diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml
index 9e03ed5c0e..c3fcd62d47 100644
--- a/openstack_dashboard/conf/default_policies/glance.yaml
+++ b/openstack_dashboard/conf/default_policies/glance.yaml
@@ -1,7 +1,7 @@ - check_str: '' deprecated_reason: null deprecated_rule: - check_str: role:admin + check_str: rule:context_is_admin name: default deprecated_since: null description: Defines the default rule used for policies that historically had an
@@ -14,7 +14,8 @@ name: context_is_admin operations: [] scope_types: null -- check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s and + project_id:%(owner)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -27,7 +28,7 @@ path: /v2/images scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -40,8 +41,9 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s - or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s + or 'shared':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -54,7 +56,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:reader and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -67,7 +69,7 @@ path: /v2/images scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -80,7 +82,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin description: Publicize given image name: publicize_image operations:
@@ -88,7 +90,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -101,8 +103,9 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s - or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) +- check_str: rule:context_is_admin or (role:member and (project_id:%(project_id)s + or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s + or 'shared':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -115,7 +118,7 @@ path: /v2/images/{image_id}/file scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -128,7 +131,7 @@ path: /v2/images/{image_id}/file scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -141,7 +144,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:reader and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -154,7 +157,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -167,7 +170,7 @@ path: /v2/images/{image_id} scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -180,7 +183,7 @@ path: /v2/images/{image_id}/members scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -193,7 +196,8 @@ path: /v2/images/{image_id}/members/{member_id} scope_types: - project -- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) +- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or + project_id:%(member_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -206,7 +210,8 @@ path: /v2/images/{image_id}/members/{member_id} scope_types: - project -- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) +- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or + project_id:%(member_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -219,7 +224,7 @@ path: /v2/images/{image_id}/members scope_types: - project -- check_str: role:admin or (role:member and project_id:%(member_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(member_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -232,13 +237,13 @@ path: /v2/images/{image_id}/members/{member_id} scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin description: Manage image cache name: manage_image_cache operations: [] scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -251,7 +256,7 @@ path: /v2/images/{image_id}/actions/deactivate scope_types: - project -- check_str: role:admin or (role:member and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:default
@@ -264,7 +269,7 @@ path: /v2/images/{image_id}/actions/reactivate scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin description: Copy existing image to other stores name: copy_image operations:
@@ -373,7 +378,7 @@ path: /v2/tasks/{task_id} scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin description: ' This is a generic blanket policy for protecting all task APIs. It is not
@@ -400,12 +405,13 @@ name: metadef_default operations: [] scope_types: null -- check_str: role:admin +- check_str: rule:context_is_admin description: null name: metadef_admin operations: [] scope_types: null -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -418,7 +424,7 @@ path: /v2/metadefs/namespaces/{namespace_name} scope_types: - project -- check_str: role:admin or (role:reader and project_id:%(project_id)s) +- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -455,7 +461,8 @@ path: /v2/metadefs/namespaces/{namespace_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -468,7 +475,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -505,7 +513,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -518,7 +527,8 @@ path: /v2/metadefs/resource_types scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -547,7 +557,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -560,7 +571,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -597,7 +609,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -610,7 +623,8 @@ path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} scope_types: - project -- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) +- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s + or 'public':%(visibility)s)) deprecated_reason: null deprecated_rule: check_str: rule:metadef_default
@@ -663,7 +677,7 @@ path: /v2/metadefs/namespaces/{namespace_name}/tags scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache
@@ -676,7 +690,7 @@ path: /v2/cache/{image_id} scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache
@@ -689,7 +703,7 @@ path: /v2/cache scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache
@@ -704,7 +718,7 @@ path: /v2/cache/{image_id} scope_types: - project -- check_str: role:admin +- check_str: rule:context_is_admin description: Expose store specific information name: stores_info_detail operations:
diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml
index ca2d544b42..a3124db87c 100644
--- a/openstack_dashboard/conf/default_policies/neutron.yaml
+++ b/openstack_dashboard/conf/default_policies/neutron.yaml
@@ -344,7 +344,7 @@ path: /auto-allocated-topology/{project_id} scope_types: - project -- check_str: rule:admin_only +- check_str: role:reader deprecated_reason: null deprecated_rule: check_str: rule:regular_user
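Review bot: The last hunk on this line (`@@ -344,7 +344,7 @@` in neutron.yaml) widens a policy from `rule:admin_only` to `role:reader`, and the entry's `name:` key lies outside the hunk, so the diff does not show which read operation is being opened to every project reader; from the surrounding context (`/auto-allocated-topology/{project_id}` before it, `/availability_zones` at the start of the next hunk) it is presumably the availability-zone read policy. The same `rule:admin_only` to `role:reader` widening appears at `@@ -1798,7 +1893,7 @@` further down, again with the name outside the hunk. Since the dashboard evaluates these defaults to decide which actions and panels to expose, it is worth stating in the commit message which neutron release the regenerated files were produced from, so each widening can be traced to an upstream default rather than a local edit.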
@@ -357,6 +357,47 @@ path: /availability_zones scope_types: - project +- check_str: rule:admin_only + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: create_default_security_group_rule + deprecated_since: null + description: Create a templated of the security group rule + name: create_default_security_group_rule + operations: + - method: POST + path: /default-security-group-rules + scope_types: + - project +- check_str: role:reader + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: get_default_security_group_rule + deprecated_since: null + description: Get a templated of the security group rule + name: get_default_security_group_rule + operations: + - method: GET + path: /default-security-group-rules + - method: GET + path: /default-security-group-rules/{id} + scope_types: + - project +- check_str: rule:admin_only + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: delete_default_security_group_rule + deprecated_since: null + description: Delete a templated of the security group rule + name: delete_default_security_group_rule + operations: + - method: DELETE + path: /default-security-group-rules/{id} + scope_types: + - project - check_str: rule:admin_only deprecated_reason: null deprecated_rule:
@@ -584,7 +625,7 @@ path: /floatingip_pools scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner
@@ -597,7 +638,7 @@ path: /floatingips/{floatingip_id}/port_forwardings scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner
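Review bot: In the added `create_default_security_group_rule` and `delete_default_security_group_rule` entries of `@@ -357,6 +357,47 @@`, `deprecated_rule.check_str` is the same `rule:admin_only` as the new `check_str` and `deprecated_since` is `null`, so the deprecation branch can never change the effective rule; it reads like a copy of the sibling `get_default_security_group_rule` entry (whose predecessor `rule:regular_user` does differ) rather than a real predecessor rule. The three descriptions also look like typos: `description: Create a templated of the security group rule` presumably means `description: Create a template for a security group rule`, and likewise for the GET and DELETE entries. As these files mirror neutron's generated policy output, both points are best corrected upstream and picked up on the next sync rather than hand-edited here.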
@@ -612,7 +653,7 @@ path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner
@@ -625,7 +666,7 @@ path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner +- check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner
@@ -1339,6 +1380,38 @@ path: /network_segment_ranges/{id} scope_types: - project +- check_str: rule:admin_only + description: Get port binding information + name: get_port_binding + operations: + - method: GET + path: /ports/{port_id}/bindings/ + scope_types: + - project +- check_str: rule:admin_only + description: Create port binding on the host + name: create_port_binding + operations: + - method: POST + path: /ports/{port_id}/bindings/ + scope_types: + - project +- check_str: rule:admin_only + description: Delete port binding on the host + name: delete_port_binding + operations: + - method: DELETE + path: /ports/{port_id}/bindings/ + scope_types: + - project +- check_str: rule:admin_only + description: Activate port binding on the host + name: activate + operations: + - method: PUT + path: /ports/{port_id}/bindings/{host} + scope_types: + - project - check_str: 'field:port:device_owner=~^network:' description: Definition of port with network device_owner name: network_device
@@ -1362,8 +1435,8 @@ path: /ports scope_types: - project -- check_str: not rule:network_device or rule:admin_only or rule:context_is_advsvc - or rule:network_owner +- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only) + or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1374,7 +1447,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1385,7 +1458,8 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1396,7 +1470,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1407,7 +1481,8 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1418,7 +1493,7 @@ operations: *id004 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1462,7 +1537,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1473,7 +1548,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1485,7 +1560,7 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1497,7 +1572,14 @@ operations: *id004 scope_types: - project -- check_str: rule:admin_only or rule:context_is_advsvc or role:reader and project_id:%(project_id)s +- check_str: rule:admin_only + description: Specify ``hints`` attribute when creating a port + name: create_port:hints + operations: *id004 + scope_types: + - project +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) + or role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
@@ -1567,6 +1649,12 @@ operations: *id005 scope_types: - project +- check_str: rule:admin_only + description: Get ``hints`` attribute of a port + name: get_port:hints + operations: *id005 + scope_types: + - project - check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc deprecated_reason: null deprecated_rule:
@@ -1580,8 +1668,8 @@ path: /ports/{id} scope_types: - project -- check_str: not rule:network_device or rule:context_is_advsvc or rule:network_owner - or rule:admin_only +- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only) + or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1603,7 +1691,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1614,7 +1702,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1625,7 +1713,8 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1636,7 +1725,7 @@ operations: *id006 scope_types: - project -- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only +- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1680,7 +1769,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1691,7 +1780,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1703,7 +1792,7 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -1725,8 +1814,14 @@ operations: *id006 scope_types: - project -- check_str: rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s - or rule:network_owner +- check_str: rule:admin_only + description: Update ``hints`` attribute of a port + name: update_port:hints + operations: *id006 + scope_types: + - project +- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s or + (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
@@ -1798,7 +1893,7 @@ path: /qos/policies/{id} scope_types: - project -- check_str: rule:admin_only +- check_str: role:reader deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -1813,7 +1908,7 @@ path: /qos/rule-types/{rule_type} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -1867,7 +1962,7 @@ path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) description: Get a QoS packet rate limit rule name: get_policy_packet_rate_limit_rule operations:
@@ -1901,7 +1996,7 @@ path: /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -1955,7 +2050,7 @@ path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -2009,7 +2104,7 @@ path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) description: Get a QoS minimum packet rate rule name: get_policy_minimum_packet_rate_rule operations:
@@ -2043,7 +2138,7 @@ path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -2082,7 +2177,7 @@ path: /qos/alias_bandwidth_limit_rules/{rule_id}/ scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -2121,7 +2216,7 @@ path: /qos/alias_dscp_marking_rules/{rule_id}/ scope_types: - project -- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) +- check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) deprecated_reason: null deprecated_rule: check_str: rule:regular_user
@@ -2393,6 +2488,18 @@ operations: *id007 scope_types: - project +- check_str: rule:admin_only + description: Specify ``enable_default_route_bfd`` attribute when creating a router + name: create_router:enable_default_route_bfd + operations: *id007 + scope_types: + - project +- check_str: rule:admin_only + description: Specify ``enable_default_route_ecmp`` attribute when creating a router + name: create_router:enable_default_route_ecmp + operations: *id007 + scope_types: + - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) deprecated_reason: null deprecated_rule:
@@ -2512,6 +2619,18 @@ operations: *id009 scope_types: - project +- check_str: rule:admin_only + description: Specify ``enable_default_route_bfd`` attribute when updating a router + name: update_router:enable_default_route_bfd + operations: *id007 + scope_types: + - project +- check_str: rule:admin_only + description: Specify ``enable_default_route_ecmp`` attribute when updating a router + name: update_router:enable_default_route_ecmp + operations: *id007 + scope_types: + - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) deprecated_reason: null deprecated_rule:
@@ -2754,7 +2873,7 @@ path: /service-providers scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -2815,7 +2934,7 @@ operations: *id011 scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
@@ -2850,7 +2969,7 @@ operations: *id012 scope_types: - project -- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner +- check_str: (rule:admin_only) or (role:member and rule:network_owner) deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner
diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml
index 5b0f4b21ca..05019f863f 100644
--- a/openstack_dashboard/conf/default_policies/nova.yaml
+++ b/openstack_dashboard/conf/default_policies/nova.yaml
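Review bot: The two added `update_router:enable_default_route_bfd` and `update_router:enable_default_route_ecmp` entries in `@@ -2512,6 +2619,18 @@` carry `operations: *id007`, the same alias the `create_router:` entries added in `@@ -2393,6 +2488,18 @@` use, while the entry immediately above them in this hunk's context uses `operations: *id009`. If `*id009` is the `PUT /routers/{id}` operations list shared by the other `update_router:` entries, these two are documented as `POST /routers`, which mis-describes the API call they guard; the `check_str` is unaffected, since as far as I can tell `operations` is informational metadata rather than part of enforcement. If the alias is reproduced faithfully from the upstream generator, the fix belongs in neutron's policy definition, after which regeneration should yield `operations: *id009` here.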
@@ -1004,13 +1004,21 @@ scope_types: - project - check_str: rule:context_is_admin - description: Cold migrate a server to a host + description: Cold migrate a server without specifying a host name: os_compute_api:os-migrate-server:migrate operations: - method: POST path: /servers/{server_id}/action (migrate) scope_types: - project +- check_str: rule:context_is_admin + description: Cold migrate a server to a specified host + name: os_compute_api:os-migrate-server:migrate:host + operations: + - method: POST + path: /servers/{server_id}/action (migrate) + scope_types: + - project - check_str: rule:context_is_admin description: Live migrate a server to a new host without a reboot name: os_compute_api:os-migrate-server:migrate_live
diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml
index 0e889b9a41..4f9ed992bc 100644
--- a/openstack_dashboard/conf/glance_policy.yaml
+++ b/openstack_dashboard/conf/glance_policy.yaml
@@ -3,8 +3,8 @@ #"default": "" # DEPRECATED -# "default":"role:admin" has been deprecated since Ussuri in favor of -# "default":"". +# "default":"rule:context_is_admin" has been deprecated since Ussuri +# in favor of "default":"". # In order to allow operators to accept the default policies from code # by not defining them in the policy file, while still working with # old policy files that rely on the ``default`` rule for policies that
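Review bot: The new `os_compute_api:os-migrate-server:migrate:host` target in the nova.yaml hunk splits host-specified cold migration out of `os_compute_api:os-migrate-server:migrate`, whose description now reads `Cold migrate a server without specifying a host`. Any dashboard action that submits a cold migration with a target host should list the new `:host` target in its policy rules as well, otherwise its visibility would presumably be decided by the weaker `migrate` rule alone; whether such an action exists cannot be seen from this diff, so the callers of the `migrate` rule are worth checking before this lands.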
@@ -18,33 +18,33 @@ # Create new image # POST /v2/images # Intended scope(s): project -#"add_image": "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)" +#"add_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)" # DEPRECATED # "add_image":"rule:default" has been deprecated since W in favor of -# "add_image":"role:admin or (role:member and +# "add_image":"rule:context_is_admin or (role:member and # project_id:%(project_id)s and project_id:%(owner)s)". # The image API now supports roles. # Deletes the image # DELETE /v2/images/{image_id} # Intended scope(s): project -#"delete_image": "role:admin or (role:member and project_id:%(project_id)s)" +#"delete_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_image":"rule:default" has been deprecated since W in favor -# of "delete_image":"role:admin or (role:member and +# of "delete_image":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Get specified image # GET /v2/images/{image_id} # Intended scope(s): project -#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" +#"get_image": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" # DEPRECATED # "get_image":"rule:default" has been deprecated since W in favor of -# "get_image":"role:admin or (role:reader and +# "get_image":"rule:context_is_admin or (role:reader and # (project_id:%(project_id)s or project_id:%(member_id)s or # 'community':%(visibility)s or 'public':%(visibility)s or # 'shared':%(visibility)s))".
@@ -53,49 +53,49 @@ # Get all available images # GET /v2/images # Intended scope(s): project -#"get_images": "role:admin or (role:reader and project_id:%(project_id)s)" +#"get_images": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_images":"rule:default" has been deprecated since W in favor of -# "get_images":"role:admin or (role:reader and +# "get_images":"rule:context_is_admin or (role:reader and # project_id:%(project_id)s)". # The image API now supports roles. # Updates given image # PATCH /v2/images/{image_id} # Intended scope(s): project -#"modify_image": "role:admin or (role:member and project_id:%(project_id)s)" +#"modify_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "modify_image":"rule:default" has been deprecated since W in favor -# of "modify_image":"role:admin or (role:member and +# of "modify_image":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Publicize given image # PATCH /v2/images/{image_id} # Intended scope(s): project -#"publicize_image": "role:admin" +#"publicize_image": "rule:context_is_admin" # Communitize given image # PATCH /v2/images/{image_id} # Intended scope(s): project -#"communitize_image": "role:admin or (role:member and project_id:%(project_id)s)" +#"communitize_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "communitize_image":"rule:default" has been deprecated since W in -# favor of "communitize_image":"role:admin or (role:member and -# project_id:%(project_id)s)". +# favor of "communitize_image":"rule:context_is_admin or (role:member +# and project_id:%(project_id)s)". # The image API now supports roles. 
# Downloads given image # GET /v2/images/{image_id}/file # Intended scope(s): project -#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" +#"download_image": "rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" # DEPRECATED # "download_image":"rule:default" has been deprecated since W in favor -# of "download_image":"role:admin or (role:member and +# of "download_image":"rule:context_is_admin or (role:member and # (project_id:%(project_id)s or project_id:%(member_id)s or # 'community':%(visibility)s or 'public':%(visibility)s or # 'shared':%(visibility)s))". 
@@ -104,131 +104,131 @@ # Uploads data to specified image # PUT /v2/images/{image_id}/file # Intended scope(s): project -#"upload_image": "role:admin or (role:member and project_id:%(project_id)s)" +#"upload_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "upload_image":"rule:default" has been deprecated since W in favor -# of "upload_image":"role:admin or (role:member and +# of "upload_image":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Deletes the location of given image # PATCH /v2/images/{image_id} # Intended scope(s): project -#"delete_image_location": "role:admin" +#"delete_image_location": "rule:context_is_admin" # DEPRECATED # "delete_image_location":"rule:default" has been deprecated since W -# in favor of "delete_image_location":"role:admin". +# in favor of "delete_image_location":"rule:context_is_admin". # The image API now supports roles. # Reads the location of the image # GET /v2/images/{image_id} # Intended scope(s): project -#"get_image_location": "role:admin or (role:reader and project_id:%(project_id)s)" +#"get_image_location": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_image_location":"rule:default" has been deprecated since W in -# favor of "get_image_location":"role:admin or (role:reader and -# project_id:%(project_id)s)". +# favor of "get_image_location":"rule:context_is_admin or (role:reader +# and project_id:%(project_id)s)". # The image API now supports roles. 
# Sets location URI to given image # PATCH /v2/images/{image_id} # Intended scope(s): project -#"set_image_location": "role:admin or (role:member and project_id:%(project_id)s)" +#"set_image_location": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "set_image_location":"rule:default" has been deprecated since W in -# favor of "set_image_location":"role:admin or (role:member and -# project_id:%(project_id)s)". +# favor of "set_image_location":"rule:context_is_admin or (role:member +# and project_id:%(project_id)s)". # The image API now supports roles. # Create image member # POST /v2/images/{image_id}/members # Intended scope(s): project -#"add_member": "role:admin or (role:member and project_id:%(project_id)s)" +#"add_member": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "add_member":"rule:default" has been deprecated since W in favor of -# "add_member":"role:admin or (role:member and +# "add_member":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Delete image member # DELETE /v2/images/{image_id}/members/{member_id} # Intended scope(s): project -#"delete_member": "role:admin or (role:member and project_id:%(project_id)s)" +#"delete_member": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_member":"rule:default" has been deprecated since W in favor -# of "delete_member":"role:admin or (role:member and +# of "delete_member":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. 
# Show image member details # GET /v2/images/{image_id}/members/{member_id} # Intended scope(s): project -#"get_member": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" +#"get_member": "rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" # DEPRECATED # "get_member":"rule:default" has been deprecated since W in favor of -# "get_member":"role:admin or role:reader and +# "get_member":"rule:context_is_admin or role:reader and # (project_id:%(project_id)s or project_id:%(member_id)s)". # The image API now supports roles. # List image members # GET /v2/images/{image_id}/members # Intended scope(s): project -#"get_members": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" +#"get_members": "rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" # DEPRECATED # "get_members":"rule:default" has been deprecated since W in favor of -# "get_members":"role:admin or role:reader and +# "get_members":"rule:context_is_admin or role:reader and # (project_id:%(project_id)s or project_id:%(member_id)s)". # The image API now supports roles. # Update image member # PUT /v2/images/{image_id}/members/{member_id} # Intended scope(s): project -#"modify_member": "role:admin or (role:member and project_id:%(member_id)s)" +#"modify_member": "rule:context_is_admin or (role:member and project_id:%(member_id)s)" # DEPRECATED # "modify_member":"rule:default" has been deprecated since W in favor -# of "modify_member":"role:admin or (role:member and +# of "modify_member":"rule:context_is_admin or (role:member and # project_id:%(member_id)s)". # The image API now supports roles. 
# Manage image cache # Intended scope(s): project -#"manage_image_cache": "role:admin" +#"manage_image_cache": "rule:context_is_admin" # Deactivate image # POST /v2/images/{image_id}/actions/deactivate # Intended scope(s): project -#"deactivate": "role:admin or (role:member and project_id:%(project_id)s)" +#"deactivate": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "deactivate":"rule:default" has been deprecated since W in favor of -# "deactivate":"role:admin or (role:member and +# "deactivate":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Reactivate image # POST /v2/images/{image_id}/actions/reactivate # Intended scope(s): project -#"reactivate": "role:admin or (role:member and project_id:%(project_id)s)" +#"reactivate": "rule:context_is_admin or (role:member and project_id:%(project_id)s)" # DEPRECATED # "reactivate":"rule:default" has been deprecated since W in favor of -# "reactivate":"role:admin or (role:member and +# "reactivate":"rule:context_is_admin or (role:member and # project_id:%(project_id)s)". # The image API now supports roles. # Copy existing image to other stores # POST /v2/images/{image_id}/import # Intended scope(s): project -#"copy_image": "role:admin" +#"copy_image": "rule:context_is_admin" # Get an image task. # 
@@ -313,33 +313,33 @@ # POST /v2/tasks # DELETE /v2/tasks/{task_id} # Intended scope(s): project -#"tasks_api_access": "role:admin" +#"tasks_api_access": "rule:context_is_admin" #"metadef_default": "" -#"metadef_admin": "role:admin" +#"metadef_admin": "rule:context_is_admin" # Get a specific namespace. # GET /v2/metadefs/namespaces/{namespace_name} # Intended scope(s): project -#"get_metadef_namespace": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_namespace": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_namespace":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_namespace":"role:admin or -# (role:reader and (project_id:%(project_id)s or +# since X in favor of "get_metadef_namespace":"rule:context_is_admin +# or (role:reader and (project_id:%(project_id)s or # 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # List namespace. # GET /v2/metadefs/namespaces # Intended scope(s): project -#"get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)" +#"get_metadef_namespaces": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_metadef_namespaces":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_namespaces":"role:admin or -# (role:reader and project_id:%(project_id)s)". +# since X in favor of "get_metadef_namespaces":"rule:context_is_admin +# or (role:reader and project_id:%(project_id)s)". # The metadata API now supports project scope and default roles. # Modify an existing namespace. 
@@ -360,22 +360,23 @@ # Get a specific object from a namespace. # GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} # Intended scope(s): project -#"get_metadef_object": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_object": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_object":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_object":"role:admin or (role:reader -# and (project_id:%(project_id)s or 'public':%(visibility)s))". +# since X in favor of "get_metadef_object":"rule:context_is_admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # Get objects from a namespace. # GET /v2/metadefs/namespaces/{namespace_name}/objects # Intended scope(s): project -#"get_metadef_objects": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_objects": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_objects":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_objects":"role:admin or +# since X in favor of "get_metadef_objects":"rule:context_is_admin or # (role:reader and (project_id:%(project_id)s or # 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. 
@@ -398,25 +399,25 @@ # List meta definition resource types. # GET /v2/metadefs/resource_types # Intended scope(s): project -#"list_metadef_resource_types": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"list_metadef_resource_types": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "list_metadef_resource_types":"rule:metadef_default" has been # deprecated since X in favor of -# "list_metadef_resource_types":"role:admin or (role:reader and -# (project_id:%(project_id)s or 'public':%(visibility)s))". +# "list_metadef_resource_types":"rule:context_is_admin or (role:reader +# and (project_id:%(project_id)s or 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # Get meta definition resource types associations. # GET /v2/metadefs/namespaces/{namespace_name}/resource_types # Intended scope(s): project -#"get_metadef_resource_type": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_resource_type": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_resource_type":"rule:metadef_default" has been # deprecated since X in favor of -# "get_metadef_resource_type":"role:admin or (role:reader and -# (project_id:%(project_id)s or 'public':%(visibility)s))". +# "get_metadef_resource_type":"rule:context_is_admin or (role:reader +# and (project_id:%(project_id)s or 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # Create meta definition resource types association. 
@@ -432,11 +433,11 @@ # Get a specific meta definition property. # GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} # Intended scope(s): project -#"get_metadef_property": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_property": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_property":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_property":"role:admin or +# since X in favor of "get_metadef_property":"rule:context_is_admin or # (role:reader and (project_id:%(project_id)s or # 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. @@ -444,12 +445,12 @@ # List meta definition properties. # GET /v2/metadefs/namespaces/{namespace_name}/properties # Intended scope(s): project -#"get_metadef_properties": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_properties": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_properties":"rule:metadef_default" has been deprecated -# since X in favor of "get_metadef_properties":"role:admin or -# (role:reader and (project_id:%(project_id)s or +# since X in favor of "get_metadef_properties":"rule:context_is_admin +# or (role:reader and (project_id:%(project_id)s or # 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. 
@@ -471,23 +472,24 @@ # Get tag definition. # GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} # Intended scope(s): project -#"get_metadef_tag": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_tag": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_tag":"rule:metadef_default" has been deprecated since X -# in favor of "get_metadef_tag":"role:admin or (role:reader and -# (project_id:%(project_id)s or 'public':%(visibility)s))". +# in favor of "get_metadef_tag":"rule:context_is_admin or (role:reader +# and (project_id:%(project_id)s or 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # List tag definitions. # GET /v2/metadefs/namespaces/{namespace_name}/tags # Intended scope(s): project -#"get_metadef_tags": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" +#"get_metadef_tags": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" # DEPRECATED # "get_metadef_tags":"rule:metadef_default" has been deprecated since -# X in favor of "get_metadef_tags":"role:admin or (role:reader and -# (project_id:%(project_id)s or 'public':%(visibility)s))". +# X in favor of "get_metadef_tags":"rule:context_is_admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". # The metadata API now supports project scope and default roles. # Update tag definition. 
@@ -518,36 +520,36 @@ # Queue image for caching # PUT /v2/cache/{image_id} # Intended scope(s): project -#"cache_image": "role:admin" +#"cache_image": "rule:context_is_admin" # DEPRECATED # "cache_image":"rule:manage_image_cache" has been deprecated since X -# in favor of "cache_image":"role:admin". +# in favor of "cache_image":"rule:context_is_admin". # The image API now supports roles. # List cache status # GET /v2/cache # Intended scope(s): project -#"cache_list": "role:admin" +#"cache_list": "rule:context_is_admin" # DEPRECATED # "cache_list":"rule:manage_image_cache" has been deprecated since X -# in favor of "cache_list":"role:admin". +# in favor of "cache_list":"rule:context_is_admin". # The image API now supports roles. # Delete image(s) from cache and/or queue # DELETE /v2/cache # DELETE /v2/cache/{image_id} # Intended scope(s): project -#"cache_delete": "role:admin" +#"cache_delete": "rule:context_is_admin" # DEPRECATED # "cache_delete":"rule:manage_image_cache" has been deprecated since X -# in favor of "cache_delete":"role:admin". +# in favor of "cache_delete":"rule:context_is_admin". # The image API now supports roles. # Expose store specific information # GET /v2/info/stores/detail # Intended scope(s): project -#"stores_info_detail": "role:admin" +#"stores_info_detail": "rule:context_is_admin" diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml index 00f28fe365..583f0da4a5 100644 --- a/openstack_dashboard/conf/neutron_policy.yaml +++ b/openstack_dashboard/conf/neutron_policy.yaml 
@@ -265,14 +265,51 @@ # List availability zones # GET /availability_zones # Intended scope(s): project -#"get_availability_zone": "rule:admin_only" +#"get_availability_zone": "role:reader" # DEPRECATED # "get_availability_zone":"rule:regular_user" has been deprecated -# since W in favor of "get_availability_zone":"rule:admin_only". +# since W in favor of "get_availability_zone":"role:reader". # The Availability Zone API now supports project scope and default # roles. +# Create a templated of the security group rule +# POST /default-security-group-rules +# Intended scope(s): project +#"create_default_security_group_rule": "rule:admin_only" + +# DEPRECATED +# "create_default_security_group_rule":"rule:admin_only" has been +# deprecated since 2023.2 in favor of +# "create_default_security_group_rule":"rule:admin_only". +# The default security group rules API supports system scope and +# default roles. + +# Get a templated of the security group rule +# GET /default-security-group-rules +# GET /default-security-group-rules/{id} +# Intended scope(s): project +#"get_default_security_group_rule": "role:reader" + +# DEPRECATED +# "get_default_security_group_rule":"rule:regular_user" has been +# deprecated since 2023.2 in favor of +# "get_default_security_group_rule":"role:reader". +# The default security group rules API supports system scope and +# default roles. + +# Delete a templated of the security group rule +# DELETE /default-security-group-rules/{id} +# Intended scope(s): project +#"delete_default_security_group_rule": "rule:admin_only" + +# DEPRECATED +# "delete_default_security_group_rule":"rule:admin_only" has been +# deprecated since 2023.2 in favor of +# "delete_default_security_group_rule":"rule:admin_only". +# The default security group rules API supports system scope and +# default roles. + # Create a flavor # POST /flavors # Intended scope(s): project 
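Review bot: The DEPRECATED blocks added for `create_default_security_group_rule` and `delete_default_security_group_rule` state that `"rule:admin_only"` has been deprecated in favor of `"rule:admin_only"`, which gives an operator reading the sample nothing to act on and looks like a generator artefact rather than a real deprecation. Since this file appears to be regenerated from neutron's sample output, the wording itself belongs upstream, but the commit should at least name the neutron revision it was generated from so the self-referential note can be traced; the description `Create a templated of the security group rule` reads the same way. Separately, `get_availability_zone` is relaxed in this hunk from `rule:admin_only` to `role:reader`; that presumably mirrors upstream, but a policy loosening is worth calling out explicitly in the commit message because any dashboard panel that used this check as an "is admin" signal will now pass for readers.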
@@ -460,14 +497,13 @@ # Create a floating IP port forwarding # POST /floatingips/{floatingip_id}/port_forwardings # Intended scope(s): project -#"create_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +#"create_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "create_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "create_floatingip_port_forwarding":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. 
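Review bot: The new `create_floatingip_port_forwarding` default drops the `project_id:%(project_id)s` alternative, so a project member is now authorized only through `(role:member and rule:ext_parent_owner)`; in neutron's base policies that rule is, as far as I can tell, evaluated against an `ext_parent:`-prefixed project attribute of the check target rather than the target's own `project_id`. Horizon usually runs policy checks against the resource dict it is about to create or act on, so unless the floating IP's project id is supplied under that parent key, the member branch can never match and only admins will ever see the port-forwarding actions. Please confirm the dashboard's port-forwarding checks populate the parent attribute; the same applies to the get, update and delete rules in the `@@ -475,41 +511,39 @@` hunk.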
@@ -475,41 +511,39 @@ # GET /floatingips/{floatingip_id}/port_forwardings # GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project -#"get_floatingip_port_forwarding": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" +#"get_floatingip_port_forwarding": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "get_floatingip_port_forwarding":"(rule:admin_only) or (role:reader -# and project_id:%(project_id)s) or rule:ext_parent_owner". +# and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. # Update a floating IP port forwarding # PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project -#"update_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +#"update_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "update_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "update_floatingip_port_forwarding":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. 
# Delete a floating IP port forwarding # DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project -#"delete_floatingip_port_forwarding": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +#"delete_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "delete_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "delete_floatingip_port_forwarding":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. @@ -1139,6 +1173,26 @@ # The network segment range API now supports project scope and default # roles. +# Get port binding information +# GET /ports/{port_id}/bindings/ +# Intended scope(s): project +#"get_port_binding": "rule:admin_only" + +# Create port binding on the host +# POST /ports/{port_id}/bindings/ +# Intended scope(s): project +#"create_port_binding": "rule:admin_only" + +# Delete port binding on the host +# DELETE /ports/{port_id}/bindings/ +# Intended scope(s): project +#"delete_port_binding": "rule:admin_only" + +# Activate port binding on the host +# PUT /ports/{port_id}/bindings/{host} +# Intended scope(s): project +#"activate": "rule:admin_only" + # Definition of port with network device_owner #"network_device": "field:port:device_owner=~^network:" 
@@ -1159,75 +1213,77 @@ # Specify ``device_owner`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:device_owner": "not rule:network_device or rule:admin_only or rule:context_is_advsvc or rule:network_owner" +#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "create_port:device_owner":"not -# rule:network_device or rule:admin_only or rule:context_is_advsvc or -# rule:network_owner". +# rule:network_device or rule:context_is_advsvc or (rule:admin_only) +# or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``mac_address`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:mac_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"create_port:mac_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:mac_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:mac_address":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# (rule:admin_only) or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. 
# Specify ``fixed_ips`` information when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" +#"create_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" # DEPRECATED # "create_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of "create_port:fixed_ips":"rule:context_is_advsvc -# or rule:network_owner or rule:admin_only or rule:shared". +# or (rule:admin_only) or (role:member and rule:network_owner) or +# rule:shared". # The port API now supports project scope and default roles. # Specify IP address in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# (rule:admin_only) or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. 
# Specify subnet ID in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project -#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" +#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" # DEPRECATED # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only or rule:shared". +# (rule:admin_only) or (role:member and rule:network_owner) or +# rule:shared". # The port API now supports project scope and default roles. # Specify ``port_security_enabled`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"create_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:port_security_enabled":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# (rule:admin_only) or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``binding:host_id`` attribute when creating a port 
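Review bot: `create_port:device_owner`, `create_port:mac_address`, `create_port:fixed_ips` and the other `create_port:*` rules in this hunk now grant non-admins only via `(role:member and rule:network_owner)`; the bare `rule:network_owner` branch is gone, so the caller must hold the member role and the check target must carry the owning network's project id for the rule to match. Horizon builds its check target from the port being created, so unless the dashboard injects the network's project id into that target, the member branch fails closed and only admins can set these attributes from the UI; that is the upstream intent, but it changes who can use the port form and should be verified against the dashboard's port create/update code, which is outside this hunk. The `@@ -1265,52 +1321,58 @@` and `@@ -1384,14 +1452,14 @@` hunks follow the same pattern, and the `@@ -1409,50 +1477,51 @@` hunk runs past the end of this chunk so I could not review it in full.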
@@ -1265,52 +1321,58 @@ # Specify ``allowed_address_pairs`` attribute when creating a port # POST /ports # Intended scope(s): project -#"create_port:allowed_address_pairs": "rule:admin_only or rule:network_owner" +#"create_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs":"rule:admin_or_network_owner" # has been deprecated since W in favor of -# "create_port:allowed_address_pairs":"rule:admin_only or -# rule:network_owner". +# "create_port:allowed_address_pairs":"(rule:admin_only) or +# (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``mac_address` of `allowed_address_pairs`` attribute when # creating a port # POST /ports # Intended scope(s): project -#"create_port:allowed_address_pairs:mac_address": "rule:admin_only or rule:network_owner" +#"create_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo # rk_owner" has been deprecated since W in favor of -# "create_port:allowed_address_pairs:mac_address":"rule:admin_only or -# rule:network_owner". +# "create_port:allowed_address_pairs:mac_address":"(rule:admin_only) +# or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``ip_address`` of ``allowed_address_pairs`` attribute when # creating a port # POST /ports # Intended scope(s): project -#"create_port:allowed_address_pairs:ip_address": "rule:admin_only or rule:network_owner" +#"create_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs:ip_address":"rule:admin_or_networ # k_owner" has been deprecated since W in favor of -# "create_port:allowed_address_pairs:ip_address":"rule:admin_only or -# rule:network_owner". 
+# "create_port:allowed_address_pairs:ip_address":"(rule:admin_only) or +# (role:member and rule:network_owner)". # The port API now supports project scope and default roles. +# Specify ``hints`` attribute when creating a port +# POST /ports +# Intended scope(s): project +#"create_port:hints": "rule:admin_only" + # Get a port # GET /ports # GET /ports/{id} # Intended scope(s): project -#"get_port": "rule:admin_only or rule:context_is_advsvc or role:reader and project_id:%(project_id)s" +#"get_port": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s" # DEPRECATED # "get_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in -# favor of "get_port":"rule:admin_only or rule:context_is_advsvc or -# role:reader and project_id:%(project_id)s". +# favor of "get_port":"rule:context_is_advsvc or (rule:admin_only) or +# (role:reader and rule:network_owner) or role:reader and +# project_id:%(project_id)s". # The port API now supports project scope and default roles. # Get ``binding:vif_type`` attribute of a port @@ -1369,6 +1431,12 @@ # since W in favor of "get_port:resource_request":"rule:admin_only". # The port API now supports project scope and default roles. +# Get ``hints`` attribute of a port +# GET /ports +# GET /ports/{id} +# Intended scope(s): project +#"get_port:hints": "rule:admin_only" + # Update a port # PUT /ports/{id} # Intended scope(s): project 
@@ -1384,14 +1452,14 @@ # Update ``device_owner`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "update_port:device_owner":"not -# rule:network_device or rule:context_is_advsvc or rule:network_owner -# or rule:admin_only". +# rule:network_device or rule:context_is_advsvc or (rule:admin_only) +# or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``mac_address`` attribute of a port 
@@ -1409,50 +1477,51 @@ # Specify ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"update_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of -# "update_port:fixed_ips":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# "update_port:fixed_ips":"rule:context_is_advsvc or (rule:admin_only) +# or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify IP address in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# (rule:admin_only) or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. 
# Specify subnet ID in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" +#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared" # DEPRECATED # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only or rule:shared". +# (rule:admin_only) or (role:member and rule:network_owner) or +# rule:shared". # The port API now supports project scope and default roles. # Update ``port_security_enabled`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or rule:admin_only" +#"update_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "update_port:port_security_enabled":"rule:context_is_advsvc or -# rule:network_owner or rule:admin_only". +# (rule:admin_only) or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``binding:host_id`` attribute of a port 
@@ -1490,39 +1559,39 @@ # Update ``allowed_address_pairs`` attribute of a port # PUT /ports/{id} # Intended scope(s): project -#"update_port:allowed_address_pairs": "rule:admin_only or rule:network_owner" +#"update_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs":"rule:admin_or_network_owner" # has been deprecated since W in favor of -# "update_port:allowed_address_pairs":"rule:admin_only or -# rule:network_owner". +# "update_port:allowed_address_pairs":"(rule:admin_only) or +# (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``mac_address`` of ``allowed_address_pairs`` attribute of a # port # PUT /ports/{id} # Intended scope(s): project -#"update_port:allowed_address_pairs:mac_address": "rule:admin_only or rule:network_owner" +#"update_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo # rk_owner" has been deprecated since W in favor of -# "update_port:allowed_address_pairs:mac_address":"rule:admin_only or -# rule:network_owner". +# "update_port:allowed_address_pairs:mac_address":"(rule:admin_only) +# or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``ip_address`` of ``allowed_address_pairs`` attribute of a # port # PUT /ports/{id} # Intended scope(s): project -#"update_port:allowed_address_pairs:ip_address": "rule:admin_only or rule:network_owner" +#"update_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs:ip_address":"rule:admin_or_networ # k_owner" has been deprecated since W in favor of -# "update_port:allowed_address_pairs:ip_address":"rule:admin_only or -# rule:network_owner". 
+# "update_port:allowed_address_pairs:ip_address":"(rule:admin_only) or +# (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``data_plane_status`` attribute of a port @@ -1537,16 +1606,22 @@ # role:data_plane_integrator". # The port API now supports project scope and default roles. +# Update ``hints`` attribute of a port +# PUT /ports/{id} +# Intended scope(s): project +#"update_port:hints": "rule:admin_only" + # Delete a port # DELETE /ports/{id} # Intended scope(s): project -#"delete_port": "rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner" +#"delete_port": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "delete_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in -# favor of "delete_port":"rule:admin_only or rule:context_is_advsvc or -# role:member and project_id:%(project_id)s or rule:network_owner". +# favor of "delete_port":"rule:context_is_advsvc or role:member and +# project_id:%(project_id)s or (rule:admin_only) or (role:member and +# rule:network_owner)". # The port API now supports project scope and default roles. # Rule of shared qos policy 
@@ -1598,24 +1673,24 @@ # GET /qos/rule-types # GET /qos/rule-types/{rule_type} # Intended scope(s): project -#"get_rule_type": "rule:admin_only" +#"get_rule_type": "role:reader" # DEPRECATED # "get_rule_type":"rule:regular_user" has been deprecated since W in -# favor of "get_rule_type":"rule:admin_only". +# favor of "get_rule_type":"role:reader". # The QoS API now supports project scope and default roles. # Get a QoS bandwidth limit rule # GET /qos/policies/{policy_id}/bandwidth_limit_rules # GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} # Intended scope(s): project -#"get_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_bandwidth_limit_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_bandwidth_limit_rule":"(rule:admin_only) or (role:reader -# and project_id:%(project_id)s)". +# and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS bandwidth limit rule @@ -1655,7 +1730,7 @@ # GET /qos/policies/{policy_id}/packet_rate_limit_rules # GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} # Intended scope(s): project -#"get_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # Create a QoS packet rate limit rule # POST /qos/policies/{policy_id}/packet_rate_limit_rules 
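Review bot: The `get_policy_bandwidth_limit_rule` and `get_policy_packet_rate_limit_rule` defaults replace `project_id:%(project_id)s` with `rule:ext_parent_owner`, a rule defined outside this hunk; in Neutron it matches `project_id:%(ext_parent:project_id)s`, i.e. the owning QoS policy's project, which the dashboard's check target must supply as `ext_parent:project_id` or readers will be denied in the UI even though the API allows the call. `get_rule_type` also widens from `rule:admin_only` to `role:reader`; that mirrors upstream but is a loosening of a default and deserves a line in the commit message. The same `ext_parent_owner` swap appears in the `@@ -1676`, `@@ -1722`, `@@ -1768`, `@@ -1788`, `@@ -1822` and `@@ -1856` hunks.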
@@ -1676,13 +1751,13 @@ # GET /qos/policies/{policy_id}/dscp_marking_rules # GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} # Intended scope(s): project -#"get_policy_dscp_marking_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_policy_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_dscp_marking_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_dscp_marking_rule":"(rule:admin_only) or (role:reader -# and project_id:%(project_id)s)". +# and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS DSCP marking rule @@ -1722,13 +1797,13 @@ # GET /qos/policies/{policy_id}/minimum_bandwidth_rules # GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} # Intended scope(s): project -#"get_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_minimum_bandwidth_rule":"(rule:admin_only) or -# (role:reader and project_id:%(project_id)s)". +# (role:reader and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS minimum bandwidth rule @@ -1768,7 +1843,7 @@ # GET /qos/policies/{policy_id}/minimum_packet_rate_rules # GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} # Intended scope(s): project -#"get_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # Create a QoS minimum packet rate rule # POST /qos/policies/{policy_id}/minimum_packet_rate_rules 
@@ -1788,13 +1863,13 @@ # Get a QoS bandwidth limit rule through alias # GET /qos/alias_bandwidth_limit_rules/{rule_id}/ # Intended scope(s): project -#"get_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_bandwidth_limit_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_bandwidth_limit_rule":"(rule:admin_only) or (role:reader -# and project_id:%(project_id)s)". +# and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS bandwidth limit rule through alias @@ -1822,13 +1897,13 @@ # Get a QoS DSCP marking rule through alias # GET /qos/alias_dscp_marking_rules/{rule_id}/ # Intended scope(s): project -#"get_alias_dscp_marking_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_alias_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_dscp_marking_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_dscp_marking_rule":"(rule:admin_only) or (role:reader and -# project_id:%(project_id)s)". +# rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS DSCP marking rule through alias 
@@ -1856,13 +1931,13 @@ # Get a QoS minimum bandwidth rule through alias # GET /qos/alias_minimum_bandwidth_rules/{rule_id}/ # Intended scope(s): project -#"get_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" +#"get_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_minimum_bandwidth_rule":"(rule:admin_only) or -# (role:reader and project_id:%(project_id)s)". +# (role:reader and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS minimum bandwidth rule through alias @@ -2087,6 +2162,18 @@ # al_gateway_info:external_fixed_ips":"rule:admin_only". # The router API now supports system scope and default roles. +# Specify ``enable_default_route_bfd`` attribute when creating a +# router +# POST /routers +# Intended scope(s): project +#"create_router:enable_default_route_bfd": "rule:admin_only" + +# Specify ``enable_default_route_ecmp`` attribute when creating a +# router +# POST /routers +# Intended scope(s): project +#"create_router:enable_default_route_ecmp": "rule:admin_only" + # Get a router # GET /routers # GET /routers/{id} @@ -2201,6 +2288,18 @@ # al_gateway_info:external_fixed_ips":"rule:admin_only". # The router API now supports system scope and default roles. +# Specify ``enable_default_route_bfd`` attribute when updating a +# router +# POST /routers +# Intended scope(s): project +#"update_router:enable_default_route_bfd": "rule:admin_only" + +# Specify ``enable_default_route_ecmp`` attribute when updating a +# router +# POST /routers +# Intended scope(s): project +#"update_router:enable_default_route_ecmp": "rule:admin_only" + # Delete a router # DELETE /routers/{id} # Intended scope(s): project 
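Review bot: The two new `update_router:enable_default_route_*` entries in the `@@ -2201` hunk document `POST /routers`, but updating an existing router is `PUT /routers/{id}`, as the neighbouring `# Delete a router` / `DELETE /routers/{id}` stanza and the file's other update entries (`# Update a port` / `PUT /ports/{id}`, `# Update a subnet` / `PUT /subnets/{id}`) show; the lines appear copied from the create stanza in `@@ -2087`, where `POST /routers` is correct. Because this file is generated from Neutron's policy definitions, the fix belongs in the upstream policy's operations list rather than a hand edit here, or the next sync will reintroduce it. The `rule:admin_only` defaults themselves are consistent with the other external-gateway attributes in this section.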
@@ -2402,12 +2501,12 @@ # Create a subnet # POST /subnets # Intended scope(s): project -#"create_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner" +#"create_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "create_subnet":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or rule:network_owner". +# (role:member and rule:network_owner)". # The subnet API now supports system scope and default roles. # Specify ``segment_id`` attribute when creating a subnet @@ -2456,12 +2555,12 @@ # Update a subnet # PUT /subnets/{id} # Intended scope(s): project -#"update_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner" +#"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "update_subnet":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or rule:network_owner". +# (role:member and rule:network_owner)". # The subnet API now supports system scope and default roles. # Update ``segment_id`` attribute of a subnet @@ -2487,12 +2586,12 @@ # Delete a subnet # DELETE /subnets/{id} # Intended scope(s): project -#"delete_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner" +#"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "delete_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "delete_subnet":"(rule:admin_only) or -# (role:member and project_id:%(project_id)s) or rule:network_owner". +# (role:member and rule:network_owner)". # The subnet API now supports system scope and default roles. # Definition of a shared subnetpool 
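Review bot: `create_subnet` drops the `(role:member and project_id:%(project_id)s)` branch, so owning the subnet's project is no longer sufficient for a member; the only non-admin path left is `role:member and rule:network_owner`, which is evaluated against the network's owner rather than the subnet's. That is a deliberate tightening upstream, but for the dashboard it means a `create_subnet` check whose target carries only the subnet's `project_id` is denied for every non-admin, so the parent network's owner must be in the target (Neutron reads it as `network:project_id`; confirm against the `network_owner` definition, which is outside this hunk). `update_subnet` and `delete_subnet` in the `@@ -2456` and `@@ -2487` hunks change the same way.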
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml index 46868868fa..82c55b845d 100644 --- a/openstack_dashboard/conf/nova_policy.yaml +++ b/openstack_dashboard/conf/nova_policy.yaml @@ -1169,11 +1169,16 @@ # Intended scope(s): project #"os_compute_api:os-lock-server:unlock:unlock_override": "rule:context_is_admin" -# Cold migrate a server to a host +# Cold migrate a server without specifying a host # POST /servers/{server_id}/action (migrate) # Intended scope(s): project #"os_compute_api:os-migrate-server:migrate": "rule:context_is_admin" +# Cold migrate a server to a specified host +# POST /servers/{server_id}/action (migrate) +# Intended scope(s): project +#"os_compute_api:os-migrate-server:migrate:host": "rule:context_is_admin" + # Live migrate a server to a new host without a reboot # POST /servers/{server_id}/action (os-migrateLive) # Intended scope(s): project
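Review bot: `os_compute_api:os-migrate-server:migrate:host` is a new, finer-grained policy covering only a cold migration that names a destination host, while the reworded `migrate` now describes the host-less call. If the dashboard's cold-migrate action lets the operator choose a host, its policy check should target `migrate:host` rather than the generic `migrate`; with both defaulting to `rule:context_is_admin` nothing changes today, but a deployment that overrides only one of them would otherwise see the action rendered against the wrong rule. Whether Horizon currently exposes a host selector is not visible in this diff.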