horizon/openstack_dashboard/conf/cinder_policy.yaml
Akihiro Motoki b7bb76eb20 Support policy-in-code and deprecated policy
This commit allows horizon to handle deprecated policy rules.
The approach is explained in the document updated by this change.

oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen
just because it is the first release in Victoria cycle.
requirements.txt and lower-constraints.txt are updated accordingly
including oslo.policy dependencies.

Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
2021-01-27 14:02:27 +00:00

647 lines
20 KiB
YAML

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Create attachment.
# POST /attachments
#"volume:attachment_create": ""
# Update attachment.
# PUT /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"
# Delete attachment.
# DELETE /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"
# Mark a volume attachment process as completed (in-use)
# POST /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"
# Allow multiattach of bootable volumes.
# POST /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"
# List messages.
# GET /messages
#"message:get_all": "rule:admin_or_owner"
# Show message.
# GET /messages/{message_id}
#"message:get": "rule:admin_or_owner"
# Delete message.
# DELETE /messages/{message_id}
#"message:delete": "rule:admin_or_owner"
# List clusters.
# GET /clusters
# GET /clusters/detail
#"clusters:get_all": "rule:admin_api"
# Show cluster.
# GET /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"
# Update cluster.
# PUT /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"
# Clean up workers.
# POST /workers/cleanup
#"workers:cleanup": "rule:admin_api"
# Show snapshot's metadata or one specified metadata with a given key.
# GET /snapshots/{snapshot_id}/metadata
# GET /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"
# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT /snapshots/{snapshot_id}/metadata
# PUT /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"
# Delete snapshot's specified metadata with a given key.
# DELETE /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"
# List snapshots.
# GET /snapshots
# GET /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"
# List or show snapshots with extended attributes.
# GET /snapshots/{snapshot_id}
# GET /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
# Create snapshot.
# POST /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"
# Show snapshot.
# GET /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"
# Update snapshot.
# PUT /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"
# Delete snapshot.
# DELETE /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"
# Reset status of a snapshot.
# POST /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
# Update database fields of snapshot.
# POST /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""
# Force delete a snapshot.
# POST /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
# List (in detail) of snapshots which are available to manage.
# GET /manageable_snapshots
# GET /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"
# Manage an existing snapshot.
# POST /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"
# Stop managing a snapshot.
# POST /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"
# List backups.
# GET /backups
# GET /backups/detail
#"backup:get_all": "rule:admin_or_owner"
# List backups or show backup with project attributes.
# GET /backups/{backup_id}
# GET /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"
# Create backup.
# POST /backups
#"backup:create": ""
# Show backup.
# GET /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"
# Update backup.
# PUT /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"
# Delete backup.
# DELETE /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"
# Restore backup.
# POST /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"
# Import backup.
# POST /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"
# Export backup.
# POST /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"
# Reset status of a backup.
# POST /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
# Force delete a backup.
# POST /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
# List groups.
# GET /groups
# GET /groups/detail
#"group:get_all": "rule:admin_or_owner"
# Create group.
# POST /groups
#"group:create": ""
# Show group.
# GET /groups/{group_id}
#"group:get": "rule:admin_or_owner"
# Update group.
# PUT /groups/{group_id}
#"group:update": "rule:admin_or_owner"
# List groups or show group with project attributes.
# GET /groups/{group_id}
# GET /groups/detail
#"group:group_project_attribute": "rule:admin_api"
# Create, update or delete a group type.
# POST /group_types/
# PUT /group_types/{group_type_id}
# DELETE /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"
# Show group type with type specs attributes.
# GET /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"
# Create, show, update and delete group type spec.
# GET /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET /group_types/{group_type_id}/group_specs
# POST /group_types/{group_type_id}/group_specs
# PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"
# List group snapshots.
# GET /group_snapshots
# GET /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"
# Create group snapshot.
# POST /group_snapshots
#"group:create_group_snapshot": ""
# Show group snapshot.
# GET /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"
# Delete group snapshot.
# DELETE /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"
# Update group snapshot.
# PUT /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"
# List group snapshots or show group snapshot with project attributes.
# GET /group_snapshots/{group_snapshot_id}
# GET /group_snapshots/detail
#"group:group_snapshot_project_attribute": "rule:admin_api"
# Reset status of group snapshot.
# POST /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_or_owner"
# Delete group.
# POST /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"
# Reset status of group.
# POST /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"
# Enable replication.
# POST /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"
# Disable replication.
# POST /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"
# Fail over replication.
# POST /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"
# List failover replication.
# POST /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"
# List qos specs or list all associations.
# GET /qos-specs
# GET /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"
# Show qos specs.
# GET /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"
# Create qos specs.
# POST /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"
# Update qos specs (including updating association).
# PUT /qos-specs/{qos_id}
# GET /qos-specs/{qos_id}/disassociate_all
# GET /qos-specs/{qos_id}/associate
# GET /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"
# delete qos specs or unset one specified qos key.
# DELETE /qos-specs/{qos_id}
# PUT /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"
# Show or update project quota class.
# GET /os-quota-class-sets/{project_id}
# PUT /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"
# Show project quota (including usage and default).
# GET /os-quota-sets/{project_id}
# GET /os-quota-sets/{project_id}/default
# GET /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"
# Update project quota.
# PUT /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"
# Delete project quota.
# DELETE /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"
# Validate setup for nested quota.
# GET /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
# Show backend capabilities.
# GET /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"
# List all services.
# GET /os-services
#"volume_extension:services:index": "rule:admin_api"
# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"
# Freeze a backend host.
# PUT /os-services/freeze
#"volume:freeze_host": "rule:admin_api"
# Thaw a backend host.
# PUT /os-services/thaw
#"volume:thaw_host": "rule:admin_api"
# Failover a backend host.
# PUT /os-services/failover_host
#"volume:failover_host": "rule:admin_api"
# List all backend pools.
# GET /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
# List, update or show hosts for a project.
# GET /os-hosts
# PUT /os-hosts/{host_name}
# GET /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"
# Show limits with used limit attributes.
# GET /limits
#"limits_extension:used_limits": "rule:admin_or_owner"
# List (in detail) of volumes which are available to manage.
# GET /manageable_volumes
# GET /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"
# Manage existing volumes.
# POST /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"
# Stop managing a volume.
# POST /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"
# Create, update and delete volume type.
# POST /types
# PUT /types
# DELETE /types
#"volume_extension:types_manage": "rule:admin_api"
# Get one specific volume type.
# GET /types/{type_id}
#"volume_extension:type_get": ""
# List volume types.
# GET /types/
#"volume_extension:type_get_all": ""
# Base policy for all volume type encryption type operations. This
# can be used to set the policies for a volume type's encryption type
# create, show, update, and delete actions in one place, or any of
# those may be set individually using the following policy targets for
# finer grained control.
# POST /types/{type_id}/encryption
# PUT /types/{type_id}/encryption/{encryption_id}
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"
# Create volume type encryption.
# POST /types/{type_id}/encryption
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"
# Show a volume type's encryption type, show an encryption specs item.
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{key}
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"
# Update volume type encryption.
# PUT /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"
# Delete volume type encryption.
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"
# List or show volume type with access type extra specs attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"
# List or show volume type with access type qos specs id attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"
# Volume type access related APIs.
# GET /types
# GET /types/detail
# GET /types/{type_id}
# POST /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"
# Add volume type access for project.
# POST /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
# Remove volume type access for project.
# POST /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
# Extend a volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"
# Extend a attached volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"
# Revert a volume to a snapshot.
# POST /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"
# Reset status of a volume.
# POST /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
# Retype a volume.
# POST /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"
# Update a volume's readonly flag.
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"
# Force delete a volume.
# POST /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
# Upload a volume to image with public visibility.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"
# Upload a volume to image.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
# Force detach a volume.
# POST /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
# migrate a volume to a specified host.
# POST /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
# Complete a volume migration.
# POST /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
# Initialize volume attachment.
# POST /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
# Terminate volume attachment.
# POST /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
# Roll back volume status to 'in-use'.
# POST /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
# Mark volume as reserved.
# POST /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
# Unmark volume as reserved.
# POST /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
# Begin detach volumes.
# POST /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
# Add attachment metadata.
# POST /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"
# Clear attachment metadata.
# POST /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"
# List volume transfer.
# GET /os-volume-transfer
# GET /os-volume-transfer/detail
# GET /volume_transfers
# GET /volume-transfers/detail
#"volume:get_all_transfers": "rule:admin_or_owner"
# Create a volume transfer.
# POST /os-volume-transfer
# POST /volume_transfers
#"volume:create_transfer": "rule:admin_or_owner"
# Show one specified volume transfer.
# GET /os-volume-transfer/{transfer_id}
# GET /volume-transfers/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"
# Accept a volume transfer.
# POST /os-volume-transfer/{transfer_id}/accept
# POST /volume-transfers/{transfer_id}/accept
#"volume:accept_transfer": ""
# Delete volume transfer.
# DELETE /os-volume-transfer/{transfer_id}
# DELETE /volume-transfers/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"
# Show volume's metadata or one specified metadata with a given key.
# GET /volumes/{volume_id}/metadata
# GET /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"
# Create volume metadata.
# POST /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"
# Update volume's metadata or one specified metadata with a given key.
# PUT /volumes/{volume_id}/metadata
# PUT /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"
# Delete volume's specified metadata with a given key.
# DELETE /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"
# Volume's image metadata related operation, create, delete, show and
# list.
# GET /volumes/detail
# GET /volumes/{volume_id}
# POST /volumes/{volume_id}/action (os-set_image_metadata)
# POST /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"
# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
# POST /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"
# List type extra specs.
# GET /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"
# Create type extra specs.
# POST /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"
# Show one specified type extra specs.
# GET /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"
# Update type extra specs.
# PUT /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"
# Delete type extra specs.
# DELETE /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"
# Create volume.
# POST /volumes
#"volume:create": ""
# Create volume from image.
# POST /volumes
#"volume:create_from_image": ""
# Show volume.
# GET /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"
# List volumes or get summary of volumes.
# GET /volumes
# GET /volumes/detail
# GET /volumes/summary
#"volume:get_all": "rule:admin_or_owner"
# Update volume or update a volume's bootable status.
# PUT /volumes
# POST /volumes/{volume_id}/action (os-set_bootable)
#"volume:update": "rule:admin_or_owner"
# Delete volume.
# DELETE /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"
# Force Delete a volume.
# DELETE /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"
# List or show volume with host attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"
# List or show volume with tenant attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
# List or show volume with migration status attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"
# Show volume's encryption metadata.
# GET /volumes/{volume_id}/encryption
# GET /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
# Create multiattach capable volume.
# POST /volumes
#"volume:multiattach": "rule:admin_or_owner"