3af76d3677
Since force delete volume apis are only admin apis, force detach volume api should also be an admin only api. Currently, the force detach api, which uses the default rule in policy.json, can be called by admins and owners. This patch make force detach volume api an admin only api like force delete volume. Closes-Bug: #1303882 Change-Id: I12f927e816a5ba6809da9a27ac4ad150546286a1
61 lines
2.5 KiB
JSON
61 lines
2.5 KiB
JSON
{
|
|
"context_is_admin": [["role:admin"]],
|
|
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
|
|
"default": [["rule:admin_or_owner"]],
|
|
|
|
"admin_api": [["is_admin:True"]],
|
|
|
|
"volume:create": [],
|
|
"volume:get_all": [],
|
|
"volume:get_volume_metadata": [],
|
|
"volume:get_volume_admin_metadata": [["rule:admin_api"]],
|
|
"volume:delete_volume_admin_metadata": [["rule:admin_api"]],
|
|
"volume:update_volume_admin_metadata": [["rule:admin_api"]],
|
|
"volume:get_snapshot": [],
|
|
"volume:get_all_snapshots": [],
|
|
"volume:extend": [],
|
|
"volume:update_readonly_flag": [],
|
|
"volume:retype": [],
|
|
|
|
"volume_extension:types_manage": [["rule:admin_api"]],
|
|
"volume_extension:types_extra_specs": [["rule:admin_api"]],
|
|
"volume_extension:volume_type_encryption": [["rule:admin_api"]],
|
|
"volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
|
|
"volume_extension:extended_snapshot_attributes": [],
|
|
"volume_extension:volume_image_metadata": [],
|
|
|
|
"volume_extension:quotas:show": [],
|
|
"volume_extension:quotas:update": [["rule:admin_api"]],
|
|
"volume_extension:quota_classes": [],
|
|
|
|
"volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
|
|
"volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
|
|
"volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
|
|
"volume_extension:volume_admin_actions:force_detach": [["rule:admin_api"]],
|
|
"volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
|
|
"volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]],
|
|
"volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]],
|
|
|
|
"volume_extension:volume_host_attribute": [["rule:admin_api"]],
|
|
"volume_extension:volume_tenant_attribute": [["rule:admin_or_owner"]],
|
|
"volume_extension:volume_mig_status_attribute": [["rule:admin_api"]],
|
|
"volume_extension:hosts": [["rule:admin_api"]],
|
|
"volume_extension:services": [["rule:admin_api"]],
|
|
"volume:services": [["rule:admin_api"]],
|
|
|
|
"volume:create_transfer": [],
|
|
"volume:accept_transfer": [],
|
|
"volume:delete_transfer": [],
|
|
"volume:get_all_transfers": [],
|
|
|
|
"backup:create" : [],
|
|
"backup:delete": [],
|
|
"backup:get": [],
|
|
"backup:get_all": [],
|
|
"backup:restore": [],
|
|
"backup:backup-import": [["rule:admin_api"]],
|
|
"backup:backup-export": [["rule:admin_api"]],
|
|
|
|
"snapshot_extension:snapshot_actions:update_snapshot_status": []
|
|
}
|