Add new default policy

This patch adds five default policy roles: *system_admin_api *system_reader_api *project_reader_api *project_member_api *system_or_project_reader Reference link: Specs: https://review.opendev.org/#/c/699099/ Cyborg policy: https://wiki.openstack.org/wiki/Cyborg/Policy Change-Id: Ic86075a4b5d1c1a3a2cdbcf18585062a09a2cc07 Task: 37815 Story: 2007024
2019-12-15 16:55:55 +08:00 · 2019-12-15 16:55:55 +08:00 · c4f63f40dc
parent f361adf39f
commit c4f63f40dc
1 changed files with 15 additions and 0 deletions
--- a/cyborg/common/policy.py
+++ b/cyborg/common/policy.py
@ -66,6 +66,21 @@ default_policies = [
    policy.RuleDefault('default',
                       'rule:admin_or_owner',
                       description='Default API access rule'),
+    policy.RuleDefault("system_admin_api",
+                       'role:admin and system_scope:all',
+                       "Default rule for System Admin APIs."),
+    policy.RuleDefault("system_reader_api",
+                       "role:reader and system_scope:all",
+                       "Default rule for System level read only APIs."),
+    policy.RuleDefault("project_reader_api",
+                       "role:reader and project_id:%(project_id)s",
+                       "Default rule for Project level read only APIs."),
+    policy.RuleDefault("system_or_project_reader",
+                       "rule:system_reader_api or rule:project_reader_api",
+                       "Default rule for System+Project read only APIs."),
+    policy.RuleDefault("project_member_api",
+                       "role:member and project_id:%(project_id)s",
+                       "Default rule for Project member APIs."),
 ]

 # NOTE: to follow policy-in-code spec, we define defaults for