From 7b14dda9fae7f61aae3ade43209bd803abdd52cb Mon Sep 17 00:00:00 2001 From: "Kevin L. Mitchell" Date: Fri, 12 Oct 2012 14:35:42 -0500 Subject: [PATCH] Update policies Merge in update openstack-common policy code. Updates Quantum-specific policy glue code to eliminate deprecated openstack-common policy interfaces. Also cleans up policy code to allow for returning fine-grained policy values. Change-Id: I2951a0de3751bd2ec868e7a661070fed624e4af2
---
 etc/policy.json | 68 ++++++++++++++++++++++++-------------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/etc/policy.json b/etc/policy.json
index e4d9ad24..d5641de4 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,42 +1,42 @@
 {
- "admin_or_owner": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
- "admin_or_network_owner": [["role:admin"], ["tenant_id:%(network_tenant_id)s"]],
- "admin_only": [["role:admin"]],
- "regular_user": [],
- "shared": [["field:networks:shared=True"]],
- "external": [["field:networks:router:external=True"]],
- "default": [["rule:admin_or_owner"]],
+ "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
+ "admin_or_network_owner": "role:admin or tenant_id:%(network_tenant_id)s",
+ "admin_only": "role:admin",
+ "regular_user": "",
+ "shared": "field:networks:shared=True",
+ "external": "field:networks:router:external=True",
+ "default": "rule:admin_or_owner",
 
- "extension:provider_network:view": [["rule:admin_only"]],
- "extension:provider_network:set": [["rule:admin_only"]],
+ "extension:provider_network:view": "rule:admin_only",
+ "extension:provider_network:set": "rule:admin_only",
 
- "extension:router:view": [["rule:regular_user"]],
- "extension:router:set": [["rule:admin_only"]],
- "extension:router:add_router_interface": [["rule:admin_or_owner"]],
- "extension:router:remove_router_interface": [["rule:admin_or_owner"]],
+ "extension:router:view": "rule:regular_user",
+ "extension:router:set": "rule:admin_only",
+ "extension:router:add_router_interface": "rule:admin_or_owner",
+ "extension:router:remove_router_interface": "rule:admin_or_owner",
 
- "subnets:private:read": [["rule:admin_or_owner"]],
- "subnets:private:write": [["rule:admin_or_owner"]],
- "subnets:shared:read": [["rule:regular_user"]],
- "subnets:shared:write": [["rule:admin_only"]],
+ "subnets:private:read": "rule:admin_or_owner",
+ "subnets:private:write": "rule:admin_or_owner",
+ "subnets:shared:read": "rule:regular_user",
+ "subnets:shared:write": "rule:admin_only",
 
- "create_subnet": [["rule:admin_or_network_owner"]],
- "get_subnet": [["rule:admin_or_owner"], ["rule:shared"]],
- "update_subnet": [["rule:admin_or_network_owner"]],
- "delete_subnet": [["rule:admin_or_network_owner"]],
+ "create_subnet": "rule:admin_or_network_owner",
+ "get_subnet": "rule:admin_or_owner or rule:shared",
+ "update_subnet": "rule:admin_or_network_owner",
+ "delete_subnet": "rule:admin_or_network_owner",
 
- "create_network": [],
- "get_network": [["rule:admin_or_owner"], ["rule:shared"], ["rule:external"]],
- "create_network:shared": [["rule:admin_only"]],
- "create_network:router:external": [["rule:admin_only"]],
- "update_network": [["rule:admin_or_owner"]],
- "delete_network": [["rule:admin_or_owner"]],
+ "create_network": "",
+ "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+ "create_network:shared": "rule:admin_only",
+ "create_network:router:external": "rule:admin_only",
+ "update_network": "rule:admin_or_owner",
+ "delete_network": "rule:admin_or_owner",
 
- "create_port": [],
- "create_port:mac_address": [["rule:admin_or_network_owner"]],
- "create_port:fixed_ips": [["rule:admin_or_network_owner"]],
- "get_port": [["rule:admin_or_owner"]],
- "update_port": [["rule:admin_or_owner"]],
- "update_port:fixed_ips": [["rule:admin_or_network_owner"]],
- "delete_port": [["rule:admin_or_owner"]]
+ "create_port": "",
+ "create_port:mac_address": "rule:admin_or_network_owner",
+ "create_port:fixed_ips": "rule:admin_or_network_owner",
+ "get_port": "rule:admin_or_owner",
+ "update_port": "rule:admin_or_owner",
+ "update_port:fixed_ips": "rule:admin_or_network_owner",
+ "delete_port": "rule:admin_or_owner"
 }
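Review bot: The three empty-string rules on the new side (`"regular_user": ""`, `"create_network": ""`, `"create_port": ""`) read like a missing value rather than a deliberate allow-all, and JSON gives no place to say so in the file. Assuming the updated parser treats `""` the way the old one treated `[]`, the grant is unchanged, but it is now spelled out in three places instead of one. Pointing the two action rules at the named rule keeps the intent visible and auditable in a single spot: `"create_network": "rule:regular_user",` and `"create_port": "rule:regular_user",`. Because the parser change is not part of this one-file patch, a unit test that pins `""` as always-allowed, and checks that each converted `or` expression evaluates like its old list-of-lists form, would guard against a silent change in who is authorised.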