Merge "Document policy rule using the description parameter" into stable/wallaby

Zuul 2021-04-22 13:59:56 +00:00 committed by Gerrit Code Review
commit 770c6f00a8
1 changed files with 17 additions and 15 deletions


@ -82,53 +82,48 @@ SYSTEM_OR_PROJECT_READER = (
rules = [ rules = [
# ***Default OpenStack scoped personas*** # # ***Default OpenStack scoped personas*** #
# System scoped Administrator
policy.RuleDefault( policy.RuleDefault(
name='system-admin', name='system-admin',
check_str='role:admin and ' check_str='role:admin and '
'system_scope:all', 'system_scope:all',
description='System scoped Administrator',
scope_types=['system']), scope_types=['system']),
# System scoped Member
policy.RuleDefault( policy.RuleDefault(
name='system-member', name='system-member',
check_str='role:member and ' check_str='role:member and '
'system_scope:all', 'system_scope:all',
description='System scoped Member',
scope_types=['system']), scope_types=['system']),
# System scoped Reader
policy.RuleDefault( policy.RuleDefault(
name='system-reader', name='system-reader',
check_str='role:reader and ' check_str='role:reader and '
'system_scope:all', 'system_scope:all',
description='System scoped Reader',
scope_types=['system']), scope_types=['system']),
# Project scoped Administrator
policy.RuleDefault( policy.RuleDefault(
name='project-admin', name='project-admin',
check_str='role:admin and ' check_str='role:admin and '
'project_id:%(project_id)s', 'project_id:%(project_id)s',
description='Project scoped Administrator',
scope_types=['project']), scope_types=['project']),
# Project scoped Member
policy.RuleDefault( policy.RuleDefault(
name='project-member', name='project-member',
check_str='role:member and ' check_str='role:member and '
'project_id:%(project_id)s', 'project_id:%(project_id)s',
description='Project scoped Member',
scope_types=['project']), scope_types=['project']),
# Project scoped Reader
policy.RuleDefault( policy.RuleDefault(
name='project-reader', name='project-reader',
check_str='role:reader and ' check_str='role:reader and '
'project_id:%(project_id)s', 'project_id:%(project_id)s',
description='Project scoped Reader',
scope_types=['project']), scope_types=['project']),
# ***Special personas for Manila*** # # ***Special personas for Manila*** #
# Privileged users checked via "context.is_admin"
policy.RuleDefault( policy.RuleDefault(
name='context_is_admin', name='context_is_admin',
check_str='rule:system-admin', check_str='rule:system-admin',
description='Privileged users checked via "context.is_admin"',
deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN, deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN,
scope_types=['system']), scope_types=['system']),
@ -136,9 +131,16 @@ rules = [
# can be removed after "enforce_scope" defaults to True in oslo.policy # can be removed after "enforce_scope" defaults to True in oslo.policy
policy.RuleDefault( policy.RuleDefault(
name='admin_or_owner', name='admin_or_owner',
check_str='is_admin:True or project_id:%(project_id)s'), check_str='is_admin:True or project_id:%(project_id)s',
policy.RuleDefault(name='default', check_str=RULE_ADMIN_OR_OWNER), description='Administrator or Member of the project'),
policy.RuleDefault(name='admin_api', check_str='is_admin:True'), policy.RuleDefault(
name='default',
check_str=RULE_ADMIN_OR_OWNER,
description='Default rule for most non-Admin APIs'),
policy.RuleDefault(
name='admin_api',
check_str='is_admin:True',
description='Default rule for most Admin APIs.'),
] ]
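Review bot: The new description on `admin_or_owner`, 'Administrator or Member of the project', reads as though the member role were required, but the visible check string is `is_admin:True or project_id:%(project_id)s`, which matches on project ID alone and names no role. These descriptions are what operators see in generated policy documentation, and `project-member` just above really does check `role:member`, so the wording invites over-estimating how restrictive this rule (and `default`, which points at it) is. I would word it as `description='Administrator or any user of the owning project (no role check)'`. As a smaller style point, 'Default rule for most Admin APIs.' ends in a period while every other description in the list does not. The `rules` list continues between the two hunks, so other entries were not reviewed.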