Sync default policy rules
This patch updates the default policy-in-code rules in horizon based on the nova/neutron/keystone/glance RC deliverables. It does not update the cinder policy rules, as I found no changes in them. Change-Id: Ie249e6d066ad31c7783b936e52141b1745fd2703
parent
75e7d66b8e
commit
3e1a93f1cf
@ -18,10 +18,10 @@
|
||||
name: context_is_admin
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -39,7 +39,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -55,10 +55,10 @@
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
|
||||
or "community":%(visibility)s or "public":%(visibility)s))
|
||||
or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -76,7 +76,7 @@
|
||||
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -94,7 +94,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -121,7 +121,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -140,7 +140,7 @@
|
||||
or "community":%(visibility)s or "public":%(visibility)s))
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -158,7 +158,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -176,7 +176,7 @@
|
||||
- check_str: role:admin
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -194,7 +194,7 @@
|
||||
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -212,7 +212,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -230,7 +230,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -248,7 +248,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -263,10 +263,10 @@
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
|
||||
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -281,10 +281,10 @@
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
|
||||
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -299,10 +299,10 @@
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
- check_str: role:admin or (role:member and project_id:%(member_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -327,7 +327,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -345,7 +345,7 @@
|
||||
- check_str: role:admin or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
The image API now supports and default roles.
|
||||
The image API now supports roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -370,6 +370,18 @@
|
||||
- system
|
||||
- project
|
||||
- check_str: rule:default
|
||||
deprecated_reason: '
|
||||
|
||||
From Xena we are enforcing policy checks in the API and policy layer where task
|
||||
policies were enforcing will be removed. Since task APIs are already deprecated
|
||||
and `tasks_api_access` is checked for each API at API layer, there will be no
|
||||
benefit of other having other task related policies.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
check_str: rule:default
|
||||
name: get_task
|
||||
deprecated_since: X
|
||||
description: 'Get an image task.
|
||||
|
||||
|
||||
@ -394,6 +406,18 @@
|
||||
- system
|
||||
- project
|
||||
- check_str: rule:default
|
||||
deprecated_reason: '
|
||||
|
||||
From Xena we are enforcing policy checks in the API and policy layer where task
|
||||
policies were enforcing will be removed. Since task APIs are already deprecated
|
||||
and `tasks_api_access` is checked for each API at API layer, there will be no
|
||||
benefit of other having other task related policies.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
check_str: rule:default
|
||||
name: get_task
|
||||
deprecated_since: X
|
||||
description: 'List tasks for all images.
|
||||
|
||||
|
||||
@ -418,6 +442,18 @@
|
||||
- system
|
||||
- project
|
||||
- check_str: rule:default
|
||||
deprecated_reason: '
|
||||
|
||||
From Xena we are enforcing policy checks in the API and policy layer where task
|
||||
policies were enforcing will be removed. Since task APIs are already deprecated
|
||||
and `tasks_api_access` is checked for each API at API layer, there will be no
|
||||
benefit of other having other task related policies.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
check_str: rule:default
|
||||
name: add_task
|
||||
deprecated_since: X
|
||||
description: 'List tasks for all images.
|
||||
|
||||
|
||||
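Review bot: The new add_image check_str in the first hunk reads `role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)`, while the commented sample later in this change gives the same rule as `role:admin or (...)`; unless this is a rendering artefact, `role:role:admin` is a role check for a role literally named `role:admin`, which would never match, so the line should be `check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)`. In the `-394,6 +406,18` hunk the entry described 'List tasks for all images.' gets `name: get_task` under its added deprecated_rule, and the `-418,6 +442,18` hunk's add_task entry carries that same description; if this file was regenerated from glance these may be inherited upstream, but they are worth checking against glance's task policies rather than hand-copied. Each rule entry in these hunks starts before its hunk, so the `name:` of the rule being edited is not visible here.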
|
@ -467,9 +467,9 @@
|
||||
- method: HEAD
|
||||
path: /v3/domains/{domain_id}/config/security_compliance
|
||||
- method: GET
|
||||
path: v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
path: /v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
- method: HEAD
|
||||
path: v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
path: /v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
scope_types:
|
||||
- system
|
||||
- domain
|
||||
@ -1887,15 +1887,7 @@
|
||||
or project_id:%(target.project.id)s
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -1917,15 +1909,7 @@
|
||||
or project_id:%(target.project.id)s
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -1947,15 +1931,7 @@
|
||||
or (role:admin and project_id:%(target.project.id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -1975,15 +1951,7 @@
|
||||
or (role:admin and project_id:%(target.project.id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -2003,15 +1971,7 @@
|
||||
or (role:admin and project_id:%(target.project.id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
@ -2031,15 +1991,7 @@
|
||||
or (role:admin and project_id:%(target.project.id)s)
|
||||
deprecated_reason: '
|
||||
|
||||
As of the Train release, the project tags API understands how to handle
|
||||
|
||||
system-scoped tokens in addition to project and domain tokens, making the API
|
||||
|
||||
more accessible to users without compromising security or manageability for
|
||||
|
||||
administrators. The new default policies for this API account for these changes
|
||||
|
||||
automatically.
|
||||
The project API is now aware of system scope and default roles.
|
||||
|
||||
'
|
||||
deprecated_rule:
|
||||
|
@ -529,6 +529,7 @@
|
||||
- method: POST
|
||||
path: /floatingips
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all
|
||||
deprecated_reason: null
|
||||
@ -600,7 +601,7 @@
|
||||
- method: GET
|
||||
path: /floatingip_pools
|
||||
scope_types:
|
||||
- admin
|
||||
- system
|
||||
- project
|
||||
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
|
||||
or rule:ext_parent_owner
|
||||
@ -752,6 +753,7 @@
|
||||
path: /log/logs
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:reader and system_scope:all
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -898,6 +900,7 @@
|
||||
- method: POST
|
||||
path: /networks
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all
|
||||
deprecated_reason: null
|
||||
@ -942,6 +945,7 @@
|
||||
name: create_network:port_security_enabled
|
||||
operations: *id001
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all
|
||||
deprecated_reason: null
|
||||
@ -1014,6 +1018,7 @@
|
||||
name: get_network:router:external
|
||||
operations: *id002
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:reader and system_scope:all
|
||||
deprecated_reason: null
|
||||
@ -1379,6 +1384,7 @@
|
||||
name: create_port:binding:vnic_type
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s
|
||||
or rule:network_owner
|
||||
@ -2046,7 +2052,7 @@
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all or rule:restrict_wildcard
|
||||
- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:restrict_wildcard
|
||||
@ -2074,7 +2080,7 @@
|
||||
scope_types:
|
||||
- project
|
||||
- system
|
||||
- check_str: role:admin and system_scope:all or rule:restrict_wildcard
|
||||
- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:restrict_wildcard and rule:admin_or_owner
|
||||
@ -2130,6 +2136,7 @@
|
||||
- method: POST
|
||||
path: /routers
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: role:admin and system_scope:all
|
||||
deprecated_reason: null
|
||||
@ -2367,6 +2374,34 @@
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner
|
||||
name: add_extraroutes
|
||||
deprecated_since: null
|
||||
description: Add extra route to a router
|
||||
name: add_extraroutes
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /routers/{id}/add_extraroutes
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner
|
||||
name: remove_extraroutes
|
||||
deprecated_since: null
|
||||
description: Remove extra route from a router
|
||||
name: remove_extraroutes
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /routers/{id}/remove_extraroutes
|
||||
scope_types:
|
||||
- system
|
||||
- project
|
||||
- check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
|
||||
description: Rule for admin or security group owner access
|
||||
name: admin_or_sg_owner
|
||||
@ -2534,7 +2569,7 @@
|
||||
path: /segments/{id}
|
||||
scope_types:
|
||||
- system
|
||||
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
|
||||
- check_str: role:reader
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:regular_user
|
||||
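Review bot: The last hunk (`-2534,7 +2569,7`, path /segments/{id}) appears to replace `(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)` with the bare `role:reader`, which drops both the system-scope and the project-ownership qualifiers while scope_types still lists only `- system`; taking the usual old-then-new print order this is a broader grant than before, so confirm it matches the neutron policy this file was generated from, and if project readers are the intent keep the qualifier: `check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)`. In the `-600,7 +601,7` hunk a `- admin` item appears under scope_types next to `- system`/`- project`; which side it belongs to is not recoverable from this rendering, but `admin` is not used as a scope type anywhere else in this change, so it looks like a stray line. The rule entries in both hunks start before the hunk, so their `name:` keys are not visible here.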
|
@ -1808,7 +1808,7 @@
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner
|
||||
name: os_compute_api:os-security-groups
|
||||
deprecated_since: 21.0.0
|
||||
deprecated_since: 22.0.0
|
||||
description: List security groups of server.
|
||||
name: os_compute_api:os-security-groups:list
|
||||
operations:
|
||||
@ -1830,7 +1830,7 @@
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner
|
||||
name: os_compute_api:os-security-groups
|
||||
deprecated_since: 21.0.0
|
||||
deprecated_since: 22.0.0
|
||||
description: Add security groups to server.
|
||||
name: os_compute_api:os-security-groups:add
|
||||
operations:
|
||||
@ -1852,7 +1852,7 @@
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner
|
||||
name: os_compute_api:os-security-groups
|
||||
deprecated_since: 21.0.0
|
||||
deprecated_since: 22.0.0
|
||||
description: Remove security groups from server.
|
||||
name: os_compute_api:os-security-groups:remove
|
||||
operations:
|
||||
|
@ -18,13 +18,13 @@
|
||||
# Create new image
|
||||
# POST /v2/images
|
||||
# Intended scope(s): system, project
|
||||
#"add_image": "role:admin or (role:member and project_id:%(project_id)s)"
|
||||
#"add_image": "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "add_image":"rule:default" has been deprecated since W in favor of
|
||||
# "add_image":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# project_id:%(project_id)s and project_id:%(owner)s)".
|
||||
# The image API now supports roles.
|
||||
|
||||
# Deletes the image
|
||||
# DELETE /v2/images/{image_id}
|
||||
@ -35,19 +35,20 @@
|
||||
# "delete_image":"rule:default" has been deprecated since W in favor
|
||||
# of "delete_image":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Get specified image
|
||||
# GET /v2/images/{image_id}
|
||||
# Intended scope(s): system, project
|
||||
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
|
||||
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_image":"rule:default" has been deprecated since W in favor of
|
||||
# "get_image":"role:admin or (role:reader and
|
||||
# (project_id:%(project_id)s or project_id:%(member_id)s or
|
||||
# "community":%(visibility)s or "public":%(visibility)s))".
|
||||
# The image API now supports and default roles.
|
||||
# "community":%(visibility)s or "public":%(visibility)s or
|
||||
# "shared":%(visibility)s))".
|
||||
# The image API now supports roles.
|
||||
|
||||
# Get all available images
|
||||
# GET /v2/images
|
||||
@ -58,7 +59,7 @@
|
||||
# "get_images":"rule:default" has been deprecated since W in favor of
|
||||
# "get_images":"role:admin or (role:reader and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Updates given image
|
||||
# PATCH /v2/images/{image_id}
|
||||
@ -69,7 +70,7 @@
|
||||
# "modify_image":"rule:default" has been deprecated since W in favor
|
||||
# of "modify_image":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Publicize given image
|
||||
# PATCH /v2/images/{image_id}
|
||||
@ -85,19 +86,20 @@
|
||||
# "communitize_image":"rule:default" has been deprecated since W in
|
||||
# favor of "communitize_image":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Downloads given image
|
||||
# GET /v2/images/{image_id}/file
|
||||
# Intended scope(s): system, project
|
||||
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
|
||||
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
|
||||
|
||||
# DEPRECATED
|
||||
# "download_image":"rule:default" has been deprecated since W in favor
|
||||
# of "download_image":"role:admin or (role:member and
|
||||
# (project_id:%(project_id)s or project_id:%(member_id)s or
|
||||
# "community":%(visibility)s or "public":%(visibility)s))".
|
||||
# The image API now supports and default roles.
|
||||
# "community":%(visibility)s or "public":%(visibility)s or
|
||||
# "shared":%(visibility)s))".
|
||||
# The image API now supports roles.
|
||||
|
||||
# Uploads data to specified image
|
||||
# PUT /v2/images/{image_id}/file
|
||||
@ -108,7 +110,7 @@
|
||||
# "upload_image":"rule:default" has been deprecated since W in favor
|
||||
# of "upload_image":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Deletes the location of given image
|
||||
# PATCH /v2/images/{image_id}
|
||||
@ -118,7 +120,7 @@
|
||||
# DEPRECATED
|
||||
# "delete_image_location":"rule:default" has been deprecated since W
|
||||
# in favor of "delete_image_location":"role:admin".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Reads the location of the image
|
||||
# GET /v2/images/{image_id}
|
||||
@ -129,7 +131,7 @@
|
||||
# "get_image_location":"rule:default" has been deprecated since W in
|
||||
# favor of "get_image_location":"role:admin or (role:reader and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Sets location URI to given image
|
||||
# PATCH /v2/images/{image_id}
|
||||
@ -140,7 +142,7 @@
|
||||
# "set_image_location":"rule:default" has been deprecated since W in
|
||||
# favor of "set_image_location":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Create image member
|
||||
# POST /v2/images/{image_id}/members
|
||||
@ -151,7 +153,7 @@
|
||||
# "add_member":"rule:default" has been deprecated since W in favor of
|
||||
# "add_member":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Delete image member
|
||||
# DELETE /v2/images/{image_id}/members/{member_id}
|
||||
@ -162,40 +164,40 @@
|
||||
# "delete_member":"rule:default" has been deprecated since W in favor
|
||||
# of "delete_member":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Show image member details
|
||||
# GET /v2/images/{image_id}/members/{member_id}
|
||||
# Intended scope(s): system, project
|
||||
#"get_member": "role:admin or (role:reader and project_id:%(project_id)s)"
|
||||
#"get_member": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_member":"rule:default" has been deprecated since W in favor of
|
||||
# "get_member":"role:admin or (role:reader and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# "get_member":"role:admin or role:reader and
|
||||
# (project_id:%(project_id)s or project_id:%(member_id)s)".
|
||||
# The image API now supports roles.
|
||||
|
||||
# List image members
|
||||
# GET /v2/images/{image_id}/members
|
||||
# Intended scope(s): system, project
|
||||
#"get_members": "role:admin or (role:reader and project_id:%(project_id)s)"
|
||||
#"get_members": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_members":"rule:default" has been deprecated since W in favor of
|
||||
# "get_members":"role:admin or (role:reader and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# "get_members":"role:admin or role:reader and
|
||||
# (project_id:%(project_id)s or project_id:%(member_id)s)".
|
||||
# The image API now supports roles.
|
||||
|
||||
# Update image member
|
||||
# PUT /v2/images/{image_id}/members/{member_id}
|
||||
# Intended scope(s): system, project
|
||||
#"modify_member": "role:admin or (role:member and project_id:%(project_id)s)"
|
||||
#"modify_member": "role:admin or (role:member and project_id:%(member_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "modify_member":"rule:default" has been deprecated since W in favor
|
||||
# of "modify_member":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# project_id:%(member_id)s)".
|
||||
# The image API now supports roles.
|
||||
|
||||
# Manage image cache
|
||||
# Intended scope(s): system, project
|
||||
@ -210,7 +212,7 @@
|
||||
# "deactivate":"rule:default" has been deprecated since W in favor of
|
||||
# "deactivate":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Reactivate image
|
||||
# POST /v2/images/{image_id}/actions/reactivate
|
||||
@ -221,7 +223,7 @@
|
||||
# "reactivate":"rule:default" has been deprecated since W in favor of
|
||||
# "reactivate":"role:admin or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# The image API now supports and default roles.
|
||||
# The image API now supports roles.
|
||||
|
||||
# Copy existing image to other stores
|
||||
# POST /v2/images/{image_id}/import
|
||||
@ -241,6 +243,15 @@
|
||||
# Intended scope(s): system, project
|
||||
#"get_task": "rule:default"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_task":"rule:default" has been deprecated since X in favor of
|
||||
# "get_task":"rule:default".
|
||||
# From Xena we are enforcing policy checks in the API and policy layer
|
||||
# where task policies were enforcing will be removed. Since task APIs
|
||||
# are already deprecated and `tasks_api_access` is checked for each
|
||||
# API at API layer, there will be no benefit of other having other
|
||||
# task related policies.
|
||||
|
||||
# List tasks for all images.
|
||||
#
|
||||
# This granular policy controls access to tasks, both from the tasks
|
||||
@ -254,6 +265,15 @@
|
||||
# Intended scope(s): system, project
|
||||
#"get_tasks": "rule:default"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_tasks":"rule:default" has been deprecated since X in favor of
|
||||
# "get_tasks":"rule:default".
|
||||
# From Xena we are enforcing policy checks in the API and policy layer
|
||||
# where task policies were enforcing will be removed. Since task APIs
|
||||
# are already deprecated and `tasks_api_access` is checked for each
|
||||
# API at API layer, there will be no benefit of other having other
|
||||
# task related policies.
|
||||
|
||||
# List tasks for all images.
|
||||
#
|
||||
# This granular policy controls access to tasks, both from the tasks
|
||||
@ -267,6 +287,15 @@
|
||||
# Intended scope(s): system, project
|
||||
#"add_task": "rule:default"
|
||||
|
||||
# DEPRECATED
|
||||
# "add_task":"rule:default" has been deprecated since X in favor of
|
||||
# "add_task":"rule:default".
|
||||
# From Xena we are enforcing policy checks in the API and policy layer
|
||||
# where task policies were enforcing will be removed. Since task APIs
|
||||
# are already deprecated and `tasks_api_access` is checked for each
|
||||
# API at API layer, there will be no benefit of other having other
|
||||
# task related policies.
|
||||
|
||||
# DEPRECATED
|
||||
# "modify_task" has been deprecated since W.
|
||||
# This policy check has never been honored by the API. It will be
|
||||
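Review bot: The new `get_member`/`get_members` lines in the `-162,40 +164,40` hunk are written `role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)` with no parentheses around the reader clause; oslo.policy binds `and` tighter than `or`, so this evaluates as `role:admin or (role:reader and (...))`, but it is easy to misread as `(role:admin or role:reader) and (...)`. Since this is a generated sample the form should follow whatever glance emits, but if the file is hand-maintained the `get_image`/`download_image` lines in the same hunk set show the parenthesised style to match, e.g. `#"get_member": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s))"`.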
|
@ -340,8 +340,8 @@
|
||||
# a specific option in a domain.
|
||||
# GET /v3/domains/{domain_id}/config/security_compliance
|
||||
# HEAD /v3/domains/{domain_id}/config/security_compliance
|
||||
# GET v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
# HEAD v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
# GET /v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
# HEAD /v3/domains/{domain_id}/config/security_compliance/{option}
|
||||
# Intended scope(s): system, domain, project
|
||||
#"identity:get_security_compliance_domain_config": ""
|
||||
|
||||
@ -1547,11 +1547,7 @@
|
||||
# system_scope:all) or (role:reader and
|
||||
# domain_id:%(target.project.domain_id)s) or
|
||||
# project_id:%(target.project.id)s".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# Check if project contains a tag.
|
||||
# GET /v3/projects/{project_id}/tags/{value}
|
||||
@ -1566,11 +1562,7 @@
|
||||
# system_scope:all) or (role:reader and
|
||||
# domain_id:%(target.project.domain_id)s) or
|
||||
# project_id:%(target.project.id)s".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# Replace all tags on a project with the new set of tags.
|
||||
# PUT /v3/projects/{project_id}/tags
|
||||
@ -1583,11 +1575,7 @@
|
||||
# "identity:update_project_tags":"(role:admin and system_scope:all) or
|
||||
# (role:admin and domain_id:%(target.project.domain_id)s) or
|
||||
# (role:admin and project_id:%(target.project.id)s)".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# Add a single tag to a project.
|
||||
# PUT /v3/projects/{project_id}/tags/{value}
|
||||
@ -1600,11 +1588,7 @@
|
||||
# "identity:create_project_tag":"(role:admin and system_scope:all) or
|
||||
# (role:admin and domain_id:%(target.project.domain_id)s) or
|
||||
# (role:admin and project_id:%(target.project.id)s)".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# Remove all tags from a project.
|
||||
# DELETE /v3/projects/{project_id}/tags
|
||||
@ -1617,11 +1601,7 @@
|
||||
# "identity:delete_project_tags":"(role:admin and system_scope:all) or
|
||||
# (role:admin and domain_id:%(target.project.domain_id)s) or
|
||||
# (role:admin and project_id:%(target.project.id)s)".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# Delete a specified tag from project.
|
||||
# DELETE /v3/projects/{project_id}/tags/{value}
|
||||
@ -1634,11 +1614,7 @@
|
||||
# "identity:delete_project_tag":"(role:admin and system_scope:all) or
|
||||
# (role:admin and domain_id:%(target.project.domain_id)s) or
|
||||
# (role:admin and project_id:%(target.project.id)s)".
|
||||
# As of the Train release, the project tags API understands how to
|
||||
# handle system-scoped tokens in addition to project and domain
|
||||
# tokens, making the API more accessible to users without compromising
|
||||
# security or manageability for administrators. The new default
|
||||
# policies for this API account for these changes automatically.
|
||||
# The project API is now aware of system scope and default roles.
|
||||
|
||||
# List projects allowed to access an endpoint.
|
||||
# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
|
||||
|
@ -403,7 +403,7 @@
|
||||
|
||||
# Create a floating IP
|
||||
# POST /floatingips
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"create_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -460,7 +460,7 @@
|
||||
|
||||
# Get floating IP pools
|
||||
# GET /floatingip_pools
|
||||
# Intended scope(s): admin, project
|
||||
# Intended scope(s): system, project
|
||||
#"get_floatingip_pool": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -708,7 +708,7 @@
|
||||
|
||||
# Create a network
|
||||
# POST /networks
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"create_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -752,7 +752,7 @@
|
||||
|
||||
# Specify ``port_security_enabled`` attribute when creating a network
|
||||
# POST /networks
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"create_network:port_security_enabled": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -826,7 +826,7 @@
|
||||
# Get ``router:external`` attribute of a network
|
||||
# GET /networks
|
||||
# GET /networks/{id}
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"get_network:router:external": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -1184,7 +1184,7 @@
|
||||
|
||||
# Specify ``binding:vnic_type`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"create_port:binding:vnic_type": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -1779,13 +1779,13 @@
|
||||
# Specify ``target_tenant`` when creating an RBAC policy
|
||||
# POST /rbac-policies
|
||||
# Intended scope(s): system, project
|
||||
#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
|
||||
#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been
|
||||
# deprecated since W in favor of
|
||||
# "create_rbac_policy:target_tenant":"role:admin and system_scope:all
|
||||
# or rule:restrict_wildcard".
|
||||
# or (not field:rbac_policy:target_tenant=*)".
|
||||
# The RBAC API now supports system scope and default roles.
|
||||
|
||||
# Update an RBAC policy
|
||||
@ -1802,13 +1802,13 @@
|
||||
# Update ``target_tenant`` attribute of an RBAC policy
|
||||
# PUT /rbac-policies/{id}
|
||||
# Intended scope(s): system, project
|
||||
#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
|
||||
#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_rbac_policy:target_tenant":"rule:restrict_wildcard and
|
||||
# rule:admin_or_owner" has been deprecated since W in favor of
|
||||
# "update_rbac_policy:target_tenant":"role:admin and system_scope:all
|
||||
# or rule:restrict_wildcard".
|
||||
# or (not field:rbac_policy:target_tenant=*)".
|
||||
# The RBAC API now supports system scope and default roles.
|
||||
|
||||
# Get an RBAC policy
|
||||
@ -1836,7 +1836,7 @@
|
||||
|
||||
# Create a router
|
||||
# POST /routers
|
||||
# Intended scope(s): project
|
||||
# Intended scope(s): system, project
|
||||
#"create_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
@ -2068,6 +2068,28 @@
|
||||
# system_scope:all) or (role:member and project_id:%(project_id)s)".
|
||||
# The router API now supports system scope and default roles.
|
||||
|
||||
# Add extra route to a router
|
||||
# PUT /routers/{id}/add_extraroutes
|
||||
# Intended scope(s): system, project
|
||||
#"add_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "add_extraroutes":"rule:admin_or_owner" has been deprecated since
|
||||
# Xena in favor of "add_extraroutes":"(role:admin and
|
||||
# system_scope:all) or (role:member and project_id:%(project_id)s)".
|
||||
# The router API now supports system scope and default roles.
|
||||
|
||||
# Remove extra route from a router
|
||||
# PUT /routers/{id}/remove_extraroutes
|
||||
# Intended scope(s): system, project
|
||||
#"remove_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# DEPRECATED
|
||||
# "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
|
||||
# Xena in favor of "remove_extraroutes":"(role:admin and
|
||||
# system_scope:all) or (role:member and project_id:%(project_id)s)".
|
||||
# The router API now supports system scope and default roles.
|
||||
|
||||
# Rule for admin or security group owner access
|
||||
#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
|
||||
|
||||
@ -2200,12 +2222,11 @@
|
||||
# Get service providers
|
||||
# GET /service-providers
|
||||
# Intended scope(s): system, project
|
||||
#"get_service_provider": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
#"get_service_provider": "role:reader"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_service_provider":"rule:regular_user" has been deprecated since
|
||||
# W in favor of "get_service_provider":"(role:reader and
|
||||
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
|
||||
# W in favor of "get_service_provider":"role:reader".
|
||||
# The Service Providers API now supports system scope and default
|
||||
# roles.
|
||||
|
||||
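Review bot: The `get_service_provider` default in the last hunk (`#"get_service_provider": "role:reader"`) no longer carries the `project_id:%(project_id)s` conjunct that the other reader rules in this file keep (compare `get_floatingip_pool` and `get_network:router:external` above), so with "Intended scope(s): system, project" any token holding the reader role, whatever its project or domain, satisfies it; that widening is presumably the upstream neutron default being synced rather than a local edit, but the rendered view prints both versions of the line without +/- markers, so I am inferring old-vs-new from the "deprecated since W in favor of ... role:reader" text and it is worth confirming against the neutron tag the file was generated from. Since nothing in the diff records that tag, I would add a one-line header comment such as `# Generated by oslopolicy-sample-generator from neutron <tag>; do not hand-edit` at the top of the file (outside this hunk) so the next sync can be diffed against a known source. These commented sample rules only document defaults and, as far as horizon is concerned, gate what the UI offers; the service still enforces its own policy, so a mismatch here shows or hides actions rather than granting access — worth stating in that header as well.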
|
@ -1116,7 +1116,7 @@
|
||||
|
||||
# DEPRECATED
|
||||
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
|
||||
# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
|
||||
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
|
||||
# groups:list":"rule:system_or_project_reader".
|
||||
# Nova API policies are introducing new default roles with scope_type
|
||||
# capabilities. Old policies are deprecated and silently going to be
|
||||
@ -1130,7 +1130,7 @@
|
||||
|
||||
# DEPRECATED
|
||||
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
|
||||
# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
|
||||
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
|
||||
# groups:add":"rule:system_admin_or_owner".
|
||||
# Nova API policies are introducing new default roles with scope_type
|
||||
# capabilities. Old policies are deprecated and silently going to be
|
||||
@ -1144,7 +1144,7 @@
|
||||
|
||||
# DEPRECATED
|
||||
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
|
||||
# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
|
||||
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
|
||||
# groups:remove":"rule:system_admin_or_owner".
|
||||
# Nova API policies are introducing new default roles with scope_type
|
||||
# capabilities. Old policies are deprecated and silently going to be
|
||||
|