Add new default policy
This patch adds five default policy roles:

* system_admin_api
* system_reader_api
* project_reader_api
* project_member_api
* system_or_project_reader

Reference links:
Specs: https://review.opendev.org/#/c/699099/
Cyborg policy: https://wiki.openstack.org/wiki/Cyborg/Policy

Change-Id: Ic86075a4b5d1c1a3a2cdbcf18585062a09a2cc07
Task: 37815
Story: 2007024
parent
f361adf39f
commit
c4f63f40dc
|
@ -66,6 +66,21 @@ default_policies = [
|
|||
policy.RuleDefault('default',
|
||||
'rule:admin_or_owner',
|
||||
description='Default API access rule'),
|
||||
policy.RuleDefault("system_admin_api",
|
||||
'role:admin and system_scope:all',
|
||||
"Default rule for System Admin APIs."),
|
||||
policy.RuleDefault("system_reader_api",
|
||||
"role:reader and system_scope:all",
|
||||
"Default rule for System level read only APIs."),
|
||||
policy.RuleDefault("project_reader_api",
|
||||
"role:reader and project_id:%(project_id)s",
|
||||
"Default rule for Project level read only APIs."),
|
||||
policy.RuleDefault("system_or_project_reader",
|
||||
"rule:system_reader_api or rule:project_reader_api",
|
||||
"Default rule for System+Project read only APIs."),
|
||||
policy.RuleDefault("project_member_api",
|
||||
"role:member and project_id:%(project_id)s",
|
||||
"Default rule for Project member APIs."),
|
||||
]
|
||||
|
||||
# NOTE: to follow policy-in-code spec, we define defaults for
|
||||
|
|
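Review bot: The two project-scoped rules (`project_reader_api`, `project_member_api`) only isolate tenants if `%(project_id)s` is filled from the resource being accessed; the enforcement call is outside this hunk, and if it passes the requester's own credentials as the target, the `project_id` comparison is always true. I would add a comment above them, `# NOTE: %(project_id)s comes from the enforcement target; pass the resource's owning project, never the caller's credentials.`, and cover it with a test in which a reader from another project is denied. The `role:reader` and `role:member` checks presumably rely on Keystone's implied roles (admin implies member implies reader) for higher-privileged users to pass them, which is worth stating in the same comment. `default_policies` opens before the hunk, so which API policies actually reference these new rules cannot be seen here.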