52235d0748
The ceilometer events RBAC is currently hard-coded so that only an admin user can view events. The end user should be able to customize who can view events, rather than having the control hard-coded to admins. This changeset adds two new rules to policy.json so that RBAC for the events index and show methods can be configured using the policy.json file. DocImpact Change-Id: I7bf4d385b9ee8fa8f1097b6400cbbc4135f2a9b6 blueprint: events-rbac
35 lines
1.4 KiB
Plaintext
{
"context_is_admin": "role:admin",
"context_is_project": "project_id:%(target.project_id)s",
"context_is_owner": "user_id:%(target.user_id)s",
"segregation": "rule:context_is_admin",
"service_role": "role:service",
"iaas_role": "role:iaas",
"telemetry:get_samples": "rule:service_role or rule:iaas_role",
"telemetry:get_sample": "rule:context_is_project",
"telemetry:query_sample": "rule:context_is_admin",
"telemetry:create_samples": "rule:context_is_admin",
"telemetry:compute_statistics": "rule:context_is_admin",
"telemetry:get_meters": "rule:context_is_admin",
"telemetry:get_resource": "rule:context_is_admin",
"telemetry:get_resources": "rule:context_is_admin",
"telemetry:get_alarm": "rule:context_is_admin",
"telemetry:query_alarm": "rule:context_is_admin",
"telemetry:get_alarm_state": "rule:context_is_admin",
"telemetry:get_alarms": "rule:context_is_admin",
"telemetry:create_alarm": "rule:context_is_admin",
"telemetry:set_alarm": "rule:context_is_admin",
"telemetry:delete_alarm": "rule:context_is_admin",
"telemetry:alarm_history": "rule:context_is_admin",
"telemetry:change_alarm_state": "rule:context_is_admin",
"telemetry:query_alarm_history": "rule:context_is_admin",
"telemetry:events:index": "rule:context_is_admin",
"telemetry:events:show": "rule:context_is_admin"
}