Allow Admin to perform all API requests
This propose changes is base on same concerns as this bug in neutron https://bugs.launchpad.net/neutron/+bug/1997089 This propose to keep and make sure ADMIN can perform all API requests. Change-Id: I9a3003963bf13a591cc363fa04ec8e5719ae9114
This commit is contained in:
ricolin
parent
5971243169
commit
74897768e3
|
|
@ -175,7 +175,8 @@ rules = [
|
|||
name='admin_or_project_member_deny_cluster_user',
|
||||
check_str=(
|
||||
f"({RULE_ADMIN_API}) or ({RULE_PROJECT_MEMBER_DENY_CLUSTER_USER})"
|
||||
)
|
||||
),
|
||||
deprecated_rule=DEPRECATED_DENY_CLUSTER_USER
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='project_reader_deny_cluster_user',
|
||||
|
|
@ -188,7 +189,8 @@ rules = [
|
|||
name='admin_or_project_reader_deny_cluster_user',
|
||||
check_str=(
|
||||
f"({RULE_ADMIN_API}) or ({RULE_PROJECT_READER_DENY_CLUSTER_USER})"
|
||||
)
|
||||
),
|
||||
deprecated_rule=DEPRECATED_DENY_CLUSTER_USER
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_or_project_reader_user_or_cluster_user',
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ CLUSTER = 'cluster:%s'
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'create',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Create a new cluster.',
|
||||
operations=[
|
||||
|
|
@ -32,7 +32,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'delete',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Delete a cluster.',
|
||||
operations=[
|
||||
|
|
@ -55,7 +55,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'detail',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of clusters with detail.',
|
||||
operations=[
|
||||
|
|
@ -78,7 +78,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'get',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve information about the given cluster.',
|
||||
operations=[
|
||||
|
|
@ -102,7 +102,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'get_all',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of clusters.',
|
||||
operations=[
|
||||
|
|
@ -125,7 +125,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'update',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Update an existing cluster.',
|
||||
operations=[
|
||||
|
|
@ -160,7 +160,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'resize',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Resize an existing cluster.',
|
||||
operations=[
|
||||
|
|
@ -172,7 +172,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER % 'upgrade',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Upgrade an existing cluster.',
|
||||
operations=[
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ CLUSTER_TEMPLATE = 'clustertemplate:%s'
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'create',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Create a new cluster template.',
|
||||
operations=[
|
||||
|
|
@ -67,7 +67,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'detail',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of cluster templates with detail.',
|
||||
operations=[
|
||||
|
|
@ -79,7 +79,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'get',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve information about the given cluster template.',
|
||||
operations=[
|
||||
|
|
@ -103,7 +103,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLUSTER_TEMPLATE % 'get_all',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of cluster templates.',
|
||||
operations=[
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ FEDERATION = 'federation:%s'
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'create',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Create a new federation.',
|
||||
operations=[
|
||||
|
|
@ -32,7 +32,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'delete',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Delete a federation.',
|
||||
operations=[
|
||||
|
|
@ -44,7 +44,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'detail',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of federations with detail.',
|
||||
operations=[
|
||||
|
|
@ -56,7 +56,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'get',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve information about the given federation.',
|
||||
operations=[
|
||||
|
|
@ -68,7 +68,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'get_all',
|
||||
check_str=base.RULE_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Retrieve a list of federations.',
|
||||
operations=[
|
||||
|
|
@ -80,7 +80,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=FEDERATION % 'update',
|
||||
check_str=base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER,
|
||||
scope_types=["project"],
|
||||
description='Update an existing federation.',
|
||||
operations=[
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
To make sure better have backward compatibility,
|
||||
we set specific rule to allow admin perform all actions.
|
||||
This will apply on part of APIs in
|
||||
* Cluster
|
||||
* Cluster Template
|
||||
* federation
|
||||
Loading…
Reference in New Issue