diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml
index b7695509af..450136fd23 100644
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@@ -81,7 +81,7 @@ data:
 api_audit_map.conf: |+
 {{- tuple .Values.conf.audit_map "etc/_api_audit_map.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.override "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 barbican-api.ini: |+
 {{- tuple .Values.conf.barbican_api "etc/_barbican-api.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- end }}
diff --git a/barbican/templates/etc/_policy.json.tpl b/barbican/templates/etc/_policy.json.tpl
deleted file mode 100644
index 723f1c1793..0000000000
--- a/barbican/templates/etc/_policy.json.tpl
+++ /dev/null
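Review bot: `{{ toJson .Values.conf.policy | indent 4 }}` writes the `conf.policy` map straight into the authorization file with no check that every value is a string, so a rule left bare in values (`some_rule:` renders as `null`) or retyped by YAML (`true`, a number) now reaches policy.json as a non-string value, which oslo.policy presumably rejects when it parses the rule set; a comment above the line, `# every conf.policy value must be a YAML string: a bare key renders as null and breaks policy loading`, would warn the next editor, and the same applies to the identical lines in the glance, heat and keystone configmap-etc.yaml hunks. The removed line read `.Values.conf.override` where the other three charts read `.Values.conf.policy`, which looks like a pre-existing mismatch this change happens to fix and deserves a mention in the commit message. With `helm-toolkit.utils.configmap_templater` gone, `conf.policy.override`/`conf.policy.append` can no longer replace the whole file; Helm value merging lets operators change individual rules but, as far as I know, not delete one, which is a behaviour change worth documenting.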
@@ -1,90 +0,0 @@
-{
- "admin": "role:admin",
- "observer": "role:observer",
- "creator": "role:creator",
- "audit": "role:audit",
- "service_admin": "role:key-manager:service-admin",
- "admin_or_user_does_not_work": "project_id:%(project_id)s",
- "admin_or_user": "rule:admin or project_id:%(project_id)s",
- "admin_or_creator": "rule:admin or rule:creator",
- "all_but_audit": "rule:admin or rule:observer or rule:creator",
- "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
- "secret_project_match": "project:%(target.secret.project_id)s",
- "secret_acl_read": "'read':%(target.secret.read)s",
- "secret_private_read": "'False':%(target.secret.read_project_access)s",
- "secret_creator_user": "user:%(target.secret.creator_id)s",
- "container_project_match": "project:%(target.container.project_id)s",
- "container_acl_read": "'read':%(target.container.read)s",
- "container_private_read": "'False':%(target.container.read_project_access)s",
- "container_creator_user": "user:%(target.container.creator_id)s",
-
- "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
- "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
- "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
- "secret_project_admin": "rule:admin and rule:secret_project_match",
- "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
- "container_project_admin": "rule:admin and rule:container_project_match",
- "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
-
- "version:get": "@",
- "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
- "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
- "secret:put": "rule:admin_or_creator and rule:secret_project_match",
- "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
- "secrets:post": "rule:admin_or_creator",
- "secrets:get": "rule:all_but_audit",
- "orders:post": "rule:admin_or_creator",
- "orders:get": "rule:all_but_audit",
- "order:get": "rule:all_users",
- "order:put": "rule:admin_or_creator",
- "order:delete": "rule:admin",
- "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "containers:post": "rule:admin_or_creator",
- "containers:get": "rule:all_but_audit",
- "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "container:delete": "rule:container_project_admin or rule:container_project_creator",
- "container_secret:post": "rule:admin",
- "container_secret:delete": "rule:admin",
- "transport_key:get": "rule:all_users",
- "transport_key:delete": "rule:admin",
- "transport_keys:get": "rule:all_users",
- "transport_keys:post": "rule:admin",
- "certificate_authorities:get_limited": "rule:all_users",
- "certificate_authorities:get_all": "rule:admin",
- "certificate_authorities:post": "rule:admin",
- "certificate_authorities:get_preferred_ca": "rule:all_users",
- "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
- "certificate_authorities:unset_global_preferred": "rule:service_admin",
- "certificate_authority:delete": "rule:admin",
- "certificate_authority:get": "rule:all_users",
- "certificate_authority:get_cacert": "rule:all_users",
- "certificate_authority:get_ca_cert_chain": "rule:all_users",
- "certificate_authority:get_projects": "rule:service_admin",
- "certificate_authority:add_to_project": "rule:admin",
- "certificate_authority:remove_from_project": "rule:admin",
- "certificate_authority:set_preferred": "rule:admin",
- "certificate_authority:set_global_preferred": "rule:service_admin",
- "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
- "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
- "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
- "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
- "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
- "container_acls:get": "rule:all_but_audit and rule:container_project_match",
- "quotas:get": "rule:all_users",
- "project_quotas:get": "rule:service_admin",
- "project_quotas:put": "rule:service_admin",
- "project_quotas:delete": "rule:service_admin",
- "secret_meta:get": "rule:all_but_audit",
- "secret_meta:post": "rule:admin_or_creator",
- "secret_meta:put": "rule:admin_or_creator",
- "secret_meta:delete": "rule:admin_or_creator",
- "secretstores:get": "rule:admin",
- "secretstores:get_global_default": "rule:admin",
- "secretstores:get_preferred": "rule:admin",
- "secretstore_preferred:post": "rule:admin",
- "secretstore_preferred:delete": "rule:admin",
- "secretstore:get": "rule:admin"
-}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 02bd744d85..acd6789c31 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml 
@@ -172,8 +172,101 @@ conf:
 override:
 append:
 policy:
- override:
- append:
+ admin: role:admin
+ observer: role:observer
+ creator: role:creator
+ audit: role:audit
+ service_admin: role:key-manager:service-admin
+ admin_or_user_does_not_work: project_id:%(project_id)s
+ admin_or_user: rule:admin or project_id:%(project_id)s
+ admin_or_creator: rule:admin or rule:creator
+ all_but_audit: rule:admin or rule:observer or rule:creator
+ all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
+ secret_project_match: project:%(target.secret.project_id)s
+ secret_acl_read: "'read':%(target.secret.read)s"
+ secret_private_read: "'False':%(target.secret.read_project_access)s"
+ secret_creator_user: user:%(target.secret.creator_id)s
+ container_project_match: project:%(target.container.project_id)s
+ container_acl_read: "'read':%(target.container.read)s"
+ container_private_read: "'False':%(target.container.read_project_access)s"
+ container_creator_user: user:%(target.container.creator_id)s
+ secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
+ secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
+ and not rule:secret_private_read
+ container_non_private_read: rule:all_users and rule:container_project_match and not
+ rule:container_private_read
+ secret_project_admin: rule:admin and rule:secret_project_match
+ secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
+ container_project_admin: rule:admin and rule:container_project_match
+ container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
+ version:get: "@"
+ secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
+ or rule:secret_project_admin or rule:secret_acl_read
+ secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
+ or rule:secret_acl_read
+ secret:put: rule:admin_or_creator and rule:secret_project_match
+ secret:delete: rule:secret_project_admin or rule:secret_project_creator
+ secrets:post: rule:admin_or_creator
+ secrets:get: rule:all_but_audit
+ orders:post: rule:admin_or_creator
+ orders:get: rule:all_but_audit
+ order:get: rule:all_users
+ order:put: rule:admin_or_creator
+ order:delete: rule:admin
+ consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
+ or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
+ consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
+ or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
+ consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
+ or rule:container_project_admin or rule:container_acl_read
+ consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
+ or rule:container_project_admin or rule:container_acl_read
+ containers:post: rule:admin_or_creator
+ containers:get: rule:all_but_audit
+ container:get: rule:container_non_private_read or rule:container_project_creator or
+ rule:container_project_admin or rule:container_acl_read
+ container:delete: rule:container_project_admin or rule:container_project_creator
+ container_secret:post: rule:admin
+ container_secret:delete: rule:admin
+ transport_key:get: rule:all_users
+ transport_key:delete: rule:admin
+ transport_keys:get: rule:all_users
+ transport_keys:post: rule:admin
+ certificate_authorities:get_limited: rule:all_users
+ certificate_authorities:get_all: rule:admin
+ certificate_authorities:post: rule:admin
+ certificate_authorities:get_preferred_ca: rule:all_users
+ certificate_authorities:get_global_preferred_ca: rule:service_admin
+ certificate_authorities:unset_global_preferred: rule:service_admin
+ certificate_authority:delete: rule:admin
+ certificate_authority:get: rule:all_users
+ certificate_authority:get_cacert: rule:all_users
+ certificate_authority:get_ca_cert_chain: rule:all_users
+ certificate_authority:get_projects: rule:service_admin
+ certificate_authority:add_to_project: rule:admin
+ certificate_authority:remove_from_project: rule:admin
+ certificate_authority:set_preferred: rule:admin
+ certificate_authority:set_global_preferred: rule:service_admin
+ secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
+ secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
+ secret_acls:get: rule:all_but_audit and rule:secret_project_match
+ container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
+ container_acls:delete: rule:container_project_admin or rule:container_project_creator
+ container_acls:get: rule:all_but_audit and rule:container_project_match
+ quotas:get: rule:all_users
+ project_quotas:get: rule:service_admin
+ project_quotas:put: rule:service_admin
+ project_quotas:delete: rule:service_admin
+ secret_meta:get: rule:all_but_audit
+ secret_meta:post: rule:admin_or_creator
+ secret_meta:put: rule:admin_or_creator
+ secret_meta:delete: rule:admin_or_creator
+ secretstores:get: rule:admin
+ secretstores:get_global_default: rule:admin
+ secretstores:get_preferred: rule:admin
+ secretstore_preferred:post: rule:admin
+ secretstore_preferred:delete: rule:admin
+ secretstore:get: rule:admin
 audit_map:
 override:
 append:
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 2d853c00e5..b1fd2d0eb8 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
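Review bot: Nine rules in this hunk are split across two plain-scalar lines (`secret_decrypt_non_private_read`, `container_non_private_read`, `secret:decrypt`, `secret:get`, `consumer:get`, `consumers:get`, `consumers:post`, `consumers:delete`, `container:get`), so the rule barbican enforces is the YAML-folded concatenation that no single line of the diff shows, and a continuation indented one level too little either changes the rule or fails the parse. Writing each on one line in single quotes keeps the authorization rule visible as one value, e.g. `secret:get: 'rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read'`. Removing `override:`/`append:` under `policy:` also means a downstream values file that still sets `conf.policy.override` would now render as a rule literally named `override` in policy.json instead of replacing the file; worth a line in the chart's values documentation. The enclosing `conf:` mapping begins before the hunk and continues after it.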
@@ -135,5 +135,5 @@ data:
 glance-registry-paste.ini: |+
 {{- tuple .Values.conf.paste_registry "etc/_glance-registry-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/glance/templates/etc/_policy.json.tpl b/glance/templates/etc/_policy.json.tpl
deleted file mode 100644
index 0a058c1c5d..0000000000
--- a/glance/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "role:admin",
- "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/glance/values.yaml b/glance/values.yaml
index a24110896c..c74d32c029 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -76,8 +76,52 @@ conf:
 override:
 append:
 policy:
- override:
- append:
+ context_is_admin: role:admin
+ default: role:admin
+ add_image: ''
+ delete_image: ''
+ get_image: ''
+ get_images: ''
+ modify_image: ''
+ publicize_image: role:admin
+ copy_from: ''
+ download_image: ''
+ upload_image: ''
+ delete_image_location: ''
+ get_image_location: ''
+ set_image_location: ''
+ add_member: ''
+ delete_member: ''
+ get_member: ''
+ get_members: ''
+ modify_member: ''
+ manage_image_cache: role:admin
+ get_task: role:admin
+ get_tasks: role:admin
+ add_task: role:admin
+ modify_task: role:admin
+ deactivate: ''
+ reactivate: ''
+ get_metadef_namespace: ''
+ get_metadef_namespaces: ''
+ modify_metadef_namespace: ''
+ add_metadef_namespace: ''
+ get_metadef_object: ''
+ get_metadef_objects: ''
+ modify_metadef_object: ''
+ add_metadef_object: ''
+ list_metadef_resource_types: ''
+ get_metadef_resource_type: ''
+ add_metadef_resource_type_association: ''
+ get_metadef_property: ''
+ get_metadef_properties: ''
+ modify_metadef_property: ''
+ add_metadef_property: ''
+ get_metadef_tag: ''
+ get_metadef_tags: ''
+ modify_metadef_tag: ''
+ add_metadef_tag: ''
+ add_metadef_tags: ''
 glance:
 override:
 append:
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index 022c25fb91..54369beccd 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -123,5 +123,5 @@ data:
 api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/heat/templates/etc/_policy.json.tpl b/heat/templates/etc/_policy.json.tpl
deleted file mode 100644
index c9aae5ff79..0000000000
--- a/heat/templates/etc/_policy.json.tpl
+++ /dev/null
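Review bot: Most rules added in the glance values hunk are `''` (`add_image`, `delete_image`, `get_image`, `modify_image`, `upload_image`, the `*_member`, `*_image_location` and `*_metadef_*` rules), and an empty oslo.policy rule matches unconditionally, so those actions are allowed for any caller that gets past the API's authentication, while `default: role:admin` covers only actions not listed; nothing in the hunk records that this openness is intended. A comment above `context_is_admin:` such as `# '' = unrestricted (oslo.policy empty rule); 'default' applies only to actions not listed here` would make the baseline explicit. The values are copied from the deleted `_policy.json.tpl`, so the commit does not change what glance enforces. The enclosing `conf:` mapping begins before the hunk and continues after it.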
@@ -1,96 +0,0 @@
-{
- "context_is_admin": "role:admin and is_admin_project:True",
- "project_admin": "role:admin",
- "deny_stack_user": "not role:heat_stack_user",
- "deny_everybody": "!",
-
- "cloudformation:ListStacks": "rule:deny_stack_user",
- "cloudformation:CreateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStacks": "rule:deny_stack_user",
- "cloudformation:DeleteStack": "rule:deny_stack_user",
- "cloudformation:UpdateStack": "rule:deny_stack_user",
- "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
- "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
- "cloudformation:ValidateTemplate": "rule:deny_stack_user",
- "cloudformation:GetTemplate": "rule:deny_stack_user",
- "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
- "cloudformation:DescribeStackResource": "",
- "cloudformation:DescribeStackResources": "rule:deny_stack_user",
- "cloudformation:ListStackResources": "rule:deny_stack_user",
-
- "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
- "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
- "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
- "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
- "cloudwatch:ListMetrics": "rule:deny_stack_user",
- "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
- "cloudwatch:PutMetricData": "",
- "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
- "actions:action": "rule:deny_stack_user",
- "build_info:build_info": "rule:deny_stack_user",
- "events:index": "rule:deny_stack_user",
- "events:show": "rule:deny_stack_user",
- "resource:index": "rule:deny_stack_user",
- "resource:metadata": "",
- "resource:signal": "",
- "resource:mark_unhealthy": "rule:deny_stack_user",
- "resource:show": "rule:deny_stack_user",
- "stacks:abandon": "rule:deny_stack_user",
- "stacks:create": "rule:deny_stack_user",
- "stacks:delete": "rule:deny_stack_user",
- "stacks:detail": "rule:deny_stack_user",
- "stacks:export": "rule:deny_stack_user",
- "stacks:generate_template": "rule:deny_stack_user",
- "stacks:global_index": "rule:deny_everybody",
- "stacks:index": "rule:deny_stack_user",
- "stacks:list_resource_types": "rule:deny_stack_user",
- "stacks:list_template_versions": "rule:deny_stack_user",
- "stacks:list_template_functions": "rule:deny_stack_user",
- "stacks:lookup": "",
- "stacks:preview": "rule:deny_stack_user",
- "stacks:resource_schema": "rule:deny_stack_user",
- "stacks:show": "rule:deny_stack_user",
- "stacks:template": "rule:deny_stack_user",
- "stacks:environment": "rule:deny_stack_user",
- "stacks:files": "rule:deny_stack_user",
- "stacks:update": "rule:deny_stack_user",
- "stacks:update_patch": "rule:deny_stack_user",
- "stacks:preview_update": "rule:deny_stack_user",
- "stacks:preview_update_patch": "rule:deny_stack_user",
- "stacks:validate_template": "rule:deny_stack_user",
- "stacks:snapshot": "rule:deny_stack_user",
- "stacks:show_snapshot": "rule:deny_stack_user",
- "stacks:delete_snapshot": "rule:deny_stack_user",
- "stacks:list_snapshots": "rule:deny_stack_user",
- "stacks:restore_snapshot": "rule:deny_stack_user",
- "stacks:list_outputs": "rule:deny_stack_user",
- "stacks:show_output": "rule:deny_stack_user",
-
- "software_configs:global_index": "rule:deny_everybody",
- "software_configs:index": "rule:deny_stack_user",
- "software_configs:create": "rule:deny_stack_user",
- "software_configs:show": "rule:deny_stack_user",
- "software_configs:delete": "rule:deny_stack_user",
- "software_deployments:index": "rule:deny_stack_user",
- "software_deployments:create": "rule:deny_stack_user",
- "software_deployments:show": "rule:deny_stack_user",
- "software_deployments:update": "rule:deny_stack_user",
- "software_deployments:delete": "rule:deny_stack_user",
- "software_deployments:metadata": "",
-
- "service:index": "rule:context_is_admin",
-
- "resource_types:OS::Nova::Flavor": "rule:project_admin",
- "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
- "resource_types:OS::Cinder::VolumeType": "rule:project_admin",
- "resource_types:OS::Cinder::Quota": "rule:project_admin",
- "resource_types:OS::Manila::ShareType": "rule:project_admin",
- "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
- "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
- "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
- "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
-}
diff --git a/heat/values.yaml b/heat/values.yaml
index d647f28d99..26396e9f34 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -42,8 +42,94 @@ conf:
 override:
 append:
 policy:
- override:
- append:
+ context_is_admin: role:admin and is_admin_project:True
+ project_admin: role:admin
+ deny_stack_user: not role:heat_stack_user
+ deny_everybody: "!"
+ cloudformation:ListStacks: rule:deny_stack_user
+ cloudformation:CreateStack: rule:deny_stack_user
+ cloudformation:DescribeStacks: rule:deny_stack_user
+ cloudformation:DeleteStack: rule:deny_stack_user
+ cloudformation:UpdateStack: rule:deny_stack_user
+ cloudformation:CancelUpdateStack: rule:deny_stack_user
+ cloudformation:DescribeStackEvents: rule:deny_stack_user
+ cloudformation:ValidateTemplate: rule:deny_stack_user
+ cloudformation:GetTemplate: rule:deny_stack_user
+ cloudformation:EstimateTemplateCost: rule:deny_stack_user
+ cloudformation:DescribeStackResource: ''
+ cloudformation:DescribeStackResources: rule:deny_stack_user
+ cloudformation:ListStackResources: rule:deny_stack_user
+ cloudwatch:DeleteAlarms: rule:deny_stack_user
+ cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
+ cloudwatch:DescribeAlarms: rule:deny_stack_user
+ cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
+ cloudwatch:DisableAlarmActions: rule:deny_stack_user
+ cloudwatch:EnableAlarmActions: rule:deny_stack_user
+ cloudwatch:GetMetricStatistics: rule:deny_stack_user
+ cloudwatch:ListMetrics: rule:deny_stack_user
+ cloudwatch:PutMetricAlarm: rule:deny_stack_user
+ cloudwatch:PutMetricData: ''
+ cloudwatch:SetAlarmState: rule:deny_stack_user
+ actions:action: rule:deny_stack_user
+ build_info:build_info: rule:deny_stack_user
+ events:index: rule:deny_stack_user
+ events:show: rule:deny_stack_user
+ resource:index: rule:deny_stack_user
+ resource:metadata: ''
+ resource:signal: ''
+ resource:mark_unhealthy: rule:deny_stack_user
+ resource:show: rule:deny_stack_user
+ stacks:abandon: rule:deny_stack_user
+ stacks:create: rule:deny_stack_user
+ stacks:delete: rule:deny_stack_user
+ stacks:detail: rule:deny_stack_user
+ stacks:export: rule:deny_stack_user
+ stacks:generate_template: rule:deny_stack_user
+ stacks:global_index: rule:deny_everybody
+ stacks:index: rule:deny_stack_user
+ stacks:list_resource_types: rule:deny_stack_user
+ stacks:list_template_versions: rule:deny_stack_user
+ stacks:list_template_functions: rule:deny_stack_user
+ stacks:lookup: ''
+ stacks:preview: rule:deny_stack_user
+ stacks:resource_schema: rule:deny_stack_user
+ stacks:show: rule:deny_stack_user
+ stacks:template: rule:deny_stack_user
+ stacks:environment: rule:deny_stack_user
+ stacks:files: rule:deny_stack_user
+ stacks:update: rule:deny_stack_user
+ stacks:update_patch: rule:deny_stack_user
+ stacks:preview_update: rule:deny_stack_user
+ stacks:preview_update_patch: rule:deny_stack_user
+ stacks:validate_template: rule:deny_stack_user
+ stacks:snapshot: rule:deny_stack_user
+ stacks:show_snapshot: rule:deny_stack_user
+ stacks:delete_snapshot: rule:deny_stack_user
+ stacks:list_snapshots: rule:deny_stack_user
+ stacks:restore_snapshot: rule:deny_stack_user
+ stacks:list_outputs: rule:deny_stack_user
+ stacks:show_output: rule:deny_stack_user
+ software_configs:global_index: rule:deny_everybody
+ software_configs:index: rule:deny_stack_user
+ software_configs:create: rule:deny_stack_user
+ software_configs:show: rule:deny_stack_user
+ software_configs:delete: rule:deny_stack_user
+ software_deployments:index: rule:deny_stack_user
+ software_deployments:create: rule:deny_stack_user
+ software_deployments:show: rule:deny_stack_user
+ software_deployments:update: rule:deny_stack_user
+ software_deployments:delete: rule:deny_stack_user
+ software_deployments:metadata: ''
+ service:index: rule:context_is_admin
+ resource_types:OS::Nova::Flavor: rule:project_admin
+ resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
+ resource_types:OS::Cinder::VolumeType: rule:project_admin
+ resource_types:OS::Cinder::Quota: rule:project_admin
+ resource_types:OS::Manila::ShareType: rule:project_admin
+ resource_types:OS::Neutron::QoSPolicy: rule:project_admin
+ resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
+ resource_types:OS::Nova::HostAggregate: rule:project_admin
+ resource_types:OS::Cinder::QoSSpecs: rule:project_admin
 heat:
 override:
 append:
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 36207353a1..928bbf8db2 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -44,7 +44,7 @@ data:
 keystone-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 mpm_event.conf: |+
 {{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 wsgi-keystone.conf: |+
diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl
deleted file mode 100644
index f7e8a82963..0000000000
--- a/keystone/templates/etc/_policy.json.tpl
+++ /dev/null
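Review bot: In the heat values hunk, `deny_everybody: "!"` and the six `''` rules (`cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `resource:metadata`, `resource:signal`, `stacks:lookup`, `software_deployments:metadata`) carry the security meaning of this file yet are now uncommented: in oslo.policy `!` never matches and `''` always matches, so those six actions stay reachable by the `heat_stack_user` callers that `deny_stack_user` excludes everywhere else. A short comment block above `context_is_admin:` stating that `''` is unrestricted, `"!"` denies everyone and `deny_stack_user` is the intended default for stack-scoped users would preserve the intent the deleted template left implicit. The values match the deleted `_policy.json.tpl` line for line as far as this hunk shows, and the quoting of `"!"` is correct, since an unquoted `!` starts a YAML tag. The enclosing `conf:` mapping begins before the hunk and continues after it.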
@@ -1,199 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
-
"identity:update_service_provider": "rule:admin_required", - "identity:delete_service_provider": "rule:admin_required", - - "identity:get_auth_catalog": "", - "identity:get_auth_projects": "", - "identity:get_auth_domains": "", - - "identity:list_projects_for_user": "", - "identity:list_domains_for_user": "", - - "identity:list_revoke_events": "", - - "identity:create_policy_association_for_endpoint": "rule:admin_required", - "identity:check_policy_association_for_endpoint": "rule:admin_required", - "identity:delete_policy_association_for_endpoint": "rule:admin_required", - "identity:create_policy_association_for_service": "rule:admin_required", - "identity:check_policy_association_for_service": "rule:admin_required", - "identity:delete_policy_association_for_service": "rule:admin_required", - "identity:create_policy_association_for_region_and_service": "rule:admin_required", - "identity:check_policy_association_for_region_and_service": "rule:admin_required", - "identity:delete_policy_association_for_region_and_service": "rule:admin_required", - "identity:get_policy_for_endpoint": "rule:admin_required", - "identity:list_endpoints_for_policy": "rule:admin_required", - - "identity:create_domain_config": "rule:admin_required", - "identity:get_domain_config": "rule:admin_required", - "identity:update_domain_config": "rule:admin_required", - "identity:delete_domain_config": "rule:admin_required", - "identity:get_domain_config_default": "rule:admin_required" - -} diff --git a/keystone/values.yaml b/keystone/values.yaml index 320cb0eada..7230219f67 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
@@ -248,8 +248,172 @@ conf: override: append: policy: - override: - append: + admin_required: role:admin or is_admin:1 + service_role: role:service + service_or_admin: rule:admin_required or rule:service_role + owner: user_id:%(user_id)s + admin_or_owner: rule:admin_required or rule:owner + token_subject: user_id:%(target.token.user_id)s + admin_or_token_subject: rule:admin_required or rule:token_subject + service_admin_or_token_subject: rule:service_or_admin or rule:token_subject + default: rule:admin_required + identity:get_region: '' + identity:list_regions: '' + identity:create_region: rule:admin_required + identity:update_region: rule:admin_required + identity:delete_region: rule:admin_required + identity:get_service: rule:admin_required + identity:list_services: rule:admin_required + identity:create_service: rule:admin_required + identity:update_service: rule:admin_required + identity:delete_service: rule:admin_required + identity:get_endpoint: rule:admin_required + identity:list_endpoints: rule:admin_required + identity:create_endpoint: rule:admin_required + identity:update_endpoint: rule:admin_required + identity:delete_endpoint: rule:admin_required + identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s + identity:list_domains: rule:admin_required + identity:create_domain: rule:admin_required + identity:update_domain: rule:admin_required + identity:delete_domain: rule:admin_required + identity:get_project: rule:admin_required or project_id:%(target.project.id)s + identity:list_projects: rule:admin_required + identity:list_user_projects: rule:admin_or_owner + identity:create_project: rule:admin_required + identity:update_project: rule:admin_required + identity:delete_project: rule:admin_required + identity:get_user: rule:admin_or_owner + identity:list_users: rule:admin_required + identity:create_user: rule:admin_required + identity:update_user: rule:admin_required + identity:delete_user: rule:admin_required + 
identity:change_password: rule:admin_or_owner + identity:get_group: rule:admin_required + identity:list_groups: rule:admin_required + identity:list_groups_for_user: rule:admin_or_owner + identity:create_group: rule:admin_required + identity:update_group: rule:admin_required + identity:delete_group: rule:admin_required + identity:list_users_in_group: rule:admin_required + identity:remove_user_from_group: rule:admin_required + identity:check_user_in_group: rule:admin_required + identity:add_user_to_group: rule:admin_required + identity:get_credential: rule:admin_required + identity:list_credentials: rule:admin_required + identity:create_credential: rule:admin_required + identity:update_credential: rule:admin_required + identity:delete_credential: rule:admin_required + identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:ec2_list_credentials: rule:admin_or_owner + identity:ec2_create_credential: rule:admin_or_owner + identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + identity:get_role: rule:admin_required + identity:list_roles: rule:admin_required + identity:create_role: rule:admin_required + identity:update_role: rule:admin_required + identity:delete_role: rule:admin_required + identity:get_domain_role: rule:admin_required + identity:list_domain_roles: rule:admin_required + identity:create_domain_role: rule:admin_required + identity:update_domain_role: rule:admin_required + identity:delete_domain_role: rule:admin_required + identity:get_implied_role: 'rule:admin_required ' + identity:list_implied_roles: rule:admin_required + identity:create_implied_role: rule:admin_required + identity:delete_implied_role: rule:admin_required + identity:list_role_inference_rules: rule:admin_required + identity:check_implied_role: rule:admin_required + identity:check_grant: rule:admin_required + identity:list_grants: rule:admin_required + identity:create_grant: 
rule:admin_required + identity:revoke_grant: rule:admin_required + identity:list_role_assignments: rule:admin_required + identity:list_role_assignments_for_tree: rule:admin_required + identity:get_policy: rule:admin_required + identity:list_policies: rule:admin_required + identity:create_policy: rule:admin_required + identity:update_policy: rule:admin_required + identity:delete_policy: rule:admin_required + identity:check_token: rule:admin_or_token_subject + identity:validate_token: rule:service_admin_or_token_subject + identity:validate_token_head: rule:service_or_admin + identity:revocation_list: rule:service_or_admin + identity:revoke_token: rule:admin_or_token_subject + identity:create_trust: user_id:%(trust.trustor_user_id)s + identity:list_trusts: '' + identity:list_roles_for_trust: '' + identity:get_role_for_trust: '' + identity:delete_trust: '' + identity:create_consumer: rule:admin_required + identity:get_consumer: rule:admin_required + identity:list_consumers: rule:admin_required + identity:delete_consumer: rule:admin_required + identity:update_consumer: rule:admin_required + identity:authorize_request_token: rule:admin_required + identity:list_access_token_roles: rule:admin_required + identity:get_access_token_role: rule:admin_required + identity:list_access_tokens: rule:admin_required + identity:get_access_token: rule:admin_required + identity:delete_access_token: rule:admin_required + identity:list_projects_for_endpoint: rule:admin_required + identity:add_endpoint_to_project: rule:admin_required + identity:check_endpoint_in_project: rule:admin_required + identity:list_endpoints_for_project: rule:admin_required + identity:remove_endpoint_from_project: rule:admin_required + identity:create_endpoint_group: rule:admin_required + identity:list_endpoint_groups: rule:admin_required + identity:get_endpoint_group: rule:admin_required + identity:update_endpoint_group: rule:admin_required + identity:delete_endpoint_group: rule:admin_required + 
identity:list_projects_associated_with_endpoint_group: rule:admin_required + identity:list_endpoints_associated_with_endpoint_group: rule:admin_required + identity:get_endpoint_group_in_project: rule:admin_required + identity:list_endpoint_groups_for_project: rule:admin_required + identity:add_endpoint_group_to_project: rule:admin_required + identity:remove_endpoint_group_from_project: rule:admin_required + identity:create_identity_provider: rule:admin_required + identity:list_identity_providers: rule:admin_required + identity:get_identity_providers: rule:admin_required + identity:update_identity_provider: rule:admin_required + identity:delete_identity_provider: rule:admin_required + identity:create_protocol: rule:admin_required + identity:update_protocol: rule:admin_required + identity:get_protocol: rule:admin_required + identity:list_protocols: rule:admin_required + identity:delete_protocol: rule:admin_required + identity:create_mapping: rule:admin_required + identity:get_mapping: rule:admin_required + identity:list_mappings: rule:admin_required + identity:delete_mapping: rule:admin_required + identity:update_mapping: rule:admin_required + identity:create_service_provider: rule:admin_required + identity:list_service_providers: rule:admin_required + identity:get_service_provider: rule:admin_required + identity:update_service_provider: rule:admin_required + identity:delete_service_provider: rule:admin_required + identity:get_auth_catalog: '' + identity:get_auth_projects: '' + identity:get_auth_domains: '' + identity:list_projects_for_user: '' + identity:list_domains_for_user: '' + identity:list_revoke_events: '' + identity:create_policy_association_for_endpoint: rule:admin_required + identity:check_policy_association_for_endpoint: rule:admin_required + identity:delete_policy_association_for_endpoint: rule:admin_required + identity:create_policy_association_for_service: rule:admin_required + identity:check_policy_association_for_service: rule:admin_required + 
identity:delete_policy_association_for_service: rule:admin_required
+ identity:create_policy_association_for_region_and_service: rule:admin_required
+ identity:check_policy_association_for_region_and_service: rule:admin_required
+ identity:delete_policy_association_for_region_and_service: rule:admin_required
+ identity:get_policy_for_endpoint: rule:admin_required
+ identity:list_endpoints_for_policy: rule:admin_required
+ identity:create_domain_config: rule:admin_required
+ identity:get_domain_config: rule:admin_required
+ identity:update_domain_config: rule:admin_required
+ identity:delete_domain_config: rule:admin_required
+ identity:get_domain_config_default: rule:admin_required
 mpm_event:
 override:
 append:
diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml
index b6df5f066b..15b68f7c12 100644
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@@ -75,5 +75,5 @@ data:
 api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/magnum/templates/etc/_policy.json.tpl b/magnum/templates/etc/_policy.json.tpl
deleted file mode 100644
index 437942adf9..0000000000
--- a/magnum/templates/etc/_policy.json.tpl
+++ /dev/null
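Review bot: `identity:get_implied_role: 'rule:admin_required '` carries a trailing space over from the deleted template (the JSON there read `"rule:admin_required "`), and the single quotes exist only to keep that byte-for-byte; every neighbouring rule is plain `rule:admin_required`. oslo.policy tokenises rule text on whitespace, so the space presumably has no effect, but it reads as a typo and will be copied forward by anyone grepping this file; `identity:get_implied_role: rule:admin_required` is the intended value. The `''` rules (`identity:get_region`, `identity:list_trusts`, `identity:get_auth_catalog` and so on) are also worth one comment above the first of them, since in oslo.policy an empty rule is an always-true check rather than an unset one: `# '' is an always-pass rule in oslo.policy, not an undefined one`.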
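Review bot: `{{ toJson .Values.conf.policy | indent 4 }}` emits whatever the merged values hold, so an operator override now merges into the chart's rule map key by key: a misspelled rule name in an override adds an unused key while the chart default stays in force, and a rule can be overwritten but never removed, which differs from replacing a whole policy.json. The mistral and neutron configmap-etc hunks below make the identical change and share this point. A short comment above the `policy:` map in each values file, e.g. `# rendered verbatim into policy.json; override keys merge with these defaults rather than replacing them`, would make that visible to anyone tightening policy through overrides.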
@@ -1,51 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
- "admin_api": "rule:context_is_admin",
- "admin_or_user": "is_admin:True or user_id:%(user_id)s",
- "cluster_user": "user_id:%(trustee_user_id)s",
- "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
-
- "bay:create": "rule:deny_cluster_user",
- "bay:delete": "rule:deny_cluster_user",
- "bay:detail": "rule:deny_cluster_user",
- "bay:get": "rule:deny_cluster_user",
- "bay:get_all": "rule:deny_cluster_user",
- "bay:update": "rule:deny_cluster_user",
-
- "baymodel:create": "rule:deny_cluster_user",
- "baymodel:delete": "rule:deny_cluster_user",
- "baymodel:detail": "rule:deny_cluster_user",
- "baymodel:get": "rule:deny_cluster_user",
- "baymodel:get_all": "rule:deny_cluster_user",
- "baymodel:update": "rule:deny_cluster_user",
- "baymodel:publish": "rule:admin_or_owner",
-
- "cluster:create": "rule:deny_cluster_user",
- "cluster:delete": "rule:deny_cluster_user",
- "cluster:detail": "rule:deny_cluster_user",
- "cluster:get": "rule:deny_cluster_user",
- "cluster:get_all": "rule:deny_cluster_user",
- "cluster:update": "rule:deny_cluster_user",
-
- "clustertemplate:create": "rule:deny_cluster_user",
- "clustertemplate:delete": "rule:deny_cluster_user",
- "clustertemplate:detail": "rule:deny_cluster_user",
- "clustertemplate:get": "rule:deny_cluster_user",
- "clustertemplate:get_all": "rule:deny_cluster_user",
- "clustertemplate:update": "rule:deny_cluster_user",
- "clustertemplate:publish": "rule:admin_or_owner",
-
- "rc:create": "rule:default",
- "rc:delete": "rule:default",
- "rc:detail": "rule:default",
- "rc:get": "rule:default",
- "rc:get_all": "rule:default",
- "rc:update": "rule:default",
-
- "certificate:create": "rule:admin_or_user or rule:cluster_user",
- "certificate:get": "rule:admin_or_user or rule:cluster_user",
-
- "magnum-service:get_all": "rule:admin_api"
-}
diff --git a/magnum/values.yaml b/magnum/values.yaml
index a06725a537..b57f5b28e0 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -40,8 +40,48 @@ conf:
 override:
 append:
 policy:
- override:
- append:
+ context_is_admin: role:admin
+ admin_or_owner: is_admin:True or project_id:%(project_id)s
+ default: rule:admin_or_owner
+ admin_api: rule:context_is_admin
+ admin_or_user: is_admin:True or user_id:%(user_id)s
+ cluster_user: user_id:%(trustee_user_id)s
+ deny_cluster_user: not domain_id:%(trustee_domain_id)s
+ bay:create: rule:deny_cluster_user
+ bay:delete: rule:deny_cluster_user
+ bay:detail: rule:deny_cluster_user
+ bay:get: rule:deny_cluster_user
+ bay:get_all: rule:deny_cluster_user
+ bay:update: rule:deny_cluster_user
+ baymodel:create: rule:deny_cluster_user
+ baymodel:delete: rule:deny_cluster_user
+ baymodel:detail: rule:deny_cluster_user
+ baymodel:get: rule:deny_cluster_user
+ baymodel:get_all: rule:deny_cluster_user
+ baymodel:update: rule:deny_cluster_user
+ baymodel:publish: rule:admin_or_owner
+ cluster:create: rule:deny_cluster_user
+ cluster:delete: rule:deny_cluster_user
+ cluster:detail: rule:deny_cluster_user
+ cluster:get: rule:deny_cluster_user
+ cluster:get_all: rule:deny_cluster_user
+ cluster:update: rule:deny_cluster_user
+ clustertemplate:create: rule:deny_cluster_user
+ clustertemplate:delete: rule:deny_cluster_user
+ clustertemplate:detail: rule:deny_cluster_user
+ clustertemplate:get: rule:deny_cluster_user
+ clustertemplate:get_all: rule:deny_cluster_user
+ clustertemplate:update: rule:deny_cluster_user
+ clustertemplate:publish: rule:admin_or_owner
+ rc:create: rule:default
+ rc:delete: rule:default
+ rc:detail: rule:default
+ rc:get: rule:default
+ rc:get_all: rule:default
+ rc:update: rule:default
+ certificate:create: rule:admin_or_user or rule:cluster_user
+ certificate:get: rule:admin_or_user or rule:cluster_user
+ magnum-service:get_all: rule:admin_api
 magnum:
 override:
 append:
diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml
index 05fe0d72f6..f9c50bf013 100644
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@@ -72,5 +72,5 @@ data:
 mistral.conf: |+
 {{- tuple .Values.conf.mistral "etc/_mistral.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/mistral/templates/etc/_policy.json.tpl b/mistral/templates/etc/_policy.json.tpl
deleted file mode 100644
index a04e3bc1a9..0000000000
--- a/mistral/templates/etc/_policy.json.tpl
+++ /dev/null
@@ -1,65 +0,0 @@ - -{ - "admin_only": "is_admin:True", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", - "default": "rule:admin_or_owner", - - "action_executions:delete": "rule:admin_or_owner", - "action_execution:create": "rule:admin_or_owner", - "action_executions:get": "rule:admin_or_owner", - "action_executions:list": "rule:admin_or_owner", - "action_executions:update": "rule:admin_or_owner", - - "actions:create": "rule:admin_or_owner", - "actions:delete": "rule:admin_or_owner", - "actions:get": "rule:admin_or_owner", - "actions:list": "rule:admin_or_owner", - "actions:update": "rule:admin_or_owner", - - "cron_triggers:create": "rule:admin_or_owner", - "cron_triggers:delete": "rule:admin_or_owner", - "cron_triggers:get": "rule:admin_or_owner", - "cron_triggers:list": "rule:admin_or_owner", - - "environments:create": "rule:admin_or_owner", - "environments:delete": "rule:admin_or_owner", - "environments:get": "rule:admin_or_owner", - "environments:list": "rule:admin_or_owner", - "environments:update": "rule:admin_or_owner", - - "executions:create": "rule:admin_or_owner", - "executions:delete": "rule:admin_or_owner", - "executions:get": "rule:admin_or_owner", - "executions:list": "rule:admin_or_owner", - "executions:update": "rule:admin_or_owner", - - "members:create": "rule:admin_or_owner", - "members:delete": "rule:admin_or_owner", - "members:get": "rule:admin_or_owner", - "members:list": "rule:admin_or_owner", - "members:update": "rule:admin_or_owner", - - "services:list": "rule:admin_or_owner", - - "tasks:get": "rule:admin_or_owner", - "tasks:list": "rule:admin_or_owner", - "tasks:update": "rule:admin_or_owner", - - "workbooks:create": "rule:admin_or_owner", - "workbooks:delete": "rule:admin_or_owner", - "workbooks:get": "rule:admin_or_owner", - "workbooks:list": "rule:admin_or_owner", - "workbooks:update": "rule:admin_or_owner", - - "workflows:create": "rule:admin_or_owner", - "workflows:delete": "rule:admin_or_owner", - "workflows:get": 
"rule:admin_or_owner", - "workflows:list": "rule:admin_or_owner", - "workflows:update": "rule:admin_or_owner", - - "event_triggers:create": "rule:admin_or_owner", - "event_triggers:delete": "rule:admin_or_owner", - "event_triggers:get": "rule:admin_or_owner", - "event_triggers:list": "rule:admin_or_owner", - "event_triggers:update": "rule:admin_or_owner" -} diff --git a/mistral/values.yaml b/mistral/values.yaml index 80bf8bdea9..03ee733d5e 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml 
@@ -211,8 +211,57 @@ endpoints: conf: policy: - override: - append: + admin_only: is_admin:True + admin_or_owner: is_admin:True or project_id:%(project_id)s + default: rule:admin_or_owner + action_executions:delete: rule:admin_or_owner + action_execution:create: rule:admin_or_owner + action_executions:get: rule:admin_or_owner + action_executions:list: rule:admin_or_owner + action_executions:update: rule:admin_or_owner + actions:create: rule:admin_or_owner + actions:delete: rule:admin_or_owner + actions:get: rule:admin_or_owner + actions:list: rule:admin_or_owner + actions:update: rule:admin_or_owner + cron_triggers:create: rule:admin_or_owner + cron_triggers:delete: rule:admin_or_owner + cron_triggers:get: rule:admin_or_owner + cron_triggers:list: rule:admin_or_owner + environments:create: rule:admin_or_owner + environments:delete: rule:admin_or_owner + environments:get: rule:admin_or_owner + environments:list: rule:admin_or_owner + environments:update: rule:admin_or_owner + executions:create: rule:admin_or_owner + executions:delete: rule:admin_or_owner + executions:get: rule:admin_or_owner + executions:list: rule:admin_or_owner + executions:update: rule:admin_or_owner + members:create: rule:admin_or_owner + members:delete: rule:admin_or_owner + members:get: rule:admin_or_owner + members:list: rule:admin_or_owner + members:update: rule:admin_or_owner + services:list: rule:admin_or_owner + tasks:get: rule:admin_or_owner + tasks:list: rule:admin_or_owner + tasks:update: rule:admin_or_owner + workbooks:create: rule:admin_or_owner + workbooks:delete: rule:admin_or_owner + workbooks:get: rule:admin_or_owner + workbooks:list: rule:admin_or_owner + workbooks:update: rule:admin_or_owner + workflows:create: rule:admin_or_owner + workflows:delete: rule:admin_or_owner + workflows:get: rule:admin_or_owner + workflows:list: rule:admin_or_owner + workflows:update: rule:admin_or_owner + event_triggers:create: rule:admin_or_owner + event_triggers:delete: rule:admin_or_owner + 
event_triggers:get: rule:admin_or_owner
+ event_triggers:list: rule:admin_or_owner
+ event_triggers:update: rule:admin_or_owner
 mistral:
 override:
 append:
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 6b81df7dff..47f02fca85 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -93,7 +93,7 @@ data:
 api-paste.ini: |+
 {{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
 dhcp_agent.ini: |+
 {{- tuple .Values.conf.dhcp_agent "etc/_dhcp_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 l3_agent.ini: |+
diff --git a/neutron/templates/etc/_policy.json.tpl b/neutron/templates/etc/_policy.json.tpl
deleted file mode 100644
index 49e1ae95ef..0000000000
--- a/neutron/templates/etc/_policy.json.tpl
+++ /dev/null
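Review bot: `action_execution:create: rule:admin_or_owner` is the only singular key in a block whose siblings are all `action_executions:*`; the same spelling was in the deleted template, so this hunk preserves it rather than introduces it. If Mistral's enforcement target for that API is `action_executions:create` (worth confirming against the service's policy names), this key never matches and the request falls through to `default: rule:admin_or_owner`, which happens to be the same rule today but would silently diverge the moment an operator tightens `default`. If the target name is confirmed, the fix is the one-line rename `action_executions:create: rule:admin_or_owner`; otherwise a comment naming the target it maps to would stop the next reader from "fixing" it.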
@@ -1,214 +0,0 @@ -{ - "context_is_admin": "role:admin", - "owner": "tenant_id:%(tenant_id)s", - "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", - "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin", - "regular_user": "", - "shared": "field:networks:shared=True", - "shared_subnetpools": "field:subnetpools:shared=True", - "shared_address_scopes": "field:address_scopes:shared=True", - "external": "field:networks:router:external=True", - "default": "rule:admin_or_owner", - - "create_subnet": "rule:admin_or_network_owner", - "create_subnet:segment_id": "rule:admin_only", - "create_subnet:service_types": "rule:admin_only", - "get_subnet": "rule:admin_or_owner or rule:shared", - "get_subnet:segment_id": "rule:admin_only", - "update_subnet": "rule:admin_or_network_owner", - "update_subnet:service_types": "rule:admin_only", - "delete_subnet": "rule:admin_or_network_owner", - - "create_subnetpool": "", - "create_subnetpool:shared": "rule:admin_only", - "create_subnetpool:is_default": "rule:admin_only", - "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", - "update_subnetpool": "rule:admin_or_owner", - "update_subnetpool:is_default": "rule:admin_only", - "delete_subnetpool": "rule:admin_or_owner", - - "create_address_scope": "", - "create_address_scope:shared": "rule:admin_only", - "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", - "update_address_scope": "rule:admin_or_owner", - "update_address_scope:shared": "rule:admin_only", - "delete_address_scope": "rule:admin_or_owner", - - "create_network": "", - "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", - "get_network:router:external": "rule:regular_user", - "get_network:segments": "rule:admin_only", - "get_network:provider:network_type": 
"rule:admin_only", - "get_network:provider:physical_network": "rule:admin_only", - "get_network:provider:segmentation_id": "rule:admin_only", - "get_network:queue_id": "rule:admin_only", - "get_network_ip_availabilities": "rule:admin_only", - "get_network_ip_availability": "rule:admin_only", - "create_network:shared": "rule:admin_only", - "create_network:router:external": "rule:admin_only", - "create_network:is_default": "rule:admin_only", - "create_network:segments": "rule:admin_only", - "create_network:provider:network_type": "rule:admin_only", - "create_network:provider:physical_network": "rule:admin_only", - "create_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", - "update_network:segments": "rule:admin_only", - "update_network:shared": "rule:admin_only", - "update_network:provider:network_type": "rule:admin_only", - "update_network:provider:physical_network": "rule:admin_only", - "update_network:provider:segmentation_id": "rule:admin_only", - "update_network:router:external": "rule:admin_only", - "delete_network": "rule:admin_or_owner", - - "create_segment": "rule:admin_only", - "get_segment": "rule:admin_only", - "update_segment": "rule:admin_only", - "delete_segment": "rule:admin_only", - - "network_device": "field:port:device_owner=~^network:", - "create_port": "", - "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:binding:host_id": "rule:admin_only", - "create_port:binding:profile": "rule:admin_only", - "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:allowed_address_pairs": "rule:admin_or_network_owner", - 
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - "get_port:queue_id": "rule:admin_only", - "get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:vif_details": "rule:admin_only", - "get_port:binding:host_id": "rule:admin_only", - "get_port:binding:profile": "rule:admin_only", - "update_port": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", - "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", - "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:allowed_address_pairs": "rule:admin_or_network_owner", - "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - - "get_router:ha": "rule:admin_only", - "create_router": "rule:regular_user", - "create_router:external_gateway_info:enable_snat": "rule:admin_only", - "create_router:distributed": "rule:admin_only", - "create_router:ha": "rule:admin_only", - "get_router": "rule:admin_or_owner", - "get_router:distributed": "rule:admin_only", - "update_router:external_gateway_info:enable_snat": "rule:admin_only", - "update_router:distributed": "rule:admin_only", - "update_router:ha": "rule:admin_only", - "delete_router": "rule:admin_or_owner", - - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", - - "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - - "insert_rule": "rule:admin_or_owner", - "remove_rule": "rule:admin_or_owner", - - 
"create_qos_queue": "rule:admin_only", - "get_qos_queue": "rule:admin_only", - - "update_agent": "rule:admin_only", - "delete_agent": "rule:admin_only", - "get_agent": "rule:admin_only", - - "create_dhcp-network": "rule:admin_only", - "delete_dhcp-network": "rule:admin_only", - "get_dhcp-networks": "rule:admin_only", - "create_l3-router": "rule:admin_only", - "delete_l3-router": "rule:admin_only", - "get_l3-routers": "rule:admin_only", - "get_dhcp-agents": "rule:admin_only", - "get_l3-agents": "rule:admin_only", - "get_loadbalancer-agent": "rule:admin_only", - "get_loadbalancer-pools": "rule:admin_only", - "get_agent-loadbalancers": "rule:admin_only", - "get_loadbalancer-hosting-agent": "rule:admin_only", - - "create_floatingip": "rule:regular_user", - "create_floatingip:floating_ip_address": "rule:admin_only", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", - "get_floatingip": "rule:admin_or_owner", - - "create_network_profile": "rule:admin_only", - "update_network_profile": "rule:admin_only", - "delete_network_profile": "rule:admin_only", - "get_network_profiles": "", - "get_network_profile": "", - "update_policy_profiles": "rule:admin_only", - "get_policy_profiles": "", - "get_policy_profile": "", - - "create_metering_label": "rule:admin_only", - "delete_metering_label": "rule:admin_only", - "get_metering_label": "rule:admin_only", - - "create_metering_label_rule": "rule:admin_only", - "delete_metering_label_rule": "rule:admin_only", - "get_metering_label_rule": "rule:admin_only", - - "get_service_provider": "rule:regular_user", - "get_lsn": "rule:admin_only", - "create_lsn": "rule:admin_only", - - "create_flavor": "rule:admin_only", - "update_flavor": "rule:admin_only", - "delete_flavor": "rule:admin_only", - "get_flavors": "rule:regular_user", - "get_flavor": "rule:regular_user", - "create_service_profile": "rule:admin_only", - "update_service_profile": "rule:admin_only", - "delete_service_profile": 
"rule:admin_only", - "get_service_profiles": "rule:admin_only", - "get_service_profile": "rule:admin_only", - - "get_policy": "rule:regular_user", - "create_policy": "rule:admin_only", - "update_policy": "rule:admin_only", - "delete_policy": "rule:admin_only", - "get_policy_bandwidth_limit_rule": "rule:regular_user", - "create_policy_bandwidth_limit_rule": "rule:admin_only", - "delete_policy_bandwidth_limit_rule": "rule:admin_only", - "update_policy_bandwidth_limit_rule": "rule:admin_only", - "get_policy_dscp_marking_rule": "rule:regular_user", - "create_policy_dscp_marking_rule": "rule:admin_only", - "delete_policy_dscp_marking_rule": "rule:admin_only", - "update_policy_dscp_marking_rule": "rule:admin_only", - "get_rule_type": "rule:regular_user", - "get_policy_minimum_bandwidth_rule": "rule:regular_user", - "create_policy_minimum_bandwidth_rule": "rule:admin_only", - "delete_policy_minimum_bandwidth_rule": "rule:admin_only", - "update_policy_minimum_bandwidth_rule": "rule:admin_only", - - "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", - "create_rbac_policy": "", - "create_rbac_policy:target_tenant": "rule:restrict_wildcard", - "update_rbac_policy": "rule:admin_or_owner", - "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", - "get_rbac_policy": "rule:admin_or_owner", - "delete_rbac_policy": "rule:admin_or_owner", - - "create_flavor_service_profile": "rule:admin_only", - "delete_flavor_service_profile": "rule:admin_only", - "get_flavor_service_profile": "rule:regular_user", - "get_auto_allocated_topology": "rule:admin_or_owner", - - "create_trunk": "rule:regular_user", - "get_trunk": "rule:admin_or_owner", - "delete_trunk": "rule:admin_or_owner", - "get_subports": "", - "add_subports": "rule:admin_or_owner", - "remove_subports": "rule:admin_or_owner" -} diff --git a/neutron/values.yaml b/neutron/values.yaml index 251f4e2230..335c5d5d00 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml 
@@ -365,8 +365,195 @@ conf:
override:
append:
policy:
- override:
- append:
+ context_is_admin: role:admin
+ owner: tenant_id:%(tenant_id)s
+ admin_or_owner: rule:context_is_admin or rule:owner
+ context_is_advsvc: role:advsvc
+ admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
+ admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
+ admin_only: rule:context_is_admin
+ regular_user: ''
+ shared: field:networks:shared=True
+ shared_subnetpools: field:subnetpools:shared=True
+ shared_address_scopes: field:address_scopes:shared=True
+ external: field:networks:router:external=True
+ default: rule:admin_or_owner
+ create_subnet: rule:admin_or_network_owner
+ create_subnet:segment_id: rule:admin_only
+ create_subnet:service_types: rule:admin_only
+ get_subnet: rule:admin_or_owner or rule:shared
+ get_subnet:segment_id: rule:admin_only
+ update_subnet: rule:admin_or_network_owner
+ update_subnet:service_types: rule:admin_only
+ delete_subnet: rule:admin_or_network_owner
+ create_subnetpool: ''
+ create_subnetpool:shared: rule:admin_only
+ create_subnetpool:is_default: rule:admin_only
+ get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
+ update_subnetpool: rule:admin_or_owner
+ update_subnetpool:is_default: rule:admin_only
+ delete_subnetpool: rule:admin_or_owner
+ create_address_scope: ''
+ create_address_scope:shared: rule:admin_only
+ get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
+ update_address_scope: rule:admin_or_owner
+ update_address_scope:shared: rule:admin_only
+ delete_address_scope: rule:admin_or_owner
+ create_network: ''
+ get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
+ get_network:router:external: rule:regular_user
+ get_network:segments: rule:admin_only
+ get_network:provider:network_type: rule:admin_only
+ get_network:provider:physical_network: rule:admin_only
+ get_network:provider:segmentation_id: rule:admin_only
+ get_network:queue_id: rule:admin_only
+ get_network_ip_availabilities: rule:admin_only
+ get_network_ip_availability: rule:admin_only
+ create_network:shared: rule:admin_only
+ create_network:router:external: rule:admin_only
+ create_network:is_default: rule:admin_only
+ create_network:segments: rule:admin_only
+ create_network:provider:network_type: rule:admin_only
+ create_network:provider:physical_network: rule:admin_only
+ create_network:provider:segmentation_id: rule:admin_only
+ update_network: rule:admin_or_owner
+ update_network:segments: rule:admin_only
+ update_network:shared: rule:admin_only
+ update_network:provider:network_type: rule:admin_only
+ update_network:provider:physical_network: rule:admin_only
+ update_network:provider:segmentation_id: rule:admin_only
+ update_network:router:external: rule:admin_only
+ delete_network: rule:admin_or_owner
+ create_segment: rule:admin_only
+ get_segment: rule:admin_only
+ update_segment: rule:admin_only
+ delete_segment: rule:admin_only
+ network_device: 'field:port:device_owner=~^network:'
+ create_port: ''
+ create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
+ create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
+ create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
+ create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+ create_port:binding:host_id: rule:admin_only
+ create_port:binding:profile: rule:admin_only
+ create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+ create_port:allowed_address_pairs: rule:admin_or_network_owner
+ get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
+ get_port:queue_id: rule:admin_only
+ get_port:binding:vif_type: rule:admin_only
+ get_port:binding:vif_details: rule:admin_only
+ get_port:binding:host_id: rule:admin_only
+ get_port:binding:profile: rule:admin_only
+ update_port: rule:admin_or_owner or rule:context_is_advsvc
+ update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
+ update_port:mac_address: rule:admin_only or rule:context_is_advsvc
+ update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
+ update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+ update_port:binding:host_id: rule:admin_only
+ update_port:binding:profile: rule:admin_only
+ update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
+ update_port:allowed_address_pairs: rule:admin_or_network_owner
+ delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
+ get_router:ha: rule:admin_only
+ create_router: rule:regular_user
+ create_router:external_gateway_info:enable_snat: rule:admin_only
+ create_router:distributed: rule:admin_only
+ create_router:ha: rule:admin_only
+ get_router: rule:admin_or_owner
+ get_router:distributed: rule:admin_only
+ update_router:external_gateway_info:enable_snat: rule:admin_only
+ update_router:distributed: rule:admin_only
+ update_router:ha: rule:admin_only
+ delete_router: rule:admin_or_owner
+ add_router_interface: rule:admin_or_owner
+ remove_router_interface: rule:admin_or_owner
+ create_router:external_gateway_info:external_fixed_ips: rule:admin_only
+ update_router:external_gateway_info:external_fixed_ips: rule:admin_only
+ insert_rule: rule:admin_or_owner
+ remove_rule: rule:admin_or_owner
+ create_qos_queue: rule:admin_only
+ get_qos_queue: rule:admin_only
+ update_agent: rule:admin_only
+ delete_agent: rule:admin_only
+ get_agent: rule:admin_only
+ create_dhcp-network: rule:admin_only
+ delete_dhcp-network: rule:admin_only
+ get_dhcp-networks: rule:admin_only
+ create_l3-router: rule:admin_only
+ delete_l3-router: rule:admin_only
+ get_l3-routers: rule:admin_only
+ get_dhcp-agents: rule:admin_only
+ get_l3-agents: rule:admin_only
+ get_loadbalancer-agent: rule:admin_only
+ get_loadbalancer-pools: rule:admin_only
+ get_agent-loadbalancers: rule:admin_only
+ get_loadbalancer-hosting-agent: rule:admin_only
+ create_floatingip: rule:regular_user
+ create_floatingip:floating_ip_address: rule:admin_only
+ update_floatingip: rule:admin_or_owner
+ delete_floatingip: rule:admin_or_owner
+ get_floatingip: rule:admin_or_owner
+ create_network_profile: rule:admin_only
+ update_network_profile: rule:admin_only
+ delete_network_profile: rule:admin_only
+ get_network_profiles: ''
+ get_network_profile: ''
+ update_policy_profiles: rule:admin_only
+ get_policy_profiles: ''
+ get_policy_profile: ''
+ create_metering_label: rule:admin_only
+ delete_metering_label: rule:admin_only
+ get_metering_label: rule:admin_only
+ create_metering_label_rule: rule:admin_only
+ delete_metering_label_rule: rule:admin_only
+ get_metering_label_rule: rule:admin_only
+ get_service_provider: rule:regular_user
+ get_lsn: rule:admin_only
+ create_lsn: rule:admin_only
+ create_flavor: rule:admin_only
+ update_flavor: rule:admin_only
+ delete_flavor: rule:admin_only
+ get_flavors: rule:regular_user
+ get_flavor: rule:regular_user
+ create_service_profile: rule:admin_only
+ update_service_profile: rule:admin_only
+ delete_service_profile: rule:admin_only
+ get_service_profiles: rule:admin_only
+ get_service_profile: rule:admin_only
+ get_policy: rule:regular_user
+ create_policy: rule:admin_only
+ update_policy: rule:admin_only
+ delete_policy: rule:admin_only
+ get_policy_bandwidth_limit_rule: rule:regular_user
+ create_policy_bandwidth_limit_rule: rule:admin_only
+ delete_policy_bandwidth_limit_rule: rule:admin_only
+ update_policy_bandwidth_limit_rule: rule:admin_only
+ get_policy_dscp_marking_rule: rule:regular_user
+ create_policy_dscp_marking_rule: rule:admin_only
+ delete_policy_dscp_marking_rule: rule:admin_only
+ update_policy_dscp_marking_rule: rule:admin_only
+ get_rule_type: rule:regular_user
+ get_policy_minimum_bandwidth_rule: rule:regular_user
+ create_policy_minimum_bandwidth_rule: rule:admin_only
+ delete_policy_minimum_bandwidth_rule: rule:admin_only
+ update_policy_minimum_bandwidth_rule: rule:admin_only
+ restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+ create_rbac_policy: ''
+ create_rbac_policy:target_tenant: rule:restrict_wildcard
+ update_rbac_policy: rule:admin_or_owner
+ update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
+ get_rbac_policy: rule:admin_or_owner
+ delete_rbac_policy: rule:admin_or_owner
+ create_flavor_service_profile: rule:admin_only
+ delete_flavor_service_profile: rule:admin_only
+ get_flavor_service_profile: rule:regular_user
+ get_auto_allocated_topology: rule:admin_or_owner
+ create_trunk: rule:regular_user
+ get_trunk: rule:admin_or_owner
+ delete_trunk: rule:admin_or_owner
+ get_subports: ''
+ add_subports: rule:admin_or_owner
+ remove_subports: rule:admin_or_owner
neutron_sudoers:
override:
append:
diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml
index 73413a0826..9da8c5c6a8 100644
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@@ -75,5 +75,5 @@ data:
api-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
-{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}
diff --git a/senlin/templates/etc/_policy.json.tpl b/senlin/templates/etc/_policy.json.tpl
deleted file mode 100644
index d4e154600d..0000000000
--- a/senlin/templates/etc/_policy.json.tpl
+++ /dev/null
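Review bot: The `policy:` map now loses its `override:`/`append:` hooks while the neighbouring `neutron_sudoers:` block at the end of the hunk keeps them, and nothing in the hunk tells an operator that the difference is deliberate; an existing values file that still sets `conf.policy.override` (the old hook) would, if neutron's configmap now renders the map with `toJson` the way the senlin change in this commit does (the neutron template change is outside this chunk), emit `override`/`append` as literal rule names and silently drop the intended customisation. I would put a short comment at the head of the block, e.g. `# Rendered verbatim into policy.json; keys are oslo.policy rule names, and a '' value allows any authenticated user — override individual keys, the override:/append: hooks no longer apply here`, and mention the migration in the commit message or release notes. Every value in the map is a string; the two that needed quoting (`network_device`, `restrict_wildcard`) are quoted, so there is no YAML retyping issue to flag.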
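Review bot: The new `policy.json: |+` line renders `.Values.conf.policy` with no guard, so an operator who sets `conf.policy` to null (or leaves it empty to fall back to in-code policy defaults) gets the literal text `null` as the contents of policy.json, which is not a rules document; the old `configmap_templater` path did not have this failure mode. A one-line fix is to render an empty object instead, `{{ toJson (.Values.conf.policy | default dict) | indent 4 }}`, or to wrap the key in `{{- if .Values.conf.policy }}`. The same pattern is presumably used by the barbican configmap change in this commit, which would want the same treatment.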
@@ -1,49 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "deny_everybody": "!",
-
- "build_info:build_info": "",
- "profile_types:index": "",
- "profile_types:get": "",
- "policy_types:index": "",
- "policy_types:get": "",
- "clusters:index": "",
- "clusters:create": "",
- "clusters:delete": "",
- "clusters:get": "",
- "clusters:action": "",
- "clusters:update": "",
- "clusters:collect": "",
- "profiles:index": "",
- "profiles:create": "",
- "profiles:get": "",
- "profiles:delete": "",
- "profiles:update": "",
- "profiles:validate": "",
- "nodes:index": "",
- "nodes:create": "",
- "nodes:get": "",
- "nodes:action": "",
- "nodes:update": "",
- "nodes:delete": "",
- "policies:index": "",
- "policies:create": "",
- "policies:get": "",
- "policies:update": "",
- "policies:delete": "",
- "policies:validate": "",
- "cluster_policies:index": "",
- "cluster_policies:attach": "",
- "cluster_policies:detach": "",
- "cluster_policies:update": "",
- "cluster_policies:get": "",
- "receivers:index": "",
- "receivers:create": "",
- "receivers:get": "",
- "receivers:delete": "",
- "actions:index": "",
- "actions:get": "",
- "events:index": "",
- "events:get": "",
- "webhooks:trigger": ""
-}
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 7760872859..ab49e4b3e5 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -40,8 +40,52 @@ conf:
override:
append:
policy:
- override:
- append:
+ context_is_admin: role:admin
+ deny_everybody: "!"
+ build_info:build_info: ''
+ profile_types:index: ''
+ profile_types:get: ''
+ policy_types:index: ''
+ policy_types:get: ''
+ clusters:index: ''
+ clusters:create: ''
+ clusters:delete: ''
+ clusters:get: ''
+ clusters:action: ''
+ clusters:update: ''
+ clusters:collect: ''
+ profiles:index: ''
+ profiles:create: ''
+ profiles:get: ''
+ profiles:delete: ''
+ profiles:update: ''
+ profiles:validate: ''
+ nodes:index: ''
+ nodes:create: ''
+ nodes:get: ''
+ nodes:action: ''
+ nodes:update: ''
+ nodes:delete: ''
+ policies:index: ''
+ policies:create: ''
+ policies:get: ''
+ policies:update: ''
+ policies:delete: ''
+ policies:validate: ''
+ cluster_policies:index: ''
+ cluster_policies:attach: ''
+ cluster_policies:detach: ''
+ cluster_policies:update: ''
+ cluster_policies:get: ''
+ receivers:index: ''
+ receivers:create: ''
+ receivers:get: ''
+ receivers:delete: ''
+ actions:index: ''
+ actions:get: ''
+ events:index: ''
+ events:get: ''
+ webhooks:trigger: ''
senlin:
override:
append:
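Review bot: Every action rule in the new `policy:` map is `''`, which in oslo.policy means any authenticated user may perform it — including `clusters:delete`, `nodes:delete` and `webhooks:trigger` — and the two rules that could tighten that, `context_is_admin` and `deny_everybody`, are defined but referenced by nothing in the block. This mirrors the deleted `_policy.json.tpl`, so it is not a regression, but the values file is now the place operators are expected to edit, and nothing there says what `''` and `"!"` mean. I would add a comment above `context_is_admin`, e.g. `# '' permits any authenticated user; "!" denies everyone; override individual keys in a site values file to restrict actions to rule:context_is_admin`. `deny_everybody: "!"` is correctly quoted (a bare `!` would be read as a tag), which is worth keeping in mind for anyone editing this block later.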