diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml
index ee348b2c06..46d635804d 100644
--- a/openstack_dashboard/conf/default_policies/glance.yaml
+++ b/openstack_dashboard/conf/default_policies/glance.yaml
@@ -18,10 +18,10 @@
 name: context_is_admin
 operations: []
 scope_types: null
-- check_str: role:admin or (role:member and project_id:%(project_id)s)
+- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -39,7 +39,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -55,10 +55,10 @@
 - system
 - project
 - check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
- or "community":%(visibility)s or "public":%(visibility)s))
+ or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -76,7 +76,7 @@
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -94,7 +94,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -121,7 +121,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
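Review bot: `role:role:admin` in the new `add_image` check_str (hunk @@ -18) looks like a typo: oslo.policy reads `role:<name>` as a literal role-name match, so this clause only matches a role literally called `role:admin` and the admin branch silently never passes, while the glance_policy.yaml sample in this same commit spells the same rule `role:admin`. The intended line is almost certainly `- check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)`, and the two generated files should be regenerated from the same glance revision so they agree. The failure mode is fail-closed (admins lose the Create Image action in the dashboard rather than anyone gaining access), but it is still wrong as committed. The rest of the `add_image` entry (name, operations, scope_types) lies outside the hunk.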
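Review bot: The added `or "shared":%(visibility)s` disjunct in `get_image` (hunk @@ -55) makes any token with the `reader` role pass for every image whose visibility is `shared`, whether or not the caller's project is a member, which also makes the neighbouring `project_id:%(member_id)s` clause redundant for that case. Upstream glance presumably relies on its DB-layer membership filtering to keep non-members from actually seeing shared images, but Horizon evaluates this string only for UI gating and has no such filter, so readers of this file should not take it as the full access contract. A one-line note in the sync tooling or commit message would prevent that misreading: `# "shared" is allowed here because glance filters non-member access to shared images in its DB layer, not in policy`.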
@@ -140,7 +140,7 @@
 or "community":%(visibility)s or "public":%(visibility)s))
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -158,7 +158,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -176,7 +176,7 @@
 - check_str: role:admin
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -194,7 +194,7 @@
 - check_str: role:admin or (role:reader and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -212,7 +212,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -230,7 +230,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -248,7 +248,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -263,10 +263,10 @@
 scope_types:
 - system
 - project
-- check_str: role:admin or (role:reader and project_id:%(project_id)s)
+- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
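Review bot: The `download_image` entry (hunk @@ -140) keeps its check_str as an unchanged context line, `or "community":%(visibility)s or "public":%(visibility)s))`, with no `"shared"` disjunct, while the glance_policy.yaml sample in this same commit adds `or "shared":%(visibility)s` to `download_image` and `get_image` in this file does receive it. The two generated artifacts therefore disagree about what a `member` may download, which means they were produced from different glance revisions. Regenerate both from the same glance tag so default_policies/glance.yaml, the file Horizon actually loads, matches the documented sample, whichever of the two forms is the intended one. The start of the `download_image` entry, including the first line of its check_str, is outside the hunk.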
@@ -281,10 +281,10 @@
 scope_types:
 - system
 - project
-- check_str: role:admin or (role:reader and project_id:%(project_id)s)
+- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -299,10 +299,10 @@
 scope_types:
 - system
 - project
-- check_str: role:admin or (role:member and project_id:%(project_id)s)
+- check_str: role:admin or (role:member and project_id:%(member_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -327,7 +327,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -345,7 +345,7 @@
 - check_str: role:admin or (role:member and project_id:%(project_id)s)
 deprecated_reason: '
- The image API now supports and default roles.
+ The image API now supports roles.
 '
 deprecated_rule:
@@ -370,6 +370,18 @@
 - system
 - project
 - check_str: rule:default
+ deprecated_reason: '
+ From Xena we are enforcing policy checks in the API and policy layer where task
+ policies were enforcing will be removed. Since task APIs are already deprecated
+ and `tasks_api_access` is checked for each API at API layer, there will be no
+ benefit of other having other task related policies.
+ '
+ deprecated_rule:
+ check_str: rule:default
+ name: get_task
+ deprecated_since: X
 description: 'Get an image task.
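Review bot: The new `modify_member` check_str (hunk @@ -299) keys its non-admin branch solely on `project_id:%(member_id)s`, dropping `%(project_id)s`, whereas the `get_member`/`get_members` hunks next to it keep both. oslo.policy's generic check returns False when the target lacks the referenced key, so this rule passes for non-admins only if whatever Horizon hands the enforcer as the policy target carries `member_id`; if the dashboard's default target only supplies the caller's `project_id`/`user_id`, every non-admin use of this rule in the UI fails closed. I cannot see Horizon's target construction from this diff, so this is a point to confirm rather than a verified regression, and it is harmless if no dashboard view consults `modify_member`. The `name:` and `operations:` of the entry are outside the hunk.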
@@ -394,6 +406,18 @@
 - system
 - project
 - check_str: rule:default
+ deprecated_reason: '
+ From Xena we are enforcing policy checks in the API and policy layer where task
+ policies were enforcing will be removed. Since task APIs are already deprecated
+ and `tasks_api_access` is checked for each API at API layer, there will be no
+ benefit of other having other task related policies.
+ '
+ deprecated_rule:
+ check_str: rule:default
+ name: get_task
+ deprecated_since: X
 description: 'List tasks for all images.
@@ -418,6 +442,18 @@
 - system
 - project
 - check_str: rule:default
+ deprecated_reason: '
+ From Xena we are enforcing policy checks in the API and policy layer where task
+ policies were enforcing will be removed. Since task APIs are already deprecated
+ and `tasks_api_access` is checked for each API at API layer, there will be no
+ benefit of other having other task related policies.
+ '
+ deprecated_rule:
+ check_str: rule:default
+ name: add_task
+ deprecated_since: X
 description: 'List tasks for all images.
diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml
index 17d49fdc55..51161ebb22 100644
--- a/openstack_dashboard/conf/default_policies/keystone.yaml
+++ b/openstack_dashboard/conf/default_policies/keystone.yaml
@@ -467,9 +467,9 @@
 - method: HEAD
 path: /v3/domains/{domain_id}/config/security_compliance
 - method: GET
- path: v3/domains/{domain_id}/config/security_compliance/{option}
+ path: /v3/domains/{domain_id}/config/security_compliance/{option}
 - method: HEAD
- path: v3/domains/{domain_id}/config/security_compliance/{option}
+ path: /v3/domains/{domain_id}/config/security_compliance/{option}
 scope_types:
 - system
 - domain
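Review bot: In the entry described as 'List tasks for all images.' (hunk @@ -394, i.e. `get_tasks`) the added `deprecated_rule` is named `get_task`, the same name the preceding `get_task` entry uses, whereas glance_policy.yaml in this commit renders this deprecation as `"get_tasks":"rule:default" has been deprecated since X`. One of the two generated files is stale, or the upstream DeprecatedRule carries a copy-pasted name; if I read oslo.policy's deprecation handling right, the deprecated name is what an operator's old-style override is matched against and folded into the new rule, so the wrong name would let a `get_task` override leak into `get_tasks`. The line here should read `name: get_tasks`; regenerating both files from the same glance revision would settle which side is correct. The entry's own `name:` and `operations:` are outside the hunk.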
@@ -1887,15 +1887,7 @@
 or project_id:%(target.project.id)s
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
@@ -1917,15 +1909,7 @@
 or project_id:%(target.project.id)s
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
@@ -1947,15 +1931,7 @@
 or (role:admin and project_id:%(target.project.id)s)
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
@@ -1975,15 +1951,7 @@
 or (role:admin and project_id:%(target.project.id)s)
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
@@ -2003,15 +1971,7 @@
 or (role:admin and project_id:%(target.project.id)s)
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
@@ -2031,15 +1991,7 @@
 or (role:admin and project_id:%(target.project.id)s)
 deprecated_reason: '
- As of the Train release, the project tags API understands how to handle
- system-scoped tokens in addition to project and domain tokens, making the API
- more accessible to users without compromising security or manageability for
- administrators. The new default policies for this API account for these changes
- automatically.
+ The project API is now aware of system scope and default roles.
 '
 deprecated_rule:
diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml
index 13130dd048..0fa10c8484 100644
--- a/openstack_dashboard/conf/default_policies/neutron.yaml
+++ b/openstack_dashboard/conf/default_policies/neutron.yaml
@@ -529,6 +529,7 @@
 - method: POST
 path: /floatingips
 scope_types:
+ - system
 - project
 - check_str: role:admin and system_scope:all
 deprecated_reason: null
@@ -600,7 +601,7 @@
 - method: GET
 path: /floatingip_pools
 scope_types:
- - admin
+ - system
 - project
 - check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
 or rule:ext_parent_owner
@@ -752,6 +753,7 @@
 path: /log/logs
 scope_types:
 - system
+ - project
 - check_str: role:reader and system_scope:all
 deprecated_reason: null
 deprecated_rule:
@@ -898,6 +900,7 @@
 - method: POST
 path: /networks
 scope_types:
+ - system
 - project
 - check_str: role:admin and system_scope:all
 deprecated_reason: null
@@ -942,6 +945,7 @@
 name: create_network:port_security_enabled
 operations: *id001
 scope_types:
+ - system
 - project
 - check_str: role:admin and system_scope:all
 deprecated_reason: null
@@ -1014,6 +1018,7 @@
 name: get_network:router:external
 operations: *id002
 scope_types:
+ - system
 - project
 - check_str: role:reader and system_scope:all
 deprecated_reason: null
@@ -1379,6 +1384,7 @@
 name: create_port:binding:vnic_type
 operations: *id004
 scope_types:
+ - system
 - project
 - check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s
 or rule:network_owner
@@ -2046,7 +2052,7 @@
 scope_types:
 - system
 - project
-- check_str: role:admin and system_scope:all or rule:restrict_wildcard
+- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:restrict_wildcard
@@ -2074,7 +2080,7 @@
 scope_types:
 - project
 - system
-- check_str: role:admin and system_scope:all or rule:restrict_wildcard
+- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:restrict_wildcard and rule:admin_or_owner
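Review bot: The new `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant` check_strs (hunks @@ -2046 and @@ -2074) inline `not field:rbac_policy:target_tenant=*` in place of `rule:restrict_wildcard`, and `field:` is a check type that neutron registers in its own policy module rather than one oslo.policy ships. As far as I can tell a stock Enforcer parses it as a generic check that returns False for an unknown credential key, so under Horizon the `not ...` half evaluates to True for everyone and the only thing gating a `*` share in the dashboard is the `role:admin and system_scope:all` branch never being needed; neutron still enforces server-side, so this is UI permissiveness rather than an escalation, and if `restrict_wildcard` was itself defined via the same `field:` construct it is not new, merely now visible at top level. Unless Horizon registers an equivalent `field` check, a comment where Horizon builds its Enforcer noting that neutron's `field:` checks are not evaluated would stop someone treating this file as authoritative. The `name:` and `operations:` of both entries are outside the hunks.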
@@ -2130,6 +2136,7 @@
 - method: POST
 path: /routers
 scope_types:
+ - system
 - project
 - check_str: role:admin and system_scope:all
 deprecated_reason: null
@@ -2367,6 +2374,34 @@
 scope_types:
 - system
 - project
+- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: add_extraroutes
+ deprecated_since: null
+ description: Add extra route to a router
+ name: add_extraroutes
+ operations:
+ - method: PUT
+ path: /routers/{id}/add_extraroutes
+ scope_types:
+ - system
+ - project
+- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: remove_extraroutes
+ deprecated_since: null
+ description: Remove extra route from a router
+ name: remove_extraroutes
+ operations:
+ - method: PUT
+ path: /routers/{id}/remove_extraroutes
+ scope_types:
+ - system
+ - project
 - check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
 description: Rule for admin or security group owner access
 name: admin_or_sg_owner
@@ -2534,7 +2569,7 @@
 path: /segments/{id}
 scope_types:
 - system
-- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
+- check_str: role:reader
 deprecated_reason: null
 deprecated_rule:
 check_str: rule:regular_user
diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml
index 11b0be1d53..0c593877b9 100644
--- a/openstack_dashboard/conf/default_policies/nova.yaml
+++ b/openstack_dashboard/conf/default_policies/nova.yaml
@@ -1808,7 +1808,7 @@
 deprecated_rule:
 check_str: rule:admin_or_owner
 name: os_compute_api:os-security-groups
- deprecated_since: 21.0.0
+ deprecated_since: 22.0.0
 description: List security groups of server.
 name: os_compute_api:os-security-groups:list
 operations:
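Review bot: The `get_service_provider` check (hunk @@ -2534) drops from `(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)` to a bare `role:reader`, which no longer binds the check to either system scope or the caller's project, so any token carrying `reader` in any scope, including domain scope, now passes. For an ownerless, read-only listing that is a defensible simplification, but it is the only entry in this series of hunks that loosens rather than tightens, so the commit message should call it out, and the entry's `scope_types` (outside the hunk) should be checked to still list only the scopes the loosened string is meant to admit. The neighbouring `add_extraroutes`/`remove_extraroutes` entries (hunk @@ -2367) carry `deprecated_reason: null` while the neutron_policy.yaml sample prints a reason and 'since Xena' for them; that pattern matches the other neutron entries in this file, so it looks like a limitation of the generator rather than a defect in this change.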
@@ -1830,7 +1830,7 @@
 deprecated_rule:
 check_str: rule:admin_or_owner
 name: os_compute_api:os-security-groups
- deprecated_since: 21.0.0
+ deprecated_since: 22.0.0
 description: Add security groups to server.
 name: os_compute_api:os-security-groups:add
 operations:
@@ -1852,7 +1852,7 @@
 deprecated_rule:
 check_str: rule:admin_or_owner
 name: os_compute_api:os-security-groups
- deprecated_since: 21.0.0
+ deprecated_since: 22.0.0
 description: Remove security groups from server.
 name: os_compute_api:os-security-groups:remove
 operations:
diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml
index f7dda32cd4..4299d6edac 100644
--- a/openstack_dashboard/conf/glance_policy.yaml
+++ b/openstack_dashboard/conf/glance_policy.yaml
@@ -18,13 +18,13 @@
 # Create new image
 # POST /v2/images
 # Intended scope(s): system, project
-#"add_image": "role:admin or (role:member and project_id:%(project_id)s)"
+#"add_image": "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
 # DEPRECATED
 # "add_image":"rule:default" has been deprecated since W in favor of
 # "add_image":"role:admin or (role:member and
-# project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# project_id:%(project_id)s and project_id:%(owner)s)".
+# The image API now supports roles.
 # Deletes the image
 # DELETE /v2/images/{image_id}
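Review bot: The new `add_image` string (hunk @@ -18) adds `and project_id:%(owner)s`, which makes the member branch depend on an `owner` key being present in the policy target and equal to the caller's project. oslo.policy's generic check returns False when the target lacks the key, so Horizon's pre-flight check for the Create Image action passes for non-admins only if the dashboard populates `owner` in the target it hands to the enforcer; if it only passes `project_id`/`user_id`, the action disappears for every non-admin user even though glance itself would accept the request. I cannot see the target construction from this diff, so please confirm, and record the requirement where Horizon builds that target, e.g. `# glance's add_image check needs %(owner)s in the target (the creating project's id)`, since a comment in this generated sample would be lost on the next regeneration.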
@@ -35,19 +35,20 @@
 # "delete_image":"rule:default" has been deprecated since W in favor
 # of "delete_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Get specified image
 # GET /v2/images/{image_id}
 # Intended scope(s): system, project
-#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
+#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
 # DEPRECATED
 # "get_image":"rule:default" has been deprecated since W in favor of
 # "get_image":"role:admin or (role:reader and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s))".
-# The image API now supports and default roles.
+# "community":%(visibility)s or "public":%(visibility)s or
+# "shared":%(visibility)s))".
+# The image API now supports roles.
 # Get all available images
 # GET /v2/images
@@ -58,7 +59,7 @@
 # "get_images":"rule:default" has been deprecated since W in favor of
 # "get_images":"role:admin or (role:reader and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Updates given image
 # PATCH /v2/images/{image_id}
@@ -69,7 +70,7 @@
 # "modify_image":"rule:default" has been deprec
ated since W in favor
 # of "modify_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Publicize given image
 # PATCH /v2/images/{image_id}
@@ -85,19 +86,20 @@
 # "communitize_image":"rule:default" has been deprecated since W in
 # favor of "communitize_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Downloads given image
 # GET /v2/images/{image_id}/file
 # Intended scope(s): system, project
-#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"
+#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))"
 # DEPRECATED
 # "download_image":"rule:default" has been deprecated since W in favor
 # of "download_image":"role:admin or (role:member and
 # (project_id:%(project_id)s or project_id:%(member_id)s or
-# "community":%(visibility)s or "public":%(visibility)s))".
-# The image API now supports and default roles.
+# "community":%(visibility)s or "public":%(visibility)s or
+# "shared":%(visibility)s))".
+# The image API now supports roles.
 # Uploads data to specified image
 # PUT /v2/images/{image_id}/file
@@ -108,7 +110,7 @@
 # "upload_image":"rule:default" has been deprecated since W in favor
 # of "upload_image":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Deletes the location of given image
 # PATCH /v2/images/{image_id}
@@ -118,7 +120,7 @@
 # DEPRECATED
 # "delete_image_location":"rule:default" has been deprecated since W
 # in favor of "delete_image_location":"role:admin".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Reads the location of the image
 # GET /v2/images/{image_id}
@@ -129,7 +131,7 @@
 # "get_image_location":"rule:default" has been deprecated since W in
 # favor of "get_image_location":"role:admin or (role:reader and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Sets location URI to given image
 # PATCH /v2/images/{image_id}
@@ -140,7 +142,7 @@
 # "set_image_location":"rule:default" has been deprecated since W in
 # favor of "set_image_location":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Create image member
 # POST /v2/images/{image_id}/members
@@ -151,7 +153,7 @@
 # "add_member":"rule:default" has been deprecated since W in favor of
 # "add_member":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Delete image member
 # DELETE /v2/images/{image_id}/members/{member_id}
@@ -162,40 +164,40 @@
 # "delete_member":"rule:default" has been deprecated since W in favor
 # of "delete_member":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Show image member details
 # GET /v2/images/{image_id}/members/{member_id}
 # Intended scope(s): system, project
-#"get_member": "role:admin or (role:reader and project_id:%(project_id)s)"
+#"get_member": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
 # DEPRECATED
 # "get_member":"rule:default" has been deprecated since W in favor of
-# "get_member":"role:admin or (role:reader and
-# project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# "get_member":"role:admin or role:reader and
+# (project_id:%(project_id)s or project_id:%(member_id)s)".
+# The image API now supports roles.
 # List image members
 # GET /v2/images/{image_id}/members
 # Intended scope(s): system, project
-#"get_members": "role:admin or (role:reader and project_id:%(project_id)s)"
+#"get_members": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
 # DEPRECATED
 # "get_members":"rule:default" has been deprecated since W in favor of
-# "get_members":"role:admin or (role:reader and
-# project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# "get_members":"role:admin or role:reader and
+# (project_id:%(project_id)s or project_id:%(member_id)s)".
+# The image API now supports roles.
 # Update image member
 # PUT /v2/images/{image_id}/members/{member_id}
 # Intended scope(s): system, project
-#"modify_member": "role:admin or (role:member and project_id:%(project_id)s)"
+#"modify_member": "role:admin or (role:member and project_id:%(member_id)s)"
 # DEPRECATED
 # "modify_member":"rule:default" has been deprecated since W in favor
 # of "modify_member":"role:admin or (role:member and
-# project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# project_id:%(member_id)s)".
+# The image API now supports roles.
 # Manage image cache
 # Intended scope(s): system, project
@@ -210,7 +212,7 @@
 # "deactivate":"rule:default" has been deprecated since W in favor of
 # "deactivate":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Reactivate image
 # POST /v2/images/{image_id}/actions/reactivate
@@ -221,7 +223,7 @@
 # "reactivate":"rule:default" has been deprecated since W in favor of
 # "reactivate":"role:admin or (role:member and
 # project_id:%(project_id)s)".
-# The image API now supports and default roles.
+# The image API now supports roles.
 # Copy existing image to other stores
 # POST /v2/images/{image_id}/import
@@ -241,6 +243,15 @@
 # Intended scope(s): system, project
 #"get_task": "rule:default"
+# DEPRECATED
+# "get_task":"rule:default" has been deprecated since X in favor of
+# "get_task":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # List tasks for all images.
 #
 # This granular policy controls access to tasks, both from the tasks
@@ -254,6 +265,15 @@
 # Intended scope(s): system, project
 #"get_tasks": "rule:default"
+# DEPRECATED
+# "get_tasks":"rule:default" has been deprecated since X in favor of
+# "get_tasks":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # List tasks for all images.
 #
 # This granular policy controls access to tasks, both from the tasks
@@ -267,6 +287,15 @@
 # Intended scope(s): system, project
 #"add_task": "rule:default"
+# DEPRECATED
+# "add_task":"rule:default" has been deprecated since X in favor of
+# "add_task":"rule:default".
+# From Xena we are enforcing policy checks in the API and policy layer
+# where task policies were enforcing will be removed. Since task APIs
+# are already deprecated and `tasks_api_access` is checked for each
+# API at API layer, there will be no benefit of other having other
+# task related policies.
+
 # DEPRECATED
 # "modify_task" has been deprecated since W.
 # This policy check has never been honored by the API. It will be
diff --git a/openstack_dashboard/conf/keystone_policy.yaml b/openstack_dashboard/conf/keystone_policy.yaml
index 6439c74b5b..15913e796e 100644
--- a/openstack_dashboard/conf/keystone_policy.yaml
+++ b/openstack_dashboard/conf/keystone_policy.yaml
@@ -340,8 +340,8 @@
 # a specific option in a domain.
 # GET /v3/domains/{domain_id}/config/security_compliance
 # HEAD /v3/domains/{domain_id}/config/security_compliance
-# GET v3/domains/{domain_id}/config/security_compliance/{option}
+# GET /v3/domains/{domain_id}/config/security_compliance/{option}
-# HEAD v3/domains/{domain_id}/config/security_compliance/{option}
+# HEAD /v3/domains/{domain_id}/config/security_compliance/{option}
 # Intended scope(s): system, domain, project
 #"identity:get_security_compliance_domain_config": ""
@@ -1547,11 +1547,7 @@
 # system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # Check if project contains a tag.
 # GET /v3/projects/{project_id}/tags/{value}
@@ -1566,11 +1562,7 @@
 # system_scope:all) or (role:reader and
 # domain_id:%(target.project.domain_id)s) or
 # project_id:%(target.project.id)s".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # Replace all tags on a project with the new set of tags.
 # PUT /v3/projects/{project_id}/tags
@@ -1583,11 +1575,7 @@
 # "identity:update_project_tags":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # Add a single tag to a project.
 # PUT /v3/projects/{project_id}/tags/{value}
@@ -1600,11 +1588,7 @@
 # "identity:create_project_tag":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # Remove all tags from a project.
 # DELETE /v3/projects/{project_id}/tags
@@ -1617,11 +1601,7 @@
 # "identity:delete_project_tags":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # Delete a specified tag from project.
 # DELETE /v3/projects/{project_id}/tags/{value}
@@ -1634,11 +1614,7 @@
 # "identity:delete_project_tag":"(role:admin and system_scope:all) or
 # (role:admin and domain_id:%(target.project.domain_id)s) or
 # (role:admin and project_id:%(target.project.id)s)".
-# As of the Train release, the project tags API understands how to
-# handle system-scoped tokens in addition to project and domain
-# tokens, making the API more accessible to users without compromising
-# security or manageability for administrators. The new default
-# policies for this API account for these changes automatically.
+# The project API is now aware of system scope and default roles.
 # List projects allowed to access an endpoint.
 # GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml
index b98f9809d7..9784dc4bc3 100644
--- a/openstack_dashboard/conf/neutron_policy.yaml
+++ b/openstack_dashboard/conf/neutron_policy.yaml
@@ -403,7 +403,7 @@
 # Create a floating IP
 # POST /floatingips
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
@@ -460,7 +460,7 @@
 # Get floating IP pools
 # GET /floatingip_pools
-# Intended scope(s): admin, project
+# Intended scope(s): system, project
 #"get_floatingip_pool": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
@@ -708,7 +708,7 @@
 # Create a network
 # POST /networks
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
@@ -752,7 +752,7 @@
 # Specify ``port_security_enabled`` attribute when creating a network
 # POST /networks
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_network:port_security_enabled": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
@@ -826,7 +826,7 @@
 # Get ``router:external`` attribute of a network
 # GET /networks
 # GET /networks/{id}
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"get_network:router:external": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
 # DEPRECATED
@@ -1184,7 +1184,7 @@
 # Specify ``binding:vnic_type`` attribute when creating a port
 # POST /ports
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_port:binding:vnic_type": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
@@ -1779,13 +1779,13 @@
 # Specify ``target_tenant`` when creating an RBAC policy
 # POST /rbac-policies
 # Intended scope(s): system, project
-#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
+#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
 # DEPRECATED
 # "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been
 # deprecated since W in favor of
 # "create_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or rule:restrict_wildcard".
+# or (not field:rbac_policy:target_tenant=*)".
 # The RBAC API now supports system scope and default roles.
 # Update an RBAC policy
@@ -1802,13 +1802,13 @@
 # Update ``target_tenant`` attribute of an RBAC policy
 # PUT /rbac-policies/{id}
 # Intended scope(s): system, project
-#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or rule:restrict_wildcard"
+#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
 # DEPRECATED
 # "update_rbac_policy:target_tenant":"rule:restrict_wildcard and
 # rule:admin_or_owner" has been deprecated since W in favor of
 # "update_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or rule:restrict_wildcard".
+# or (not field:rbac_policy:target_tenant=*)".
 # The RBAC API now supports system scope and default roles.
 # Get an RBAC policy
@@ -1836,7 +1836,7 @@
 # Create a router
 # POST /routers
-# Intended scope(s): project
+# Intended scope(s): system, project
 #"create_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
 # DEPRECATED
@@ -2068,6 +2068,28 @@ # system_scope:all) or (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. +# Add extra route to a router +# PUT /routers/{id}/add_extraroutes +# Intended scope(s): system, project +#"add_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + +# DEPRECATED +# "add_extraroutes":"rule:admin_or_owner" has been deprecated since +# Xena in favor of "add_extraroutes":"(role:admin and +# system_scope:all) or (role:member and project_id:%(project_id)s)". +# The router API now supports system scope and default roles. + +# Remove extra route from a router +# PUT /routers/{id}/remove_extraroutes +# Intended scope(s): system, project +#"remove_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + +# DEPRECATED +# "remove_extraroutes":"rule:admin_or_owner" has been deprecated since +# Xena in favor of "remove_extraroutes":"(role:admin and +# system_scope:all) or (role:member and project_id:%(project_id)s)". +# The router API now supports system scope and default roles. + # Rule for admin or security group owner access #"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s" @@ -2200,12 +2222,11 @@ # Get service providers # GET /service-providers # Intended scope(s): system, project -#"get_service_provider": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +#"get_service_provider": "role:reader" # DEPRECATED # "get_service_provider":"rule:regular_user" has been deprecated since -# W in favor of "get_service_provider":"(role:reader and -# system_scope:all) or (role:reader and project_id:%(project_id)s)". +# W in favor of "get_service_provider":"role:reader". # The Service Providers API now supports system scope and default # roles. 
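Review bot: The new `add_extraroutes` and `remove_extraroutes` entries exist here only as commented sample text, and Horizon evaluates policy from its `default_policies` files rather than from these comments, so a dashboard check on either rule name has no default unless a matching entry was added there in the same change. The `get_service_provider` hunk below it has the same dependency with a sharper edge: its default drops the system/project-scoped reader check in favor of bare `role:reader`, and if the evaluated default keeps the older scoped form the dashboard and the API will disagree on who may list service providers. Please confirm the corresponding neutron default-policy file was regenerated together with this sample, and that the commit message calls out the `get_service_provider` loosening so operators carrying local overrides can review it. The API server remains the authoritative enforcement point regardless of what the dashboard shows.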
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml
index 091a89b400..babffa2bb8 100644
--- a/openstack_dashboard/conf/nova_policy.yaml
+++ b/openstack_dashboard/conf/nova_policy.yaml
@@ -1116,7 +1116,7 @@

 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:list":"rule:system_or_project_reader".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
@@ -1130,7 +1130,7 @@

 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:add":"rule:system_admin_or_owner".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
@@ -1144,7 +1144,7 @@

 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
-# deprecated since 21.0.0 in favor of "os_compute_api:os-security-
+# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
 # groups:remove":"rule:system_admin_or_owner".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
