Convert policy.json into policy-in-code
This commit introduces a framework for policy-in-code support in the neutron stadium and converts the existing policy.json in the neutron repository into the policy-in-code style. NOTES: 1) This commit tries not to change the existing policy behavior provided by the neutron repository even if there are some stale policies or policies to be defined in a neutron-related project. They should be clean up later in Stein release. 2) 'default' policy should be dropped from the default policies as all default policies should be defined in the code (as many projects which already completed policy-in-code do). However, dropping 'default' policy potentially affects policy behavior in neutron-related projects, so it needs to be visit carefully. Considering this, this commit decides to keep the 'default' policy. Partially Implements: blueprint neutron-policy-in-code Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
This commit is contained in:
parent
7a2b4dcff1
commit
f8984c6699
@ -22,17 +22,17 @@
|
||||
|
||||
|
||||
Authorization Policy Enforcement
|
||||
==================================
|
||||
================================
|
||||
|
||||
As most OpenStack projects, Neutron leverages oslo_policy [#]_. However, since
|
||||
Neutron loves to be special and complicate every developer's life, it also
|
||||
"augments" oslo_policy capabilities by:
|
||||
|
||||
* A wrapper module with its own API: neutron.policy;
|
||||
* The ability of adding fine-grained checks on attributes for resources in
|
||||
request bodies;
|
||||
* The ability of using the policy engine to filter out attributes in responses;
|
||||
* Adding some custom rule checks beyond those defined in oslo_policy;
|
||||
* A wrapper module with its own API: neutron.policy;
|
||||
* The ability of adding fine-grained checks on attributes for resources in
|
||||
request bodies;
|
||||
* The ability of using the policy engine to filter out attributes in responses;
|
||||
* Adding some custom rule checks beyond those defined in oslo_policy;
|
||||
|
||||
This document discusses Neutron-specific aspects of policy enforcement, and in
|
||||
particular how the enforcement logic is wired into API processing.
|
||||
@ -40,19 +40,19 @@ For any other information please refer to the developer documentation for
|
||||
oslo_policy [#]_.
|
||||
|
||||
Authorization workflow
|
||||
-----------------------
|
||||
----------------------
|
||||
|
||||
The Neutron API controllers perform policy checks in two phases during the
|
||||
processing of an API request:
|
||||
|
||||
* Request authorization, immediately before dispatching the request to the
|
||||
plugin layer for ``POST``, ``PUT``, and ``DELETE``, and immediately after
|
||||
returning from the plugin layer for ``GET`` requests;
|
||||
* Response filtering, when building the response to be returned to the API
|
||||
consumer.
|
||||
* Request authorization, immediately before dispatching the request to the
|
||||
plugin layer for ``POST``, ``PUT``, and ``DELETE``, and immediately after
|
||||
returning from the plugin layer for ``GET`` requests;
|
||||
* Response filtering, when building the response to be returned to the API
|
||||
consumer.
|
||||
|
||||
Request authorization
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The aim of this step is to authorize processing for a request or reject it
|
||||
with an error status code.
|
||||
@ -60,11 +60,11 @@ This step uses the ``neutron.policy.enforce`` routine. This routine raises
|
||||
``oslo_policy.PolicyNotAuthorized`` when policy enforcement fails. The Neutron
|
||||
REST API controllers catch this exception and return:
|
||||
|
||||
* A 403 response code on a ``POST`` request or an ``PUT`` request for an
|
||||
object owned by the project submitting the request;
|
||||
* A 403 response for failures while authorizing API actions such as
|
||||
``add_router_interface``;
|
||||
* A 404 response for ``DELETE``, ``GET`` and all other ``PUT`` requests.
|
||||
* A 403 response code on a ``POST`` request or an ``PUT`` request for an
|
||||
object owned by the project submitting the request;
|
||||
* A 403 response for failures while authorizing API actions such as
|
||||
``add_router_interface``;
|
||||
* A 404 response for ``DELETE``, ``GET`` and all other ``PUT`` requests.
|
||||
|
||||
For ``DELETE`` operations the resource must first be fetched. This is done
|
||||
invoking the same ``_item`` [#]_ method used for processing ``GET`` requests.
|
||||
@ -73,33 +73,33 @@ This is also true for ``PUT`` operations, since the Neutron API implements
|
||||
The criteria to evaluate are built in the ``_build_match_rule`` [#]_ routine.
|
||||
This routine takes in input the following parameters:
|
||||
|
||||
* The action to be performed, in the ``<operation>_<resource>`` form,
|
||||
``e.g.: create_network``
|
||||
* The data to use for performing checks. For ``POST`` operations this could
|
||||
be a partial specification of the object, whereas it is always a full
|
||||
specification for ``GET``, ``PUT``, and ``DELETE`` requests, as resource
|
||||
data are retrieved before dispatching the call to the plugin layer.
|
||||
* The collection name for the resource specified in the previous parameter;
|
||||
for instance, for a network it would be the "networks".
|
||||
* The action to be performed, in the ``<operation>_<resource>`` form,
|
||||
``e.g.: create_network``
|
||||
* The data to use for performing checks. For ``POST`` operations this could
|
||||
be a partial specification of the object, whereas it is always a full
|
||||
specification for ``GET``, ``PUT``, and ``DELETE`` requests, as resource
|
||||
data are retrieved before dispatching the call to the plugin layer.
|
||||
* The collection name for the resource specified in the previous parameter;
|
||||
for instance, for a network it would be the "networks".
|
||||
|
||||
The ``_build_match_rule`` routine returns a ``oslo_policy.RuleCheck`` instance
|
||||
built in the following way:
|
||||
|
||||
* Always add a check for the action being performed. This will match
|
||||
a policy like create_network in ``policy.json``;
|
||||
* Return for ``GET`` operations; more detailed checks will be performed anyway
|
||||
when building the response;
|
||||
* For each attribute which has been explicitly specified in the request
|
||||
create a rule matching policy names in the form
|
||||
``<operation>_<resource>:<attribute>`` rule, and link it with the
|
||||
previous rule with an 'And' relationship (using ``oslo_policy.AndCheck``);
|
||||
this step will be performed only if the enforce_policy flag is set to
|
||||
True in the resource attribute descriptor (usually found in a data
|
||||
structure called ``RESOURCE_ATTRIBUTE_MAP``);
|
||||
* If the attribute is a composite one then further rules will be created;
|
||||
These will match policy names in the form ``<operation>_<resource>:
|
||||
<attribute>:<sub_attribute>``. An 'And' relationship will be used in this
|
||||
case too.
|
||||
* Always add a check for the action being performed. This will match
|
||||
a policy like create_network in ``policy.json``;
|
||||
* Return for ``GET`` operations; more detailed checks will be performed anyway
|
||||
when building the response;
|
||||
* For each attribute which has been explicitly specified in the request
|
||||
create a rule matching policy names in the form
|
||||
``<operation>_<resource>:<attribute>`` rule, and link it with the
|
||||
previous rule with an 'And' relationship (using ``oslo_policy.AndCheck``);
|
||||
this step will be performed only if the enforce_policy flag is set to
|
||||
True in the resource attribute descriptor (usually found in a data
|
||||
structure called ``RESOURCE_ATTRIBUTE_MAP``);
|
||||
* If the attribute is a composite one then further rules will be created;
|
||||
These will match policy names in the form ``<operation>_<resource>:
|
||||
<attribute>:<sub_attribute>``. An 'And' relationship will be used in this
|
||||
case too.
|
||||
|
||||
As all the rules to verify are linked by 'And' relationships, all the policy
|
||||
checks should succeed in order for a request to be authorized. Rule
|
||||
@ -107,7 +107,7 @@ verification is performed by ``oslo_policy`` with no "customization" from the
|
||||
Neutron side.
|
||||
|
||||
Response Filtering
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Some Neutron extensions, like the provider networks one, add some attribute
|
||||
to resources which are however not meant to be consumed by all clients. This
|
||||
@ -126,7 +126,7 @@ is added to a list of attributes that should be removed from the response
|
||||
before returning it to the API client.
|
||||
|
||||
The neutron.policy API
|
||||
------------------------
|
||||
----------------------
|
||||
|
||||
The ``neutron.policy`` module exposes a simple API whose main goal if to allow the
|
||||
REST API controllers to implement the authorization workflow discussed in this
|
||||
@ -137,35 +137,35 @@ defies Neutron tenet of being backend agnostic.
|
||||
|
||||
The neutron.policy API exposes the following routines:
|
||||
|
||||
* ``init``
|
||||
Initializes the policy engine loading rules from the json policy (files).
|
||||
This method can safely be called several times.
|
||||
* ``reset``
|
||||
Clears all the rules currently configured in the policy engine. It is
|
||||
called in unit tests and at the end of the initialization of core API
|
||||
router [#]_ in order to ensure rules are loaded after all the extensions
|
||||
are loaded.
|
||||
* ``refresh``
|
||||
Combines init and reset. Called when a SIGHUP signal is sent to an API
|
||||
worker.
|
||||
* ``set_rules``
|
||||
Explicitly set policy engine's rules. Used only in unit tests.
|
||||
* ``check``
|
||||
Perform a check using the policy engine. Builds match rules as described
|
||||
in this document, and then evaluates the resulting rule using oslo_policy's
|
||||
policy engine. Returns True if the checks succeeds, false otherwise.
|
||||
* ``enforce``
|
||||
Operates like the check routine but raises if the check in oslo_policy
|
||||
fails.
|
||||
* ``check_is_admin``
|
||||
Enforce the predefined context_is_admin rule; used to determine the is_admin
|
||||
property for a neutron context.
|
||||
* ``check_is_advsvc``
|
||||
Enforce the predefined context_is_advsvc rule; used to determine the
|
||||
is_advsvc property for a neutron context.
|
||||
* ``init``
|
||||
Initializes the policy engine loading rules from the json policy (files).
|
||||
This method can safely be called several times.
|
||||
* ``reset``
|
||||
Clears all the rules currently configured in the policy engine. It is
|
||||
called in unit tests and at the end of the initialization of core API
|
||||
router [#]_ in order to ensure rules are loaded after all the extensions
|
||||
are loaded.
|
||||
* ``refresh``
|
||||
Combines init and reset. Called when a SIGHUP signal is sent to an API
|
||||
worker.
|
||||
* ``set_rules``
|
||||
Explicitly set policy engine's rules. Used only in unit tests.
|
||||
* ``check``
|
||||
Perform a check using the policy engine. Builds match rules as described
|
||||
in this document, and then evaluates the resulting rule using oslo_policy's
|
||||
policy engine. Returns True if the checks succeeds, false otherwise.
|
||||
* ``enforce``
|
||||
Operates like the check routine but raises if the check in oslo_policy
|
||||
fails.
|
||||
* ``check_is_admin``
|
||||
Enforce the predefined context_is_admin rule; used to determine the is_admin
|
||||
property for a neutron context.
|
||||
* ``check_is_advsvc``
|
||||
Enforce the predefined context_is_advsvc rule; used to determine the
|
||||
is_advsvc property for a neutron context.
|
||||
|
||||
Neutron specific policy rules
|
||||
------------------------------
|
||||
-----------------------------
|
||||
|
||||
Neutron provides two additional policy rule classes in order to support the
|
||||
"augmented" authorization capabilities it provides. They both extend
|
||||
@ -190,30 +190,30 @@ plugin name which were registered in neutron-lib into
|
||||
|
||||
The check, performed in the ``__call__`` method, works as follows:
|
||||
|
||||
* verify if the target field is already in the target data. If yes, then
|
||||
simply verify whether the value for the target field in target data
|
||||
is equal to value for the same field in credentials, just like
|
||||
``oslo_policy.GeneriCheck`` would do. This is also the most frequent case
|
||||
as the target field is usually ``tenant_id``;
|
||||
* if the previous check failed, extract a parent resource type and a
|
||||
parent field name from the target field. For instance
|
||||
``networks:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
``network`` resource. For extension parent resource case,
|
||||
``ext_parent:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
registered extension resource in ``EXT_PARENT_RESOURCE_MAPPING``;
|
||||
* if no parent resource or target field could be identified raise a
|
||||
``PolicyCheckError`` exception;
|
||||
* Retrieve a 'parent foreign key' from the ``_RESOURCE_FOREIGN_KEYS`` data
|
||||
structure in ``neutron.policy``. This foreign key is simply the
|
||||
attribute acting as a primary key in the parent resource. A
|
||||
``PolicyCheckError`` exception will be raised if such 'parent foreign key'
|
||||
cannot be retrieved;
|
||||
* Using the core plugin, retrieve an instance of the resource having
|
||||
'parent foreign key' as an identifier;
|
||||
* Finally, verify whether the target field in this resource matches the
|
||||
one in the initial request data. For instance, for a port create request,
|
||||
verify whether the ``tenant_id`` of the port data structure matches the
|
||||
``tenant_id`` of the network where this port is being created.
|
||||
* verify if the target field is already in the target data. If yes, then
|
||||
simply verify whether the value for the target field in target data
|
||||
is equal to value for the same field in credentials, just like
|
||||
``oslo_policy.GeneriCheck`` would do. This is also the most frequent case
|
||||
as the target field is usually ``tenant_id``;
|
||||
* if the previous check failed, extract a parent resource type and a
|
||||
parent field name from the target field. For instance
|
||||
``networks:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
``network`` resource. For extension parent resource case,
|
||||
``ext_parent:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
registered extension resource in ``EXT_PARENT_RESOURCE_MAPPING``;
|
||||
* if no parent resource or target field could be identified raise a
|
||||
``PolicyCheckError`` exception;
|
||||
* Retrieve a 'parent foreign key' from the ``_RESOURCE_FOREIGN_KEYS`` data
|
||||
structure in ``neutron.policy``. This foreign key is simply the
|
||||
attribute acting as a primary key in the parent resource. A
|
||||
``PolicyCheckError`` exception will be raised if such 'parent foreign key'
|
||||
cannot be retrieved;
|
||||
* Using the core plugin, retrieve an instance of the resource having
|
||||
'parent foreign key' as an identifier;
|
||||
* Finally, verify whether the target field in this resource matches the
|
||||
one in the initial request data. For instance, for a port create request,
|
||||
verify whether the ``tenant_id`` of the port data structure matches the
|
||||
``tenant_id`` of the network where this port is being created.
|
||||
|
||||
|
||||
FieldCheck: Verify Resource Attributes
|
||||
@ -235,70 +235,111 @@ to ``<value>`` or return ``False`` is the ``<field>`` either is not equal to
|
||||
|
||||
|
||||
Guidance for API developers
|
||||
----------------------------
|
||||
---------------------------
|
||||
|
||||
When developing REST APIs for Neutron it is important to be aware of how the
|
||||
policy engine will authorize these requests. This is true both for APIs
|
||||
served by Neutron "core" and for the APIs served by the various Neutron
|
||||
"stadium" services.
|
||||
|
||||
* If an attribute of a resource might be subject to authorization checks
|
||||
then the ``enforce_policy`` attribute should be set to ``True``. While
|
||||
setting this flag to ``True`` for each attribute is a viable strategy,
|
||||
it is worth noting that this will require a call to the policy engine
|
||||
for each attribute, thus consistently increasing the time required to
|
||||
complete policy checks for a resource. This could result in a scalability
|
||||
issue, especially in the case of list operations retrieving a large
|
||||
number of resources;
|
||||
* Some resource attributes, even if not directly used in policy checks
|
||||
might still be required by the policy engine. This is for instance the
|
||||
case of the ``tenant_id`` attribute. For these attributes the
|
||||
``required_by_policy`` attribute should always set to ``True``. This will
|
||||
ensure that the attribute is included in the resource data sent to the
|
||||
policy engine for evaluation;
|
||||
* The ``tenant_id`` attribute is a fundamental one in Neutron API request
|
||||
authorization. The default policy, ``admin_or_owner``, uses it to validate
|
||||
if a project owns the resource it is trying to operate on. To this aim,
|
||||
if a resource without a tenant_id is created, it is important to ensure
|
||||
that ad-hoc authZ policies are specified for this resource.
|
||||
* There is still only one check which is hardcoded in Neutron's API layer:
|
||||
the check to verify that a project owns the network on which it is creating
|
||||
a port. This check is hardcoded and is always executed when creating a
|
||||
port, unless the network is shared. Unfortunately a solution for performing
|
||||
this check in an efficient way through the policy engine has not yet been
|
||||
found. Due to its nature, there is no way to override this check using the
|
||||
policy engine.
|
||||
* It is strongly advised to not perform policy checks in the plugin or in
|
||||
the database management classes. This might lead to divergent API
|
||||
behaviours across plugins. Also, it might leave the Neutron DB in an
|
||||
inconsistent state if a request is not authorized after it has already
|
||||
been dispatched to the backend.
|
||||
* If an attribute of a resource might be subject to authorization checks
|
||||
then the ``enforce_policy`` attribute should be set to ``True``. While
|
||||
setting this flag to ``True`` for each attribute is a viable strategy,
|
||||
it is worth noting that this will require a call to the policy engine
|
||||
for each attribute, thus consistently increasing the time required to
|
||||
complete policy checks for a resource. This could result in a scalability
|
||||
issue, especially in the case of list operations retrieving a large
|
||||
number of resources;
|
||||
* Some resource attributes, even if not directly used in policy checks
|
||||
might still be required by the policy engine. This is for instance the
|
||||
case of the ``tenant_id`` attribute. For these attributes the
|
||||
``required_by_policy`` attribute should always set to ``True``. This will
|
||||
ensure that the attribute is included in the resource data sent to the
|
||||
policy engine for evaluation;
|
||||
* The ``tenant_id`` attribute is a fundamental one in Neutron API request
|
||||
authorization. The default policy, ``admin_or_owner``, uses it to validate
|
||||
if a project owns the resource it is trying to operate on. To this aim,
|
||||
if a resource without a tenant_id is created, it is important to ensure
|
||||
that ad-hoc authZ policies are specified for this resource.
|
||||
* There is still only one check which is hardcoded in Neutron's API layer:
|
||||
the check to verify that a project owns the network on which it is creating
|
||||
a port. This check is hardcoded and is always executed when creating a
|
||||
port, unless the network is shared. Unfortunately a solution for performing
|
||||
this check in an efficient way through the policy engine has not yet been
|
||||
found. Due to its nature, there is no way to override this check using the
|
||||
policy engine.
|
||||
* It is strongly advised to not perform policy checks in the plugin or in
|
||||
the database management classes. This might lead to divergent API
|
||||
behaviours across plugins. Also, it might leave the Neutron DB in an
|
||||
inconsistent state if a request is not authorized after it has already
|
||||
been dispatched to the backend.
|
||||
|
||||
|
||||
Notes
|
||||
-----------------------
|
||||
-----
|
||||
|
||||
* No authorization checks are performed for requests coming from the RPC over
|
||||
AMQP channel. For all these requests a neutron admin context is built, and
|
||||
the plugins will process them as such.
|
||||
* For ``PUT`` and ``DELETE`` requests a 404 error is returned on request
|
||||
authorization failures rather than a 403, unless the project submitting the
|
||||
request own the resource to update or delete. This is to avoid conditions
|
||||
in which an API client might try and find out other projects' resource
|
||||
identifiers by sending out ``PUT`` and ``DELETE`` requests for random
|
||||
resource identifiers.
|
||||
* There is no way at the moment to specify an ``OR`` relationship between two
|
||||
attributes of a given resource (eg.: ``port.name == 'meh' or
|
||||
port.status == 'DOWN'``), unless the rule with the or condition is explicitly
|
||||
added to the policy.json file.
|
||||
* ``OwnerCheck`` performs a plugin access; this will likely require a database
|
||||
access, but since the behaviour is implementation specific it might also
|
||||
imply a round-trip to the backend. This class of checks, when involving
|
||||
retrieving attributes for 'parent' resources should be used very sparingly.
|
||||
* In order for ``OwnerCheck`` rules to work, parent resources should have an
|
||||
entry in ``neutron.policy._RESOURCE_FOREIGN_KEYS``; moreover the
|
||||
resource must be managed by the 'core' plugin (ie: the one defined in the
|
||||
core_plugin configuration variable)
|
||||
* No authorization checks are performed for requests coming from the RPC over
|
||||
AMQP channel. For all these requests a neutron admin context is built, and
|
||||
the plugins will process them as such.
|
||||
* For ``PUT`` and ``DELETE`` requests a 404 error is returned on request
|
||||
authorization failures rather than a 403, unless the project submitting the
|
||||
request own the resource to update or delete. This is to avoid conditions
|
||||
in which an API client might try and find out other projects' resource
|
||||
identifiers by sending out ``PUT`` and ``DELETE`` requests for random
|
||||
resource identifiers.
|
||||
* There is no way at the moment to specify an ``OR`` relationship between two
|
||||
attributes of a given resource (eg.: ``port.name == 'meh' or
|
||||
port.status == 'DOWN'``), unless the rule with the or condition is explicitly
|
||||
added to the policy.json file.
|
||||
* ``OwnerCheck`` performs a plugin access; this will likely require a database
|
||||
access, but since the behaviour is implementation specific it might also
|
||||
imply a round-trip to the backend. This class of checks, when involving
|
||||
retrieving attributes for 'parent' resources should be used very sparingly.
|
||||
* In order for ``OwnerCheck`` rules to work, parent resources should have an
|
||||
entry in ``neutron.policy._RESOURCE_FOREIGN_KEYS``; moreover the
|
||||
resource must be managed by the 'core' plugin (ie: the one defined in the
|
||||
core_plugin configuration variable)
|
||||
|
||||
Policy-in-Code support
|
||||
----------------------
|
||||
|
||||
Policy-in-code support in neutron is a bit different from other projects
|
||||
because the neutron server needs to load policies in code from multiple
|
||||
projects. Each neutron related project should register the following two entry
|
||||
points ``oslo.policy.policies`` and ``neutron.policies`` in ``setup.cfg`` like
|
||||
below:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
oslo.policy.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
|
||||
The above two entries are same, but they have different purposes.
|
||||
|
||||
* The first entry point is a normal entry point defined by oslo.policy and it
|
||||
is used to generate a sample policy file [#]_ [#]_.
|
||||
* The second one is specific to neutron. It is used by ``neutron.policy``
|
||||
module to load policies of neutron related projects.
|
||||
|
||||
``oslo.policy.policies`` entry point is used by all projects which adopt
|
||||
oslo.policy, so we cannot determine which projects are neutron related
|
||||
projects, so the second entry point is required.
|
||||
|
||||
The recommended entry point name is a repository name: For example,
|
||||
'neutron-fwaas' for FWaaS and 'networking-sfc' for SFC:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
oslo.policy.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
|
||||
Except registering the ``neutron.policies`` entry point, other steps to be done
|
||||
in each neutron related project for policy-in-code support are same for all
|
||||
OpenStack projects.
|
||||
|
||||
References
|
||||
----------
|
||||
@ -320,3 +361,6 @@ References
|
||||
.. [#] Policy reset_ in neutron.api.v2.router
|
||||
|
||||
.. _reset: http://git.openstack.org/cgit/openstack/neutron/tree/neutron/api/v2/router.py?id=2015.1.1#n122
|
||||
|
||||
.. [#] https://docs.openstack.org/oslo.policy/latest/user/usage.html#sample-file-generation
|
||||
.. [#] https://docs.openstack.org/oslo.policy/latest/cli/index.html#oslopolicy-sample-generator
|
||||
|
4
etc/README.policy.json.txt
Normal file
4
etc/README.policy.json.txt
Normal file
@ -0,0 +1,4 @@
|
||||
To generate the sample policy.json file, run the following command from the top
|
||||
level of the neutron directory:
|
||||
|
||||
tox -e genpolicy
|
3
etc/oslo-policy-generator/policy.conf
Normal file
3
etc/oslo-policy-generator/policy.conf
Normal file
@ -0,0 +1,3 @@
|
||||
[DEFAULT]
|
||||
output_file = etc/policy.yaml.sample
|
||||
namespace = neutron
|
262
etc/policy.json
262
etc/policy.json
@ -1,262 +0,0 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
|
||||
"shared": "field:networks:shared=True",
|
||||
"shared_subnetpools": "field:subnetpools:shared=True",
|
||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||
"external": "field:networks:router:external=True",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
|
||||
|
||||
"create_subnet": "rule:admin_or_network_owner",
|
||||
"create_subnet:segment_id": "rule:admin_only",
|
||||
"create_subnet:service_types": "rule:admin_only",
|
||||
"get_subnet": "rule:admin_or_owner or rule:shared",
|
||||
"get_subnet:segment_id": "rule:admin_only",
|
||||
"update_subnet": "rule:admin_or_network_owner",
|
||||
"update_subnet:service_types": "rule:admin_only",
|
||||
"delete_subnet": "rule:admin_or_network_owner",
|
||||
|
||||
"create_subnetpool": "",
|
||||
"create_subnetpool:shared": "rule:admin_only",
|
||||
"create_subnetpool:is_default": "rule:admin_only",
|
||||
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
|
||||
"update_subnetpool": "rule:admin_or_owner",
|
||||
"update_subnetpool:is_default": "rule:admin_only",
|
||||
"delete_subnetpool": "rule:admin_or_owner",
|
||||
|
||||
"create_address_scope": "",
|
||||
"create_address_scope:shared": "rule:admin_only",
|
||||
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
|
||||
"update_address_scope": "rule:admin_or_owner",
|
||||
"update_address_scope:shared": "rule:admin_only",
|
||||
"delete_address_scope": "rule:admin_or_owner",
|
||||
|
||||
"create_network": "",
|
||||
"create_network:shared": "rule:admin_only",
|
||||
"create_network:router:external": "rule:admin_only",
|
||||
"create_network:is_default": "rule:admin_only",
|
||||
"create_network:segments": "rule:admin_only",
|
||||
"create_network:provider:network_type": "rule:admin_only",
|
||||
"create_network:provider:physical_network": "rule:admin_only",
|
||||
"create_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
|
||||
"get_network:router:external": "rule:regular_user",
|
||||
"get_network:segments": "rule:admin_only",
|
||||
"get_network:provider:network_type": "rule:admin_only",
|
||||
"get_network:provider:physical_network": "rule:admin_only",
|
||||
"get_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network:queue_id": "rule:admin_only",
|
||||
"get_network_ip_availabilities": "rule:admin_only",
|
||||
"get_network_ip_availability": "rule:admin_only",
|
||||
"get_availability_zone": "",
|
||||
"update_network": "rule:admin_or_owner",
|
||||
"update_network:segments": "rule:admin_only",
|
||||
"update_network:shared": "rule:admin_only",
|
||||
"update_network:provider:network_type": "rule:admin_only",
|
||||
"update_network:provider:physical_network": "rule:admin_only",
|
||||
"update_network:provider:segmentation_id": "rule:admin_only",
|
||||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"create_segment": "rule:admin_only",
|
||||
"get_segment": "rule:admin_only",
|
||||
"update_segment": "rule:admin_only",
|
||||
"delete_segment": "rule:admin_only",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:binding:host_id": "rule:admin_only",
|
||||
"create_port:binding:profile": "rule:admin_only",
|
||||
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
"get_port:queue_id": "rule:admin_only",
|
||||
"get_port:binding:vif_type": "rule:admin_only",
|
||||
"get_port:binding:vif_details": "rule:admin_only",
|
||||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:binding:host_id": "rule:admin_only",
|
||||
"update_port:binding:profile": "rule:admin_only",
|
||||
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
|
||||
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
"get_router": "rule:admin_or_owner",
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"get_router:distributed": "rule:admin_only",
|
||||
"update_router": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"update_router:distributed": "rule:admin_only",
|
||||
"update_router:ha": "rule:admin_only",
|
||||
"delete_router": "rule:admin_or_owner",
|
||||
|
||||
"add_router_interface": "rule:admin_or_owner",
|
||||
"remove_router_interface": "rule:admin_or_owner",
|
||||
|
||||
"create_qos_queue": "rule:admin_only",
|
||||
"get_qos_queue": "rule:admin_only",
|
||||
|
||||
"get_agent": "rule:admin_only",
|
||||
"update_agent": "rule:admin_only",
|
||||
"delete_agent": "rule:admin_only",
|
||||
|
||||
"create_dhcp-network": "rule:admin_only",
|
||||
"get_dhcp-networks": "rule:admin_only",
|
||||
"delete_dhcp-network": "rule:admin_only",
|
||||
|
||||
"create_l3-router": "rule:admin_only",
|
||||
"get_l3-routers": "rule:admin_only",
|
||||
"delete_l3-router": "rule:admin_only",
|
||||
|
||||
"get_dhcp-agents": "rule:admin_only",
|
||||
"get_l3-agents": "rule:admin_only",
|
||||
|
||||
"get_loadbalancer-agent": "rule:admin_only",
|
||||
"get_loadbalancer-pools": "rule:admin_only",
|
||||
"get_agent-loadbalancers": "rule:admin_only",
|
||||
"get_loadbalancer-hosting-agent": "rule:admin_only",
|
||||
|
||||
"create_floatingip": "rule:regular_user",
|
||||
"create_floatingip:floating_ip_address": "rule:admin_only",
|
||||
"get_floatingip": "rule:admin_or_owner",
|
||||
"get_floatingip_pool": "rule:regular_user",
|
||||
"update_floatingip": "rule:admin_or_owner",
|
||||
"delete_floatingip": "rule:admin_or_owner",
|
||||
|
||||
"create_network_profile": "rule:admin_only",
|
||||
"get_network_profiles": "",
|
||||
"get_network_profile": "",
|
||||
"update_network_profile": "rule:admin_only",
|
||||
"delete_network_profile": "rule:admin_only",
|
||||
|
||||
"get_policy_profiles": "",
|
||||
"get_policy_profile": "",
|
||||
"update_policy_profiles": "rule:admin_only",
|
||||
|
||||
"create_metering_label": "rule:admin_only",
|
||||
"get_metering_label": "rule:admin_only",
|
||||
"delete_metering_label": "rule:admin_only",
|
||||
|
||||
"create_metering_label_rule": "rule:admin_only",
|
||||
"get_metering_label_rule": "rule:admin_only",
|
||||
"delete_metering_label_rule": "rule:admin_only",
|
||||
|
||||
"create_lsn": "rule:admin_only",
|
||||
"get_lsn": "rule:admin_only",
|
||||
|
||||
"get_service_provider": "rule:regular_user",
|
||||
|
||||
"create_flavor": "rule:admin_only",
|
||||
"get_flavors": "rule:regular_user",
|
||||
"get_flavor": "rule:regular_user",
|
||||
"update_flavor": "rule:admin_only",
|
||||
"delete_flavor": "rule:admin_only",
|
||||
|
||||
"create_service_profile": "rule:admin_only",
|
||||
"get_service_profiles": "rule:admin_only",
|
||||
"get_service_profile": "rule:admin_only",
|
||||
"update_service_profile": "rule:admin_only",
|
||||
"delete_service_profile": "rule:admin_only",
|
||||
|
||||
"create_policy": "rule:admin_only",
|
||||
"get_policy": "rule:regular_user",
|
||||
"update_policy": "rule:admin_only",
|
||||
"delete_policy": "rule:admin_only",
|
||||
|
||||
"create_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"get_policy_bandwidth_limit_rule": "rule:regular_user",
|
||||
"update_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
|
||||
"create_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"get_policy_dscp_marking_rule": "rule:regular_user",
|
||||
"update_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"delete_policy_dscp_marking_rule": "rule:admin_only",
|
||||
|
||||
"get_rule_type": "rule:regular_user",
|
||||
|
||||
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
|
||||
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
|
||||
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
|
||||
"create_rbac_policy": "",
|
||||
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
|
||||
"get_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
|
||||
"delete_rbac_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_flavor_service_profile": "rule:admin_only",
|
||||
"get_flavor_service_profile": "rule:regular_user",
|
||||
"delete_flavor_service_profile": "rule:admin_only",
|
||||
|
||||
"get_auto_allocated_topology": "rule:admin_or_owner",
|
||||
"delete_auto_allocated_topology": "rule:admin_or_owner",
|
||||
|
||||
"create_trunk": "rule:regular_user",
|
||||
"get_trunk": "rule:admin_or_owner",
|
||||
"delete_trunk": "rule:admin_or_owner",
|
||||
|
||||
"add_subports": "rule:admin_or_owner",
|
||||
"get_subports": "",
|
||||
"remove_subports": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group": "rule:admin_or_owner",
|
||||
"get_security_groups": "rule:admin_or_owner",
|
||||
"get_security_group": "rule:admin_or_owner",
|
||||
"update_security_group": "rule:admin_or_owner",
|
||||
"delete_security_group": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group_rule": "rule:admin_or_owner",
|
||||
"get_security_group_rules": "rule:admin_or_owner",
|
||||
"get_security_group_rule": "rule:admin_or_owner",
|
||||
"delete_security_group_rule": "rule:admin_or_owner",
|
||||
|
||||
"get_loggable_resources": "rule:admin_only",
|
||||
|
||||
"create_log": "rule:admin_only",
|
||||
"get_log": "rule:admin_only",
|
||||
"get_logs": "rule:admin_only",
|
||||
"update_log": "rule:admin_only",
|
||||
"delete_log": "rule:admin_only",
|
||||
|
||||
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
|
||||
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
||||
}
|
81
neutron/conf/policies/__init__.py
Normal file
81
neutron/conf/policies/__init__.py
Normal file
@ -0,0 +1,81 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import inspect
|
||||
import itertools
|
||||
|
||||
import six
|
||||
|
||||
from neutron.conf.policies import address_scope
|
||||
from neutron.conf.policies import agent
|
||||
from neutron.conf.policies import auto_allocated_topology
|
||||
from neutron.conf.policies import availability_zone
|
||||
from neutron.conf.policies import base
|
||||
from neutron.conf.policies import cisco_plugin
|
||||
from neutron.conf.policies import flavor
|
||||
from neutron.conf.policies import floatingip
|
||||
from neutron.conf.policies import floatingip_pools
|
||||
from neutron.conf.policies import floatingip_port_forwarding
|
||||
from neutron.conf.policies import logging
|
||||
from neutron.conf.policies import metering
|
||||
from neutron.conf.policies import network
|
||||
from neutron.conf.policies import network_ip_availability
|
||||
from neutron.conf.policies import port
|
||||
from neutron.conf.policies import qos
|
||||
from neutron.conf.policies import rbac
|
||||
from neutron.conf.policies import router
|
||||
from neutron.conf.policies import security_group
|
||||
from neutron.conf.policies import segment
|
||||
from neutron.conf.policies import service_type
|
||||
from neutron.conf.policies import subnet
|
||||
from neutron.conf.policies import subnetpool
|
||||
from neutron.conf.policies import trunk
|
||||
from neutron.conf.policies import vmware_plugin
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
address_scope.list_rules(),
|
||||
agent.list_rules(),
|
||||
auto_allocated_topology.list_rules(),
|
||||
availability_zone.list_rules(),
|
||||
cisco_plugin.list_rules(),
|
||||
flavor.list_rules(),
|
||||
floatingip.list_rules(),
|
||||
floatingip_pools.list_rules(),
|
||||
floatingip_port_forwarding.list_rules(),
|
||||
logging.list_rules(),
|
||||
metering.list_rules(),
|
||||
network.list_rules(),
|
||||
network_ip_availability.list_rules(),
|
||||
port.list_rules(),
|
||||
qos.list_rules(),
|
||||
rbac.list_rules(),
|
||||
router.list_rules(),
|
||||
security_group.list_rules(),
|
||||
segment.list_rules(),
|
||||
service_type.list_rules(),
|
||||
subnet.list_rules(),
|
||||
subnetpool.list_rules(),
|
||||
trunk.list_rules(),
|
||||
vmware_plugin.list_rules(),
|
||||
)
|
||||
|
||||
|
||||
def reload_default_policies():
|
||||
for name, module in globals().items():
|
||||
if (inspect.ismodule(module) and
|
||||
module.__name__.startswith(__package__)):
|
||||
# NOTE: pylint checks function args wrongly.
|
||||
# pylint: disable=too-many-function-args
|
||||
six.moves.reload_module(module)
|
44
neutron/conf/policies/address_scope.py
Normal file
44
neutron/conf/policies/address_scope.py
Normal file
@ -0,0 +1,44 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('shared_address_scopes',
|
||||
'field:address_scopes:shared=True',
|
||||
description='Rule of shared address scope'),
|
||||
policy.RuleDefault('create_address_scope',
|
||||
'',
|
||||
description='Access rule for creating address scope'),
|
||||
policy.RuleDefault('create_address_scope:shared',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'shared address scope')),
|
||||
policy.RuleDefault('get_address_scope',
|
||||
'rule:admin_or_owner or rule:shared_address_scopes',
|
||||
description='Access rule for getting address scope'),
|
||||
policy.RuleDefault('update_address_scope',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating address scope'),
|
||||
policy.RuleDefault('update_address_scope:shared',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'shared attribute of address scope')),
|
||||
policy.RuleDefault('delete_address_scope',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting address scope')
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
80
neutron/conf/policies/agent.py
Normal file
80
neutron/conf/policies/agent.py
Normal file
@ -0,0 +1,80 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('get_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting agent'),
|
||||
policy.RuleDefault('update_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating agent'),
|
||||
policy.RuleDefault('delete_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting agent'),
|
||||
policy.RuleDefault('create_dhcp-network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for adding '
|
||||
'network to dhcp agent')),
|
||||
policy.RuleDefault('get_dhcp-networks',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'networks on the dhcp agent')),
|
||||
policy.RuleDefault('delete_dhcp-network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for removing '
|
||||
'network from dhcp agent')),
|
||||
policy.RuleDefault('create_l3-router',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for adding '
|
||||
'router to l3 agent')),
|
||||
policy.RuleDefault('get_l3-routers',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'routers on the l3 agent')),
|
||||
policy.RuleDefault('delete_l3-router',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'router from l3 agent')),
|
||||
policy.RuleDefault('get_dhcp-agents',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'dhcp agents hosting the network')),
|
||||
policy.RuleDefault('get_l3-agents',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'l3 agents hosting the router')),
|
||||
# TODO(amotoki): Remove LBaaS related policies once neutron-lbaas
|
||||
# is retired.
|
||||
policy.RuleDefault('get_loadbalancer-agent',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'lbaas agent hosting the pool')),
|
||||
policy.RuleDefault('get_loadbalancer-pools',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'pools on the lbaas agent')),
|
||||
policy.RuleDefault('get_agent-loadbalancers',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'loadbalancers on the lbaasv2 agent')),
|
||||
policy.RuleDefault('get_loadbalancer-hosting-agent',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'lbaasv2 agent hosting the loadbalancer')),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
31
neutron/conf/policies/auto_allocated_topology.py
Normal file
31
neutron/conf/policies/auto_allocated_topology.py
Normal file
@ -0,0 +1,31 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_auto_allocated_topology',
|
||||
'rule:admin_or_owner',
|
||||
description=("Access rule for getting a project's "
|
||||
"auto-allocated topology")),
|
||||
policy.RuleDefault(
|
||||
'delete_auto_allocated_topology',
|
||||
'rule:admin_or_owner',
|
||||
description=("Access rule for deleting a project's "
|
||||
"auto-allocated topology")),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
25
neutron/conf/policies/availability_zone.py
Normal file
25
neutron/conf/policies/availability_zone.py
Normal file
@ -0,0 +1,25 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_availability_zone',
|
||||
'',
|
||||
description='Access rule for getting availability zone'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
67
neutron/conf/policies/base.py
Normal file
67
neutron/conf/policies/base.py
Normal file
@ -0,0 +1,67 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'context_is_admin',
|
||||
'role:admin',
|
||||
description='Rule for cloud admin access'),
|
||||
policy.RuleDefault(
|
||||
'owner',
|
||||
'tenant_id:%(tenant_id)s',
|
||||
description='Rule for resource owner access'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_owner',
|
||||
'rule:context_is_admin or rule:owner',
|
||||
description='Rule for admin or owner access'),
|
||||
policy.RuleDefault(
|
||||
'context_is_advsvc',
|
||||
'role:advsvc',
|
||||
description='Rule for advsvc role access'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_network_owner',
|
||||
'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
|
||||
description='Rule for admin or network owner access'),
|
||||
policy.RuleDefault(
|
||||
'admin_owner_or_network_owner',
|
||||
'rule:owner or rule:admin_or_network_owner',
|
||||
description=('Rule for resource owner, '
|
||||
'admin or network owner access')),
|
||||
policy.RuleDefault(
|
||||
'admin_only',
|
||||
'rule:context_is_admin',
|
||||
description='Rule only for admin access'),
|
||||
policy.RuleDefault(
|
||||
'regular_user',
|
||||
'',
|
||||
description='Rule for regular user access'),
|
||||
# TODO(amotoki): Should be renamed to shared_network? It seems clearer.
|
||||
policy.RuleDefault(
|
||||
'shared',
|
||||
'field:networks:shared=True',
|
||||
description='Rule of shared network'),
|
||||
policy.RuleDefault(
|
||||
'default',
|
||||
'rule:admin_or_owner',
|
||||
description='Default access rule'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_ext_parent_owner',
|
||||
'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
|
||||
description='Rule for common parent owner check'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
46
neutron/conf/policies/cisco_plugin.py
Normal file
46
neutron/conf/policies/cisco_plugin.py
Normal file
@ -0,0 +1,46 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
# TODO(amotoki): Move Cisco related policy rules to networking-cisco
|
||||
rules = [
|
||||
policy.RuleDefault('create_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network profile'),
|
||||
policy.RuleDefault('get_network_profiles',
|
||||
'',
|
||||
description='Access rule for listing network profiles'),
|
||||
policy.RuleDefault('get_network_profile',
|
||||
'',
|
||||
description='Access rule for getting network profile'),
|
||||
policy.RuleDefault('update_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating network profile'),
|
||||
policy.RuleDefault('delete_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting network profile'),
|
||||
policy.RuleDefault('get_policy_profiles',
|
||||
'',
|
||||
description='Access rule for listing policy profile'),
|
||||
policy.RuleDefault('get_policy_profile',
|
||||
'',
|
||||
description='Access rule for getting policy prodile'),
|
||||
policy.RuleDefault('update_policy_profiles',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating policy profile'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
78
neutron/conf/policies/flavor.py
Normal file
78
neutron/conf/policies/flavor.py
Normal file
@ -0,0 +1,78 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating flavor'),
|
||||
policy.RuleDefault(
|
||||
'get_flavors',
|
||||
'rule:regular_user',
|
||||
description='Access rule for listing flavors'),
|
||||
policy.RuleDefault(
|
||||
'get_flavor',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting flavor'),
|
||||
policy.RuleDefault(
|
||||
'update_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating flavor'),
|
||||
policy.RuleDefault(
|
||||
'delete_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting flavor'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating service profile'),
|
||||
policy.RuleDefault(
|
||||
'get_service_profiles',
|
||||
'rule:admin_only',
|
||||
description='Access rule for listing service profiles'),
|
||||
policy.RuleDefault(
|
||||
'get_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting service profile'),
|
||||
policy.RuleDefault(
|
||||
'update_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating service profile'),
|
||||
policy.RuleDefault(
|
||||
'delete_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting service profile'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_flavor_service_profile',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for associating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'delete_flavor_service_profile',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for disassociating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'get_flavor_service_profile',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting flavor associating '
|
||||
'with the given service profiles')),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
37
neutron/conf/policies/floatingip.py
Normal file
37
neutron/conf/policies/floatingip.py
Normal file
@ -0,0 +1,37 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_floatingip',
|
||||
'rule:regular_user',
|
||||
description='Access rule for creating floating IP'),
|
||||
policy.RuleDefault('create_floatingip:floating_ip_address',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating floating IP '
|
||||
'with a specific IP address')),
|
||||
policy.RuleDefault('get_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting floating IP'),
|
||||
policy.RuleDefault('update_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating floating IP'),
|
||||
policy.RuleDefault('delete_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting floating IP'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
25
neutron/conf/policies/floatingip_pools.py
Normal file
25
neutron/conf/policies/floatingip_pools.py
Normal file
@ -0,0 +1,25 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_pool',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting floating IP pools'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
42
neutron/conf/policies/floatingip_port_forwarding.py
Normal file
42
neutron/conf/policies/floatingip_port_forwarding.py
Normal file
@ -0,0 +1,42 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for creating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for getting floating IP port forwarding'),
|
||||
# TOOD(amotoki): get_floatingip_port_forwardings looks unnecessary.
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_port_forwardings',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for listing floating IP port forwardings'),
|
||||
policy.RuleDefault(
|
||||
'update_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for updating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'delete_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for deleting floating IP port forwarding'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
45
neutron/conf/policies/logging.py
Normal file
45
neutron/conf/policies/logging.py
Normal file
@ -0,0 +1,45 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_loggable_resources',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting loggable resources'),
|
||||
policy.RuleDefault(
|
||||
'create_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network log'),
|
||||
policy.RuleDefault(
|
||||
'get_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting network log'),
|
||||
policy.RuleDefault(
|
||||
'get_logs',
|
||||
'rule:admin_only',
|
||||
description='Access rule for listing network logs'),
|
||||
policy.RuleDefault(
|
||||
'update_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating network log'),
|
||||
policy.RuleDefault(
|
||||
'delete_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting network log'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
42
neutron/conf/policies/metering.py
Normal file
42
neutron/conf/policies/metering.py
Normal file
@ -0,0 +1,42 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating metering label'),
|
||||
policy.RuleDefault('get_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting metering label'),
|
||||
policy.RuleDefault('delete_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting metering label'),
|
||||
policy.RuleDefault('create_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('get_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('delete_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'metering label rule'))
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
133
neutron/conf/policies/network.py
Normal file
133
neutron/conf/policies/network.py
Normal file
@ -0,0 +1,133 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'external',
|
||||
'field:networks:router:external=True',
|
||||
description='Rule of external network'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_network',
|
||||
'',
|
||||
description='Access rule for creating network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:shared',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating shared network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:router:external',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating external network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:is_default',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network with is_default'),
|
||||
policy.RuleDefault(
|
||||
'create_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network with segments'),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider network_type')),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider physical_network')),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider segmentation_id')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'get_network',
|
||||
('rule:admin_or_owner or rule:shared or '
|
||||
'rule:external or rule:context_is_advsvc'),
|
||||
description='Access rule for getting shared network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:router:external',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting external network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting segments of network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'segmentation_id of network')),
|
||||
# TODO(amotoki): Move queue_id to vmware-nsx plugin
|
||||
policy.RuleDefault(
|
||||
'get_network:queue_id',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting queue_id of network'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'update_network',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating segments of network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:shared',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating shared attribute of network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'segmentation_id of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:router:external',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating router:external attribute '
|
||||
'of network')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'delete_network',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting network'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|