirm_resize": "rule:system_admin_or_owner" + +# Revert a server resize +# POST /servers/{server_id}/action (revertResize) +# Intended scope(s): system, project +#"os_compute_api:servers:revert_resize": "rule:system_admin_or_owner" + +# Reboot a server +# POST /servers/{server_id}/action (reboot) +# Intended scope(s): system, project +#"os_compute_api:servers:reboot": "rule:system_admin_or_owner" + +# Resize a server +# POST /servers/{server_id}/action (resize) +# Intended scope(s): system, project +#"os_compute_api:servers:resize": "rule:system_admin_or_owner" + +# Resize a server across cells. By default, this is disabled for all +# users and recommended to be tested in a deployment for admin users +# before opening it up to non-admin users. Resizing within a cell is +# the default preferred behavior even if this is enabled. +# POST /servers/{server_id}/action (resize) +# Intended scope(s): system, project +#"compute:servers:resize:cross_cell": "!" 
+ +# Rebuild a server +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:rebuild": "rule:system_admin_or_owner" + +# Rebuild a server with trusted image certificate IDs +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:rebuild:trusted_certs": "rule:system_admin_or_owner" + +# Create an image from a server +# POST /servers/{server_id}/action (createImage) +# Intended scope(s): system, project +#"os_compute_api:servers:create_image": "rule:system_admin_or_owner" + +# Create an image from a volume backed server +# POST /servers/{server_id}/action (createImage) +# Intended scope(s): system, project +#"os_compute_api:servers:create_image:allow_volume_backed": "rule:system_admin_or_owner" + +# Start a server +# POST /servers/{server_id}/action (os-start) +# Intended scope(s): system, project +#"os_compute_api:servers:start": "rule:system_admin_or_owner" + +# Stop a server +# POST /servers/{server_id}/action (os-stop) +# Intended scope(s): system, project +#"os_compute_api:servers:stop": "rule:system_admin_or_owner" + +# Trigger crash dump in a server +# POST /servers/{server_id}/action (trigger_crash_dump) +# Intended scope(s): system, project +#"os_compute_api:servers:trigger_crash_dump": "rule:system_admin_or_owner" + +# Show details for an in-progress live migration for a given server +# GET /servers/{server_id}/migrations/{migration_id} +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:show": "rule:system_reader_api" + +# Force an in-progress live migration for a given server to complete +# POST /servers/{server_id}/migrations/{migration_id}/action (force_complete) +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:force_complete": "rule:system_admin_api" + +# Delete(Abort) an in-progress live migration +# DELETE /servers/{server_id}/migrations/{migration_id} +# Intended scope(s): system, project 
+#"os_compute_api:servers:migrations:delete": "rule:system_admin_api" + +# Lists in-progress live migrations for a given server +# GET /servers/{server_id}/migrations +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:index": "rule:system_reader_api" + +# List all running Compute services in a region. +# GET /os-services +# Intended scope(s): system +#"os_compute_api:os-services:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-services": "rule:os_compute_api:os-services:list" + +# Update a Compute service. +# PUT /os-services/{service_id} +# Intended scope(s): system +#"os_compute_api:os-services:update": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:update":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-services": "rule:os_compute_api:os-services:update" + +# Delete a Compute service. +# DELETE /os-services/{service_id} +# Intended scope(s): system +#"os_compute_api:os-services:delete": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:delete":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-services": "rule:os_compute_api:os-services:delete" + +# Shelve server +# POST /servers/{server_id}/action (shelve) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:shelve": "rule:system_admin_or_owner" + +# Unshelve (restore) shelved server +# POST /servers/{server_id}/action (unshelve) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:unshelve": "rule:system_admin_or_owner" + +# Shelf-offload (remove) server +# POST /servers/{server_id}/action (shelveOffload) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:shelve_offload": "rule:system_admin_api" + +# Show usage statistics for a specific tenant +# GET /os-simple-tenant-usage/{tenant_id} +# Intended scope(s): system, project +#"os_compute_api:os-simple-tenant-usage:show": "rule:system_or_project_reader" + +# List per tenant usage statistics for all tenants +# GET /os-simple-tenant-usage +# Intended scope(s): system +#"os_compute_api:os-simple-tenant-usage:list": "rule:system_reader_api" + +# Resume suspended server +# POST /servers/{server_id}/action (resume) +# Intended scope(s): system, project +#"os_compute_api:os-suspend-server:resume": "rule:system_admin_or_owner" + +# Suspend server +# POST /servers/{server_id}/action (suspend) +# Intended scope(s): system, project +#"os_compute_api:os-suspend-server:suspend": "rule:system_admin_or_owner" + +# List project networks. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-tenant-networks +# Intended scope(s): system, project +#"os_compute_api:os-tenant-networks:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- +# networks:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:list" + +# Show project network details. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-tenant-networks/{network_id} +# Intended scope(s): system, project +#"os_compute_api:os-tenant-networks:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- +# networks:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:show" + +# List volumes. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes +# Intended scope(s): system, project +#"os_compute_api:os-volumes:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:list" + +# Create volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# POST /os-volumes +# Intended scope(s): system, project +#"os_compute_api:os-volumes:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:create":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:create" + +# List volumes detail. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes/detail +# Intended scope(s): system, project +#"os_compute_api:os-volumes:detail": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:detail":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:detail" + +# Show volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:show" + +# Delete volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# DELETE /os-volumes/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:delete":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:delete" + +# List snapshots. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-snapshots +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:list" + +# Create snapshots. +# +# This API is a proxy call to the Volume service. It is deprecated. +# POST /os-snapshots +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:create" + +# List snapshots details. +# +# This API is a proxy call to the Volume service. It is deprecated. 
+# GET /os-snapshots/detail +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:detail": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:detail":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:detail" + +# Show snapshot. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-snapshots/{snapshot_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:show" + +# Delete snapshot. +# +# This API is a proxy call to the Volume service. It is deprecated. +# DELETE /os-snapshots/{snapshot_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:delete" + +# List volume attachments for an instance +# GET /servers/{server_id}/os-volume_attachments +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:index": "rule:system_or_project_reader" + +# Attach a volume to an instance +# POST /servers/{server_id}/os-volume_attachments +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:create": "rule:system_admin_or_owner" + +# Show details of a volume attachment +# GET /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:show": "rule:system_or_project_reader" + +# Update a volume attachment. New 'update' policy about 'swap + +# update' request (which is possible only >2.85) only is +# checked. We expect to be always superset of this +# policy permission. +# PUT /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:update": "rule:system_admin_or_owner" + +# Update a volume attachment with a different volumeId +# PUT /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system +#"os_compute_api:os-volumes-attachments:swap": "rule:system_admin_api" + +# Detach a volume from an instance +# DELETE /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:delete": "rule:system_admin_or_owner" + diff --git a/openstack_dashboard/defaults.py b/openstack_dashboard/defaults.py index 6b151ae719..45ce2d230a 100644 --- a/openstack_dashboard/defaults.py +++ b/openstack_dashboard/defaults.py 
@@ -73,11 +73,11 @@ POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf") # Having matching policy files on the Horizon and Keystone servers is essential # for normal operation. This holds true for all services and their policy files. POLICY_FILES = { - 'identity': 'keystone_policy.json', - 'compute': 'nova_policy.json', - 'volume': 'cinder_policy.json', - 'image': 'glance_policy.json', - 'network': 'neutron_policy.json', + 'identity': 'keystone_policy.yaml', + 'compute': 'nova_policy.yaml', + 'volume': 'cinder_policy.yaml', + 'image': 'glance_policy.yaml', + 'network': 'neutron_policy.yaml', } # Services for which horizon has extra policies are defined # in POLICY_DIRS by default. @@ -85,6 +85,13 @@ POLICY_DIRS = { 'compute': ['nova_policy.d'], 'volume': ['cinder_policy.d'], } +DEFAULT_POLICY_FILES = { + 'identity': 'default_policies/keystone.yaml', + 'compute': 'default_policies/nova.yaml', + 'volume': 'default_policies/cinder.yaml', + 'image': 'default_policies/glance.yaml', + 'network': 'default_policies/neutron.yaml', +} POLICY_CHECK_FUNCTION = 'openstack_auth.policy.check' SITE_BRANDING = 'OpenStack Dashboard' diff --git a/openstack_dashboard/management/commands/dump_default_policies.py b/openstack_dashboard/management/commands/dump_default_policies.py new file mode 100644 index 0000000000..d253536362 --- /dev/null +++ b/openstack_dashboard/management/commands/dump_default_policies.py 
@@ -0,0 +1,82 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import logging +import sys + +from django.core.management.base import BaseCommand +from oslo_policy import generator +import yaml + + +LOG = logging.getLogger(__name__) + + +def _load_default_policies(namespace): + defaults = generator.get_policies_dict([namespace]) + return defaults.get(namespace) + + +def _format_default_policy(default): + data = { + 'name': default.name, + 'check_str': default.check_str, + 'description': default.description, + } + data['operations'] = getattr(default, 'operations', []) + data['scope_types'] = getattr(default, 'scope_types', None) + + if default.deprecated_for_removal: + data['deprecated_for_removal'] = True + data['deprecated_since'] = default.deprecated_since + data['deprecated_reason'] = default.deprecated_reason + + if default.deprecated_rule: + data['deprecated_rule'] = { + 'name': default.deprecated_rule.name, + 'check_str': default.deprecated_rule.check_str, + } + data['deprecated_since'] = default.deprecated_since + data['deprecated_reason'] = default.deprecated_reason + + return data + + +def _write_yaml_file(policies, output_file): + stream = open(output_file, 'w') if output_file else sys.stdout + yaml.dump(policies, stream=stream) + if output_file: + stream.close() + + +class Command(BaseCommand): + help = ("Dump default policies of back-end services defined in codes " + "as YAML file so that horizon can load default policies.") + + def add_arguments(self, 
parser): + parser.add_argument( + '--namespace', + required=True, + help='Namespace under "oslo.policy.policies" to query.') + parser.add_argument( + '--output-file', + help='Path of the file to write to. Defaults to stdout.') + + def handle(self, *args, **options): + namespace = options['namespace'] + defaults = _load_default_policies(namespace) + if defaults is None: + LOG.error('The requested namespace "%s" is not found.', namespace) + sys.exit(1) + + policies = [_format_default_policy(default) for default in defaults] + _write_yaml_file(policies, options['output_file']) diff --git a/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml b/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml new file mode 100644 index 0000000000..d1f06895e2 --- /dev/null +++ b/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml @@ -0,0 +1,22 @@ +--- +features: + - | + Horizon supports the registered default policies and operators now + only need to define policies which they would like to override in policy + files in ``POLICY_FILES`` setting. (Previously the policy files need to + contain all defined policies including default policies.) + The registered default policies are defined in files under + ``DEFAULT_POLICY_FILES`` and they are synced with registered defaults + of back-end services before the horizon release. +issues: + - | + Policies with the system scoped token (``system_scope:all``) are not + supported in horizon yet. The horizon team recognizes it as an important + feature gap and would like to support it in near future. +upgrade: + - | + The format of the policy files under ``POLICY_FILES`` is changed to YAML + and all contents of these files are commented out now. You only need to + define policies which you would like to modify from the default. + You can still use policy files with JSON format. If you continue to use + JSON format, configure ``POLICY_FILES`` setting to point JSON files. 
diff --git a/requirements.txt b/requirements.txt index 02089ef6c1..aaa9ad13a6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,10 +23,10 @@ netaddr>=0.7.18 # BSD oslo.concurrency>=3.26.0 # Apache-2.0 oslo.config>=5.2.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 -oslo.policy>=1.30.0 # Apache-2.0 +oslo.policy>=3.2.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.upgradecheck>=0.1.1 # Apache-2.0 -oslo.utils>=3.33.0 # Apache-2.0 +oslo.utils>=3.40.0 # Apache-2.0 osprofiler>=2.3.0 # Apache-2.0 pymongo!=3.1,>=3.0.2 # Apache-2.0 pyScss>=1.3.7 # MIT License
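Review bot: In the nova default-policy hunk, `os_compute_api:os-volumes-attachments:swap` is emitted with `Intended scope(s): system` and the check `rule:system_admin_api`, while the `issues` release note in this same change says system-scoped tokens (`system_scope:all`) are not supported in horizon yet; taken together, a system-only default can never be satisfied by a horizon policy check, so the swap action will be hidden from every user, including operators who are allowed to perform it against nova directly. Please state this in the `issues` note (defaults whose only intended scope is `system` are effectively disabled in the dashboard until system scope is supported) or document that operators must override such rules in `nova_policy.yaml` to expose them. Note that this fails in the safe direction: horizon's check only decides what the UI shows, and the back-end keeps enforcing its own policy (the comment above `POLICY_FILES` already assumes matching files on the Keystone side), so the mismatch is a usability gap rather than an authorization bypass.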
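Review bot: In the defaults.py hunk that adds `DEFAULT_POLICY_FILES`, the new block has no comment explaining what these files are, and the existing comment above `POLICY_FILES` ("Having matching policy files on the Horizon and Keystone servers is essential for normal operation") now applies to them just as much: a stale `default_policies/nova.yaml` makes horizon show or hide actions that the deployed nova decides differently. Suggest a comment above the dict along the lines of "# Snapshots of back-end in-code defaults, generated with 'manage.py dump_default_policies --namespace <service>'; regenerate when the targeted back-end release changes." Also worth clarifying in the same comment how the relative paths are resolved: if they are resolved against `POLICY_FILES_PATH` the way `POLICY_FILES` entries are, a deployer who points `POLICY_FILES_PATH` at their own directory silently loses the bundled defaults unless they copy `default_policies/` there, and a missing default file should fail loudly rather than leave every rule undefined.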
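Review bot: In `_write_yaml_file` of the new dump_default_policies.py, `stream = open(output_file, 'w')` is paired with a manual `stream.close()` that is skipped whenever `yaml.dump` raises, so a serialization error leaks the handle and can leave a half-written file in `default_policies/`; open the output in a `with` block and only fall back to `sys.stdout` when no `--output-file` is given. In `handle`, prefer `raise CommandError('The requested namespace "%s" is not found.' % namespace)` over `LOG.error(...)` followed by `sys.exit(1)`: `CommandError` is the Django management-command convention and guarantees a non-zero exit with the message on stderr regardless of how logging is configured. Finally, `yaml.dump(policies, stream=stream)` relies on PyYAML's default `sort_keys=True`, which reorders each mapping so `check_str` comes before `name`; passing `sort_keys=False` (and `default_flow_style=False`) keeps the order built in `_format_default_policy` and makes the regenerated files easier to diff between releases, which matters since reviewers will want to see exactly which default check strings changed.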
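Review bot: Wording in the release note hunk: "Previously the policy files need to contain all defined policies" should read "needed to contain"; "in near future" should be "in the near future"; and "configure ``POLICY_FILES`` setting to point JSON files" should be "configure the ``POLICY_FILES`` setting to point to the JSON files". The `upgrade` note should also spell out the consequence of keeping the old JSON files: because they contain every rule, each rule in them overrides the corresponding registered default rather than merging with it, so an operator who carries a full JSON copy forward does not pick up the new defaults (for example the `system_or_project_reader` defaults visible in the nova hunk) and should diff their files against the files under `DEFAULT_POLICY_FILES` before upgrading.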
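Review bot: The requirements.txt hunk raises the floors to `oslo.policy>=3.2.0` and `oslo.utils>=3.40.0`, but nothing in this patch shows `lower-constraints.txt` moving to the same versions, and the new command does `import yaml` directly while the hunk does not add `PyYAML` as a requirement; please confirm both are covered in the same change so the lower-constraints job exercises the `oslo_policy.generator` and deprecation attributes (`deprecated_rule`, `deprecated_since`, `deprecated_reason`) that `_format_default_policy` depends on. A short mention of why these particular floors are needed would also help future bumps.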