Merge "Use constants for common rules"
commit
4dec531b0a
@ -57,34 +57,34 @@ PROJECT_READER_OR_PUBLIC_NAMESPACE = (
|
|||||||
# typical in OpenStack services. But following check strings offer formal
|
# typical in OpenStack services. But following check strings offer formal
|
||||||
# support for project membership and a read-only variant consistent with
|
# support for project membership and a read-only variant consistent with
|
||||||
# other OpenStack services.
|
# other OpenStack services.
|
||||||
ADMIN_OR_PROJECT_MEMBER = f'rule:context_is_admin or ({PROJECT_MEMBER})'
|
ADMIN = 'rule:context_is_admin'
|
||||||
ADMIN_OR_PROJECT_READER = f'rule:context_is_admin or ({PROJECT_READER})'
|
DEFAULT = 'rule:default'
|
||||||
|
ADMIN_OR_PROJECT_MEMBER = f'{ADMIN} or ({PROJECT_MEMBER})'
|
||||||
|
ADMIN_OR_PROJECT_READER = f'{ADMIN} or ({PROJECT_READER})'
|
||||||
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
|
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
|
||||||
f'rule:context_is_admin or '
|
f'{ADMIN} or '
|
||||||
f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
|
f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
|
||||||
)
|
)
|
||||||
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
|
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
|
||||||
f'rule:context_is_admin or '
|
f'{ADMIN} or '
|
||||||
f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
|
f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
|
||||||
)
|
)
|
||||||
ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = (
|
ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = (
|
||||||
f'rule:context_is_admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
|
f'{ADMIN} or ({PROJECT_MEMBER} and project_id:%(owner)s)'
|
||||||
)
|
)
|
||||||
ADMIN_OR_PROJECT_READER_GET_NAMESPACE = (
|
ADMIN_OR_PROJECT_READER_GET_NAMESPACE = (
|
||||||
f'rule:context_is_admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
|
f'{ADMIN} or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
ADMIN_OR_SHARED_MEMBER = (
|
ADMIN_OR_SHARED_MEMBER = (
|
||||||
f'rule:context_is_admin or (role:member and {IMAGE_MEMBER_CHECK})'
|
f'{ADMIN} or (role:member and {IMAGE_MEMBER_CHECK})'
|
||||||
)
|
)
|
||||||
ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = (
|
ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = (
|
||||||
f'rule:context_is_admin or '
|
f'{ADMIN} or '
|
||||||
f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})'
|
f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})'
|
||||||
)
|
)
|
||||||
|
|
||||||
ADMIN = 'rule:context_is_admin'
|
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.RuleDefault(name='default', check_str='',
|
policy.RuleDefault(name='default', check_str='',
|
||||||
description='Defines the default rule used for '
|
description='Defines the default rule used for '
|
||||||
@ -92,7 +92,7 @@ rules = [
|
|||||||
'policy in the supplied policy.json file.',
|
'policy in the supplied policy.json file.',
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name='default',
|
name='default',
|
||||||
check_str='rule:context_is_admin',
|
check_str=ADMIN,
|
||||||
deprecated_reason='In order to allow operators to '
|
deprecated_reason='In order to allow operators to '
|
||||||
'accept the default policies from code by not '
|
'accept the default policies from code by not '
|
||||||
'defining them in the policy file, while still '
|
'defining them in the policy file, while still '
|
||||||
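Review bot: The new `DEFAULT = 'rule:default'` constant has no comment saying what that rule evaluates to, and the name alone reads like a restrictive fallback. In the `rules` list in this same file, `default` is registered with `check_str=''` (its deprecated form is `check_str=ADMIN`), and as far as I know oslo.policy treats an empty check string as always allowed. I would add above the constant: `# References the 'default' rule below, registered with check_str='' (matches any caller) unless an operator overrides it.` This matters at every call site that now reads `check_str=base.DEFAULT`, since the literal rule name is no longer visible there; the `rules` list continues outside the hunk.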
|
@ -14,11 +14,13 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from glance.policies import base
|
||||||
|
|
||||||
|
|
||||||
discovery_policies = [
|
discovery_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="stores_info_detail",
|
name="stores_info_detail",
|
||||||
check_str='rule:context_is_admin',
|
check_str=base.ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Expose store specific information',
|
description='Expose store specific information',
|
||||||
operations=[
|
operations=[
|
||||||
|
@ -31,7 +31,7 @@ image_policies = [
|
|||||||
'method': 'POST'}
|
'method': 'POST'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="add_image", check_str="rule:default",
|
name="add_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY)
|
deprecated_since=versionutils.deprecated.WALLABY)
|
||||||
),
|
),
|
||||||
@ -45,7 +45,7 @@ image_policies = [
|
|||||||
'method': 'DELETE'}
|
'method': 'DELETE'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="delete_image", check_str="rule:default",
|
name="delete_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -59,7 +59,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_image", check_str="rule:default",
|
name="get_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -73,7 +73,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_images", check_str="rule:default",
|
name="get_images", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -87,13 +87,13 @@ image_policies = [
|
|||||||
'method': 'PATCH'}
|
'method': 'PATCH'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="modify_image", check_str="rule:default",
|
name="modify_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="publicize_image",
|
name="publicize_image",
|
||||||
check_str='rule:context_is_admin',
|
check_str=base.ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Publicize given image',
|
description='Publicize given image',
|
||||||
operations=[
|
operations=[
|
||||||
@ -111,7 +111,7 @@ image_policies = [
|
|||||||
'method': 'PATCH'}
|
'method': 'PATCH'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="communitize_image", check_str="rule:default",
|
name="communitize_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -126,7 +126,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="download_image", check_str="rule:default",
|
name="download_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -140,14 +140,14 @@ image_policies = [
|
|||||||
'method': 'PUT'}
|
'method': 'PUT'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="upload_image", check_str="rule:default",
|
name="upload_image", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="delete_image_location",
|
name="delete_image_location",
|
||||||
check_str="rule:context_is_admin",
|
check_str=base.ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Deletes the location of given image',
|
description='Deletes the location of given image',
|
||||||
operations=[
|
operations=[
|
||||||
@ -155,7 +155,7 @@ image_policies = [
|
|||||||
'method': 'PATCH'}
|
'method': 'PATCH'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="delete_image_location", check_str="rule:default",
|
name="delete_image_location", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -169,7 +169,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_image_location", check_str="rule:default",
|
name="get_image_location", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -183,7 +183,7 @@ image_policies = [
|
|||||||
'method': 'PATCH'}
|
'method': 'PATCH'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="set_image_location", check_str="rule:default",
|
name="set_image_location", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -198,7 +198,7 @@ image_policies = [
|
|||||||
'method': 'POST'}
|
'method': 'POST'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="add_member", check_str="rule:default",
|
name="add_member", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -212,7 +212,7 @@ image_policies = [
|
|||||||
'method': 'DELETE'}
|
'method': 'DELETE'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="delete_member", check_str="rule:default",
|
name="delete_member", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -226,7 +226,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_member", check_str="rule:default",
|
name="get_member", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -240,7 +240,7 @@ image_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_members", check_str="rule:default",
|
name="get_members", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -254,14 +254,14 @@ image_policies = [
|
|||||||
'method': 'PUT'}
|
'method': 'PUT'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="modify_member", check_str="rule:default",
|
name="modify_member", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name="manage_image_cache",
|
name="manage_image_cache",
|
||||||
check_str='rule:context_is_admin',
|
check_str=base.ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Manage image cache'
|
description='Manage image cache'
|
||||||
),
|
),
|
||||||
@ -276,7 +276,7 @@ image_policies = [
|
|||||||
'method': 'POST'}
|
'method': 'POST'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="deactivate", check_str="rule:default",
|
name="deactivate", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
@ -290,14 +290,14 @@ image_policies = [
|
|||||||
'method': 'POST'}
|
'method': 'POST'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="reactivate", check_str="rule:default",
|
name="reactivate", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.WALLABY),
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
),
|
),
|
||||||
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="copy_image",
|
name="copy_image",
|
||||||
check_str='rule:context_is_admin',
|
check_str=base.ADMIN,
|
||||||
# For now this is restricted to project-admins.
|
# For now this is restricted to project-admins.
|
||||||
# That might change in the future if we decide to push
|
# That might change in the future if we decide to push
|
||||||
# this functionality down to project-members.
|
# this functionality down to project-members.
|
||||||
|
@ -20,11 +20,14 @@ DEPRECATED_REASON = """
|
|||||||
The metadata API now supports project scope and default roles.
|
The metadata API now supports project scope and default roles.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
METADEF_ADMIN = "rule:metadef_admin"
|
||||||
|
METADEF_DEFAULT = "rule:metadef_default"
|
||||||
|
|
||||||
|
|
||||||
metadef_policies = [
|
metadef_policies = [
|
||||||
policy.RuleDefault(name="metadef_default", check_str=""),
|
policy.RuleDefault(name="metadef_default", check_str=""),
|
||||||
policy.RuleDefault(name="metadef_admin",
|
policy.RuleDefault(name="metadef_admin",
|
||||||
check_str="rule:context_is_admin"),
|
check_str=base.ADMIN),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="get_metadef_namespace",
|
name="get_metadef_namespace",
|
||||||
check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE,
|
check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE,
|
||||||
@ -35,7 +38,7 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_namespace", check_str="rule:metadef_default",
|
name="get_metadef_namespace", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
@ -50,14 +53,14 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_namespaces", check_str="rule:metadef_default",
|
name="get_metadef_namespaces", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="modify_metadef_namespace",
|
name="modify_metadef_namespace",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Modify an existing namespace.",
|
description="Modify an existing namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -67,7 +70,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_namespace",
|
name="add_metadef_namespace",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Create a namespace.",
|
description="Create a namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -77,7 +80,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="delete_metadef_namespace",
|
name="delete_metadef_namespace",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete a namespace.",
|
description="Delete a namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -97,7 +100,7 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_object", check_str="rule:metadef_default",
|
name="get_metadef_object", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
@ -112,14 +115,14 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_objects", check_str="rule:metadef_default",
|
name="get_metadef_objects", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="modify_metadef_object",
|
name="modify_metadef_object",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Update an object within a namespace.",
|
description="Update an object within a namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -130,7 +133,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_object",
|
name="add_metadef_object",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Create an object within a namespace.",
|
description="Create an object within a namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -140,7 +143,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="delete_metadef_object",
|
name="delete_metadef_object",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete an object within a namespace.",
|
description="Delete an object within a namespace.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -161,7 +164,7 @@ metadef_policies = [
|
|||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="list_metadef_resource_types",
|
name="list_metadef_resource_types",
|
||||||
check_str="rule:metadef_default",
|
check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
@ -177,14 +180,14 @@ metadef_policies = [
|
|||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_resource_type",
|
name="get_metadef_resource_type",
|
||||||
check_str="rule:metadef_default",
|
check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_resource_type_association",
|
name="add_metadef_resource_type_association",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Create meta definition resource types association.",
|
description="Create meta definition resource types association.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -194,7 +197,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="remove_metadef_resource_type_association",
|
name="remove_metadef_resource_type_association",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete meta definition resource types association.",
|
description="Delete meta definition resource types association.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -216,7 +219,7 @@ metadef_policies = [
|
|||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_property",
|
name="get_metadef_property",
|
||||||
check_str="rule:metadef_default",
|
check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
@ -232,14 +235,14 @@ metadef_policies = [
|
|||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_properties",
|
name="get_metadef_properties",
|
||||||
check_str="rule:metadef_default",
|
check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="modify_metadef_property",
|
name="modify_metadef_property",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Update meta definition property.",
|
description="Update meta definition property.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -250,7 +253,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_property",
|
name="add_metadef_property",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Create meta definition property.",
|
description="Create meta definition property.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -260,7 +263,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="remove_metadef_property",
|
name="remove_metadef_property",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete meta definition property.",
|
description="Delete meta definition property.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -281,7 +284,7 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_tag", check_str="rule:metadef_default",
|
name="get_metadef_tag", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
@ -296,14 +299,14 @@ metadef_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_metadef_tags", check_str="rule:metadef_default",
|
name="get_metadef_tags", check_str=METADEF_DEFAULT,
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA
|
deprecated_since=versionutils.deprecated.XENA
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="modify_metadef_tag",
|
name="modify_metadef_tag",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Update tag definition.",
|
description="Update tag definition.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -314,7 +317,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_tag",
|
name="add_metadef_tag",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Add tag definition.",
|
description="Add tag definition.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -325,7 +328,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_metadef_tags",
|
name="add_metadef_tags",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Create tag definitions.",
|
description="Create tag definitions.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -335,7 +338,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="delete_metadef_tag",
|
name="delete_metadef_tag",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete tag definition.",
|
description="Delete tag definition.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -346,7 +349,7 @@ metadef_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="delete_metadef_tags",
|
name="delete_metadef_tags",
|
||||||
check_str="rule:metadef_admin",
|
check_str=METADEF_ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="Delete tag definitions.",
|
description="Delete tag definitions.",
|
||||||
operations=[
|
operations=[
|
||||||
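Review bot: `METADEF_ADMIN` and `METADEF_DEFAULT` repeat, as separate string literals, the names of the two `policy.RuleDefault` entries registered at the top of `metadef_policies`, and nothing ties the two together. If either rule is renamed, the constant would keep referring to a name that is presumably no longer registered. A short comment above the constants would help, e.g. `# Must match the names of the metadef_default / metadef_admin RuleDefaults registered in metadef_policies.` It is also worth noting there that `metadef_default` is registered with `check_str=""`, which as far as I know oslo.policy evaluates as always allowed, so readers of the deprecated rules know what `METADEF_DEFAULT` stood for. `metadef_policies` continues outside the hunks shown.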
|
@ -13,6 +13,8 @@
|
|||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from glance.policies import base
|
||||||
|
|
||||||
|
|
||||||
TASK_DESCRIPTION = """
|
TASK_DESCRIPTION = """
|
||||||
This granular policy controls access to tasks, both from the tasks API as well
|
This granular policy controls access to tasks, both from the tasks API as well
|
||||||
@ -46,7 +48,7 @@ task_policies = [
|
|||||||
name="get_task",
|
name="get_task",
|
||||||
# All policies except tasks_api_access are internal policies that are
|
# All policies except tasks_api_access are internal policies that are
|
||||||
# only called by glance as a result of some other operation.
|
# only called by glance as a result of some other operation.
|
||||||
check_str='rule:default',
|
check_str=base.DEFAULT,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Get an image task.\n' + TASK_DESCRIPTION,
|
description='Get an image task.\n' + TASK_DESCRIPTION,
|
||||||
operations=[
|
operations=[
|
||||||
@ -54,13 +56,13 @@ task_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_task", check_str="rule:default",
|
name="get_task", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATION_REASON,
|
deprecated_reason=DEPRECATION_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA)
|
deprecated_since=versionutils.deprecated.XENA)
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="get_tasks",
|
name="get_tasks",
|
||||||
check_str='rule:default',
|
check_str=base.DEFAULT,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='List tasks for all images.\n' + TASK_DESCRIPTION,
|
description='List tasks for all images.\n' + TASK_DESCRIPTION,
|
||||||
operations=[
|
operations=[
|
||||||
@ -68,13 +70,13 @@ task_policies = [
|
|||||||
'method': 'GET'}
|
'method': 'GET'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="get_tasks", check_str="rule:default",
|
name="get_tasks", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATION_REASON,
|
deprecated_reason=DEPRECATION_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA)
|
deprecated_since=versionutils.deprecated.XENA)
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="add_task",
|
name="add_task",
|
||||||
check_str='rule:default',
|
check_str=base.DEFAULT,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='List tasks for all images.\n' + TASK_DESCRIPTION,
|
description='List tasks for all images.\n' + TASK_DESCRIPTION,
|
||||||
operations=[
|
operations=[
|
||||||
@ -82,13 +84,13 @@ task_policies = [
|
|||||||
'method': 'POST'}
|
'method': 'POST'}
|
||||||
],
|
],
|
||||||
deprecated_rule=policy.DeprecatedRule(
|
deprecated_rule=policy.DeprecatedRule(
|
||||||
name="add_task", check_str="rule:default",
|
name="add_task", check_str=base.DEFAULT,
|
||||||
deprecated_reason=DEPRECATION_REASON,
|
deprecated_reason=DEPRECATION_REASON,
|
||||||
deprecated_since=versionutils.deprecated.XENA)
|
deprecated_since=versionutils.deprecated.XENA)
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="modify_task",
|
name="modify_task",
|
||||||
check_str='rule:default',
|
check_str=base.DEFAULT,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description="This policy is not used.",
|
description="This policy is not used.",
|
||||||
operations=[
|
operations=[
|
||||||
@ -101,7 +103,7 @@ task_policies = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name="tasks_api_access",
|
name="tasks_api_access",
|
||||||
check_str="rule:context_is_admin",
|
check_str=base.ADMIN,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description=TASK_ACCESS_DESCRIPTION,
|
description=TASK_ACCESS_DESCRIPTION,
|
||||||
operations=[
|
operations=[
|
||||||
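Review bot: `add_task` still carries `description='List tasks for all images.\n' + TASK_DESCRIPTION`, the same text as `get_tasks`, although the operation listed for it in the following hunk is a `POST`. These descriptions are what operators read when deciding whether to override a policy, so a copied description on a write operation can lead to a wrong decision. I would change it to something like `description='Create an image task.\n' + TASK_DESCRIPTION,` (exact wording to be confirmed against the API reference). The line is unchanged context in this commit, but the entry is being edited here anyway; the `operations` list of each rule runs outside the hunk.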
|