openstack/heat-dashboard
Code Issues Proposed changes
458e9b0519
heat-dashboard/heat_dashboard/conf/default_policies/heat.yaml
Takashi Kajinami 8e7914fce2 Support policy-in-code and deprecated policy 
This change adds support for policy-in-code and deprecated policy
following the change in horizon.

Depends-on: https://review.opendev.org/750134
Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
2021-03-18 23:01:14 +09:00

1357 lines
36 KiB
YAML
Raw Blame History

- check_str: (role:admin and is_admin_project:True) OR (role:admin and system_scope:all)
description: Decides what is required for the 'is_admin:True' check to succeed.
name: context_is_admin
operations: []
scope_types: null
- check_str: role:admin
description: Default rule for project admin.
name: project_admin
operations: []
scope_types: null
- check_str: not role:heat_stack_user
description: Default rule for deny stack user.
name: deny_stack_user
operations: []
scope_types: null
- check_str: '!'
description: Default rule for deny everybody.
name: deny_everybody
operations: []
scope_types: null
- check_str: ''
description: Default rule for allow everybody.
name: allow_everybody
operations: []
scope_types: null
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:action
deprecated_since: W
description: Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel
update, or check stack resources). This is the default for all actions but can
be overridden by more specific policies for individual actions.
name: actions:action
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types: null
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:snapshot
deprecated_since: W
description: Create stack snapshot
name: actions:snapshot
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:suspend
deprecated_since: W
description: Suspend a stack.
name: actions:suspend
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:resume
deprecated_since: W
description: Resume a suspended stack.
name: actions:resume
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:check
deprecated_since: W
description: Check stack resources.
name: actions:check
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:cancel_update
deprecated_since: W
description: Cancel stack operation and roll back.
name: actions:cancel_update
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The actions API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: actions:cancel_without_rollback
deprecated_since: W
description: Cancel stack operation without rolling back.
name: actions:cancel_without_rollback
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The build API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: build_info:build_info
deprecated_since: W
description: Show build information.
name: build_info:build_info
operations:
- method: GET
path: /v1/{tenant_id}/build_info
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:ListStacks
deprecated_since: W
description: null
name: cloudformation:ListStacks
operations: []
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:CreateStack
deprecated_since: W
description: null
name: cloudformation:CreateStack
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:DescribeStacks
deprecated_since: W
description: null
name: cloudformation:DescribeStacks
operations: []
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:DeleteStack
deprecated_since: W
description: null
name: cloudformation:DeleteStack
operations: []
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:UpdateStack
deprecated_since: W
description: null
name: cloudformation:UpdateStack
operations: []
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:CancelUpdateStack
deprecated_since: W
description: null
name: cloudformation:CancelUpdateStack
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:DescribeStackEvents
deprecated_since: W
description: null
name: cloudformation:DescribeStackEvents
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:ValidateTemplate
deprecated_since: W
description: null
name: cloudformation:ValidateTemplate
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:GetTemplate
deprecated_since: W
description: null
name: cloudformation:GetTemplate
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:EstimateTemplateCost
deprecated_since: W
description: null
name: cloudformation:EstimateTemplateCost
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
or (role:heat_stack_user and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:allow_everybody
name: cloudformation:DescribeStackResource
deprecated_since: W
description: null
name: cloudformation:DescribeStackResource
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:DescribeStackResources
deprecated_since: W
description: null
name: cloudformation:DescribeStackResources
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The cloud formation API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: cloudformation:ListStackResources
deprecated_since: W
description: null
name: cloudformation:ListStackResources
operations: []
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The events API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: events:index
deprecated_since: W
description: List events.
name: events:index
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The events API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: events:show
deprecated_since: W
description: Show event.
name: events:show
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The resources API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: resource:index
deprecated_since: W
description: List resources.
name: resource:index
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
or (role:heat_stack_user and project_id:%(project_id)s)
deprecated_reason: '
The resources API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:allow_everybody
name: resource:metadata
deprecated_since: W
description: Show resource metadata.
name: resource:metadata
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
or (role:heat_stack_user and project_id:%(project_id)s)
deprecated_reason: '
The resources API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:allow_everybody
name: resource:signal
deprecated_since: W
description: Signal resource.
name: resource:signal
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The resources API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: resource:mark_unhealthy
deprecated_since: W
description: Mark resource as unhealthy.
name: resource:mark_unhealthy
operations:
- method: PATCH
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The resources API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: resource:show
deprecated_since: W
description: Show resource.
name: resource:show
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}
scope_types:
- system
- project
- check_str: rule:project_admin
description: null
name: resource_types:OS::Nova::Flavor
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Cinder::EncryptedVolumeType
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Cinder::VolumeType
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Cinder::Quota
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::Quota
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Nova::Quota
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Octavia::Quota
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Manila::ShareType
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::ProviderNet
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::QoSPolicy
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::QoSBandwidthLimitRule
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::QoSDscpMarkingRule
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::QoSMinimumBandwidthRule
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Neutron::Segment
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Nova::HostAggregate
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Cinder::QoSSpecs
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Cinder::QoSAssociation
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Keystone::*
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Blazar::Host
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Octavia::Flavor
operations: []
scope_types: null
- check_str: rule:project_admin
description: null
name: resource_types:OS::Octavia::FlavorProfile
operations: []
scope_types: null
- check_str: role:reader and system_scope:all
deprecated_reason: '
The service API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:context_is_admin
name: service:index
deprecated_since: W
description: null
name: service:index
operations: []
scope_types: null
- check_str: role:reader and system_scope:all
deprecated_reason: '
The software configuration API now support system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_everybody
name: software_configs:global_index
deprecated_since: W
description: List configs globally.
name: software_configs:global_index
operations:
- method: GET
path: /v1/{tenant_id}/software_configs
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The software configuration API now support system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_configs:index
deprecated_since: W
description: List configs.
name: software_configs:index
operations:
- method: GET
path: /v1/{tenant_id}/software_configs
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The software configuration API now support system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_configs:create
deprecated_since: W
description: Create config.
name: software_configs:create
operations:
- method: POST
path: /v1/{tenant_id}/software_configs
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The software configuration API now support system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_configs:show
deprecated_since: W
description: Show config details.
name: software_configs:show
operations:
- method: GET
path: /v1/{tenant_id}/software_configs/{config_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The software configuration API now support system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_configs:delete
deprecated_since: W
description: Delete config.
name: software_configs:delete
operations:
- method: DELETE
path: /v1/{tenant_id}/software_configs/{config_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The software deployment API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_deployments:index
deprecated_since: W
description: List deployments.
name: software_deployments:index
operations:
- method: GET
path: /v1/{tenant_id}/software_deployments
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The software deployment API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_deployments:create
deprecated_since: W
description: Create deployment.
name: software_deployments:create
operations:
- method: POST
path: /v1/{tenant_id}/software_deployments
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The software deployment API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_deployments:show
deprecated_since: W
description: Show deployment details.
name: software_deployments:show
operations:
- method: GET
path: /v1/{tenant_id}/software_deployments/{deployment_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The software deployment API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_deployments:update
deprecated_since: W
description: Update deployment.
name: software_deployments:update
operations:
- method: PUT
path: /v1/{tenant_id}/software_deployments/{deployment_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The software deployment API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: software_deployments:delete
deprecated_since: W
description: Delete deployment.
name: software_deployments:delete
operations:
- method: DELETE
path: /v1/{tenant_id}/software_deployments/{deployment_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
or (role:heat_stack_user and project_id:%(project_id)s)
description: Show server configuration metadata.
name: software_deployments:metadata
operations:
- method: GET
path: /v1/{tenant_id}/software_deployments/metadata/{server_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:abandon
deprecated_since: W
description: Abandon stack.
name: stacks:abandon
operations:
- method: DELETE
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:create
deprecated_since: W
description: Create stack.
name: stacks:create
operations:
- method: POST
path: /v1/{tenant_id}/stacks
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:delete
deprecated_since: W
description: Delete stack.
name: stacks:delete
operations:
- method: DELETE
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:detail
deprecated_since: W
description: List stacks in detail.
name: stacks:detail
operations:
- method: GET
path: /v1/{tenant_id}/stacks
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:export
deprecated_since: W
description: Export stack.
name: stacks:export
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:generate_template
deprecated_since: W
description: Generate stack template.
name: stacks:generate_template
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
scope_types:
- system
- project
- check_str: role:reader and system_scope:all
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_everybody
name: stacks:global_index
deprecated_since: W
description: List stacks globally.
name: stacks:global_index
operations:
- method: GET
path: /v1/{tenant_id}/stacks
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:index
deprecated_since: W
description: List stacks.
name: stacks:index
operations:
- method: GET
path: /v1/{tenant_id}/stacks
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:list_resource_types
deprecated_since: W
description: List resource types.
name: stacks:list_resource_types
operations:
- method: GET
path: /v1/{tenant_id}/resource_types
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:list_template_versions
deprecated_since: W
description: List template versions.
name: stacks:list_template_versions
operations:
- method: GET
path: /v1/{tenant_id}/template_versions
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:list_template_functions
deprecated_since: W
description: List template functions.
name: stacks:list_template_functions
operations:
- method: GET
path: /v1/{tenant_id}/template_versions/{template_version}/functions
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
or (role:heat_stack_user and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:allow_everybody
name: stacks:lookup
deprecated_since: W
description: Find stack.
name: stacks:lookup
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_identity}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:preview
deprecated_since: W
description: Preview stack.
name: stacks:preview
operations:
- method: POST
path: /v1/{tenant_id}/stacks/preview
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:resource_schema
deprecated_since: W
description: Show resource type schema.
name: stacks:resource_schema
operations:
- method: GET
path: /v1/{tenant_id}/resource_types/{type_name}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:show
deprecated_since: W
description: Show stack.
name: stacks:show
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_identity}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:template
deprecated_since: W
description: Get stack template.
name: stacks:template
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:environment
deprecated_since: W
description: Get stack environment.
name: stacks:environment
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:files
deprecated_since: W
description: Get stack files.
name: stacks:files
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:update
deprecated_since: W
description: Update stack.
name: stacks:update
operations:
- method: PUT
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:update_patch
deprecated_since: W
description: Update stack (PATCH).
name: stacks:update_patch
operations:
- method: PATCH
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:preview_update
deprecated_since: W
description: Preview update stack.
name: stacks:preview_update
operations:
- method: PUT
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:preview_update_patch
deprecated_since: W
description: Preview update stack (PATCH).
name: stacks:preview_update_patch
operations:
- method: PATCH
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:validate_template
deprecated_since: W
description: Validate template.
name: stacks:validate_template
operations:
- method: POST
path: /v1/{tenant_id}/validate
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:snapshot
deprecated_since: W
description: Snapshot Stack.
name: stacks:snapshot
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:show_snapshot
deprecated_since: W
description: Show snapshot.
name: stacks:show_snapshot
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:delete_snapshot
deprecated_since: W
description: Delete snapshot.
name: stacks:delete_snapshot
operations:
- method: DELETE
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:list_snapshots
deprecated_since: W
description: List snapshots.
name: stacks:list_snapshots
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:restore_snapshot
deprecated_since: W
description: Restore snapshot.
name: stacks:restore_snapshot
operations:
- method: POST
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:list_outputs
deprecated_since: W
description: List outputs.
name: stacks:list_outputs
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
deprecated_reason: '
The stack API now supports system scope and default roles.
'
deprecated_rule:
check_str: rule:deny_stack_user
name: stacks:show_output
deprecated_since: W
description: Show outputs.
name: stacks:show_output
operations:
- method: GET
path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}
scope_types:
- system
- project
View Git Blame Copy Permalink