[Docs] Add policy file description
Closes-Bug: #1463306
Change-Id: Id5444b873f21a873a37db18711889dd08a27a15d
parent ce7295a99d
commit 048b2e75ed
|
@ -12,3 +12,72 @@ Network configuration
|
||||||
|
|
||||||
Policy configuration
|
Policy configuration
|
||||||
~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Like each service in OpenStack, murano has its own role-based access policies
|
||||||
|
that determine who and how can access objects. These policies are defined
|
||||||
|
in the service's :file:`policy.json` file.
|
||||||
|
|
||||||
|
On each API call corresponding policy check is performed.
|
||||||
|
:file:`policy.json` file can be changed whiteout interrupting the API service.
|
||||||
|
|
||||||
|
For detailed information on :file:`policy.json` syntax, please refer to the
|
||||||
|
`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_
|
||||||
|
|
||||||
|
With this file you can set who may upload packages and perform other operations.
|
||||||
|
|
||||||
|
The :file:`policy.json` example is:
|
||||||
|
|
||||||
|
.. code-block:: javascript
|
||||||
|
|
||||||
|
{
|
||||||
|
// Rule declaration
|
||||||
|
"context_is_admin": "role:admin",
|
||||||
|
"admin_api": "is_admin:True",
|
||||||
|
"default": "",
|
||||||
|
|
||||||
|
// Package operations
|
||||||
|
"get_package": "rule:default",
|
||||||
|
"upload_package": "rule:default",
|
||||||
|
"modify_package": "rule:default",
|
||||||
|
"publicize_package": "rule:admin_api",
|
||||||
|
"manage_public_package": "rule:default",
|
||||||
|
"delete_package": "rule:default",
|
||||||
|
"download_package": "rule:default",
|
||||||
|
|
||||||
|
// Category operations
|
||||||
|
"get_category": "rule:default",
|
||||||
|
"delete_category": "rule:admin_api",
|
||||||
|
"add_category": "rule:admin_api",
|
||||||
|
|
||||||
|
// Deployment read operations
|
||||||
|
"list_deployments": "rule:default",
|
||||||
|
"statuses_deployments": "rule:default",
|
||||||
|
|
||||||
|
// Environment operations
|
||||||
|
"list_environments": "rule:default",
|
||||||
|
"list_environments_all_tenants": "rule:admin_api",
|
||||||
|
"show_environment": "rule:default",
|
||||||
|
"update_environment": "rule:default",
|
||||||
|
"create_environment": "rule:default",
|
||||||
|
"delete_environment": "rule:default",
|
||||||
|
|
||||||
|
// Environment template operations
|
||||||
|
"list_env_templates": "rule:default",
|
||||||
|
"create_env_template": "rule:default",
|
||||||
|
"show_env_template": "rule:default",
|
||||||
|
"update_env_template": "rule:default",
|
||||||
|
"delete_env_template": "rule:default",
|
||||||
|
|
||||||
|
// Control on executing actions on deployment environments
|
||||||
|
"execute_action": "rule:default"
|
||||||
|
}
|
||||||
|
|
||||||
|
So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
|
||||||
|
will forbid regular users to upload packages.
|
||||||
|
|
||||||
|
Uploading package wizard in murano dashboard consists of several steps.
|
||||||
|
Upload package API call requested from the first form and modify from
|
||||||
|
the second one. It provides modifying package parameters on time of
|
||||||
|
uploading. So, please modify both configuration together. Otherwise it
|
||||||
|
will not be possible to browse package details on the second step
|
||||||
|
of the wizard.
|
||||||
|
|
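Review bot: The closing paragraph on the upload wizard says to "modify both configuration together" without naming the rules. Spell out that these are ``upload_package`` and ``modify_package``, so an operator who follows the preceding sentence and switches only ``upload_package`` to ``rule:admin_api`` knows to change the second rule as well. In the example, the ``//`` comment lines are not valid JSON, so either drop them or state that they must be removed before the text is used as :file:`policy.json`. It would also help to say that ``"default": ""`` is an empty rule that every caller passes, since nearly every operation in the example points at it. Typo in the second paragraph: "whiteout" should be "without".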