nova/nova/policies
Ghanshyam Mann f9c1d1163d Complete phase-1 of RBAC community-wide goal
After moving the nova APIs policy as per the new guidelines
where system scoped token will be only allowed to access
system level APIs and will not be allowed any operation
on project level APIs. With that we do not need below
base rules (who have hardcoded 'system_scope:all' check_str):
- system_admin_api
- system_reader_api
- system_admin_or_owner
- system_or_project_reader

At this stage (phase-1 target), we allow below roles as targeted
in phase-1 [1]
1. ADMIN (this is System Administrator with scope_type 'system'
when scope enabled otherwise legacy admin)
2. PROJECT_ADMIN
3. PROJECT_MEMBER
4. PROJECT_READER
 & below one specific to nova
5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader
to list flavor extra specs)

This completes the phase-1 of RBAC community-wide goal[2] for nova.

Add release notes too.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022

Partial implement blueprint policy-defaults-refresh-2

Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
2022-02-24 16:33:34 +00:00
__init__.py api: Remove 'os-agents' API 2020-09-11 14:10:32 +01:00
admin_actions.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
admin_password.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
aggregates.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
assisted_volume_snapshots.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
attach_interfaces.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
availability_zone.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
baremetal_nodes.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
base.py Complete phase-1 of RBAC community-wide goal 2022-02-24 16:33:34 +00:00
console_auth_tokens.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
console_output.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
create_backup.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
deferred_delete.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
evacuate.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
extended_server_attributes.py Revert project-specific APIs for servers 2021-12-01 08:54:34 -08:00
extensions.py Add scope and new default roles in extensions policies 2020-08-17 09:40:02 -05:00
flavor_access.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
flavor_extra_specs.py Separate flavor extra specs policy for server APIs 2022-02-24 16:33:26 +00:00
flavor_manage.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
floating_ip_pools.py Correct the check_str and pass actual target in FIP pools policy 2020-07-20 16:53:02 -05:00
floating_ips.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
hosts.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
hypervisors.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
instance_actions.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
instance_usage_audit_log.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
ips.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
keypairs.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
limits.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
lock_server.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
migrate_server.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
migrations.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
multinic.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
networks.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
pause_server.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
quota_class_sets.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
quota_sets.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
remote_consoles.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
rescue.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
security_groups.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
server_diagnostics.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
server_external_events.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
server_groups.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
server_metadata.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
server_password.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
server_tags.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
server_topology.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
servers.py Separate flavor extra specs policy for server APIs 2022-02-24 16:33:26 +00:00
servers_migrations.py Modify remaining APIs as per RBAC new guidelines 2022-02-24 10:24:55 -06:00
services.py Convert SYSTEM_ADMIN|READER to Admin and system scope 2022-02-17 05:20:07 +00:00
shelve.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
simple_tenant_usage.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
suspend_server.py Server actions APIs scoped to project scope 2022-02-20 01:08:11 +00:00
tenant_networks.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
volumes.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00
volumes_attachments.py Make more project level APIs scoped to project only 2022-02-19 18:19:34 -06:00