diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 9408a6dcf91f..fc3cbac2b98a 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -16,39 +16,6 @@
 "os_compute_api:servers:migrations:show": "rule:admin_api",
 "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
 "os_compute_api:os-remote-consoles:discoverable": "@",
- "os_compute_api:images:discoverable": "@",
- "os_compute_api:image-size": "rule:admin_or_owner",
- "os_compute_api:image-size:discoverable": "@",
- "os_compute_api:os-instance-actions": "rule:admin_or_owner",
- "os_compute_api:os-instance-actions:discoverable": "@",
- "os_compute_api:os-instance-actions:events": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log:discoverable": "@",
- "os_compute_api:ips:discoverable": "@",
- "os_compute_api:ips:index": "rule:admin_or_owner",
- "os_compute_api:ips:show": "rule:admin_or_owner",
- "os_compute_api:os-keypairs:discoverable": "@",
- "os_compute_api:os-keypairs": "rule:admin_or_owner",
- "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:limits:discoverable": "@",
- "os_compute_api:limits": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:discoverable": "@",
- "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
- "os_compute_api:os-migrate-server:discoverable": "@",
- "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
- "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
- "os_compute_api:os-multinic": "rule:admin_or_owner",
- "os_compute_api:os-multinic:discoverable": "@",
- "os_compute_api:os-networks": "rule:admin_api",
- "os_compute_api:os-networks:view": "rule:admin_or_owner",
- "os_compute_api:os-networks:discoverable": "@",
- "os_compute_api:os-networks-associate": "rule:admin_api",
- "os_compute_api:os-networks-associate:discoverable": "@",
 "os_compute_api:os-pause-server:discoverable": "@",
 "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
 "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
@@ -123,8 +90,6 @@
 "os_compute_api:os-volumes-attachments:discoverable": "@",
 "os_compute_api:os-used-limits": "rule:admin_api",
 "os_compute_api:os-used-limits:discoverable": "@",
- "os_compute_api:os-migrations:index": "rule:admin_api",
- "os_compute_api:os-migrations:discoverable": "@",
 "os_compute_api:os-server-external-events:create": "rule:admin_api",
 "os_compute_api:os-server-external-events:discoverable": "@"
 }
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
index 972834bf184e..53ae90646572 100644
--- a/nova/policies/__init__.py
+++ b/nova/policies/__init__.py
@@ -54,6 +54,19 @@ from nova.policies import fping
 from nova.policies import hide_server_addresses
 from nova.policies import hosts
 from nova.policies import hypervisors
+from nova.policies import image_size
+from nova.policies import images
+from nova.policies import instance_actions
+from nova.policies import instance_usage_audit_log
+from nova.policies import ips
+from nova.policies import keypairs
+from nova.policies import limits
+from nova.policies import lock_server
+from nova.policies import migrate_server
+from nova.policies import migrations
+from nova.policies import multinic
+from nova.policies import networks
+from nova.policies import networks_associate
 from nova.policies import servers
@@ -100,5 +113,18 @@ def list_rules():
 hide_server_addresses.list_rules(),
 hosts.list_rules(),
 hypervisors.list_rules(),
+ image_size.list_rules(),
+ images.list_rules(),
+ instance_actions.list_rules(),
+ instance_usage_audit_log.list_rules(),
+ ips.list_rules(),
+ keypairs.list_rules(),
+ limits.list_rules(),
+ lock_server.list_rules(),
+ migrate_server.list_rules(),
+ migrations.list_rules(),
+ multinic.list_rules(),
+ networks.list_rules(),
+ networks_associate.list_rules(),
 servers.list_rules()
 )
diff --git a/nova/policies/image_size.py b/nova/policies/image_size.py
new file mode 100644
index 000000000000..f1505314eef3
--- /dev/null
+++ b/nova/policies/image_size.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:image-size'
+POLICY_ROOT = 'os_compute_api:image-size:%s'
+
+
+image_size_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return image_size_policies
diff --git a/nova/policies/images.py b/nova/policies/images.py
new file mode 100644
index 000000000000..80a0ab92f7c1
--- /dev/null
+++ b/nova/policies/images.py
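Review bot: The thirteen modules added to the call in list_rules() are wired in by hand twice, once in the import block and once here, and nothing visible in the change checks that the two lists stay in step. A module that is imported but left out of this call would contribute no defaults, and because the same commit deletes those entries from etc/nova/policy.json, the affected rules would presumably be absent at enforcement time rather than falling back to a file value. A unit test that compares the rule names returned by `list_rules()` with the keys removed from policy.json would catch an omission or a typo in a name. list_rules() begins above the hunk, so the way the per-module lists are combined is not visible here.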
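Review bot: None of the `policy.RuleDefault(...)` entries in image_size_policies passes a `description`, and `list_rules()` has no docstring, so a reader gets the rule name and check string with no statement of which API action each default guards or whom it admits. Add a one-line `description=` to each entry and a docstring such as `"""Return the default policy rules for the image-size API."""`. The same applies to the other twelve new modules in this change (images.py through networks_associate.py). base.RULE_ANY, base.RULE_ADMIN_OR_OWNER and base.RULE_ADMIN_API are defined outside this diff, so that they equal the removed `@`, `rule:admin_or_owner` and `rule:admin_api` strings is assumed rather than confirmed from these hunks.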
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:images:%s'
+
+
+images_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return images_policies
diff --git a/nova/policies/instance_actions.py b/nova/policies/instance_actions.py
new file mode 100644
index 000000000000..db219b0730d5
--- /dev/null
+++ b/nova/policies/instance_actions.py
@@ -0,0 +1,39 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-instance-actions'
+POLICY_ROOT = 'os_compute_api:os-instance-actions:%s'
+
+
+instance_actions_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'events',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return instance_actions_policies
diff --git a/nova/policies/instance_usage_audit_log.py b/nova/policies/instance_usage_audit_log.py
new file mode 100644
index 000000000000..f224b4f53201
--- /dev/null
+++ b/nova/policies/instance_usage_audit_log.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
+POLICY_ROOT = 'os_compute_api:os-instance-usage-audit-log:%s'
+
+
+instance_usage_audit_log_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return instance_usage_audit_log_policies
diff --git a/nova/policies/ips.py b/nova/policies/ips.py
new file mode 100644
index 000000000000..298840e1c9ab
--- /dev/null
+++ b/nova/policies/ips.py
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:ips:%s'
+
+
+ips_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return ips_policies
diff --git a/nova/policies/keypairs.py b/nova/policies/keypairs.py
new file mode 100644
index 000000000000..0cf7372d914b
--- /dev/null
+++ b/nova/policies/keypairs.py
@@ -0,0 +1,48 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-keypairs'
+POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
+
+
+keypairs_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str='rule:admin_api or user_id:%(user_id)s'),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str='rule:admin_api or user_id:%(user_id)s'),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str='rule:admin_api or user_id:%(user_id)s'),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str='rule:admin_api or user_id:%(user_id)s'),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return keypairs_policies
diff --git a/nova/policies/limits.py b/nova/policies/limits.py
new file mode 100644
index 000000000000..bc1edd6fb04e
--- /dev/null
+++ b/nova/policies/limits.py
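Review bot: The literal `'rule:admin_api or user_id:%(user_id)s'` is written out four times in keypairs_policies (index, create, delete, show), so a later edit to one copy can leave the four keypair actions with different owner checks without anything flagging it. Define it once, for example `KEYPAIRS_OWNER_RULE = 'rule:admin_api or user_id:%(user_id)s'`, and pass `check_str=KEYPAIRS_OWNER_RULE` in each entry. A short comment would also help the next reader: these four rules match on the target's user_id, while the base `os_compute_api:os-keypairs` rule uses base.RULE_ADMIN_OR_OWNER, which is defined outside this diff and presumably matches on project, and the reason for the difference is not stated in the file.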
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:limits'
+POLICY_ROOT = 'os_compute_api:limits:%s'
+
+
+limits_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return limits_policies
diff --git a/nova/policies/lock_server.py b/nova/policies/lock_server.py
new file mode 100644
index 000000000000..5efbcf45f4aa
--- /dev/null
+++ b/nova/policies/lock_server.py
@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
+
+
+lock_server_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'lock',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'unlock:unlock_override',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'unlock',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return lock_server_policies
diff --git a/nova/policies/migrate_server.py b/nova/policies/migrate_server.py
new file mode 100644
index 000000000000..1574edd6000d
--- /dev/null
+++ b/nova/policies/migrate_server.py
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
+
+
+migrate_server_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'migrate',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'migrate_live',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return migrate_server_policies
diff --git a/nova/policies/migrations.py b/nova/policies/migrations.py
new file mode 100644
index 000000000000..20d2e2d90b36
--- /dev/null
+++ b/nova/policies/migrations.py
@@ -0,0 +1,35 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-migrations:%s'
+
+
+migrations_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return migrations_policies
diff --git a/nova/policies/multinic.py b/nova/policies/multinic.py
new file mode 100644
index 000000000000..3efa9538e3f0
--- /dev/null
+++ b/nova/policies/multinic.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-multinic'
+POLICY_ROOT = 'os_compute_api:os-multinic:%s'
+
+
+multinic_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return multinic_policies
diff --git a/nova/policies/networks.py b/nova/policies/networks.py
new file mode 100644
index 000000000000..6bc14f2404cf
--- /dev/null
+++ b/nova/policies/networks.py
@@ -0,0 +1,39 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-networks'
+POLICY_ROOT = 'os_compute_api:os-networks:%s'
+
+
+networks_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'view',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return networks_policies
diff --git a/nova/policies/networks_associate.py b/nova/policies/networks_associate.py
new file mode 100644
index 000000000000..cf29e87af439
--- /dev/null
+++ b/nova/policies/networks_associate.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-networks-associate'
+POLICY_ROOT = 'os_compute_api:os-networks-associate:%s'
+
+
+networks_associate_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return networks_associate_policies