8e7914fce2
This change adds support for policy-in-code and deprecated policy following the change in horizon. Depends-on: https://review.opendev.org/750134 Change-Id: I0e53dfd653213a78ccca8a20f4e909b5ed798641
# Heat policy.yaml (oslo.policy format).
#
# Every rule in this file is commented out, so the file as shipped overrides
# nothing: the service falls back to its in-code defaults (see the commit
# message: "policy-in-code and deprecated policy"). The commented lines
# document those defaults. To override one, uncomment it and edit the check
# string; an uncommented entry replaces the default for that rule name
# outright (presumably no merging with the in-code value -- verify against
# the oslo.policy version deployed).
#
# Reading the check strings:
#   role:X                    -- caller's token carries role X
#   system_scope:all          -- system-scoped token (not bound to a project)
#   project_id:%(project_id)s -- caller's project must equal the target
#                                resource's project; a member of another
#                                project is denied even with the right role
#   rule:NAME                 -- reference to another rule in this file
#   ""                        -- matches everyone; "!" matches nobody
#
# Convention used throughout: read-only operations are granted to
# role:reader (system-scoped, or project-scoped on the owning project);
# mutating operations require system-scoped admin or project-scoped member.
# Exceptions to that convention are called out inline below.

# ---- Base / alias rules ----------------------------------------------------

# Admin context: admin on the designated admin project, or a system-scoped
# admin. (Operator case "OR" vs "or" is mixed here versus the rest of the
# file; harmless if the parser lowercases operators -- verify, or normalise.)
#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"

# NOTE(review): role:admin with no project or scope qualifier, i.e. any token
# carrying the admin role satisfies it. This alias gates the admin-only
# resource types further down.
#"project_admin": "role:admin"

# Legacy helper aliases. None of the rules in this file reference
# deny_stack_user, deny_everybody or allow_everybody any more; they are kept
# for out-of-tree overrides (and presumably the deprecated rules) -- confirm
# before removing.
#"deny_stack_user": "not role:heat_stack_user"

#"deny_everybody": "!"

#"allow_everybody": ""

# ---- Stack actions (POST /v1/{tenant_id}/stacks/{name}/{id}/actions) -------
# All mutating; only "check" is read-level.
#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# ---- Build info ------------------------------------------------------------
#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# ---- CloudFormation-compatible API -----------------------------------------
#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# NOTE(review): reader-level here, whereas the native "stacks:validate_template"
# below requires member. Template validation does not mutate state, so reader
# is the more consistent choice; whichever is intended, align the two.
#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# Additionally admits role:heat_stack_user, still bound to the owning project.
# The heat_stack_user role is the one granted to the per-stack credentials
# that in-instance agents use (presumably -- confirm against the deployment);
# the rules that admit it are exactly: this one, resource:metadata,
# resource:signal, software_deployments:metadata and stacks:lookup.
#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# ---- Events ----------------------------------------------------------------
#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# ---- Resources -------------------------------------------------------------
#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# Admits heat_stack_user (project-bound); see the note on DescribeStackResource.
#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# Admits heat_stack_user (project-bound). Note this is a write path (signals
# drive resource state) granted at reader level plus the stack-user role.
#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# ---- Admin-only resource types ---------------------------------------------
# Templates that use these types are only accepted from a caller satisfying
# rule:project_admin (role:admin, unscoped -- see above). They cover
# cloud-wide objects: flavors, volume/share types, quotas, provider networks,
# QoS, segments, host aggregates and everything under OS::Keystone::*.
#"resource_types:OS::Nova::Flavor": "rule:project_admin"

#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"

#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"

#"resource_types:OS::Cinder::Quota": "rule:project_admin"

#"resource_types:OS::Neutron::Quota": "rule:project_admin"

#"resource_types:OS::Nova::Quota": "rule:project_admin"

#"resource_types:OS::Octavia::Quota": "rule:project_admin"

#"resource_types:OS::Manila::ShareType": "rule:project_admin"

#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"

#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"

#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"

#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"

#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"

#"resource_types:OS::Neutron::Segment": "rule:project_admin"

#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"

#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"

#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"

# Wildcard: every Keystone resource type (users, roles, projects, ...).
#"resource_types:OS::Keystone::*": "rule:project_admin"

#"resource_types:OS::Blazar::Host": "rule:project_admin"

#"resource_types:OS::Octavia::Flavor": "rule:project_admin"

#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"

# ---- Services --------------------------------------------------------------
# System-scoped reader only; not reachable with a project-scoped token.
#"service:index": "role:reader and system_scope:all"

# ---- Software configs ------------------------------------------------------
# Cross-project listing: system-scoped reader only.
#"software_configs:global_index": "role:reader and system_scope:all"

#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# NOTE(review): "create" is a mutating operation but is granted at role:reader,
# unlike software_configs:delete and software_deployments:create, which require
# member/admin. As shipped, a project reader can create software configs. If
# reader is meant to be read-only in this deployment, override this rule
# with the member/admin form used by software_configs:delete.
#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# ---- Software deployments --------------------------------------------------
#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# Admits heat_stack_user (project-bound); see the note on DescribeStackResource.
#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# ---- Stacks ----------------------------------------------------------------
#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# export/generate_template return the stack's full definition (including
# whatever the template and environment carry); gated at member, not reader.
#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# Cross-project listing: system-scoped reader only.
#"stacks:global_index": "role:reader and system_scope:all"

#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# Admits heat_stack_user (project-bound); see the note on DescribeStackResource.
#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# template/environment/files expose the stack's inputs to readers; if
# environments in this deployment carry secrets, consider tightening these.
#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# NOTE(review): member-level, whereas cloudformation:ValidateTemplate above
# is reader-level for the same operation; align the two (see note there).
#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"