Consistent policies

All of the documentation for these is going into user-facing docs, so
clean them up accordingly.

Change-Id: I5f9c284525bac773a897b7acc3773ac5851b9632
Implements: blueprint policy-docs
Stephen Finucane 2017-07-03 11:25:33 +01:00 committed by Matt Riedemann
parent 56c4d684bf
commit 6f8fe3cb14
36 changed files with 73 additions and 72 deletions


@ -35,7 +35,7 @@ aggregates_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'add_host',
base.RULE_ADMIN_API,
"Add a host to an aggregate.",
"Add a host to an aggregate",
[
{
'path': '/os-aggregates/{aggregate_id}/action (add_host)',
@ -95,7 +95,7 @@ aggregates_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_API,
"Show details for an aggregate.",
"Show details for an aggregate",
[
{
'path': '/os-aggregates/{aggregate_id}',


@ -26,8 +26,8 @@ attach_interfaces_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"List port interfaces or show details of a port \
interface attached to a server",
"List port interfaces or show details of a port interface attached "
"to a server",
[
{
'method': 'GET',
@ -41,7 +41,7 @@ interface attached to a server",
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
'Attach an interface to a server',
"Attach an interface to a server",
[
{
'method': 'POST',
@ -51,7 +51,7 @@ interface attached to a server",
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
'Detach an interface from a server',
"Detach an interface from a server",
[
{
'method': 'DELETE',


@ -25,7 +25,7 @@ availability_zone_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'list',
base.RULE_ADMIN_OR_OWNER,
"Lists availability zone information without host information",
"List availability zone information without host information",
[
{
'method': 'GET',
@ -35,7 +35,7 @@ availability_zone_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'detail',
base.RULE_ADMIN_API,
"Lists detailed availability zone information with host information",
"List detailed availability zone information with host information",
[
{
'method': 'GET',


@ -46,7 +46,7 @@ cells_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
'List and get detailed info of a given cell or all cells',
'List and show detailed info for a given cell or all cells',
[
{
'method': 'GET',


@ -25,7 +25,7 @@ config_drive_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'config_drive' attribute in the server response.""",
"Add 'config_drive' attribute in the server response",
[
{
'method': 'GET',


@ -25,8 +25,8 @@ console_auth_tokens_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
'Show console connection information for a given console \
authentication token',
"Show console connection information for a given console "
"authentication token",
[
{
'method': 'GET',


@ -25,8 +25,8 @@ deferred_delete_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
'Restore a soft deleted server or force delete a server before \
deferred cleanup',
"Restore a soft deleted server or force delete a server before "
"deferred cleanup",
[
{
'method': 'POST',


@ -25,7 +25,7 @@ extended_availability_zone_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Add `OS-EXT-AZ:availability_zone` into the server response.",
"Add `OS-EXT-AZ:availability_zone` into the server response",
[
{
'method': 'GET',


@ -28,15 +28,16 @@ extended_server_attributes_policies = [
"""Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
OS-EXT-SRV-ATTR:host
OS-EXT-SRV-ATTR:instance_name
OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
OS-EXT-SRV-ATTR:user_data (since microversion 2.3)""",
- OS-EXT-SRV-ATTR:host
- OS-EXT-SRV-ATTR:instance_name
- OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
- OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
- OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
- OS-EXT-SRV-ATTR:user_data (since microversion 2.3)""",
[
{
'method': 'GET',
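Review bot: The description for the extended server attributes rule lists `OS-EXT-SRV-ATTR:user_data` and `OS-EXT-SRV-ATTR:host` alongside the other fields without saying that they are more sensitive than the rest. User data often carries provisioning secrets, and the host field names the compute node. Since this text becomes the operator-facing policy reference, I would add a closing sentence to the docstring such as `Relaxing this rule exposes compute host names and instance user data to the callers it admits.` The default check string sits above the hunk, so who can see these fields today is not visible here.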


@ -28,9 +28,10 @@ extended_status_policies = [
"""Return extended status in the response of server.
This policy will control the visibility for a set of attributes:
OS-EXT-STS:task_state
OS-EXT-STS:vm_state
OS-EXT-STS:power_state
- OS-EXT-STS:task_state
- OS-EXT-STS:vm_state
- OS-EXT-STS:power_state
""",
[
{


@ -26,7 +26,7 @@ extended_volumes_policies = [
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Return 'os-extended-volumes:volumes_attached' in the response of "
"server.",
"server",
[
{
'method': 'GET',


@ -25,8 +25,8 @@ extensions_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Lists available extensions and shows information for an extension "
"by alias.",
"List available extensions and show information for an extension "
"by alias",
[
{
'method': 'GET',


@ -25,7 +25,7 @@ fixed_ips_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Shows details for, reserve and unreserve a fixed IP address.
"""Show details for, reserve and unreserve a fixed IP address.
These APIs are only available with nova-network which is deprecated.""",
[


@ -47,7 +47,7 @@ flavor_access_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Allow the listing of flavor access information
"""List flavor access information
Adds the os-flavor-access:is_public key into several flavor APIs.


@ -26,7 +26,7 @@ flavor_rxtx_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Adds the rxtx_factor key into some Flavor APIs",
"Add the rxtx_factor key into some Flavor APIs",
[
{
'method': 'GET',


@ -25,7 +25,7 @@ hosts_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""List, Show and Manage physical hosts.
"""List, show and manage physical hosts.
These APIs are all deprecated in favor of os-hypervisors and os-services.""",
[


@ -29,12 +29,11 @@ hypervisors_policies = [
This rule will be checked for the following APIs:
List all hypervisors, list all hypervisors with details, show
summary statistics for all hypervisors over all compute nodes,
show details for a hypervisor, show the uptime of a hypervisor,
search hypervisor by hypervisor_hostname pattern and list all
servers on hypervisors that can match the provided hypervisor_hostname
pattern.""",
List all hypervisors, list all hypervisors with details, show summary
statistics for all hypervisors over all compute nodes, show details for a
hypervisor, show the uptime of a hypervisor, search hypervisor by
hypervisor_hostname pattern and list all servers on hypervisors that can match
the provided hypervisor_hostname pattern.""",
[
{
'path': '/os-hypervisors',


@ -25,8 +25,9 @@ instance_usage_audit_log_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists all usage audits and that occurred before a specified time
for all servers on all compute hosts where usage auditing is configured.""",
"List all usage audits and that occurred before a specified time "
"for all servers on all compute hosts where usage auditing is "
"configured",
[
{
'method': 'GET',
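Review bot: The rewritten description still contains the stray "and" in "List all usage audits and that occurred before a specified time", so the sentence does not parse in the rendered policy reference. If two operations are meant, `"List all usage audits and those that occurred before a specified time "` reads correctly; if only one is meant, drop the "and". The hunk does not show which is intended, so this should be checked against the API handlers the rule guards. The `DocumentedRuleDefault` call continues past the end of the hunk.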


@ -25,7 +25,7 @@ ips_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"""Shows IP addresses details for a network label of a server.""",
"Show IP addresses details for a network label of a server",
[
{
'method': 'GET',
@ -35,7 +35,7 @@ ips_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"""Lists IP addresses that are assigned to a server.""",
"List IP addresses that are assigned to a server",
[
{
'method': 'GET',


@ -25,7 +25,7 @@ limits_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Shows rate and absolute limits for the project.""",
"Show rate and absolute limits for the project",
[
{
'method': 'GET',


@ -49,8 +49,8 @@ lock_server_policies = [
base.RULE_ADMIN_API,
"""Unlock a server, regardless who locked the server.
This check is performed only after the check
os_compute_api:os-lock-server:unlock passes""",
This check is performed only after the check
os_compute_api:os-lock-server:unlock passes""",
[
{
'path': '/servers/{server_id}/action (unlock)',


@ -25,7 +25,7 @@ multinic_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Adds or Removes a fixed IP address from a server.
"""Add or remove a fixed IP address from a server.
These APIs are proxy calls to the Network service. These are all
deprecated.""",


@ -25,7 +25,7 @@ networks_associate_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Associates and Disassociates a network from a host or project.
"""Associate or disassociate a network from a host or project.
These APIs are only available with nova-network which is deprecated.""",
[


@ -25,7 +25,7 @@ pause_server_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'pause',
base.RULE_ADMIN_OR_OWNER,
"Pause a server.",
"Pause a server",
[
{
'path': '/servers/{server_id}/action (pause)',
@ -36,7 +36,7 @@ pause_server_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unpause',
base.RULE_ADMIN_OR_OWNER,
"Unpause a paused server.",
"Unpause a paused server",
[
{
'path': '/servers/{server_id}/action (unpause)',


@ -25,7 +25,7 @@ remote_consoles_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Generates a URL to access remove server console",
"Generate a URL to access remove server console",
[
{
'method': 'POST',
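Review bot: The description for the remote consoles rule still reads "remove server console" after the rewrite; the list name `remote_consoles_policies` suggests "remote" was meant. This string is rendered into the user-facing policy reference, so an operator deciding whether to override `RULE_ADMIN_OR_OWNER` for console access would read a misleading sentence. Suggested text: `"Generate a URL to access remote server console"`. The `DocumentedRuleDefault` call continues past the end of the hunk.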


@ -25,10 +25,10 @@ security_group_default_rules_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists, shows information for, creates and deletes default security
"""List, show information for, create, or delete default security
group rules.
These API's are only available with nova-network which is now deprecated.""",
These APIs are only available with nova-network which is now deprecated.""",
[
{
'method': 'GET',


@ -25,12 +25,12 @@ security_groups_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""This policy checks permission on security groups related APIs.
"""List, show, add, or remove security groups.
APIs which are directly related to security groups resource are deprecated:
Lists, shows information for, creates, updates and deletes
security groups. Creates and deletes security group rules. All these
API's are deprecated.
APIs are deprecated.
APIs which are related to server resource are not deprecated:
Lists Security Groups for a server. Add Security Group to a server


@ -25,7 +25,7 @@ server_diagnostics_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Shows the usage data for a server",
"Show the usage data for a server",
[
{
'method': 'GET',


@ -25,7 +25,7 @@ server_external_events_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Creates one or more external events",
"Create one or more external events",
[
{
'method': 'POST',


@ -25,10 +25,10 @@ services_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists all running Compute services in a region, enables \
or disables scheduling for a Compute service, logs disabled Compute service \
information, set or unset forced_down flag for the compute service and \
deletes a Compute service.""",
"List all running Compute services in a region, enables or disable "
"scheduling for a Compute service, logs disabled Compute service "
"information, set or unset forced_down flag for the compute service "
"and delete a Compute service",
[
{
'method': 'GET',
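Review bot: The double-quoted replacement description mixes verb forms: it opens with the imperative "List" and ends with "delete", but keeps "enables or disable" and "logs" in between. This single rule covers both read-only listing and state-changing operations (disabling scheduling, forcing down, deleting a service), so the sentence should be unambiguous for operators reading the generated policy docs. I would make the first two fragments `"List all running Compute services in a region, enable or disable "` and `"scheduling for a Compute service, log disabled Compute service "`. The string also alternates between "Compute service" and "compute service", which could be normalised at the same time.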


@ -25,7 +25,7 @@ shelve_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'shelve',
base.RULE_ADMIN_OR_OWNER,
"Shelve Server",
"Shelve server",
[
{
'method': 'POST',
@ -35,7 +35,7 @@ shelve_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unshelve',
base.RULE_ADMIN_OR_OWNER,
"Unshelve (Restore) Shelved Server",
"Unshelve (restore) shelved server",
[
{
'method': 'POST',
@ -45,7 +45,7 @@ shelve_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'shelve_offload',
base.RULE_ADMIN_API,
"Shelf-Offload (Remove) Server",
"Shelf-offload (remove) server",
[
{
'method': 'POST',


@ -25,7 +25,7 @@ simple_tenant_usage_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show usage statistics for a specific tenant.",
"Show usage statistics for a specific tenant",
[
{
'method': 'GET',
@ -35,7 +35,7 @@ simple_tenant_usage_policies = [
policy.DocumentedRuleDefault(
POLICY_ROOT % 'list',
base.RULE_ADMIN_API,
"List per tenant usage statistics for all tenants.",
"List per tenant usage statistics for all tenants",
[
{
'method': 'GET',


@ -25,8 +25,7 @@ tenant_networks_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Creates, lists, shows information for, and deletes
project networks.
"""Create, list, show information for, and delete project networks.
These APIs are proxy calls to the Network service. These are all
deprecated.""",


@ -27,7 +27,7 @@ used_limits_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Shows rate and absolute limits for the project.
"""Show rate and absolute limits for the project.
This policy only checks if the user has access to the requested
project limits. And this check is performed only after the check


@ -25,7 +25,7 @@ virtual_interfaces_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List Virtual Interfaces.
"""List virtual interfaces.
This works only with the nova-network service, which is now deprecated""",
[


@ -25,7 +25,7 @@ volumes_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Manages volumes for use with the Compute API.
"""Manage volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and snapshots. These APIs
are proxy calls to the Volume service. These are all deprecated.