# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from glance.policies import base
# Reason attached to every pre-Wallaby ``rule:default`` alias registered
# below.  The leading and trailing newlines are kept on purpose so the
# text is byte-identical to the former triple-quoted literal (it is
# surfaced verbatim in deprecation warnings / generated sample policy).
DEPRECATED_REASON = "\nThe image API now supports roles.\n"
def _wallaby_deprecation(name):
    """Build the legacy ``rule:default`` alias that *name* superseded in Wallaby.

    Every role-aware rule in ``image_policies`` keeps its pre-Wallaby
    ``rule:default`` check string registered as a deprecated alias, all
    sharing ``DEPRECATED_REASON``.  The alias carries the *same* rule name
    as the new rule, so a typo between the two cannot creep in here.

    NOTE(review): oslo.policy is understood to honour the deprecated check
    string alongside the new one during the deprecation window, so the more
    permissive ``rule:default`` stays effective until operators opt into
    the new defaults -- confirm against the oslo.policy version in use.

    :param name: policy rule name, e.g. ``"add_image"``
    :returns: a ``policy.DeprecatedRule``
    """
    return policy.DeprecatedRule(
        name=name,
        check_str="rule:default",
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY,
    )


def _image_rule(name, check_str, description, path, method, *,
                deprecated=True):
    """Build one documented image-API policy rule.

    Every rule produced here is registered for both ``'system'`` and
    ``'project'`` scope, and exposes exactly one HTTP operation
    (``path`` / ``method``) for the policy documentation generator.

    :param name: policy rule name
    :param check_str: oslo.policy check string (a ``base.*`` constant or a
        literal such as ``'role:admin'``)
    :param description: human-readable summary used in generated docs
    :param path: API path of the single documented operation
    :param method: HTTP method of the single documented operation
    :param deprecated: when true (the default) attach the Wallaby
        ``rule:default`` alias from :func:`_wallaby_deprecation`; the
        admin-only rules that never had a ``rule:default`` ancestor pass
        ``False`` and get no ``deprecated_rule`` argument at all
    :returns: a ``policy.DocumentedRuleDefault``
    """
    kwargs = {
        'name': name,
        'check_str': check_str,
        'scope_types': ['system', 'project'],
        'description': description,
        'operations': [{'path': path, 'method': method}],
    }
    if deprecated:
        kwargs['deprecated_rule'] = _wallaby_deprecation(name)
    return policy.DocumentedRuleDefault(**kwargs)


# Policy table for the v2 image API.  Ordering and check strings are the
# contract; keep this list declarative and in sync with the API handlers.
image_policies = [
    # -- image lifecycle -------------------------------------------------
    _image_rule("add_image", base.ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE,
                'Create new image', '/v2/images', 'POST'),
    _image_rule("delete_image", base.ADMIN_OR_PROJECT_MEMBER,
                'Deletes the image', '/v2/images/{image_id}', 'DELETE'),
    _image_rule("get_image", base.ADMIN_OR_PROJECT_READER_GET_IMAGE,
                'Get specified image', '/v2/images/{image_id}', 'GET'),
    _image_rule("get_images", base.ADMIN_OR_PROJECT_READER,
                'Get all available images', '/v2/images', 'GET'),
    _image_rule("modify_image", base.ADMIN_OR_PROJECT_MEMBER,
                'Updates given image', '/v2/images/{image_id}', 'PATCH'),
    # Making an image public is admin-only and has no legacy alias.
    _image_rule("publicize_image", 'role:admin',
                'Publicize given image', '/v2/images/{image_id}', 'PATCH',
                deprecated=False),
    _image_rule("communitize_image", base.ADMIN_OR_PROJECT_MEMBER,
                'Communitize given image', '/v2/images/{image_id}', 'PATCH'),

    # -- image data ------------------------------------------------------
    _image_rule("download_image", base.ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE,
                'Downloads given image', '/v2/images/{image_id}/file', 'GET'),
    _image_rule("upload_image", base.ADMIN_OR_PROJECT_MEMBER,
                'Uploads data to specified image',
                '/v2/images/{image_id}/file', 'PUT'),

    # -- image locations -------------------------------------------------
    # Removing a location is admin-only (but, unlike publicize_image,
    # still carries the rule:default alias).
    _image_rule("delete_image_location", "role:admin",
                'Deletes the location of given image',
                '/v2/images/{image_id}', 'PATCH'),
    _image_rule("get_image_location", base.ADMIN_OR_PROJECT_READER,
                'Reads the location of the image',
                '/v2/images/{image_id}', 'GET'),
    _image_rule("set_image_location", base.ADMIN_OR_PROJECT_MEMBER,
                'Sets location URI to given image',
                '/v2/images/{image_id}', 'PATCH'),

    # -- image members ---------------------------------------------------
    _image_rule("add_member", base.ADMIN_OR_PROJECT_MEMBER,
                'Create image member',
                '/v2/images/{image_id}/members', 'POST'),
    _image_rule("delete_member", base.ADMIN_OR_PROJECT_MEMBER,
                'Delete image member',
                '/v2/images/{image_id}/members/{member_id}', 'DELETE'),
    _image_rule("get_member", base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
                'Show image member details',
                '/v2/images/{image_id}/members/{member_id}', 'GET'),
    _image_rule("get_members", base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
                'List image members',
                '/v2/images/{image_id}/members', 'GET'),
    # Only the shared-with member (or an admin) may change its own
    # membership status, hence the narrower ADMIN_OR_SHARED_MEMBER.
    _image_rule("modify_member", base.ADMIN_OR_SHARED_MEMBER,
                'Update image member',
                '/v2/images/{image_id}/members/{member_id}', 'PUT'),

    # -- cache management ------------------------------------------------
    # Plain RuleDefault: there is no single documented API operation.
    policy.RuleDefault(
        name="manage_image_cache",
        check_str='role:admin',
        # NOTE(lbragstad): Remove 'project' from the list below when glance
        # fully supports system-scope and this policy is updated to reflect
        # that in the check string.
        scope_types=['system', 'project'],
        description='Manage image cache'
    ),

    # -- activation ------------------------------------------------------
    _image_rule("deactivate", base.ADMIN_OR_PROJECT_MEMBER,
                'Deactivate image',
                '/v2/images/{image_id}/actions/deactivate', 'POST'),
    _image_rule("reactivate", base.ADMIN_OR_PROJECT_MEMBER,
                'Reactivate image',
                '/v2/images/{image_id}/actions/reactivate', 'POST'),

    # -- multi-store copy ------------------------------------------------
    # Restricted to admins for now; the check string is not yet
    # scope-aware.  This may be pushed down to project members later,
    # at which point the check string must be revisited.  No legacy alias.
    _image_rule("copy_image", 'role:admin',
                'Copy existing image to other stores',
                '/v2/images/{image_id}/import', 'POST',
                deprecated=False),
]
def list_rules():
    """Return the image-API policy rules defined in this module.

    This is the module's policy entry point; it hands back the
    ``image_policies`` list itself (not a copy), so callers must treat
    the result as read-only.

    :returns: the ``image_policies`` list of oslo.policy rule defaults
    """
    rules = image_policies
    return rules