# This policy YAML file will revert the Octavia API to follow the keystone
# "default role" RBAC policies.
#
# The [oslo_policy] enforce_scope and enforce_new_defaults must be True.
#
# Users will not be required to be a member of the load-balancer_* roles
# to take action on Octavia resources.
# Keystone token scoping and "default roles"/personas will still be enforced.

# Role Rules
"system_admin": "role:admin"
"system_reader": "role:admin"
"project_reader": "role:reader and project_id:%(project_id)s"
"project_member": "role:member and project_id:%(project_id)s"

"context_is_admin": "role:admin"

# API Rules
"load-balancer:admin": "is_admin:True or
                        rule:system_admin or
                        role:load-balancer_admin"

"load-balancer:read": "is_admin:True or
                       rule:system_reader or
                       rule:project_reader"

"load-balancer:read-global": "is_admin:True or rule:system_reader"

"load-balancer:write": "is_admin:True or rule:project_member"

"load-balancer:read-quota": "is_admin:True or
                             rule:system_reader or
                             rule:project_reader"

"load-balancer:read-quota-global": "is_admin:True or rule:system_reader"

"load-balancer:write-quota": "is_admin:True"