83 lines
2.5 KiB
ReStructuredText
83 lines
2.5 KiB
ReStructuredText
================
|
|
Octavia Policies
|
|
================
|
|
|
|
The default policy is to not allow access unless the auth_strategy is 'noauth'.
|
|
|
|
Users must be a member of one of the following roles to have access to
|
|
the load-balancer API:
|
|
|
|
.. glossary::
|
|
|
|
role:load-balancer_observer
|
|
User has access to load-balancer read-only APIs.
|
|
|
|
role:load-balancer_global_observer
|
|
User has access to load-balancer read-only APIs including resources
|
|
owned by others.
|
|
|
|
role:load-balancer_member
|
|
User has access to load-balancer read and write APIs.
|
|
|
|
role:load-balancer_quota_admin
|
|
User is considered an admin for quota APIs only.
|
|
|
|
role:load-balancer_admin
|
|
User is considered an admin for all load-balnacer APIs including
|
|
resources owned by others.
|
|
|
|
role:admin
|
|
User is admin to all APIs.
|
|
|
|
.. note::
|
|
|
|
'is_admin:True' is a policy rule that takes into account the
|
|
auth_strategy == noauth configuration setting.
|
|
It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
|
|
if that would be valid syntax.
|
|
|
|
Legacy Admin or Owner Policy
|
|
----------------------------
|
|
|
|
An alternate policy file has been provided in octavia/etc/policy called
|
|
admin_or_owner-policy.yaml that removes the load-balancer RBAC role
|
|
requirement. Please see the README.rst in that directory for more information.
|
|
|
|
Sample File Generation
|
|
----------------------
|
|
|
|
To generate a sample policy.yaml file from the Octavia defaults, run the
|
|
oslo policy generation script::
|
|
|
|
oslopolicy-sample-generator
|
|
--config-file etc/policy/octavia-policy-generator.conf
|
|
--output-file policy.yaml.sample
|
|
|
|
Merged File Generation
|
|
----------------------
|
|
|
|
This will output a policy file which includes all registered policy defaults
|
|
and all policies configured with a policy file. This file shows the effective
|
|
policy in use by the project::
|
|
|
|
oslopolicy-policy-generator
|
|
--config-file etc/policy/octavia-policy-generator.conf
|
|
|
|
This tool uses the output_file path from the config-file.
|
|
|
|
List Redundant Configurations
|
|
-----------------------------
|
|
|
|
This will output a list of matches for policy rules that are defined in a
|
|
configuration file where the rule does not differ from a registered default
|
|
rule. These are rules that can be removed from the policy file with no change
|
|
in effective policy::
|
|
|
|
oslopolicy-list-redundant
|
|
--config-file etc/policy/octavia-policy-generator.conf
|
|
|
|
Default Octavia Policies
|
|
------------------------
|
|
|
|
.. literalinclude:: _static/octavia.policy.yaml.sample
|