Merge "Support policy-in-code and deprecated policy"

doc/source/configuration/settings.rst

@@ -136,6 +136,30 @@ the GUI. For example themes, see: /horizon/openstack_dashboard/themes/
 Horizon ships with two themes configured. 'default' is the default theme,
 and 'material' is based on Google's Material Design.
 
+DEFAULT_POLICY_FILES
+--------------------
+
+.. versionadded:: 19.1.0(Wallaby)
+
+Default:
+
+.. code-block:: python
+
+    {
+        'identity': 'default_policies/keystone.yaml',
+        'compute': 'default_policies/nova.yaml',
+        'volume': 'default_policies/cinder.yaml',
+        'image': 'default_policies/glance.yaml',
+        'network': 'default_policies/neutron.yaml',
+    }
+
+This is a mapping from service types to YAML files including default
+policy definitions. Values of this mapping should be relative paths to
+`POLICY_FILES_PATH`_ or absolute paths. Policy files specified in this
+setting are generated from default policies of back-end services,
+so you rarely need to configure it. If you would like to override the
+default policies, consider customizing files under `POLICY_FILES`_.
+
 DEFAULT_THEME
 -------------
 
@@ -792,20 +816,25 @@ POLICY_FILES
 
 .. versionadded:: 2013.2(Havana)
 
+.. versionchanged:: 19.1.0(Wallaby)
+
+   The default files are changed to YAML format.
+   JSON format still continues to be supported.
+
 Default:
 
 .. code-block:: python
 
     {
-        'compute': 'nova_policy.json',
-        'identity': 'keystone_policy.json',
-        'image': 'glance_policy.json',
-        'network': 'neutron_policy.json',
-        'volume': 'cinder_policy.json',
+        'compute': 'nova_policy.yaml',
+        'identity': 'keystone_policy.yaml',
+        'image': 'glance_policy.yaml',
+        'network': 'neutron_policy.yaml',
+        'volume': 'cinder_policy.yaml',
     }
 
 This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_
-to service types. When policy.json files are added to `POLICY_FILES_PATH`_,
+to service types. When policy files are added to `POLICY_FILES_PATH`_,
 they should be included here too.
 
 POLICY_FILES_PATH

doc/source/contributor/topics/policy.rst

@@ -29,6 +29,7 @@ engine to work.
 * ``POLICY_DIRS``
 * ``POLICY_FILES_PATH``
 * ``POLICY_FILES``
+* ``DEFAULT_POLICY_FILES``
 
 For more detail, see :doc:`/configuration/settings`.
 
@@ -154,32 +155,117 @@ override the :meth:`horizon.tables.Action.get_policy_target` method. This
 allows a programmatic way to specify the target based on the current datum. The
 value returned should be the target dictionary.
 
+Policy-in-Code and deprecated rules
+===================================
+
+As the effort of
+`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__,
+most OpenStack projects define their default policies in their codes.
+All projects (except swift) covered by horizon supports "policy-in-code".
+(Note that swift is an exception as it has its own mechanism to control RBAC.)
+
+"oslo.policy" provides a way to deprecate existing policy rules like
+renaming rule definitions ("check_str") and renaming rule names.
+They are defined as part of python codes in back-end services.
+horizon cannot import python codes of back-end services, so we need a way
+to restore policies defined by "policy-in-code" including deprecated rules.
+
+To address the above issue, horizon adopts the following two-step approach:
+
+* The first step scans policy-in-code of back-end services and
+  and dump the loaded default policies into YAML files per service
+  including information of deprecated rules.
+  This step is executed as part of the development process per release cycle
+  and these YAML files are shipped per release.
+
+  Note that `oslopolicy-sample-generator` does not output deprecated rules
+  in a structured way, so we prepare a dedicated script for this purpose
+  in the horizon repo.
+
+* The horizon policy implementation loads the above YAML file into a list of
+  RuleDefault and registers the list as the default rules to the policy
+  enforcer. The default rules and operator-defined rules are maintained
+  separately, so operators still can edit the policy files as oslo.policy
+  does in back-end services.
+
+This approach has the following merits:
+
+* All features supported by oslo.policy can be supported in horizon
+  as default rules in back-end services are restored as-is.
+  Horizon can evaluate deprecated rules.
+* The default rules and operator defined rules are maintained separately.
+  Operators can use the same way to maintain policy files of back-end services.
+
+The related files in the horizon codebase are:
+
+* `openstack_dashboard/conf/<service>_policy.yaml`:
+  operator-defined policies.
+  These files are generated by `oslopolicy-sample-generator`.
+* `openstack_dashboard/conf/default_policies/<service>.yaml`
+  YAML files contain default policies.
+* `openstack_dashboard/management/commands/dump_default_policies.py`:
+  This script scans policy-in-code of a specified namespace under
+  `oslo.policy.policies` entrypoints and dump them into the YAML file
+  under `openstack_dashboard/conf/default_policies`.
+* `openstack_auth/policy.py`: `_load_default_rules` function loads
+  the YAML files with default rules and call `register_defautls` method
+  of the policy enforcer per service.
+
 Policy file maintenance
 =======================
 
-The policy implementation uses the copies of policies defined in
-back-end services.
+* YAML files for default policies
 
-As of Queens, the OpenStack community are in the process of
-`policy-in-code <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`__.
-Some projects already define their policies in the code,
-and some still have their policies in ``policy.json`` files.
+  Run the following command after installing a corresponding project.
+  You need to run it for keystone, nova, cinder, neutron, glance.
 
-For project with the legacy ``policy.json`` files,
-what we need to do is just to copy ``policy.json`` into the horizon tree.
+  .. code-block:: console
 
-For projects with "policy-in-code", all policies are defined as python codes,
-so we first need to generate policy files with its default rules.
-To do this, run the following command after install a corresponding project.
+     python3 manage.py dump_default_policies \
+       --namespace $PROJECT \
+       --output-file openstack_dashboard/conf/default_policies/${PROJECT}.yaml
 
-.. code-block:: console
+* Sample policy files
 
-   oslopolicy-sample-generator --namespace $PROJECT --format json \
-       --output-file $HORIZON_REPO/openstack_dashboard/conf/$PROJECT_policy.json
+  Run the following commands after installing a corresponding project.
+  You need to run it for keystone, nova, cinder, neutron, glance.
+
+  .. code-block:: console
+
+     oslopolicy-sample-generator --namespace keystone \
+       --output-file openstack_dashboard/conf/${PROJECT}_policy.yaml
+     sed -i 's/^"/#"/' openstack_dashboard/conf/${PROJECT}_policy.yaml
+
+  .. note::
+
+     We now use YAML format for sample policy files now.
+     "oslo.policy" can accept both YAML and JSON files.
+     We now support default policies so there is no need to define all
+     policies using JSON files. YAML files also allows us to use comments,
+     so we can provide good sample policy files.
+     This is the same motivation as the Wallaby community goal
+     `Migrate RBAC Policy Format from JSON to YAML
+     <https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html>`__.
+
+  .. note::
+
+     The second "sed" command is to comment out rules for rule renames.
+     `oslopolicy-sample-generator` does not comment out them, but they
+     are unnecessary in horizon usage. A single renaming rule can map
+     to multiple rules, so it does not work as-is. In addition,
+     they trigger deprecation warnings in horizon log if these sample
+     files are used in horizon as-is.
+     Thus, we comment them out by default.
 
 After syncing policies from back-end services, you need to check what are
 changed. If a policy referred by horizon has been changed, you need to check
 and modify the horizon code base accordingly.
+
+.. note::
+
+   After the support of default policies, the following tool does not work.
+   It is a future work to make it work again or evaluate the need itself.
+
 To summarize which policies are removed or added, a convenient tool is
 provided:
 

lower-constraints.txt

@@ -56,16 +56,16 @@ os-service-types==1.2.0
 osc-lib==1.8.0
 oslo.concurrency==3.26.0
 oslo.config==5.2.0
-oslo.context==2.19.2
+oslo.context==2.22.0
 oslo.i18n==3.15.3
 oslo.log==3.36.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==1.30.0
+oslo.policy==3.2.0
 oslo.serialization==2.18.0
 oslo.service==1.24.0
 oslo.upgradecheck==0.1.1
-oslo.utils==3.33.0
+oslo.utils==3.40.0
 osprofiler==2.3.0
 Paste==2.0.2
 PasteDeploy==1.5.0

openstack_auth/defaults.py

@@ -170,3 +170,4 @@ KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
 POLICY_FILES_PATH = ''
 POLICY_FILES = {}
 POLICY_DIRS = {}
+DEFAULT_POLICY_FILES = {}

openstack_auth/policy.py

@@ -20,6 +20,7 @@ from django.conf import settings
 from oslo_config import cfg
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
+import yaml
 
 from openstack_auth import user as auth_user
 from openstack_auth import utils as auth_utils
@@ -55,6 +56,51 @@ def _get_policy_file_with_full_path(service):
     return policy_file, policy_dirs
 
 
+def _convert_to_ruledefault(p):
+    deprecated = p.get('deprecated_rule')
+    if deprecated:
+        deprecated_rule = policy.DeprecatedRule(deprecated['name'],
+                                                deprecated['check_str'])
+    else:
+        deprecated_rule = None
+
+    return policy.RuleDefault(
+        p['name'], p['check_str'],
+        description=p['description'],
+        scope_types=p['scope_types'],
+        deprecated_rule=deprecated_rule,
+        deprecated_for_removal=p.get('deprecated_for_removal', False),
+        deprecated_reason=p.get('deprecated_reason'),
+        deprecated_since=p.get('deprecated_since'),
+    )
+
+
+def _load_default_rules(service, enforcer):
+    policy_files = settings.DEFAULT_POLICY_FILES
+    try:
+        policy_file = os.path.join(_BASE_PATH, policy_files[service])
+    except KeyError:
+        LOG.error('Default policy file for %s is not defined. '
+                  'Check DEFAULT_POLICY_FILES setting.', service)
+        return
+
+    try:
+        with open(policy_file) as f:
+            policies = yaml.safe_load(f)
+    except IOError as e:
+        LOG.error('Failed to open the policy file for %(service)s %(path)s: '
+                  '%(reason)s',
+                  {'service': service, 'path': policy_file, 'reason': e})
+        return
+    except yaml.YAMLError as e:
+        LOG.error('Failed to load the default policies for %(service)s: '
+                  '%(reason)s', {'service': service, 'reason': e})
+        return
+
+    defaults = [_convert_to_ruledefault(p) for p in policies]
+    enforcer.register_defaults(defaults)
+
+
 def _get_enforcer():
     global _ENFORCER
     if not _ENFORCER:
@@ -64,6 +110,8 @@ def _get_enforcer():
             policy_file, policy_dirs = _get_policy_file_with_full_path(service)
             conf = _get_policy_conf(policy_file, policy_dirs)
             enforcer = policy.Enforcer(conf)
+            enforcer.suppress_default_change_warnings = True
+            _load_default_rules(service, enforcer)
             try:
                 enforcer.load_rules()
             except IOError:

openstack_dashboard/conf/cinder_policy.json

@@ -1,147 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
-    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
-    "volume:attachment_create": "",
-    "volume:attachment_update": "rule:admin_or_owner",
-    "volume:attachment_delete": "rule:admin_or_owner",
-    "volume:attachment_complete": "rule:admin_or_owner",
-    "volume:multiattach_bootable_volume": "rule:admin_or_owner",
-    "message:get_all": "rule:admin_or_owner",
-    "message:get": "rule:admin_or_owner",
-    "message:delete": "rule:admin_or_owner",
-    "clusters:get_all": "rule:admin_api",
-    "clusters:get": "rule:admin_api",
-    "clusters:update": "rule:admin_api",
-    "workers:cleanup": "rule:admin_api",
-    "volume:get_snapshot_metadata": "rule:admin_or_owner",
-    "volume:update_snapshot_metadata": "rule:admin_or_owner",
-    "volume:delete_snapshot_metadata": "rule:admin_or_owner",
-    "volume:get_all_snapshots": "rule:admin_or_owner",
-    "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
-    "volume:create_snapshot": "rule:admin_or_owner",
-    "volume:get_snapshot": "rule:admin_or_owner",
-    "volume:update_snapshot": "rule:admin_or_owner",
-    "volume:delete_snapshot": "rule:admin_or_owner",
-    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
-    "snapshot_extension:snapshot_actions:update_snapshot_status": "",
-    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
-    "snapshot_extension:list_manageable": "rule:admin_api",
-    "snapshot_extension:snapshot_manage": "rule:admin_api",
-    "snapshot_extension:snapshot_unmanage": "rule:admin_api",
-    "backup:get_all": "rule:admin_or_owner",
-    "backup:backup_project_attribute": "rule:admin_api",
-    "backup:create": "",
-    "backup:get": "rule:admin_or_owner",
-    "backup:update": "rule:admin_or_owner",
-    "backup:delete": "rule:admin_or_owner",
-    "backup:restore": "rule:admin_or_owner",
-    "backup:backup-import": "rule:admin_api",
-    "backup:export-import": "rule:admin_api",
-    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
-    "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
-    "group:get_all": "rule:admin_or_owner",
-    "group:create": "",
-    "group:get": "rule:admin_or_owner",
-    "group:update": "rule:admin_or_owner",
-    "group:group_project_attribute": "rule:admin_api",
-    "group:group_types_manage": "rule:admin_api",
-    "group:access_group_types_specs": "rule:admin_api",
-    "group:group_types_specs": "rule:admin_api",
-    "group:get_all_group_snapshots": "rule:admin_or_owner",
-    "group:create_group_snapshot": "",
-    "group:get_group_snapshot": "rule:admin_or_owner",
-    "group:delete_group_snapshot": "rule:admin_or_owner",
-    "group:update_group_snapshot": "rule:admin_or_owner",
-    "group:group_snapshot_project_attribute": "rule:admin_api",
-    "group:reset_group_snapshot_status": "rule:admin_or_owner",
-    "group:delete": "rule:admin_or_owner",
-    "group:reset_status": "rule:admin_api",
-    "group:enable_replication": "rule:admin_or_owner",
-    "group:disable_replication": "rule:admin_or_owner",
-    "group:failover_replication": "rule:admin_or_owner",
-    "group:list_replication_targets": "rule:admin_or_owner",
-    "volume_extension:qos_specs_manage:get_all": "rule:admin_api",
-    "volume_extension:qos_specs_manage:get": "rule:admin_api",
-    "volume_extension:qos_specs_manage:create": "rule:admin_api",
-    "volume_extension:qos_specs_manage:update": "rule:admin_api",
-    "volume_extension:qos_specs_manage:delete": "rule:admin_api",
-    "volume_extension:quota_classes": "rule:admin_api",
-    "volume_extension:quotas:show": "rule:admin_or_owner",
-    "volume_extension:quotas:update": "rule:admin_api",
-    "volume_extension:quotas:delete": "rule:admin_api",
-    "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
-    "volume_extension:capabilities": "rule:admin_api",
-    "volume_extension:services:index": "rule:admin_api",
-    "volume_extension:services:update": "rule:admin_api",
-    "volume:freeze_host": "rule:admin_api",
-    "volume:thaw_host": "rule:admin_api",
-    "volume:failover_host": "rule:admin_api",
-    "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api",
-    "volume_extension:hosts": "rule:admin_api",
-    "limits_extension:used_limits": "rule:admin_or_owner",
-    "volume_extension:list_manageable": "rule:admin_api",
-    "volume_extension:volume_manage": "rule:admin_api",
-    "volume_extension:volume_unmanage": "rule:admin_api",
-    "volume_extension:types_manage": "rule:admin_api",
-    "volume_extension:type_get": "",
-    "volume_extension:type_get_all": "",
-    "volume_extension:volume_type_encryption": "rule:admin_api",
-    "volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption",
-    "volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption",
-    "volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption",
-    "volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption",
-    "volume_extension:access_types_extra_specs": "rule:admin_api",
-    "volume_extension:access_types_qos_specs_id": "rule:admin_api",
-    "volume_extension:volume_type_access": "rule:admin_or_owner",
-    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
-    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
-    "volume:extend": "rule:admin_or_owner",
-    "volume:extend_attached_volume": "rule:admin_or_owner",
-    "volume:revert_to_snapshot": "rule:admin_or_owner",
-    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
-    "volume:retype": "rule:admin_or_owner",
-    "volume:update_readonly_flag": "rule:admin_or_owner",
-    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
-    "volume_extension:volume_actions:upload_public": "rule:admin_api",
-    "volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
-    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
-    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
-    "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
-    "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner",
-    "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner",
-    "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner",
-    "volume_extension:volume_actions:reserve": "rule:admin_or_owner",
-    "volume_extension:volume_actions:unreserve": "rule:admin_or_owner",
-    "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner",
-    "volume_extension:volume_actions:attach": "rule:admin_or_owner",
-    "volume_extension:volume_actions:detach": "rule:admin_or_owner",
-    "volume:get_all_transfers": "rule:admin_or_owner",
-    "volume:create_transfer": "rule:admin_or_owner",
-    "volume:get_transfer": "rule:admin_or_owner",
-    "volume:accept_transfer": "",
-    "volume:delete_transfer": "rule:admin_or_owner",
-    "volume:get_volume_metadata": "rule:admin_or_owner",
-    "volume:create_volume_metadata": "rule:admin_or_owner",
-    "volume:update_volume_metadata": "rule:admin_or_owner",
-    "volume:delete_volume_metadata": "rule:admin_or_owner",
-    "volume_extension:volume_image_metadata": "rule:admin_or_owner",
-    "volume:update_volume_admin_metadata": "rule:admin_api",
-    "volume_extension:types_extra_specs:index": "rule:admin_api",
-    "volume_extension:types_extra_specs:create": "rule:admin_api",
-    "volume_extension:types_extra_specs:show": "rule:admin_api",
-    "volume_extension:types_extra_specs:update": "rule:admin_api",
-    "volume_extension:types_extra_specs:delete": "rule:admin_api",
-    "volume:create": "",
-    "volume:create_from_image": "",
-    "volume:get": "rule:admin_or_owner",
-    "volume:get_all": "rule:admin_or_owner",
-    "volume:update": "rule:admin_or_owner",
-    "volume:delete": "rule:admin_or_owner",
-    "volume:force_delete": "rule:admin_api",
-    "volume_extension:volume_host_attribute": "rule:admin_api",
-    "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
-    "volume_extension:volume_mig_status_attribute": "rule:admin_api",
-    "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
-    "volume:multiattach": "rule:admin_or_owner"
-}

openstack_dashboard/conf/cinder_policy.yaml

@@ -0,0 +1,646 @@
+# Decides what is required for the 'is_admin:True' check to succeed.
+#"context_is_admin": "role:admin"
+
+# Default rule for most non-Admin APIs.
+#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
+
+# Default rule for most Admin APIs.
+#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
+
+# Create attachment.
+# POST  /attachments
+#"volume:attachment_create": ""
+
+# Update attachment.
+# PUT  /attachments/{attachment_id}
+#"volume:attachment_update": "rule:admin_or_owner"
+
+# Delete attachment.
+# DELETE  /attachments/{attachment_id}
+#"volume:attachment_delete": "rule:admin_or_owner"
+
+# Mark a volume attachment process as completed (in-use)
+# POST  /attachments/{attachment_id}/action (os-complete)
+#"volume:attachment_complete": "rule:admin_or_owner"
+
+# Allow multiattach of bootable volumes.
+# POST  /attachments
+#"volume:multiattach_bootable_volume": "rule:admin_or_owner"
+
+# List messages.
+# GET  /messages
+#"message:get_all": "rule:admin_or_owner"
+
+# Show message.
+# GET  /messages/{message_id}
+#"message:get": "rule:admin_or_owner"
+
+# Delete message.
+# DELETE  /messages/{message_id}
+#"message:delete": "rule:admin_or_owner"
+
+# List clusters.
+# GET  /clusters
+# GET  /clusters/detail
+#"clusters:get_all": "rule:admin_api"
+
+# Show cluster.
+# GET  /clusters/{cluster_id}
+#"clusters:get": "rule:admin_api"
+
+# Update cluster.
+# PUT  /clusters/{cluster_id}
+#"clusters:update": "rule:admin_api"
+
+# Clean up workers.
+# POST  /workers/cleanup
+#"workers:cleanup": "rule:admin_api"
+
+# Show snapshot's metadata or one specified metadata with a given key.
+# GET  /snapshots/{snapshot_id}/metadata
+# GET  /snapshots/{snapshot_id}/metadata/{key}
+#"volume:get_snapshot_metadata": "rule:admin_or_owner"
+
+# Update snapshot's metadata or one specified metadata with a given
+# key.
+# PUT  /snapshots/{snapshot_id}/metadata
+# PUT  /snapshots/{snapshot_id}/metadata/{key}
+#"volume:update_snapshot_metadata": "rule:admin_or_owner"
+
+# Delete snapshot's specified metadata with a given key.
+# DELETE  /snapshots/{snapshot_id}/metadata/{key}
+#"volume:delete_snapshot_metadata": "rule:admin_or_owner"
+
+# List snapshots.
+# GET  /snapshots
+# GET  /snapshots/detail
+#"volume:get_all_snapshots": "rule:admin_or_owner"
+
+# List or show snapshots with extended attributes.
+# GET  /snapshots/{snapshot_id}
+# GET  /snapshots/detail
+#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
+
+# Create snapshot.
+# POST  /snapshots
+#"volume:create_snapshot": "rule:admin_or_owner"
+
+# Show snapshot.
+# GET  /snapshots/{snapshot_id}
+#"volume:get_snapshot": "rule:admin_or_owner"
+
+# Update snapshot.
+# PUT  /snapshots/{snapshot_id}
+#"volume:update_snapshot": "rule:admin_or_owner"
+
+# Delete snapshot.
+# DELETE  /snapshots/{snapshot_id}
+#"volume:delete_snapshot": "rule:admin_or_owner"
+
+# Reset status of a snapshot.
+# POST  /snapshots/{snapshot_id}/action (os-reset_status)
+#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
+
+# Update database fields of snapshot.
+# POST  /snapshots/{snapshot_id}/action (update_snapshot_status)
+#"snapshot_extension:snapshot_actions:update_snapshot_status": ""
+
+# Force delete a snapshot.
+# POST  /snapshots/{snapshot_id}/action (os-force_delete)
+#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
+
+# List (in detail) of snapshots which are available to manage.
+# GET  /manageable_snapshots
+# GET  /manageable_snapshots/detail
+#"snapshot_extension:list_manageable": "rule:admin_api"
+
+# Manage an existing snapshot.
+# POST  /manageable_snapshots
+#"snapshot_extension:snapshot_manage": "rule:admin_api"
+
+# Stop managing a snapshot.
+# POST  /snapshots/{snapshot_id}/action (os-unmanage)
+#"snapshot_extension:snapshot_unmanage": "rule:admin_api"
+
+# List backups.
+# GET  /backups
+# GET  /backups/detail
+#"backup:get_all": "rule:admin_or_owner"
+
+# List backups or show backup with project attributes.
+# GET  /backups/{backup_id}
+# GET  /backups/detail
+#"backup:backup_project_attribute": "rule:admin_api"
+
+# Create backup.
+# POST  /backups
+#"backup:create": ""
+
+# Show backup.
+# GET  /backups/{backup_id}
+#"backup:get": "rule:admin_or_owner"
+
+# Update backup.
+# PUT  /backups/{backup_id}
+#"backup:update": "rule:admin_or_owner"
+
+# Delete backup.
+# DELETE  /backups/{backup_id}
+#"backup:delete": "rule:admin_or_owner"
+
+# Restore backup.
+# POST  /backups/{backup_id}/restore
+#"backup:restore": "rule:admin_or_owner"
+
+# Import backup.
+# POST  /backups/{backup_id}/import_record
+#"backup:backup-import": "rule:admin_api"
+
+# Export backup.
+# POST  /backups/{backup_id}/export_record
+#"backup:export-import": "rule:admin_api"
+
+# Reset status of a backup.
+# POST  /backups/{backup_id}/action (os-reset_status)
+#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
+
+# Force delete a backup.
+# POST  /backups/{backup_id}/action (os-force_delete)
+#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
+
+# List groups.
+# GET  /groups
+# GET  /groups/detail
+#"group:get_all": "rule:admin_or_owner"
+
+# Create group.
+# POST  /groups
+#"group:create": ""
+
+# Show group.
+# GET  /groups/{group_id}
+#"group:get": "rule:admin_or_owner"
+
+# Update group.
+# PUT  /groups/{group_id}
+#"group:update": "rule:admin_or_owner"
+
+# List groups or show group with project attributes.
+# GET  /groups/{group_id}
+# GET  /groups/detail
+#"group:group_project_attribute": "rule:admin_api"
+
+# Create, update or delete a group type.
+# POST  /group_types/
+# PUT  /group_types/{group_type_id}
+# DELETE  /group_types/{group_type_id}
+#"group:group_types_manage": "rule:admin_api"
+
+# Show group type with type specs attributes.
+# GET  /group_types/{group_type_id}
+#"group:access_group_types_specs": "rule:admin_api"
+
+# Create, show, update and delete group type spec.
+# GET  /group_types/{group_type_id}/group_specs/{g_spec_id}
+# GET  /group_types/{group_type_id}/group_specs
+# POST  /group_types/{group_type_id}/group_specs
+# PUT  /group_types/{group_type_id}/group_specs/{g_spec_id}
+# DELETE  /group_types/{group_type_id}/group_specs/{g_spec_id}
+#"group:group_types_specs": "rule:admin_api"
+
+# List group snapshots.
+# GET  /group_snapshots
+# GET  /group_snapshots/detail
+#"group:get_all_group_snapshots": "rule:admin_or_owner"
+
+# Create group snapshot.
+# POST  /group_snapshots
+#"group:create_group_snapshot": ""
+
+# Show group snapshot.
+# GET  /group_snapshots/{group_snapshot_id}
+#"group:get_group_snapshot": "rule:admin_or_owner"
+
+# Delete group snapshot.
+# DELETE  /group_snapshots/{group_snapshot_id}
+#"group:delete_group_snapshot": "rule:admin_or_owner"
+
+# Update group snapshot.
+# PUT  /group_snapshots/{group_snapshot_id}
+#"group:update_group_snapshot": "rule:admin_or_owner"
+
+# List group snapshots or show group snapshot with project attributes.
+# GET  /group_snapshots/{group_snapshot_id}
+# GET  /group_snapshots/detail
+#"group:group_snapshot_project_attribute": "rule:admin_api"
+
+# Reset status of group snapshot.
+# POST  /group_snapshots/{g_snapshot_id}/action (reset_status)
+#"group:reset_group_snapshot_status": "rule:admin_or_owner"
+
+# Delete group.
+# POST  /groups/{group_id}/action (delete)
+#"group:delete": "rule:admin_or_owner"
+
+# Reset status of group.
+# POST  /groups/{group_id}/action (reset_status)
+#"group:reset_status": "rule:admin_api"
+
+# Enable replication.
+# POST  /groups/{group_id}/action (enable_replication)
+#"group:enable_replication": "rule:admin_or_owner"
+
+# Disable replication.
+# POST  /groups/{group_id}/action (disable_replication)
+#"group:disable_replication": "rule:admin_or_owner"
+
+# Fail over replication.
+# POST  /groups/{group_id}/action (failover_replication)
+#"group:failover_replication": "rule:admin_or_owner"
+
+# List failover replication.
+# POST  /groups/{group_id}/action (list_replication_targets)
+#"group:list_replication_targets": "rule:admin_or_owner"
+
+# List qos specs or list all associations.
+# GET  /qos-specs
+# GET  /qos-specs/{qos_id}/associations
+#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"
+
+# Show qos specs.
+# GET  /qos-specs/{qos_id}
+#"volume_extension:qos_specs_manage:get": "rule:admin_api"
+
+# Create qos specs.
+# POST  /qos-specs
+#"volume_extension:qos_specs_manage:create": "rule:admin_api"
+
+# Update qos specs (including updating association).
+# PUT  /qos-specs/{qos_id}
+# GET  /qos-specs/{qos_id}/disassociate_all
+# GET  /qos-specs/{qos_id}/associate
+# GET  /qos-specs/{qos_id}/disassociate
+#"volume_extension:qos_specs_manage:update": "rule:admin_api"
+
+# delete qos specs or unset one specified qos key.
+# DELETE  /qos-specs/{qos_id}
+# PUT  /qos-specs/{qos_id}/delete_keys
+#"volume_extension:qos_specs_manage:delete": "rule:admin_api"
+
+# Show or update project quota class.
+# GET  /os-quota-class-sets/{project_id}
+# PUT  /os-quota-class-sets/{project_id}
+#"volume_extension:quota_classes": "rule:admin_api"
+
+# Show project quota (including usage and default).
+# GET  /os-quota-sets/{project_id}
+# GET  /os-quota-sets/{project_id}/default
+# GET  /os-quota-sets/{project_id}?usage=True
+#"volume_extension:quotas:show": "rule:admin_or_owner"
+
+# Update project quota.
+# PUT  /os-quota-sets/{project_id}
+#"volume_extension:quotas:update": "rule:admin_api"
+
+# Delete project quota.
+# DELETE  /os-quota-sets/{project_id}
+#"volume_extension:quotas:delete": "rule:admin_api"
+
+# Validate setup for nested quota.
+# GET  /os-quota-sets/validate_setup_for_nested_quota_use
+#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
+
+# Show backend capabilities.
+# GET  /capabilities/{host_name}
+#"volume_extension:capabilities": "rule:admin_api"
+
+# List all services.
+# GET  /os-services
+#"volume_extension:services:index": "rule:admin_api"
+
+# Update service, including failover_host, thaw, freeze, disable,
+# enable, set-log and get-log actions.
+# PUT  /os-services/{action}
+#"volume_extension:services:update": "rule:admin_api"
+
+# Freeze a backend host.
+# PUT  /os-services/freeze
+#"volume:freeze_host": "rule:admin_api"
+
+# Thaw a backend host.
+# PUT  /os-services/thaw
+#"volume:thaw_host": "rule:admin_api"
+
+# Failover a backend host.
+# PUT  /os-services/failover_host
+#"volume:failover_host": "rule:admin_api"
+
+# List all backend pools.
+# GET  /scheduler-stats/get_pools
+#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
+
+# List, update or show hosts for a project.
+# GET  /os-hosts
+# PUT  /os-hosts/{host_name}
+# GET  /os-hosts/{host_id}
+#"volume_extension:hosts": "rule:admin_api"
+
+# Show limits with used limit attributes.
+# GET  /limits
+#"limits_extension:used_limits": "rule:admin_or_owner"
+
+# List (in detail) of volumes which are available to manage.
+# GET  /manageable_volumes
+# GET  /manageable_volumes/detail
+#"volume_extension:list_manageable": "rule:admin_api"
+
+# Manage existing volumes.
+# POST  /manageable_volumes
+#"volume_extension:volume_manage": "rule:admin_api"
+
+# Stop managing a volume.
+# POST  /volumes/{volume_id}/action (os-unmanage)
+#"volume_extension:volume_unmanage": "rule:admin_api"
+
+# Create, update and delete volume type.
+# POST  /types
+# PUT  /types
+# DELETE  /types
+#"volume_extension:types_manage": "rule:admin_api"
+
+# Get one specific volume type.
+# GET  /types/{type_id}
+#"volume_extension:type_get": ""
+
+# List volume types.
+# GET  /types/
+#"volume_extension:type_get_all": ""
+
+# Base policy for all volume type encryption type operations.  This
+# can be used to set the policies for a volume type's encryption type
+# create, show, update, and delete actions in one place, or any of
+# those may be set individually using the following policy targets for
+# finer grained control.
+# POST  /types/{type_id}/encryption
+# PUT  /types/{type_id}/encryption/{encryption_id}
+# GET  /types/{type_id}/encryption
+# GET  /types/{type_id}/encryption/{key}
+# DELETE  /types/{type_id}/encryption/{encryption_id}
+#"volume_extension:volume_type_encryption": "rule:admin_api"
+
+# Create volume type encryption.
+# POST  /types/{type_id}/encryption
+#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"
+
+# Show a volume type's encryption type, show an encryption specs item.
+# GET  /types/{type_id}/encryption
+# GET  /types/{type_id}/encryption/{key}
+#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"
+
+# Update volume type encryption.
+# PUT  /types/{type_id}/encryption/{encryption_id}
+#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"
+
+# Delete volume type encryption.
+# DELETE  /types/{type_id}/encryption/{encryption_id}
+#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"
+
+# List or show volume type with access type extra specs attribute.
+# GET  /types/{type_id}
+# GET  /types
+#"volume_extension:access_types_extra_specs": "rule:admin_api"
+
+# List or show volume type with access type qos specs id attribute.
+# GET  /types/{type_id}
+# GET  /types
+#"volume_extension:access_types_qos_specs_id": "rule:admin_api"
+
+# Volume type access related APIs.
+# GET  /types
+# GET  /types/detail
+# GET  /types/{type_id}
+# POST  /types
+#"volume_extension:volume_type_access": "rule:admin_or_owner"
+
+# Add volume type access for project.
+# POST  /types/{type_id}/action (addProjectAccess)
+#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
+
+# Remove volume type access for project.
+# POST  /types/{type_id}/action (removeProjectAccess)
+#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
+
+# Extend a volume.
+# POST  /volumes/{volume_id}/action (os-extend)
+#"volume:extend": "rule:admin_or_owner"
+
+# Extend a attached volume.
+# POST  /volumes/{volume_id}/action (os-extend)
+#"volume:extend_attached_volume": "rule:admin_or_owner"
+
+# Revert a volume to a snapshot.
+# POST  /volumes/{volume_id}/action (revert)
+#"volume:revert_to_snapshot": "rule:admin_or_owner"
+
+# Reset status of a volume.
+# POST  /volumes/{volume_id}/action (os-reset_status)
+#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
+
+# Retype a volume.
+# POST  /volumes/{volume_id}/action (os-retype)
+#"volume:retype": "rule:admin_or_owner"
+
+# Update a volume's readonly flag.
+# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
+#"volume:update_readonly_flag": "rule:admin_or_owner"
+
+# Force delete a volume.
+# POST  /volumes/{volume_id}/action (os-force_delete)
+#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
+
+# Upload a volume to image with public visibility.
+# POST  /volumes/{volume_id}/action (os-volume_upload_image)
+#"volume_extension:volume_actions:upload_public": "rule:admin_api"
+
+# Upload a volume to image.
+# POST  /volumes/{volume_id}/action (os-volume_upload_image)
+#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
+
+# Force detach a volume.
+# POST  /volumes/{volume_id}/action (os-force_detach)
+#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
+
+# migrate a volume to a specified host.
+# POST  /volumes/{volume_id}/action (os-migrate_volume)
+#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
+
+# Complete a volume migration.
+# POST  /volumes/{volume_id}/action (os-migrate_volume_completion)
+#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
+
+# Initialize volume attachment.
+# POST  /volumes/{volume_id}/action (os-initialize_connection)
+#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
+
+# Terminate volume attachment.
+# POST  /volumes/{volume_id}/action (os-terminate_connection)
+#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
+
+# Roll back volume status to 'in-use'.
+# POST  /volumes/{volume_id}/action (os-roll_detaching)
+#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
+
+# Mark volume as reserved.
+# POST  /volumes/{volume_id}/action (os-reserve)
+#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
+
+# Unmark volume as reserved.
+# POST  /volumes/{volume_id}/action (os-unreserve)
+#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
+
+# Begin detach volumes.
+# POST  /volumes/{volume_id}/action (os-begin_detaching)
+#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
+
+# Add attachment metadata.
+# POST  /volumes/{volume_id}/action (os-attach)
+#"volume_extension:volume_actions:attach": "rule:admin_or_owner"
+
+# Clear attachment metadata.
+# POST  /volumes/{volume_id}/action (os-detach)
+#"volume_extension:volume_actions:detach": "rule:admin_or_owner"
+
+# List volume transfer.
+# GET  /os-volume-transfer
+# GET  /os-volume-transfer/detail
+# GET  /volume_transfers
+# GET  /volume-transfers/detail
+#"volume:get_all_transfers": "rule:admin_or_owner"
+
+# Create a volume transfer.
+# POST  /os-volume-transfer
+# POST  /volume_transfers
+#"volume:create_transfer": "rule:admin_or_owner"
+
+# Show one specified volume transfer.
+# GET  /os-volume-transfer/{transfer_id}
+# GET  /volume-transfers/{transfer_id}
+#"volume:get_transfer": "rule:admin_or_owner"
+
+# Accept a volume transfer.
+# POST  /os-volume-transfer/{transfer_id}/accept
+# POST  /volume-transfers/{transfer_id}/accept
+#"volume:accept_transfer": ""
+
+# Delete volume transfer.
+# DELETE  /os-volume-transfer/{transfer_id}
+# DELETE  /volume-transfers/{transfer_id}
+#"volume:delete_transfer": "rule:admin_or_owner"
+
+# Show volume's metadata or one specified metadata with a given key.
+# GET  /volumes/{volume_id}/metadata
+# GET  /volumes/{volume_id}/metadata/{key}
+#"volume:get_volume_metadata": "rule:admin_or_owner"
+
+# Create volume metadata.
+# POST  /volumes/{volume_id}/metadata
+#"volume:create_volume_metadata": "rule:admin_or_owner"
+
+# Update volume's metadata or one specified metadata with a given key.
+# PUT  /volumes/{volume_id}/metadata
+# PUT  /volumes/{volume_id}/metadata/{key}
+#"volume:update_volume_metadata": "rule:admin_or_owner"
+
+# Delete volume's specified metadata with a given key.
+# DELETE  /volumes/{volume_id}/metadata/{key}
+#"volume:delete_volume_metadata": "rule:admin_or_owner"
+
+# Volume's image metadata related operation, create, delete, show and
+# list.
+# GET  /volumes/detail
+# GET  /volumes/{volume_id}
+# POST  /volumes/{volume_id}/action (os-set_image_metadata)
+# POST  /volumes/{volume_id}/action (os-unset_image_metadata)
+#"volume_extension:volume_image_metadata": "rule:admin_or_owner"
+
+# Update volume admin metadata. It's used in `attach` and `os-
+# update_readonly_flag` APIs
+# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
+# POST  /volumes/{volume_id}/action (os-attach)
+#"volume:update_volume_admin_metadata": "rule:admin_api"
+
+# List type extra specs.
+# GET  /types/{type_id}/extra_specs
+#"volume_extension:types_extra_specs:index": "rule:admin_api"
+
+# Create type extra specs.
+# POST  /types/{type_id}/extra_specs
+#"volume_extension:types_extra_specs:create": "rule:admin_api"
+
+# Show one specified type extra specs.
+# GET  /types/{type_id}/extra_specs/{extra_spec_key}
+#"volume_extension:types_extra_specs:show": "rule:admin_api"
+
+# Update type extra specs.
+# PUT  /types/{type_id}/extra_specs/{extra_spec_key}
+#"volume_extension:types_extra_specs:update": "rule:admin_api"
+
+# Delete type extra specs.
+# DELETE  /types/{type_id}/extra_specs/{extra_spec_key}
+#"volume_extension:types_extra_specs:delete": "rule:admin_api"
+
+# Create volume.
+# POST  /volumes
+#"volume:create": ""
+
+# Create volume from image.
+# POST  /volumes
+#"volume:create_from_image": ""
+
+# Show volume.
+# GET  /volumes/{volume_id}
+#"volume:get": "rule:admin_or_owner"
+
+# List volumes or get summary of volumes.
+# GET  /volumes
+# GET  /volumes/detail
+# GET  /volumes/summary
+#"volume:get_all": "rule:admin_or_owner"
+
+# Update volume or update a volume's bootable status.
+# PUT  /volumes
+# POST  /volumes/{volume_id}/action (os-set_bootable)
+#"volume:update": "rule:admin_or_owner"
+
+# Delete volume.
+# DELETE  /volumes/{volume_id}
+#"volume:delete": "rule:admin_or_owner"
+
+# Force Delete a volume.
+# DELETE  /volumes/{volume_id}
+#"volume:force_delete": "rule:admin_api"
+
+# List or show volume with host attribute.
+# GET  /volumes/{volume_id}
+# GET  /volumes/detail
+#"volume_extension:volume_host_attribute": "rule:admin_api"
+
+# List or show volume with tenant attribute.
+# GET  /volumes/{volume_id}
+# GET  /volumes/detail
+#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
+
+# List or show volume with migration status attribute.
+# GET  /volumes/{volume_id}
+# GET  /volumes/detail
+#"volume_extension:volume_mig_status_attribute": "rule:admin_api"
+
+# Show volume's encryption metadata.
+# GET  /volumes/{volume_id}/encryption
+# GET  /volumes/{volume_id}/encryption/{encryption_key}
+#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
+
+# Create multiattach capable volume.
+# POST  /volumes
+#"volume:multiattach": "rule:admin_or_owner"
+

openstack_dashboard/conf/default_policies/README.txt

@@ -0,0 +1,12 @@
+This folder contains default policies of back-end services.
+They are generated based on policy-in-code in back-end services.
+Operators are not expected to edit them.
+
+To update these files, run the following command:
+
+ python manage.py dump_default_policies \
+   --namespace <service> \
+   --output-file openstack_dashboard/conf/default_policies/<service>.yaml
+
+<service> must be a namespace under oslo.policy.policies to query and
+we use "keystone", "nova", "cinder", "neutron" and "glance".

openstack_dashboard/conf/default_policies/glance.yaml

@@ -0,0 +1,280 @@
+- check_str: ''
+  deprecated_reason: In order to allow operators to accept the default policies from
+    code by not defining them in the policy file, while still working with old policy
+    files that rely on the ``default`` rule for policies that are not specified in
+    the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"``
+    when that is the desired default for unspecified rules.
+  deprecated_rule:
+    check_str: role:admin
+    name: default
+  deprecated_since: Ussuri
+  description: Defines the default rule used for policies that historically had an
+    empty policy in the supplied policy.json file.
+  name: default
+  operations: []
+  scope_types: null
+- check_str: role:admin
+  description: Defines the rule for the is_admin:True check.
+  name: context_is_admin
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_images
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_image
+  operations: []
+  scope_types: null
+- check_str: role:admin
+  description: null
+  name: publicize_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: communitize_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: download_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: upload_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_image_location
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_image_location
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: set_image_location
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_member
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_member
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_member
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_members
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_member
+  operations: []
+  scope_types: null
+- check_str: role:admin
+  description: null
+  name: manage_image_cache
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: deactivate
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: reactivate
+  operations: []
+  scope_types: null
+- check_str: role:admin
+  description: null
+  name: copy_image
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_task
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_tasks
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_task
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_task
+  operations: []
+  scope_types: null
+- check_str: role:admin
+  description: null
+  name: tasks_api_access
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_namespace
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_namespaces
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_metadef_namespace
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_namespace
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_metadef_namespace
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_object
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_objects
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_metadef_object
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_object
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_metadef_object
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: list_metadef_resource_types
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_resource_type
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_resource_type_association
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: remove_metadef_resource_type_association
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_property
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_properties
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_metadef_property
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_property
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: remove_metadef_property
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_tag
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: get_metadef_tags
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: modify_metadef_tag
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_tag
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: add_metadef_tags
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_metadef_tag
+  operations: []
+  scope_types: null
+- check_str: rule:default
+  description: null
+  name: delete_metadef_tags
+  operations: []
+  scope_types: null

openstack_dashboard/conf/glance_policy.json

@@ -1,63 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "default": "role:admin",
-
-    "add_image": "",
-    "delete_image": "",
-    "get_image": "",
-    "get_images": "",
-    "modify_image": "",
-    "publicize_image": "role:admin",
-    "communitize_image": "",
-    "copy_from": "",
-
-    "download_image": "",
-    "upload_image": "",
-
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
-
-    "add_member": "",
-    "delete_member": "",
-    "get_member": "",
-    "get_members": "",
-    "modify_member": "",
-
-    "manage_image_cache": "role:admin",
-
-    "get_task": "",
-    "get_tasks": "",
-    "add_task": "",
-    "modify_task": "",
-    "tasks_api_access": "role:admin",
-
-    "deactivate": "",
-    "reactivate": "",
-
-    "get_metadef_namespace": "",
-    "get_metadef_namespaces":"",
-    "modify_metadef_namespace":"",
-    "add_metadef_namespace":"",
-
-    "get_metadef_object":"",
-    "get_metadef_objects":"",
-    "modify_metadef_object":"",
-    "add_metadef_object":"",
-
-    "list_metadef_resource_types":"",
-    "get_metadef_resource_type":"",
-    "add_metadef_resource_type_association":"",
-
-    "get_metadef_property":"",
-    "get_metadef_properties":"",
-    "modify_metadef_property":"",
-    "add_metadef_property":"",
-
-    "get_metadef_tag":"",
-    "get_metadef_tags":"",
-    "modify_metadef_tag":"",
-    "add_metadef_tag":"",
-    "add_metadef_tags":""
-
-}

openstack_dashboard/conf/glance_policy.yaml

@@ -0,0 +1,121 @@
+# Defines the default rule used for policies that historically had an
+# empty policy in the supplied policy.json file.
+#"default": ""
+
+# DEPRECATED
+# "default":"role:admin" has been deprecated since Ussuri in favor of
+# "default":"".
+# In order to allow operators to accept the default policies from code
+# by not defining them in the policy file, while still working with
+# old policy files that rely on the ``default`` rule for policies that
+# are not specified in the policy file, the ``default`` rule must now
+# be explicitly set to ``"role:admin"`` when that is the desired
+# default for unspecified rules.
+
+# Defines the rule for the is_admin:True check.
+#"context_is_admin": "role:admin"
+
+#"add_image": "rule:default"
+
+#"delete_image": "rule:default"
+
+#"get_image": "rule:default"
+
+#"get_images": "rule:default"
+
+#"modify_image": "rule:default"
+
+#"publicize_image": "role:admin"
+
+#"communitize_image": "rule:default"
+
+#"download_image": "rule:default"
+
+#"upload_image": "rule:default"
+
+#"delete_image_location": "rule:default"
+
+#"get_image_location": "rule:default"
+
+#"set_image_location": "rule:default"
+
+#"add_member": "rule:default"
+
+#"delete_member": "rule:default"
+
+#"get_member": "rule:default"
+
+#"get_members": "rule:default"
+
+#"modify_member": "rule:default"
+
+#"manage_image_cache": "role:admin"
+
+#"deactivate": "rule:default"
+
+#"reactivate": "rule:default"
+
+#"copy_image": "role:admin"
+
+#"get_task": "rule:default"
+
+#"get_tasks": "rule:default"
+
+#"add_task": "rule:default"
+
+#"modify_task": "rule:default"
+
+#"tasks_api_access": "role:admin"
+
+#"get_metadef_namespace": "rule:default"
+
+#"get_metadef_namespaces": "rule:default"
+
+#"modify_metadef_namespace": "rule:default"
+
+#"add_metadef_namespace": "rule:default"
+
+#"delete_metadef_namespace": "rule:default"
+
+#"get_metadef_object": "rule:default"
+
+#"get_metadef_objects": "rule:default"
+
+#"modify_metadef_object": "rule:default"
+
+#"add_metadef_object": "rule:default"
+
+#"delete_metadef_object": "rule:default"
+
+#"list_metadef_resource_types": "rule:default"
+
+#"get_metadef_resource_type": "rule:default"
+
+#"add_metadef_resource_type_association": "rule:default"
+
+#"remove_metadef_resource_type_association": "rule:default"
+
+#"get_metadef_property": "rule:default"
+
+#"get_metadef_properties": "rule:default"
+
+#"modify_metadef_property": "rule:default"
+
+#"add_metadef_property": "rule:default"
+
+#"remove_metadef_property": "rule:default"
+
+#"get_metadef_tag": "rule:default"
+
+#"get_metadef_tags": "rule:default"
+
+#"modify_metadef_tag": "rule:default"
+
+#"add_metadef_tag": "rule:default"
+
+#"add_metadef_tags": "rule:default"
+
+#"delete_metadef_tag": "rule:default"
+
+#"delete_metadef_tags": "rule:default"
+

openstack_dashboard/conf/keystone_policy.json

@@ -1,174 +0,0 @@
-{
-    "admin_required": "role:admin or is_admin:1",
-    "service_role": "role:service",
-    "service_or_admin": "rule:admin_required or rule:service_role",
-    "owner": "user_id:%(user_id)s",
-    "admin_or_owner": "rule:admin_required or rule:owner",
-    "token_subject": "user_id:%(target.token.user_id)s",
-    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
-    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-    "identity:authorize_request_token": "rule:admin_required",
-    "identity:get_access_token": "rule:admin_required",
-    "identity:get_access_token_role": "rule:admin_required",
-    "identity:list_access_tokens": "rule:admin_required",
-    "identity:list_access_token_roles": "rule:admin_required",
-    "identity:delete_access_token": "rule:admin_required",
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-    "identity:get_consumer": "rule:admin_required",
-    "identity:list_consumers": "rule:admin_required",
-    "identity:create_consumer": "rule:admin_required",
-    "identity:update_consumer": "rule:admin_required",
-    "identity:delete_consumer": "rule:admin_required",
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
-    "identity:list_domains": "rule:admin_required",
-    "identity:create_domain": "rule:admin_required",
-    "identity:update_domain": "rule:admin_required",
-    "identity:delete_domain": "rule:admin_required",
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:get_security_compliance_domain_config": "",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required",
-    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:ec2_list_credentials": "rule:admin_or_owner",
-    "identity:ec2_create_credential": "rule:admin_or_owner",
-    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-    "identity:get_endpoint": "rule:admin_required",
-    "identity:list_endpoints": "rule:admin_required",
-    "identity:create_endpoint": "rule:admin_required",
-    "identity:update_endpoint": "rule:admin_required",
-    "identity:delete_endpoint": "rule:admin_required",
-    "identity:create_endpoint_group": "rule:admin_required",
-    "identity:list_endpoint_groups": "rule:admin_required",
-    "identity:get_endpoint_group": "rule:admin_required",
-    "identity:update_endpoint_group": "rule:admin_required",
-    "identity:delete_endpoint_group": "rule:admin_required",
-    "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
-    "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
-    "identity:get_endpoint_group_in_project": "rule:admin_required",
-    "identity:list_endpoint_groups_for_project": "rule:admin_required",
-    "identity:add_endpoint_group_to_project": "rule:admin_required",
-    "identity:remove_endpoint_group_from_project": "rule:admin_required",
-    "identity:check_grant": "rule:admin_required",
-    "identity:list_grants": "rule:admin_required",
-    "identity:create_grant": "rule:admin_required",
-    "identity:revoke_grant": "rule:admin_required",
-    "identity:get_group": "rule:admin_required",
-    "identity:list_groups": "rule:admin_required",
-    "identity:list_groups_for_user": "rule:admin_or_owner",
-    "identity:create_group": "rule:admin_required",
-    "identity:update_group": "rule:admin_required",
-    "identity:delete_group": "rule:admin_required",
-    "identity:list_users_in_group": "rule:admin_required",
-    "identity:remove_user_from_group": "rule:admin_required",
-    "identity:check_user_in_group": "rule:admin_required",
-    "identity:add_user_to_group": "rule:admin_required",
-    "identity:create_identity_provider": "rule:admin_required",
-    "identity:list_identity_providers": "rule:admin_required",
-    "identity:get_identity_provider": "rule:admin_required",
-    "identity:update_identity_provider": "rule:admin_required",
-    "identity:delete_identity_provider": "rule:admin_required",
-    "identity:get_implied_role": "rule:admin_required",
-    "identity:list_implied_roles": "rule:admin_required",
-    "identity:create_implied_role": "rule:admin_required",
-    "identity:delete_implied_role": "rule:admin_required",
-    "identity:list_role_inference_rules": "rule:admin_required",
-    "identity:check_implied_role": "rule:admin_required",
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-    "identity:get_policy": "rule:admin_required",
-    "identity:list_policies": "rule:admin_required",
-    "identity:create_policy": "rule:admin_required",
-    "identity:update_policy": "rule:admin_required",
-    "identity:delete_policy": "rule:admin_required",
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-    "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:admin_required",
-    "identity:list_user_projects": "rule:admin_or_owner",
-    "identity:create_project": "rule:admin_required",
-    "identity:update_project": "rule:admin_required",
-    "identity:delete_project": "rule:admin_required",
-    "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s",
-    "identity:update_project_tags": "rule:admin_required",
-    "identity:create_project_tag": "rule:admin_required",
-    "identity:delete_project_tags": "rule:admin_required",
-    "identity:delete_project_tag": "rule:admin_required",
-    "identity:list_projects_for_endpoint": "rule:admin_required",
-    "identity:add_endpoint_to_project": "rule:admin_required",
-    "identity:check_endpoint_in_project": "rule:admin_required",
-    "identity:list_endpoints_for_project": "rule:admin_required",
-    "identity:remove_endpoint_from_project": "rule:admin_required",
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-    "identity:get_region": "",
-    "identity:list_regions": "",
-    "identity:create_region": "rule:admin_required",
-    "identity:update_region": "rule:admin_required",
-    "identity:delete_region": "rule:admin_required",
-    "identity:list_revoke_events": "rule:service_or_admin",
-    "identity:get_role": "rule:admin_required",
-    "identity:list_roles": "rule:admin_required",
-    "identity:create_role": "rule:admin_required",
-    "identity:update_role": "rule:admin_required",
-    "identity:delete_role": "rule:admin_required",
-    "identity:get_domain_role": "rule:admin_required",
-    "identity:list_domain_roles": "rule:admin_required",
-    "identity:create_domain_role": "rule:admin_required",
-    "identity:update_domain_role": "rule:admin_required",
-    "identity:delete_domain_role": "rule:admin_required",
-    "identity:list_role_assignments": "rule:admin_required",
-    "identity:list_role_assignments_for_tree": "rule:admin_required",
-    "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
-    "identity:create_service": "rule:admin_required",
-    "identity:update_service": "rule:admin_required",
-    "identity:delete_service": "rule:admin_required",
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-    "identity:revocation_list": "rule:service_or_admin",
-    "identity:check_token": "rule:admin_or_token_subject",
-    "identity:validate_token": "rule:service_admin_or_token_subject",
-    "identity:validate_token_head": "rule:service_or_admin",
-    "identity:revoke_token": "rule:admin_or_token_subject",
-    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
-    "identity:list_trusts": "",
-    "identity:list_roles_for_trust": "",
-    "identity:get_role_for_trust": "",
-    "identity:delete_trust": "",
-    "identity:get_trust": "",
-    "identity:get_user": "rule:admin_or_owner",
-    "identity:list_users": "rule:admin_required",
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-    "identity:create_user": "rule:admin_required",
-    "identity:update_user": "rule:admin_required",
-    "identity:delete_user": "rule:admin_required"
-}

openstack_dashboard/conf/neutron_policy.json

@@ -1,220 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "owner": "tenant_id:%(tenant_id)s",
-    "admin_or_owner": "rule:context_is_admin or rule:owner",
-    "context_is_advsvc": "role:advsvc",
-    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
-    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
-    "admin_only": "rule:context_is_admin",
-    "regular_user": "",
-    "shared": "field:networks:shared=True",
-    "default": "rule:admin_or_owner",
-    "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
-    "shared_address_scopes": "field:address_scopes:shared=True",
-    "create_address_scope": "rule:regular_user",
-    "create_address_scope:shared": "rule:admin_only",
-    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
-    "update_address_scope": "rule:admin_or_owner",
-    "update_address_scope:shared": "rule:admin_only",
-    "delete_address_scope": "rule:admin_or_owner",
-    "get_agent": "rule:admin_only",
-    "update_agent": "rule:admin_only",
-    "delete_agent": "rule:admin_only",
-    "create_dhcp-network": "rule:admin_only",
-    "get_dhcp-networks": "rule:admin_only",
-    "delete_dhcp-network": "rule:admin_only",
-    "create_l3-router": "rule:admin_only",
-    "get_l3-routers": "rule:admin_only",
-    "delete_l3-router": "rule:admin_only",
-    "get_dhcp-agents": "rule:admin_only",
-    "get_l3-agents": "rule:admin_only",
-    "get_agent-loadbalancers": "rule:admin_only",
-    "get_loadbalancer-hosting-agent": "rule:admin_only",
-    "get_auto_allocated_topology": "rule:admin_or_owner",
-    "delete_auto_allocated_topology": "rule:admin_or_owner",
-    "get_availability_zone": "rule:regular_user",
-    "create_flavor": "rule:admin_only",
-    "get_flavor": "rule:regular_user",
-    "update_flavor": "rule:admin_only",
-    "delete_flavor": "rule:admin_only",
-    "create_service_profile": "rule:admin_only",
-    "get_service_profile": "rule:admin_only",
-    "update_service_profile": "rule:admin_only",
-    "delete_service_profile": "rule:admin_only",
-    "create_flavor_service_profile": "rule:admin_only",
-    "delete_flavor_service_profile": "rule:admin_only",
-    "create_floatingip": "rule:regular_user",
-    "create_floatingip:floating_ip_address": "rule:admin_only",
-    "get_floatingip": "rule:admin_or_owner",
-    "update_floatingip": "rule:admin_or_owner",
-    "delete_floatingip": "rule:admin_or_owner",
-    "get_floatingip_pool": "rule:regular_user",
-    "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
-    "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
-    "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
-    "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
-    "get_loggable_resource": "rule:admin_only",
-    "create_log": "rule:admin_only",
-    "get_log": "rule:admin_only",
-    "update_log": "rule:admin_only",
-    "delete_log": "rule:admin_only",
-    "create_metering_label": "rule:admin_only",
-    "get_metering_label": "rule:admin_only",
-    "delete_metering_label": "rule:admin_only",
-    "create_metering_label_rule": "rule:admin_only",
-    "get_metering_label_rule": "rule:admin_only",
-    "delete_metering_label_rule": "rule:admin_only",
-    "external": "field:networks:router:external=True",
-    "create_network": "rule:regular_user",
-    "create_network:shared": "rule:admin_only",
-    "create_network:router:external": "rule:admin_only",
-    "create_network:is_default": "rule:admin_only",
-    "create_network:port_security_enabled": "rule:regular_user",
-    "create_network:segments": "rule:admin_only",
-    "create_network:provider:network_type": "rule:admin_only",
-    "create_network:provider:physical_network": "rule:admin_only",
-    "create_network:provider:segmentation_id": "rule:admin_only",
-    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
-    "get_network:router:external": "rule:regular_user",
-    "get_network:segments": "rule:admin_only",
-    "get_network:provider:network_type": "rule:admin_only",
-    "get_network:provider:physical_network": "rule:admin_only",
-    "get_network:provider:segmentation_id": "rule:admin_only",
-    "update_network": "rule:admin_or_owner",
-    "update_network:segments": "rule:admin_only",
-    "update_network:shared": "rule:admin_only",
-    "update_network:provider:network_type": "rule:admin_only",
-    "update_network:provider:physical_network": "rule:admin_only",
-    "update_network:provider:segmentation_id": "rule:admin_only",
-    "update_network:router:external": "rule:admin_only",
-    "update_network:is_default": "rule:admin_only",
-    "update_network:port_security_enabled": "rule:admin_or_owner",
-    "delete_network": "rule:admin_or_owner",
-    "get_network_ip_availability": "rule:admin_only",
-    "create_network_segment_range": "rule:admin_only",
-    "get_network_segment_range": "rule:admin_only",
-    "update_network_segment_range": "rule:admin_only",
-    "delete_network_segment_range": "rule:admin_only",
-    "network_device": "field:port:device_owner=~^network:",
-    "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
-    "create_port": "rule:regular_user",
-    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
-    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:binding:host_id": "rule:admin_only",
-    "create_port:binding:profile": "rule:admin_only",
-    "create_port:binding:vnic_type": "rule:regular_user",
-    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
-    "get_port:binding:vif_type": "rule:admin_only",
-    "get_port:binding:vif_details": "rule:admin_only",
-    "get_port:binding:host_id": "rule:admin_only",
-    "get_port:binding:profile": "rule:admin_only",
-    "get_port:resource_request": "rule:admin_only",
-    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
-    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "update_port:binding:host_id": "rule:admin_only",
-    "update_port:binding:profile": "rule:admin_only",
-    "update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc",
-    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "update_port:data_plane_status": "rule:admin_or_data_plane_int",
-    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
-    "get_policy": "rule:regular_user",
-    "create_policy": "rule:admin_only",
-    "update_policy": "rule:admin_only",
-    "delete_policy": "rule:admin_only",
-    "get_rule_type": "rule:regular_user",
-    "get_policy_bandwidth_limit_rule": "rule:regular_user",
-    "create_policy_bandwidth_limit_rule": "rule:admin_only",
-    "update_policy_bandwidth_limit_rule": "rule:admin_only",
-    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
-    "get_policy_dscp_marking_rule": "rule:regular_user",
-    "create_policy_dscp_marking_rule": "rule:admin_only",
-    "update_policy_dscp_marking_rule": "rule:admin_only",
-    "delete_policy_dscp_marking_rule": "rule:admin_only",
-    "get_policy_minimum_bandwidth_rule": "rule:regular_user",
-    "create_policy_minimum_bandwidth_rule": "rule:admin_only",
-    "update_policy_minimum_bandwidth_rule": "rule:admin_only",
-    "delete_policy_minimum_bandwidth_rule": "rule:admin_only",
-    "get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule",
-    "update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule",
-    "delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule",
-    "get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule",
-    "update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule",
-    "delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule",
-    "get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule",
-    "update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule",
-    "delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule",
-    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
-    "create_rbac_policy": "rule:regular_user",
-    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
-    "update_rbac_policy": "rule:admin_or_owner",
-    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
-    "get_rbac_policy": "rule:admin_or_owner",
-    "delete_rbac_policy": "rule:admin_or_owner",
-    "create_router": "rule:regular_user",
-    "create_router:distributed": "rule:admin_only",
-    "create_router:ha": "rule:admin_only",
-    "create_router:external_gateway_info": "rule:admin_or_owner",
-    "create_router:external_gateway_info:network_id": "rule:admin_or_owner",
-    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
-    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-    "get_router": "rule:admin_or_owner",
-    "get_router:distributed": "rule:admin_only",
-    "get_router:ha": "rule:admin_only",
-    "update_router": "rule:admin_or_owner",
-    "update_router:distributed": "rule:admin_only",
-    "update_router:ha": "rule:admin_only",
-    "update_router:external_gateway_info": "rule:admin_or_owner",
-    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
-    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
-    "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-    "delete_router": "rule:admin_or_owner",
-    "add_router_interface": "rule:admin_or_owner",
-    "remove_router_interface": "rule:admin_or_owner",
-    "create_security_group": "rule:admin_or_owner",
-    "get_security_group": "rule:regular_user",
-    "update_security_group": "rule:admin_or_owner",
-    "delete_security_group": "rule:admin_or_owner",
-    "create_security_group_rule": "rule:admin_or_owner",
-    "get_security_group_rule": "rule:admin_or_owner",
-    "delete_security_group_rule": "rule:admin_or_owner",
-    "create_segment": "rule:admin_only",
-    "get_segment": "rule:admin_only",
-    "update_segment": "rule:admin_only",
-    "delete_segment": "rule:admin_only",
-    "get_service_provider": "rule:regular_user",
-    "create_subnet": "rule:admin_or_network_owner",
-    "create_subnet:segment_id": "rule:admin_only",
-    "create_subnet:service_types": "rule:admin_only",
-    "get_subnet": "rule:admin_or_owner or rule:shared",
-    "get_subnet:segment_id": "rule:admin_only",
-    "update_subnet": "rule:admin_or_network_owner",
-    "update_subnet:segment_id": "rule:admin_only",
-    "update_subnet:service_types": "rule:admin_only",
-    "delete_subnet": "rule:admin_or_network_owner",
-    "shared_subnetpools": "field:subnetpools:shared=True",
-    "create_subnetpool": "rule:regular_user",
-    "create_subnetpool:shared": "rule:admin_only",
-    "create_subnetpool:is_default": "rule:admin_only",
-    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
-    "update_subnetpool": "rule:admin_or_owner",
-    "update_subnetpool:is_default": "rule:admin_only",
-    "delete_subnetpool": "rule:admin_or_owner",
-    "onboard_network_subnets": "rule:admin_or_owner",
-    "create_trunk": "rule:regular_user",
-    "get_trunk": "rule:admin_or_owner",
-    "update_trunk": "rule:admin_or_owner",
-    "delete_trunk": "rule:admin_or_owner",
-    "get_subports": "rule:regular_user",
-    "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
-}

openstack_dashboard/conf/neutron_policy.yaml

@@ -0,0 +1,961 @@
+# Rule for cloud admin access
+#"context_is_admin": "role:admin"
+
+# Rule for resource owner access
+#"owner": "tenant_id:%(tenant_id)s"
+
+# Rule for admin or owner access
+#"admin_or_owner": "rule:context_is_admin or rule:owner"
+
+# Rule for advsvc role access
+#"context_is_advsvc": "role:advsvc"
+
+# Rule for admin or network owner access
+#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
+
+# Rule for resource owner, admin or network owner access
+#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
+
+# Rule for admin-only access
+#"admin_only": "rule:context_is_admin"
+
+# Rule for regular user access
+#"regular_user": ""
+
+# Rule of shared network
+#"shared": "field:networks:shared=True"
+
+# Default access rule
+#"default": "rule:admin_or_owner"
+
+# Rule for common parent owner check
+#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
+
+# Definition of a shared address scope
+#"shared_address_scopes": "field:address_scopes:shared=True"
+
+# Create an address scope
+# POST  /address-scopes
+#"create_address_scope": "rule:regular_user"
+
+# Create a shared address scope
+# POST  /address-scopes
+#"create_address_scope:shared": "rule:admin_only"
+
+# Get an address scope
+# GET  /address-scopes
+# GET  /address-scopes/{id}
+#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
+
+# Update an address scope
+# PUT  /address-scopes/{id}
+#"update_address_scope": "rule:admin_or_owner"
+
+# Update ``shared`` attribute of an address scope
+# PUT  /address-scopes/{id}
+#"update_address_scope:shared": "rule:admin_only"
+
+# Delete an address scope
+# DELETE  /address-scopes/{id}
+#"delete_address_scope": "rule:admin_or_owner"
+
+# Get an agent
+# GET  /agents
+# GET  /agents/{id}
+#"get_agent": "rule:admin_only"
+
+# Update an agent
+# PUT  /agents/{id}
+#"update_agent": "rule:admin_only"
+
+# Delete an agent
+# DELETE  /agents/{id}
+#"delete_agent": "rule:admin_only"
+
+# Add a network to a DHCP agent
+# POST  /agents/{agent_id}/dhcp-networks
+#"create_dhcp-network": "rule:admin_only"
+
+# List networks on a DHCP agent
+# GET  /agents/{agent_id}/dhcp-networks
+#"get_dhcp-networks": "rule:admin_only"
+
+# Remove a network from a DHCP agent
+# DELETE  /agents/{agent_id}/dhcp-networks/{network_id}
+#"delete_dhcp-network": "rule:admin_only"
+
+# Add a router to an L3 agent
+# POST  /agents/{agent_id}/l3-routers
+#"create_l3-router": "rule:admin_only"
+
+# List routers on an L3 agent
+# GET  /agents/{agent_id}/l3-routers
+#"get_l3-routers": "rule:admin_only"
+
+# Remove a router from an L3 agent
+# DELETE  /agents/{agent_id}/l3-routers/{router_id}
+#"delete_l3-router": "rule:admin_only"
+
+# List DHCP agents hosting a network
+# GET  /networks/{network_id}/dhcp-agents
+#"get_dhcp-agents": "rule:admin_only"
+
+# List L3 agents hosting a router
+# GET  /routers/{router_id}/l3-agents
+#"get_l3-agents": "rule:admin_only"
+
+# Get a project's auto-allocated topology
+# GET  /auto-allocated-topology/{project_id}
+#"get_auto_allocated_topology": "rule:admin_or_owner"
+
+# Delete a project's auto-allocated topology
+# DELETE  /auto-allocated-topology/{project_id}
+#"delete_auto_allocated_topology": "rule:admin_or_owner"
+
+# List availability zones
+# GET  /availability_zones
+#"get_availability_zone": "rule:regular_user"
+
+# Create a flavor
+# POST  /flavors
+#"create_flavor": "rule:admin_only"
+
+# Get a flavor
+# GET  /flavors
+# GET  /flavors/{id}
+#"get_flavor": "rule:regular_user"
+
+# Update a flavor
+# PUT  /flavors/{id}
+#"update_flavor": "rule:admin_only"
+
+# Delete a flavor
+# DELETE  /flavors/{id}
+#"delete_flavor": "rule:admin_only"
+
+# Create a service profile
+# POST  /service_profiles
+#"create_service_profile": "rule:admin_only"
+
+# Get a service profile
+# GET  /service_profiles
+# GET  /service_profiles/{id}
+#"get_service_profile": "rule:admin_only"
+
+# Update a service profile
+# PUT  /service_profiles/{id}
+#"update_service_profile": "rule:admin_only"
+
+# Delete a service profile
+# DELETE  /service_profiles/{id}
+#"delete_service_profile": "rule:admin_only"
+
+# Get a flavor associated with a given service profiles. There is no
+# corresponding GET operations in API currently. This rule is
+# currently referred only in the DELETE of flavor_service_profile.
+#"get_flavor_service_profile": "rule:regular_user"
+
+# Associate a flavor with a service profile
+# POST  /flavors/{flavor_id}/service_profiles
+#"create_flavor_service_profile": "rule:admin_only"
+
+# Disassociate a flavor with a service profile
+# DELETE  /flavors/{flavor_id}/service_profiles/{profile_id}
+#"delete_flavor_service_profile": "rule:admin_only"
+
+# Create a floating IP
+# POST  /floatingips
+#"create_floatingip": "rule:regular_user"
+
+# Create a floating IP with a specific IP address
+# POST  /floatingips
+#"create_floatingip:floating_ip_address": "rule:admin_only"
+
+# Get a floating IP
+# GET  /floatingips
+# GET  /floatingips/{id}
+#"get_floatingip": "rule:admin_or_owner"
+
+# Update a floating IP
+# PUT  /floatingips/{id}
+#"update_floatingip": "rule:admin_or_owner"
+
+# Delete a floating IP
+# DELETE  /floatingips/{id}
+#"delete_floatingip": "rule:admin_or_owner"
+
+# Get floating IP pools
+# GET  /floatingip_pools
+#"get_floatingip_pool": "rule:regular_user"
+
+# Create a floating IP port forwarding
+# POST  /floatingips/{floatingip_id}/port_forwardings
+#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Get a floating IP port forwarding
+# GET  /floatingips/{floatingip_id}/port_forwardings
+# GET  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
+#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Update a floating IP port forwarding
+# PUT  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
+#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Delete a floating IP port forwarding
+# DELETE  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
+#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
+
+# Create a router conntrack helper
+# POST  /routers/{router_id}/conntrack_helpers
+#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
+
+# Get a router conntrack helper
+# GET  /routers/{router_id}/conntrack_helpers
+# GET  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
+
+# Update a router conntrack helper
+# PUT  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
+
+# Delete a router conntrack helper
+# DELETE  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
+#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
+
+# Get loggable resources
+# GET  /log/loggable-resources
+#"get_loggable_resource": "rule:admin_only"
+
+# Create a network log
+# POST  /log/logs
+#"create_log": "rule:admin_only"
+
+# Get a network log
+# GET  /log/logs
+# GET  /log/logs/{id}
+#"get_log": "rule:admin_only"
+
+# Update a network log
+# PUT  /log/logs/{id}
+#"update_log": "rule:admin_only"
+
+# Delete a network log
+# DELETE  /log/logs/{id}
+#"delete_log": "rule:admin_only"
+
+# Create a metering label
+# POST  /metering/metering-labels
+#"create_metering_label": "rule:admin_only"
+
+# Get a metering label
+# GET  /metering/metering-labels
+# GET  /metering/metering-labels/{id}
+#"get_metering_label": "rule:admin_only"
+
+# Delete a metering label
+# DELETE  /metering/metering-labels/{id}
+#"delete_metering_label": "rule:admin_only"
+
+# Create a metering label rule
+# POST  /metering/metering-label-rules
+#"create_metering_label_rule": "rule:admin_only"
+
+# Get a metering label rule
+# GET  /metering/metering-label-rules
+# GET  /metering/metering-label-rules/{id}
+#"get_metering_label_rule": "rule:admin_only"
+
+# Delete a metering label rule
+# DELETE  /metering/metering-label-rules/{id}
+#"delete_metering_label_rule": "rule:admin_only"
+
+# Definition of an external network
+#"external": "field:networks:router:external=True"
+
+# Create a network
+# POST  /networks
+#"create_network": "rule:regular_user"
+
+# Create a shared network
+# POST  /networks
+#"create_network:shared": "rule:admin_only"
+
+# Create an external network
+# POST  /networks
+#"create_network:router:external": "rule:admin_only"
+
+# Specify ``is_default`` attribute when creating a network
+# POST  /networks
+#"create_network:is_default": "rule:admin_only"
+
+# Specify ``port_security_enabled`` attribute when creating a network
+# POST  /networks
+#"create_network:port_security_enabled": "rule:regular_user"
+
+# Specify ``segments`` attribute when creating a network
+# POST  /networks
+#"create_network:segments": "rule:admin_only"
+
+# Specify ``provider:network_type`` when creating a network
+# POST  /networks
+#"create_network:provider:network_type": "rule:admin_only"
+
+# Specify ``provider:physical_network`` when creating a network
+# POST  /networks
+#"create_network:provider:physical_network": "rule:admin_only"
+
+# Specify ``provider:segmentation_id`` when creating a network
+# POST  /networks
+#"create_network:provider:segmentation_id": "rule:admin_only"
+
+# Get a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
+
+# Get ``router:external`` attribute of a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network:router:external": "rule:regular_user"
+
+# Get ``segments`` attribute of a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network:segments": "rule:admin_only"
+
+# Get ``provider:network_type`` attribute of a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network:provider:network_type": "rule:admin_only"
+
+# Get ``provider:physical_network`` attribute of a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network:provider:physical_network": "rule:admin_only"
+
+# Get ``provider:segmentation_id`` attribute of a network
+# GET  /networks
+# GET  /networks/{id}
+#"get_network:provider:segmentation_id": "rule:admin_only"
+
+# Update a network
+# PUT  /networks/{id}
+#"update_network": "rule:admin_or_owner"
+
+# Update ``segments`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:segments": "rule:admin_only"
+
+# Update ``shared`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:shared": "rule:admin_only"
+
+# Update ``provider:network_type`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:provider:network_type": "rule:admin_only"
+
+# Update ``provider:physical_network`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:provider:physical_network": "rule:admin_only"
+
+# Update ``provider:segmentation_id`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:provider:segmentation_id": "rule:admin_only"
+
+# Update ``router:external`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:router:external": "rule:admin_only"
+
+# Update ``is_default`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:is_default": "rule:admin_only"
+
+# Update ``port_security_enabled`` attribute of a network
+# PUT  /networks/{id}
+#"update_network:port_security_enabled": "rule:admin_or_owner"
+
+# Delete a network
+# DELETE  /networks/{id}
+#"delete_network": "rule:admin_or_owner"
+
+# Get network IP availability
+# GET  /network-ip-availabilities
+# GET  /network-ip-availabilities/{network_id}
+#"get_network_ip_availability": "rule:admin_only"
+
+# Create a network segment range
+# POST  /network_segment_ranges
+#"create_network_segment_range": "rule:admin_only"
+
+# Get a network segment range
+# GET  /network_segment_ranges
+# GET  /network_segment_ranges/{id}
+#"get_network_segment_range": "rule:admin_only"
+
+# Update a network segment range
+# PUT  /network_segment_ranges/{id}
+#"update_network_segment_range": "rule:admin_only"
+
+# Delete a network segment range
+# DELETE  /network_segment_ranges/{id}
+#"delete_network_segment_range": "rule:admin_only"
+
+# Definition of port with network device_owner
+#"network_device": "field:port:device_owner=~^network:"
+
+# Rule for data plane integration
+#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
+
+# Create a port
+# POST  /ports
+#"create_port": "rule:regular_user"
+
+# Specify ``device_owner`` attribute when creting a port
+# POST  /ports
+#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify ``mac_address`` attribute when creating a port
+# POST  /ports
+#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify ``fixed_ips`` information when creating a port
+# POST  /ports
+#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Specify IP address in ``fixed_ips`` when creating a port
+# POST  /ports
+#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify subnet ID in ``fixed_ips`` when creating a port
+# POST  /ports
+#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Specify ``port_security_enabled`` attribute when creating a port
+# POST  /ports
+#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify ``binding:host_id`` attribute when creating a port
+# POST  /ports
+#"create_port:binding:host_id": "rule:admin_only"
+
+# Specify ``binding:profile`` attribute when creating a port
+# POST  /ports
+#"create_port:binding:profile": "rule:admin_only"
+
+# Specify ``binding:vnic_type`` attribute when creating a port
+# POST  /ports
+#"create_port:binding:vnic_type": "rule:regular_user"
+
+# Specify ``allowed_address_pairs`` attribute when creating a port
+# POST  /ports
+#"create_port:allowed_address_pairs": "rule:admin_or_network_owner"
+
+# Specify ``mac_address` of `allowed_address_pairs`` attribute when
+# creating a port
+# POST  /ports
+#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
+
+# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
+# creating a port
+# POST  /ports
+#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
+
+# Get a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
+
+# Get ``binding:vif_type`` attribute of a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port:binding:vif_type": "rule:admin_only"
+
+# Get ``binding:vif_details`` attribute of a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port:binding:vif_details": "rule:admin_only"
+
+# Get ``binding:host_id`` attribute of a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port:binding:host_id": "rule:admin_only"
+
+# Get ``binding:profile`` attribute of a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port:binding:profile": "rule:admin_only"
+
+# Get ``resource_request`` attribute of a port
+# GET  /ports
+# GET  /ports/{id}
+#"get_port:resource_request": "rule:admin_only"
+
+# Update a port
+# PUT  /ports/{id}
+#"update_port": "rule:admin_or_owner or rule:context_is_advsvc"
+
+# Update ``device_owner`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Update ``mac_address`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
+
+# Specify ``fixed_ips`` information when updating a port
+# PUT  /ports/{id}
+#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify IP address in ``fixed_ips`` information when updating a port
+# PUT  /ports/{id}
+#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Specify subnet ID in ``fixed_ips`` information when updating a port
+# PUT  /ports/{id}
+#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Update ``port_security_enabled`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Update ``binding:host_id`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:binding:host_id": "rule:admin_only"
+
+# Update ``binding:profile`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:binding:profile": "rule:admin_only"
+
+# Update ``binding:vnic_type`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc"
+
+# Update ``allowed_address_pairs`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
+
+# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
+# port
+# PUT  /ports/{id}
+#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
+
+# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
+# port
+# PUT  /ports/{id}
+#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
+
+# Update ``data_plane_status`` attribute of a port
+# PUT  /ports/{id}
+#"update_port:data_plane_status": "rule:admin_or_data_plane_int"
+
+# Delete a port
+# DELETE  /ports/{id}
+#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
+
+# Get QoS policies
+# GET  /qos/policies
+# GET  /qos/policies/{id}
+#"get_policy": "rule:regular_user"
+
+# Create a QoS policy
+# POST  /qos/policies
+#"create_policy": "rule:admin_only"
+
+# Update a QoS policy
+# PUT  /qos/policies/{id}
+#"update_policy": "rule:admin_only"
+
+# Delete a QoS policy
+# DELETE  /qos/policies/{id}
+#"delete_policy": "rule:admin_only"
+
+# Get available QoS rule types
+# GET  /qos/rule-types
+# GET  /qos/rule-types/{rule_type}
+#"get_rule_type": "rule:regular_user"
+
+# Get a QoS bandwidth limit rule
+# GET  /qos/policies/{policy_id}/bandwidth_limit_rules
+# GET  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"get_policy_bandwidth_limit_rule": "rule:regular_user"
+
+# Create a QoS bandwidth limit rule
+# POST  /qos/policies/{policy_id}/bandwidth_limit_rules
+#"create_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Update a QoS bandwidth limit rule
+# PUT  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"update_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Delete a QoS bandwidth limit rule
+# DELETE  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Get a QoS DSCP marking rule
+# GET  /qos/policies/{policy_id}/dscp_marking_rules
+# GET  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"get_policy_dscp_marking_rule": "rule:regular_user"
+
+# Create a QoS DSCP marking rule
+# POST  /qos/policies/{policy_id}/dscp_marking_rules
+#"create_policy_dscp_marking_rule": "rule:admin_only"
+
+# Update a QoS DSCP marking rule
+# PUT  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"update_policy_dscp_marking_rule": "rule:admin_only"
+
+# Delete a QoS DSCP marking rule
+# DELETE  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"delete_policy_dscp_marking_rule": "rule:admin_only"
+
+# Get a QoS minimum bandwidth rule
+# GET  /qos/policies/{policy_id}/minimum_bandwidth_rules
+# GET  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"get_policy_minimum_bandwidth_rule": "rule:regular_user"
+
+# Create a QoS minimum bandwidth rule
+# POST  /qos/policies/{policy_id}/minimum_bandwidth_rules
+#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Update a QoS minimum bandwidth rule
+# PUT  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Delete a QoS minimum bandwidth rule
+# DELETE  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Get a QoS bandwidth limit rule through alias
+# GET  /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
+
+# Update a QoS bandwidth limit rule through alias
+# PUT  /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
+
+# Delete a QoS bandwidth limit rule through alias
+# DELETE  /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
+
+# Get a QoS DSCP marking rule through alias
+# GET  /qos/alias_dscp_marking_rules/{rule_id}/
+#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
+
+# Update a QoS DSCP marking rule through alias
+# PUT  /qos/alias_dscp_marking_rules/{rule_id}/
+#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
+
+# Delete a QoS DSCP marking rule through alias
+# DELETE  /qos/alias_dscp_marking_rules/{rule_id}/
+#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
+
+# Get a QoS minimum bandwidth rule through alias
+# GET  /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
+
+# Update a QoS minimum bandwidth rule through alias
+# PUT  /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
+
+# Delete a QoS minimum bandwidth rule through alias
+# DELETE  /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
+
+# Get a resource quota
+# GET  /quota
+# GET  /quota/{id}
+#"get_quota": "rule:admin_only"
+
+# Update a resource quota
+# PUT  /quota/{id}
+#"update_quota": "rule:admin_only"
+
+# Delete a resource quota
+# DELETE  /quota/{id}
+#"delete_quota": "rule:admin_only"
+
+# Definition of a wildcard target_tenant
+#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+
+# Create an RBAC policy
+# POST  /rbac-policies
+#"create_rbac_policy": "rule:regular_user"
+
+# Specify ``target_tenant`` when creating an RBAC policy
+# POST  /rbac-policies
+#"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
+
+# Update an RBAC policy
+# PUT  /rbac-policies/{id}
+#"update_rbac_policy": "rule:admin_or_owner"
+
+# Update ``target_tenant`` attribute of an RBAC policy
+# PUT  /rbac-policies/{id}
+#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
+
+# Get an RBAC policy
+# GET  /rbac-policies
+# GET  /rbac-policies/{id}
+#"get_rbac_policy": "rule:admin_or_owner"
+
+# Delete an RBAC policy
+# DELETE  /rbac-policies/{id}
+#"delete_rbac_policy": "rule:admin_or_owner"
+
+# Create a router
+# POST  /routers
+#"create_router": "rule:regular_user"
+
+# Specify ``distributed`` attribute when creating a router
+# POST  /routers
+#"create_router:distributed": "rule:admin_only"
+
+# Specify ``ha`` attribute when creating a router
+# POST  /routers
+#"create_router:ha": "rule:admin_only"
+
+# Specify ``external_gateway_info`` information when creating a router
+# POST  /routers
+#"create_router:external_gateway_info": "rule:admin_or_owner"
+
+# Specify ``network_id`` in ``external_gateway_info`` information when
+# creating a router
+# POST  /routers
+#"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Specify ``enable_snat`` in ``external_gateway_info`` information
+# when creating a router
+# POST  /routers
+#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Specify ``external_fixed_ips`` in ``external_gateway_info``
+# information when creating a router
+# POST  /routers
+#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Get a router
+# GET  /routers
+# GET  /routers/{id}
+#"get_router": "rule:admin_or_owner"
+
+# Get ``distributed`` attribute of a router
+# GET  /routers
+# GET  /routers/{id}
+#"get_router:distributed": "rule:admin_only"
+
+# Get ``ha`` attribute of a router
+# GET  /routers
+# GET  /routers/{id}
+#"get_router:ha": "rule:admin_only"
+
+# Update a router
+# PUT  /routers/{id}
+#"update_router": "rule:admin_or_owner"
+
+# Update ``distributed`` attribute of a router
+# PUT  /routers/{id}
+#"update_router:distributed": "rule:admin_only"
+
+# Update ``ha`` attribute of a router
+# PUT  /routers/{id}
+#"update_router:ha": "rule:admin_only"
+
+# Update ``external_gateway_info`` information of a router
+# PUT  /routers/{id}
+#"update_router:external_gateway_info": "rule:admin_or_owner"
+
+# Update ``network_id`` attribute of ``external_gateway_info``
+# information of a router
+# PUT  /routers/{id}
+#"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Update ``enable_snat`` attribute of ``external_gateway_info``
+# information of a router
+# PUT  /routers/{id}
+#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
+# information of a router
+# PUT  /routers/{id}
+#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Delete a router
+# DELETE  /routers/{id}
+#"delete_router": "rule:admin_or_owner"
+
+# Add an interface to a router
+# PUT  /routers/{id}/add_router_interface
+#"add_router_interface": "rule:admin_or_owner"
+
+# Remove an interface from a router
+# PUT  /routers/{id}/remove_router_interface
+#"remove_router_interface": "rule:admin_or_owner"
+
+# Rule for admin or security group owner access
+#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
+
+# Rule for resource owner, admin or security group owner access
+#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
+
+# Create a security group
+# POST  /security-groups
+#"create_security_group": "rule:admin_or_owner"
+
+# Get a security group
+# GET  /security-groups
+# GET  /security-groups/{id}
+#"get_security_group": "rule:regular_user"
+
+# Update a security group
+# PUT  /security-groups/{id}
+#"update_security_group": "rule:admin_or_owner"
+
+# Delete a security group
+# DELETE  /security-groups/{id}
+#"delete_security_group": "rule:admin_or_owner"
+
+# Create a security group rule
+# POST  /security-group-rules
+#"create_security_group_rule": "rule:admin_or_owner"
+
+# Get a security group rule
+# GET  /security-group-rules
+# GET  /security-group-rules/{id}
+#"get_security_group_rule": "rule:admin_owner_or_sg_owner"
+
+# Delete a security group rule
+# DELETE  /security-group-rules/{id}
+#"delete_security_group_rule": "rule:admin_or_owner"
+
+# Create a segment
+# POST  /segments
+#"create_segment": "rule:admin_only"
+
+# Get a segment
+# GET  /segments
+# GET  /segments/{id}
+#"get_segment": "rule:admin_only"
+
+# Update a segment
+# PUT  /segments/{id}
+#"update_segment": "rule:admin_only"
+
+# Delete a segment
+# DELETE  /segments/{id}
+#"delete_segment": "rule:admin_only"
+
+# Get service providers
+# GET  /service-providers
+#"get_service_provider": "rule:regular_user"
+
+# Create a subnet
+# POST  /subnets
+#"create_subnet": "rule:admin_or_network_owner"
+
+# Specify ``segment_id`` attribute when creating a subnet
+# POST  /subnets
+#"create_subnet:segment_id": "rule:admin_only"
+
+# Specify ``service_types`` attribute when creating a subnet
+# POST  /subnets
+#"create_subnet:service_types": "rule:admin_only"
+
+# Get a subnet
+# GET  /subnets
+# GET  /subnets/{id}
+#"get_subnet": "rule:admin_or_owner or rule:shared"
+
+# Get ``segment_id`` attribute of a subnet
+# GET  /subnets
+# GET  /subnets/{id}
+#"get_subnet:segment_id": "rule:admin_only"
+
+# Update a subnet
+# PUT  /subnets/{id}
+#"update_subnet": "rule:admin_or_network_owner"
+
+# Update ``segment_id`` attribute of a subnet
+# PUT  /subnets/{id}
+#"update_subnet:segment_id": "rule:admin_only"
+
+# Update ``service_types`` attribute of a subnet
+# PUT  /subnets/{id}
+#"update_subnet:service_types": "rule:admin_only"
+
+# Delete a subnet
+# DELETE  /subnets/{id}
+#"delete_subnet": "rule:admin_or_network_owner"
+
+# Definition of a shared subnetpool
+#"shared_subnetpools": "field:subnetpools:shared=True"
+
+# Create a subnetpool
+# POST  /subnetpools
+#"create_subnetpool": "rule:regular_user"
+
+# Create a shared subnetpool
+# POST  /subnetpools
+#"create_subnetpool:shared": "rule:admin_only"
+
+# Specify ``is_default`` attribute when creating a subnetpool
+# POST  /subnetpools
+#"create_subnetpool:is_default": "rule:admin_only"
+
+# Get a subnetpool
+# GET  /subnetpools
+# GET  /subnetpools/{id}
+#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
+
+# Update a subnetpool
+# PUT  /subnetpools/{id}
+#"update_subnetpool": "rule:admin_or_owner"
+
+# Update ``is_default`` attribute of a subnetpool
+# PUT  /subnetpools/{id}
+#"update_subnetpool:is_default": "rule:admin_only"
+
+# Delete a subnetpool
+# DELETE  /subnetpools/{id}
+#"delete_subnetpool": "rule:admin_or_owner"
+
+# Onboard existing subnet into a subnetpool
+# Put  /subnetpools/{id}/onboard_network_subnets
+#"onboard_network_subnets": "rule:admin_or_owner"
+
+# Add prefixes to a subnetpool
+# Put  /subnetpools/{id}/add_prefixes
+#"add_prefixes": "rule:admin_or_owner"
+
+# Remove unallocated prefixes from a subnetpool
+# Put  /subnetpools/{id}/remove_prefixes
+#"remove_prefixes": "rule:admin_or_owner"
+
+# Create a trunk
+# POST  /trunks
+#"create_trunk": "rule:regular_user"
+
+# Get a trunk
+# GET  /trunks
+# GET  /trunks/{id}
+#"get_trunk": "rule:admin_or_owner"
+
+# Update a trunk
+# PUT  /trunks/{id}
+#"update_trunk": "rule:admin_or_owner"
+
+# Delete a trunk
+# DELETE  /trunks/{id}
+#"delete_trunk": "rule:admin_or_owner"
+
+# List subports attached to a trunk
+# GET  /trunks/{id}/get_subports
+#"get_subports": "rule:regular_user"
+
+# Add subports to a trunk
+# PUT  /trunks/{id}/add_subports
+#"add_subports": "rule:admin_or_owner"
+
+# Delete subports from a trunk
+# PUT  /trunks/{id}/remove_subports
+#"remove_subports": "rule:admin_or_owner"
+

openstack_dashboard/conf/nova_policy.json

@@ -1,158 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-    "admin_api": "is_admin:True",
-    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
-    "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
-    "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
-    "os_compute_api:os-admin-password": "rule:admin_or_owner",
-    "os_compute_api:os-agents": "rule:admin_api",
-    "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
-    "os_compute_api:os-aggregates:add_host": "rule:admin_api",
-    "os_compute_api:os-aggregates:create": "rule:admin_api",
-    "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
-    "os_compute_api:os-aggregates:update": "rule:admin_api",
-    "os_compute_api:os-aggregates:index": "rule:admin_api",
-    "os_compute_api:os-aggregates:delete": "rule:admin_api",
-    "os_compute_api:os-aggregates:show": "rule:admin_api",
-    "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
-    "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
-    "os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
-    "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner",
-    "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner",
-    "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
-    "os_compute_api:os-availability-zone:detail": "rule:admin_api",
-    "os_compute_api:os-baremetal-nodes": "rule:admin_api",
-    "os_compute_api:os-cells:update": "rule:admin_api",
-    "os_compute_api:os-cells:create": "rule:admin_api",
-    "os_compute_api:os-cells": "rule:admin_api",
-    "os_compute_api:os-cells:sync_instances": "rule:admin_api",
-    "os_compute_api:os-cells:delete": "rule:admin_api",
-    "cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
-    "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
-    "os_compute_api:os-console-auth-tokens": "rule:admin_api",
-    "os_compute_api:os-console-output": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:create": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:show": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:delete": "rule:admin_or_owner",
-    "os_compute_api:os-consoles:index": "rule:admin_or_owner",
-    "os_compute_api:os-create-backup": "rule:admin_or_owner",
-    "os_compute_api:os-deferred-delete": "rule:admin_or_owner",
-    "os_compute_api:os-evacuate": "rule:admin_api",
-    "os_compute_api:os-extended-server-attributes": "rule:admin_api",
-    "os_compute_api:extensions": "rule:admin_or_owner",
-    "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
-    "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
-    "os_compute_api:os-flavor-access": "rule:admin_or_owner",
-    "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
-    "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
-    "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
-    "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
-    "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
-    "os_compute_api:os-flavor-manage:create": "rule:admin_api",
-    "os_compute_api:os-flavor-manage:update": "rule:admin_api",
-    "os_compute_api:os-flavor-manage:delete": "rule:admin_api",
-    "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
-    "os_compute_api:os-floating-ips": "rule:admin_or_owner",
-    "os_compute_api:os-hosts": "rule:admin_api",
-    "os_compute_api:os-hypervisors": "rule:admin_api",
-    "os_compute_api:os-instance-actions:events": "rule:admin_api",
-    "os_compute_api:os-instance-actions": "rule:admin_or_owner",
-    "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
-    "os_compute_api:ips:show": "rule:admin_or_owner",
-    "os_compute_api:ips:index": "rule:admin_or_owner",
-    "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:limits": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
-    "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
-    "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
-    "os_compute_api:os-migrations:index": "rule:admin_api",
-    "os_compute_api:os-multinic": "rule:admin_or_owner",
-    "os_compute_api:os-networks": "rule:admin_api",
-    "os_compute_api:os-networks:view": "rule:admin_or_owner",
-    "os_compute_api:os-networks-associate": "rule:admin_api",
-    "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
-    "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
-    "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
-    "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
-    "os_compute_api:os-quota-sets:update": "rule:admin_api",
-    "os_compute_api:os-quota-sets:defaults": "@",
-    "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
-    "os_compute_api:os-quota-sets:delete": "rule:admin_api",
-    "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner",
-    "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
-    "os_compute_api:os-rescue": "rule:admin_or_owner",
-    "os_compute_api:os-security-group-default-rules": "rule:admin_api",
-    "os_compute_api:os-security-groups": "rule:admin_or_owner",
-    "os_compute_api:os-server-diagnostics": "rule:admin_api",
-    "os_compute_api:os-server-external-events:create": "rule:admin_api",
-    "os_compute_api:os-server-groups:create": "rule:admin_or_owner",
-    "os_compute_api:os-server-groups:delete": "rule:admin_or_owner",
-    "os_compute_api:os-server-groups:index": "rule:admin_or_owner",
-    "os_compute_api:os-server-groups:show": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:index": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:show": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:create": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:update": "rule:admin_or_owner",
-    "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
-    "os_compute_api:os-server-password": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:index": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:delete": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:update": "rule:admin_or_owner",
-    "os_compute_api:os-server-tags:show": "rule:admin_or_owner",
-    "os_compute_api:servers:index": "rule:admin_or_owner",
-    "os_compute_api:servers:detail": "rule:admin_or_owner",
-    "os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
-    "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
-    "os_compute_api:servers:allow_all_filters": "rule:admin_api",
-    "os_compute_api:servers:show": "rule:admin_or_owner",
-    "os_compute_api:servers:show:host_status": "rule:admin_api",
-    "os_compute_api:servers:create": "rule:admin_or_owner",
-    "os_compute_api:servers:create:forced_host": "rule:admin_api",
-    "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
-    "os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
-    "os_compute_api:servers:create:trusted_certs": "rule:admin_or_owner",
-    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
-    "network:attach_external_network": "is_admin:True",
-    "os_compute_api:servers:delete": "rule:admin_or_owner",
-    "os_compute_api:servers:update": "rule:admin_or_owner",
-    "os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
-    "os_compute_api:servers:revert_resize": "rule:admin_or_owner",
-    "os_compute_api:servers:reboot": "rule:admin_or_owner",
-    "os_compute_api:servers:resize": "rule:admin_or_owner",
-    "os_compute_api:servers:rebuild": "rule:admin_or_owner",
-    "os_compute_api:servers:rebuild:trusted_certs": "rule:admin_or_owner",
-    "os_compute_api:servers:create_image": "rule:admin_or_owner",
-    "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
-    "os_compute_api:servers:start": "rule:admin_or_owner",
-    "os_compute_api:servers:stop": "rule:admin_or_owner",
-    "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
-    "os_compute_api:servers:migrations:show": "rule:admin_api",
-    "os_compute_api:servers:migrations:force_complete": "rule:admin_api",
-    "os_compute_api:servers:migrations:delete": "rule:admin_api",
-    "os_compute_api:servers:migrations:index": "rule:admin_api",
-    "os_compute_api:os-services": "rule:admin_api",
-    "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
-    "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
-    "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
-    "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
-    "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
-    "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
-    "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
-    "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
-    "os_compute_api:os-used-limits": "rule:admin_api",
-    "os_compute_api:os-volumes": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
-    "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
-}

openstack_dashboard/defaults.py

@@ -73,11 +73,11 @@ POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf")
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 POLICY_FILES = {
-    'identity': 'keystone_policy.json',
-    'compute': 'nova_policy.json',
-    'volume': 'cinder_policy.json',
-    'image': 'glance_policy.json',
-    'network': 'neutron_policy.json',
+    'identity': 'keystone_policy.yaml',
+    'compute': 'nova_policy.yaml',
+    'volume': 'cinder_policy.yaml',
+    'image': 'glance_policy.yaml',
+    'network': 'neutron_policy.yaml',
 }
 # Services for which horizon has extra policies are defined
 # in POLICY_DIRS by default.
@@ -85,6 +85,13 @@ POLICY_DIRS = {
     'compute': ['nova_policy.d'],
     'volume': ['cinder_policy.d'],
 }
+DEFAULT_POLICY_FILES = {
+    'identity': 'default_policies/keystone.yaml',
+    'compute': 'default_policies/nova.yaml',
+    'volume': 'default_policies/cinder.yaml',
+    'image': 'default_policies/glance.yaml',
+    'network': 'default_policies/neutron.yaml',
+}
 POLICY_CHECK_FUNCTION = 'openstack_auth.policy.check'
 
 SITE_BRANDING = 'OpenStack Dashboard'

openstack_dashboard/management/commands/dump_default_policies.py

@@ -0,0 +1,82 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import logging
+import sys
+
+from django.core.management.base import BaseCommand
+from oslo_policy import generator
+import yaml
+
+
+LOG = logging.getLogger(__name__)
+
+
+def _load_default_policies(namespace):
+    defaults = generator.get_policies_dict([namespace])
+    return defaults.get(namespace)
+
+
+def _format_default_policy(default):
+    data = {
+        'name': default.name,
+        'check_str': default.check_str,
+        'description': default.description,
+    }
+    data['operations'] = getattr(default, 'operations', [])
+    data['scope_types'] = getattr(default, 'scope_types', None)
+
+    if default.deprecated_for_removal:
+        data['deprecated_for_removal'] = True
+        data['deprecated_since'] = default.deprecated_since
+        data['deprecated_reason'] = default.deprecated_reason
+
+    if default.deprecated_rule:
+        data['deprecated_rule'] = {
+            'name': default.deprecated_rule.name,
+            'check_str': default.deprecated_rule.check_str,
+        }
+        data['deprecated_since'] = default.deprecated_since
+        data['deprecated_reason'] = default.deprecated_reason
+
+    return data
+
+
+def _write_yaml_file(policies, output_file):
+    stream = open(output_file, 'w') if output_file else sys.stdout
+    yaml.dump(policies, stream=stream)
+    if output_file:
+        stream.close()
+
+
+class Command(BaseCommand):
+    help = ("Dump default policies of back-end services defined in codes "
+            "as YAML file so that horizon can load default policies.")
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '--namespace',
+            required=True,
+            help='Namespace under "oslo.policy.policies" to query.')
+        parser.add_argument(
+            '--output-file',
+            help='Path of the file to write to. Defaults to stdout.')
+
+    def handle(self, *args, **options):
+        namespace = options['namespace']
+        defaults = _load_default_policies(namespace)
+        if defaults is None:
+            LOG.error('The requested namespace "%s" is not found.', namespace)
+            sys.exit(1)
+
+        policies = [_format_default_policy(default) for default in defaults]
+        _write_yaml_file(policies, options['output_file'])

releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml

@@ -0,0 +1,22 @@
+---
+features:
+  - |
+    Horizon supports the registered default policies and operators now
+    only need to define policies which they would like to override in policy
+    files in ``POLICY_FILES`` setting. (Previously the policy files need to
+    contain all defined policies including default policies.)
+    The registered default policies are defined in files under
+    ``DEFAULT_POLICY_FILES`` and they are synced with registered defaults
+    of back-end services before the horizon release.
+issues:
+  - |
+    Policies with the system scoped token (``system_scope:all``) are not
+    supported in horizon yet. The horizon team recognizes it as an important
+    feature gap and would like to support it in near future.
+upgrade:
+  - |
+    The format of the policy files under ``POLICY_FILES`` is changed to YAML
+    and all contents of these files are commented out now. You only need to
+    define policies which you would like to modify from the default.
+    You can still use policy files with JSON format. If you continue to use
+    JSON format, configure ``POLICY_FILES`` setting to point JSON files.

requirements.txt

@@ -23,10 +23,10 @@ netaddr>=0.7.18 # BSD
 oslo.concurrency>=3.26.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
-oslo.policy>=1.30.0 # Apache-2.0
+oslo.policy>=3.2.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.upgradecheck>=0.1.1 # Apache-2.0
-oslo.utils>=3.33.0 # Apache-2.0
+oslo.utils>=3.40.0 # Apache-2.0
 osprofiler>=2.3.0 # Apache-2.0
 pymongo!=3.1,>=3.0.2 # Apache-2.0
 pyScss>=1.3.7 # MIT License