openstack/nova
Code Issues Proposed changes

Remove 'create_rule_default'

Browse Source 
This is a simple wrapper for an oslo.policy function, so remove it.

Also fixes the alignment in the agents policy module to be like
all the others.

Change-Id: I8a45cff3b1abea98bf04f111bdd6a9ace91a9980
Implements: blueprint policy-docs
This commit is contained in:
Stephen Finucane
2017-07-03 11:14:10 +01:00
committed by Matt Riedemann
parent 622bba1ab9
commit 145b3cc7f0
72 changed files with 318 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
nova/policies/admin_actions.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'reset_state',
base.RULE_ADMIN_API,
"Reset the state of a given server",
@@ -30,7 +32,7 @@ admin_actions_policies = [
'path': '/servers/{server_id}/action (os-resetState)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'inject_network_info',
base.RULE_ADMIN_API,
"Inject network information into the server",
@@ -40,7 +42,7 @@ admin_actions_policies = [
'path': '/servers/{server_id}/action (injectNetworkInfo)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'reset_network',
base.RULE_ADMIN_API,
"Reset networking on a server",

4
nova/policies/admin_password.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
admin_password_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Change the administrative password for a server",

26
nova/policies/agents.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-agents'
agents_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Create, list, update, and delete guest agent builds
@@ -28,10 +30,24 @@ agents_policies = [
This is XenAPI driver specific. It is used to force the upgrade of the
XenAPI guest agent on instance boot.
""",
[{'path': '/os-agents', 'method': 'GET'},
{'path': '/os-agents', 'method': 'POST'},
{'path': '/os-agents/{agent_build_id}', 'method': 'PUT'},
{'path': '/os-agents/{agent_build_id}', 'method': 'DELETE'}]),
[
{
'path': '/os-agents',
'method': 'GET'
},
{
'path': '/os-agents',
'method': 'POST'
},
{
'path': '/os-agents/{agent_build_id}',
'method': 'PUT'
},
{
'path': '/os-agents/{agent_build_id}',
'method': 'DELETE'
}
]),
]

18
nova/policies/aggregates.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-aggregates:%s'
aggregates_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'set_metadata',
base.RULE_ADMIN_API,
"Create or replace metadata for an aggregate",
@@ -30,7 +32,7 @@ aggregates_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'add_host',
base.RULE_ADMIN_API,
"Add a host to an aggregate.",
@@ -40,7 +42,7 @@ aggregates_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Create an aggregate",
@@ -50,7 +52,7 @@ aggregates_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'remove_host',
base.RULE_ADMIN_API,
"Remove a host from an aggregate",
@@ -60,7 +62,7 @@ aggregates_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
"Update name and/or availability zone for an aggregate",
@@ -70,7 +72,7 @@ aggregates_policies = [
'method': 'PUT'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_API,
"List all aggregates",
@@ -80,7 +82,7 @@ aggregates_policies = [
'method': 'GET'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Delete an aggregate",
@@ -90,7 +92,7 @@ aggregates_policies = [
'method': 'DELETE'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_API,
"Show details for an aggregate.",

6
nova/policies/assisted_volume_snapshots.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
assisted_volume_snapshots_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Create an assisted volume snapshot",
@@ -30,7 +32,7 @@ assisted_volume_snapshots_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Delete an assisted volume snapshot",

8
nova/policies/attach_interfaces.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
attach_interfaces_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"List port interfaces or show details of a port \
@@ -36,7 +38,7 @@ interface attached to a server",
'path': '/servers/{server_id}/os-interface/{port_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
'Attach an interface to a server',
@@ -46,7 +48,7 @@ interface attached to a server",
'path': '/servers/{server_id}/os-interface'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
'Detach an interface from a server',

6
nova/policies/availability_zone.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-availability-zone:%s'
availability_zone_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'list',
base.RULE_ADMIN_OR_OWNER,
"Lists availability zone information without host information",
@@ -30,7 +32,7 @@ availability_zone_policies = [
'path': 'os-availability-zone'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'detail',
base.RULE_ADMIN_API,
"Lists detailed availability zone information with host information",

4
nova/policies/baremetal_nodes.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes'
baremetal_nodes_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""List and show details of bare metal nodes.

6
nova/policies/base.py
View File

@@ -28,11 +28,5 @@ rules = [
]
# TODO(johngarbutt) we can remove this now
def create_rule_default(name, check_str, description, operations):
return policy.DocumentedRuleDefault(name, check_str,
description, operations)
def list_rules():
return rules

12
nova/policies/cells.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-cells:%s'
cells_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
'Update an existing cell',
@@ -31,7 +33,7 @@ cells_policies = [
'path': '/os-cells/{cell_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
'Create a new cell',
@@ -41,7 +43,7 @@ cells_policies = [
'path': '/os-cells'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
'List and get detailed info of a given cell or all cells',
@@ -67,7 +69,7 @@ cells_policies = [
'path': '/os-cells/{cell_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'sync_instances',
base.RULE_ADMIN_API,
'Sync instances info in all cells',
@@ -77,7 +79,7 @@ cells_policies = [
'path': '/os-cells/sync_instances'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
'Remove a cell',

4
nova/policies/config_drive.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-config-drive'
config_drive_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'config_drive' attribute in the server response.""",

4
nova/policies/console_auth_tokens.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
console_auth_tokens_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
'Show console connection information for a given console \

4
nova/policies/console_output.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-output'
console_output_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
'Show console output for a server',

10
nova/policies/consoles.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-consoles:%s'
consoles_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
'Create a console for a server instance',
@@ -30,7 +32,7 @@ consoles_policies = [
'path': '/servers/{server_id}/consoles'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
'Show console details for a server instance',
@@ -40,7 +42,7 @@ consoles_policies = [
'path': '/servers/{server_id}/consoles/{console_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
'Delete a console for a server instance',
@@ -50,7 +52,7 @@ consoles_policies = [
'path': '/servers/{server_id}/consoles/{console_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
'List all consoles for a server instance',

4
nova/policies/create_backup.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-create-backup'
create_backup_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
'Create a back up of a server',

4
nova/policies/deferred_delete.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete'
deferred_delete_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
'Restore a soft deleted server or force delete a server before \

4
nova/policies/evacuate.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-evacuate'
evacuate_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Evacuate a server from a failed host to a new host",

4
nova/policies/extended_availability_zone.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-availability-zone'
extended_availability_zone_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Add `OS-EXT-AZ:availability_zone` into the server response.",

4
nova/policies/extended_server_attributes.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
extended_server_attributes_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Return extended attributes for server.

4
nova/policies/extended_status.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-status'
extended_status_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Return extended status in the response of server.

4
nova/policies/extended_volumes.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-volumes'
extended_volumes_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Return 'os-extended-volumes:volumes_attached' in the response of "

4
nova/policies/extensions.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:extensions'
extensions_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Lists available extensions and shows information for an extension "

4
nova/policies/fixed_ips.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-fixed-ips'
fixed_ips_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Shows details for, reserve and unreserve a fixed IP address.

8
nova/policies/flavor_access.py
View File

@@ -14,6 +14,8 @@
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -22,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
flavor_access_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'add_tenant_access',
base.RULE_ADMIN_API,
"Add flavor access to a tenant",
@@ -32,7 +34,7 @@ flavor_access_policies = [
'path': '/flavors/{flavor_id}/action (addTenantAccess)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'remove_tenant_access',
base.RULE_ADMIN_API,
"Remove flavor access from a tenant",
@@ -42,7 +44,7 @@ flavor_access_policies = [
'path': '/flavors/{flavor_id}/action (removeTenantAccess)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Allow the listing of flavor access information

12
nova/policies/flavor_extra_specs.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-flavor-extra-specs:%s'
flavor_extra_specs_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show an extra spec for a flavor",
@@ -32,7 +34,7 @@ flavor_extra_specs_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Create extra specs for a flavor",
@@ -43,7 +45,7 @@ flavor_extra_specs_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
"Update an extra spec for a flavor",
@@ -55,7 +57,7 @@ flavor_extra_specs_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Delete an extra spec for a flavor",
@@ -67,7 +69,7 @@ flavor_extra_specs_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List extra specs for a flavor",

4
nova/policies/flavor_manage.py
View File

@@ -14,6 +14,8 @@
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage'
flavor_manage_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Create and delete Flavors",

4
nova/policies/flavor_rxtx.py
View File

@@ -14,6 +14,8 @@
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-flavor-rxtx'
flavor_rxtx_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Adds the rxtx_factor key into some Flavor APIs",

8
nova/policies/floating_ip_dns.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-floating-ip-dns:%s'
floating_ip_dns_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List registered DNS domains, and CRUD actions on domain names.
@@ -49,7 +51,7 @@ Note this only works with nova-network and this API is deprecated.""",
'path': '/os-floating-ip-dns/{domain}/entries/{name}'
},
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'domain:update',
base.RULE_ADMIN_API,
"Create or update a DNS domain.",
@@ -59,7 +61,7 @@ Note this only works with nova-network and this API is deprecated.""",
'path': '/os-floating-ip-dns/{domain}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'domain:delete',
base.RULE_ADMIN_API,
"Delete a DNS domain.",

4
nova/policies/floating_ip_pools.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
floating_ip_pools_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"List floating IP pools. This API is deprecated.",

4
nova/policies/floating_ips.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ips'
floating_ips_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Manage a project's floating IPs. These APIs are all deprecated.",

4
nova/policies/floating_ips_bulk.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ips-bulk'
floating_ips_bulk_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Bulk-create, delete, and list floating IPs. API is deprecated.",

6
nova/policies/fping.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-fping:%s'
fping_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'all_tenants',
base.RULE_ADMIN_API,
"""Pings instances for all projects and reports which instances
@@ -35,7 +37,7 @@ which itself is deprecated.""",
'path': '/os-fping?all_tenants=true'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Pings instances, particular instance and reports which instances

4
nova/policies/hide_server_addresses.py
View File

@@ -13,13 +13,13 @@
# License for the specific language governing permissions and limitations
# under the License.
from nova.policies import base
from oslo_policy import policy
BASE_POLICY_NAME = 'os_compute_api:os-hide-server-addresses'
hide_server_addresses_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
'is_admin:False',
"""Hide server's 'addresses' key in the server response.

4
nova/policies/hosts.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-hosts'
hosts_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""List, Show and Manage physical hosts.

4
nova/policies/hypervisors.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-hypervisors'
hypervisors_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Policy rule for hypervisor related APIs.

4
nova/policies/image_size.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:image-size'
image_size_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.""",

6
nova/policies/instance_actions.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-instance-actions:%s'
instance_actions_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'events',
base.RULE_ADMIN_API,
"""Add events details in action details for a server.
@@ -34,7 +36,7 @@ os_compute_api:os-instance-actions passes""",
'path': '/servers/{server_id}/os-instance-actions/{request_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List actions and show action details for a server.""",

4
nova/policies/instance_usage_audit_log.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
instance_usage_audit_log_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists all usage audits and that occurred before a specified time

6
nova/policies/ips.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"""Shows IP addresses details for a network label of a server.""",
@@ -30,7 +32,7 @@ ips_policies = [
'path': '/servers/{server_id}/ips/{network_label}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"""Lists IP addresses that are assigned to a server.""",

12
nova/policies/keypairs.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
keypairs_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
'rule:admin_api or user_id:%(user_id)s',
"List all keypairs",
@@ -31,7 +33,7 @@ keypairs_policies = [
'method': 'GET'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
'rule:admin_api or user_id:%(user_id)s',
"Create a keypair",
@@ -41,7 +43,7 @@ keypairs_policies = [
'method': 'POST'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
'rule:admin_api or user_id:%(user_id)s',
"Delete a keypair",
@@ -51,7 +53,7 @@ keypairs_policies = [
'method': 'DELETE'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
'rule:admin_api or user_id:%(user_id)s',
"Show details of a keypair",
@@ -61,7 +63,7 @@ keypairs_policies = [
'method': 'GET'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Return 'key_name' in the response of server.",

4
nova/policies/limits.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:limits'
limits_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Shows rate and absolute limits for the project.""",

8
nova/policies/lock_server.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
lock_server_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'lock',
base.RULE_ADMIN_OR_OWNER,
"Lock a server",
@@ -31,7 +33,7 @@ lock_server_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unlock',
base.RULE_ADMIN_OR_OWNER,
"Unlock a server",
@@ -42,7 +44,7 @@ lock_server_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unlock:unlock_override',
base.RULE_ADMIN_API,
"""Unlock a server, regardless who locked the server.

6
nova/policies/migrate_server.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
migrate_server_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'migrate',
base.RULE_ADMIN_API,
"Cold migrate a server to a host",
@@ -30,7 +32,7 @@ migrate_server_policies = [
'path': '/servers/{server_id}/action (migrate)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'migrate_live',
base.RULE_ADMIN_API,
"Live migrate a server to a new host without a reboot",

4
nova/policies/migrations.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-migrations:%s'
migrations_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_API,
"List migrations",

4
nova/policies/multinic.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-multinic'
multinic_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Adds or Removes a fixed IP address from a server.

6
nova/policies/networks.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -21,7 +23,7 @@ POLICY_ROOT = 'os_compute_api:os-networks:%s'
networks_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Create and delete a network, add and disassociate a network
@@ -46,7 +48,7 @@ These APIs are only available with nova-network which is deprecated.""",
'path': '/os-networks/{network_id}/action (disassociate)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'view',
base.RULE_ADMIN_OR_OWNER,
"""List networks for the project and show details for a network.

4
nova/policies/networks_associate.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-networks-associate'
networks_associate_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Associates and Disassociates a network from a host or project.

6
nova/policies/pause_server.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
pause_server_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'pause',
base.RULE_ADMIN_OR_OWNER,
"Pause a server.",
@@ -31,7 +33,7 @@ pause_server_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unpause',
base.RULE_ADMIN_OR_OWNER,
"Unpause a paused server.",

6
nova/policies/quota_class_sets.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
quota_class_sets_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
'is_admin:True or quota_class:%(quota_class)s',
"List quotas for specific quota classs",
@@ -30,7 +32,7 @@ quota_class_sets_policies = [
'path': '/os-quota-class-sets/{quota_class}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
'Update quotas for specific quota class',

12
nova/policies/quota_sets.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
quota_sets_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
"Update the quotas",
@@ -30,7 +32,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'defaults',
base.RULE_ANY,
"List default quotas",
@@ -40,7 +42,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}/defaults'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show a quota",
@@ -50,7 +52,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Revert quotas to defaults",
@@ -60,7 +62,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'detail',
base.RULE_ADMIN_API,
"Show the detail of quota",

4
nova/policies/remote_consoles.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
remote_consoles_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Generates a URL to access remove server console",

4
nova/policies/rescue.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-rescue'
rescue_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Rescue/unrescue a server",

4
nova/policies/security_group_default_rules.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-security-group-default-rules'
security_group_default_rules_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists, shows information for, creates and deletes default security

4
nova/policies/security_groups.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
security_groups_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""This policy checks permission on security groups related APIs.

4
nova/policies/server_diagnostics.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
server_diagnostics_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"Shows the usage data for a server",

4
nova/policies/server_external_events.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
server_external_events_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_API,
"Creates one or more external events",

8
nova/policies/server_groups.py
View File

@@ -29,7 +29,7 @@ server_groups_policies = [
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
description='Deprecated in Pike and will be removed in next release'),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
BASE_POLICY_RULE,
"Create a new server group",
@@ -40,7 +40,7 @@ server_groups_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
BASE_POLICY_RULE,
"Delete a server group",
@@ -51,7 +51,7 @@ server_groups_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
BASE_POLICY_RULE,
"List all server groups",
@@ -62,7 +62,7 @@ server_groups_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
BASE_POLICY_RULE,
"Show details of a server group",

14
nova/policies/server_metadata.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List all metadata of a server",
@@ -31,7 +33,7 @@ server_metadata_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show metadata for a server",
@@ -42,7 +44,7 @@ server_metadata_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
"Create metadata for a server",
@@ -53,7 +55,7 @@ server_metadata_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update_all',
base.RULE_ADMIN_OR_OWNER,
"Replace metadata for a server",
@@ -64,7 +66,7 @@ server_metadata_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_OR_OWNER,
"Update metadata from a server",
@@ -75,7 +77,7 @@ server_metadata_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
"Delete metadata from a server",

4
nova/policies/server_password.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-password'
server_password_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"Show and clear the encrypted administrative password of a server",

14
nova/policies/server_tags.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete_all',
base.RULE_ADMIN_OR_OWNER,
"Delete all the server tags",
@@ -30,7 +32,7 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List all tags for given server",
@@ -40,7 +42,7 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update_all',
base.RULE_ADMIN_OR_OWNER,
"Replace all tags on specified server with the new set of tags.",
@@ -51,7 +53,7 @@ server_tags_policies = [
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
"Delete a single tag from the specified server",
@@ -62,7 +64,7 @@ server_tags_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_OR_OWNER,
"Add a single tag to the server if server has no specified tag",
@@ -73,7 +75,7 @@ server_tags_policies = [
}
]
),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Check tag existence on the server.",

4
nova/policies/server_usage.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
server_usage_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Add 'OS-SRV-USG:launched_at' & 'OS-SRV-USG:terminated_at' attribute

46
nova/policies/servers.py
View File

@@ -11,6 +11,8 @@
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -18,7 +20,7 @@ RULE_AOO = base.RULE_ADMIN_OR_OWNER
SERVERS = 'os_compute_api:servers:%s'
rules = [
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'index',
RULE_AOO,
"List all servers",
@@ -28,7 +30,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'detail',
RULE_AOO,
"List all servers with detailed information",
@@ -38,7 +40,7 @@ rules = [
'path': '/servers/detail'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'index:get_all_tenants',
base.RULE_ADMIN_API,
"List all servers for all projects",
@@ -48,7 +50,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'detail:get_all_tenants',
base.RULE_ADMIN_API,
"List all servers with detailed information for all projects",
@@ -58,7 +60,7 @@ rules = [
'path': '/servers/detail'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'show',
RULE_AOO,
"Show a server",
@@ -70,7 +72,7 @@ rules = [
]),
# the details in host_status are pretty sensitive, only admins
# should do that by default.
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'show:host_status',
base.RULE_ADMIN_API,
"Show a server with additional host status information",
@@ -84,7 +86,7 @@ rules = [
'path': '/servers/detail'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create',
RULE_AOO,
"Create a server",
@@ -94,7 +96,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create:forced_host',
base.RULE_ADMIN_API,
"Create a server on the specified host",
@@ -104,7 +106,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create:attach_volume',
RULE_AOO,
"Create a server with the requested volume attached to it",
@@ -114,7 +116,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create:attach_network',
RULE_AOO,
"Create a server with the requested network attached to it",
@@ -124,7 +126,7 @@ rules = [
'path': '/servers'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'delete',
RULE_AOO,
"Delete a server",
@@ -134,7 +136,7 @@ rules = [
'path': '/servers/{server_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'update',
RULE_AOO,
"Update a server",
@@ -144,7 +146,7 @@ rules = [
'path': '/servers/{server_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'confirm_resize',
RULE_AOO,
"Confirm a server resize",
@@ -154,7 +156,7 @@ rules = [
'path': '/servers/{server_id}/action (confirmResize)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'revert_resize',
RULE_AOO,
"Revert a server resize",
@@ -164,7 +166,7 @@ rules = [
'path': '/servers/{server_id}/action (revertResize)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'reboot',
RULE_AOO,
"Reboot a server",
@@ -174,7 +176,7 @@ rules = [
'path': '/servers/{server_id}/action (reboot)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'resize',
RULE_AOO,
"Resize a server",
@@ -184,7 +186,7 @@ rules = [
'path': '/servers/{server_id}/action (resize)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'rebuild',
RULE_AOO,
"Rebuild a server",
@@ -194,7 +196,7 @@ rules = [
'path': '/servers/{server_id}/action (rebuild)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create_image',
RULE_AOO,
"Create an image from a server",
@@ -204,7 +206,7 @@ rules = [
'path': '/servers/{server_id}/action (createImage)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'create_image:allow_volume_backed',
RULE_AOO,
"Create an image from a volume backed server",
@@ -214,7 +216,7 @@ rules = [
'path': '/servers/{server_id}/action (createImage)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'start',
RULE_AOO,
"Start a server",
@@ -224,7 +226,7 @@ rules = [
'path': '/servers/{server_id}/action (os-start)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'stop',
RULE_AOO,
"Stop a server",
@@ -234,7 +236,7 @@ rules = [
'path': '/servers/{server_id}/action (os-stop)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
SERVERS % 'trigger_crash_dump',
RULE_AOO,
"Trigger crash dump in a server",

10
nova/policies/servers_migrations.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
servers_migrations_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_API,
"Show details for an in-progress live migration for a given server",
@@ -30,7 +32,7 @@ servers_migrations_policies = [
'path': '/servers/{server_id}/migrations/{migration_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'force_complete',
base.RULE_ADMIN_API,
"Force an in-progress live migration for a given server to complete",
@@ -41,7 +43,7 @@ servers_migrations_policies = [
'/action (force_complete)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_API,
"Delete(Abort) an in-progress live migration",
@@ -51,7 +53,7 @@ servers_migrations_policies = [
'path': '/servers/{server_id}/migrations/{migration_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_API,
"Lists in-progress live migrations for a given server",

4
nova/policies/services.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-services'
services_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Lists all running Compute services in a region, enables \

8
nova/policies/shelve.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-shelve:%s'
shelve_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'shelve',
base.RULE_ADMIN_OR_OWNER,
"Shelve Server",
@@ -30,7 +32,7 @@ shelve_policies = [
'path': '/servers/{server_id}/action (shelve)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'unshelve',
base.RULE_ADMIN_OR_OWNER,
"Unshelve (Restore) Shelved Server",
@@ -40,7 +42,7 @@ shelve_policies = [
'path': '/servers/{server_id}/action (unshelve)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'shelve_offload',
base.RULE_ADMIN_API,
"Shelf-Offload (Remove) Server",

6
nova/policies/simple_tenant_usage.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
simple_tenant_usage_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show usage statistics for a specific tenant.",
@@ -30,7 +32,7 @@ simple_tenant_usage_policies = [
'path': '/os-simple-tenant-usage/{tenant_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'list',
base.RULE_ADMIN_API,
"List per tenant usage statistics for all tenants.",

6
nova/policies/suspend_server.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
suspend_server_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'resume',
base.RULE_ADMIN_OR_OWNER,
"Resume suspended server",
@@ -30,7 +32,7 @@ suspend_server_policies = [
'path': '/servers/{server_id}/action (resume)'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'suspend',
base.RULE_ADMIN_OR_OWNER,
"Suspend server",

4
nova/policies/tenant_networks.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
tenant_networks_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Creates, lists, shows information for, and deletes

4
nova/policies/used_limits.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -22,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-used-limits'
used_limits_policies = [
# TODO(aunnam): Remove this rule after we seperate the scope check from
# policies, as this is only checking the scope.
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_API,
"""Shows rate and absolute limits for the project.

4
nova/policies/virtual_interfaces.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-virtual-interfaces'
virtual_interfaces_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""List Virtual Interfaces.

4
nova/policies/volumes.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-volumes'
volumes_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
"""Manages volumes for use with the Compute API.

12
nova/policies/volumes_attachments.py
View File

@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
@@ -20,7 +22,7 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
volumes_attachments_policies = [
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'index',
base.RULE_ADMIN_OR_OWNER,
"List volume attachments for an instance",
@@ -29,7 +31,7 @@ volumes_attachments_policies = [
'path': '/servers/{server_id}/os-volume_attachments'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'create',
base.RULE_ADMIN_OR_OWNER,
"Attach a volume to an instance",
@@ -39,7 +41,7 @@ volumes_attachments_policies = [
'path': '/servers/{server_id}/os-volume_attachments'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'show',
base.RULE_ADMIN_OR_OWNER,
"Show details of a volume attachment",
@@ -50,7 +52,7 @@ volumes_attachments_policies = [
'/servers/{server_id}/os-volume_attachments/{attachment_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'update',
base.RULE_ADMIN_API,
"Update a volume attachment",
@@ -61,7 +63,7 @@ volumes_attachments_policies = [
'/servers/{server_id}/os-volume_attachments/{attachment_id}'
}
]),
base.create_rule_default(
policy.DocumentedRuleDefault(
POLICY_ROOT % 'delete',
base.RULE_ADMIN_OR_OWNER,
"Detach a volume from an instance",