Comment the default values in policy.json.sample
This updates etc/ironic/policy.json.sample so that the default rules/values are commented out (since they don't need to be specified). The change was done by oslo-config-generator, the utility that generates this sample. Change-Id: I1df564992336862c00e3b7213e230f32cba3d789
This commit is contained in:
Ruby Loo
@@ -1,90 +1,135 @@
|
||||
# Legacy rule for cloud admin access
|
||||
"admin_api": "role:admin or role:administrator"
|
||||
#"admin_api": "role:admin or role:administrator"
|
||||
|
||||
# Internal flag for public API routes
|
||||
"public_api": "is_public_api:True"
|
||||
#"public_api": "is_public_api:True"
|
||||
|
||||
# Show or mask secrets within node driver information in API responses
|
||||
"show_password": "!"
|
||||
#"show_password": "!"
|
||||
|
||||
# Show or mask secrets within instance information in API responses
|
||||
"show_instance_secrets": "!"
|
||||
#"show_instance_secrets": "!"
|
||||
|
||||
# May be used to restrict access to specific projects
|
||||
"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
|
||||
#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
|
||||
|
||||
# Read-only API access
|
||||
"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
|
||||
#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
|
||||
|
||||
# Full read/write API access
|
||||
"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
|
||||
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
|
||||
|
||||
# Retrieve Node records
|
||||
"baremetal:node:get": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:node:get": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Retrieve Node boot device metadata
|
||||
"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# View Node power and provision state
|
||||
"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Create Node records
|
||||
"baremetal:node:create": "rule:is_admin"
|
||||
#"baremetal:node:create": "rule:is_admin"
|
||||
|
||||
# Delete Node records
|
||||
"baremetal:node:delete": "rule:is_admin"
|
||||
#"baremetal:node:delete": "rule:is_admin"
|
||||
|
||||
# Update Node records
|
||||
"baremetal:node:update": "rule:is_admin"
|
||||
#"baremetal:node:update": "rule:is_admin"
|
||||
|
||||
# Request active validation of Nodes
|
||||
"baremetal:node:validate": "rule:is_admin"
|
||||
#"baremetal:node:validate": "rule:is_admin"
|
||||
|
||||
# Set maintenance flag, taking a Node out of service
|
||||
"baremetal:node:set_maintenance": "rule:is_admin"
|
||||
#"baremetal:node:set_maintenance": "rule:is_admin"
|
||||
|
||||
# Clear maintenance flag, placing the Node into service again
|
||||
"baremetal:node:clear_maintenance": "rule:is_admin"
|
||||
#"baremetal:node:clear_maintenance": "rule:is_admin"
|
||||
|
||||
# Change Node boot device
|
||||
"baremetal:node:set_boot_device": "rule:is_admin"
|
||||
#"baremetal:node:set_boot_device": "rule:is_admin"
|
||||
|
||||
# Change Node power status
|
||||
"baremetal:node:set_power_state": "rule:is_admin"
|
||||
#"baremetal:node:set_power_state": "rule:is_admin"
|
||||
|
||||
# Change Node provision status
|
||||
"baremetal:node:set_provision_state": "rule:is_admin"
|
||||
#"baremetal:node:set_provision_state": "rule:is_admin"
|
||||
|
||||
# Change Node RAID status
|
||||
"baremetal:node:set_raid_state": "rule:is_admin"
|
||||
#"baremetal:node:set_raid_state": "rule:is_admin"
|
||||
|
||||
# Get Node console connection information
|
||||
"baremetal:node:get_console": "rule:is_admin"
|
||||
#"baremetal:node:get_console": "rule:is_admin"
|
||||
|
||||
# Change Node console status
|
||||
"baremetal:node:set_console_state": "rule:is_admin"
|
||||
#"baremetal:node:set_console_state": "rule:is_admin"
|
||||
|
||||
# List VIFs attached to node
|
||||
"baremetal:node:vif:list": "rule:is_admin"
|
||||
#"baremetal:node:vif:list": "rule:is_admin"
|
||||
|
||||
# Attach a VIF to a node
|
||||
"baremetal:node:vif:attach": "rule:is_admin"
|
||||
#"baremetal:node:vif:attach": "rule:is_admin"
|
||||
|
||||
# Detach a VIF from a node
|
||||
"baremetal:node:vif:detach": "rule:is_admin"
|
||||
#"baremetal:node:vif:detach": "rule:is_admin"
|
||||
|
||||
# Inject NMI for a node
|
||||
"baremetal:node:inject_nmi": "rule:is_admin"
|
||||
#"baremetal:node:inject_nmi": "rule:is_admin"
|
||||
|
||||
# Retrieve Port records
|
||||
"baremetal:port:get": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Create Port records
|
||||
"baremetal:port:create": "rule:is_admin"
|
||||
#"baremetal:port:create": "rule:is_admin"
|
||||
|
||||
# Delete Port records
|
||||
"baremetal:port:delete": "rule:is_admin"
|
||||
#"baremetal:port:delete": "rule:is_admin"
|
||||
|
||||
# Update Port records
|
||||
"baremetal:port:update": "rule:is_admin"
|
||||
#"baremetal:port:update": "rule:is_admin"
|
||||
|
||||
# Retrieve Portgroup records
|
||||
"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Create Portgroup records
|
||||
"baremetal:portgroup:create": "rule:is_admin"
|
||||
#"baremetal:portgroup:create": "rule:is_admin"
|
||||
|
||||
# Delete Portgroup records
|
||||
"baremetal:portgroup:delete": "rule:is_admin"
|
||||
#"baremetal:portgroup:delete": "rule:is_admin"
|
||||
|
||||
# Update Portgroup records
|
||||
"baremetal:portgroup:update": "rule:is_admin"
|
||||
#"baremetal:portgroup:update": "rule:is_admin"
|
||||
|
||||
# Retrieve Chassis records
|
||||
"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Create Chassis records
|
||||
"baremetal:chassis:create": "rule:is_admin"
|
||||
#"baremetal:chassis:create": "rule:is_admin"
|
||||
|
||||
# Delete Chassis records
|
||||
"baremetal:chassis:delete": "rule:is_admin"
|
||||
#"baremetal:chassis:delete": "rule:is_admin"
|
||||
|
||||
# Update Chassis records
|
||||
"baremetal:chassis:update": "rule:is_admin"
|
||||
#"baremetal:chassis:update": "rule:is_admin"
|
||||
|
||||
# View list of available drivers
|
||||
"baremetal:driver:get": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# View driver-specific properties
|
||||
"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# View driver-specific RAID metadata
|
||||
"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
|
||||
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
|
||||
|
||||
# Access vendor-specific Node functions
|
||||
"baremetal:node:vendor_passthru": "rule:is_admin"
|
||||
#"baremetal:node:vendor_passthru": "rule:is_admin"
|
||||
|
||||
# Access vendor-specific Driver functions
|
||||
"baremetal:driver:vendor_passthru": "rule:is_admin"
|
||||
#"baremetal:driver:vendor_passthru": "rule:is_admin"
|
||||
|
||||
# Send heartbeats from IPA ramdisk
|
||||
"baremetal:node:ipa_heartbeat": "rule:public_api"
|
||||
#"baremetal:node:ipa_heartbeat": "rule:public_api"
|
||||
|
||||
# Access IPA ramdisk functions
|
||||
"baremetal:driver:ipa_lookup": "rule:public_api"
|
||||
#"baremetal:driver:ipa_lookup": "rule:public_api"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user