d2cc0dc566
Several Metadata Definition delete APIs do not have RBAC. This
patchset add policy enforcment to the following APIs:
- `Delete namespace`
- `Delete object`
- `Remove resource type association`
- `Remove property definition`
- `Delete tag definition`
- `Delete all tag definitions`
The following actions are enforce and added to the policy.json:
- `delete_metadef_namespace`
- `delete_metadef_object`
- `remove_metadef_resource_type_association`
- `remove_metadef_property`
- `delete_metadef_tag`
- `delete_metadef_tags`
Most other APIs have policy enforcement, so the ones above should as
well. Without adding policy enforcement for the above APIs, all roles
can peform the delete APIs noted above.
Change-Id: I8cd6eb26b0d3401fa4667384c31e4c56d838d42b
Closes-Bug: #1782840
Co-Authored-By: julian.sy@att.com
62 lines
2.9 KiB
Python
62 lines
2.9 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo_policy import policy
|
|
|
|
|
|
metadef_policies = [
|
|
policy.RuleDefault(name="get_metadef_namespace", check_str="rule:default"),
|
|
policy.RuleDefault(name="get_metadef_namespaces",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="modify_metadef_namespace",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_namespace", check_str="rule:default"),
|
|
policy.RuleDefault(name="delete_metadef_namespace",
|
|
check_str="rule:default"),
|
|
|
|
policy.RuleDefault(name="get_metadef_object", check_str="rule:default"),
|
|
policy.RuleDefault(name="get_metadef_objects", check_str="rule:default"),
|
|
policy.RuleDefault(name="modify_metadef_object", check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_object", check_str="rule:default"),
|
|
policy.RuleDefault(name="delete_metadef_object", check_str="rule:default"),
|
|
|
|
policy.RuleDefault(name="list_metadef_resource_types",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="get_metadef_resource_type",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_resource_type_association",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="remove_metadef_resource_type_association",
|
|
check_str="rule:default"),
|
|
|
|
policy.RuleDefault(name="get_metadef_property", check_str="rule:default"),
|
|
policy.RuleDefault(name="get_metadef_properties",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="modify_metadef_property",
|
|
check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_property", check_str="rule:default"),
|
|
policy.RuleDefault(name="remove_metadef_property",
|
|
check_str="rule:default"),
|
|
|
|
policy.RuleDefault(name="get_metadef_tag", check_str="rule:default"),
|
|
policy.RuleDefault(name="get_metadef_tags", check_str="rule:default"),
|
|
policy.RuleDefault(name="modify_metadef_tag", check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_tag", check_str="rule:default"),
|
|
policy.RuleDefault(name="add_metadef_tags", check_str="rule:default"),
|
|
policy.RuleDefault(name="delete_metadef_tag", check_str="rule:default"),
|
|
policy.RuleDefault(name="delete_metadef_tags", check_str="rule:default"),
|
|
]
|
|
|
|
|
|
def list_rules():
|
|
return metadef_policies
|