Fix oslo policy DeprecatedRule warnings
Since 3.7.0, oslo.policy emits a DeprecationWarning[1] if the deprecated_reason and deprecated_since params are not passed to DeprecatedRule, or if they are passed to a RuleDefault object. [1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538 Change-Id: Idbbc203c6ae65aee29f9463a4911bae2bb541f41
parent
e7a7fd51d1
commit
dfda0c0482
|
@ -76,7 +76,7 @@ oslo.i18n==5.0.1
|
||||||
oslo.log==4.4.0
|
oslo.log==4.4.0
|
||||||
oslo.messaging==10.3.0
|
oslo.messaging==10.3.0
|
||||||
oslo.middleware==3.31.0
|
oslo.middleware==3.31.0
|
||||||
oslo.policy==3.6.0
|
oslo.policy==3.7.0
|
||||||
oslo.privsep==2.4.0
|
oslo.privsep==2.4.0
|
||||||
oslo.reports==1.18.0
|
oslo.reports==1.18.0
|
||||||
oslo.rootwrap==5.8.0
|
oslo.rootwrap==5.8.0
|
||||||
|
|
|
@ -20,10 +20,6 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-attach-interfaces'
|
BASE_POLICY_NAME = 'os_compute_api:os-attach-interfaces'
|
||||||
POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
|
POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
|
||||||
DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
|
@ -31,6 +27,13 @@ capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0',
|
||||||
|
)
|
||||||
|
|
||||||
attach_interfaces_policies = [
|
attach_interfaces_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'list',
|
name=POLICY_ROOT % 'list',
|
||||||
|
@ -43,9 +46,7 @@ attach_interfaces_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INTERFACES_POLICY,
|
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'show',
|
name=POLICY_ROOT % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -57,9 +58,7 @@ attach_interfaces_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INTERFACES_POLICY,
|
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'create',
|
name=POLICY_ROOT % 'create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -71,9 +70,7 @@ attach_interfaces_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INTERFACES_POLICY,
|
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'delete',
|
name=POLICY_ROOT % 'delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -85,9 +82,7 @@ attach_interfaces_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INTERFACES_POLICY,
|
deprecated_rule=DEPRECATED_INTERFACES_POLICY)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0')
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
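Review bot: Nothing visible in this part of the change stops the warning from coming back: a later edit that puts `deprecated_reason`/`deprecated_since` back on a `DocumentedRuleDefault`, as the four rules in `attach_interfaces_policies` had before, would only log again. If the rest of the commit does not already do so, consider having the policy unit-test setup turn the warning into a failure, with something like `warnings.filterwarnings('error', category=DeprecationWarning, module='oslo_policy')`. The test files are not part of what is shown here, so this may already be covered.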
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
ROOT_POLICY = 'os_compute_api:os-baremetal-nodes'
|
ROOT_POLICY = 'os_compute_api:os-baremetal-nodes'
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes:%s'
|
||||||
|
|
||||||
DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
|
|
||||||
ROOT_POLICY,
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
|
||||||
|
ROOT_POLICY,
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
baremetal_nodes_policies = [
|
baremetal_nodes_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -48,9 +50,7 @@ These APIs are proxy calls to the Ironic service and are deprecated.
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_BAREMETAL_POLICY,
|
deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'show',
|
name=BASE_POLICY_NAME % 'show',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -62,9 +62,7 @@ These APIs are proxy calls to the Ironic service and are deprecated.
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_BAREMETAL_POLICY,
|
deprecated_rule=DEPRECATED_BAREMETAL_POLICY)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0')
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
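Review bot: The relocated `DEPRECATED_BAREMETAL_POLICY` call ends with `deprecated_since='22.0.0'` and no trailing comma, while `DEPRECATED_INTERFACES_POLICY` and `DEPRECATED_INSTANCE_ACTION_POLICY` in the same commit end with `deprecated_since='21.0.0',`. The same applies to `DEPRECATED_ADMIN_POLICY`, `DEPRECATED_ADMIN_OR_OWNER_POLICY`, `DEPRECATED_FLAVOR_ACCESS_POLICY`, `DEPRECATED_FIP_POLICY` and the `DEPRECATED_POLICY` definitions for os-deferred-delete, os-hosts and os-hypervisors. The last rule in `hypervisors_policies` also drops the comma after `deprecated_rule=DEPRECATED_POLICY` although its `),` stays on its own line. Picking one form, preferably with the trailing comma as in `deprecated_since='22.0.0',`, keeps future one-argument additions to single-line diffs.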
@ -17,22 +17,26 @@ RULE_ADMIN_API = 'rule:admin_api' # Allow only users with the admin role
|
||||||
RULE_ANY = '@' # Any user is allowed to perform the action.
|
RULE_ANY = '@' # Any user is allowed to perform the action.
|
||||||
RULE_NOBODY = '!' # No users are allowed to perform the action.
|
RULE_NOBODY = '!' # No users are allowed to perform the action.
|
||||||
|
|
||||||
DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
|
|
||||||
name=RULE_ADMIN_API,
|
|
||||||
check_str='is_admin:True',
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
|
|
||||||
name=RULE_ADMIN_OR_OWNER,
|
|
||||||
check_str='is_admin:True or project_id:%(project_id)s',
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
|
||||||
|
name=RULE_ADMIN_API,
|
||||||
|
check_str='is_admin:True',
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
|
||||||
|
name=RULE_ADMIN_OR_OWNER,
|
||||||
|
check_str='is_admin:True or project_id:%(project_id)s',
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
# TODO(gmann): # Special string ``system_scope:all`` is added for system
|
# TODO(gmann): # Special string ``system_scope:all`` is added for system
|
||||||
# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
|
# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
|
||||||
# enforce_scope = False``.
|
# enforce_scope = False``.
|
||||||
|
@ -103,30 +107,22 @@ rules = [
|
||||||
name="system_admin_api",
|
name="system_admin_api",
|
||||||
check_str='role:admin and system_scope:all',
|
check_str='role:admin and system_scope:all',
|
||||||
description="Default rule for System Admin APIs.",
|
description="Default rule for System Admin APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name="system_reader_api",
|
name="system_reader_api",
|
||||||
check_str="role:reader and system_scope:all",
|
check_str="role:reader and system_scope:all",
|
||||||
description="Default rule for System level read only APIs.",
|
description="Default rule for System level read only APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
"project_admin_api",
|
"project_admin_api",
|
||||||
"role:admin and project_id:%(project_id)s",
|
"role:admin and project_id:%(project_id)s",
|
||||||
"Default rule for Project level admin APIs.",
|
"Default rule for Project level admin APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
"project_member_api",
|
"project_member_api",
|
||||||
"role:member and project_id:%(project_id)s",
|
"role:member and project_id:%(project_id)s",
|
||||||
"Default rule for Project level non admin APIs.",
|
"Default rule for Project level non admin APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
"project_reader_api",
|
"project_reader_api",
|
||||||
"role:reader and project_id:%(project_id)s",
|
"role:reader and project_id:%(project_id)s",
|
||||||
|
@ -135,16 +131,12 @@ rules = [
|
||||||
name="system_admin_or_owner",
|
name="system_admin_or_owner",
|
||||||
check_str="rule:system_admin_api or rule:project_member_api",
|
check_str="rule:system_admin_api or rule:project_member_api",
|
||||||
description="Default rule for System admin+owner APIs.",
|
description="Default rule for System admin+owner APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
"system_or_project_reader",
|
"system_or_project_reader",
|
||||||
"rule:system_reader_api or rule:project_reader_api",
|
"rule:system_reader_api or rule:project_reader_api",
|
||||||
"Default rule for System+Project read only APIs.",
|
"Default rule for System+Project read only APIs.",
|
||||||
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY,
|
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0')
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
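Review bot: `DEPRECATED_ADMIN_POLICY` and `DEPRECATED_ADMIN_OR_OWNER_POLICY` are moved and extended but still carry no comment saying what attaching them means for enforcement, and they are wired into every default in `rules`. As far as I know oslo.policy keeps accepting the old `check_str` alongside the new default while a deprecated rule is attached, so `is_admin:True` and `is_admin:True or project_id:%(project_id)s` remain part of the effective defaults. I would add above the two definitions a comment such as `# NOTE: while attached, the old check_str is still accepted in addition to the new default unless [oslo_policy] enforce_new_defaults is enabled.` That gives operators reading the reason text the one setting that changes the behaviour.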
@ -20,17 +20,19 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-deferred-delete:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-deferred-delete',
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-deferred-delete',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
deferred_delete_policies = [
|
deferred_delete_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'restore',
|
name=BASE_POLICY_NAME % 'restore',
|
||||||
|
@ -43,9 +45,7 @@ deferred_delete_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'force',
|
name=BASE_POLICY_NAME % 'force',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -57,9 +57,7 @@ deferred_delete_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY)
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0')
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -29,17 +29,19 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
|
||||||
# SYSTEM_READER rule in base class is defined with the deprecated rule of admin
|
# SYSTEM_READER rule in base class is defined with the deprecated rule of admin
|
||||||
# not admin or owner which is the main reason that we need to explicitly
|
# not admin or owner which is the main reason that we need to explicitly
|
||||||
# deprecate this policy here.
|
# deprecate this policy here.
|
||||||
DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
flavor_access_policies = [
|
flavor_access_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'add_tenant_access',
|
name=POLICY_ROOT % 'add_tenant_access',
|
||||||
|
@ -78,9 +80,7 @@ to a flavor via an os-flavor-access API.
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY,
|
deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
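Review bot: The comment ending `# deprecate this policy here.` used to sit directly above `DEPRECATED_FLAVOR_ACCESS_POLICY`, but after the move it sits above `DEPRECATED_REASON` and no longer introduces the rule it explains. Since it is the only explanation of why this file deprecates against `base.RULE_ADMIN_OR_OWNER` rather than the admin rule used by `SYSTEM_READER`, it should move with the definition to just above `DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(`. The start of the comment is outside the hunk, so the whole comment block should move, not only the three lines shown.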
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
ROOT_POLICY = 'os_compute_api:os-floating-ips'
|
ROOT_POLICY = 'os_compute_api:os-floating-ips'
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-floating-ips:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-floating-ips:%s'
|
||||||
|
|
||||||
DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
|
|
||||||
ROOT_POLICY,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
|
||||||
|
ROOT_POLICY,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
floating_ips_policies = [
|
floating_ips_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -46,9 +48,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'remove',
|
name=BASE_POLICY_NAME % 'remove',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -61,9 +61,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'list',
|
name=BASE_POLICY_NAME % 'list',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -75,9 +73,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'create',
|
name=BASE_POLICY_NAME % 'create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -89,9 +85,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'show',
|
name=BASE_POLICY_NAME % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -103,9 +97,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'delete',
|
name=BASE_POLICY_NAME % 'delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -117,9 +109,7 @@ floating_ips_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_FIP_POLICY,
|
deprecated_rule=DEPRECATED_FIP_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -22,17 +22,19 @@ BASE_POLICY_NAME = 'os_compute_api:os-hosts'
|
||||||
|
|
||||||
POLICY_NAME = 'os_compute_api:os-hosts:%s'
|
POLICY_NAME = 'os_compute_api:os-hosts:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
hosts_policies = [
|
hosts_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'list',
|
name=POLICY_NAME % 'list',
|
||||||
|
@ -47,9 +49,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'show',
|
name=POLICY_NAME % 'show',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -63,9 +63,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'update',
|
name=POLICY_NAME % 'update',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -79,9 +77,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'reboot',
|
name=POLICY_NAME % 'reboot',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -95,9 +91,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'shutdown',
|
name=POLICY_NAME % 'shutdown',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -111,9 +105,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'start',
|
name=POLICY_NAME % 'start',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -127,9 +119,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -20,17 +20,20 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-hypervisors:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-hypervisors:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-hypervisors',
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-hypervisors',
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
hypervisors_policies = [
|
hypervisors_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'list',
|
name=BASE_POLICY_NAME % 'list',
|
||||||
|
@ -43,9 +46,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'list-detail',
|
name=BASE_POLICY_NAME % 'list-detail',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -57,9 +58,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'statistics',
|
name=BASE_POLICY_NAME % 'statistics',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -72,9 +71,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'show',
|
name=BASE_POLICY_NAME % 'show',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -86,9 +83,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'uptime',
|
name=BASE_POLICY_NAME % 'uptime',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -100,9 +95,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'search',
|
name=BASE_POLICY_NAME % 'search',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -114,9 +107,7 @@ hypervisors_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'servers',
|
name=BASE_POLICY_NAME % 'servers',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -130,9 +121,7 @@ hypervisors_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0',
|
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
@ -21,17 +21,20 @@ from nova.policies import base
|
||||||
ROOT_POLICY = 'os_compute_api:os-instance-actions'
|
ROOT_POLICY = 'os_compute_api:os-instance-actions'
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-instance-actions:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-instance-actions:%s'
|
||||||
|
|
||||||
DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
|
|
||||||
ROOT_POLICY,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
|
||||||
|
ROOT_POLICY,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
instance_actions_policies = [
|
instance_actions_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'events:details',
|
name=BASE_POLICY_NAME % 'events:details',
|
||||||
|
@ -82,9 +85,7 @@ passes, the name of the host.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY,
|
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'show',
|
name=BASE_POLICY_NAME % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -96,9 +97,7 @@ passes, the name of the host.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY,
|
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
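Review bot: `DEPRECATED_INSTANCE_ACTION_POLICY` now carries the reason and version, but nothing near the definition says what the deprecated check string still does at enforcement time. As far as I know, oslo.policy ORs the old `base.RULE_ADMIN_OR_OWNER` check with each rule's new `check_str` unless `[oslo_policy] enforce_new_defaults` is enabled, so the legacy default stays effective during the deprecation window. A short comment above the definition would help anyone auditing these defaults, for example `# Legacy check is OR-ed with the new default until enforce_new_defaults is set.` The same applies to the other `DeprecatedRule` definitions moved in this commit.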
|
@ -20,17 +20,19 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-instance-usage-audit-log',
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-instance-usage-audit-log',
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
instance_usage_audit_log_policies = [
|
instance_usage_audit_log_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'list',
|
name=BASE_POLICY_NAME % 'list',
|
||||||
|
@ -43,9 +45,7 @@ instance_usage_audit_log_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'show',
|
name=BASE_POLICY_NAME % 'show',
|
||||||
check_str=base.SYSTEM_READER,
|
check_str=base.SYSTEM_READER,
|
||||||
|
@ -60,9 +60,7 @@ instance_usage_audit_log_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
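Review bot: The last keyword argument of the new `DEPRECATED_POLICY` definition, `deprecated_since='21.0.0'`, has no trailing comma, while the `DeprecatedRule` definitions in the instance-actions and services sections of this same commit do end with one. Writing `deprecated_since='21.0.0',` here keeps the multi-line calls uniform and makes a later added argument a one-line diff. The limits, multinic, networks, rescue, security-groups, server-password, tenant-networks and volumes sections have the same omission, each with its own version string.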
|
@ -20,10 +20,6 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:limits'
|
BASE_POLICY_NAME = 'os_compute_api:limits'
|
||||||
OTHER_PROJECT_LIMIT_POLICY_NAME = 'os_compute_api:limits:other_project'
|
OTHER_PROJECT_LIMIT_POLICY_NAME = 'os_compute_api:limits:other_project'
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-used-limits',
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
|
@ -31,6 +27,13 @@ capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-used-limits',
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
limits_policies = [
|
limits_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME,
|
name=BASE_POLICY_NAME,
|
||||||
|
@ -59,9 +62,7 @@ os_compute_api:limits passes""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
ROOT_POLICY = 'os_compute_api:os-multinic'
|
ROOT_POLICY = 'os_compute_api:os-multinic'
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-multinic:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-multinic:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
ROOT_POLICY,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
ROOT_POLICY,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
multinic_policies = [
|
multinic_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -48,9 +50,7 @@ deprecated.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'remove',
|
name=BASE_POLICY_NAME % 'remove',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -65,9 +65,7 @@ deprecated.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
POLICY_ROOT = 'os_compute_api:os-networks:%s'
|
POLICY_ROOT = 'os_compute_api:os-networks:%s'
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-networks:view'
|
BASE_POLICY_NAME = 'os_compute_api:os-networks:view'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
networks_policies = [
|
networks_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -47,9 +49,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_ROOT % 'show',
|
name=POLICY_ROOT % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -63,9 +63,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -21,16 +21,18 @@ from nova.policies import base
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-rescue'
|
BASE_POLICY_NAME = 'os_compute_api:os-rescue'
|
||||||
UNRESCUE_POLICY_NAME = 'os_compute_api:os-unrescue'
|
UNRESCUE_POLICY_NAME = 'os_compute_api:os-unrescue'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-rescue',
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Rescue/Unrescue API policies are made granular with new policy
|
Rescue/Unrescue API policies are made granular with new policy
|
||||||
for unrescue and keeping old policy for rescue.
|
for unrescue and keeping old policy for rescue.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-rescue',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
rescue_policies = [
|
rescue_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -55,9 +57,7 @@ rescue_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'
|
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
@ -22,17 +22,19 @@ BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
|
||||||
|
|
||||||
POLICY_NAME = 'os_compute_api:os-security-groups:%s'
|
POLICY_NAME = 'os_compute_api:os-security-groups:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
security_groups_policies = [
|
security_groups_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'get',
|
name=POLICY_NAME % 'get',
|
||||||
|
@ -45,9 +47,7 @@ security_groups_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'show',
|
name=POLICY_NAME % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -59,9 +59,7 @@ security_groups_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'create',
|
name=POLICY_NAME % 'create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -73,9 +71,7 @@ security_groups_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'update',
|
name=POLICY_NAME % 'update',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -87,9 +83,7 @@ security_groups_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'delete',
|
name=POLICY_NAME % 'delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -101,9 +95,7 @@ security_groups_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'rule:create',
|
name=POLICY_NAME % 'rule:create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -115,9 +107,7 @@ security_groups_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'rule:delete',
|
name=POLICY_NAME % 'rule:delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -129,9 +119,7 @@ security_groups_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'list',
|
name=POLICY_NAME % 'list',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -143,9 +131,7 @@ security_groups_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'add',
|
name=POLICY_NAME % 'add',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -157,9 +143,7 @@ security_groups_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'remove',
|
name=POLICY_NAME % 'remove',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -171,9 +155,7 @@ security_groups_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
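Review bot: The `list`, `add` and `remove` rules at the end of this list used to declare `deprecated_since='21.0.0'`, but after the move they inherit `deprecated_since='22.0.0'` from the shared `DEPRECATED_POLICY`, so their reported deprecation version changes. If 21.0.0 was correct for them, they need a second `policy.DeprecatedRule` with the same name and check string but `deprecated_since='21.0.0'`, referenced from those three rules. If the old value was a mistake, the commit message should say the version was normalised. Operators reading the deprecation warnings to plan policy-file migration rely on this value being accurate.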
|
@ -20,17 +20,19 @@ from nova.policies import base
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-server-password',
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-server-password',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
server_password_policies = [
|
server_password_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -45,9 +47,7 @@ server_password_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'clear',
|
name=BASE_POLICY_NAME % 'clear',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -60,9 +60,7 @@ server_password_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -19,10 +19,6 @@ from nova.policies import base
|
||||||
|
|
||||||
|
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-services:%s'
|
BASE_POLICY_NAME = 'os_compute_api:os-services:%s'
|
||||||
DEPRECATED_SERVICE_POLICY = policy.DeprecatedRule(
|
|
||||||
'os_compute_api:os-services',
|
|
||||||
base.RULE_ADMIN_API,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
|
@ -30,6 +26,14 @@ capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_SERVICE_POLICY = policy.DeprecatedRule(
|
||||||
|
'os_compute_api:os-services',
|
||||||
|
base.RULE_ADMIN_API,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='21.0.0',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
services_policies = [
|
services_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'list',
|
name=BASE_POLICY_NAME % 'list',
|
||||||
|
@ -42,9 +46,7 @@ services_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_SERVICE_POLICY,
|
deprecated_rule=DEPRECATED_SERVICE_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'update',
|
name=BASE_POLICY_NAME % 'update',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -57,9 +59,7 @@ services_policies = [
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_SERVICE_POLICY,
|
deprecated_rule=DEPRECATED_SERVICE_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=BASE_POLICY_NAME % 'delete',
|
name=BASE_POLICY_NAME % 'delete',
|
||||||
check_str=base.SYSTEM_ADMIN,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
|
@ -71,9 +71,7 @@ services_policies = [
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
deprecated_rule=DEPRECATED_SERVICE_POLICY,
|
deprecated_rule=DEPRECATED_SERVICE_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='21.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
|
BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
|
||||||
POLICY_NAME = 'os_compute_api:os-tenant-networks:%s'
|
POLICY_NAME = 'os_compute_api:os-tenant-networks:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
tenant_networks_policies = [
|
tenant_networks_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -47,9 +49,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'show',
|
name=POLICY_NAME % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -63,9 +63,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -21,17 +21,19 @@ from nova.policies import base
|
||||||
BASE_POLICY_NAME = 'os_compute_api:os-volumes'
|
BASE_POLICY_NAME = 'os_compute_api:os-volumes'
|
||||||
POLICY_NAME = 'os_compute_api:os-volumes:%s'
|
POLICY_NAME = 'os_compute_api:os-volumes:%s'
|
||||||
|
|
||||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
|
||||||
BASE_POLICY_NAME,
|
|
||||||
base.RULE_ADMIN_OR_OWNER,
|
|
||||||
)
|
|
||||||
|
|
||||||
DEPRECATED_REASON = """
|
DEPRECATED_REASON = """
|
||||||
Nova API policies are introducing new default roles with scope_type
|
Nova API policies are introducing new default roles with scope_type
|
||||||
capabilities. Old policies are deprecated and silently going to be ignored
|
capabilities. Old policies are deprecated and silently going to be ignored
|
||||||
in nova 23.0.0 release.
|
in nova 23.0.0 release.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||||
|
BASE_POLICY_NAME,
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since='22.0.0'
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
volumes_policies = [
|
volumes_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
|
@ -47,9 +49,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'create',
|
name=POLICY_NAME % 'create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -63,9 +63,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'detail',
|
name=POLICY_NAME % 'detail',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -79,9 +77,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'show',
|
name=POLICY_NAME % 'show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -95,9 +91,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'delete',
|
name=POLICY_NAME % 'delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -111,9 +105,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'snapshots:list',
|
name=POLICY_NAME % 'snapshots:list',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -127,9 +119,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'snapshots:create',
|
name=POLICY_NAME % 'snapshots:create',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -143,9 +133,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'snapshots:detail',
|
name=POLICY_NAME % 'snapshots:detail',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -159,9 +147,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'snapshots:show',
|
name=POLICY_NAME % 'snapshots:show',
|
||||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||||
|
@ -175,9 +161,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=POLICY_NAME % 'snapshots:delete',
|
name=POLICY_NAME % 'snapshots:delete',
|
||||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||||
|
@ -191,9 +175,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system', 'project'],
|
scope_types=['system', 'project'],
|
||||||
deprecated_rule=DEPRECATED_POLICY,
|
deprecated_rule=DEPRECATED_POLICY),
|
||||||
deprecated_reason=DEPRECATED_REASON,
|
|
||||||
deprecated_since='22.0.0'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -43,7 +43,7 @@ oslo.utils>=4.8.0 # Apache-2.0
|
||||||
oslo.db>=4.44.0 # Apache-2.0
|
oslo.db>=4.44.0 # Apache-2.0
|
||||||
oslo.rootwrap>=5.8.0 # Apache-2.0
|
oslo.rootwrap>=5.8.0 # Apache-2.0
|
||||||
oslo.messaging>=10.3.0 # Apache-2.0
|
oslo.messaging>=10.3.0 # Apache-2.0
|
||||||
oslo.policy>=3.6.0 # Apache-2.0
|
oslo.policy>=3.7.0 # Apache-2.0
|
||||||
oslo.privsep>=2.4.0 # Apache-2.0
|
oslo.privsep>=2.4.0 # Apache-2.0
|
||||||
oslo.i18n>=5.0.1 # Apache-2.0
|
oslo.i18n>=5.0.1 # Apache-2.0
|
||||||
oslo.service>=2.5.0 # Apache-2.0
|
oslo.service>=2.5.0 # Apache-2.0
|
||||||
|
|