doc: Use DocumentedRuleDefault
Partially Implements: blueprint neutron-policy-in-code Change-Id: Id66b30b6722b24bd33d491588a9541cd74372e8c
This commit is contained in:
parent
b86fa161ed
commit
e2bb27fc34
@ -15,31 +15,87 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/address-scopes'
|
||||
RESOURCE_PATH = '/address-scopes/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('shared_address_scopes',
|
||||
'field:address_scopes:shared=True',
|
||||
description='Rule of shared address scope'),
|
||||
policy.RuleDefault('create_address_scope',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating address scope'),
|
||||
policy.RuleDefault('create_address_scope:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'shared address scope')),
|
||||
policy.RuleDefault('get_address_scope',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_address_scopes'),
|
||||
description='Access rule for getting address scope'),
|
||||
policy.RuleDefault('update_address_scope',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating address scope'),
|
||||
policy.RuleDefault('update_address_scope:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'shared attribute of address scope')),
|
||||
policy.RuleDefault('delete_address_scope',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting address scope')
|
||||
policy.RuleDefault(
|
||||
'shared_address_scopes',
|
||||
'field:address_scopes:shared=True',
|
||||
'Definition of a shared address scope'
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_address_scope',
|
||||
base.RULE_ANY,
|
||||
'Create an address scope',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_address_scope:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a shared address scope',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_address_scope',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_address_scopes'),
|
||||
'Get an address scope',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_address_scope',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update an address scope',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_address_scope:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``shared`` attribute of an address scope',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_address_scope',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete an address scope',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,66 +15,161 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/agents'
|
||||
RESOURCE_PATH = '/agents/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('get_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting agent'),
|
||||
policy.RuleDefault('update_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating agent'),
|
||||
policy.RuleDefault('delete_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting agent'),
|
||||
policy.RuleDefault('create_dhcp-network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for adding '
|
||||
'network to dhcp agent')),
|
||||
policy.RuleDefault('get_dhcp-networks',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'networks on the dhcp agent')),
|
||||
policy.RuleDefault('delete_dhcp-network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for removing '
|
||||
'network from dhcp agent')),
|
||||
policy.RuleDefault('create_l3-router',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for adding '
|
||||
'router to l3 agent')),
|
||||
policy.RuleDefault('get_l3-routers',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'routers on the l3 agent')),
|
||||
policy.RuleDefault('delete_l3-router',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for deleting '
|
||||
'router from l3 agent')),
|
||||
policy.RuleDefault('get_dhcp-agents',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'dhcp agents hosting the network')),
|
||||
policy.RuleDefault('get_l3-agents',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'l3 agents hosting the router')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get an agent',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update an agent',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete an agent',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_dhcp-network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Add a network to a DHCP agent',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/agents/{agent_id}/dhcp-networks',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_dhcp-networks',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List networks on a DHCP agent',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/agents/{agent_id}/dhcp-networks',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_dhcp-network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Remove a network from a DHCP agent',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/agents/{agent_id}/dhcp-networks/{network_id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_l3-router',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Add a router to an L3 agent',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/agents/{agent_id}/l3-routers',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_l3-routers',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List routers on an L3 agent',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/agents/{agent_id}/l3-routers',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_l3-router',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Remove a router from an L3 agent',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/agents/{agent_id}/l3-routers/{router_id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_dhcp-agents',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List DHCP agents hosting a network',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/networks/{network_id}/dhcp-agents',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_l3-agents',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List L3 agents hosting a router',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/routers/{router_id}/l3-agents',
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): Remove LBaaS related policies once neutron-lbaas
|
||||
# is retired.
|
||||
policy.RuleDefault('get_loadbalancer-agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting '
|
||||
'lbaas agent hosting the pool')),
|
||||
policy.RuleDefault('get_loadbalancer-pools',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'pools on the lbaas agent')),
|
||||
policy.RuleDefault('get_agent-loadbalancers',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for listing '
|
||||
'loadbalancers on the lbaasv2 agent')),
|
||||
policy.RuleDefault('get_loadbalancer-hosting-agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting '
|
||||
'lbaasv2 agent hosting the loadbalancer')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_agent-loadbalancers',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List load balancers on an LBaaS v2 agent',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/agents/{agent_id}/agent-loadbalancers',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_loadbalancer-hosting-agent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List LBaaS v2 agents hosting a load balancer',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': ('/lbaas/loadbalancers/{load_balancer_id}/'
|
||||
'loadbalancer-hosting-agent'),
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,17 +15,32 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
RESOURCE_PATH = '/auto-allocated-topology/{project_id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_auto_allocated_topology',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=("Access rule for getting a project's "
|
||||
"auto-allocated topology")),
|
||||
policy.RuleDefault(
|
||||
"Get a project's auto-allocated topology",
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_auto_allocated_topology',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=("Access rule for deleting a project's "
|
||||
"auto-allocated topology")),
|
||||
"Delete a project's auto-allocated topology",
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -16,10 +16,17 @@ from neutron.conf.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_availability_zone',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for getting availability zone'),
|
||||
'List availability zones',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/availability_zones',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -66,7 +66,7 @@ rules = [
|
||||
policy.RuleDefault(
|
||||
'admin_only',
|
||||
'rule:context_is_admin',
|
||||
description='Rule only for admin access'),
|
||||
description='Rule for admin-only access'),
|
||||
policy.RuleDefault(
|
||||
'regular_user',
|
||||
'',
|
||||
|
@ -15,56 +15,144 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
FLAVOR_COLLECTION_PATH = '/flavors'
|
||||
FLAVOR_RESOURCE_PATH = '/flavors/{id}'
|
||||
PROFILE_COLLECTION_PATH = '/service_profiles'
|
||||
PROFILE_RESOURCE_PATH = '/service_profiles/{id}'
|
||||
ASSOC_COLLECTION_PATH = '/flavors/{flavor_id}/service_profiles'
|
||||
ASSOC_RESOURCE_PATH = '/flavors/{flavor_id}/service_profiles/{profile_id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_flavor',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating flavor'),
|
||||
policy.RuleDefault(
|
||||
'Create a flavor',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': FLAVOR_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_flavor',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for getting flavor'),
|
||||
policy.RuleDefault(
|
||||
'Get a flavor',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': FLAVOR_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': FLAVOR_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_flavor',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating flavor'),
|
||||
policy.RuleDefault(
|
||||
'Update a flavor',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': FLAVOR_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_flavor',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting flavor'),
|
||||
'Delete a flavor',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': FLAVOR_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating service profile'),
|
||||
policy.RuleDefault(
|
||||
'Create a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': PROFILE_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting service profile'),
|
||||
policy.RuleDefault(
|
||||
'Get a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': PROFILE_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': PROFILE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating service profile'),
|
||||
policy.RuleDefault(
|
||||
'Update a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': PROFILE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting service profile'),
|
||||
'Delete a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': PROFILE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_flavor_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for associating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'Associate a flavor with a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': ASSOC_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_flavor_service_profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for disassociating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'get_flavor_service_profile',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for getting flavor associating '
|
||||
'with the given service profiles')),
|
||||
'Disassociate a flavor with a service profile',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': ASSOC_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): GET /flavors/{flavor_id}/service_profiles/{profile_id}
|
||||
# does not work and leads to an internal server error.
|
||||
# It is not defined in the API reference either.
|
||||
# It needs investigation and temporarily commented out.
|
||||
# policy.RuleDefault(
|
||||
# 'get_flavor_service_profile',
|
||||
# base.RULE_ANY,
|
||||
# 'Get a flavor associate with a given service profiles',
|
||||
# ),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,23 +15,70 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/floatingips'
|
||||
RESOURCE_PATH = '/floatingips/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_floatingip',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating floating IP'),
|
||||
policy.RuleDefault('create_floatingip:floating_ip_address',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating floating IP '
|
||||
'with a specific IP address')),
|
||||
policy.RuleDefault('get_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting floating IP'),
|
||||
policy.RuleDefault('update_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating floating IP'),
|
||||
policy.RuleDefault('delete_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting floating IP'),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_floatingip',
|
||||
base.RULE_ANY,
|
||||
'Create a floating IP',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_floatingip:floating_ip_address',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a floating IP with a specific IP address',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Get a floating IP',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a floating IP',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_floatingip',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete a floating IP',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -16,10 +16,17 @@ from neutron.conf.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_floatingip_pool',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for getting floating IP pools'),
|
||||
'Get floating IP pools',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/floatingip_pools',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,23 +15,60 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/floatingips/{floatingip_id}/port_forwardings'
|
||||
RESOURCE_PATH = ('/floatingips/{floatingip_id}'
|
||||
'/port_forwardings/{port_forwarding_id}')
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_floatingip_port_forwarding',
|
||||
base.RULE_ADMIN_OR_PARENT_OWNER,
|
||||
description='Access rule for creating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'Create a floating IP port forwarding',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_floatingip_port_forwarding',
|
||||
base.RULE_ADMIN_OR_PARENT_OWNER,
|
||||
description='Access rule for getting floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'Get a floating IP port forwarding',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_floatingip_port_forwarding',
|
||||
base.RULE_ADMIN_OR_PARENT_OWNER,
|
||||
description='Access rule for updating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'Update a floating IP port forwarding',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_floatingip_port_forwarding',
|
||||
base.RULE_ADMIN_OR_PARENT_OWNER,
|
||||
description='Access rule for deleting floating IP port forwarding'),
|
||||
'Delete a floating IP port forwarding',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,27 +15,70 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/log/logs'
|
||||
RESOURCE_PATH = '/log/logs/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_loggable_resource',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting loggable resource'),
|
||||
policy.RuleDefault(
|
||||
'Get loggable resources',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/log/loggable-resources',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_log',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating network log'),
|
||||
policy.RuleDefault(
|
||||
'Create a network log',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_log',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting network log'),
|
||||
policy.RuleDefault(
|
||||
'Get a network log',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_log',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating network log'),
|
||||
policy.RuleDefault(
|
||||
'Update a network log',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_log',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting network log'),
|
||||
'Delete a network log',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,28 +15,88 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
LABEL_COLLECTION_PATH = '/metering/metering-labels'
|
||||
LABEL_RESOURCE_PATH = '/metering/metering-labels/{id}'
|
||||
|
||||
RULE_COLLECTION_PATH = '/metering/metering-label-rules'
|
||||
RULE_RESOURCE_PATH = '/metering/metering-label-rules/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating metering label'),
|
||||
policy.RuleDefault('get_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting metering label'),
|
||||
policy.RuleDefault('delete_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting metering label'),
|
||||
policy.RuleDefault('create_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('get_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('delete_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for deleting '
|
||||
'metering label rule'))
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a metering label',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': LABEL_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get a metering label',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': LABEL_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': LABEL_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_metering_label',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a metering label',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': LABEL_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a metering label rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': RULE_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get a metering label rule',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RULE_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RULE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_metering_label_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a metering label rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RULE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,131 +15,186 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/networks'
|
||||
RESOURCE_PATH = '/networks/{id}'
|
||||
|
||||
ACTION_POST = [
|
||||
{'method': 'POST', 'path': COLLECTION_PATH},
|
||||
]
|
||||
ACTION_PUT = [
|
||||
{'method': 'PUT', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_DELETE = [
|
||||
{'method': 'DELETE', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_GET = [
|
||||
{'method': 'GET', 'path': COLLECTION_PATH},
|
||||
{'method': 'GET', 'path': RESOURCE_PATH},
|
||||
]
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'external',
|
||||
'field:networks:router:external=True',
|
||||
description='Rule of external network'),
|
||||
'Definition of an external network'),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating network'),
|
||||
policy.RuleDefault(
|
||||
'Create a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating shared network'),
|
||||
policy.RuleDefault(
|
||||
'Create a shared network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:router:external',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating external network'),
|
||||
policy.RuleDefault(
|
||||
'Create an external network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating network with is_default'),
|
||||
policy.RuleDefault(
|
||||
'Specify ``is_default`` attribute when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:port_security_enabled',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for creating network '
|
||||
'with port_security_enabled')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``port_security_enabled`` attribute when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:segments',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating network with segments'),
|
||||
policy.RuleDefault(
|
||||
'Specify ``segments`` attribute when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:provider:network_type',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating network '
|
||||
'with provider network_type')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``provider:network_type`` when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:provider:physical_network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating network '
|
||||
'with provider physical_network')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``provider:physical_network`` when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_network:provider:segmentation_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating network '
|
||||
'with provider segmentation_id')),
|
||||
'Specify ``provider:segmentation_id`` when creating a network',
|
||||
ACTION_POST
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared',
|
||||
'rule:external',
|
||||
base.RULE_ADVSVC),
|
||||
description='Access rule for getting shared network'),
|
||||
policy.RuleDefault(
|
||||
'Get a network',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network:router:external',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for getting external network'),
|
||||
policy.RuleDefault(
|
||||
'Get ``router:external`` attribute of a network',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network:segments',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting segments of network'),
|
||||
policy.RuleDefault(
|
||||
'Get ``segments`` attribute of a network',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network:provider:network_type',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'Get ``provider:network_type`` attribute of a network',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network:provider:physical_network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'Get ``provider:physical_network`` attribute of a network',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network:provider:segmentation_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting provider '
|
||||
'segmentation_id of network')),
|
||||
'Get ``provider:segmentation_id`` attribute of a network',
|
||||
ACTION_GET
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating network'),
|
||||
policy.RuleDefault(
|
||||
'Update a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:segments',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating segments of network'),
|
||||
policy.RuleDefault(
|
||||
'Update ``segments`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating shared attribute of network'),
|
||||
policy.RuleDefault(
|
||||
'Update ``shared`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:provider:network_type',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'Update ``provider:network_type`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:provider:physical_network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'Update ``provider:physical_network`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:provider:segmentation_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating provider '
|
||||
'segmentation_id of network')),
|
||||
policy.RuleDefault(
|
||||
'Update ``provider:segmentation_id`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:router:external',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating router:external attribute '
|
||||
'of network')),
|
||||
policy.RuleDefault(
|
||||
'Update ``router:external`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating is_default attribute '
|
||||
'of network')),
|
||||
policy.RuleDefault(
|
||||
'Update ``is_default`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_network:port_security_enabled',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=('Access rule for updating port_security_enabled '
|
||||
'attribute of network')),
|
||||
'Update ``port_security_enabled`` attribute of a network',
|
||||
ACTION_PUT
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_network',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting network'),
|
||||
'Delete a network',
|
||||
ACTION_DELETE
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -16,10 +16,21 @@ from neutron.conf.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_network_ip_availability',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting network IP availability'),
|
||||
'Get network IP availability',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/network-ip-availabilities',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/network-ip-availabilities/{network_id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,171 +15,240 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/ports'
|
||||
RESOURCE_PATH = '/ports/{id}'
|
||||
|
||||
ACTION_POST = [
|
||||
{'method': 'POST', 'path': COLLECTION_PATH},
|
||||
]
|
||||
ACTION_PUT = [
|
||||
{'method': 'PUT', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_DELETE = [
|
||||
{'method': 'DELETE', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_GET = [
|
||||
{'method': 'GET', 'path': COLLECTION_PATH},
|
||||
{'method': 'GET', 'path': RESOURCE_PATH},
|
||||
]
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'network_device',
|
||||
'field:port:device_owner=~^network:',
|
||||
description='Rule of port with network device_owner'),
|
||||
'Definition of port with network device_owner'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_data_plane_int',
|
||||
base.policy_or('rule:context_is_admin',
|
||||
'role:data_plane_integrator'),
|
||||
description='Rule for data plane integration'),
|
||||
'Rule for data plane integration'),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating port'),
|
||||
policy.RuleDefault(
|
||||
'Create a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:device_owner',
|
||||
base.policy_or('not rule:network_device',
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description='Access rule for creating port with device_owner'),
|
||||
policy.RuleDefault(
|
||||
'Specify ``device_owner`` attribute when creting a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:mac_address',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description=('Access rule for creating port with mac_address')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``mac_address`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:fixed_ips',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description='Access rule for creating port with fixed_ips'),
|
||||
policy.RuleDefault(
|
||||
'Specify ``fixed_ips`` information when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:fixed_ips:ip_address',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description=('Access rule for creating port specifying IP address in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'Specify IP address in ``fixed_ips`` when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:fixed_ips:subnet_id',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
'rule:shared'),
|
||||
description=('Access rule for creating port specifying subnet ID in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'Specify subnet ID in ``fixed_ips`` when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:port_security_enabled',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description=('Access rule for creating '
|
||||
'port with port_security_enabled')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``port_security_enabled`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:binding:host_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'port with binging host_id')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``binding:host_id`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:binding:profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'port with binding profile')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``binding:profile`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:binding:vnic_type',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for creating '
|
||||
'port with binding vnic_type')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``binding:vnic_type`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_port:allowed_address_pairs',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
description=('Access rule for creating port '
|
||||
'with allowed_address_pairs attribute')),
|
||||
'Specify ``allowed_address_pairs`` attribute when creating a port',
|
||||
ACTION_POST
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
'rule:admin_owner_or_network_owner'),
|
||||
description='Access rule for getting port'),
|
||||
policy.RuleDefault(
|
||||
'Get a port',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port:binding:vif_type',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting binding vif_type of port'),
|
||||
policy.RuleDefault(
|
||||
'Get ``binding:vif_type`` attribute of a port',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port:binding:vif_details',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting binding vif_details of port'),
|
||||
policy.RuleDefault(
|
||||
'Get ``binding:vif_details`` attribute of a port',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port:binding:host_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting binding host_id of port'),
|
||||
policy.RuleDefault(
|
||||
'Get ``binding:host_id`` attribute of a port',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port:binding:profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting binding profile of port'),
|
||||
policy.RuleDefault(
|
||||
'Get ``binding:profile`` attribute of a port',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_port:resource_request',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting resource request of port'),
|
||||
'Get ``resource_request`` attribute of a port',
|
||||
ACTION_GET
|
||||
),
|
||||
# TODO(amotoki): Add get_port:binding:vnic_type
|
||||
# TODO(amotoki): Add get_port:binding:data_plane_status
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
base.RULE_ADVSVC),
|
||||
description='Access rule for updating port'),
|
||||
policy.RuleDefault(
|
||||
'Update a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:device_owner',
|
||||
base.policy_or('not rule:network_device',
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description='Access rule for updating device_owner of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``device_owner`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:mac_address',
|
||||
base.policy_or(base.RULE_ADMIN_ONLY,
|
||||
base.RULE_ADVSVC),
|
||||
description='Access rule for updating mac_address of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``mac_address`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:fixed_ips',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description='Access rule for updating fixed_ips of port'),
|
||||
policy.RuleDefault(
|
||||
'Specify ``fixed_ips`` information when updating a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:fixed_ips:ip_address',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description=('Access rule for updating port specifying IP address in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'Specify IP address in ``fixed_ips`` information when updating a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:fixed_ips:subnet_id',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
'rule:shared'),
|
||||
description=('Access rule for updating port specifying subnet ID in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'Specify subnet ID in ``fixed_ips`` information when updating a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:port_security_enabled',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
base.RULE_ADMIN_OR_NET_OWNER),
|
||||
description='Access rule for updating port_security_enabled of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``port_security_enabled`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:binding:host_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating binding host_id of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``binding:host_id`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:binding:profile',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating binding profile of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``binding:profile`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:binding:vnic_type',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
base.RULE_ADVSVC),
|
||||
description='Access rule for updating binding vnic_type of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``binding:vnic_type`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:allowed_address_pairs',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
description='Access rule for updating allowed_address_pairs of port'),
|
||||
policy.RuleDefault(
|
||||
'Update ``allowed_address_pairs`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_port:data_plane_status',
|
||||
'rule:admin_or_data_plane_int',
|
||||
description='Access rule for updating data_plane_status of port'),
|
||||
'Update ``data_plane_status`` attribute of a port',
|
||||
ACTION_PUT
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_port',
|
||||
base.policy_or(base.RULE_ADVSVC,
|
||||
'rule:admin_owner_or_network_owner'),
|
||||
description='Access rule for deleting port'),
|
||||
'Delete a port',
|
||||
ACTION_DELETE
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -16,74 +16,226 @@ from neutron.conf.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('get_policy',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for getting QoS policy'),
|
||||
policy.RuleDefault('create_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating QoS policy'),
|
||||
policy.RuleDefault('update_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating QoS policy'),
|
||||
policy.RuleDefault('delete_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting QoS policy'),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_policy',
|
||||
base.RULE_ANY,
|
||||
'Get QoS policies',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/policies',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a QoS policy',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/qos/policies',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a QoS policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/qos/policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_policy',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a QoS policy',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/qos/policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault('get_rule_type',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for getting '
|
||||
'all available QoS rule types')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_rule_type',
|
||||
base.RULE_ANY,
|
||||
'Get available QoS rule types',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/rule-types',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/rule-types/{rule_type}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault('get_policy_bandwidth_limit_rule',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for getting '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('create_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('update_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('delete_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for deleting '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_policy_bandwidth_limit_rule',
|
||||
base.RULE_ANY,
|
||||
'Get a QoS bandwidth limit rule',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/policies/{policy_id}/bandwidth_limit_rules',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'bandwidth_limit_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a QoS bandwidth limit rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/qos/policies/{policy_id}/bandwidth_limit_rules',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a QoS bandwidth limit rule',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'bandwidth_limit_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_policy_bandwidth_limit_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a QoS bandwidth limit rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'bandwidth_limit_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault('get_policy_dscp_marking_rule',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for getting '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('create_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('update_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('delete_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for deleting '
|
||||
'QoS dscp marking rule')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_policy_dscp_marking_rule',
|
||||
base.RULE_ANY,
|
||||
'Get a QoS DSCP marking rule',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/policies/{policy_id}/dscp_marking_rules',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'dscp_marking_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a QoS DSCP marking rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/qos/policies/{policy_id}/dscp_marking_rules',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a QoS DSCP marking rule',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'dscp_marking_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_policy_dscp_marking_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a QoS DSCP marking rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'dscp_marking_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.RuleDefault('get_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ANY,
|
||||
description=('Access rule for getting '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('create_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('update_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('delete_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for deleting '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ANY,
|
||||
'Get a QoS minimum bandwidth rule',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/policies/{policy_id}/minimum_bandwidth_rules',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'minimum_bandwidth_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a QoS minimum bandwidth rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/qos/policies/{policy_id}/minimum_bandwidth_rules',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a QoS minimum bandwidth rule',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'minimum_bandwidth_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_policy_minimum_bandwidth_rule',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a QoS minimum bandwidth rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': ('/qos/policies/{policy_id}/'
|
||||
'minimum_bandwidth_rules/{rule_id}'),
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,40 +15,88 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/rbac-policies'
|
||||
RESOURCE_PATH = '/rbac-policies/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'restrict_wildcard',
|
||||
base.policy_or('(not field:rbac_policy:target_tenant=*)',
|
||||
base.RULE_ADMIN_ONLY),
|
||||
description='Rule of restrict wildcard'),
|
||||
'Definition of a wildcard target_tenant'),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_rbac_policy',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'Create an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_rbac_policy:target_tenant',
|
||||
'rule:restrict_wildcard',
|
||||
description=('Access rule for creating RBAC '
|
||||
'policy with a specific target tenant')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``target_tenant`` when creating an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_rbac_policy',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'Update an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_rbac_policy:target_tenant',
|
||||
base.policy_and('rule:restrict_wildcard',
|
||||
base.RULE_ADMIN_OR_OWNER),
|
||||
description=('Access rule for updating target_tenant '
|
||||
'attribute of RBAC policy')),
|
||||
policy.RuleDefault(
|
||||
'Update ``target_tenant`` attribute of an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_rbac_policy',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'Get an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_rbac_policy',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting RBAC policy'),
|
||||
'Delete an RBAC policy',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,105 +15,165 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/routers'
|
||||
RESOURCE_PATH = '/routers/{id}'
|
||||
|
||||
ACTION_POST = [
|
||||
{'method': 'POST', 'path': COLLECTION_PATH},
|
||||
]
|
||||
ACTION_PUT = [
|
||||
{'method': 'PUT', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_DELETE = [
|
||||
{'method': 'DELETE', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_GET = [
|
||||
{'method': 'GET', 'path': COLLECTION_PATH},
|
||||
{'method': 'GET', 'path': RESOURCE_PATH},
|
||||
]
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating router'),
|
||||
policy.RuleDefault(
|
||||
'Create a router',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:distributed',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'router with distributed attribute')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``distributed`` attribute when creating a router',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:ha',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'router with ha attribute')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``ha`` attribute when creating a router',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:external_gateway_info',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=('Access rule for creating router with '
|
||||
'external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
'Specify ``external_gateway_info`` information when creating a router',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:external_gateway_info:network_id',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=('Access rule for creating router with network_id '
|
||||
'attribute of external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
('Specify ``network_id`` in ``external_gateway_info`` information '
|
||||
'when creating a router'),
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:external_gateway_info:enable_snat',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating router with enable_snat '
|
||||
'attribute of external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
('Specify ``enable_snat`` in ``external_gateway_info`` information '
|
||||
'when creating a router'),
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating router with '
|
||||
'external_fixed_ips attribute of '
|
||||
'external_gateway_info information')),
|
||||
('Specify ``external_fixed_ips`` in ``external_gateway_info`` '
|
||||
'information when creating a router'),
|
||||
ACTION_POST
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_router',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting router'),
|
||||
policy.RuleDefault(
|
||||
'Get a router',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_router:distributed',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting distributed attribute of '
|
||||
'router')),
|
||||
policy.RuleDefault(
|
||||
'Get ``distributed`` attribute of a router',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_router:ha',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting ha attribute of router'),
|
||||
'Get ``ha`` attribute of a router',
|
||||
ACTION_GET
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating router'),
|
||||
policy.RuleDefault(
|
||||
'Update a router',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:distributed',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating distributed attribute '
|
||||
'of router')),
|
||||
policy.RuleDefault(
|
||||
'Update ``distributed`` attribute of a router',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:ha',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating ha attribute of router'),
|
||||
policy.RuleDefault(
|
||||
'Update ``ha`` attribute of a router',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:external_gateway_info',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=('Access rule for updating external_gateway_info '
|
||||
'information of router')),
|
||||
policy.RuleDefault(
|
||||
'Update ``external_gateway_info`` information of a router',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:external_gateway_info:network_id',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description=('Access rule for updating network_id attribute of '
|
||||
'external_gateway_info information of router')),
|
||||
policy.RuleDefault(
|
||||
('Update ``network_id`` attribute of ``external_gateway_info`` '
|
||||
'information of a router'),
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:external_gateway_info:enable_snat',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating enable_snat attribute of '
|
||||
'external_gateway_info information of router')),
|
||||
policy.RuleDefault(
|
||||
('Update ``enable_snat`` attribute of ``external_gateway_info`` '
|
||||
'information of a router'),
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating external_fixed_ips '
|
||||
'attribute of external_gateway_info information '
|
||||
'of router')),
|
||||
('Update ``external_fixed_ips`` attribute of '
|
||||
'``external_gateway_info`` information of a router'),
|
||||
ACTION_PUT
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_router',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting router'),
|
||||
'Delete a router',
|
||||
ACTION_DELETE
|
||||
),
|
||||
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'add_router_interface',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for adding router interface'),
|
||||
policy.RuleDefault(
|
||||
'Add an interface to a router',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/routers/{id}/add_router_interface',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_router_interface',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for removing router interface'),
|
||||
'Remove an interface from a router',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/routers/{id}/remove_router_interface',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,40 +15,103 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
SG_COLLECTION_PATH = '/security-groups'
|
||||
SG_RESOURCE_PATH = '/security-groups/{id}'
|
||||
RULE_COLLECTION_PATH = '/security-group-rules'
|
||||
RULE_RESOURCE_PATH = '/security-group-rules/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
# TODO(amotoki): admin_or_owner is the right rule?
|
||||
# Does an empty string make more sense for create_security_group?
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_security_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for creating security group'),
|
||||
policy.RuleDefault(
|
||||
'Create a security group',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': SG_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_security_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting security group'),
|
||||
policy.RuleDefault(
|
||||
'Get a security group',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': SG_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': SG_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_security_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating security group'),
|
||||
policy.RuleDefault(
|
||||
'Update a security group',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': SG_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_security_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting security group'),
|
||||
'Delete a security group',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': SG_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
# TODO(amotoki): admin_or_owner is the right rule?
|
||||
# Does an empty string make more sense for create_security_group_rule?
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_security_group_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for creating security group rule'),
|
||||
policy.RuleDefault(
|
||||
'Create a security group rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': RULE_COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_security_group_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting security group rule'),
|
||||
policy.RuleDefault(
|
||||
'Get a security group rule',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RULE_COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RULE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_security_group_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting security group rule'),
|
||||
'Delete a security group rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RULE_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,19 +15,59 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/segments'
|
||||
RESOURCE_PATH = '/segments/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for creating segment'),
|
||||
policy.RuleDefault('get_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for getting segment'),
|
||||
policy.RuleDefault('update_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for updating segment'),
|
||||
policy.RuleDefault('delete_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description='Access rule for deleting segment'),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a segment',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get a segment',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a segment',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_segment',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a segment',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -16,10 +16,17 @@ from neutron.conf.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_service_provider',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for listing all service providers'),
|
||||
'Get service providers',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/service-providers',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,40 +15,80 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/subnets'
|
||||
RESOURCE_PATH = '/subnets/{id}'
|
||||
|
||||
ACTION_POST = [
|
||||
{'method': 'POST', 'path': COLLECTION_PATH},
|
||||
]
|
||||
ACTION_PUT = [
|
||||
{'method': 'PUT', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_DELETE = [
|
||||
{'method': 'DELETE', 'path': RESOURCE_PATH},
|
||||
]
|
||||
ACTION_GET = [
|
||||
{'method': 'GET', 'path': COLLECTION_PATH},
|
||||
{'method': 'GET', 'path': RESOURCE_PATH},
|
||||
]
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
description='Access rule for creating subnet'),
|
||||
policy.RuleDefault('create_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'subnet with segment_id')),
|
||||
policy.RuleDefault('create_subnet:service_types',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'subnet with service_type')),
|
||||
policy.RuleDefault('get_subnet',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared'),
|
||||
description='Access rule for getting subnet'),
|
||||
policy.RuleDefault('get_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for getting '
|
||||
'segment_id of subnet')),
|
||||
policy.RuleDefault('update_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
description='Access rule for updating subnet'),
|
||||
policy.RuleDefault('update_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating segment_id '
|
||||
'attribute of subnet')),
|
||||
policy.RuleDefault('update_subnet:service_types',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'service_types of subnet')),
|
||||
policy.RuleDefault('delete_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
description='Access rule for deleting subnet')
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
'Create a subnet',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Specify ``segment_id`` attribute when creating a subnet',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnet:service_types',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Specify ``service_types`` attribute when creating a subnet',
|
||||
ACTION_POST
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_subnet',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared'),
|
||||
'Get a subnet',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get ``segment_id`` attribute of a subnet',
|
||||
ACTION_GET
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
'Update a subnet',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_subnet:segment_id',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``segment_id`` attribute of a subnet',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_subnet:service_types',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``service_types`` attribute of a subnet',
|
||||
ACTION_PUT
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_subnet',
|
||||
base.RULE_ADMIN_OR_NET_OWNER,
|
||||
'Delete a subnet',
|
||||
ACTION_DELETE,
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,35 +15,98 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/subnetpools'
|
||||
RESOURCE_PATH = '/subnetpools/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('shared_subnetpools',
|
||||
'field:subnetpools:shared=True',
|
||||
description='Rule of shared subnetpool'),
|
||||
policy.RuleDefault('create_subnetpool',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating subnetpool'),
|
||||
policy.RuleDefault('create_subnetpool:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'shared subnetpool')),
|
||||
policy.RuleDefault('create_subnetpool:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for creating '
|
||||
'subnetpool with is_default')),
|
||||
policy.RuleDefault('get_subnetpool',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_subnetpools'),
|
||||
description='Access rule for getting subnetpool'),
|
||||
policy.RuleDefault('update_subnetpool',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for updating subnetpool'),
|
||||
policy.RuleDefault('update_subnetpool:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
description=('Access rule for updating '
|
||||
'is_default of subnetpool')),
|
||||
policy.RuleDefault('delete_subnetpool',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting subnetpool')
|
||||
policy.RuleDefault(
|
||||
'shared_subnetpools',
|
||||
'field:subnetpools:shared=True',
|
||||
'Definition of a shared subnetpool'
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnetpool',
|
||||
base.RULE_ANY,
|
||||
'Create a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnetpool:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a shared subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_subnetpool:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Specify ``is_default`` attribute when creating a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_subnetpool',
|
||||
base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_subnetpools'),
|
||||
'Get a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_subnetpool',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_subnetpool:is_default',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``is_default`` attribute of a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_subnetpool',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete a subnetpool',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
|
@ -15,31 +15,92 @@ from oslo_policy import policy
|
||||
from neutron.conf.policies import base
|
||||
|
||||
|
||||
COLLECTION_PATH = '/trunks'
|
||||
RESOURCE_PATH = '/trunks/{id}'
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_trunk',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for creating trunk'),
|
||||
policy.RuleDefault(
|
||||
'Create a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_trunk',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for getting trunk'),
|
||||
policy.RuleDefault(
|
||||
'Get a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_trunk',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_trunk',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting trunk'),
|
||||
policy.RuleDefault(
|
||||
'Delete a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_subports',
|
||||
base.RULE_ANY,
|
||||
description='Access rule for listing subports attached to a trunk'),
|
||||
policy.RuleDefault(
|
||||
'List subports attached to a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/trunks/{id}/get_subports',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'add_subports',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for adding subports to a trunk'),
|
||||
policy.RuleDefault(
|
||||
'Add subports to a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/trunks/{id}/add_subports',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_subports',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
description='Access rule for deleting subports from a trunk'),
|
||||
'Delete subports from a trunk',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/trunks/{id}/remove_subports',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user