diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index fc3cbac2b98a..898ba356917c 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -14,42 +14,8 @@
 "os_compute_api:servers:discoverable": "@",
 "os_compute_api:servers:migrations:index": "rule:admin_api",
 "os_compute_api:servers:migrations:show": "rule:admin_api",
- "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
- "os_compute_api:os-remote-consoles:discoverable": "@",
- "os_compute_api:os-pause-server:discoverable": "@",
- "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
- "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
- "os_compute_api:os-pci:pci_servers": "rule:admin_or_owner",
- "os_compute_api:os-pci:discoverable": "@",
- "os_compute_api:os-pci:index": "rule:admin_api",
- "os_compute_api:os-pci:detail": "rule:admin_api",
- "os_compute_api:os-pci:show": "rule:admin_api",
- "os_compute_api:os-personality:discoverable": "@",
- "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "@",
- "os_compute_api:os-quota-sets:discoverable": "@",
- "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:defaults": "@",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-sets:delete": "rule:admin_api",
- "os_compute_api:os-quota-sets:detail": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
- "os_compute_api:os-quota-class-sets:discoverable": "@",
- "os_compute_api:os-rescue": "rule:admin_or_owner",
- "os_compute_api:os-rescue:discoverable": "@",
- "os_compute_api:os-scheduler-hints:discoverable": "@",
- "os_compute_api:os-security-group-default-rules:discoverable": "@",
- "os_compute_api:os-security-group-default-rules": "rule:admin_api",
- "os_compute_api:os-security-groups": "rule:admin_or_owner",
- "os_compute_api:os-security-groups:discoverable": "@",
- "os_compute_api:os-server-diagnostics": "rule:admin_api",
- "os_compute_api:os-server-diagnostics:discoverable": "@",
- "os_compute_api:os-server-password": "rule:admin_or_owner",
- "os_compute_api:os-server-password:discoverable": "@",
 "os_compute_api:os-server-usage": "rule:admin_or_owner",
 "os_compute_api:os-server-usage:discoverable": "@",
- "os_compute_api:os-server-groups": "rule:admin_or_owner",
- "os_compute_api:os-server-groups:discoverable": "@",
 "os_compute_api:os-server-tags:index": "@",
 "os_compute_api:os-server-tags:show": "@",
 "os_compute_api:os-server-tags:update": "@",
@@ -58,13 +24,6 @@
 "os_compute_api:os-server-tags:delete_all": "@",
 "os_compute_api:os-services": "rule:admin_api",
 "os_compute_api:os-services:discoverable": "@",
- "os_compute_api:server-metadata:discoverable": "@",
- "os_compute_api:server-metadata:index": "rule:admin_or_owner",
- "os_compute_api:server-metadata:show": "rule:admin_or_owner",
- "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
- "os_compute_api:server-metadata:create": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
 "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
 "os_compute_api:os-shelve:shelve:discoverable": "@",
 "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
@@ -89,7 +48,5 @@
 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
 "os_compute_api:os-volumes-attachments:discoverable": "@",
 "os_compute_api:os-used-limits": "rule:admin_api",
- "os_compute_api:os-used-limits:discoverable": "@",
- "os_compute_api:os-server-external-events:create": "rule:admin_api",
- "os_compute_api:os-server-external-events:discoverable": "@"
+ "os_compute_api:os-used-limits:discoverable": "@"
 }
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
index 53ae90646572..d877b11d49f4 100644
--- a/nova/policies/__init__.py
+++ b/nova/policies/__init__.py
@@ -67,6 +67,22 @@ from nova.policies import migrations
 from nova.policies import multinic
 from nova.policies import networks
 from nova.policies import networks_associate
+from nova.policies import pause_server
+from nova.policies import pci
+from nova.policies import personality
+from nova.policies import preserve_ephemeral_rebuild
+from nova.policies import quota_class_sets
+from nova.policies import quota_sets
+from nova.policies import remote_consoles
+from nova.policies import rescue
+from nova.policies import scheduler_hints
+from nova.policies import security_group_default_rules
+from nova.policies import security_groups
+from nova.policies import server_diagnostics
+from nova.policies import server_external_events
+from nova.policies import server_groups
+from nova.policies import server_metadata
+from nova.policies import server_password
 from nova.policies import servers
@@ -126,5 +142,21 @@ def list_rules():
 multinic.list_rules(),
 networks.list_rules(),
 networks_associate.list_rules(),
+ pause_server.list_rules(),
+ pci.list_rules(),
+ personality.list_rules(),
+ preserve_ephemeral_rebuild.list_rules(),
+ quota_class_sets.list_rules(),
+ quota_sets.list_rules(),
+ remote_consoles.list_rules(),
+ rescue.list_rules(),
+ scheduler_hints.list_rules(),
+ security_group_default_rules.list_rules(),
+ security_groups.list_rules(),
+ server_diagnostics.list_rules(),
+ server_external_events.list_rules(),
+ server_groups.list_rules(),
+ server_metadata.list_rules(),
+ server_password.list_rules(),
 servers.list_rules()
 )
diff --git a/nova/policies/pause_server.py b/nova/policies/pause_server.py
new file mode 100644
index 000000000000..65c2f382ac67
--- /dev/null
+++ b/nova/policies/pause_server.py
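Review bot: Nothing visible in this diff checks that every module imported in the first hunk is also listed in the call inside `list_rules()` in the second hunk; the two lists are kept in step by hand. They do match here (sixteen imports, sixteen `list_rules()` calls), but a module that is imported and then left out of the call would not have its defaults registered, and this commit removes the same entries from etc/nova/policy.json, so nothing else would define them. A unit test that compares the rule names returned by `nova.policies.list_rules()` with the names each module under nova/policies exports would catch that; how enforcement treats an unregistered name depends on the enforcer and is not shown here. The body of `list_rules()` starts outside the hunk.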
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
+
+
+pause_server_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'unpause',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'pause',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return pause_server_policies
diff --git a/nova/policies/pci.py b/nova/policies/pci.py
new file mode 100644
index 000000000000..6bca116226c4
--- /dev/null
+++ b/nova/policies/pci.py
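Review bot: None of the `policy.RuleDefault` entries in `pause_server_policies` passes a `description`, so neither the code nor a policy file generated from these defaults says what each rule guards. I would give every entry one, for example `policy.RuleDefault(name=POLICY_ROOT % 'pause', check_str=base.RULE_ADMIN_OR_OWNER, description='Pause a server'),`. The same gap is in all fifteen other modules this commit adds under nova/policies (pci.py through server_password.py), and it matters most for the rules whose names suggest sensitive operations, such as os-server-password, os-remote-consoles and os-server-external-events, where an operator overriding the default needs to know what is being opened up. `list_rules()` would also benefit from a one-line docstring saying it returns the default rules for this API extension.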
@@ -0,0 +1,44 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-pci:%s'
+
+
+pci_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'detail',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'pci_servers',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return pci_policies
diff --git a/nova/policies/personality.py b/nova/policies/personality.py
new file mode 100644
index 000000000000..81f3c2ea944a
--- /dev/null
+++ b/nova/policies/personality.py
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-personality:%s'
+
+
+personality_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return personality_policies
diff --git a/nova/policies/preserve_ephemeral_rebuild.py b/nova/policies/preserve_ephemeral_rebuild.py
new file mode 100644
index 000000000000..c0d842b7b8c3
--- /dev/null
+++ b/nova/policies/preserve_ephemeral_rebuild.py
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-preserve-ephemeral-rebuild:%s'
+
+
+preserve_ephemeral_rebuild_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return preserve_ephemeral_rebuild_policies
diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py
new file mode 100644
index 000000000000..95ffd7409552
--- /dev/null
+++ b/nova/policies/quota_class_sets.py
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
+
+
+quota_class_sets_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str='is_admin:True or quota_class:%(quota_class)s'),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return quota_class_sets_policies
diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py
new file mode 100644
index 000000000000..aecd4e27af21
--- /dev/null
+++ b/nova/policies/quota_sets.py
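Review bot: The `show` rule spells its check as the bare literal `'is_admin:True or quota_class:%(quota_class)s'` with no comment, while every other rule added by this commit uses a `base.RULE_*` constant. The string is carried over unchanged from the removed policy.json entry, so the default itself is not altered, but a reader cannot tell from this file which target key the check relies on. I would put a comment above it such as `# Non-admin callers pass only when their credential's quota_class equals the target's quota_class, so the API must put quota_class in the target.`; that reading of the generic check should be confirmed against oslo.policy before it is written down.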
@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
+
+
+quota_sets_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'defaults',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'detail',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return quota_sets_policies
diff --git a/nova/policies/remote_consoles.py b/nova/policies/remote_consoles.py
new file mode 100644
index 000000000000..43b7870dc48a
--- /dev/null
+++ b/nova/policies/remote_consoles.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-remote-consoles'
+POLICY_ROOT = 'os_compute_api:os-remote-consoles:%s'
+
+
+remote_consoles_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return remote_consoles_policies
diff --git a/nova/policies/rescue.py b/nova/policies/rescue.py
new file mode 100644
index 000000000000..274306397817
--- /dev/null
+++ b/nova/policies/rescue.py
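Review bot: `BASE_POLICY_NAME` and `POLICY_ROOT` repeat the same prefix as two separate string literals, so a typo in either one would register a default under a name that presumably nothing enforces, without any error at import time. Deriving one from the other removes that risk: `POLICY_ROOT = BASE_POLICY_NAME + ':%s'`. The same pair of literals appears in rescue.py, security_group_default_rules.py, security_groups.py, server_diagnostics.py, server_groups.py and server_password.py in this commit.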
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-rescue'
+POLICY_ROOT = 'os_compute_api:os-rescue:%s'
+
+
+rescue_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return rescue_policies
diff --git a/nova/policies/scheduler_hints.py b/nova/policies/scheduler_hints.py
new file mode 100644
index 000000000000..d12e33f3cbad
--- /dev/null
+++ b/nova/policies/scheduler_hints.py
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-scheduler-hints:%s'
+
+
+scheduler_hints_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return scheduler_hints_policies
diff --git a/nova/policies/security_group_default_rules.py b/nova/policies/security_group_default_rules.py
new file mode 100644
index 000000000000..4fecc3a8d448
--- /dev/null
+++ b/nova/policies/security_group_default_rules.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-security-group-default-rules'
+POLICY_ROOT = 'os_compute_api:os-security-group-default-rules:%s'
+
+
+security_group_default_rules_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return security_group_default_rules_policies
diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py
new file mode 100644
index 000000000000..14cb6f795035
--- /dev/null
+++ b/nova/policies/security_groups.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-security-groups'
+POLICY_ROOT = 'os_compute_api:os-security-groups:%s'
+
+
+security_groups_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return security_groups_policies
diff --git a/nova/policies/server_diagnostics.py b/nova/policies/server_diagnostics.py
new file mode 100644
index 000000000000..84643081619b
--- /dev/null
+++ b/nova/policies/server_diagnostics.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-diagnostics'
+POLICY_ROOT = 'os_compute_api:os-server-diagnostics:%s'
+
+
+server_diagnostics_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return server_diagnostics_policies
diff --git a/nova/policies/server_external_events.py b/nova/policies/server_external_events.py
new file mode 100644
index 000000000000..7c83f9843b91
--- /dev/null
+++ b/nova/policies/server_external_events.py
@@ -0,0 +1,35 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-server-external-events:%s'
+
+
+server_external_events_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return server_external_events_policies
diff --git a/nova/policies/server_groups.py b/nova/policies/server_groups.py
new file mode 100644
index 000000000000..e8f79c5009d3
--- /dev/null
+++ b/nova/policies/server_groups.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-groups'
+POLICY_ROOT = 'os_compute_api:os-server-groups:%s'
+
+
+server_groups_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return server_groups_policies
diff --git a/nova/policies/server_metadata.py b/nova/policies/server_metadata.py
new file mode 100644
index 000000000000..656de4d21383
--- /dev/null
+++ b/nova/policies/server_metadata.py
@@ -0,0 +1,50 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:server-metadata:%s'
+
+
+server_metadata_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update_all',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return server_metadata_policies
diff --git a/nova/policies/server_password.py b/nova/policies/server_password.py
new file mode 100644
index 000000000000..8c63df005a28
--- /dev/null
+++ b/nova/policies/server_password.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-password'
+POLICY_ROOT = 'os_compute_api:os-server-password:%s'
+
+
+server_password_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return server_password_policies