
Merge "Support policy-in-code and deprecated policy"

changes/66/778366/3
Zuul 5 months ago
committed by Gerrit Code Review
parent
commit
c756724cda
  1. 41
      doc/source/configuration/settings.rst
  2. 114
      doc/source/contributor/topics/policy.rst
  3. 6
      lower-constraints.txt
  4. 1
      openstack_auth/defaults.py
  5. 48
      openstack_auth/policy.py
  6. 147
      openstack_dashboard/conf/cinder_policy.json
  7. 646
      openstack_dashboard/conf/cinder_policy.yaml
  8. 12
      openstack_dashboard/conf/default_policies/README.txt
  9. 1137
      openstack_dashboard/conf/default_policies/cinder.yaml
  10. 280
      openstack_dashboard/conf/default_policies/glance.yaml
  11. 2954
      openstack_dashboard/conf/default_policies/keystone.yaml
  12. 1511
      openstack_dashboard/conf/default_policies/neutron.yaml
  13. 3103
      openstack_dashboard/conf/default_policies/nova.yaml
  14. 63
      openstack_dashboard/conf/glance_policy.json
  15. 121
      openstack_dashboard/conf/glance_policy.yaml
  16. 174
      openstack_dashboard/conf/keystone_policy.json
  17. 2330
      openstack_dashboard/conf/keystone_policy.yaml
  18. 220
      openstack_dashboard/conf/neutron_policy.json
  19. 961
      openstack_dashboard/conf/neutron_policy.yaml
  20. 158
      openstack_dashboard/conf/nova_policy.json
  21. 1877
      openstack_dashboard/conf/nova_policy.yaml
  22. 17
      openstack_dashboard/defaults.py
  23. 82
      openstack_dashboard/management/commands/dump_default_policies.py
  24. 22
      releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml
  25. 4
      requirements.txt

41
doc/source/configuration/settings.rst

@ -136,6 +136,30 @@ the GUI. For example themes, see: /horizon/openstack_dashboard/themes/
Horizon ships with two themes configured. 'default' is the default theme,
and 'material' is based on Google's Material Design.
DEFAULT_POLICY_FILES
--------------------
.. versionadded:: 19.1.0(Wallaby)
Default:
.. code-block:: python
{
'identity': 'default_policies/keystone.yaml',
'compute': 'default_policies/nova.yaml',
'volume': 'default_policies/cinder.yaml',
'image': 'default_policies/glance.yaml',
'network': 'default_policies/neutron.yaml',
}
This is a mapping from service types to YAML files including default
policy definitions. Values of this mapping should be relative paths to
`POLICY_FILES_PATH`_ or absolute paths. Policy files specified in this
setting are generated from default policies of back-end services,
so you rarely need to configure it. If you would like to override the
default policies, consider customizing files under `POLICY_FILES`_.
DEFAULT_THEME
-------------
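Review bot: The new DEFAULT_POLICY_FILES section should say what happens when a service type is missing from the mapping, since `_load_default_rules` in openstack_auth/policy.py only logs "Default policy file for %s is not defined" and returns, leaving that service with no registered default rules; an operator who overrides this setting with a partial dict would silently lose defaults for the other services. The text also promises "relative paths to `POLICY_FILES_PATH`_ or absolute paths", while the loader resolves them with `os.path.join(_BASE_PATH, policy_files[service])`; please confirm `_BASE_PATH` is that directory or word the doc after the code. As a minor style point, `19.1.0(Wallaby)` is missing a space before the parenthesis.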
@ -792,20 +816,25 @@ POLICY_FILES
.. versionadded:: 2013.2(Havana)
.. versionchanged:: 19.1.0(Wallaby)
The default files are changed to YAML format.
JSON format still continues to be supported.
Default:
.. code-block:: python
{
'compute': 'nova_policy.json',
'identity': 'keystone_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
'volume': 'cinder_policy.json',
'compute': 'nova_policy.yaml',
'identity': 'keystone_policy.yaml',
'image': 'glance_policy.yaml',
'network': 'neutron_policy.yaml',
'volume': 'cinder_policy.yaml',
}
This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_
to service types. When policy.json files are added to `POLICY_FILES_PATH`_,
to service types. When policy files are added to `POLICY_FILES_PATH`_,
they should be included here too.
POLICY_FILES_PATH
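Review bot: Now that the effective defaults are registered from `DEFAULT_POLICY_FILES`_, the files listed here only need to carry operator overrides, and this paragraph should say so instead of describing them as the policy contents. It should also spell out the migration consequence of this hunk: the shipped `*_policy.json` files are deleted in this change and the default names become `*_policy.yaml`, so a deployment that customized, say, `nova_policy.json` under `POLICY_FILES_PATH`_ keeps its overrides only if it sets POLICY_FILES explicitly (JSON itself is still read, as the versionchanged note says). The duplicated "to service types." lines in the trailing paragraph suggest the rewording was applied twice; keep one.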

114
doc/source/contributor/topics/policy.rst

@ -29,6 +29,7 @@ engine to work.
* ``POLICY_DIRS``
* ``POLICY_FILES_PATH``
* ``POLICY_FILES``
* ``DEFAULT_POLICY_FILES``
For more detail, see :doc:`/configuration/settings`.
@ -154,32 +155,117 @@ override the :meth:`horizon.tables.Action.get_policy_target` method. This
allows a programmatic way to specify the target based on the current datum. The
value returned should be the target dictionary.
Policy-in-Code and deprecated rules
===================================
As the effort of
`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__,
most OpenStack projects define their default policies in their codes.
All projects (except swift) covered by horizon supports "policy-in-code".
(Note that swift is an exception as it has its own mechanism to control RBAC.)
"oslo.policy" provides a way to deprecate existing policy rules like
renaming rule definitions ("check_str") and renaming rule names.
They are defined as part of python codes in back-end services.
horizon cannot import python codes of back-end services, so we need a way
to restore policies defined by "policy-in-code" including deprecated rules.
To address the above issue, horizon adopts the following two-step approach:
* The first step scans policy-in-code of back-end services and
and dump the loaded default policies into YAML files per service
including information of deprecated rules.
This step is executed as part of the development process per release cycle
and these YAML files are shipped per release.
Note that `oslopolicy-sample-generator` does not output deprecated rules
in a structured way, so we prepare a dedicated script for this purpose
in the horizon repo.
* The horizon policy implementation loads the above YAML file into a list of
RuleDefault and registers the list as the default rules to the policy
enforcer. The default rules and operator-defined rules are maintained
separately, so operators still can edit the policy files as oslo.policy
does in back-end services.
This approach has the following merits:
* All features supported by oslo.policy can be supported in horizon
as default rules in back-end services are restored as-is.
Horizon can evaluate deprecated rules.
* The default rules and operator defined rules are maintained separately.
Operators can use the same way to maintain policy files of back-end services.
The related files in the horizon codebase are:
* `openstack_dashboard/conf/<service>_policy.yaml`:
operator-defined policies.
These files are generated by `oslopolicy-sample-generator`.
* `openstack_dashboard/conf/default_policies/<service>.yaml`
YAML files contain default policies.
* `openstack_dashboard/management/commands/dump_default_policies.py`:
This script scans policy-in-code of a specified namespace under
`oslo.policy.policies` entrypoints and dump them into the YAML file
under `openstack_dashboard/conf/default_policies`.
* `openstack_auth/policy.py`: `_load_default_rules` function loads
the YAML files with default rules and call `register_defautls` method
of the policy enforcer per service.
Policy file maintenance
=======================
The policy implementation uses the copies of policies defined in
back-end services.
* YAML files for default policies
As of Queens, the OpenStack community are in the process of
`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__.
Some projects already define their policies in the code,
and some still have their policies in ``policy.json`` files.
Run the following command after installing a corresponding project.
You need to run it for keystone, nova, cinder, neutron, glance.
For project with the legacy ``policy.json`` files,
what we need to do is just to copy ``policy.json`` into the horizon tree.
.. code-block:: console
For projects with "policy-in-code", all policies are defined as python codes,
so we first need to generate policy files with its default rules.
To do this, run the following command after install a corresponding project.
python3 manage.py dump_default_policies \
--namespace $PROJECT \
--output-file openstack_dashboard/conf/default_policies/${PROJECT}.yaml
.. code-block:: console
* Sample policy files
Run the following commands after installing a corresponding project.
You need to run it for keystone, nova, cinder, neutron, glance.
.. code-block:: console
oslopolicy-sample-generator --namespace keystone \
--output-file openstack_dashboard/conf/${PROJECT}_policy.yaml
sed -i 's/^"/#"/' openstack_dashboard/conf/${PROJECT}_policy.yaml
.. note::
oslopolicy-sample-generator --namespace $PROJECT --format json \
--output-file $HORIZON_REPO/openstack_dashboard/conf/$PROJECT_policy.json
We now use YAML format for sample policy files now.
"oslo.policy" can accept both YAML and JSON files.
We now support default policies so there is no need to define all
policies using JSON files. YAML files also allows us to use comments,
so we can provide good sample policy files.
This is the same motivation as the Wallaby community goal
`Migrate RBAC Policy Format from JSON to YAML
<https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html>`__.
.. note::
The second "sed" command is to comment out rules for rule renames.
`oslopolicy-sample-generator` does not comment out them, but they
are unnecessary in horizon usage. A single renaming rule can map
to multiple rules, so it does not work as-is. In addition,
they trigger deprecation warnings in horizon log if these sample
files are used in horizon as-is.
Thus, we comment them out by default.
After syncing policies from back-end services, you need to check what are
changed. If a policy referred by horizon has been changed, you need to check
and modify the horizon code base accordingly.
.. note::
After the support of default policies, the following tool does not work.
It is a future work to make it work again or evaluate the need itself.
To summarize which policies are removed or added, a convenient tool is
provided:
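Review bot: `oslopolicy-sample-generator --namespace keystone` should be `--namespace $PROJECT` to match the `${PROJECT}_policy.yaml` output path on the next line; as written, looping over the five services would regenerate every sample file from keystone's policies. In the same section, `register_defautls` in the `openstack_auth/policy.py` bullet should read `register_defaults` (the method `_load_default_rules` actually calls), 'The second "sed" command' refers to the only sed command in the block, and the first `.. code-block:: console` is followed by prose rather than a command, so the dump command ends up outside its literal block. Smaller wording fixes: "covered by horizon supports" (support), "and and dump" (dump), "after install a corresponding project" (installing), and the trailing note that "the following tool does not work" would read better if it said which tool and whether the section is being kept deliberately.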

6
lower-constraints.txt

@ -56,16 +56,16 @@ os-service-types==1.2.0
osc-lib==1.8.0
oslo.concurrency==3.26.0
oslo.config==5.2.0
oslo.context==2.19.2
oslo.context==2.22.0
oslo.i18n==3.15.3
oslo.log==3.36.0
oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.policy==1.30.0
oslo.policy==3.2.0
oslo.serialization==2.18.0
oslo.service==1.24.0
oslo.upgradecheck==0.1.1
oslo.utils==3.33.0
oslo.utils==3.40.0
osprofiler==2.3.0
Paste==2.0.2
PasteDeploy==1.5.0
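Review bot: The oslo.policy floor moves from 1.30.0 to 3.2.0 here; requirements.txt (in the change list, not shown) should carry the same minimum, and the release note should state it, because the `deprecated_rule`, `scope_types` and `register_defaults` calls in openstack_auth/policy.py depend on the newer API and an installation pinned to the old floor would fail at enforcer construction rather than at import time.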

1
openstack_auth/defaults.py

@ -170,3 +170,4 @@ KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
POLICY_FILES_PATH = ''
POLICY_FILES = {}
POLICY_DIRS = {}
DEFAULT_POLICY_FILES = {}
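Review bot: The empty default here conflicts with the populated mapping documented as the default in doc/source/configuration/settings.rst. With `{}`, `_load_default_rules` logs "Default policy file for %s is not defined" for every service and registers no defaults, so please confirm that openstack_dashboard/defaults.py (17 lines changed in this commit) supplies the documented mapping and that the doc makes clear which package's default applies to a given deployment.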

48
openstack_auth/policy.py

@ -20,6 +20,7 @@ from django.conf import settings
from oslo_config import cfg
from oslo_policy import opts as policy_opts
from oslo_policy import policy
import yaml
from openstack_auth import user as auth_user
from openstack_auth import utils as auth_utils
@ -55,6 +56,51 @@ def _get_policy_file_with_full_path(service):
return policy_file, policy_dirs
def _convert_to_ruledefault(p):
deprecated = p.get('deprecated_rule')
if deprecated:
deprecated_rule = policy.DeprecatedRule(deprecated['name'],
deprecated['check_str'])
else:
deprecated_rule = None
return policy.RuleDefault(
p['name'], p['check_str'],
description=p['description'],
scope_types=p['scope_types'],
deprecated_rule=deprecated_rule,
deprecated_for_removal=p.get('deprecated_for_removal', False),
deprecated_reason=p.get('deprecated_reason'),
deprecated_since=p.get('deprecated_since'),
)
def _load_default_rules(service, enforcer):
policy_files = settings.DEFAULT_POLICY_FILES
try:
policy_file = os.path.join(_BASE_PATH, policy_files[service])
except KeyError:
LOG.error('Default policy file for %s is not defined. '
'Check DEFAULT_POLICY_FILES setting.', service)
return
try:
with open(policy_file) as f:
policies = yaml.safe_load(f)
except IOError as e:
LOG.error('Failed to open the policy file for %(service)s %(path)s: '
'%(reason)s',
{'service': service, 'path': policy_file, 'reason': e})
return
except yaml.YAMLError as e:
LOG.error('Failed to load the default policies for %(service)s: '
'%(reason)s', {'service': service, 'reason': e})
return
defaults = [_convert_to_ruledefault(p) for p in policies]
enforcer.register_defaults(defaults)
def _get_enforcer():
global _ENFORCER
if not _ENFORCER:
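Review bot: `_load_default_rules` only catches IOError and yaml.YAMLError, but `_convert_to_ruledefault` indexes `p['name']`, `p['check_str']`, `p['description']` and `p['scope_types']` directly, and `policies` is None when the YAML file is empty, so a malformed or empty default file raises KeyError or TypeError out of `_get_enforcer` and breaks every policy check for that service instead of producing the logged, recoverable failure the other branches aim for. Either use `.get` consistently (as is already done for the `deprecated_*` fields) and validate that `policies` is a list before the comprehension, or catch those errors around the comprehension and log them the same way. A short docstring on both helpers describing the expected YAML entry shape (keys, which are optional) would also help whoever maintains dump_default_policies.py keep the two sides in sync.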
@ -64,6 +110,8 @@ def _get_enforcer():
policy_file, policy_dirs = _get_policy_file_with_full_path(service)
conf = _get_policy_conf(policy_file, policy_dirs)
enforcer = policy.Enforcer(conf)
enforcer.suppress_default_change_warnings = True
_load_default_rules(service, enforcer)
try:
enforcer.load_rules()
except IOError:
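Review bot: `enforcer.suppress_default_change_warnings = True` silences oslo.policy's warning that an operator-supplied rule differs from the registered default, which is exactly the signal an operator reviewing a policy override wants after upgrading; please add a comment explaining why it is suppressed in horizon (the doc hunk mentions that the sample files would otherwise trigger deprecation warnings), or make it a setting so deployers can re-enable it. Calling `_load_default_rules` before `load_rules` is the right order, since the defaults must be registered before the operator file is layered on top.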

147
openstack_dashboard/conf/cinder_policy.json

@ -1,147 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
"admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
"volume:attachment_create": "",
"volume:attachment_update": "rule:admin_or_owner",
"volume:attachment_delete": "rule:admin_or_owner",
"volume:attachment_complete": "rule:admin_or_owner",
"volume:multiattach_bootable_volume": "rule:admin_or_owner",
"message:get_all": "rule:admin_or_owner",
"message:get": "rule:admin_or_owner",
"message:delete": "rule:admin_or_owner",
"clusters:get_all": "rule:admin_api",
"clusters:get": "rule:admin_api",
"clusters:update": "rule:admin_api",
"workers:cleanup": "rule:admin_api",
"volume:get_snapshot_metadata": "rule:admin_or_owner",
"volume:update_snapshot_metadata": "rule:admin_or_owner",
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
"volume:get_all_snapshots": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume:create_snapshot": "rule:admin_or_owner",
"volume:get_snapshot": "rule:admin_or_owner",
"volume:update_snapshot": "rule:admin_or_owner",
"volume:delete_snapshot": "rule:admin_or_owner",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
"snapshot_extension:list_manageable": "rule:admin_api",
"snapshot_extension:snapshot_manage": "rule:admin_api",
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
"backup:get_all": "rule:admin_or_owner",
"backup:backup_project_attribute": "rule:admin_api",
"backup:create": "",
"backup:get": "rule:admin_or_owner",
"backup:update": "rule:admin_or_owner",
"backup:delete": "rule:admin_or_owner",
"backup:restore": "rule:admin_or_owner",
"backup:backup-import": "rule:admin_api",
"backup:export-import": "rule:admin_api",
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
"group:get_all": "rule:admin_or_owner",
"group:create": "",
"group:get": "rule:admin_or_owner",
"group:update": "rule:admin_or_owner",
"group:group_project_attribute": "rule:admin_api",
"group:group_types_manage": "rule:admin_api",
"group:access_group_types_specs": "rule:admin_api",
"group:group_types_specs": "rule:admin_api",
"group:get_all_group_snapshots": "rule:admin_or_owner",
"group:create_group_snapshot": "",
"group:get_group_snapshot": "rule:admin_or_owner",
"group:delete_group_snapshot": "rule:admin_or_owner",
"group:update_group_snapshot": "rule:admin_or_owner",
"group:group_snapshot_project_attribute": "rule:admin_api",
"group:reset_group_snapshot_status": "rule:admin_or_owner",
"group:delete": "rule:admin_or_owner",
"group:reset_status": "rule:admin_api",
"group:enable_replication": "rule:admin_or_owner",
"group:disable_replication": "rule:admin_or_owner",
"group:failover_replication": "rule:admin_or_owner",
"group:list_replication_targets": "rule:admin_or_owner",
"volume_extension:qos_specs_manage:get_all": "rule:admin_api",
"volume_extension:qos_specs_manage:get": "rule:admin_api",
"volume_extension:qos_specs_manage:create": "rule:admin_api",
"volume_extension:qos_specs_manage:update": "rule:admin_api",
"volume_extension:qos_specs_manage:delete": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",
"volume_extension:quotas:show": "rule:admin_or_owner",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quotas:delete": "rule:admin_api",
"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
"volume_extension:capabilities": "rule:admin_api",
"volume_extension:services:index": "rule:admin_api",
"volume_extension:services:update": "rule:admin_api",
"volume:freeze_host": "rule:admin_api",
"volume:thaw_host": "rule:admin_api",
"volume:failover_host": "rule:admin_api",
"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"limits_extension:used_limits": "rule:admin_or_owner",
"volume_extension:list_manageable": "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:type_get": "",
"volume_extension:type_get_all": "",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption",
"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
"volume:extend": "rule:admin_or_owner",
"volume:extend_attached_volume": "rule:admin_or_owner",
"volume:revert_to_snapshot": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume:retype": "rule:admin_or_owner",
"volume:update_readonly_flag": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_actions:upload_public": "rule:admin_api",
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner",
"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner",
"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner",
"volume_extension:volume_actions:reserve": "rule:admin_or_owner",
"volume_extension:volume_actions:unreserve": "rule:admin_or_owner",
"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner",
"volume_extension:volume_actions:attach": "rule:admin_or_owner",
"volume_extension:volume_actions:detach": "rule:admin_or_owner",
"volume:get_all_transfers": "rule:admin_or_owner",
"volume:create_transfer": "rule:admin_or_owner",
"volume:get_transfer": "rule:admin_or_owner",
"volume:accept_transfer": "",
"volume:delete_transfer": "rule:admin_or_owner",
"volume:get_volume_metadata": "rule:admin_or_owner",
"volume:create_volume_metadata": "rule:admin_or_owner",
"volume:update_volume_metadata": "rule:admin_or_owner",
"volume:delete_volume_metadata": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
"volume:update_volume_admin_metadata": "rule:admin_api",
"volume_extension:types_extra_specs:index": "rule:admin_api",
"volume_extension:types_extra_specs:create": "rule:admin_api",
"volume_extension:types_extra_specs:show": "rule:admin_api",
"volume_extension:types_extra_specs:update": "rule:admin_api",
"volume_extension:types_extra_specs:delete": "rule:admin_api",
"volume:create": "",
"volume:create_from_image": "",
"volume:get": "rule:admin_or_owner",
"volume:get_all": "rule:admin_or_owner",
"volume:update": "rule:admin_or_owner",
"volume:delete": "rule:admin_or_owner",
"volume:force_delete": "rule:admin_api",
"volume_extension:volume_host_attribute": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume:multiattach": "rule:admin_or_owner"
}

646
openstack_dashboard/conf/cinder_policy.yaml

@ -0,0 +1,646 @@
# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Create attachment.
# POST /attachments
#"volume:attachment_create": ""
# Update attachment.
# PUT /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"
# Delete attachment.
# DELETE /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"
# Mark a volume attachment process as completed (in-use)
# POST /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"
# Allow multiattach of bootable volumes.
# POST /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"
# List messages.
# GET /messages
#"message:get_all": "rule:admin_or_owner"
# Show message.
# GET /messages/{message_id}
#"message:get": "rule:admin_or_owner"
# Delete message.
# DELETE /messages/{message_id}
#"message:delete": "rule:admin_or_owner"
# List clusters.
# GET /clusters
# GET /clusters/detail
#"clusters:get_all": "rule:admin_api"
# Show cluster.
# GET /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"
# Update cluster.
# PUT /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"
# Clean up workers.
# POST /workers/cleanup
#"workers:cleanup": "rule:admin_api"
# Show snapshot's metadata or one specified metadata with a given key.
# GET /snapshots/{snapshot_id}/metadata
# GET /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"
# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT /snapshots/{snapshot_id}/metadata
# PUT /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"
# Delete snapshot's specified metadata with a given key.
# DELETE /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"
# List snapshots.
# GET /snapshots
# GET /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"
# List or show snapshots with extended attributes.
# GET /snapshots/{snapshot_id}
# GET /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
# Create snapshot.
# POST /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"
# Show snapshot.
# GET /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"
# Update snapshot.
# PUT /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"
# Delete snapshot.
# DELETE /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"
# Reset status of a snapshot.
# POST /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
# Update database fields of snapshot.
# POST /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""
# Force delete a snapshot.
# POST /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
# List (in detail) of snapshots which are available to manage.
# GET /manageable_snapshots
# GET /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"
# Manage an existing snapshot.
# POST /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"
# Stop managing a snapshot.
# POST /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"
# List backups.
# GET /backups
# GET /backups/detail
#"backup:get_all": "rule:admin_or_owner"
# List backups or show backup with project attributes.
# GET /backups/{backup_id}
# GET /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"
# Create backup.
# POST /backups
#"backup:create": ""
# Show backup.
# GET /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"
# Update backup.
# PUT /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"
# Delete backup.
# DELETE /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"
# Restore backup.
# POST /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"
# Import backup.
# POST /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"
# Export backup.
# POST /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"
# Reset status of a backup.
# POST /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
# Force delete a backup.
# POST /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
# List groups.
# GET /groups
# GET /groups/detail
#"group:get_all": "rule:admin_or_owner"
# Create group.
# POST /groups
#"group:create": ""
# Show group.
# GET /groups/{group_id}
#"group:get": "rule:admin_or_owner"
# Update group.
# PUT /groups/{group_id}
#"group:update": "rule:admin_or_owner"
# List groups or show group with project attributes.
# GET /groups/{group_id}
# GET /groups/detail
#"group:group_project_attribute": "rule:admin_api"
# Create, update or delete a group type.
# POST /group_types/
# PUT /group_types/{group_type_id}
# DELETE /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"
# Show group type with type specs attributes.
# GET /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"
# Create, show, update and delete group type spec.
# GET /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET /group_types/{group_type_id}/group_specs
# POST /group_types/{group_type_id}/group_specs
# PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"
# List group snapshots.
# GET /group_snapshots
# GET /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"
# Create group snapshot.
# POST /group_snapshots
#"group:create_group_snapshot": ""
# Show group snapshot.
# GET /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"
# Delete group snapshot.
# DELETE /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"
# Update group snapshot.
# PUT /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"
# List group snapshots or show group snapshot with project attributes.
# GET /group_snapshots/{group_snapshot_id}
# GET /group_snapshots/detail
#"group:group_snapshot_project_attribute": "rule:admin_api"
# Reset status of group snapshot.
# POST /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_or_owner"
# Delete group.
# POST /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"
# Reset status of group.
# POST /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"
# Enable replication.
# POST /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"
# Disable replication.
# POST /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"
# Fail over replication.
# POST /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"
# List failover replication.
# POST /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"
# List qos specs or list all associations.
# GET /qos-specs
# GET /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"
# Show qos specs.
# GET /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"
# Create qos specs.
# POST /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"
# Update qos specs (including updating association).
# PUT /qos-specs/{qos_id}
# GET /qos-specs/{qos_id}/disassociate_all
# GET /qos-specs/{qos_id}/associate
# GET /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"
# delete qos specs or unset one specified qos key.
# DELETE /qos-specs/{qos_id}
# PUT /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"
# Show or update project quota class.
# GET /os-quota-class-sets/{project_id}
# PUT /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"
# Show project quota (including usage and default).
# GET /os-quota-sets/{project_id}
# GET /os-quota-sets/{project_id}/default
# GET /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"
# Update project quota.
# PUT /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"
# Delete project quota.
# DELETE /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"
# Validate setup for nested quota.
# GET /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
# Show backend capabilities.
# GET /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"
# List all services.
# GET /os-services
#"volume_extension:services:index": "rule:admin_api"
# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"
# Freeze a backend host.
# PUT /os-services/freeze
#"volume:freeze_host": "rule:admin_api"
# Thaw a backend host.
# PUT /os-services/thaw
#"volume:thaw_host": "rule:admin_api"
# Failover a backend host.
# PUT /os-services/failover_host
#"volume:failover_host": "rule:admin_api"
# List all backend pools.
# GET /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
# List, update or show hosts for a project.
# GET /os-hosts
# PUT /os-hosts/{host_name}
# GET /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"
# Show limits with used limit attributes.
# GET /limits
#"limits_extension:used_limits": "rule:admin_or_owner"
# List (in detail) of volumes which are available to manage.
# GET /manageable_volumes
# GET /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"
# Manage existing volumes.
# POST /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"
# Stop managing a volume.
# POST /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"
# Create, update and delete volume type.
# POST /types
# PUT /types
# DELETE /types
#"volume_extension:types_manage": "rule:admin_api"
# Get one specific volume type.
# GET /types/{type_id}
#"volume_extension:type_get": ""
# List volume types.
# GET /types/
#"volume_extension:type_get_all": ""
# Base policy for all volume type encryption type operations. This
# can be used to set the policies for a volume type's encryption type
# create, show, update, and delete actions in one place, or any of
# those may be set individually using the following policy targets for
# finer grained control.
# POST /types/{type_id}/encryption
# PUT /types/{type_id}/encryption/{encryption_id}
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"
# Create volume type encryption.
# POST /types/{type_id}/encryption
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"
# Show a volume type's encryption type, show an encryption specs item.
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"
# Update volume type encryption.
# PUT /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"
# Delete volume type encryption.
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"
# List or show volume type with access type extra specs attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"
# List or show volume type with access type qos specs id attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"
# Volume type access related APIs.
# GET /types
# GET /types/detail
# GET /types/{type_id}
# POST /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"
# Add volume type access for project.
# POST /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
# Remove volume type access for project.
# POST /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
# Extend a volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"
# Extend a attached volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"
# Revert a volume to a snapshot.
# POST /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"
# Reset status of a volume.
# POST /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
# Retype a volume.
# POST /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"
# Update a volume's readonly flag.
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"
# Force delete a volume.
# POST /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
# Upload a volume to image with public visibility.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"
# Upload a volume to image.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
# Force detach a volume.
# POST /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
# migrate a volume to a specified host.
# POST /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
# Complete a volume migration.
# POST /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
# Initialize volume attachment.
# POST /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
# Terminate volume attachment.
# POST /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
# Roll back volume status to 'in-use'.
# POST /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
# Mark volume as reserved.
# POST /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
# Unmark volume as reserved.
# POST /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
# Begin detach volumes.
# POST /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
# Add attachment metadata.
# POST /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"
# Clear attachment metadata.
# POST /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"
# List volume transfer.
# GET /os-volume-transfer
# GET /os-volume-transfer/detail
# GET /volume_transfers
# GET /volume-transfers/detail
#"volume:get_all_transfers": "rule:admin_or_owner"
# Create a volume transfer.
# POST /os-volume-transfer
# POST /volume_transfers
#"volume:create_transfer": "rule:admin_or_owner"
# Show one specified volume transfer.
# GET /os-volume-transfer/{transfer_id}
# GET /volume-transfers/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"
# Accept a volume transfer.
# POST /os-volume-transfer/{transfer_id}/accept
# POST /volume-transfers/{transfer_id}/accept
#"volume:accept_transfer": ""
# Delete volume transfer.
# DELETE /os-volume-transfer/{transfer_id}
# DELETE /volume-transfers/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"
# Show volume's metadata or one specified metadata with a given key.
# GET /volumes/{volume_id}/metadata
# GET /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"
# Create volume metadata.
# POST /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"
# Update volume's metadata or one specified metadata with a given key.
# PUT /volumes/{volume_id}/metadata
# PUT /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"
# Delete volume's specified metadata with a given key.
# DELETE /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"
# Volume's image metadata related operation, create, delete, show and
# list.
# GET /volumes/detail
# GET /volumes/{volume_id}
# POST /volumes/{volume_id}/action (os-set_image_metadata)
# POST /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"
# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
# POST /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"
# List type extra specs.
# GET /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"
# Create type extra specs.
# POST /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"
# Show one specified type extra specs.
# GET /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"
# Update type extra specs.
# PUT /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"
# Delete type extra specs.
# DELETE /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"
# Create volume.
# POST /volumes
#"volume:create": ""
# Create volume from image.
# POST /volumes
#"volume:create_from_image": ""
# Show volume.
# GET /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"
# List volumes or get summary of volumes.
# GET /volumes
# GET /volumes/detail
# GET /volumes/summary
#"volume:get_all": "rule:admin_or_owner"
# Update volume or update a volume's bootable status.
# PUT /volumes
# POST /volumes/{volume_id}/action (os-set_bootable)
#"volume:update": "rule:admin_or_owner"
# Delete volume.
# DELETE /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"
# Force Delete a volume.
# DELETE /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"
# List or show volume with host attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"
# List or show volume with tenant attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
# List or show volume with migration status attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"
# Show volume's encryption metadata.
# GET /volumes/{volume_id}/encryption
# GET /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
# Create multiattach capable volume.
# POST /volumes
#"volume:multiattach": "rule:admin_or_owner"
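Review bot: nothing in the visible part of this sample tells an operator that every rule is deliberately commented out and only takes effect once it is uncommented and edited, nor what `rule:admin_api` and `rule:admin_or_owner` (L730, L747 and throughout) resolve to, since those rule definitions are not in this region of the hunk; a one-line pointer to `default_policies/README.txt` or a generator comment at the top of the file would close that gap. Worth a sentence in the release note as well: several rules ship with the empty check string, for example `#"volume:accept_transfer": ""` (L890), `#"volume:create": ""` (L938) and `#"volume_extension:type_get": ""` (L765); oslo.policy treats an empty check string as always true, so the dashboard will offer those actions to every authenticated user unless the operator overrides them.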

12
openstack_dashboard/conf/default_policies/README.txt

@ -0,0 +1,12 @@
This folder contains default policies of back-end services.
They are generated based on policy-in-code in back-end services.
Operators are not expected to edit them.
To update these files, run the following command:
python manage.py dump_default_policies \
--namespace <service> \
--output-file openstack_dashboard/conf/default_policies/<service>.yaml
<service> must be a namespace under oslo.policy.policies to query and
we use "keystone", "nova", "cinder", "neutron" and "glance".
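Review bot: the README does not record which release of each back-end service the generated files came from. Per line 991 the namespace is queried through the `oslo.policy.policies` entry point, so `dump_default_policies` reads whichever cinder/glance/keystone/neutron/nova package is installed where `manage.py` runs, and two contributors can get different output from the same command. Suggest adding the upstream version (or commit) either to a header in each generated file or to this README next to the command. Minor wording: the last sentence reads better as "`<service>` must be a namespace registered under the `oslo.policy.policies` entry point; the namespaces used here are keystone, nova, cinder, neutron and glance."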

1137
openstack_dashboard/conf/default_policies/cinder.yaml
File diff suppressed because it is too large
View File


280
openstack_dashboard/conf/default_policies/glance.yaml

@ -0,0 +1,280 @@
- check_str: ''
deprecated_reason: In order to allow operators to accept the default policies from
code by not defining them in the policy file, while still working with old policy
files that rely on the ``default`` rule for policies that are not specified in
the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"``
when that is the desired default for unspecified rules.
deprecated_rule:
check_str: role:admin
name: default
deprecated_since: Ussuri
description: Defines the default rule used for policies that historically had an
empty policy in the supplied policy.json file.
name: default
operations: []
scope_types: null
- check_str: role:admin
description: Defines the rule for the is_admin:True check.
name: context_is_admin
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_images
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_image
operations: []
scope_types: null
- check_str: role:admin
description: null
name: publicize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: communitize_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: download_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: upload_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: set_image_location
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_member
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_members
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_member
operations: []
scope_types: null
- check_str: role:admin
description: null
name: manage_image_cache
operations: []
scope_types: null
- check_str: rule:default
description: null
name: deactivate
operations: []
scope_types: null
- check_str: rule:default
description: null
name: reactivate
operations: []
scope_types: null
- check_str: role:admin
description: null
name: copy_image
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_task
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_tasks
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_task
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_task
operations: []
scope_types: null
- check_str: role:admin
description: null
name: tasks_api_access
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_namespaces
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_namespace
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_objects
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_object
operations: []
scope_types: null
- check_str: rule:default
description: null
name: list_metadef_resource_types
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_resource_type
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
description: null
name: remove_metadef_resource_type_association
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_properties
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: remove_metadef_property
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: get_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
description: null
name: modify_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: add_metadef_tags
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_tag
operations: []
scope_types: null
- check_str: rule:default
description: null
name: delete_metadef_tags
operations: []
scope_types: null
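Review bot: `default` (L1003-L1017) carries `check_str: ''` with a deprecated `role:admin` variant, and almost every other glance rule in this file is `rule:default`, so the effective default for `add_image`, `delete_image`, `modify_image` and the member and metadef rules is the empty check string, which oslo.policy evaluates as always true. That matches upstream glance, but it also means any rule name the dashboard checks that is not registered here falls through to allow rather than to `role:admin`. If Horizon's loader applies oslo.policy's deprecation handling (the new check OR-ed with the deprecated one while the deprecation is active) the outcome for `default` is the same either way, so a unit test asserting that an unknown glance rule name is allowed, and that an operator-supplied `default: role:admin` in the policy file still wins, would pin the intended behaviour down. Consumers of this file should also tolerate `description: null` (L1024 onward) rather than assume a string.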

2954
openstack_dashboard/conf/default_policies/keystone.yaml
File diff suppressed because it is too large

1511
openstack_dashboard/conf/default_policies/neutron.yaml
File diff suppressed because it is too large

3103
openstack_dashboard/conf/default_policies/nova.yaml
File diff suppressed because it is too large

63
openstack_dashboard/conf/glance_policy.json

@ -1,63 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}
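Review bot: two things change silently with this deletion. `copy_from` (L1313) has no counterpart in the generated defaults or the new sample in this change (`copy_image` with `role:admin` is a different rule), so a dashboard check for that name, if any remains, now depends on the `default` fallback instead of an explicit rule; and `default` itself goes from `role:admin` (L1305) to the empty check string in the new defaults, so an unregistered rule name that used to be admin-only now evaluates to allow. Suggest grepping the dashboard for rule names that exist only in this file before merge and calling out the changed fallback in the release note.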

121
openstack_dashboard/conf/glance_policy.yaml

@ -0,0 +1,121 @@
# Defines the default rule used for policies that historically had an
# empty policy in the supplied policy.json file.
#"default": ""
# DEPRECATED
# "default":"role:admin" has been deprecated since Ussuri in favor of
# "default":"".
# In order to allow operators to accept the default policies from code
# by not defining them in the policy file, while still working with
# old policy files that rely on the ``default`` rule for policies that
# are not specified in the policy file, the ``default`` rule must now
# be explicitly set to ``"role:admin"`` when that is the desired
# default for unspecified rules.
# Defines the rule for the is_admin:True check.
#"context_is_admin": "role:admin"
#"add_image": "rule:default"
#"delete_image": "rule:default"
#"get_image": "rule:default"
#"get_images": "rule:default"
#"modify_image": "rule:default"
#"publicize_image": "role:admin"
#"communitize_image": "rule:default"
#"download_image": "rule:default"
#"upload_image": "rule:default"
#"delete_image_location": "rule:default"
#"get_image_location": "rule:default"
#"set_image_location": "rule:default"
#"add_member": "rule:default"
#"delete_member": "rule:default"
#"get_member": "rule:default"
#"get_members": "rule:default"
#"modify_member": "rule:default"
#"manage_image_cache": "role:admin"
#"deactivate": "rule:default"
#"reactivate": "rule:default"
#"copy_image": "role:admin"
#"get_task": "rule:default"
#"get_tasks": "rule:default"
#"add_task": "rule:default"
#"modify_task": "rule:default"
#"tasks_api_access": "role:admin"
#"get_metadef_namespace": "rule:default"
#"get_metadef_namespaces": "rule:default"
#"modify_metadef_namespace": "rule:default"
#"add_metadef_namespace": "rule:default"
#"delete_metadef_namespace": "rule:default"
#"get_metadef_object": "rule:default"
#"get_metadef_objects": "rule:default"
#"modify_metadef_object": "rule:default"
#"add_metadef_object": "rule:default"
#"delete_metadef_object": "rule:default"
#"list_metadef_resource_types": "rule:default"
#"get_metadef_resource_type": "rule:default"
#"add_metadef_resource_type_association": "rule:default"
#"remove_metadef_resource_type_association": "rule:default"
#"get_metadef_property": "rule:default"
#"get_metadef_properties": "rule:default"
#"modify_metadef_property": "rule:default"
#"add_metadef_property": "rule:default"
#"remove_metadef_property": "rule:default"
#"get_metadef_tag": "rule:default"
#"get_metadef_tags": "rule:default"
#"modify_metadef_tag": "rule:default"
#"add_metadef_tag": "rule:default"
#"add_metadef_tags": "rule:default"
#"delete_metadef_tag": "rule:default"
#"delete_metadef_tags": "rule:default"
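Review bot: the DEPRECATED block (L1361-L1369) explains the `default` change, but unlike the cinder sample the glance rules here have no per-rule description, and nothing in the hunk says that the file is a generated sample in which every line is commented out on purpose. An operator reading `#"publicize_image": "role:admin"` (L1377) cannot tell from this file alone whether uncommenting it changes anything. A short header stating that the file is generated, from which glance release, and that only uncommented lines override `default_policies/glance.yaml` would make the sample self-explanatory.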

174
openstack_dashboard/conf/keystone_policy.json

@ -1,174 +0,0 @@
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner": "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"identity:authorize_request_token": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:create_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:get_security_compliance_domain_config": "",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required",
"identity:get_domain_config_default": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_provider": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:get_implied_role": "rule:admin_required",
"identity:list_implied_roles": "rule:admin_required",
"identity:create_implied_role": "rule:admin_required",
"identity:delete_implied_role": "rule:admin_required",
"identity:list_role_inference_rules": "rule:admin_required",
"identity:check_implied_role": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
"identity:create_policy_association_for_service": "rule:admin_required",
"identity:check_policy_association_for_service": "rule:admin_required",
"identity:delete_policy_association_for_service": "rule:admin_required",
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s",
"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s",
"identity:update_project_tags": "rule:admin_required",
"identity:create_project_tag": "rule:admin_required",
"identity:delete_project_tags": "rule:admin_required",
"identity:delete_project_tag": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",