965db538aa
Role-based API access control is already supported; this patch series implements resource access control for Mistral, so that an administrator can define the rules of resource accessibility, e.g. an admin user could get/delete/update the workflows of other tenants according to the policy.

TODO:
- Implement update workflow by admin
- Implement delete workflow by admin
- Implement for other resources (workbook/execution/task/action, etc.)

Partially implements: blueprint mistral-rbac
Change-Id: I8b00e8a260a74457ad037ee7322a7cba9ae34fab
{
"admin_only": "is_admin:True",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"action_executions:delete": "rule:admin_or_owner",
"action_execution:create": "rule:admin_or_owner",
"action_executions:get": "rule:admin_or_owner",
"action_executions:list": "rule:admin_or_owner",
"action_executions:update": "rule:admin_or_owner",
"actions:create": "rule:admin_or_owner",
"actions:delete": "rule:admin_or_owner",
"actions:get": "rule:admin_or_owner",
"actions:list": "rule:admin_or_owner",
"actions:update": "rule:admin_or_owner",
"cron_triggers:create": "rule:admin_or_owner",
"cron_triggers:delete": "rule:admin_or_owner",
"cron_triggers:get": "rule:admin_or_owner",
"cron_triggers:list": "rule:admin_or_owner",
"environments:create": "rule:admin_or_owner",
"environments:delete": "rule:admin_or_owner",
"environments:get": "rule:admin_or_owner",
"environments:list": "rule:admin_or_owner",
"environments:update": "rule:admin_or_owner",
"executions:create": "rule:admin_or_owner",
"executions:delete": "rule:admin_or_owner",
"executions:get": "rule:admin_or_owner",
"executions:list": "rule:admin_or_owner",
"executions:update": "rule:admin_or_owner",
"members:create": "rule:admin_or_owner",
"members:delete": "rule:admin_or_owner",
"members:get": "rule:admin_or_owner",
"members:list": "rule:admin_or_owner",
"members:update": "rule:admin_or_owner",
"services:list": "rule:admin_or_owner",
"tasks:get": "rule:admin_or_owner",
"tasks:list": "rule:admin_or_owner",
"tasks:update": "rule:admin_or_owner",
"workbooks:create": "rule:admin_or_owner",
"workbooks:delete": "rule:admin_or_owner",
"workbooks:get": "rule:admin_or_owner",
"workbooks:list": "rule:admin_or_owner",
"workbooks:update": "rule:admin_or_owner",
"workflows:create": "rule:admin_or_owner",
"workflows:delete": "rule:admin_or_owner",
"workflows:get": "rule:admin_or_owner",
"workflows:list": "rule:admin_or_owner",
"workflows:list:all_projects": "rule:admin_only",
"workflows:update": "rule:admin_or_owner",
"event_triggers:create": "rule:admin_or_owner",
"event_triggers:delete": "rule:admin_or_owner",
"event_triggers:get": "rule:admin_or_owner",
"event_triggers:list": "rule:admin_or_owner",
"event_triggers:update": "rule:admin_or_owner"
}