openstack/openstack-helm
Code Issues Proposed changes

Security: Make policy fully configurable via helm values

Browse Source 
This PS moves the policy.json to be fully driven by gotpl,
allowing full configuration without editing the template.

Nova and Cinder are addressed in the seperate patchsets:
 * https://review.openstack.org/#/c/498215/
 * https://review.openstack.org/#/c/498216/

Change-Id: Ia2be5fb4e460d41034fdadbbefc1e48d0869e023
This commit is contained in:
Pete Birley 2017-08-26 17:50:22 -05:00
parent 27864cec04
commit 7cfd182929
24 changed files with 731 additions and 849 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
barbican/templates/configmap-etc.yaml
View File

@ -81,7 +81,7 @@ data:
api_audit_map.conf: |+
{{- tuple .Values.conf.audit_map "etc/_api_audit_map.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.override "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
barbican-api.ini: |+
{{- tuple .Values.conf.barbican_api "etc/_barbican-api.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- end }}

90
barbican/templates/etc/_policy.json.tpl
View File

@ -1,90 +0,0 @@
{
"admin": "role:admin",
"observer": "role:observer",
"creator": "role:creator",
"audit": "role:audit",
"service_admin": "role:key-manager:service-admin",
"admin_or_user_does_not_work": "project_id:%(project_id)s",
"admin_or_user": "rule:admin or project_id:%(project_id)s",
"admin_or_creator": "rule:admin or rule:creator",
"all_but_audit": "rule:admin or rule:observer or rule:creator",
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
"secret_project_match": "project:%(target.secret.project_id)s",
"secret_acl_read": "'read':%(target.secret.read)s",
"secret_private_read": "'False':%(target.secret.read_project_access)s",
"secret_creator_user": "user:%(target.secret.creator_id)s",
"container_project_match": "project:%(target.container.project_id)s",
"container_acl_read": "'read':%(target.container.read)s",
"container_private_read": "'False':%(target.container.read_project_access)s",
"container_creator_user": "user:%(target.container.creator_id)s",
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
"secret_project_admin": "rule:admin and rule:secret_project_match",
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
"container_project_admin": "rule:admin and rule:container_project_match",
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
"version:get": "@",
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
"secret:put": "rule:admin_or_creator and rule:secret_project_match",
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
"secrets:post": "rule:admin_or_creator",
"secrets:get": "rule:all_but_audit",
"orders:post": "rule:admin_or_creator",
"orders:get": "rule:all_but_audit",
"order:get": "rule:all_users",
"order:put": "rule:admin_or_creator",
"order:delete": "rule:admin",
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
"containers:post": "rule:admin_or_creator",
"containers:get": "rule:all_but_audit",
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
"container:delete": "rule:container_project_admin or rule:container_project_creator",
"container_secret:post": "rule:admin",
"container_secret:delete": "rule:admin",
"transport_key:get": "rule:all_users",
"transport_key:delete": "rule:admin",
"transport_keys:get": "rule:all_users",
"transport_keys:post": "rule:admin",
"certificate_authorities:get_limited": "rule:all_users",
"certificate_authorities:get_all": "rule:admin",
"certificate_authorities:post": "rule:admin",
"certificate_authorities:get_preferred_ca": "rule:all_users",
"certificate_authorities:get_global_preferred_ca": "rule:service_admin",
"certificate_authorities:unset_global_preferred": "rule:service_admin",
"certificate_authority:delete": "rule:admin",
"certificate_authority:get": "rule:all_users",
"certificate_authority:get_cacert": "rule:all_users",
"certificate_authority:get_ca_cert_chain": "rule:all_users",
"certificate_authority:get_projects": "rule:service_admin",
"certificate_authority:add_to_project": "rule:admin",
"certificate_authority:remove_from_project": "rule:admin",
"certificate_authority:set_preferred": "rule:admin",
"certificate_authority:set_global_preferred": "rule:service_admin",
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
"container_acls:get": "rule:all_but_audit and rule:container_project_match",
"quotas:get": "rule:all_users",
"project_quotas:get": "rule:service_admin",
"project_quotas:put": "rule:service_admin",
"project_quotas:delete": "rule:service_admin",
"secret_meta:get": "rule:all_but_audit",
"secret_meta:post": "rule:admin_or_creator",
"secret_meta:put": "rule:admin_or_creator",
"secret_meta:delete": "rule:admin_or_creator",
"secretstores:get": "rule:admin",
"secretstores:get_global_default": "rule:admin",
"secretstores:get_preferred": "rule:admin",
"secretstore_preferred:post": "rule:admin",
"secretstore_preferred:delete": "rule:admin",
"secretstore:get": "rule:admin"
}

97
barbican/values.yaml
View File

@ -172,8 +172,101 @@ conf:
override:
append:
policy:
override:
append:
admin: role:admin
observer: role:observer
creator: role:creator
audit: role:audit
service_admin: role:key-manager:service-admin
admin_or_user_does_not_work: project_id:%(project_id)s
admin_or_user: rule:admin or project_id:%(project_id)s
admin_or_creator: rule:admin or rule:creator
all_but_audit: rule:admin or rule:observer or rule:creator
all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
secret_project_match: project:%(target.secret.project_id)s
secret_acl_read: "'read':%(target.secret.read)s"
secret_private_read: "'False':%(target.secret.read_project_access)s"
secret_creator_user: user:%(target.secret.creator_id)s
container_project_match: project:%(target.container.project_id)s
container_acl_read: "'read':%(target.container.read)s"
container_private_read: "'False':%(target.container.read_project_access)s"
container_creator_user: user:%(target.container.creator_id)s
secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
and not rule:secret_private_read
container_non_private_read: rule:all_users and rule:container_project_match and not
rule:container_private_read
secret_project_admin: rule:admin and rule:secret_project_match
secret_project_creator: rule:creator and rule:secret_project_match and rule:secret_creator_user
container_project_admin: rule:admin and rule:container_project_match
container_project_creator: rule:creator and rule:container_project_match and rule:container_creator_user
version:get: "@"
secret:decrypt: rule:secret_decrypt_non_private_read or rule:secret_project_creator
or rule:secret_project_admin or rule:secret_acl_read
secret:get: rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin
or rule:secret_acl_read
secret:put: rule:admin_or_creator and rule:secret_project_match
secret:delete: rule:secret_project_admin or rule:secret_project_creator
secrets:post: rule:admin_or_creator
secrets:get: rule:all_but_audit
orders:post: rule:admin_or_creator
orders:get: rule:all_but_audit
order:get: rule:all_users
order:put: rule:admin_or_creator
order:delete: rule:admin
consumer:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:get: rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read
or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read
consumers:post: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
consumers:delete: rule:admin or rule:container_non_private_read or rule:container_project_creator
or rule:container_project_admin or rule:container_acl_read
containers:post: rule:admin_or_creator
containers:get: rule:all_but_audit
container:get: rule:container_non_private_read or rule:container_project_creator or
rule:container_project_admin or rule:container_acl_read
container:delete: rule:container_project_admin or rule:container_project_creator
container_secret:post: rule:admin
container_secret:delete: rule:admin
transport_key:get: rule:all_users
transport_key:delete: rule:admin
transport_keys:get: rule:all_users
transport_keys:post: rule:admin
certificate_authorities:get_limited: rule:all_users
certificate_authorities:get_all: rule:admin
certificate_authorities:post: rule:admin
certificate_authorities:get_preferred_ca: rule:all_users
certificate_authorities:get_global_preferred_ca: rule:service_admin
certificate_authorities:unset_global_preferred: rule:service_admin
certificate_authority:delete: rule:admin
certificate_authority:get: rule:all_users
certificate_authority:get_cacert: rule:all_users
certificate_authority:get_ca_cert_chain: rule:all_users
certificate_authority:get_projects: rule:service_admin
certificate_authority:add_to_project: rule:admin
certificate_authority:remove_from_project: rule:admin
certificate_authority:set_preferred: rule:admin
certificate_authority:set_global_preferred: rule:service_admin
secret_acls:put_patch: rule:secret_project_admin or rule:secret_project_creator
secret_acls:delete: rule:secret_project_admin or rule:secret_project_creator
secret_acls:get: rule:all_but_audit and rule:secret_project_match
container_acls:put_patch: rule:container_project_admin or rule:container_project_creator
container_acls:delete: rule:container_project_admin or rule:container_project_creator
container_acls:get: rule:all_but_audit and rule:container_project_match
quotas:get: rule:all_users
project_quotas:get: rule:service_admin
project_quotas:put: rule:service_admin
project_quotas:delete: rule:service_admin
secret_meta:get: rule:all_but_audit
secret_meta:post: rule:admin_or_creator
secret_meta:put: rule:admin_or_creator
secret_meta:delete: rule:admin_or_creator
secretstores:get: rule:admin
secretstores:get_global_default: rule:admin
secretstores:get_preferred: rule:admin
secretstore_preferred:post: rule:admin
secretstore_preferred:delete: rule:admin
secretstore:get: rule:admin
audit_map:
override:
append:

2
glance/templates/configmap-etc.yaml
View File

@ -135,5 +135,5 @@ data:
glance-registry-paste.ini: |+
{{- tuple .Values.conf.paste_registry "etc/_glance-registry-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}

61
glance/templates/etc/_policy.json.tpl
View File

@ -1,61 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "role:admin",
"get_tasks": "role:admin",
"add_task": "role:admin",
"modify_task": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}

48
glance/values.yaml
View File

@ -76,8 +76,52 @@ conf:
override:
append:
policy:
override:
append:
context_is_admin: role:admin
default: role:admin
add_image: ''
delete_image: ''
get_image: ''
get_images: ''
modify_image: ''
publicize_image: role:admin
copy_from: ''
download_image: ''
upload_image: ''
delete_image_location: ''
get_image_location: ''
set_image_location: ''
add_member: ''
delete_member: ''
get_member: ''
get_members: ''
modify_member: ''
manage_image_cache: role:admin
get_task: role:admin
get_tasks: role:admin
add_task: role:admin
modify_task: role:admin
deactivate: ''
reactivate: ''
get_metadef_namespace: ''
get_metadef_namespaces: ''
modify_metadef_namespace: ''
add_metadef_namespace: ''
get_metadef_object: ''
get_metadef_objects: ''
modify_metadef_object: ''
add_metadef_object: ''
list_metadef_resource_types: ''
get_metadef_resource_type: ''
add_metadef_resource_type_association: ''
get_metadef_property: ''
get_metadef_properties: ''
modify_metadef_property: ''
add_metadef_property: ''
get_metadef_tag: ''
get_metadef_tags: ''
modify_metadef_tag: ''
add_metadef_tag: ''
add_metadef_tags: ''
glance:
override:
append:

2
heat/templates/configmap-etc.yaml
View File

@ -123,5 +123,5 @@ data:
api-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}

96
heat/templates/etc/_policy.json.tpl
View File

@ -1,96 +0,0 @@
{
"context_is_admin": "role:admin and is_admin_project:True",
"project_admin": "role:admin",
"deny_stack_user": "not role:heat_stack_user",
"deny_everybody": "!",
"cloudformation:ListStacks": "rule:deny_stack_user",
"cloudformation:CreateStack": "rule:deny_stack_user",
"cloudformation:DescribeStacks": "rule:deny_stack_user",
"cloudformation:DeleteStack": "rule:deny_stack_user",
"cloudformation:UpdateStack": "rule:deny_stack_user",
"cloudformation:CancelUpdateStack": "rule:deny_stack_user",
"cloudformation:DescribeStackEvents": "rule:deny_stack_user",
"cloudformation:ValidateTemplate": "rule:deny_stack_user",
"cloudformation:GetTemplate": "rule:deny_stack_user",
"cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
"cloudformation:DescribeStackResource": "",
"cloudformation:DescribeStackResources": "rule:deny_stack_user",
"cloudformation:ListStackResources": "rule:deny_stack_user",
"cloudwatch:DeleteAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
"cloudwatch:DescribeAlarms": "rule:deny_stack_user",
"cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
"cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
"cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
"cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"actions:action": "rule:deny_stack_user",
"build_info:build_info": "rule:deny_stack_user",
"events:index": "rule:deny_stack_user",
"events:show": "rule:deny_stack_user",
"resource:index": "rule:deny_stack_user",
"resource:metadata": "",
"resource:signal": "",
"resource:mark_unhealthy": "rule:deny_stack_user",
"resource:show": "rule:deny_stack_user",
"stacks:abandon": "rule:deny_stack_user",
"stacks:create": "rule:deny_stack_user",
"stacks:delete": "rule:deny_stack_user",
"stacks:detail": "rule:deny_stack_user",
"stacks:export": "rule:deny_stack_user",
"stacks:generate_template": "rule:deny_stack_user",
"stacks:global_index": "rule:deny_everybody",
"stacks:index": "rule:deny_stack_user",
"stacks:list_resource_types": "rule:deny_stack_user",
"stacks:list_template_versions": "rule:deny_stack_user",
"stacks:list_template_functions": "rule:deny_stack_user",
"stacks:lookup": "",
"stacks:preview": "rule:deny_stack_user",
"stacks:resource_schema": "rule:deny_stack_user",
"stacks:show": "rule:deny_stack_user",
"stacks:template": "rule:deny_stack_user",
"stacks:environment": "rule:deny_stack_user",
"stacks:files": "rule:deny_stack_user",
"stacks:update": "rule:deny_stack_user",
"stacks:update_patch": "rule:deny_stack_user",
"stacks:preview_update": "rule:deny_stack_user",
"stacks:preview_update_patch": "rule:deny_stack_user",
"stacks:validate_template": "rule:deny_stack_user",
"stacks:snapshot": "rule:deny_stack_user",
"stacks:show_snapshot": "rule:deny_stack_user",
"stacks:delete_snapshot": "rule:deny_stack_user",
"stacks:list_snapshots": "rule:deny_stack_user",
"stacks:restore_snapshot": "rule:deny_stack_user",
"stacks:list_outputs": "rule:deny_stack_user",
"stacks:show_output": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": "",
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:project_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin",
"resource_types:OS::Cinder::VolumeType": "rule:project_admin",
"resource_types:OS::Cinder::Quota": "rule:project_admin",
"resource_types:OS::Manila::ShareType": "rule:project_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
"resource_types:OS::Nova::HostAggregate": "rule:project_admin",
"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
}

90
heat/values.yaml
View File

@ -42,8 +42,94 @@ conf:
override:
append:
policy:
override:
append:
context_is_admin: role:admin and is_admin_project:True
project_admin: role:admin
deny_stack_user: not role:heat_stack_user
deny_everybody: "!"
cloudformation:ListStacks: rule:deny_stack_user
cloudformation:CreateStack: rule:deny_stack_user
cloudformation:DescribeStacks: rule:deny_stack_user
cloudformation:DeleteStack: rule:deny_stack_user
cloudformation:UpdateStack: rule:deny_stack_user
cloudformation:CancelUpdateStack: rule:deny_stack_user
cloudformation:DescribeStackEvents: rule:deny_stack_user
cloudformation:ValidateTemplate: rule:deny_stack_user
cloudformation:GetTemplate: rule:deny_stack_user
cloudformation:EstimateTemplateCost: rule:deny_stack_user
cloudformation:DescribeStackResource: ''
cloudformation:DescribeStackResources: rule:deny_stack_user
cloudformation:ListStackResources: rule:deny_stack_user
cloudwatch:DeleteAlarms: rule:deny_stack_user
cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
cloudwatch:DescribeAlarms: rule:deny_stack_user
cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
cloudwatch:DisableAlarmActions: rule:deny_stack_user
cloudwatch:EnableAlarmActions: rule:deny_stack_user
cloudwatch:GetMetricStatistics: rule:deny_stack_user
cloudwatch:ListMetrics: rule:deny_stack_user
cloudwatch:PutMetricAlarm: rule:deny_stack_user
cloudwatch:PutMetricData: ''
cloudwatch:SetAlarmState: rule:deny_stack_user
actions:action: rule:deny_stack_user
build_info:build_info: rule:deny_stack_user
events:index: rule:deny_stack_user
events:show: rule:deny_stack_user
resource:index: rule:deny_stack_user
resource:metadata: ''
resource:signal: ''
resource:mark_unhealthy: rule:deny_stack_user
resource:show: rule:deny_stack_user
stacks:abandon: rule:deny_stack_user
stacks:create: rule:deny_stack_user
stacks:delete: rule:deny_stack_user
stacks:detail: rule:deny_stack_user
stacks:export: rule:deny_stack_user
stacks:generate_template: rule:deny_stack_user
stacks:global_index: rule:deny_everybody
stacks:index: rule:deny_stack_user
stacks:list_resource_types: rule:deny_stack_user
stacks:list_template_versions: rule:deny_stack_user
stacks:list_template_functions: rule:deny_stack_user
stacks:lookup: ''
stacks:preview: rule:deny_stack_user
stacks:resource_schema: rule:deny_stack_user
stacks:show: rule:deny_stack_user
stacks:template: rule:deny_stack_user
stacks:environment: rule:deny_stack_user
stacks:files: rule:deny_stack_user
stacks:update: rule:deny_stack_user
stacks:update_patch: rule:deny_stack_user
stacks:preview_update: rule:deny_stack_user
stacks:preview_update_patch: rule:deny_stack_user
stacks:validate_template: rule:deny_stack_user
stacks:snapshot: rule:deny_stack_user
stacks:show_snapshot: rule:deny_stack_user
stacks:delete_snapshot: rule:deny_stack_user
stacks:list_snapshots: rule:deny_stack_user
stacks:restore_snapshot: rule:deny_stack_user
stacks:list_outputs: rule:deny_stack_user
stacks:show_output: rule:deny_stack_user
software_configs:global_index: rule:deny_everybody
software_configs:index: rule:deny_stack_user
software_configs:create: rule:deny_stack_user
software_configs:show: rule:deny_stack_user
software_configs:delete: rule:deny_stack_user
software_deployments:index: rule:deny_stack_user
software_deployments:create: rule:deny_stack_user
software_deployments:show: rule:deny_stack_user
software_deployments:update: rule:deny_stack_user
software_deployments:delete: rule:deny_stack_user
software_deployments:metadata: ''
service:index: rule:context_is_admin
resource_types:OS::Nova::Flavor: rule:project_admin
resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
resource_types:OS::Cinder::VolumeType: rule:project_admin
resource_types:OS::Cinder::Quota: rule:project_admin
resource_types:OS::Manila::ShareType: rule:project_admin
resource_types:OS::Neutron::QoSPolicy: rule:project_admin
resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
resource_types:OS::Nova::HostAggregate: rule:project_admin
resource_types:OS::Cinder::QoSSpecs: rule:project_admin
heat:
override:
append:

2
keystone/templates/configmap-etc.yaml
View File

@ -44,7 +44,7 @@ data:
keystone-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
mpm_event.conf: |+
{{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
wsgi-keystone.conf: |+

199
keystone/templates/etc/_policy.json.tpl
View File

@ -1,199 +0,0 @@
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_or_owner",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:get_domain_role": "rule:admin_required",
"identity:list_domain_roles": "rule:admin_required",
"identity:create_domain_role": "rule:admin_required",
"identity:update_domain_role": "rule:admin_required",
"identity:delete_domain_role": "rule:admin_required",
"identity:get_implied_role": "rule:admin_required ",
"identity:list_implied_roles": "rule:admin_required",
"identity:create_implied_role": "rule:admin_required",
"identity:delete_implied_role": "rule:admin_required",
"identity:list_role_inference_rules": "rule:admin_required",
"identity:check_implied_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:list_role_assignments_for_tree": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_or_token_subject",
"identity:validate_token": "rule:service_admin_or_token_subject",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_user": "",
"identity:list_domains_for_user": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
"identity:create_policy_association_for_service": "rule:admin_required",
"identity:check_policy_association_for_service": "rule:admin_required",
"identity:delete_policy_association_for_service": "rule:admin_required",
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required",
"identity:get_domain_config_default": "rule:admin_required"
}

168
keystone/values.yaml
View File

@ -248,8 +248,172 @@ conf:
override:
append:
policy:
override:
append:
admin_required: role:admin or is_admin:1
service_role: role:service
service_or_admin: rule:admin_required or rule:service_role
owner: user_id:%(user_id)s
admin_or_owner: rule:admin_required or rule:owner
token_subject: user_id:%(target.token.user_id)s
admin_or_token_subject: rule:admin_required or rule:token_subject
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
default: rule:admin_required
identity:get_region: ''
identity:list_regions: ''
identity:create_region: rule:admin_required
identity:update_region: rule:admin_required
identity:delete_region: rule:admin_required
identity:get_service: rule:admin_required
identity:list_services: rule:admin_required
identity:create_service: rule:admin_required
identity:update_service: rule:admin_required
identity:delete_service: rule:admin_required
identity:get_endpoint: rule:admin_required
identity:list_endpoints: rule:admin_required
identity:create_endpoint: rule:admin_required
identity:update_endpoint: rule:admin_required
identity:delete_endpoint: rule:admin_required
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
identity:list_domains: rule:admin_required
identity:create_domain: rule:admin_required
identity:update_domain: rule:admin_required
identity:delete_domain: rule:admin_required
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
identity:list_projects: rule:admin_required
identity:list_user_projects: rule:admin_or_owner
identity:create_project: rule:admin_required
identity:update_project: rule:admin_required
identity:delete_project: rule:admin_required
identity:get_user: rule:admin_or_owner
identity:list_users: rule:admin_required
identity:create_user: rule:admin_required
identity:update_user: rule:admin_required
identity:delete_user: rule:admin_required
identity:change_password: rule:admin_or_owner
identity:get_group: rule:admin_required
identity:list_groups: rule:admin_required
identity:list_groups_for_user: rule:admin_or_owner
identity:create_group: rule:admin_required
identity:update_group: rule:admin_required
identity:delete_group: rule:admin_required
identity:list_users_in_group: rule:admin_required
identity:remove_user_from_group: rule:admin_required
identity:check_user_in_group: rule:admin_required
identity:add_user_to_group: rule:admin_required
identity:get_credential: rule:admin_required
identity:list_credentials: rule:admin_required
identity:create_credential: rule:admin_required
identity:update_credential: rule:admin_required
identity:delete_credential: rule:admin_required
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_list_credentials: rule:admin_or_owner
identity:ec2_create_credential: rule:admin_or_owner
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:get_role: rule:admin_required
identity:list_roles: rule:admin_required
identity:create_role: rule:admin_required
identity:update_role: rule:admin_required
identity:delete_role: rule:admin_required
identity:get_domain_role: rule:admin_required
identity:list_domain_roles: rule:admin_required
identity:create_domain_role: rule:admin_required
identity:update_domain_role: rule:admin_required
identity:delete_domain_role: rule:admin_required
identity:get_implied_role: 'rule:admin_required '
identity:list_implied_roles: rule:admin_required
identity:create_implied_role: rule:admin_required
identity:delete_implied_role: rule:admin_required
identity:list_role_inference_rules: rule:admin_required
identity:check_implied_role: rule:admin_required
identity:check_grant: rule:admin_required
identity:list_grants: rule:admin_required
identity:create_grant: rule:admin_required
identity:revoke_grant: rule:admin_required
identity:list_role_assignments: rule:admin_required
identity:list_role_assignments_for_tree: rule:admin_required
identity:get_policy: rule:admin_required
identity:list_policies: rule:admin_required
identity:create_policy: rule:admin_required
identity:update_policy: rule:admin_required
identity:delete_policy: rule:admin_required
identity:check_token: rule:admin_or_token_subject
identity:validate_token: rule:service_admin_or_token_subject
identity:validate_token_head: rule:service_or_admin
identity:revocation_list: rule:service_or_admin
identity:revoke_token: rule:admin_or_token_subject
identity:create_trust: user_id:%(trust.trustor_user_id)s
identity:list_trusts: ''
identity:list_roles_for_trust: ''
identity:get_role_for_trust: ''
identity:delete_trust: ''
identity:create_consumer: rule:admin_required
identity:get_consumer: rule:admin_required
identity:list_consumers: rule:admin_required
identity:delete_consumer: rule:admin_required
identity:update_consumer: rule:admin_required
identity:authorize_request_token: rule:admin_required
identity:list_access_token_roles: rule:admin_required
identity:get_access_token_role: rule:admin_required
identity:list_access_tokens: rule:admin_required
identity:get_access_token: rule:admin_required
identity:delete_access_token: rule:admin_required
identity:list_projects_for_endpoint: rule:admin_required
identity:add_endpoint_to_project: rule:admin_required
identity:check_endpoint_in_project: rule:admin_required
identity:list_endpoints_for_project: rule:admin_required
identity:remove_endpoint_from_project: rule:admin_required
identity:create_endpoint_group: rule:admin_required
identity:list_endpoint_groups: rule:admin_required
identity:get_endpoint_group: rule:admin_required
identity:update_endpoint_group: rule:admin_required
identity:delete_endpoint_group: rule:admin_required
identity:list_projects_associated_with_endpoint_group: rule:admin_required
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
identity:get_endpoint_group_in_project: rule:admin_required
identity:list_endpoint_groups_for_project: rule:admin_required
identity:add_endpoint_group_to_project: rule:admin_required
identity:remove_endpoint_group_from_project: rule:admin_required
identity:create_identity_provider: rule:admin_required
identity:list_identity_providers: rule:admin_required
identity:get_identity_providers: rule:admin_required
identity:update_identity_provider: rule:admin_required
identity:delete_identity_provider: rule:admin_required
identity:create_protocol: rule:admin_required
identity:update_protocol: rule:admin_required
identity:get_protocol: rule:admin_required
identity:list_protocols: rule:admin_required
identity:delete_protocol: rule:admin_required
identity:create_mapping: rule:admin_required
identity:get_mapping: rule:admin_required
identity:list_mappings: rule:admin_required
identity:delete_mapping: rule:admin_required
identity:update_mapping: rule:admin_required
identity:create_service_provider: rule:admin_required
identity:list_service_providers: rule:admin_required
identity:get_service_provider: rule:admin_required
identity:update_service_provider: rule:admin_required
identity:delete_service_provider: rule:admin_required
identity:get_auth_catalog: ''
identity:get_auth_projects: ''
identity:get_auth_domains: ''
identity:list_projects_for_user: ''
identity:list_domains_for_user: ''
identity:list_revoke_events: ''
identity:create_policy_association_for_endpoint: rule:admin_required
identity:check_policy_association_for_endpoint: rule:admin_required
identity:delete_policy_association_for_endpoint: rule:admin_required
identity:create_policy_association_for_service: rule:admin_required
identity:check_policy_association_for_service: rule:admin_required
identity:delete_policy_association_for_service: rule:admin_required
identity:create_policy_association_for_region_and_service: rule:admin_required
identity:check_policy_association_for_region_and_service: rule:admin_required
identity:delete_policy_association_for_region_and_service: rule:admin_required
identity:get_policy_for_endpoint: rule:admin_required
identity:list_endpoints_for_policy: rule:admin_required
identity:create_domain_config: rule:admin_required
identity:get_domain_config: rule:admin_required
identity:update_domain_config: rule:admin_required
identity:delete_domain_config: rule:admin_required
identity:get_domain_config_default: rule:admin_required
mpm_event:
override:
append:

2
magnum/templates/configmap-etc.yaml
View File

@ -75,5 +75,5 @@ data:
api-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}

51
magnum/templates/etc/_policy.json.tpl
View File

@ -1,51 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"cluster_user": "user_id:%(trustee_user_id)s",
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
"bay:create": "rule:deny_cluster_user",
"bay:delete": "rule:deny_cluster_user",
"bay:detail": "rule:deny_cluster_user",
"bay:get": "rule:deny_cluster_user",
"bay:get_all": "rule:deny_cluster_user",
"bay:update": "rule:deny_cluster_user",
"baymodel:create": "rule:deny_cluster_user",
"baymodel:delete": "rule:deny_cluster_user",
"baymodel:detail": "rule:deny_cluster_user",
"baymodel:get": "rule:deny_cluster_user",
"baymodel:get_all": "rule:deny_cluster_user",
"baymodel:update": "rule:deny_cluster_user",
"baymodel:publish": "rule:admin_or_owner",
"cluster:create": "rule:deny_cluster_user",
"cluster:delete": "rule:deny_cluster_user",
"cluster:detail": "rule:deny_cluster_user",
"cluster:get": "rule:deny_cluster_user",
"cluster:get_all": "rule:deny_cluster_user",
"cluster:update": "rule:deny_cluster_user",
"clustertemplate:create": "rule:deny_cluster_user",
"clustertemplate:delete": "rule:deny_cluster_user",
"clustertemplate:detail": "rule:deny_cluster_user",
"clustertemplate:get": "rule:deny_cluster_user",
"clustertemplate:get_all": "rule:deny_cluster_user",
"clustertemplate:update": "rule:deny_cluster_user",
"clustertemplate:publish": "rule:admin_or_owner",
"rc:create": "rule:default",
"rc:delete": "rule:default",
"rc:detail": "rule:default",
"rc:get": "rule:default",
"rc:get_all": "rule:default",
"rc:update": "rule:default",
"certificate:create": "rule:admin_or_user or rule:cluster_user",
"certificate:get": "rule:admin_or_user or rule:cluster_user",
"magnum-service:get_all": "rule:admin_api"
}

44
magnum/values.yaml
View File

@ -40,8 +40,48 @@ conf:
override:
append:
policy:
override:
append:
context_is_admin: role:admin
admin_or_owner: is_admin:True or project_id:%(project_id)s
default: rule:admin_or_owner
admin_api: rule:context_is_admin
admin_or_user: is_admin:True or user_id:%(user_id)s
cluster_user: user_id:%(trustee_user_id)s
deny_cluster_user: not domain_id:%(trustee_domain_id)s
bay:create: rule:deny_cluster_user
bay:delete: rule:deny_cluster_user
bay:detail: rule:deny_cluster_user
bay:get: rule:deny_cluster_user
bay:get_all: rule:deny_cluster_user
bay:update: rule:deny_cluster_user
baymodel:create: rule:deny_cluster_user
baymodel:delete: rule:deny_cluster_user
baymodel:detail: rule:deny_cluster_user
baymodel:get: rule:deny_cluster_user
baymodel:get_all: rule:deny_cluster_user
baymodel:update: rule:deny_cluster_user
baymodel:publish: rule:admin_or_owner
cluster:create: rule:deny_cluster_user
cluster:delete: rule:deny_cluster_user
cluster:detail: rule:deny_cluster_user
cluster:get: rule:deny_cluster_user
cluster:get_all: rule:deny_cluster_user
cluster:update: rule:deny_cluster_user
clustertemplate:create: rule:deny_cluster_user
clustertemplate:delete: rule:deny_cluster_user
clustertemplate:detail: rule:deny_cluster_user
clustertemplate:get: rule:deny_cluster_user
clustertemplate:get_all: rule:deny_cluster_user
clustertemplate:update: rule:deny_cluster_user
clustertemplate:publish: rule:admin_or_owner
rc:create: rule:default
rc:delete: rule:default
rc:detail: rule:default
rc:get: rule:default
rc:get_all: rule:default
rc:update: rule:default
certificate:create: rule:admin_or_user or rule:cluster_user
certificate:get: rule:admin_or_user or rule:cluster_user
magnum-service:get_all: rule:admin_api
magnum:
override:
append:

2
mistral/templates/configmap-etc.yaml
View File

@ -72,5 +72,5 @@ data:
mistral.conf: |+
{{- tuple .Values.conf.mistral "etc/_mistral.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}

65
mistral/templates/etc/_policy.json.tpl
View File

@ -1,65 +0,0 @@
{
"admin_only": "is_admin:True",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"action_executions:delete": "rule:admin_or_owner",
"action_execution:create": "rule:admin_or_owner",
"action_executions:get": "rule:admin_or_owner",
"action_executions:list": "rule:admin_or_owner",
"action_executions:update": "rule:admin_or_owner",
"actions:create": "rule:admin_or_owner",
"actions:delete": "rule:admin_or_owner",
"actions:get": "rule:admin_or_owner",
"actions:list": "rule:admin_or_owner",
"actions:update": "rule:admin_or_owner",
"cron_triggers:create": "rule:admin_or_owner",
"cron_triggers:delete": "rule:admin_or_owner",
"cron_triggers:get": "rule:admin_or_owner",
"cron_triggers:list": "rule:admin_or_owner",
"environments:create": "rule:admin_or_owner",
"environments:delete": "rule:admin_or_owner",
"environments:get": "rule:admin_or_owner",
"environments:list": "rule:admin_or_owner",
"environments:update": "rule:admin_or_owner",
"executions:create": "rule:admin_or_owner",
"executions:delete": "rule:admin_or_owner",
"executions:get": "rule:admin_or_owner",
"executions:list": "rule:admin_or_owner",
"executions:update": "rule:admin_or_owner",
"members:create": "rule:admin_or_owner",
"members:delete": "rule:admin_or_owner",
"members:get": "rule:admin_or_owner",
"members:list": "rule:admin_or_owner",
"members:update": "rule:admin_or_owner",
"services:list": "rule:admin_or_owner",
"tasks:get": "rule:admin_or_owner",
"tasks:list": "rule:admin_or_owner",
"tasks:update": "rule:admin_or_owner",
"workbooks:create": "rule:admin_or_owner",
"workbooks:delete": "rule:admin_or_owner",
"workbooks:get": "rule:admin_or_owner",
"workbooks:list": "rule:admin_or_owner",
"workbooks:update": "rule:admin_or_owner",
"workflows:create": "rule:admin_or_owner",
"workflows:delete": "rule:admin_or_owner",
"workflows:get": "rule:admin_or_owner",
"workflows:list": "rule:admin_or_owner",
"workflows:update": "rule:admin_or_owner",
"event_triggers:create": "rule:admin_or_owner",
"event_triggers:delete": "rule:admin_or_owner",
"event_triggers:get": "rule:admin_or_owner",
"event_triggers:list": "rule:admin_or_owner",
"event_triggers:update": "rule:admin_or_owner"
}

53
mistral/values.yaml
View File

@ -211,8 +211,57 @@ endpoints:
conf:
policy:
override:
append:
admin_only: is_admin:True
admin_or_owner: is_admin:True or project_id:%(project_id)s
default: rule:admin_or_owner
action_executions:delete: rule:admin_or_owner
action_execution:create: rule:admin_or_owner
action_executions:get: rule:admin_or_owner
action_executions:list: rule:admin_or_owner
action_executions:update: rule:admin_or_owner
actions:create: rule:admin_or_owner
actions:delete: rule:admin_or_owner
actions:get: rule:admin_or_owner
actions:list: rule:admin_or_owner
actions:update: rule:admin_or_owner
cron_triggers:create: rule:admin_or_owner
cron_triggers:delete: rule:admin_or_owner
cron_triggers:get: rule:admin_or_owner
cron_triggers:list: rule:admin_or_owner
environments:create: rule:admin_or_owner
environments:delete: rule:admin_or_owner
environments:get: rule:admin_or_owner
environments:list: rule:admin_or_owner
environments:update: rule:admin_or_owner
executions:create: rule:admin_or_owner
executions:delete: rule:admin_or_owner
executions:get: rule:admin_or_owner
executions:list: rule:admin_or_owner
executions:update: rule:admin_or_owner
members:create: rule:admin_or_owner
members:delete: rule:admin_or_owner
members:get: rule:admin_or_owner
members:list: rule:admin_or_owner
members:update: rule:admin_or_owner
services:list: rule:admin_or_owner
tasks:get: rule:admin_or_owner
tasks:list: rule:admin_or_owner
tasks:update: rule:admin_or_owner
workbooks:create: rule:admin_or_owner
workbooks:delete: rule:admin_or_owner
workbooks:get: rule:admin_or_owner
workbooks:list: rule:admin_or_owner
workbooks:update: rule:admin_or_owner
workflows:create: rule:admin_or_owner
workflows:delete: rule:admin_or_owner
workflows:get: rule:admin_or_owner
workflows:list: rule:admin_or_owner
workflows:update: rule:admin_or_owner
event_triggers:create: rule:admin_or_owner
event_triggers:delete: rule:admin_or_owner
event_triggers:get: rule:admin_or_owner
event_triggers:list: rule:admin_or_owner
event_triggers:update: rule:admin_or_owner
mistral:
override:
append:

2
neutron/templates/configmap-etc.yaml
View File

@ -93,7 +93,7 @@ data:
api-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
dhcp_agent.ini: |+
{{- tuple .Values.conf.dhcp_agent "etc/_dhcp_agent.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
l3_agent.ini: |+

214
neutron/templates/etc/_policy.json.tpl
View File

@ -1,214 +0,0 @@
{
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"shared": "field:networks:shared=True",
"shared_subnetpools": "field:subnetpools:shared=True",
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
"create_subnet:service_types": "rule:admin_only",
"get_subnet": "rule:admin_or_owner or rule:shared",
"get_subnet:segment_id": "rule:admin_only",
"update_subnet": "rule:admin_or_network_owner",
"update_subnet:service_types": "rule:admin_only",
"delete_subnet": "rule:admin_or_network_owner",
"create_subnetpool": "",
"create_subnetpool:shared": "rule:admin_only",
"create_subnetpool:is_default": "rule:admin_only",
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
"update_subnetpool": "rule:admin_or_owner",
"update_subnetpool:is_default": "rule:admin_only",
"delete_subnetpool": "rule:admin_or_owner",
"create_address_scope": "",
"create_address_scope:shared": "rule:admin_only",
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
"update_address_scope": "rule:admin_or_owner",
"update_address_scope:shared": "rule:admin_only",
"delete_address_scope": "rule:admin_or_owner",
"create_network": "",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"get_network:queue_id": "rule:admin_only",
"get_network_ip_availabilities": "rule:admin_only",
"get_network_ip_availability": "rule:admin_only",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:is_default": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"update_network:router:external": "rule:admin_only",
"delete_network": "rule:admin_or_owner",
"create_segment": "rule:admin_only",
"get_segment": "rule:admin_only",
"update_segment": "rule:admin_only",
"delete_segment": "rule:admin_only",
"network_device": "field:port:device_owner=~^network:",
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"insert_rule": "rule:admin_or_owner",
"remove_rule": "rule:admin_or_owner",
"create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"get_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_loadbalancer-agent": "rule:admin_only",
"get_loadbalancer-pools": "rule:admin_only",
"get_agent-loadbalancers": "rule:admin_only",
"get_loadbalancer-hosting-agent": "rule:admin_only",
"create_floatingip": "rule:regular_user",
"create_floatingip:floating_ip_address": "rule:admin_only",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"get_floatingip": "rule:admin_or_owner",
"create_network_profile": "rule:admin_only",
"update_network_profile": "rule:admin_only",
"delete_network_profile": "rule:admin_only",
"get_network_profiles": "",
"get_network_profile": "",
"update_policy_profiles": "rule:admin_only",
"get_policy_profiles": "",
"get_policy_profile": "",
"create_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"get_lsn": "rule:admin_only",
"create_lsn": "rule:admin_only",
"create_flavor": "rule:admin_only",
"update_flavor": "rule:admin_only",
"delete_flavor": "rule:admin_only",
"get_flavors": "rule:regular_user",
"get_flavor": "rule:regular_user",
"create_service_profile": "rule:admin_only",
"update_service_profile": "rule:admin_only",
"delete_service_profile": "rule:admin_only",
"get_service_profiles": "rule:admin_only",
"get_service_profile": "rule:admin_only",
"get_policy": "rule:regular_user",
"create_policy": "rule:admin_only",
"update_policy": "rule:admin_only",
"delete_policy": "rule:admin_only",
"get_policy_bandwidth_limit_rule": "rule:regular_user",
"create_policy_bandwidth_limit_rule": "rule:admin_only",
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
"update_policy_bandwidth_limit_rule": "rule:admin_only",
"get_policy_dscp_marking_rule": "rule:regular_user",
"create_policy_dscp_marking_rule": "rule:admin_only",
"delete_policy_dscp_marking_rule": "rule:admin_only",
"update_policy_dscp_marking_rule": "rule:admin_only",
"get_rule_type": "rule:regular_user",
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
"create_rbac_policy": "",
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
"update_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
"get_rbac_policy": "rule:admin_or_owner",
"delete_rbac_policy": "rule:admin_or_owner",
"create_flavor_service_profile": "rule:admin_only",
"delete_flavor_service_profile": "rule:admin_only",
"get_flavor_service_profile": "rule:regular_user",
"get_auto_allocated_topology": "rule:admin_or_owner",
"create_trunk": "rule:regular_user",
"get_trunk": "rule:admin_or_owner",
"delete_trunk": "rule:admin_or_owner",
"get_subports": "",
"add_subports": "rule:admin_or_owner",
"remove_subports": "rule:admin_or_owner"
}

191
neutron/values.yaml
View File

@ -365,8 +365,195 @@ conf:
override:
append:
policy:
override:
append:
context_is_admin: role:admin
owner: tenant_id:%(tenant_id)s
admin_or_owner: rule:context_is_admin or rule:owner
context_is_advsvc: role:advsvc
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
admin_only: rule:context_is_admin
regular_user: ''
shared: field:networks:shared=True
shared_subnetpools: field:subnetpools:shared=True
shared_address_scopes: field:address_scopes:shared=True
external: field:networks:router:external=True
default: rule:admin_or_owner
create_subnet: rule:admin_or_network_owner
create_subnet:segment_id: rule:admin_only
create_subnet:service_types: rule:admin_only
get_subnet: rule:admin_or_owner or rule:shared
get_subnet:segment_id: rule:admin_only
update_subnet: rule:admin_or_network_owner
update_subnet:service_types: rule:admin_only
delete_subnet: rule:admin_or_network_owner
create_subnetpool: ''
create_subnetpool:shared: rule:admin_only
create_subnetpool:is_default: rule:admin_only
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
update_subnetpool: rule:admin_or_owner
update_subnetpool:is_default: rule:admin_only
delete_subnetpool: rule:admin_or_owner
create_address_scope: ''
create_address_scope:shared: rule:admin_only
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
update_address_scope: rule:admin_or_owner
update_address_scope:shared: rule:admin_only
delete_address_scope: rule:admin_or_owner
create_network: ''
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
get_network:router:external: rule:regular_user
get_network:segments: rule:admin_only
get_network:provider:network_type: rule:admin_only
get_network:provider:physical_network: rule:admin_only
get_network:provider:segmentation_id: rule:admin_only
get_network:queue_id: rule:admin_only
get_network_ip_availabilities: rule:admin_only
get_network_ip_availability: rule:admin_only
create_network:shared: rule:admin_only
create_network:router:external: rule:admin_only
create_network:is_default: rule:admin_only
create_network:segments: rule:admin_only
create_network:provider:network_type: rule:admin_only
create_network:provider:physical_network: rule:admin_only
create_network:provider:segmentation_id: rule:admin_only
update_network: rule:admin_or_owner
update_network:segments: rule:admin_only
update_network:shared: rule:admin_only
update_network:provider:network_type: rule:admin_only
update_network:provider:physical_network: rule:admin_only
update_network:provider:segmentation_id: rule:admin_only
update_network:router:external: rule:admin_only
delete_network: rule:admin_or_owner
create_segment: rule:admin_only
get_segment: rule:admin_only
update_segment: rule:admin_only
delete_segment: rule:admin_only
network_device: 'field:port:device_owner=~^network:'
create_port: ''
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:binding:host_id: rule:admin_only
create_port:binding:profile: rule:admin_only
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:allowed_address_pairs: rule:admin_or_network_owner
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_port:queue_id: rule:admin_only
get_port:binding:vif_type: rule:admin_only
get_port:binding:vif_details: rule:admin_only
get_port:binding:host_id: rule:admin_only
get_port:binding:profile: rule:admin_only
update_port: rule:admin_or_owner or rule:context_is_advsvc
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:binding:host_id: rule:admin_only
update_port:binding:profile: rule:admin_only
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:allowed_address_pairs: rule:admin_or_network_owner
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_router:ha: rule:admin_only
create_router: rule:regular_user
create_router:external_gateway_info:enable_snat: rule:admin_only
create_router:distributed: rule:admin_only
create_router:ha: rule:admin_only
get_router: rule:admin_or_owner
get_router:distributed: rule:admin_only
update_router:external_gateway_info:enable_snat: rule:admin_only
update_router:distributed: rule:admin_only
update_router:ha: rule:admin_only
delete_router: rule:admin_or_owner
add_router_interface: rule:admin_or_owner
remove_router_interface: rule:admin_or_owner
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
insert_rule: rule:admin_or_owner
remove_rule: rule:admin_or_owner
create_qos_queue: rule:admin_only
get_qos_queue: rule:admin_only
update_agent: rule:admin_only
delete_agent: rule:admin_only
get_agent: rule:admin_only
create_dhcp-network: rule:admin_only
delete_dhcp-network: rule:admin_only
get_dhcp-networks: rule:admin_only
create_l3-router: rule:admin_only
delete_l3-router: rule:admin_only
get_l3-routers: rule:admin_only
get_dhcp-agents: rule:admin_only
get_l3-agents: rule:admin_only
get_loadbalancer-agent: rule:admin_only
get_loadbalancer-pools: rule:admin_only
get_agent-loadbalancers: rule:admin_only
get_loadbalancer-hosting-agent: rule:admin_only
create_floatingip: rule:regular_user
create_floatingip:floating_ip_address: rule:admin_only
update_floatingip: rule:admin_or_owner
delete_floatingip: rule:admin_or_owner
get_floatingip: rule:admin_or_owner
create_network_profile: rule:admin_only
update_network_profile: rule:admin_only
delete_network_profile: rule:admin_only
get_network_profiles: ''
get_network_profile: ''
update_policy_profiles: rule:admin_only
get_policy_profiles: ''
get_policy_profile: ''
create_metering_label: rule:admin_only
delete_metering_label: rule:admin_only
get_metering_label: rule:admin_only
create_metering_label_rule: rule:admin_only
delete_metering_label_rule: rule:admin_only
get_metering_label_rule: rule:admin_only
get_service_provider: rule:regular_user
get_lsn: rule:admin_only
create_lsn: rule:admin_only
create_flavor: rule:admin_only
update_flavor: rule:admin_only
delete_flavor: rule:admin_only
get_flavors: rule:regular_user
get_flavor: rule:regular_user
create_service_profile: rule:admin_only
update_service_profile: rule:admin_only
delete_service_profile: rule:admin_only
get_service_profiles: rule:admin_only
get_service_profile: rule:admin_only
get_policy: rule:regular_user
create_policy: rule:admin_only
update_policy: rule:admin_only
delete_policy: rule:admin_only
get_policy_bandwidth_limit_rule: rule:regular_user
create_policy_bandwidth_limit_rule: rule:admin_only
delete_policy_bandwidth_limit_rule: rule:admin_only
update_policy_bandwidth_limit_rule: rule:admin_only
get_policy_dscp_marking_rule: rule:regular_user
create_policy_dscp_marking_rule: rule:admin_only
delete_policy_dscp_marking_rule: rule:admin_only
update_policy_dscp_marking_rule: rule:admin_only
get_rule_type: rule:regular_user
get_policy_minimum_bandwidth_rule: rule:regular_user
create_policy_minimum_bandwidth_rule: rule:admin_only
delete_policy_minimum_bandwidth_rule: rule:admin_only
update_policy_minimum_bandwidth_rule: rule:admin_only
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
create_rbac_policy: ''
create_rbac_policy:target_tenant: rule:restrict_wildcard
update_rbac_policy: rule:admin_or_owner
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
get_rbac_policy: rule:admin_or_owner
delete_rbac_policy: rule:admin_or_owner
create_flavor_service_profile: rule:admin_only
delete_flavor_service_profile: rule:admin_only
get_flavor_service_profile: rule:regular_user
get_auto_allocated_topology: rule:admin_or_owner
create_trunk: rule:regular_user
get_trunk: rule:admin_or_owner
delete_trunk: rule:admin_or_owner
get_subports: ''
add_subports: rule:admin_or_owner
remove_subports: rule:admin_or_owner
neutron_sudoers:
override:
append:

2
senlin/templates/configmap-etc.yaml
View File

@ -75,5 +75,5 @@ data:
api-paste.ini: |+
{{- tuple .Values.conf.paste "etc/_api-paste.ini.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
policy.json: |+
{{- tuple .Values.conf.policy "etc/_policy.json.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{ toJson .Values.conf.policy | indent 4 }}
{{- end }}

49
senlin/templates/etc/_policy.json.tpl
View File

@ -1,49 +0,0 @@
{
"context_is_admin": "role:admin",
"deny_everybody": "!",
"build_info:build_info": "",
"profile_types:index": "",
"profile_types:get": "",
"policy_types:index": "",
"policy_types:get": "",
"clusters:index": "",
"clusters:create": "",
"clusters:delete": "",
"clusters:get": "",
"clusters:action": "",
"clusters:update": "",
"clusters:collect": "",
"profiles:index": "",
"profiles:create": "",
"profiles:get": "",
"profiles:delete": "",
"profiles:update": "",
"profiles:validate": "",
"nodes:index": "",
"nodes:create": "",
"nodes:get": "",
"nodes:action": "",
"nodes:update": "",
"nodes:delete": "",
"policies:index": "",
"policies:create": "",
"policies:get": "",
"policies:update": "",
"policies:delete": "",
"policies:validate": "",
"cluster_policies:index": "",
"cluster_policies:attach": "",
"cluster_policies:detach": "",
"cluster_policies:update": "",
"cluster_policies:get": "",
"receivers:index": "",
"receivers:create": "",
"receivers:get": "",
"receivers:delete": "",
"actions:index": "",
"actions:get": "",
"events:index": "",
"events:get": "",
"webhooks:trigger": ""
}

48
senlin/values.yaml
View File

@ -40,8 +40,52 @@ conf:
override:
append:
policy:
override:
append:
context_is_admin: role:admin
deny_everybody: "!"
build_info:build_info: ''
profile_types:index: ''
profile_types:get: ''
policy_types:index: ''
policy_types:get: ''
clusters:index: ''
clusters:create: ''
clusters:delete: ''
clusters:get: ''
clusters:action: ''
clusters:update: ''
clusters:collect: ''
profiles:index: ''
profiles:create: ''
profiles:get: ''
profiles:delete: ''
profiles:update: ''
profiles:validate: ''
nodes:index: ''
nodes:create: ''
nodes:get: ''
nodes:action: ''
nodes:update: ''
nodes:delete: ''
policies:index: ''
policies:create: ''
policies:get: ''
policies:update: ''
policies:delete: ''
policies:validate: ''
cluster_policies:index: ''
cluster_policies:attach: ''
cluster_policies:detach: ''
cluster_policies:update: ''
cluster_policies:get: ''
receivers:index: ''
receivers:create: ''
receivers:get: ''
receivers:delete: ''
actions:index: ''
actions:get: ''
events:index: ''
events:get: ''
webhooks:trigger: ''
senlin:
override:
append: