492 lines
17 KiB
Python
492 lines
17 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
from oslo_policy import policy
|
|
|
|
from nova.policies import base
|
|
|
|
|
|
SERVERS = 'os_compute_api:servers:%s'
|
|
NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network'
|
|
ZERO_DISK_FLAVOR = SERVERS % 'create:zero_disk_flavor'
|
|
REQUESTED_DESTINATION = 'compute:servers:create:requested_destination'
|
|
CROSS_CELL_RESIZE = 'compute:servers:resize:cross_cell'
|
|
|
|
rules = [
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'index',
|
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
|
description="List all servers",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'detail',
|
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
|
description="List all servers with detailed information",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/detail'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'index:get_all_tenants',
|
|
check_str=base.SYSTEM_READER,
|
|
description="List all servers for all projects",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['system']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'detail:get_all_tenants',
|
|
check_str=base.SYSTEM_READER,
|
|
description="List all servers with detailed information for "
|
|
" all projects",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/detail'
|
|
}
|
|
],
|
|
scope_types=['system']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'allow_all_filters',
|
|
check_str=base.SYSTEM_READER,
|
|
description="Allow all filters when listing servers",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers'
|
|
},
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/detail'
|
|
}
|
|
],
|
|
scope_types=['system']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'show',
|
|
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
|
description="Show a server",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/{server_id}'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
# the details in host_status are pretty sensitive, only admins
|
|
# should do that by default.
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'show:host_status',
|
|
check_str=base.SYSTEM_ADMIN,
|
|
description="""
|
|
Show a server with additional host status information.
|
|
|
|
This means host_status will be shown irrespective of status value. If showing
|
|
only host_status UNKNOWN is desired, use the
|
|
``os_compute_api:servers:show:host_status:unknown-only`` policy rule.
|
|
|
|
Microvision 2.75 added the ``host_status`` attribute in the
|
|
``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``
|
|
API responses which are also controlled by this policy rule, like the
|
|
``GET /servers*`` APIs.
|
|
""",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/{server_id}'
|
|
},
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/detail'
|
|
},
|
|
{
|
|
'method': 'PUT',
|
|
'path': '/servers/{server_id}'
|
|
},
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (rebuild)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'show:host_status:unknown-only',
|
|
check_str=base.SYSTEM_ADMIN,
|
|
description="""
|
|
Show a server with additional host status information, only if host status is
|
|
UNKNOWN.
|
|
|
|
This policy rule will only be enforced when the
|
|
``os_compute_api:servers:show:host_status`` policy rule does not pass for the
|
|
request. An example policy configuration could be where the
|
|
``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and
|
|
the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to
|
|
allow everyone.
|
|
""",
|
|
operations=[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/{server_id}'
|
|
},
|
|
{
|
|
'method': 'GET',
|
|
'path': '/servers/detail'
|
|
},
|
|
{
|
|
'method': 'PUT',
|
|
'path': '/servers/{server_id}'
|
|
},
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (rebuild)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project'],),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create',
|
|
check_str=base.PROJECT_MEMBER,
|
|
description="Create a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create:forced_host',
|
|
# TODO(gmann): We need to make it SYSTEM_ADMIN.
|
|
# PROJECT_ADMIN is added for now because create server
|
|
# policy is project scoped and there is no way to
|
|
# pass the project_id in request body for system scoped
|
|
# roles so that create server for other project with force host.
|
|
# To achieve that, we need to update the create server API to
|
|
# accept the project_id for whom the server needs to be created
|
|
# and then change the scope of this policy to system-only
|
|
# Because that is API change it needs to be done with new
|
|
# microversion.
|
|
check_str=base.PROJECT_ADMIN,
|
|
description="""
|
|
Create a server on the specified host and/or node.
|
|
|
|
In this case, the server is forced to launch on the specified
|
|
host and/or node by bypassing the scheduler filters unlike the
|
|
``compute:servers:create:requested_destination`` rule.
|
|
""",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=REQUESTED_DESTINATION,
|
|
# TODO(gmann): We need to make it SYSTEM_ADMIN.
|
|
# PROJECT_ADMIN is added for now because create server
|
|
# policy is project scoped and there is no way to
|
|
# pass the project_id in request body for system scoped
|
|
# roles so that create server for other project with requested
|
|
# destination.
|
|
# To achieve that, we need to update the create server API to
|
|
# accept the project_id for whom the server needs to be created
|
|
# and then change the scope of this policy to system-only
|
|
# Because that is API change it needs to be done with new
|
|
# microversion.
|
|
check_str=base.PROJECT_ADMIN,
|
|
description="""
|
|
Create a server on the requested compute service host and/or
|
|
hypervisor_hostname.
|
|
|
|
In this case, the requested host and/or hypervisor_hostname is
|
|
validated by the scheduler filters unlike the
|
|
``os_compute_api:servers:create:forced_host`` rule.
|
|
""",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create:attach_volume',
|
|
check_str=base.PROJECT_MEMBER,
|
|
description="Create a server with the requested volume attached to it",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create:attach_network',
|
|
check_str=base.PROJECT_MEMBER,
|
|
description="Create a server with the requested network attached "
|
|
" to it",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create:trusted_certs',
|
|
check_str=base.PROJECT_MEMBER,
|
|
description="Create a server with trusted image certificate IDs",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=ZERO_DISK_FLAVOR,
|
|
# TODO(gmann): We need to make it SYSTEM_ADMIN.
|
|
# PROJECT_ADMIN is added for now because create server
|
|
# policy is project scoped and there is no way to
|
|
# pass the project_id in request body for system scoped
|
|
# roles so that create server for other project with zero disk flavor.
|
|
# To achieve that, we need to update the create server API to
|
|
# accept the project_id for whom the server needs to be created
|
|
# and then change the scope of this policy to system-only
|
|
# Because that is API change it needs to be done with new
|
|
# microversion.
|
|
check_str=base.PROJECT_ADMIN,
|
|
description="""
|
|
This rule controls the compute API validation behavior of creating a server
|
|
with a flavor that has 0 disk, indicating the server should be volume-backed.
|
|
|
|
For a flavor with disk=0, the root disk will be set to exactly the size of the
|
|
image used to deploy the instance. However, in this case the filter_scheduler
|
|
cannot select the compute host based on the virtual image size. Therefore, 0
|
|
should only be used for volume booted instances or for testing purposes.
|
|
|
|
WARNING: It is a potential security exposure to enable this policy rule
|
|
if users can upload their own images since repeated attempts to
|
|
create a disk=0 flavor instance with a large image can exhaust
|
|
the local disk of the compute (or shared storage cluster). See bug
|
|
https://bugs.launchpad.net/nova/+bug/1739646 for details.
|
|
""",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=NETWORK_ATTACH_EXTERNAL,
|
|
# TODO(gmann): We need to make it SYSTEM_ADMIN.
|
|
# PROJECT_ADMIN is added for now because create server
|
|
# policy is project scoped and there is no way to
|
|
# pass the project_id in request body for system scoped
|
|
# roles so that create server for other project or attach the
|
|
# external network. To achieve that, we need to update the
|
|
# create server API to accept the project_id for whom the
|
|
# server needs to be created and then change the scope of this
|
|
# policy to system-only Because that is API change it needs to
|
|
# be done with new microversion.
|
|
check_str=base.PROJECT_ADMIN,
|
|
description="Attach an unshared external network to a server",
|
|
operations=[
|
|
# Create a server with a requested network or port.
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers'
|
|
},
|
|
# Attach a network or port to an existing server.
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/os-interface'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'delete',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Delete a server",
|
|
operations=[
|
|
{
|
|
'method': 'DELETE',
|
|
'path': '/servers/{server_id}'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'update',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Update a server",
|
|
operations=[
|
|
{
|
|
'method': 'PUT',
|
|
'path': '/servers/{server_id}'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'confirm_resize',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Confirm a server resize",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (confirmResize)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'revert_resize',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Revert a server resize",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (revertResize)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'reboot',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Reboot a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (reboot)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'resize',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Resize a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (resize)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=CROSS_CELL_RESIZE,
|
|
check_str=base.RULE_NOBODY,
|
|
description="Resize a server across cells. By default, this is "
|
|
"disabled for all users and recommended to be tested in a "
|
|
"deployment for admin users before opening it up to non-admin users. "
|
|
"Resizing within a cell is the default preferred behavior even if "
|
|
"this is enabled. ",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (resize)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'rebuild',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Rebuild a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (rebuild)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'rebuild:trusted_certs',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Rebuild a server with trusted image certificate IDs",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (rebuild)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create_image',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Create an image from a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (createImage)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'create_image:allow_volume_backed',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Create an image from a volume backed server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (createImage)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'start',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Start a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (os-start)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'stop',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Stop a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (os-stop)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
policy.DocumentedRuleDefault(
|
|
name=SERVERS % 'trigger_crash_dump',
|
|
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
|
description="Trigger crash dump in a server",
|
|
operations=[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/servers/{server_id}/action (trigger_crash_dump)'
|
|
}
|
|
],
|
|
scope_types=['system', 'project']),
|
|
]
|
|
|
|
|
|
def list_rules():
|
|
return rules
|