openstack/horizon
Code Issues Proposed changes
d710db0bbc
horizon/openstack_dashboard/conf/default_policies/glance.yaml
manchandavishal 316c24c5af Sync default policy rules 
This patch updates default policy-in-code rules in horizon based on
nova/neutron/glance RC deliverables. It doesn't update policy
rules for cinder and keystone as I have found no changes in their
policy rules. Horizon needs to update default policy-in-code rules
for all backend services before releasing the horizon[1].

[1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing

Change-Id: Ia636b32d0eeec9a4d399fcdbb4d4db1aeaa4fdab
2023-09-06 20:01:59 +05:30

729 lines
20 KiB
YAML
Raw Blame History

- check_str: ''
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_admin
name: default
deprecated_since: null
description: Defines the default rule used for policies that historically had an
empty policy in the supplied policy.json file.
name: default
operations: []
scope_types: null
- check_str: role:admin
description: Defines the rule for the is_admin:True check.
name: context_is_admin
operations: []
scope_types: null
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s and
project_id:%(owner)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_image
deprecated_since: null
description: Create new image
name: add_image
operations:
- method: POST
path: /v2/images
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_image
deprecated_since: null
description: Deletes the image
name: delete_image
operations:
- method: DELETE
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s
or 'shared':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_image
deprecated_since: null
description: Get specified image
name: get_image
operations:
- method: GET
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_images
deprecated_since: null
description: Get all available images
name: get_images
operations:
- method: GET
path: /v2/images
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: modify_image
deprecated_since: null
description: Updates given image
name: modify_image
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Publicize given image
name: publicize_image
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: communitize_image
deprecated_since: null
description: Communitize given image
name: communitize_image
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and (project_id:%(project_id)s
or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s
or 'shared':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: download_image
deprecated_since: null
description: Downloads given image
name: download_image
operations:
- method: GET
path: /v2/images/{image_id}/file
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: upload_image
deprecated_since: null
description: Uploads data to specified image
name: upload_image
operations:
- method: PUT
path: /v2/images/{image_id}/file
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_image_location
deprecated_since: null
description: Deletes the location of given image
name: delete_image_location
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_image_location
deprecated_since: null
description: Reads the location of the image
name: get_image_location
operations:
- method: GET
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: set_image_location
deprecated_since: null
description: Sets location URI to given image
name: set_image_location
operations:
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_member
deprecated_since: null
description: Create image member
name: add_member
operations:
- method: POST
path: /v2/images/{image_id}/members
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: delete_member
deprecated_since: null
description: Delete image member
name: delete_member
operations:
- method: DELETE
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- project
- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or
project_id:%(member_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_member
deprecated_since: null
description: Show image member details
name: get_member
operations:
- method: GET
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- project
- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or
project_id:%(member_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_members
deprecated_since: null
description: List image members
name: get_members
operations:
- method: GET
path: /v2/images/{image_id}/members
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(member_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: modify_member
deprecated_since: null
description: Update image member
name: modify_member
operations:
- method: PUT
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Manage image cache
name: manage_image_cache
operations: []
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: deactivate
deprecated_since: null
description: Deactivate image
name: deactivate
operations:
- method: POST
path: /v2/images/{image_id}/actions/deactivate
scope_types:
- project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: reactivate
deprecated_since: null
description: Reactivate image
name: reactivate
operations:
- method: POST
path: /v2/images/{image_id}/actions/reactivate
scope_types:
- project
- check_str: rule:context_is_admin
description: Copy existing image to other stores
name: copy_image
operations:
- method: POST
path: /v2/images/{image_id}/import
scope_types:
- project
- check_str: rule:default
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_task
deprecated_since: null
description: 'Get an image task.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: get_task
operations:
- method: GET
path: /v2/tasks/{task_id}
scope_types:
- project
- check_str: rule:default
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: get_tasks
deprecated_since: null
description: 'List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: get_tasks
operations:
- method: GET
path: /v2/tasks
scope_types:
- project
- check_str: rule:default
deprecated_reason: null
deprecated_rule:
check_str: rule:default
name: add_task
deprecated_since: null
description: 'List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well
as internal locations in Glance that use tasks (like import). Practically this
cannot be more restrictive than the policy that controls import or things will
break, and changing it from the default is almost certainly not what you want.
Access to the external tasks API should be restricted as desired by the
tasks_api_access policy. This may change in the future.
'
name: add_task
operations:
- method: POST
path: /v2/tasks
scope_types:
- project
- check_str: rule:default
deprecated_for_removal: true
deprecated_reason: '
This policy check has never been honored by the API. It will be removed in a
future release.
'
deprecated_since: W
description: This policy is not used.
name: modify_task
operations:
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: '
This is a generic blanket policy for protecting all task APIs. It is not
granular and will not allow you to separate writable and readable task
operations into different roles.
'
name: tasks_api_access
operations:
- method: GET
path: /v2/tasks/{task_id}
- method: GET
path: /v2/tasks
- method: POST
path: /v2/tasks
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- project
- check_str: ''
description: null
name: metadef_default
operations: []
scope_types: null
- check_str: rule:context_is_admin
description: null
name: metadef_admin
operations: []
scope_types: null
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_namespace
deprecated_since: null
description: Get a specific namespace.
name: get_metadef_namespace
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_namespaces
deprecated_since: null
description: List namespace.
name: get_metadef_namespaces
operations:
- method: GET
path: /v2/metadefs/namespaces
scope_types:
- project
- check_str: rule:metadef_admin
description: Modify an existing namespace.
name: modify_metadef_namespace
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Create a namespace.
name: add_metadef_namespace
operations:
- method: POST
path: /v2/metadefs/namespaces
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete a namespace.
name: delete_metadef_namespace
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_object
deprecated_since: null
description: Get a specific object from a namespace.
name: get_metadef_object
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_objects
deprecated_since: null
description: Get objects from a namespace.
name: get_metadef_objects
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- project
- check_str: rule:metadef_admin
description: Update an object within a namespace.
name: modify_metadef_object
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Create an object within a namespace.
name: add_metadef_object
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete an object within a namespace.
name: delete_metadef_object
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: list_metadef_resource_types
deprecated_since: null
description: List meta definition resource types.
name: list_metadef_resource_types
operations:
- method: GET
path: /v2/metadefs/resource_types
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_resource_type
deprecated_since: null
description: Get meta definition resource types associations.
name: get_metadef_resource_type
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- project
- check_str: rule:metadef_admin
description: Create meta definition resource types association.
name: add_metadef_resource_type_association
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete meta definition resource types association.
name: remove_metadef_resource_type_association
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_property
deprecated_since: null
description: Get a specific meta definition property.
name: get_metadef_property
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_properties
deprecated_since: null
description: List meta definition properties.
name: get_metadef_properties
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- project
- check_str: rule:metadef_admin
description: Update meta definition property.
name: modify_metadef_property
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Create meta definition property.
name: add_metadef_property
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete meta definition property.
name: remove_metadef_property
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_tag
deprecated_since: null
description: Get tag definition.
name: get_metadef_tag
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
or 'public':%(visibility)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:metadef_default
name: get_metadef_tags
deprecated_since: null
description: List tag definitions.
name: get_metadef_tags
operations:
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- project
- check_str: rule:metadef_admin
description: Update tag definition.
name: modify_metadef_tag
operations:
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Add tag definition.
name: add_metadef_tag
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Create tag definitions.
name: add_metadef_tags
operations:
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete tag definition.
name: delete_metadef_tag
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- project
- check_str: rule:metadef_admin
description: Delete tag definitions.
name: delete_metadef_tags
operations:
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_image
deprecated_since: null
description: Queue image for caching
name: cache_image
operations:
- method: PUT
path: /v2/cache/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_list
deprecated_since: null
description: List cache status
name: cache_list
operations:
- method: GET
path: /v2/cache
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:manage_image_cache
name: cache_delete
deprecated_since: null
description: Delete image(s) from cache and/or queue
name: cache_delete
operations:
- method: DELETE
path: /v2/cache
- method: DELETE
path: /v2/cache/{image_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Expose store specific information
name: stores_info_detail
operations:
- method: GET
path: /v2/info/stores/detail
scope_types:
- project
View Git Blame Copy Permalink