OpenStack Networking (Neutron)

policy.json 12KB

  1. {
  2. "context_is_admin": "role:admin",
  3. "owner": "tenant_id:%(tenant_id)s",
  4. "admin_or_owner": "rule:context_is_admin or rule:owner",
  5. "context_is_advsvc": "role:advsvc",
  6. "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
  7. "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
  8. "admin_only": "rule:context_is_admin",
  9. "regular_user": "",
  10. "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
  11. "shared": "field:networks:shared=True",
  12. "shared_subnetpools": "field:subnetpools:shared=True",
  13. "shared_address_scopes": "field:address_scopes:shared=True",
  14. "external": "field:networks:router:external=True",
  15. "default": "rule:admin_or_owner",
  16. "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
  17. "create_subnet": "rule:admin_or_network_owner",
  18. "create_subnet:segment_id": "rule:admin_only",
  19. "create_subnet:service_types": "rule:admin_only",
  20. "get_subnet": "rule:admin_or_owner or rule:shared",
  21. "get_subnet:segment_id": "rule:admin_only",
  22. "update_subnet": "rule:admin_or_network_owner",
  23. "update_subnet:service_types": "rule:admin_only",
  24. "delete_subnet": "rule:admin_or_network_owner",
  25. "create_subnetpool": "",
  26. "create_subnetpool:shared": "rule:admin_only",
  27. "create_subnetpool:is_default": "rule:admin_only",
  28. "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
  29. "update_subnetpool": "rule:admin_or_owner",
  30. "update_subnetpool:is_default": "rule:admin_only",
  31. "delete_subnetpool": "rule:admin_or_owner",
  32. "create_address_scope": "",
  33. "create_address_scope:shared": "rule:admin_only",
  34. "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
  35. "update_address_scope": "rule:admin_or_owner",
  36. "update_address_scope:shared": "rule:admin_only",
  37. "delete_address_scope": "rule:admin_or_owner",
  38. "create_network": "",
  39. "create_network:shared": "rule:admin_only",
  40. "create_network:router:external": "rule:admin_only",
  41. "create_network:is_default": "rule:admin_only",
  42. "create_network:segments": "rule:admin_only",
  43. "create_network:provider:network_type": "rule:admin_only",
  44. "create_network:provider:physical_network": "rule:admin_only",
  45. "create_network:provider:segmentation_id": "rule:admin_only",
  46. "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
  47. "get_network:router:external": "rule:regular_user",
  48. "get_network:segments": "rule:admin_only",
  49. "get_network:provider:network_type": "rule:admin_only",
  50. "get_network:provider:physical_network": "rule:admin_only",
  51. "get_network:provider:segmentation_id": "rule:admin_only",
  52. "get_network:queue_id": "rule:admin_only",
  53. "get_network_ip_availabilities": "rule:admin_only",
  54. "get_network_ip_availability": "rule:admin_only",
  55. "update_network": "rule:admin_or_owner",
  56. "update_network:segments": "rule:admin_only",
  57. "update_network:shared": "rule:admin_only",
  58. "update_network:provider:network_type": "rule:admin_only",
  59. "update_network:provider:physical_network": "rule:admin_only",
  60. "update_network:provider:segmentation_id": "rule:admin_only",
  61. "update_network:router:external": "rule:admin_only",
  62. "delete_network": "rule:admin_or_owner",
  63. "create_segment": "rule:admin_only",
  64. "get_segment": "rule:admin_only",
  65. "update_segment": "rule:admin_only",
  66. "delete_segment": "rule:admin_only",
  67. "network_device": "field:port:device_owner=~^network:",
  68. "create_port": "",
  69. "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
  70. "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
  71. "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
  72. "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
  73. "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
  74. "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
  75. "create_port:binding:host_id": "rule:admin_only",
  76. "create_port:binding:profile": "rule:admin_only",
  77. "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
  78. "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
  79. "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
  80. "get_port:queue_id": "rule:admin_only",
  81. "get_port:binding:vif_type": "rule:admin_only",
  82. "get_port:binding:vif_details": "rule:admin_only",
  83. "get_port:binding:host_id": "rule:admin_only",
  84. "get_port:binding:profile": "rule:admin_only",
  85. "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
  86. "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
  87. "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
  88. "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
  89. "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
  90. "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
  91. "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
  92. "update_port:binding:host_id": "rule:admin_only",
  93. "update_port:binding:profile": "rule:admin_only",
  94. "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
  95. "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
  96. "update_port:data_plane_status": "rule:admin_or_data_plane_int",
  97. "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
  98. "create_router": "rule:regular_user",
  99. "create_router:external_gateway_info": "rule:admin_or_owner",
  100. "create_router:external_gateway_info:network_id": "rule:admin_or_owner",
  101. "create_router:external_gateway_info:enable_snat": "rule:admin_only",
  102. "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
  103. "create_router:distributed": "rule:admin_only",
  104. "create_router:ha": "rule:admin_only",
  105. "get_router": "rule:admin_or_owner",
  106. "get_router:ha": "rule:admin_only",
  107. "get_router:distributed": "rule:admin_only",
  108. "update_router": "rule:admin_or_owner",
  109. "update_router:external_gateway_info": "rule:admin_or_owner",
  110. "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
  111. "update_router:external_gateway_info:enable_snat": "rule:admin_only",
  112. "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
  113. "update_router:distributed": "rule:admin_only",
  114. "update_router:ha": "rule:admin_only",
  115. "delete_router": "rule:admin_or_owner",
  116. "add_router_interface": "rule:admin_or_owner",
  117. "remove_router_interface": "rule:admin_or_owner",
  118. "create_qos_queue": "rule:admin_only",
  119. "get_qos_queue": "rule:admin_only",
  120. "get_agent": "rule:admin_only",
  121. "update_agent": "rule:admin_only",
  122. "delete_agent": "rule:admin_only",
  123. "create_dhcp-network": "rule:admin_only",
  124. "get_dhcp-networks": "rule:admin_only",
  125. "delete_dhcp-network": "rule:admin_only",
  126. "create_l3-router": "rule:admin_only",
  127. "get_l3-routers": "rule:admin_only",
  128. "delete_l3-router": "rule:admin_only",
  129. "get_dhcp-agents": "rule:admin_only",
  130. "get_l3-agents": "rule:admin_only",
  131. "get_loadbalancer-agent": "rule:admin_only",
  132. "get_loadbalancer-pools": "rule:admin_only",
  133. "get_agent-loadbalancers": "rule:admin_only",
  134. "get_loadbalancer-hosting-agent": "rule:admin_only",
  135. "create_floatingip": "rule:regular_user",
  136. "create_floatingip:floating_ip_address": "rule:admin_only",
  137. "get_floatingip": "rule:admin_or_owner",
  138. "update_floatingip": "rule:admin_or_owner",
  139. "delete_floatingip": "rule:admin_or_owner",
  140. "create_network_profile": "rule:admin_only",
  141. "get_network_profiles": "",
  142. "get_network_profile": "",
  143. "update_network_profile": "rule:admin_only",
  144. "delete_network_profile": "rule:admin_only",
  145. "get_policy_profiles": "",
  146. "get_policy_profile": "",
  147. "update_policy_profiles": "rule:admin_only",
  148. "create_metering_label": "rule:admin_only",
  149. "get_metering_label": "rule:admin_only",
  150. "delete_metering_label": "rule:admin_only",
  151. "create_metering_label_rule": "rule:admin_only",
  152. "get_metering_label_rule": "rule:admin_only",
  153. "delete_metering_label_rule": "rule:admin_only",
  154. "create_lsn": "rule:admin_only",
  155. "get_lsn": "rule:admin_only",
  156. "get_service_provider": "rule:regular_user",
  157. "create_flavor": "rule:admin_only",
  158. "get_flavors": "rule:regular_user",
  159. "get_flavor": "rule:regular_user",
  160. "update_flavor": "rule:admin_only",
  161. "delete_flavor": "rule:admin_only",
  162. "create_service_profile": "rule:admin_only",
  163. "get_service_profiles": "rule:admin_only",
  164. "get_service_profile": "rule:admin_only",
  165. "update_service_profile": "rule:admin_only",
  166. "delete_service_profile": "rule:admin_only",
  167. "create_policy": "rule:admin_only",
  168. "get_policy": "rule:regular_user",
  169. "update_policy": "rule:admin_only",
  170. "delete_policy": "rule:admin_only",
  171. "create_policy_bandwidth_limit_rule": "rule:admin_only",
  172. "get_policy_bandwidth_limit_rule": "rule:regular_user",
  173. "update_policy_bandwidth_limit_rule": "rule:admin_only",
  174. "delete_policy_bandwidth_limit_rule": "rule:admin_only",
  175. "create_policy_dscp_marking_rule": "rule:admin_only",
  176. "get_policy_dscp_marking_rule": "rule:regular_user",
  177. "update_policy_dscp_marking_rule": "rule:admin_only",
  178. "delete_policy_dscp_marking_rule": "rule:admin_only",
  179. "get_rule_type": "rule:regular_user",
  180. "create_policy_minimum_bandwidth_rule": "rule:admin_only",
  181. "get_policy_minimum_bandwidth_rule": "rule:regular_user",
  182. "update_policy_minimum_bandwidth_rule": "rule:admin_only",
  183. "delete_policy_minimum_bandwidth_rule": "rule:admin_only",
  184. "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
  185. "create_rbac_policy": "",
  186. "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
  187. "get_rbac_policy": "rule:admin_or_owner",
  188. "update_rbac_policy": "rule:admin_or_owner",
  189. "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
  190. "delete_rbac_policy": "rule:admin_or_owner",
  191. "create_flavor_service_profile": "rule:admin_only",
  192. "get_flavor_service_profile": "rule:regular_user",
  193. "delete_flavor_service_profile": "rule:admin_only",
  194. "get_auto_allocated_topology": "rule:admin_or_owner",
  195. "create_trunk": "rule:regular_user",
  196. "get_trunk": "rule:admin_or_owner",
  197. "delete_trunk": "rule:admin_or_owner",
  198. "add_subports": "rule:admin_or_owner",
  199. "get_subports": "",
  200. "remove_subports": "rule:admin_or_owner",
  201. "create_security_group": "rule:admin_or_owner",
  202. "get_security_groups": "rule:admin_or_owner",
  203. "get_security_group": "rule:admin_or_owner",
  204. "update_security_group": "rule:admin_or_owner",
  205. "delete_security_group": "rule:admin_or_owner",
  206. "create_security_group_rule": "rule:admin_or_owner",
  207. "get_security_group_rules": "rule:admin_or_owner",
  208. "get_security_group_rule": "rule:admin_or_owner",
  209. "delete_security_group_rule": "rule:admin_or_owner",
  210. "get_loggable_resources": "rule:admin_only",
  211. "create_log": "rule:admin_only",
  212. "get_log": "rule:admin_only",
  213. "get_logs": "rule:admin_only",
  214. "update_log": "rule:admin_only",
  215. "delete_log": "rule:admin_only",
  216. "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
  217. "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
  218. "get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
  219. "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
  220. "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
  221. }