Update Horizon to use latest nova policy rules for validation
As Nova's API is unified to os_compute_api, the API policies are also updated to use this format, Horizon needs to use Nova policy enforce rules in the codebase. This patch also update nova_policy.json using oslo-config-generator for Nova policy file. Co-Authored-By: Rob Cresswell <robert.cresswell@outlook.com> Implements: blueprint update-nova-enforce-policies Change-Id: Id7d01a39930c88592301a5035f0befe5293a78fa
This commit is contained in:
parent
f54c52418b
commit
c61ae4f083
@ -2,436 +2,175 @@
|
|||||||
"context_is_admin": "role:admin",
|
"context_is_admin": "role:admin",
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
|
|
||||||
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
|
|
||||||
|
|
||||||
"compute:create": "rule:admin_or_owner",
|
|
||||||
"compute:create:attach_network": "rule:admin_or_owner",
|
|
||||||
"compute:create:attach_volume": "rule:admin_or_owner",
|
|
||||||
"compute:create:forced_host": "is_admin:True",
|
|
||||||
|
|
||||||
"compute:get": "rule:admin_or_owner",
|
|
||||||
"compute:get_all": "rule:admin_or_owner",
|
|
||||||
"compute:get_all_tenants": "is_admin:True",
|
|
||||||
|
|
||||||
"compute:update": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:get_instance_metadata": "rule:admin_or_owner",
|
|
||||||
"compute:get_all_instance_metadata": "rule:admin_or_owner",
|
|
||||||
"compute:get_all_instance_system_metadata": "rule:admin_or_owner",
|
|
||||||
"compute:update_instance_metadata": "rule:admin_or_owner",
|
|
||||||
"compute:delete_instance_metadata": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:get_diagnostics": "rule:admin_or_owner",
|
|
||||||
"compute:get_instance_diagnostics": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:start": "rule:admin_or_owner",
|
|
||||||
"compute:stop": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:lock": "rule:admin_or_owner",
|
|
||||||
"compute:unlock": "rule:admin_or_owner",
|
|
||||||
"compute:unlock_override": "rule:admin_api",
|
|
||||||
|
|
||||||
"compute:get_vnc_console": "rule:admin_or_owner",
|
|
||||||
"compute:get_spice_console": "rule:admin_or_owner",
|
|
||||||
"compute:get_rdp_console": "rule:admin_or_owner",
|
|
||||||
"compute:get_serial_console": "rule:admin_or_owner",
|
|
||||||
"compute:get_mks_console": "rule:admin_or_owner",
|
|
||||||
"compute:get_console_output": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:reset_network": "rule:admin_or_owner",
|
|
||||||
"compute:inject_network_info": "rule:admin_or_owner",
|
|
||||||
"compute:add_fixed_ip": "rule:admin_or_owner",
|
|
||||||
"compute:remove_fixed_ip": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:attach_volume": "rule:admin_or_owner",
|
|
||||||
"compute:detach_volume": "rule:admin_or_owner",
|
|
||||||
"compute:swap_volume": "rule:admin_api",
|
|
||||||
|
|
||||||
"compute:attach_interface": "rule:admin_or_owner",
|
|
||||||
"compute:detach_interface": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:set_admin_password": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:rescue": "rule:admin_or_owner",
|
|
||||||
"compute:unrescue": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:suspend": "rule:admin_or_owner",
|
|
||||||
"compute:resume": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:pause": "rule:admin_or_owner",
|
|
||||||
"compute:unpause": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:shelve": "rule:admin_or_owner",
|
|
||||||
"compute:shelve_offload": "rule:admin_or_owner",
|
|
||||||
"compute:unshelve": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:snapshot": "rule:admin_or_owner",
|
|
||||||
"compute:snapshot_volume_backed": "rule:admin_or_owner",
|
|
||||||
"compute:backup": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:resize": "rule:admin_or_owner",
|
|
||||||
"compute:confirm_resize": "rule:admin_or_owner",
|
|
||||||
"compute:revert_resize": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:rebuild": "rule:admin_or_owner",
|
|
||||||
"compute:reboot": "rule:admin_or_owner",
|
|
||||||
"compute:delete": "rule:admin_or_owner",
|
|
||||||
"compute:soft_delete": "rule:admin_or_owner",
|
|
||||||
"compute:force_delete": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:security_groups:add_to_instance": "rule:admin_or_owner",
|
|
||||||
"compute:security_groups:remove_from_instance": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:restore": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"compute:volume_snapshot_create": "rule:admin_or_owner",
|
|
||||||
"compute:volume_snapshot_delete": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"admin_api": "is_admin:True",
|
"admin_api": "is_admin:True",
|
||||||
"compute_extension:accounts": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
|
|
||||||
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions:resetState": "rule:admin_api",
|
|
||||||
"compute_extension:admin_actions:migrate": "rule:admin_api",
|
|
||||||
"compute_extension:aggregates": "rule:admin_api",
|
|
||||||
"compute_extension:agents": "rule:admin_api",
|
|
||||||
"compute_extension:attach_interfaces": "rule:admin_or_owner",
|
|
||||||
"compute_extension:baremetal_nodes": "rule:admin_api",
|
|
||||||
"compute_extension:cells": "rule:admin_api",
|
|
||||||
"compute_extension:cells:create": "rule:admin_api",
|
|
||||||
"compute_extension:cells:delete": "rule:admin_api",
|
|
||||||
"compute_extension:cells:update": "rule:admin_api",
|
|
||||||
"compute_extension:cells:sync_instances": "rule:admin_api",
|
|
||||||
"compute_extension:certificates": "rule:admin_or_owner",
|
|
||||||
"compute_extension:cloudpipe": "rule:admin_api",
|
|
||||||
"compute_extension:cloudpipe_update": "rule:admin_api",
|
|
||||||
"compute_extension:config_drive": "rule:admin_or_owner",
|
|
||||||
"compute_extension:console_output": "rule:admin_or_owner",
|
|
||||||
"compute_extension:consoles": "rule:admin_or_owner",
|
|
||||||
"compute_extension:createserverext": "rule:admin_or_owner",
|
|
||||||
"compute_extension:deferred_delete": "rule:admin_or_owner",
|
|
||||||
"compute_extension:disk_config": "rule:admin_or_owner",
|
|
||||||
"compute_extension:evacuate": "rule:admin_api",
|
|
||||||
"compute_extension:extended_server_attributes": "rule:admin_api",
|
|
||||||
"compute_extension:extended_status": "rule:admin_or_owner",
|
|
||||||
"compute_extension:extended_availability_zone": "rule:admin_or_owner",
|
|
||||||
"compute_extension:extended_ips": "rule:admin_or_owner",
|
|
||||||
"compute_extension:extended_ips_mac": "rule:admin_or_owner",
|
|
||||||
"compute_extension:extended_vif_net": "rule:admin_or_owner",
|
|
||||||
"compute_extension:extended_volumes": "rule:admin_or_owner",
|
|
||||||
"compute_extension:fixed_ips": "rule:admin_api",
|
|
||||||
"compute_extension:flavor_access": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
|
|
||||||
"compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
|
|
||||||
"compute_extension:flavor_disabled": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavor_rxtx": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavor_swap": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavorextradata": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavorextraspecs:index": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavorextraspecs:show": "rule:admin_or_owner",
|
|
||||||
"compute_extension:flavorextraspecs:create": "rule:admin_api",
|
|
||||||
"compute_extension:flavorextraspecs:update": "rule:admin_api",
|
|
||||||
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
|
|
||||||
"compute_extension:flavormanage": "rule:admin_api",
|
|
||||||
"compute_extension:floating_ip_dns": "rule:admin_or_owner",
|
|
||||||
"compute_extension:floating_ip_pools": "rule:admin_or_owner",
|
|
||||||
"compute_extension:floating_ips": "rule:admin_or_owner",
|
|
||||||
"compute_extension:floating_ips_bulk": "rule:admin_api",
|
|
||||||
"compute_extension:fping": "rule:admin_or_owner",
|
|
||||||
"compute_extension:fping:all_tenants": "rule:admin_api",
|
|
||||||
"compute_extension:hide_server_addresses": "is_admin:False",
|
|
||||||
"compute_extension:hosts": "rule:admin_api",
|
|
||||||
"compute_extension:hypervisors": "rule:admin_api",
|
|
||||||
"compute_extension:image_size": "rule:admin_or_owner",
|
|
||||||
"compute_extension:instance_actions": "rule:admin_or_owner",
|
|
||||||
"compute_extension:instance_actions:events": "rule:admin_api",
|
|
||||||
"compute_extension:instance_usage_audit_log": "rule:admin_api",
|
|
||||||
"compute_extension:keypairs": "rule:admin_or_owner",
|
|
||||||
"compute_extension:keypairs:index": "rule:admin_or_owner",
|
|
||||||
"compute_extension:keypairs:show": "rule:admin_or_owner",
|
|
||||||
"compute_extension:keypairs:create": "rule:admin_or_owner",
|
|
||||||
"compute_extension:keypairs:delete": "rule:admin_or_owner",
|
|
||||||
"compute_extension:multinic": "rule:admin_or_owner",
|
|
||||||
"compute_extension:networks": "rule:admin_api",
|
|
||||||
"compute_extension:networks:view": "rule:admin_or_owner",
|
|
||||||
"compute_extension:networks_associate": "rule:admin_api",
|
|
||||||
"compute_extension:os-tenant-networks": "rule:admin_or_owner",
|
|
||||||
"compute_extension:quotas:show": "rule:admin_or_owner",
|
|
||||||
"compute_extension:quotas:update": "rule:admin_api",
|
|
||||||
"compute_extension:quotas:delete": "rule:admin_api",
|
|
||||||
"compute_extension:quota_classes": "rule:admin_or_owner",
|
|
||||||
"compute_extension:rescue": "rule:admin_or_owner",
|
|
||||||
"compute_extension:security_group_default_rules": "rule:admin_api",
|
|
||||||
"compute_extension:security_groups": "rule:admin_or_owner",
|
|
||||||
"compute_extension:server_diagnostics": "rule:admin_api",
|
|
||||||
"compute_extension:server_groups": "rule:admin_or_owner",
|
|
||||||
"compute_extension:server_password": "rule:admin_or_owner",
|
|
||||||
"compute_extension:server_usage": "rule:admin_or_owner",
|
|
||||||
"compute_extension:services": "rule:admin_api",
|
|
||||||
"compute_extension:shelve": "rule:admin_or_owner",
|
|
||||||
"compute_extension:shelveOffload": "rule:admin_api",
|
|
||||||
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
|
|
||||||
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
|
|
||||||
"compute_extension:unshelve": "rule:admin_or_owner",
|
|
||||||
"compute_extension:users": "rule:admin_api",
|
|
||||||
"compute_extension:virtual_interfaces": "rule:admin_or_owner",
|
|
||||||
"compute_extension:virtual_storage_arrays": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volumes": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volume_attachments:index": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volume_attachments:show": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volume_attachments:create": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volume_attachments:update": "rule:admin_api",
|
|
||||||
"compute_extension:volume_attachments:delete": "rule:admin_or_owner",
|
|
||||||
"compute_extension:volumetypes": "rule:admin_or_owner",
|
|
||||||
"compute_extension:availability_zone:list": "rule:admin_or_owner",
|
|
||||||
"compute_extension:availability_zone:detail": "rule:admin_api",
|
|
||||||
"compute_extension:used_limits_for_admin": "rule:admin_api",
|
|
||||||
"compute_extension:migrations:index": "rule:admin_api",
|
|
||||||
"compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
|
|
||||||
"compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
|
|
||||||
"compute_extension:console_auth_tokens": "rule:admin_api",
|
|
||||||
"compute_extension:os-server-external-events:create": "rule:admin_api",
|
|
||||||
|
|
||||||
"network:get_all": "rule:admin_or_owner",
|
|
||||||
"network:get": "rule:admin_or_owner",
|
|
||||||
"network:create": "rule:admin_or_owner",
|
|
||||||
"network:delete": "rule:admin_or_owner",
|
|
||||||
"network:associate": "rule:admin_or_owner",
|
|
||||||
"network:disassociate": "rule:admin_or_owner",
|
|
||||||
"network:get_vifs_by_instance": "rule:admin_or_owner",
|
|
||||||
"network:allocate_for_instance": "rule:admin_or_owner",
|
|
||||||
"network:deallocate_for_instance": "rule:admin_or_owner",
|
|
||||||
"network:validate_networks": "rule:admin_or_owner",
|
|
||||||
"network:get_instance_uuids_by_ip_filter": "rule:admin_or_owner",
|
|
||||||
"network:get_instance_id_by_floating_address": "rule:admin_or_owner",
|
|
||||||
"network:setup_networks_on_host": "rule:admin_or_owner",
|
|
||||||
"network:get_backdoor_port": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"network:get_floating_ip": "rule:admin_or_owner",
|
|
||||||
"network:get_floating_ip_pools": "rule:admin_or_owner",
|
|
||||||
"network:get_floating_ip_by_address": "rule:admin_or_owner",
|
|
||||||
"network:get_floating_ips_by_project": "rule:admin_or_owner",
|
|
||||||
"network:get_floating_ips_by_fixed_address": "rule:admin_or_owner",
|
|
||||||
"network:allocate_floating_ip": "rule:admin_or_owner",
|
|
||||||
"network:associate_floating_ip": "rule:admin_or_owner",
|
|
||||||
"network:disassociate_floating_ip": "rule:admin_or_owner",
|
|
||||||
"network:release_floating_ip": "rule:admin_or_owner",
|
|
||||||
"network:migrate_instance_start": "rule:admin_or_owner",
|
|
||||||
"network:migrate_instance_finish": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"network:get_fixed_ip": "rule:admin_or_owner",
|
|
||||||
"network:get_fixed_ip_by_address": "rule:admin_or_owner",
|
|
||||||
"network:add_fixed_ip_to_instance": "rule:admin_or_owner",
|
|
||||||
"network:remove_fixed_ip_from_instance": "rule:admin_or_owner",
|
|
||||||
"network:add_network_to_project": "rule:admin_or_owner",
|
|
||||||
"network:get_instance_nw_info": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"network:get_dns_domains": "rule:admin_or_owner",
|
|
||||||
"network:add_dns_entry": "rule:admin_or_owner",
|
|
||||||
"network:modify_dns_entry": "rule:admin_or_owner",
|
|
||||||
"network:delete_dns_entry": "rule:admin_or_owner",
|
|
||||||
"network:get_dns_entries_by_address": "rule:admin_or_owner",
|
|
||||||
"network:get_dns_entries_by_name": "rule:admin_or_owner",
|
|
||||||
"network:create_private_dns_domain": "rule:admin_or_owner",
|
|
||||||
"network:create_public_dns_domain": "rule:admin_or_owner",
|
|
||||||
"network:delete_dns_domain": "rule:admin_or_owner",
|
|
||||||
"network:attach_external_network": "rule:admin_api",
|
|
||||||
"network:get_vif_by_mac_address": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
|
|
||||||
"os_compute_api:servers:index:get_all_tenants": "is_admin:True",
|
|
||||||
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:create": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:create:forced_host": "rule:admin_api",
|
|
||||||
"os_compute_api:servers:delete": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:update": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:detail": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:index": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:reboot": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:rebuild": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:resize": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:revert_resize": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:show": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:show:host_status": "rule:admin_api",
|
|
||||||
"os_compute_api:servers:create_image": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:start": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:stop": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:servers:migrations:force_complete": "rule:admin_api",
|
|
||||||
"os_compute_api:servers:migrations:delete": "rule:admin_api",
|
|
||||||
"os_compute_api:servers:discoverable": "@",
|
|
||||||
"os_compute_api:servers:migrations:index": "rule:admin_api",
|
|
||||||
"os_compute_api:servers:migrations:show": "rule:admin_api",
|
|
||||||
"os_compute_api:os-access-ips:discoverable": "@",
|
|
||||||
"os_compute_api:os-access-ips": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-admin-actions": "rule:admin_api",
|
|
||||||
"os_compute_api:os-admin-actions:discoverable": "@",
|
"os_compute_api:os-admin-actions:discoverable": "@",
|
||||||
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
|
|
||||||
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
|
|
||||||
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
|
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
|
||||||
"os_compute_api:os-admin-password": "rule:admin_or_owner",
|
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
|
||||||
|
"os_compute_api:os-admin-actions": "rule:admin_api",
|
||||||
|
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
|
||||||
"os_compute_api:os-admin-password:discoverable": "@",
|
"os_compute_api:os-admin-password:discoverable": "@",
|
||||||
"os_compute_api:os-aggregates:discoverable": "@",
|
"os_compute_api:os-admin-password": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-aggregates:index": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:create": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:show": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:update": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:delete": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
|
|
||||||
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
|
|
||||||
"os_compute_api:os-agents": "rule:admin_api",
|
"os_compute_api:os-agents": "rule:admin_api",
|
||||||
"os_compute_api:os-agents:discoverable": "@",
|
"os_compute_api:os-agents:discoverable": "@",
|
||||||
|
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:discoverable": "@",
|
||||||
|
"os_compute_api:os-aggregates:create": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:index": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:delete": "rule:admin_api",
|
||||||
|
"os_compute_api:os-aggregates:show": "rule:admin_api",
|
||||||
|
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
|
||||||
|
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
|
||||||
|
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
|
||||||
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
|
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-attach-interfaces:discoverable": "@",
|
"os_compute_api:os-attach-interfaces:discoverable": "@",
|
||||||
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
|
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-availability-zone:discoverable": "@",
|
||||||
|
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
|
||||||
"os_compute_api:os-baremetal-nodes:discoverable": "@",
|
"os_compute_api:os-baremetal-nodes:discoverable": "@",
|
||||||
|
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
|
||||||
|
"network:attach_external_network": "is_admin:True",
|
||||||
|
"os_compute_api:os-block-device-mapping:discoverable": "@",
|
||||||
"os_compute_api:os-block-device-mapping-v1:discoverable": "@",
|
"os_compute_api:os-block-device-mapping-v1:discoverable": "@",
|
||||||
"os_compute_api:os-cells": "rule:admin_api",
|
|
||||||
"os_compute_api:os-cells:create": "rule:admin_api",
|
|
||||||
"os_compute_api:os-cells:delete": "rule:admin_api",
|
|
||||||
"os_compute_api:os-cells:update": "rule:admin_api",
|
|
||||||
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
|
|
||||||
"os_compute_api:os-cells:discoverable": "@",
|
"os_compute_api:os-cells:discoverable": "@",
|
||||||
|
"os_compute_api:os-cells:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-cells:create": "rule:admin_api",
|
||||||
|
"os_compute_api:os-cells": "rule:admin_api",
|
||||||
|
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
|
||||||
|
"os_compute_api:os-cells:delete": "rule:admin_api",
|
||||||
|
"cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
|
||||||
|
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
|
||||||
|
"os_compute_api:os-certificates:discoverable": "@",
|
||||||
"os_compute_api:os-certificates:create": "rule:admin_or_owner",
|
"os_compute_api:os-certificates:create": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-certificates:show": "rule:admin_or_owner",
|
"os_compute_api:os-certificates:show": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-certificates:discoverable": "@",
|
|
||||||
"os_compute_api:os-cloudpipe": "rule:admin_api",
|
"os_compute_api:os-cloudpipe": "rule:admin_api",
|
||||||
"os_compute_api:os-cloudpipe:discoverable": "@",
|
"os_compute_api:os-cloudpipe:discoverable": "@",
|
||||||
"os_compute_api:os-config-drive": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-config-drive:discoverable": "@",
|
"os_compute_api:os-config-drive:discoverable": "@",
|
||||||
"os_compute_api:os-consoles:discoverable": "@",
|
"os_compute_api:os-config-drive": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-consoles:create": "rule:admin_or_owner",
|
"os_compute_api:os-console-auth-tokens:discoverable": "@",
|
||||||
"os_compute_api:os-consoles:delete": "rule:admin_or_owner",
|
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
|
||||||
"os_compute_api:os-consoles:index": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-consoles:show": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-console-output:discoverable": "@",
|
"os_compute_api:os-console-output:discoverable": "@",
|
||||||
"os_compute_api:os-console-output": "rule:admin_or_owner",
|
"os_compute_api:os-console-output": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-remote-consoles": "rule:admin_or_owner",
|
"os_compute_api:os-consoles:create": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-remote-consoles:discoverable": "@",
|
"os_compute_api:os-consoles:show": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-consoles:delete": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-consoles:discoverable": "@",
|
||||||
|
"os_compute_api:os-consoles:index": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-create-backup:discoverable": "@",
|
"os_compute_api:os-create-backup:discoverable": "@",
|
||||||
"os_compute_api:os-create-backup": "rule:admin_or_owner",
|
"os_compute_api:os-create-backup": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-deferred-delete": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-deferred-delete:discoverable": "@",
|
"os_compute_api:os-deferred-delete:discoverable": "@",
|
||||||
"os_compute_api:os-disk-config": "rule:admin_or_owner",
|
"os_compute_api:os-deferred-delete": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-disk-config:discoverable": "@",
|
|
||||||
"os_compute_api:os-evacuate": "rule:admin_api",
|
|
||||||
"os_compute_api:os-evacuate:discoverable": "@",
|
"os_compute_api:os-evacuate:discoverable": "@",
|
||||||
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
|
"os_compute_api:os-evacuate": "rule:admin_api",
|
||||||
"os_compute_api:os-extended-server-attributes:discoverable": "@",
|
|
||||||
"os_compute_api:os-extended-status": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-extended-status:discoverable": "@",
|
|
||||||
"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner",
|
"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-extended-availability-zone:discoverable": "@",
|
"os_compute_api:os-extended-availability-zone:discoverable": "@",
|
||||||
"os_compute_api:extensions": "rule:admin_or_owner",
|
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
|
||||||
"os_compute_api:extensions:discoverable": "@",
|
"os_compute_api:os-extended-server-attributes:discoverable": "@",
|
||||||
"os_compute_api:extension_info:discoverable": "@",
|
"os_compute_api:os-extended-status:discoverable": "@",
|
||||||
|
"os_compute_api:os-extended-status": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-extended-volumes": "rule:admin_or_owner",
|
"os_compute_api:os-extended-volumes": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-extended-volumes:discoverable": "@",
|
"os_compute_api:os-extended-volumes:discoverable": "@",
|
||||||
"os_compute_api:os-fixed-ips": "rule:admin_api",
|
"os_compute_api:extension_info:discoverable": "@",
|
||||||
|
"os_compute_api:extensions": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:extensions:discoverable": "@",
|
||||||
"os_compute_api:os-fixed-ips:discoverable": "@",
|
"os_compute_api:os-fixed-ips:discoverable": "@",
|
||||||
"os_compute_api:os-flavor-access": "rule:admin_or_owner",
|
"os_compute_api:os-fixed-ips": "rule:admin_api",
|
||||||
|
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
|
||||||
"os_compute_api:os-flavor-access:discoverable": "@",
|
"os_compute_api:os-flavor-access:discoverable": "@",
|
||||||
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
|
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
|
||||||
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
|
"os_compute_api:os-flavor-access": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-flavor-rxtx:discoverable": "@",
|
|
||||||
"os_compute_api:flavors": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:flavors:discoverable": "@",
|
|
||||||
"os_compute_api:os-flavor-extra-specs:discoverable": "@",
|
|
||||||
"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
|
"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
|
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
|
||||||
|
"os_compute_api:os-flavor-extra-specs:discoverable": "@",
|
||||||
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
|
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
|
||||||
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
|
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
|
||||||
"os_compute_api:os-flavor-manage:discoverable": "@",
|
"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-flavor-manage": "rule:admin_api",
|
"os_compute_api:os-flavor-manage": "rule:admin_api",
|
||||||
|
"os_compute_api:os-flavor-manage:discoverable": "@",
|
||||||
|
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-flavor-rxtx:discoverable": "@",
|
||||||
|
"os_compute_api:flavors:discoverable": "@",
|
||||||
|
"os_compute_api:flavors": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
|
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-floating-ip-dns:discoverable": "@",
|
|
||||||
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
|
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-floating-ip-dns:discoverable": "@",
|
||||||
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
|
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
|
||||||
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-floating-ip-pools:discoverable": "@",
|
"os_compute_api:os-floating-ip-pools:discoverable": "@",
|
||||||
|
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-floating-ips": "rule:admin_or_owner",
|
"os_compute_api:os-floating-ips": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-floating-ips:discoverable": "@",
|
"os_compute_api:os-floating-ips:discoverable": "@",
|
||||||
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
|
|
||||||
"os_compute_api:os-floating-ips-bulk:discoverable": "@",
|
"os_compute_api:os-floating-ips-bulk:discoverable": "@",
|
||||||
"os_compute_api:os-fping": "rule:admin_or_owner",
|
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
|
||||||
"os_compute_api:os-fping:discoverable": "@",
|
|
||||||
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
|
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
|
||||||
"os_compute_api:os-hide-server-addresses": "is_admin:False",
|
"os_compute_api:os-fping:discoverable": "@",
|
||||||
|
"os_compute_api:os-fping": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-hide-server-addresses:discoverable": "@",
|
"os_compute_api:os-hide-server-addresses:discoverable": "@",
|
||||||
"os_compute_api:os-hosts": "rule:admin_api",
|
"os_compute_api:os-hide-server-addresses": "is_admin:False",
|
||||||
"os_compute_api:os-hosts:discoverable": "@",
|
"os_compute_api:os-hosts:discoverable": "@",
|
||||||
"os_compute_api:os-hypervisors": "rule:admin_api",
|
"os_compute_api:os-hosts": "rule:admin_api",
|
||||||
"os_compute_api:os-hypervisors:discoverable": "@",
|
"os_compute_api:os-hypervisors:discoverable": "@",
|
||||||
"os_compute_api:images:discoverable": "@",
|
"os_compute_api:os-hypervisors": "rule:admin_api",
|
||||||
"os_compute_api:image-size": "rule:admin_or_owner",
|
"os_compute_api:image-metadata:discoverable": "@",
|
||||||
"os_compute_api:image-size:discoverable": "@",
|
"os_compute_api:image-size:discoverable": "@",
|
||||||
|
"os_compute_api:image-size": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:images:discoverable": "@",
|
||||||
|
"os_compute_api:os-instance-actions:events": "rule:admin_api",
|
||||||
"os_compute_api:os-instance-actions": "rule:admin_or_owner",
|
"os_compute_api:os-instance-actions": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-instance-actions:discoverable": "@",
|
"os_compute_api:os-instance-actions:discoverable": "@",
|
||||||
"os_compute_api:os-instance-actions:events": "rule:admin_api",
|
|
||||||
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
|
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
|
||||||
"os_compute_api:os-instance-usage-audit-log:discoverable": "@",
|
"os_compute_api:os-instance-usage-audit-log:discoverable": "@",
|
||||||
"os_compute_api:ips:discoverable": "@",
|
"os_compute_api:ips:discoverable": "@",
|
||||||
"os_compute_api:ips:index": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:ips:show": "rule:admin_or_owner",
|
"os_compute_api:ips:show": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:ips:index": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-keypairs:discoverable": "@",
|
"os_compute_api:os-keypairs:discoverable": "@",
|
||||||
"os_compute_api:os-keypairs": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
|
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
|
||||||
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
|
|
||||||
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
|
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
|
||||||
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
|
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
|
||||||
|
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
|
||||||
|
"os_compute_api:os-keypairs": "rule:admin_or_owner",
|
||||||
"os_compute_api:limits:discoverable": "@",
|
"os_compute_api:limits:discoverable": "@",
|
||||||
"os_compute_api:limits": "rule:admin_or_owner",
|
"os_compute_api:limits": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-lock-server:discoverable": "@",
|
"os_compute_api:os-lock-server:discoverable": "@",
|
||||||
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
|
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
|
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
|
||||||
"os_compute_api:os-migrate-server:discoverable": "@",
|
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
|
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
|
||||||
|
"os_compute_api:os-migrate-server:discoverable": "@",
|
||||||
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
|
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
|
||||||
|
"os_compute_api:os-migrations:index": "rule:admin_api",
|
||||||
|
"os_compute_api:os-migrations:discoverable": "@",
|
||||||
"os_compute_api:os-multinic": "rule:admin_or_owner",
|
"os_compute_api:os-multinic": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-multinic:discoverable": "@",
|
"os_compute_api:os-multinic:discoverable": "@",
|
||||||
|
"os_compute_api:os-multiple-create:discoverable": "@",
|
||||||
|
"os_compute_api:os-networks:discoverable": "@",
|
||||||
"os_compute_api:os-networks": "rule:admin_api",
|
"os_compute_api:os-networks": "rule:admin_api",
|
||||||
"os_compute_api:os-networks:view": "rule:admin_or_owner",
|
"os_compute_api:os-networks:view": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-networks:discoverable": "@",
|
|
||||||
"os_compute_api:os-networks-associate": "rule:admin_api",
|
"os_compute_api:os-networks-associate": "rule:admin_api",
|
||||||
"os_compute_api:os-networks-associate:discoverable": "@",
|
"os_compute_api:os-networks-associate:discoverable": "@",
|
||||||
|
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-pause-server:discoverable": "@",
|
"os_compute_api:os-pause-server:discoverable": "@",
|
||||||
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
|
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-pci:discoverable": "@",
|
|
||||||
"os_compute_api:os-pci:index": "rule:admin_api",
|
"os_compute_api:os-pci:index": "rule:admin_api",
|
||||||
"os_compute_api:os-pci:detail": "rule:admin_api",
|
"os_compute_api:os-pci:detail": "rule:admin_api",
|
||||||
|
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-pci:show": "rule:admin_api",
|
"os_compute_api:os-pci:show": "rule:admin_api",
|
||||||
"os_compute_api:os-personality:discoverable": "@",
|
"os_compute_api:os-pci:discoverable": "@",
|
||||||
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "@",
|
|
||||||
"os_compute_api:os-quota-sets:discoverable": "@",
|
|
||||||
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-quota-sets:defaults": "@",
|
|
||||||
"os_compute_api:os-quota-sets:update": "rule:admin_api",
|
|
||||||
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
|
|
||||||
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
|
|
||||||
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
|
|
||||||
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
|
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
|
||||||
"os_compute_api:os-quota-class-sets:discoverable": "@",
|
"os_compute_api:os-quota-class-sets:discoverable": "@",
|
||||||
"os_compute_api:os-rescue": "rule:admin_or_owner",
|
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-quota-sets:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-quota-sets:defaults": "@",
|
||||||
|
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
|
||||||
|
"os_compute_api:os-quota-sets:discoverable": "@",
|
||||||
|
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
|
||||||
|
"os_compute_api:os-remote-consoles": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-remote-consoles:discoverable": "@",
|
||||||
"os_compute_api:os-rescue:discoverable": "@",
|
"os_compute_api:os-rescue:discoverable": "@",
|
||||||
|
"os_compute_api:os-rescue": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-scheduler-hints:discoverable": "@",
|
"os_compute_api:os-scheduler-hints:discoverable": "@",
|
||||||
"os_compute_api:os-security-group-default-rules:discoverable": "@",
|
"os_compute_api:os-security-group-default-rules:discoverable": "@",
|
||||||
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
|
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
|
||||||
@ -439,62 +178,82 @@
|
|||||||
"os_compute_api:os-security-groups:discoverable": "@",
|
"os_compute_api:os-security-groups:discoverable": "@",
|
||||||
"os_compute_api:os-server-diagnostics": "rule:admin_api",
|
"os_compute_api:os-server-diagnostics": "rule:admin_api",
|
||||||
"os_compute_api:os-server-diagnostics:discoverable": "@",
|
"os_compute_api:os-server-diagnostics:discoverable": "@",
|
||||||
"os_compute_api:os-server-password": "rule:admin_or_owner",
|
"os_compute_api:os-server-external-events:create": "rule:admin_api",
|
||||||
"os_compute_api:os-server-password:discoverable": "@",
|
"os_compute_api:os-server-external-events:discoverable": "@",
|
||||||
"os_compute_api:os-server-usage": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-server-usage:discoverable": "@",
|
|
||||||
"os_compute_api:os-server-groups": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-server-groups:discoverable": "@",
|
"os_compute_api:os-server-groups:discoverable": "@",
|
||||||
"os_compute_api:os-server-tags:index": "@",
|
"os_compute_api:os-server-groups": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-server-tags:show": "@",
|
|
||||||
"os_compute_api:os-server-tags:update": "@",
|
|
||||||
"os_compute_api:os-server-tags:update_all": "@",
|
|
||||||
"os_compute_api:os-server-tags:delete": "@",
|
|
||||||
"os_compute_api:os-server-tags:delete_all": "@",
|
|
||||||
"os_compute_api:os-services": "rule:admin_api",
|
|
||||||
"os_compute_api:os-services:discoverable": "@",
|
|
||||||
"os_compute_api:server-metadata:discoverable": "@",
|
|
||||||
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
|
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
|
||||||
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
|
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
|
||||||
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
|
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
|
||||||
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
|
"os_compute_api:server-metadata:discoverable": "@",
|
||||||
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
|
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-server-password": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-server-password:discoverable": "@",
|
||||||
|
"os_compute_api:os-server-tags:delete_all": "@",
|
||||||
|
"os_compute_api:os-server-tags:index": "@",
|
||||||
|
"os_compute_api:os-server-tags:update_all": "@",
|
||||||
|
"os_compute_api:os-server-tags:delete": "@",
|
||||||
|
"os_compute_api:os-server-tags:update": "@",
|
||||||
|
"os_compute_api:os-server-tags:show": "@",
|
||||||
|
"os_compute_api:os-server-tags:discoverable": "@",
|
||||||
|
"os_compute_api:os-server-usage": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-server-usage:discoverable": "@",
|
||||||
|
"os_compute_api:servers:index": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:detail": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:show": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:show:host_status": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:create": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:create:forced_host": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:delete": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:update": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:revert_resize": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:reboot": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:resize": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:rebuild": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:create_image": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:start": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:stop": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:servers:discoverable": "@",
|
||||||
|
"os_compute_api:servers:migrations:show": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:migrations:force_complete": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:migrations:delete": "rule:admin_api",
|
||||||
|
"os_compute_api:servers:migrations:index": "rule:admin_api",
|
||||||
|
"os_compute_api:server-migrations:discoverable": "@",
|
||||||
|
"os_compute_api:os-services": "rule:admin_api",
|
||||||
|
"os_compute_api:os-services:discoverable": "@",
|
||||||
"os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
|
"os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-shelve:shelve:discoverable": "@",
|
"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
|
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
|
||||||
"os_compute_api:os-simple-tenant-usage:discoverable": "@",
|
"os_compute_api:os-shelve:discoverable": "@",
|
||||||
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
|
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
|
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
|
||||||
"os_compute_api:os-suspend-server:discoverable": "@",
|
"os_compute_api:os-simple-tenant-usage:discoverable": "@",
|
||||||
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
|
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-suspend-server:discoverable": "@",
|
||||||
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
|
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-tenant-networks:discoverable": "@",
|
"os_compute_api:os-tenant-networks:discoverable": "@",
|
||||||
"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-user-data:discoverable": "@",
|
|
||||||
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-virtual-interfaces:discoverable": "@",
|
|
||||||
"os_compute_api:os-volumes": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-volumes:discoverable": "@",
|
|
||||||
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
|
|
||||||
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-volumes-attachments:discoverable": "@",
|
|
||||||
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
|
|
||||||
"os_compute_api:os-availability-zone:discoverable": "@",
|
|
||||||
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
|
|
||||||
"os_compute_api:os-used-limits": "rule:admin_api",
|
|
||||||
"os_compute_api:os-used-limits:discoverable": "@",
|
"os_compute_api:os-used-limits:discoverable": "@",
|
||||||
"os_compute_api:os-migrations:index": "rule:admin_api",
|
"os_compute_api:os-used-limits": "rule:admin_api",
|
||||||
"os_compute_api:os-migrations:discoverable": "@",
|
"os_compute_api:os-user-data:discoverable": "@",
|
||||||
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
|
"os_compute_api:versions:discoverable": "@",
|
||||||
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
|
"os_compute_api:os-virtual-interfaces:discoverable": "@",
|
||||||
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
|
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
|
"os_compute_api:os-volumes:discoverable": "@",
|
||||||
"os_compute_api:os-console-auth-tokens:discoverable": "@",
|
"os_compute_api:os-volumes": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-server-external-events:create": "rule:admin_api",
|
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
|
||||||
"os_compute_api:os-server-external-events:discoverable": "@"
|
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
|
||||||
|
"os_compute_api:os-volumes-attachments:discoverable": "@",
|
||||||
|
"os_compute_api:os-volumes-attachments:update": "rule:admin_api",
|
||||||
|
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
|
||||||
}
|
}
|
||||||
|
@ -27,7 +27,7 @@ class EvacuateHost(tables.LinkAction):
|
|||||||
verbose_name = _("Evacuate Host")
|
verbose_name = _("Evacuate Host")
|
||||||
url = "horizon:admin:hypervisors:compute:evacuate_host"
|
url = "horizon:admin:hypervisors:compute:evacuate_host"
|
||||||
classes = ("ajax-modal", "btn-migrate")
|
classes = ("ajax-modal", "btn-migrate")
|
||||||
policy_rules = (("compute", "compute_extension:evacuate"),)
|
policy_rules = (("compute", "os_compute_api:os-evacuate"),)
|
||||||
|
|
||||||
def __init__(self, **kwargs):
|
def __init__(self, **kwargs):
|
||||||
super(EvacuateHost, self).__init__(**kwargs)
|
super(EvacuateHost, self).__init__(**kwargs)
|
||||||
@ -45,7 +45,7 @@ class DisableService(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("Disable Service")
|
verbose_name = _("Disable Service")
|
||||||
url = "horizon:admin:hypervisors:compute:disable_service"
|
url = "horizon:admin:hypervisors:compute:disable_service"
|
||||||
classes = ("ajax-modal", "btn-confirm")
|
classes = ("ajax-modal", "btn-confirm")
|
||||||
policy_rules = (("compute", "compute_extension:services"),)
|
policy_rules = (("compute", "os_compute_api:os-services"),)
|
||||||
|
|
||||||
def allowed(self, request, service):
|
def allowed(self, request, service):
|
||||||
if not api.nova.extension_supported('AdminActions', request):
|
if not api.nova.extension_supported('AdminActions', request):
|
||||||
@ -56,7 +56,7 @@ class DisableService(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
|
|
||||||
class EnableService(policy.PolicyTargetMixin, tables.BatchAction):
|
class EnableService(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "enable"
|
name = "enable"
|
||||||
policy_rules = (("compute", "compute_extension:services"),)
|
policy_rules = (("compute", "os_compute_api:os-services"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
@ -86,7 +86,7 @@ class EnableService(policy.PolicyTargetMixin, tables.BatchAction):
|
|||||||
|
|
||||||
class MigrateMaintenanceHost(tables.LinkAction):
|
class MigrateMaintenanceHost(tables.LinkAction):
|
||||||
name = "migrate_maintenance"
|
name = "migrate_maintenance"
|
||||||
policy_rules = (("compute", "compute_extension:admin_actions:migrate"),)
|
policy_rules = (("compute", "os_compute_api:os-migrate-server:migrate"),)
|
||||||
classes = ('ajax-modal', 'btn-migrate')
|
classes = ('ajax-modal', 'btn-migrate')
|
||||||
verbose_name = _("Migrate Host")
|
verbose_name = _("Migrate Host")
|
||||||
url = "horizon:admin:hypervisors:compute:migrate_host"
|
url = "horizon:admin:hypervisors:compute:migrate_host"
|
||||||
|
@ -21,4 +21,4 @@ class Hypervisors(horizon.Panel):
|
|||||||
name = _("Hypervisors")
|
name = _("Hypervisors")
|
||||||
slug = 'hypervisors'
|
slug = 'hypervisors'
|
||||||
permissions = ('openstack.services.compute',)
|
permissions = ('openstack.services.compute',)
|
||||||
policy_rules = (("compute", "compute_extension:hypervisors"),)
|
policy_rules = (("compute", "os_compute_api:os-hypervisors"),)
|
||||||
|
@ -43,7 +43,7 @@ class AdminLogLink(project_tables.LogLink):
|
|||||||
class MigrateInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class MigrateInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "migrate"
|
name = "migrate"
|
||||||
classes = ("btn-migrate",)
|
classes = ("btn-migrate",)
|
||||||
policy_rules = (("compute", "compute_extension:admin_actions:migrate"),)
|
policy_rules = (("compute", "os_compute_api:os-migrate-server:migrate"),)
|
||||||
help_text = _("Migrating instances may cause some unrecoverable results.")
|
help_text = _("Migrating instances may cause some unrecoverable results.")
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
|
|
||||||
@ -79,7 +79,7 @@ class LiveMigrateInstance(policy.PolicyTargetMixin,
|
|||||||
url = "horizon:admin:instances:live_migrate"
|
url = "horizon:admin:instances:live_migrate"
|
||||||
classes = ("ajax-modal", "btn-migrate")
|
classes = ("ajax-modal", "btn-migrate")
|
||||||
policy_rules = (
|
policy_rules = (
|
||||||
("compute", "compute_extension:admin_actions:migrateLive"),)
|
("compute", "os_compute_api:os-migrate-server:migrate_live"),)
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
|
@ -98,7 +98,7 @@ class UsageLink(tables.LinkAction):
|
|||||||
verbose_name = _("View Usage")
|
verbose_name = _("View Usage")
|
||||||
url = "horizon:identity:projects:usage"
|
url = "horizon:identity:projects:usage"
|
||||||
icon = "stats"
|
icon = "stats"
|
||||||
policy_rules = (("compute", "compute_extension:simple_tenant_usage:show"),)
|
policy_rules = (("compute", "os_compute_api:os-simple-tenant-usage:show"),)
|
||||||
|
|
||||||
def allowed(self, request, project):
|
def allowed(self, request, project):
|
||||||
return (request.user.is_superuser and
|
return (request.user.is_superuser and
|
||||||
@ -146,7 +146,7 @@ class ModifyQuotas(tables.LinkAction):
|
|||||||
url = "horizon:identity:projects:update"
|
url = "horizon:identity:projects:update"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "pencil"
|
icon = "pencil"
|
||||||
policy_rules = (('compute', "compute_extension:quotas:update"),)
|
policy_rules = (('compute', "os_compute_api:os-quota-sets:update"),)
|
||||||
|
|
||||||
def allowed(self, request, datum):
|
def allowed(self, request, datum):
|
||||||
if api.keystone.VERSIONS.active < 3:
|
if api.keystone.VERSIONS.active < 3:
|
||||||
|
@ -37,8 +37,8 @@ class DownloadEC2(tables.LinkAction):
|
|||||||
verbose_name = _("Download EC2 Credentials")
|
verbose_name = _("Download EC2 Credentials")
|
||||||
verbose_name_plural = _("Download EC2 Credentials")
|
verbose_name_plural = _("Download EC2 Credentials")
|
||||||
icon = "download"
|
icon = "download"
|
||||||
url = "horizon:project:api_access:ec2"
|
url = "horizon:project:access_and_security:api_access:ec2"
|
||||||
policy_rules = (("compute", "compute_extension:certificates"),)
|
policy_rules = (("compute", "os_compute_api:os-certificates:create"),)
|
||||||
|
|
||||||
def allowed(self, request, datum=None):
|
def allowed(self, request, datum=None):
|
||||||
return api.base.is_service_enabled(request, 'ec2')
|
return api.base.is_service_enabled(request, 'ec2')
|
||||||
@ -77,8 +77,8 @@ class RecreateCredentials(tables.LinkAction):
|
|||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "refresh"
|
icon = "refresh"
|
||||||
url = \
|
url = \
|
||||||
"horizon:project:api_access:recreate_credentials"
|
"horizon:project:access_and_security:api_access:recreate_credentials"
|
||||||
policy_rules = (("compute", "compute_extension:certificates"))
|
policy_rules = (("compute", "os_compute_api:certificates:create"))
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
|
|
||||||
def allowed(self, request, datum=None):
|
def allowed(self, request, datum=None):
|
||||||
|
@ -61,8 +61,7 @@ class AllocateIP(tables.LinkAction):
|
|||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("network", "create_floatingip"),)
|
policy_rules = (("network", "create_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
("compute", "network:allocate_floating_ip"),)
|
|
||||||
|
|
||||||
return policy.check(policy_rules, request)
|
return policy.check(policy_rules, request)
|
||||||
|
|
||||||
@ -94,8 +93,7 @@ class ReleaseIPs(tables.BatchAction):
|
|||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("network", "delete_floatingip"),)
|
policy_rules = (("network", "delete_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
("compute", "network:release_floating_ip"),)
|
|
||||||
|
|
||||||
return policy.check(policy_rules, request)
|
return policy.check(policy_rules, request)
|
||||||
|
|
||||||
@ -114,8 +112,7 @@ class AssociateIP(tables.LinkAction):
|
|||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("network", "update_floatingip"),)
|
policy_rules = (("network", "update_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
("compute", "network:associate_floating_ip"),)
|
|
||||||
|
|
||||||
return not fip.port_id and policy.check(policy_rules, request)
|
return not fip.port_id and policy.check(policy_rules, request)
|
||||||
|
|
||||||
@ -136,8 +133,7 @@ class DisassociateIP(tables.Action):
|
|||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("network", "update_floatingip"),)
|
policy_rules = (("network", "update_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
("compute", "network:disassociate_floating_ip"),)
|
|
||||||
|
|
||||||
return fip.port_id and policy.check(policy_rules, request)
|
return fip.port_id and policy.check(policy_rules, request)
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ class LaunchImage(tables.LinkAction):
|
|||||||
url = "horizon:project:instances:launch"
|
url = "horizon:project:instances:launch"
|
||||||
classes = ("ajax-modal", "btn-launch")
|
classes = ("ajax-modal", "btn-launch")
|
||||||
icon = "cloud-upload"
|
icon = "cloud-upload"
|
||||||
policy_rules = (("compute", "compute:create"),)
|
policy_rules = (("compute", "os_compute_api:servers:create"),)
|
||||||
|
|
||||||
def get_link_url(self, datum):
|
def get_link_url(self, datum):
|
||||||
base_url = reverse(self.url)
|
base_url = reverse(self.url)
|
||||||
|
@ -81,7 +81,7 @@ def is_deleting(instance):
|
|||||||
|
|
||||||
|
|
||||||
class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction):
|
class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction):
|
||||||
policy_rules = (("compute", "compute:delete"),)
|
policy_rules = (("compute", "os_compute_api:servers:delete"),)
|
||||||
help_text = _("Deleted instances are not recoverable.")
|
help_text = _("Deleted instances are not recoverable.")
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -116,7 +116,7 @@ class DeleteInstance(policy.PolicyTargetMixin, tables.DeleteAction):
|
|||||||
class RebootInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class RebootInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "reboot"
|
name = "reboot"
|
||||||
classes = ('btn-reboot',)
|
classes = ('btn-reboot',)
|
||||||
policy_rules = (("compute", "compute:reboot"),)
|
policy_rules = (("compute", "os_compute_api:servers:reboot"),)
|
||||||
help_text = _("Restarted instances will lose any data"
|
help_text = _("Restarted instances will lose any data"
|
||||||
" not saved in persistent storage.")
|
" not saved in persistent storage.")
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
@ -216,11 +216,11 @@ class TogglePause(tables.BatchAction):
|
|||||||
if self.paused:
|
if self.paused:
|
||||||
self.current_present_action = UNPAUSE
|
self.current_present_action = UNPAUSE
|
||||||
policy_rules = (
|
policy_rules = (
|
||||||
("compute", "compute_extension:admin_actions:unpause"),)
|
("compute", "os_compute_api:os-pause-server:unpause"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = PAUSE
|
self.current_present_action = PAUSE
|
||||||
policy_rules = (
|
policy_rules = (
|
||||||
("compute", "compute_extension:admin_actions:pause"),)
|
("compute", "os_compute_api:os-pause-server:pause"),)
|
||||||
|
|
||||||
has_permission = policy.check(
|
has_permission = policy.check(
|
||||||
policy_rules, request,
|
policy_rules, request,
|
||||||
@ -283,11 +283,11 @@ class ToggleSuspend(tables.BatchAction):
|
|||||||
if self.suspended:
|
if self.suspended:
|
||||||
self.current_present_action = RESUME
|
self.current_present_action = RESUME
|
||||||
policy_rules = (
|
policy_rules = (
|
||||||
("compute", "compute_extension:admin_actions:resume"),)
|
("compute", "os_compute_api:os-rescue"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = SUSPEND
|
self.current_present_action = SUSPEND
|
||||||
policy_rules = (
|
policy_rules = (
|
||||||
("compute", "compute_extension:admin_actions:suspend"),)
|
("compute", "os_compute_api:os-suspend-server:suspend"),)
|
||||||
|
|
||||||
has_permission = policy.check(
|
has_permission = policy.check(
|
||||||
policy_rules, request,
|
policy_rules, request,
|
||||||
@ -352,10 +352,10 @@ class ToggleShelve(tables.BatchAction):
|
|||||||
self.shelved = instance.status == "SHELVED_OFFLOADED"
|
self.shelved = instance.status == "SHELVED_OFFLOADED"
|
||||||
if self.shelved:
|
if self.shelved:
|
||||||
self.current_present_action = UNSHELVE
|
self.current_present_action = UNSHELVE
|
||||||
policy_rules = (("compute", "compute_extension:unshelve"),)
|
policy_rules = (("compute", "os_compute_api:os-shelve:unshelve"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = SHELVE
|
self.current_present_action = SHELVE
|
||||||
policy_rules = (("compute", "compute_extension:shelve"),)
|
policy_rules = (("compute", "os_compute_api:os-shelve:shelve"),)
|
||||||
|
|
||||||
has_permission = policy.check(
|
has_permission = policy.check(
|
||||||
policy_rules, request,
|
policy_rules, request,
|
||||||
@ -380,7 +380,7 @@ class LaunchLink(tables.LinkAction):
|
|||||||
url = "horizon:project:instances:launch"
|
url = "horizon:project:instances:launch"
|
||||||
classes = ("ajax-modal", "btn-launch")
|
classes = ("ajax-modal", "btn-launch")
|
||||||
icon = "cloud-upload"
|
icon = "cloud-upload"
|
||||||
policy_rules = (("compute", "compute:create"),)
|
policy_rules = (("compute", "os_compute_api:servers:create"),)
|
||||||
ajax = True
|
ajax = True
|
||||||
|
|
||||||
def __init__(self, attrs=None, **kwargs):
|
def __init__(self, attrs=None, **kwargs):
|
||||||
@ -444,7 +444,7 @@ class EditInstance(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
url = "horizon:project:instances:update"
|
url = "horizon:project:instances:update"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "pencil"
|
icon = "pencil"
|
||||||
policy_rules = (("compute", "compute:update"),)
|
policy_rules = (("compute", "os_compute_api:servers:update"),)
|
||||||
|
|
||||||
def get_link_url(self, project):
|
def get_link_url(self, project):
|
||||||
return self._get_link_url(project, 'instance_info')
|
return self._get_link_url(project, 'instance_info')
|
||||||
@ -480,7 +480,7 @@ class CreateSnapshot(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
url = "horizon:project:images:snapshots:create"
|
url = "horizon:project:images:snapshots:create"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "camera"
|
icon = "camera"
|
||||||
policy_rules = (("compute", "compute:snapshot"),)
|
policy_rules = (("compute", "os_compute_api:snapshot"),)
|
||||||
|
|
||||||
def allowed(self, request, instance=None):
|
def allowed(self, request, instance=None):
|
||||||
return instance.status in SNAPSHOT_READY_STATES \
|
return instance.status in SNAPSHOT_READY_STATES \
|
||||||
@ -492,7 +492,7 @@ class ConsoleLink(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("Console")
|
verbose_name = _("Console")
|
||||||
url = "horizon:project:instances:detail"
|
url = "horizon:project:instances:detail"
|
||||||
classes = ("btn-console",)
|
classes = ("btn-console",)
|
||||||
policy_rules = (("compute", "compute_extension:consoles"),)
|
policy_rules = (("compute", "os_compute_api:os-consoles:index"),)
|
||||||
|
|
||||||
def allowed(self, request, instance=None):
|
def allowed(self, request, instance=None):
|
||||||
# We check if ConsoleLink is allowed only if settings.CONSOLE_TYPE is
|
# We check if ConsoleLink is allowed only if settings.CONSOLE_TYPE is
|
||||||
@ -512,7 +512,7 @@ class LogLink(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("View Log")
|
verbose_name = _("View Log")
|
||||||
url = "horizon:project:instances:detail"
|
url = "horizon:project:instances:detail"
|
||||||
classes = ("btn-log",)
|
classes = ("btn-log",)
|
||||||
policy_rules = (("compute", "compute_extension:console_output"),)
|
policy_rules = (("compute", "os_compute_api:os-console-output"),)
|
||||||
|
|
||||||
def allowed(self, request, instance=None):
|
def allowed(self, request, instance=None):
|
||||||
return instance.status in ACTIVE_STATES and not is_deleting(instance)
|
return instance.status in ACTIVE_STATES and not is_deleting(instance)
|
||||||
@ -529,7 +529,7 @@ class ResizeLink(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("Resize Instance")
|
verbose_name = _("Resize Instance")
|
||||||
url = "horizon:project:instances:resize"
|
url = "horizon:project:instances:resize"
|
||||||
classes = ("ajax-modal", "btn-resize")
|
classes = ("ajax-modal", "btn-resize")
|
||||||
policy_rules = (("compute", "compute:resize"),)
|
policy_rules = (("compute", "os_compute_api:servers:resize"),)
|
||||||
|
|
||||||
def get_link_url(self, project):
|
def get_link_url(self, project):
|
||||||
return self._get_link_url(project, 'flavor_choice')
|
return self._get_link_url(project, 'flavor_choice')
|
||||||
@ -552,7 +552,7 @@ class ConfirmResize(policy.PolicyTargetMixin, tables.Action):
|
|||||||
name = "confirm"
|
name = "confirm"
|
||||||
verbose_name = _("Confirm Resize/Migrate")
|
verbose_name = _("Confirm Resize/Migrate")
|
||||||
classes = ("btn-confirm", "btn-action-required")
|
classes = ("btn-confirm", "btn-action-required")
|
||||||
policy_rules = (("compute", "compute:confirm_resize"),)
|
policy_rules = (("compute", "os_compute_api:servers:confirm_resize"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
return instance.status == 'VERIFY_RESIZE'
|
return instance.status == 'VERIFY_RESIZE'
|
||||||
@ -565,7 +565,7 @@ class RevertResize(policy.PolicyTargetMixin, tables.Action):
|
|||||||
name = "revert"
|
name = "revert"
|
||||||
verbose_name = _("Revert Resize/Migrate")
|
verbose_name = _("Revert Resize/Migrate")
|
||||||
classes = ("btn-revert", "btn-action-required")
|
classes = ("btn-revert", "btn-action-required")
|
||||||
policy_rules = (("compute", "compute:revert_resize"),)
|
policy_rules = (("compute", "os_compute_api:servers:revert_resize"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
return instance.status == 'VERIFY_RESIZE'
|
return instance.status == 'VERIFY_RESIZE'
|
||||||
@ -579,7 +579,7 @@ class RebuildInstance(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("Rebuild Instance")
|
verbose_name = _("Rebuild Instance")
|
||||||
classes = ("btn-rebuild", "ajax-modal")
|
classes = ("btn-rebuild", "ajax-modal")
|
||||||
url = "horizon:project:instances:rebuild"
|
url = "horizon:project:instances:rebuild"
|
||||||
policy_rules = (("compute", "compute:rebuild"),)
|
policy_rules = (("compute", "os_compute_api:servers:rebuild"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
return ((instance.status in ACTIVE_STATES
|
return ((instance.status in ACTIVE_STATES
|
||||||
@ -620,7 +620,9 @@ class AssociateIP(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
url = "horizon:project:floating_ips:associate"
|
url = "horizon:project:floating_ips:associate"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
icon = "link"
|
icon = "link"
|
||||||
policy_rules = (("compute", "network:associate_floating_ip"),)
|
# Nova doesn't support floating ip actions policy, update this
|
||||||
|
# when bug #1610520 resloved
|
||||||
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
if not api.network.floating_ip_supported(request):
|
if not api.network.floating_ip_supported(request):
|
||||||
@ -649,7 +651,9 @@ class SimpleAssociateIP(policy.PolicyTargetMixin, tables.Action):
|
|||||||
name = "associate-simple"
|
name = "associate-simple"
|
||||||
verbose_name = _("Associate Floating IP")
|
verbose_name = _("Associate Floating IP")
|
||||||
icon = "link"
|
icon = "link"
|
||||||
policy_rules = (("compute", "network:associate_floating_ip"),)
|
# Nova doesn't support floating ip actions policy, update this
|
||||||
|
# when bug #1610520 resloved
|
||||||
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
if not api.network.floating_ip_simple_associate_supported(request):
|
if not api.network.floating_ip_simple_associate_supported(request):
|
||||||
@ -680,7 +684,9 @@ class SimpleDisassociateIP(policy.PolicyTargetMixin, tables.Action):
|
|||||||
name = "disassociate"
|
name = "disassociate"
|
||||||
verbose_name = _("Disassociate Floating IP")
|
verbose_name = _("Disassociate Floating IP")
|
||||||
classes = ("btn-disassociate",)
|
classes = ("btn-disassociate",)
|
||||||
policy_rules = (("compute", "network:disassociate_floating_ip"),)
|
# Nova doesn't support floating ip actions policy, update this
|
||||||
|
# when bug #1610520 resloved
|
||||||
|
policy_rules = (("compute", "os_compute_api:os-floating-ips"),)
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
@ -727,7 +733,7 @@ class UpdateMetadata(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
ajax = False
|
ajax = False
|
||||||
icon = "pencil"
|
icon = "pencil"
|
||||||
attrs = {"ng-controller": "MetadataModalHelperController as modal"}
|
attrs = {"ng-controller": "MetadataModalHelperController as modal"}
|
||||||
policy_rules = (("compute", "compute:update_instance_metadata"),)
|
policy_rules = (("compute", "os_compute_api:server-metadata:update"),)
|
||||||
|
|
||||||
def __init__(self, attrs=None, **kwargs):
|
def __init__(self, attrs=None, **kwargs):
|
||||||
kwargs['preempt'] = True
|
kwargs['preempt'] = True
|
||||||
@ -797,7 +803,7 @@ class UpdateRow(tables.Row):
|
|||||||
class StartInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class StartInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "start"
|
name = "start"
|
||||||
classes = ('btn-confirm',)
|
classes = ('btn-confirm',)
|
||||||
policy_rules = (("compute", "compute:start"),)
|
policy_rules = (("compute", "os_compute_api:servers:start"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
@ -825,7 +831,7 @@ class StartInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
|||||||
|
|
||||||
class StopInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class StopInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "stop"
|
name = "stop"
|
||||||
policy_rules = (("compute", "compute:stop"),)
|
policy_rules = (("compute", "os_compute_api:servers:stop"),)
|
||||||
help_text = _("The instance(s) will be shut off.")
|
help_text = _("The instance(s) will be shut off.")
|
||||||
action_type = "danger"
|
action_type = "danger"
|
||||||
|
|
||||||
@ -858,7 +864,7 @@ class StopInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
|||||||
|
|
||||||
class LockInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class LockInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "lock"
|
name = "lock"
|
||||||
policy_rules = (("compute", "compute_extension:admin_actions:lock"),)
|
policy_rules = (("compute", "os_compute_api:os-lock-server:lock"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
@ -891,7 +897,7 @@ class LockInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
|||||||
|
|
||||||
class UnlockInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
class UnlockInstance(policy.PolicyTargetMixin, tables.BatchAction):
|
||||||
name = "unlock"
|
name = "unlock"
|
||||||
policy_rules = (("compute", "compute_extension:admin_actions:unlock"),)
|
policy_rules = (("compute", "os_compute_api:os-lock-server:unlock"),)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def action_present(count):
|
def action_present(count):
|
||||||
@ -926,7 +932,7 @@ class AttachVolume(tables.LinkAction):
|
|||||||
verbose_name = _("Attach Volume")
|
verbose_name = _("Attach Volume")
|
||||||
url = "horizon:project:instances:attach_volume"
|
url = "horizon:project:instances:attach_volume"
|
||||||
classes = ("ajax-modal",)
|
classes = ("ajax-modal",)
|
||||||
policy_rules = (("compute", "compute:attach_volume"),)
|
policy_rules = (("compute", "os_compute_api:servers:attach_volume"),)
|
||||||
|
|
||||||
# This action should be disabled if the instance
|
# This action should be disabled if the instance
|
||||||
# is not active, or the instance is being deleted
|
# is not active, or the instance is being deleted
|
||||||
@ -939,7 +945,7 @@ class DetachVolume(AttachVolume):
|
|||||||
name = "detach_volume"
|
name = "detach_volume"
|
||||||
verbose_name = _("Detach Volume")
|
verbose_name = _("Detach Volume")
|
||||||
url = "horizon:project:instances:detach_volume"
|
url = "horizon:project:instances:detach_volume"
|
||||||
policy_rules = (("compute", "compute:detach_volume"),)
|
policy_rules = (("compute", "os_compute_api:servers:detach_volume"),)
|
||||||
|
|
||||||
# This action should be disabled if the instance
|
# This action should be disabled if the instance
|
||||||
# is not active, or the instance is being deleted
|
# is not active, or the instance is being deleted
|
||||||
@ -953,7 +959,7 @@ class AttachInterface(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
verbose_name = _("Attach Interface")
|
verbose_name = _("Attach Interface")
|
||||||
classes = ("btn-confirm", "ajax-modal")
|
classes = ("btn-confirm", "ajax-modal")
|
||||||
url = "horizon:project:instances:attach_interface"
|
url = "horizon:project:instances:attach_interface"
|
||||||
policy_rules = (("compute", "compute_extension:attach_interfaces"),)
|
policy_rules = (("compute", "os_compute_api:os-attach-interfaces"),)
|
||||||
|
|
||||||
def allowed(self, request, instance):
|
def allowed(self, request, instance):
|
||||||
return ((instance.status in ACTIVE_STATES
|
return ((instance.status in ACTIVE_STATES
|
||||||
|
@ -3613,7 +3613,7 @@ class InstanceTests(helpers.ResetImageAPIVersionMixin, helpers.TestCase):
|
|||||||
self.assertEqual(set(['btn-launch']),
|
self.assertEqual(set(['btn-launch']),
|
||||||
set(launch_action.classes))
|
set(launch_action.classes))
|
||||||
self.assertEqual('Launch Instance', launch_action.verbose_name)
|
self.assertEqual('Launch Instance', launch_action.verbose_name)
|
||||||
self.assertEqual((('compute', 'compute:create'),),
|
self.assertEqual((('compute', 'os_compute_api:servers:create'),),
|
||||||
launch_action.policy_rules)
|
launch_action.policy_rules)
|
||||||
|
|
||||||
@helpers.create_stubs({
|
@helpers.create_stubs({
|
||||||
|
@ -23,7 +23,7 @@ from openstack_dashboard.usage import quotas
|
|||||||
|
|
||||||
|
|
||||||
class DeleteKeyPairs(tables.DeleteAction):
|
class DeleteKeyPairs(tables.DeleteAction):
|
||||||
policy_rules = (("compute", "compute_extension:keypairs:delete"),)
|
policy_rules = (("compute", "os_compute_api:os-keypairs:delete"),)
|
||||||
help_text = _("Removing a key pair can leave OpenStack resources orphaned."
|
help_text = _("Removing a key pair can leave OpenStack resources orphaned."
|
||||||
" You should not remove a key pair unless you are certain it"
|
" You should not remove a key pair unless you are certain it"
|
||||||
" is not being used anywhere.")
|
" is not being used anywhere.")
|
||||||
|
@ -31,7 +31,7 @@ def get_context(request, context=None):
|
|||||||
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
|
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
|
||||||
|
|
||||||
context['launch_instance_allowed'] = policy.check(
|
context['launch_instance_allowed'] = policy.check(
|
||||||
(("compute", "compute:create"),), request)
|
(("compute", "os_compute_api:servers:create"),), request)
|
||||||
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
|
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
|
||||||
context['create_network_allowed'] = policy.check(
|
context['create_network_allowed'] = policy.check(
|
||||||
(("network", "create_network"),), request)
|
(("network", "create_network"),), request)
|
||||||
|
@ -47,7 +47,7 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
if not policy.check(policy_rules, request, policy_target):
|
if not policy.check(policy_rules, request, policy_target):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@ -77,7 +77,7 @@ class CreateGroup(tables.LinkAction):
|
|||||||
self.classes = [c for c in self.classes if c != "disabled"]
|
self.classes = [c for c in self.classes if c != "disabled"]
|
||||||
|
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
return policy.check(policy_rules, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
return True
|
return True
|
||||||
@ -93,7 +93,7 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
if not policy.check(policy_rules, request, policy_target):
|
if not policy.check(policy_rules, request, policy_target):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@ -111,7 +111,7 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
return policy.check(policy_rules, request, policy_target)
|
return policy.check(policy_rules, request, policy_target)
|
||||||
|
|
||||||
return True
|
return True
|
||||||
@ -151,7 +151,7 @@ class CreateRule(tables.LinkAction):
|
|||||||
|
|
||||||
def allowed(self, request, security_group_rule=None):
|
def allowed(self, request, security_group_rule=None):
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
return policy.check(policy_rules, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
return True
|
return True
|
||||||
@ -179,7 +179,7 @@ class DeleteRule(tables.DeleteAction):
|
|||||||
|
|
||||||
def allowed(self, request, security_group_rule=None):
|
def allowed(self, request, security_group_rule=None):
|
||||||
if not api.base.is_service_enabled(request, "network"):
|
if not api.base.is_service_enabled(request, "network"):
|
||||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "os_compute_api:os-security-groups"),)
|
||||||
return policy.check(policy_rules, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
@ -48,7 +48,7 @@ class LaunchVolume(tables.LinkAction):
|
|||||||
url = "horizon:project:instances:launch"
|
url = "horizon:project:instances:launch"
|
||||||
classes = ("ajax-modal", "btn-launch")
|
classes = ("ajax-modal", "btn-launch")
|
||||||
icon = "cloud-upload"
|
icon = "cloud-upload"
|
||||||
policy_rules = (("compute", "compute:create"),)
|
policy_rules = (("compute", "os_compute_api:servers:create"),)
|
||||||
|
|
||||||
def get_link_url(self, datum):
|
def get_link_url(self, datum):
|
||||||
base_url = reverse(self.url)
|
base_url = reverse(self.url)
|
||||||
@ -188,11 +188,13 @@ class EditAttachments(tables.LinkAction):
|
|||||||
if volume:
|
if volume:
|
||||||
project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None)
|
project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None)
|
||||||
attach_allowed = \
|
attach_allowed = \
|
||||||
policy.check((("compute", "compute:attach_volume"),),
|
policy.check((("compute",
|
||||||
|
"os_compute_api:servers:attach_volume"),),
|
||||||
request,
|
request,
|
||||||
{"project_id": project_id})
|
{"project_id": project_id})
|
||||||
detach_allowed = \
|
detach_allowed = \
|
||||||
policy.check((("compute", "compute:detach_volume"),),
|
policy.check((("compute",
|
||||||
|
"os_compute_api:servers:detach_volume"),),
|
||||||
request,
|
request,
|
||||||
{"project_id": project_id})
|
{"project_id": project_id})
|
||||||
|
|
||||||
@ -528,7 +530,7 @@ class VolumesTable(VolumesTableBase):
|
|||||||
class DetachVolume(tables.BatchAction):
|
class DetachVolume(tables.BatchAction):
|
||||||
name = "detach"
|
name = "detach"
|
||||||
classes = ('btn-detach',)
|
classes = ('btn-detach',)
|
||||||
policy_rules = (("compute", "compute:detach_volume"),)
|
policy_rules = (("compute", "os_compute_api:servers:detach_volume"),)
|
||||||
help_text = _("The data will remain in the volume and another instance"
|
help_text = _("The data will remain in the volume and another instance"
|
||||||
" will be able to access the data if you attach"
|
" will be able to access the data if you attach"
|
||||||
" this volume to it.")
|
" this volume to it.")
|
||||||
|
@ -26,26 +26,27 @@ class PolicyRestTestCase(test.TestCase):
|
|||||||
|
|
||||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||||
def test_rule_alone(self):
|
def test_rule_alone(self):
|
||||||
body = '{"rules": [["compute", "compute:get_all" ]]}'
|
body = '{"rules": [["compute", \
|
||||||
|
"os_compute_api:index:get_all_tenants"]]}'
|
||||||
self.test_policy(body)
|
self.test_policy(body)
|
||||||
|
|
||||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||||
def test_multiple_rule(self):
|
def test_multiple_rule(self):
|
||||||
body = '{"rules": [["compute", "compute:get_all"],' \
|
body = '{"rules": [["compute", "os_compute_api:stop"],' \
|
||||||
' ["compute", "compute:start"]]}'
|
' ["compute", "os_compute_api:start"]]}'
|
||||||
self.test_policy(body)
|
self.test_policy(body)
|
||||||
|
|
||||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||||
def test_rule_with_empty_target(self):
|
def test_rule_with_empty_target(self):
|
||||||
body = '{"rules": [["compute", "compute:get_all"],' \
|
body = '{"rules": [["compute", "os_compute_api:stop"],' \
|
||||||
' ["compute", "compute:start"]],' \
|
' ["compute", "os_compute_api:start"]],' \
|
||||||
' "target": {}}'
|
' "target": {}}'
|
||||||
self.test_policy(body)
|
self.test_policy(body)
|
||||||
|
|
||||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||||
def test_rule_with_target(self):
|
def test_rule_with_target(self):
|
||||||
body = '{"rules": [["compute", "compute:get_all"],' \
|
body = '{"rules": [["compute", "os_compute_api:stop"],' \
|
||||||
' ["compute", "compute:start"]],' \
|
' ["compute", "os_compute_api:start"]],' \
|
||||||
' "target": {"project_id": "1"}}'
|
' "target": {"project_id": "1"}}'
|
||||||
self.test_policy(body)
|
self.test_policy(body)
|
||||||
|
|
||||||
@ -53,7 +54,9 @@ class PolicyRestTestCase(test.TestCase):
|
|||||||
def test_policy_fail(self):
|
def test_policy_fail(self):
|
||||||
# admin only rule, default test case user should fail
|
# admin only rule, default test case user should fail
|
||||||
request = self.mock_rest_request(
|
request = self.mock_rest_request(
|
||||||
body='''{"rules": [["compute", "compute:unlock_override"]]}''')
|
body=('{"rules": ['
|
||||||
|
'["compute",'
|
||||||
|
'"os_compute_api:servers:index:get_all_tenants"]]}'))
|
||||||
response = policy.Policy().post(request)
|
response = policy.Policy().post(request)
|
||||||
self.assertStatusCode(response, 200)
|
self.assertStatusCode(response, 200)
|
||||||
self.assertEqual({"allowed": False}, response.json)
|
self.assertEqual({"allowed": False}, response.json)
|
||||||
@ -70,7 +73,8 @@ class PolicyRestTestCase(test.TestCase):
|
|||||||
class AdminPolicyRestTestCase(test.BaseAdminViewTests):
|
class AdminPolicyRestTestCase(test.BaseAdminViewTests):
|
||||||
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
||||||
def test_rule_with_target(self):
|
def test_rule_with_target(self):
|
||||||
body = '{"rules": [["compute", "compute:unlock_override"]]}'
|
body = '{"rules": [["compute", \
|
||||||
|
"os_compute_api:index:get_all_tenants"]]}'
|
||||||
request = self.mock_rest_request(body=body)
|
request = self.mock_rest_request(body=body)
|
||||||
response = policy.Policy().post(request)
|
response = policy.Policy().post(request)
|
||||||
self.assertStatusCode(response, 200)
|
self.assertStatusCode(response, 200)
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- Horizon is updated to use the same API policy
|
||||||
|
target rules with Nova, if you made any changes
|
||||||
|
to Horizon's old nova policy file before, make sure
|
||||||
|
to apply your specific policy changes to the new
|
||||||
|
Nova policy file used by Horizon.
|
Loading…
Reference in New Issue
Block a user