b129837eaa
This change allows enabling the WEBSSO login screen on horizon,
which allows to choose from one or more configured SSO providers.
Example configuration
local_settings:
auth:
sso:
enable: true
initial_choice: "acme_oidc"
idp_mapping:
- name: "acme_oidc"
label: "Acme Corporation - OpenID Connect"
idp: "myidp1"
protocol: "oidc"
- name: "acme_saml2"
label: "Acme Corporation - SAML2"
idp: "myidp2"
protocol: "saml2"
The initial_choice defaults to "credentials" which is the default
Keystone Credential authentication.
The values for idp: and protocol: will be used to construct the redirect
URL for keystone, which will look like:
/v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth
Change-Id: I44e11880292176114753274f965bcd0c2cd01302
1313 lines
59 KiB
YAML
1313 lines
59 KiB
YAML
# Copyright 2017 The Openstack-Helm Authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Default values for horizon.
|
|
# This is a YAML-formatted file.
|
|
# Declare name/value pairs to be passed into your templates.
|
|
# name: value
|
|
|
|
images:
|
|
tags:
|
|
db_init: docker.io/openstackhelm/heat:newton
|
|
horizon_db_sync: docker.io/openstackhelm/horizon:newton
|
|
db_drop: docker.io/openstackhelm/heat:newton
|
|
horizon: docker.io/openstackhelm/horizon:newton
|
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
|
|
pull_policy: "IfNotPresent"
|
|
|
|
release_group: null
|
|
|
|
labels:
|
|
dashboard:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
job:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
network:
|
|
port: 80
|
|
dashboard:
|
|
ingress:
|
|
public: true
|
|
annotations:
|
|
kubernetes.io/ingress.class: "nginx"
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 31000
|
|
|
|
# Use "True" and "False" as Titlecase strings with quotes, boolean
|
|
# values will not work
|
|
local_settings:
|
|
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
|
|
debug: "True"
|
|
openstack_cinder_features:
|
|
enable_backup: "True"
|
|
openstack_neutron_network:
|
|
enable_router: "True"
|
|
enable_quotas: "True"
|
|
enable_ipv6: "True"
|
|
enable_distributed_router: "False"
|
|
enable_ha_router: "False"
|
|
enable_lb: "True"
|
|
enable_firewall: "True"
|
|
enable_vpn: "True"
|
|
enable_fip_topology_check: "True"
|
|
auth:
|
|
sso:
|
|
enabled: False
|
|
initial_choice: "credentials"
|
|
idp_mapping:
|
|
- name: "acme_oidc"
|
|
label: "Acme Corporation - OpenID Connect"
|
|
idp: "myidp1"
|
|
protocol: "oidc"
|
|
- name: "acme_saml2"
|
|
label: "Acme Corporation - SAML2"
|
|
idp: "myidp2"
|
|
protocol: "saml2"
|
|
|
|
conf:
|
|
ceilometer_policy:
|
|
context_is_admin: role:admin
|
|
context_is_project: project_id:%(target.project_id)s
|
|
context_is_owner: user_id:%(target.user_id)s
|
|
segregation: rule:context_is_admin
|
|
cinder_policy:
|
|
context_is_admin: role:admin
|
|
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
|
default: rule:admin_or_owner
|
|
admin_api: is_admin:True
|
|
volume:create: ''
|
|
volume:delete: rule:admin_or_owner
|
|
volume:get: rule:admin_or_owner
|
|
volume:get_all: rule:admin_or_owner
|
|
volume:get_volume_metadata: rule:admin_or_owner
|
|
volume:delete_volume_metadata: rule:admin_or_owner
|
|
volume:update_volume_metadata: rule:admin_or_owner
|
|
volume:get_volume_admin_metadata: rule:admin_api
|
|
volume:update_volume_admin_metadata: rule:admin_api
|
|
volume:get_snapshot: rule:admin_or_owner
|
|
volume:get_all_snapshots: rule:admin_or_owner
|
|
volume:create_snapshot: rule:admin_or_owner
|
|
volume:delete_snapshot: rule:admin_or_owner
|
|
volume:update_snapshot: rule:admin_or_owner
|
|
volume:get_snapshot_metadata: rule:admin_or_owner
|
|
volume:delete_snapshot_metadata: rule:admin_or_owner
|
|
volume:update_snapshot_metadata: rule:admin_or_owner
|
|
volume:extend: rule:admin_or_owner
|
|
volume:update_readonly_flag: rule:admin_or_owner
|
|
volume:retype: rule:admin_or_owner
|
|
volume:update: rule:admin_or_owner
|
|
volume_extension:types_manage: rule:admin_api
|
|
volume_extension:types_extra_specs: rule:admin_api
|
|
volume_extension:access_types_qos_specs_id: rule:admin_api
|
|
volume_extension:access_types_extra_specs: rule:admin_api
|
|
volume_extension:volume_type_access: rule:admin_or_owner
|
|
volume_extension:volume_type_access:addProjectAccess: rule:admin_api
|
|
volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
|
|
volume_extension:volume_type_encryption: rule:admin_api
|
|
volume_extension:volume_encryption_metadata: rule:admin_or_owner
|
|
volume_extension:extended_snapshot_attributes: rule:admin_or_owner
|
|
volume_extension:volume_image_metadata: rule:admin_or_owner
|
|
volume_extension:quotas:show: ''
|
|
volume_extension:quotas:update: rule:admin_api
|
|
volume_extension:quotas:delete: rule:admin_api
|
|
volume_extension:quota_classes: rule:admin_api
|
|
volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
|
|
volume_extension:volume_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:backup_admin_actions:reset_status: rule:admin_api
|
|
volume_extension:volume_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:volume_admin_actions:force_detach: rule:admin_api
|
|
volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:backup_admin_actions:force_delete: rule:admin_api
|
|
volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
|
|
volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
|
|
volume_extension:volume_actions:upload_public: rule:admin_api
|
|
volume_extension:volume_actions:upload_image: rule:admin_or_owner
|
|
volume_extension:volume_host_attribute: rule:admin_api
|
|
volume_extension:volume_tenant_attribute: rule:admin_or_owner
|
|
volume_extension:volume_mig_status_attribute: rule:admin_api
|
|
volume_extension:hosts: rule:admin_api
|
|
volume_extension:services:index: rule:admin_api
|
|
volume_extension:services:update: rule:admin_api
|
|
volume_extension:volume_manage: rule:admin_api
|
|
volume_extension:volume_unmanage: rule:admin_api
|
|
volume_extension:capabilities: rule:admin_api
|
|
volume:create_transfer: rule:admin_or_owner
|
|
volume:accept_transfer: ''
|
|
volume:delete_transfer: rule:admin_or_owner
|
|
volume:get_transfer: rule:admin_or_owner
|
|
volume:get_all_transfers: rule:admin_or_owner
|
|
volume_extension:replication:promote: rule:admin_api
|
|
volume_extension:replication:reenable: rule:admin_api
|
|
volume:failover_host: rule:admin_api
|
|
volume:freeze_host: rule:admin_api
|
|
volume:thaw_host: rule:admin_api
|
|
backup:create: ''
|
|
backup:delete: rule:admin_or_owner
|
|
backup:get: rule:admin_or_owner
|
|
backup:get_all: rule:admin_or_owner
|
|
backup:restore: rule:admin_or_owner
|
|
backup:backup-import: rule:admin_api
|
|
backup:backup-export: rule:admin_api
|
|
snapshot_extension:snapshot_actions:update_snapshot_status: ''
|
|
snapshot_extension:snapshot_manage: rule:admin_api
|
|
snapshot_extension:snapshot_unmanage: rule:admin_api
|
|
consistencygroup:create: group:nobody
|
|
consistencygroup:delete: group:nobody
|
|
consistencygroup:update: group:nobody
|
|
consistencygroup:get: group:nobody
|
|
consistencygroup:get_all: group:nobody
|
|
consistencygroup:create_cgsnapshot: group:nobody
|
|
consistencygroup:delete_cgsnapshot: group:nobody
|
|
consistencygroup:get_cgsnapshot: group:nobody
|
|
consistencygroup:get_all_cgsnapshots: group:nobody
|
|
scheduler_extension:scheduler_stats:get_pools: rule:admin_api
|
|
message:delete: rule:admin_or_owner
|
|
message:get: rule:admin_or_owner
|
|
message:get_all: rule:admin_or_owner
|
|
glance_policy:
|
|
context_is_admin: role:admin
|
|
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
|
default: rule:admin_or_owner
|
|
add_image: ''
|
|
delete_image: rule:admin_or_owner
|
|
get_image: ''
|
|
get_images: ''
|
|
modify_image: rule:admin_or_owner
|
|
publicize_image: ''
|
|
copy_from: ''
|
|
download_image: ''
|
|
upload_image: ''
|
|
delete_image_location: ''
|
|
get_image_location: ''
|
|
set_image_location: ''
|
|
add_member: ''
|
|
delete_member: ''
|
|
get_member: ''
|
|
get_members: ''
|
|
modify_member: ''
|
|
manage_image_cache: role:admin
|
|
get_task: ''
|
|
get_tasks: ''
|
|
add_task: ''
|
|
modify_task: ''
|
|
get_metadef_namespace: ''
|
|
get_metadef_namespaces: ''
|
|
modify_metadef_namespace: ''
|
|
add_metadef_namespace: ''
|
|
delete_metadef_namespace: ''
|
|
get_metadef_object: ''
|
|
get_metadef_objects: ''
|
|
modify_metadef_object: ''
|
|
add_metadef_object: ''
|
|
list_metadef_resource_types: ''
|
|
add_metadef_resource_type_association: ''
|
|
get_metadef_property: ''
|
|
get_metadef_properties: ''
|
|
modify_metadef_property: ''
|
|
add_metadef_property: ''
|
|
heat_policy:
|
|
context_is_admin: role:admin
|
|
deny_stack_user: not role:heat_stack_user
|
|
deny_everybody: "!"
|
|
cloudformation:ListStacks: rule:deny_stack_user
|
|
cloudformation:CreateStack: rule:deny_stack_user
|
|
cloudformation:DescribeStacks: rule:deny_stack_user
|
|
cloudformation:DeleteStack: rule:deny_stack_user
|
|
cloudformation:UpdateStack: rule:deny_stack_user
|
|
cloudformation:CancelUpdateStack: rule:deny_stack_user
|
|
cloudformation:DescribeStackEvents: rule:deny_stack_user
|
|
cloudformation:ValidateTemplate: rule:deny_stack_user
|
|
cloudformation:GetTemplate: rule:deny_stack_user
|
|
cloudformation:EstimateTemplateCost: rule:deny_stack_user
|
|
cloudformation:DescribeStackResource: ''
|
|
cloudformation:DescribeStackResources: rule:deny_stack_user
|
|
cloudformation:ListStackResources: rule:deny_stack_user
|
|
cloudwatch:DeleteAlarms: rule:deny_stack_user
|
|
cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
|
|
cloudwatch:DescribeAlarms: rule:deny_stack_user
|
|
cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
|
|
cloudwatch:DisableAlarmActions: rule:deny_stack_user
|
|
cloudwatch:EnableAlarmActions: rule:deny_stack_user
|
|
cloudwatch:GetMetricStatistics: rule:deny_stack_user
|
|
cloudwatch:ListMetrics: rule:deny_stack_user
|
|
cloudwatch:PutMetricAlarm: rule:deny_stack_user
|
|
cloudwatch:PutMetricData: ''
|
|
cloudwatch:SetAlarmState: rule:deny_stack_user
|
|
actions:action: rule:deny_stack_user
|
|
build_info:build_info: rule:deny_stack_user
|
|
events:index: rule:deny_stack_user
|
|
events:show: rule:deny_stack_user
|
|
resource:index: rule:deny_stack_user
|
|
resource:metadata: ''
|
|
resource:signal: ''
|
|
resource:mark_unhealthy: rule:deny_stack_user
|
|
resource:show: rule:deny_stack_user
|
|
stacks:abandon: rule:deny_stack_user
|
|
stacks:create: rule:deny_stack_user
|
|
stacks:delete: rule:deny_stack_user
|
|
stacks:detail: rule:deny_stack_user
|
|
stacks:export: rule:deny_stack_user
|
|
stacks:generate_template: rule:deny_stack_user
|
|
stacks:global_index: rule:deny_everybody
|
|
stacks:index: rule:deny_stack_user
|
|
stacks:list_resource_types: rule:deny_stack_user
|
|
stacks:list_template_versions: rule:deny_stack_user
|
|
stacks:list_template_functions: rule:deny_stack_user
|
|
stacks:lookup: ''
|
|
stacks:preview: rule:deny_stack_user
|
|
stacks:resource_schema: rule:deny_stack_user
|
|
stacks:show: rule:deny_stack_user
|
|
stacks:template: rule:deny_stack_user
|
|
stacks:environment: rule:deny_stack_user
|
|
stacks:update: rule:deny_stack_user
|
|
stacks:update_patch: rule:deny_stack_user
|
|
stacks:preview_update: rule:deny_stack_user
|
|
stacks:preview_update_patch: rule:deny_stack_user
|
|
stacks:validate_template: rule:deny_stack_user
|
|
stacks:snapshot: rule:deny_stack_user
|
|
stacks:show_snapshot: rule:deny_stack_user
|
|
stacks:delete_snapshot: rule:deny_stack_user
|
|
stacks:list_snapshots: rule:deny_stack_user
|
|
stacks:restore_snapshot: rule:deny_stack_user
|
|
stacks:list_outputs: rule:deny_stack_user
|
|
stacks:show_output: rule:deny_stack_user
|
|
software_configs:global_index: rule:deny_everybody
|
|
software_configs:index: rule:deny_stack_user
|
|
software_configs:create: rule:deny_stack_user
|
|
software_configs:show: rule:deny_stack_user
|
|
software_configs:delete: rule:deny_stack_user
|
|
software_deployments:index: rule:deny_stack_user
|
|
software_deployments:create: rule:deny_stack_user
|
|
software_deployments:show: rule:deny_stack_user
|
|
software_deployments:update: rule:deny_stack_user
|
|
software_deployments:delete: rule:deny_stack_user
|
|
software_deployments:metadata: ''
|
|
service:index: rule:context_is_admin
|
|
resource_types:OS::Nova::Flavor: rule:context_is_admin
|
|
resource_types:OS::Cinder::EncryptedVolumeType: rule:context_is_admin
|
|
resource_types:OS::Cinder::VolumeType: rule:context_is_admin
|
|
resource_types:OS::Manila::ShareType: rule:context_is_admin
|
|
resource_types:OS::Neutron::QoSPolicy: rule:context_is_admin
|
|
resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:context_is_admin
|
|
resource_types:OS::Nova::HostAggregate: rule:context_is_admin
|
|
keystone_policy:
|
|
admin_required: role:admin or is_admin:1
|
|
service_role: role:service
|
|
service_or_admin: rule:admin_required or rule:service_role
|
|
owner: user_id:%(user_id)s
|
|
admin_or_owner: rule:admin_required or rule:owner
|
|
token_subject: user_id:%(target.token.user_id)s
|
|
admin_or_token_subject: rule:admin_required or rule:token_subject
|
|
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
|
|
default: rule:admin_required
|
|
identity:get_region: ''
|
|
identity:list_regions: ''
|
|
identity:create_region: rule:admin_required
|
|
identity:update_region: rule:admin_required
|
|
identity:delete_region: rule:admin_required
|
|
identity:get_service: rule:admin_required
|
|
identity:list_services: rule:admin_required
|
|
identity:create_service: rule:admin_required
|
|
identity:update_service: rule:admin_required
|
|
identity:delete_service: rule:admin_required
|
|
identity:get_endpoint: rule:admin_required
|
|
identity:list_endpoints: rule:admin_required
|
|
identity:create_endpoint: rule:admin_required
|
|
identity:update_endpoint: rule:admin_required
|
|
identity:delete_endpoint: rule:admin_required
|
|
identity:get_domain: rule:admin_required
|
|
identity:list_domains: rule:admin_required
|
|
identity:create_domain: rule:admin_required
|
|
identity:update_domain: rule:admin_required
|
|
identity:delete_domain: rule:admin_required
|
|
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
|
|
identity:list_projects: rule:admin_required
|
|
identity:list_user_projects: rule:admin_or_owner
|
|
identity:create_project: rule:admin_required
|
|
identity:update_project: rule:admin_required
|
|
identity:delete_project: rule:admin_required
|
|
identity:get_user: rule:admin_required
|
|
identity:list_users: rule:admin_required
|
|
identity:create_user: rule:admin_required
|
|
identity:update_user: rule:admin_required
|
|
identity:delete_user: rule:admin_required
|
|
identity:change_password: rule:admin_or_owner
|
|
identity:get_group: rule:admin_required
|
|
identity:list_groups: rule:admin_required
|
|
identity:list_groups_for_user: rule:admin_or_owner
|
|
identity:create_group: rule:admin_required
|
|
identity:update_group: rule:admin_required
|
|
identity:delete_group: rule:admin_required
|
|
identity:list_users_in_group: rule:admin_required
|
|
identity:remove_user_from_group: rule:admin_required
|
|
identity:check_user_in_group: rule:admin_required
|
|
identity:add_user_to_group: rule:admin_required
|
|
identity:get_credential: rule:admin_required
|
|
identity:list_credentials: rule:admin_required
|
|
identity:create_credential: rule:admin_required
|
|
identity:update_credential: rule:admin_required
|
|
identity:delete_credential: rule:admin_required
|
|
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:ec2_list_credentials: rule:admin_or_owner
|
|
identity:ec2_create_credential: rule:admin_or_owner
|
|
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
|
|
identity:get_role: rule:admin_required
|
|
identity:list_roles: rule:admin_required
|
|
identity:create_role: rule:admin_required
|
|
identity:update_role: rule:admin_required
|
|
identity:delete_role: rule:admin_required
|
|
identity:get_domain_role: rule:admin_required
|
|
identity:list_domain_roles: rule:admin_required
|
|
identity:create_domain_role: rule:admin_required
|
|
identity:update_domain_role: rule:admin_required
|
|
identity:delete_domain_role: rule:admin_required
|
|
identity:get_implied_role: 'rule:admin_required '
|
|
identity:list_implied_roles: rule:admin_required
|
|
identity:create_implied_role: rule:admin_required
|
|
identity:delete_implied_role: rule:admin_required
|
|
identity:list_role_inference_rules: rule:admin_required
|
|
identity:check_implied_role: rule:admin_required
|
|
identity:check_grant: rule:admin_required
|
|
identity:list_grants: rule:admin_required
|
|
identity:create_grant: rule:admin_required
|
|
identity:revoke_grant: rule:admin_required
|
|
identity:list_role_assignments: rule:admin_required
|
|
identity:list_role_assignments_for_tree: rule:admin_required
|
|
identity:get_policy: rule:admin_required
|
|
identity:list_policies: rule:admin_required
|
|
identity:create_policy: rule:admin_required
|
|
identity:update_policy: rule:admin_required
|
|
identity:delete_policy: rule:admin_required
|
|
identity:check_token: rule:admin_or_token_subject
|
|
identity:validate_token: rule:service_admin_or_token_subject
|
|
identity:validate_token_head: rule:service_or_admin
|
|
identity:revocation_list: rule:service_or_admin
|
|
identity:revoke_token: rule:admin_or_token_subject
|
|
identity:create_trust: user_id:%(trust.trustor_user_id)s
|
|
identity:list_trusts: ''
|
|
identity:list_roles_for_trust: ''
|
|
identity:get_role_for_trust: ''
|
|
identity:delete_trust: ''
|
|
identity:create_consumer: rule:admin_required
|
|
identity:get_consumer: rule:admin_required
|
|
identity:list_consumers: rule:admin_required
|
|
identity:delete_consumer: rule:admin_required
|
|
identity:update_consumer: rule:admin_required
|
|
identity:authorize_request_token: rule:admin_required
|
|
identity:list_access_token_roles: rule:admin_required
|
|
identity:get_access_token_role: rule:admin_required
|
|
identity:list_access_tokens: rule:admin_required
|
|
identity:get_access_token: rule:admin_required
|
|
identity:delete_access_token: rule:admin_required
|
|
identity:list_projects_for_endpoint: rule:admin_required
|
|
identity:add_endpoint_to_project: rule:admin_required
|
|
identity:check_endpoint_in_project: rule:admin_required
|
|
identity:list_endpoints_for_project: rule:admin_required
|
|
identity:remove_endpoint_from_project: rule:admin_required
|
|
identity:create_endpoint_group: rule:admin_required
|
|
identity:list_endpoint_groups: rule:admin_required
|
|
identity:get_endpoint_group: rule:admin_required
|
|
identity:update_endpoint_group: rule:admin_required
|
|
identity:delete_endpoint_group: rule:admin_required
|
|
identity:list_projects_associated_with_endpoint_group: rule:admin_required
|
|
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
|
|
identity:get_endpoint_group_in_project: rule:admin_required
|
|
identity:list_endpoint_groups_for_project: rule:admin_required
|
|
identity:add_endpoint_group_to_project: rule:admin_required
|
|
identity:remove_endpoint_group_from_project: rule:admin_required
|
|
identity:create_identity_provider: rule:admin_required
|
|
identity:list_identity_providers: rule:admin_required
|
|
identity:get_identity_providers: rule:admin_required
|
|
identity:update_identity_provider: rule:admin_required
|
|
identity:delete_identity_provider: rule:admin_required
|
|
identity:create_protocol: rule:admin_required
|
|
identity:update_protocol: rule:admin_required
|
|
identity:get_protocol: rule:admin_required
|
|
identity:list_protocols: rule:admin_required
|
|
identity:delete_protocol: rule:admin_required
|
|
identity:create_mapping: rule:admin_required
|
|
identity:get_mapping: rule:admin_required
|
|
identity:list_mappings: rule:admin_required
|
|
identity:delete_mapping: rule:admin_required
|
|
identity:update_mapping: rule:admin_required
|
|
identity:create_service_provider: rule:admin_required
|
|
identity:list_service_providers: rule:admin_required
|
|
identity:get_service_provider: rule:admin_required
|
|
identity:update_service_provider: rule:admin_required
|
|
identity:delete_service_provider: rule:admin_required
|
|
identity:get_auth_catalog: ''
|
|
identity:get_auth_projects: ''
|
|
identity:get_auth_domains: ''
|
|
identity:list_projects_for_groups: ''
|
|
identity:list_domains_for_groups: ''
|
|
identity:list_revoke_events: ''
|
|
identity:create_policy_association_for_endpoint: rule:admin_required
|
|
identity:check_policy_association_for_endpoint: rule:admin_required
|
|
identity:delete_policy_association_for_endpoint: rule:admin_required
|
|
identity:create_policy_association_for_service: rule:admin_required
|
|
identity:check_policy_association_for_service: rule:admin_required
|
|
identity:delete_policy_association_for_service: rule:admin_required
|
|
identity:create_policy_association_for_region_and_service: rule:admin_required
|
|
identity:check_policy_association_for_region_and_service: rule:admin_required
|
|
identity:delete_policy_association_for_region_and_service: rule:admin_required
|
|
identity:get_policy_for_endpoint: rule:admin_required
|
|
identity:list_endpoints_for_policy: rule:admin_required
|
|
identity:create_domain_config: rule:admin_required
|
|
identity:get_domain_config: rule:admin_required
|
|
identity:update_domain_config: rule:admin_required
|
|
identity:delete_domain_config: rule:admin_required
|
|
identity:get_domain_config_default: rule:admin_required
|
|
neutron_policy:
|
|
context_is_admin: role:admin
|
|
owner: tenant_id:%(tenant_id)s
|
|
admin_or_owner: rule:context_is_admin or rule:owner
|
|
context_is_advsvc: role:advsvc
|
|
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
|
|
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
|
|
admin_only: rule:context_is_admin
|
|
regular_user: ''
|
|
shared: field:networks:shared=True
|
|
shared_firewalls: field:firewalls:shared=True
|
|
shared_firewall_policies: field:firewall_policies:shared=True
|
|
shared_subnetpools: field:subnetpools:shared=True
|
|
shared_address_scopes: field:address_scopes:shared=True
|
|
external: field:networks:router:external=True
|
|
default: rule:admin_or_owner
|
|
create_subnet: rule:admin_or_network_owner
|
|
create_subnet:segment_id: rule:admin_only
|
|
get_subnet: rule:admin_or_owner or rule:shared
|
|
get_subnet:segment_id: rule:admin_only
|
|
update_subnet: rule:admin_or_network_owner
|
|
delete_subnet: rule:admin_or_network_owner
|
|
create_subnetpool: ''
|
|
create_subnetpool:shared: rule:admin_only
|
|
create_subnetpool:is_default: rule:admin_only
|
|
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
|
|
update_subnetpool: rule:admin_or_owner
|
|
update_subnetpool:is_default: rule:admin_only
|
|
delete_subnetpool: rule:admin_or_owner
|
|
create_address_scope: ''
|
|
create_address_scope:shared: rule:admin_only
|
|
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
|
|
update_address_scope: rule:admin_or_owner
|
|
update_address_scope:shared: rule:admin_only
|
|
delete_address_scope: rule:admin_or_owner
|
|
create_network: ''
|
|
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
|
|
get_network:router:external: rule:regular_user
|
|
get_network:segments: rule:admin_only
|
|
get_network:provider:network_type: rule:admin_only
|
|
get_network:provider:physical_network: rule:admin_only
|
|
get_network:provider:segmentation_id: rule:admin_only
|
|
get_network:queue_id: rule:admin_only
|
|
get_network_ip_availabilities: rule:admin_only
|
|
get_network_ip_availability: rule:admin_only
|
|
create_network:shared: rule:admin_only
|
|
create_network:router:external: rule:admin_only
|
|
create_network:is_default: rule:admin_only
|
|
create_network:segments: rule:admin_only
|
|
create_network:provider:network_type: rule:admin_only
|
|
create_network:provider:physical_network: rule:admin_only
|
|
create_network:provider:segmentation_id: rule:admin_only
|
|
update_network: rule:admin_or_owner
|
|
update_network:segments: rule:admin_only
|
|
update_network:shared: rule:admin_only
|
|
update_network:provider:network_type: rule:admin_only
|
|
update_network:provider:physical_network: rule:admin_only
|
|
update_network:provider:segmentation_id: rule:admin_only
|
|
update_network:router:external: rule:admin_only
|
|
delete_network: rule:admin_or_owner
|
|
create_segment: rule:admin_only
|
|
get_segment: rule:admin_only
|
|
update_segment: rule:admin_only
|
|
delete_segment: rule:admin_only
|
|
network_device: 'field:port:device_owner=~^network:'
|
|
create_port: ''
|
|
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:binding:host_id: rule:admin_only
|
|
create_port:binding:profile: rule:admin_only
|
|
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
create_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
|
get_port:queue_id: rule:admin_only
|
|
get_port:binding:vif_type: rule:admin_only
|
|
get_port:binding:vif_details: rule:admin_only
|
|
get_port:binding:host_id: rule:admin_only
|
|
get_port:binding:profile: rule:admin_only
|
|
update_port: rule:admin_or_owner or rule:context_is_advsvc
|
|
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
|
|
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:binding:host_id: rule:admin_only
|
|
update_port:binding:profile: rule:admin_only
|
|
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
|
|
update_port:allowed_address_pairs: rule:admin_or_network_owner
|
|
delete_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
|
get_router:ha: rule:admin_only
|
|
create_router: rule:regular_user
|
|
create_router:external_gateway_info:enable_snat: rule:admin_only
|
|
create_router:distributed: rule:admin_only
|
|
create_router:ha: rule:admin_only
|
|
get_router: rule:admin_or_owner
|
|
get_router:distributed: rule:admin_only
|
|
update_router:external_gateway_info:enable_snat: rule:admin_only
|
|
update_router:distributed: rule:admin_only
|
|
update_router:ha: rule:admin_only
|
|
delete_router: rule:admin_or_owner
|
|
add_router_interface: rule:admin_or_owner
|
|
remove_router_interface: rule:admin_or_owner
|
|
create_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
|
update_router:external_gateway_info:external_fixed_ips: rule:admin_only
|
|
create_firewall: ''
|
|
get_firewall: rule:admin_or_owner
|
|
create_firewall:shared: rule:admin_only
|
|
get_firewall:shared: rule:admin_only
|
|
update_firewall: rule:admin_or_owner
|
|
update_firewall:shared: rule:admin_only
|
|
delete_firewall: rule:admin_or_owner
|
|
create_firewall_policy: ''
|
|
get_firewall_policy: rule:admin_or_owner or rule:shared_firewall_policies
|
|
create_firewall_policy:shared: rule:admin_or_owner
|
|
update_firewall_policy: rule:admin_or_owner
|
|
delete_firewall_policy: rule:admin_or_owner
|
|
insert_rule: rule:admin_or_owner
|
|
remove_rule: rule:admin_or_owner
|
|
create_firewall_rule: ''
|
|
get_firewall_rule: rule:admin_or_owner or rule:shared_firewalls
|
|
update_firewall_rule: rule:admin_or_owner
|
|
delete_firewall_rule: rule:admin_or_owner
|
|
create_qos_queue: rule:admin_only
|
|
get_qos_queue: rule:admin_only
|
|
update_agent: rule:admin_only
|
|
delete_agent: rule:admin_only
|
|
get_agent: rule:admin_only
|
|
create_dhcp-network: rule:admin_only
|
|
delete_dhcp-network: rule:admin_only
|
|
get_dhcp-networks: rule:admin_only
|
|
create_l3-router: rule:admin_only
|
|
delete_l3-router: rule:admin_only
|
|
get_l3-routers: rule:admin_only
|
|
get_dhcp-agents: rule:admin_only
|
|
get_l3-agents: rule:admin_only
|
|
get_loadbalancer-agent: rule:admin_only
|
|
get_loadbalancer-pools: rule:admin_only
|
|
get_agent-loadbalancers: rule:admin_only
|
|
get_loadbalancer-hosting-agent: rule:admin_only
|
|
create_floatingip: rule:regular_user
|
|
create_floatingip:floating_ip_address: rule:admin_only
|
|
update_floatingip: rule:admin_or_owner
|
|
delete_floatingip: rule:admin_or_owner
|
|
get_floatingip: rule:admin_or_owner
|
|
create_network_profile: rule:admin_only
|
|
update_network_profile: rule:admin_only
|
|
delete_network_profile: rule:admin_only
|
|
get_network_profiles: ''
|
|
get_network_profile: ''
|
|
update_policy_profiles: rule:admin_only
|
|
get_policy_profiles: ''
|
|
get_policy_profile: ''
|
|
create_metering_label: rule:admin_only
|
|
delete_metering_label: rule:admin_only
|
|
get_metering_label: rule:admin_only
|
|
create_metering_label_rule: rule:admin_only
|
|
delete_metering_label_rule: rule:admin_only
|
|
get_metering_label_rule: rule:admin_only
|
|
get_service_provider: rule:regular_user
|
|
get_lsn: rule:admin_only
|
|
create_lsn: rule:admin_only
|
|
create_flavor: rule:admin_only
|
|
update_flavor: rule:admin_only
|
|
delete_flavor: rule:admin_only
|
|
get_flavors: rule:regular_user
|
|
get_flavor: rule:regular_user
|
|
create_service_profile: rule:admin_only
|
|
update_service_profile: rule:admin_only
|
|
delete_service_profile: rule:admin_only
|
|
get_service_profiles: rule:admin_only
|
|
get_service_profile: rule:admin_only
|
|
get_policy: rule:regular_user
|
|
create_policy: rule:admin_only
|
|
update_policy: rule:admin_only
|
|
delete_policy: rule:admin_only
|
|
get_policy_bandwidth_limit_rule: rule:regular_user
|
|
create_policy_bandwidth_limit_rule: rule:admin_only
|
|
delete_policy_bandwidth_limit_rule: rule:admin_only
|
|
update_policy_bandwidth_limit_rule: rule:admin_only
|
|
get_policy_dscp_marking_rule: rule:regular_user
|
|
create_policy_dscp_marking_rule: rule:admin_only
|
|
delete_policy_dscp_marking_rule: rule:admin_only
|
|
update_policy_dscp_marking_rule: rule:admin_only
|
|
get_rule_type: rule:regular_user
|
|
restrict_wildcard: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
|
create_rbac_policy: ''
|
|
create_rbac_policy:target_tenant: rule:restrict_wildcard
|
|
update_rbac_policy: rule:admin_or_owner
|
|
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
|
|
get_rbac_policy: rule:admin_or_owner
|
|
delete_rbac_policy: rule:admin_or_owner
|
|
create_flavor_service_profile: rule:admin_only
|
|
delete_flavor_service_profile: rule:admin_only
|
|
get_flavor_service_profile: rule:regular_user
|
|
get_auto_allocated_topology: rule:admin_or_owner
|
|
nova_policy:
|
|
context_is_admin: role:admin
|
|
admin_or_owner: is_admin:True or project_id:%(project_id)s
|
|
default: rule:admin_or_owner
|
|
cells_scheduler_filter:TargetCellFilter: is_admin:True
|
|
compute:create: rule:admin_or_owner
|
|
compute:create:attach_network: rule:admin_or_owner
|
|
compute:create:attach_volume: rule:admin_or_owner
|
|
compute:create:forced_host: is_admin:True
|
|
compute:get: rule:admin_or_owner
|
|
compute:get_all: rule:admin_or_owner
|
|
compute:get_all_tenants: is_admin:True
|
|
compute:update: rule:admin_or_owner
|
|
compute:get_instance_metadata: rule:admin_or_owner
|
|
compute:get_all_instance_metadata: rule:admin_or_owner
|
|
compute:get_all_instance_system_metadata: rule:admin_or_owner
|
|
compute:update_instance_metadata: rule:admin_or_owner
|
|
compute:delete_instance_metadata: rule:admin_or_owner
|
|
compute:get_diagnostics: rule:admin_or_owner
|
|
compute:get_instance_diagnostics: rule:admin_or_owner
|
|
compute:start: rule:admin_or_owner
|
|
compute:stop: rule:admin_or_owner
|
|
compute:lock: rule:admin_or_owner
|
|
compute:unlock: rule:admin_or_owner
|
|
compute:unlock_override: rule:admin_api
|
|
compute:get_vnc_console: rule:admin_or_owner
|
|
compute:get_spice_console: rule:admin_or_owner
|
|
compute:get_rdp_console: rule:admin_or_owner
|
|
compute:get_serial_console: rule:admin_or_owner
|
|
compute:get_mks_console: rule:admin_or_owner
|
|
compute:get_console_output: rule:admin_or_owner
|
|
compute:reset_network: rule:admin_or_owner
|
|
compute:inject_network_info: rule:admin_or_owner
|
|
compute:add_fixed_ip: rule:admin_or_owner
|
|
compute:remove_fixed_ip: rule:admin_or_owner
|
|
compute:attach_volume: rule:admin_or_owner
|
|
compute:detach_volume: rule:admin_or_owner
|
|
compute:swap_volume: rule:admin_api
|
|
compute:attach_interface: rule:admin_or_owner
|
|
compute:detach_interface: rule:admin_or_owner
|
|
compute:set_admin_password: rule:admin_or_owner
|
|
compute:rescue: rule:admin_or_owner
|
|
compute:unrescue: rule:admin_or_owner
|
|
compute:suspend: rule:admin_or_owner
|
|
compute:resume: rule:admin_or_owner
|
|
compute:pause: rule:admin_or_owner
|
|
compute:unpause: rule:admin_or_owner
|
|
compute:shelve: rule:admin_or_owner
|
|
compute:shelve_offload: rule:admin_or_owner
|
|
compute:unshelve: rule:admin_or_owner
|
|
compute:snapshot: rule:admin_or_owner
|
|
compute:snapshot_volume_backed: rule:admin_or_owner
|
|
compute:backup: rule:admin_or_owner
|
|
compute:resize: rule:admin_or_owner
|
|
compute:confirm_resize: rule:admin_or_owner
|
|
compute:revert_resize: rule:admin_or_owner
|
|
compute:rebuild: rule:admin_or_owner
|
|
compute:reboot: rule:admin_or_owner
|
|
compute:delete: rule:admin_or_owner
|
|
compute:soft_delete: rule:admin_or_owner
|
|
compute:force_delete: rule:admin_or_owner
|
|
compute:security_groups:add_to_instance: rule:admin_or_owner
|
|
compute:security_groups:remove_from_instance: rule:admin_or_owner
|
|
compute:restore: rule:admin_or_owner
|
|
compute:volume_snapshot_create: rule:admin_or_owner
|
|
compute:volume_snapshot_delete: rule:admin_or_owner
|
|
admin_api: is_admin:True
|
|
compute_extension:accounts: rule:admin_api
|
|
compute_extension:admin_actions: rule:admin_api
|
|
compute_extension:admin_actions:pause: rule:admin_or_owner
|
|
compute_extension:admin_actions:unpause: rule:admin_or_owner
|
|
compute_extension:admin_actions:suspend: rule:admin_or_owner
|
|
compute_extension:admin_actions:resume: rule:admin_or_owner
|
|
compute_extension:admin_actions:lock: rule:admin_or_owner
|
|
compute_extension:admin_actions:unlock: rule:admin_or_owner
|
|
compute_extension:admin_actions:resetNetwork: rule:admin_api
|
|
compute_extension:admin_actions:injectNetworkInfo: rule:admin_api
|
|
compute_extension:admin_actions:createBackup: rule:admin_or_owner
|
|
compute_extension:admin_actions:migrateLive: rule:admin_api
|
|
compute_extension:admin_actions:resetState: rule:admin_api
|
|
compute_extension:admin_actions:migrate: rule:admin_api
|
|
compute_extension:aggregates: rule:admin_api
|
|
compute_extension:agents: rule:admin_api
|
|
compute_extension:attach_interfaces: rule:admin_or_owner
|
|
compute_extension:baremetal_nodes: rule:admin_api
|
|
compute_extension:cells: rule:admin_api
|
|
compute_extension:cells:create: rule:admin_api
|
|
compute_extension:cells:delete: rule:admin_api
|
|
compute_extension:cells:update: rule:admin_api
|
|
compute_extension:cells:sync_instances: rule:admin_api
|
|
compute_extension:certificates: rule:admin_or_owner
|
|
compute_extension:cloudpipe: rule:admin_api
|
|
compute_extension:cloudpipe_update: rule:admin_api
|
|
compute_extension:config_drive: rule:admin_or_owner
|
|
compute_extension:console_output: rule:admin_or_owner
|
|
compute_extension:consoles: rule:admin_or_owner
|
|
compute_extension:createserverext: rule:admin_or_owner
|
|
compute_extension:deferred_delete: rule:admin_or_owner
|
|
compute_extension:disk_config: rule:admin_or_owner
|
|
compute_extension:evacuate: rule:admin_api
|
|
compute_extension:extended_server_attributes: rule:admin_api
|
|
compute_extension:extended_status: rule:admin_or_owner
|
|
compute_extension:extended_availability_zone: rule:admin_or_owner
|
|
compute_extension:extended_ips: rule:admin_or_owner
|
|
compute_extension:extended_ips_mac: rule:admin_or_owner
|
|
compute_extension:extended_vif_net: rule:admin_or_owner
|
|
compute_extension:extended_volumes: rule:admin_or_owner
|
|
compute_extension:fixed_ips: rule:admin_api
|
|
compute_extension:flavor_access: rule:admin_or_owner
|
|
compute_extension:flavor_access:addTenantAccess: rule:admin_api
|
|
compute_extension:flavor_access:removeTenantAccess: rule:admin_api
|
|
compute_extension:flavor_disabled: rule:admin_or_owner
|
|
compute_extension:flavor_rxtx: rule:admin_or_owner
|
|
compute_extension:flavor_swap: rule:admin_or_owner
|
|
compute_extension:flavorextradata: rule:admin_or_owner
|
|
compute_extension:flavorextraspecs:index: rule:admin_or_owner
|
|
compute_extension:flavorextraspecs:show: rule:admin_or_owner
|
|
compute_extension:flavorextraspecs:create: rule:admin_api
|
|
compute_extension:flavorextraspecs:update: rule:admin_api
|
|
compute_extension:flavorextraspecs:delete: rule:admin_api
|
|
compute_extension:flavormanage: rule:admin_api
|
|
compute_extension:floating_ip_dns: rule:admin_or_owner
|
|
compute_extension:floating_ip_pools: rule:admin_or_owner
|
|
compute_extension:floating_ips: rule:admin_or_owner
|
|
compute_extension:floating_ips_bulk: rule:admin_api
|
|
compute_extension:fping: rule:admin_or_owner
|
|
compute_extension:fping:all_tenants: rule:admin_api
|
|
compute_extension:hide_server_addresses: is_admin:False
|
|
compute_extension:hosts: rule:admin_api
|
|
compute_extension:hypervisors: rule:admin_api
|
|
compute_extension:image_size: rule:admin_or_owner
|
|
compute_extension:instance_actions: rule:admin_or_owner
|
|
compute_extension:instance_actions:events: rule:admin_api
|
|
compute_extension:instance_usage_audit_log: rule:admin_api
|
|
compute_extension:keypairs: rule:admin_or_owner
|
|
compute_extension:keypairs:index: rule:admin_or_owner
|
|
compute_extension:keypairs:show: rule:admin_or_owner
|
|
compute_extension:keypairs:create: rule:admin_or_owner
|
|
compute_extension:keypairs:delete: rule:admin_or_owner
|
|
compute_extension:multinic: rule:admin_or_owner
|
|
compute_extension:networks: rule:admin_api
|
|
compute_extension:networks:view: rule:admin_or_owner
|
|
compute_extension:networks_associate: rule:admin_api
|
|
compute_extension:os-tenant-networks: rule:admin_or_owner
|
|
compute_extension:quotas:show: rule:admin_or_owner
|
|
compute_extension:quotas:update: rule:admin_api
|
|
compute_extension:quotas:delete: rule:admin_api
|
|
compute_extension:quota_classes: rule:admin_or_owner
|
|
compute_extension:rescue: rule:admin_or_owner
|
|
compute_extension:security_group_default_rules: rule:admin_api
|
|
compute_extension:security_groups: rule:admin_or_owner
|
|
compute_extension:server_diagnostics: rule:admin_api
|
|
compute_extension:server_groups: rule:admin_or_owner
|
|
compute_extension:server_password: rule:admin_or_owner
|
|
compute_extension:server_usage: rule:admin_or_owner
|
|
compute_extension:services: rule:admin_api
|
|
compute_extension:shelve: rule:admin_or_owner
|
|
compute_extension:shelveOffload: rule:admin_api
|
|
compute_extension:simple_tenant_usage:show: rule:admin_or_owner
|
|
compute_extension:simple_tenant_usage:list: rule:admin_api
|
|
compute_extension:unshelve: rule:admin_or_owner
|
|
compute_extension:users: rule:admin_api
|
|
compute_extension:virtual_interfaces: rule:admin_or_owner
|
|
compute_extension:virtual_storage_arrays: rule:admin_or_owner
|
|
compute_extension:volumes: rule:admin_or_owner
|
|
compute_extension:volume_attachments:index: rule:admin_or_owner
|
|
compute_extension:volume_attachments:show: rule:admin_or_owner
|
|
compute_extension:volume_attachments:create: rule:admin_or_owner
|
|
compute_extension:volume_attachments:update: rule:admin_api
|
|
compute_extension:volume_attachments:delete: rule:admin_or_owner
|
|
compute_extension:volumetypes: rule:admin_or_owner
|
|
compute_extension:availability_zone:list: rule:admin_or_owner
|
|
compute_extension:availability_zone:detail: rule:admin_api
|
|
compute_extension:used_limits_for_admin: rule:admin_api
|
|
compute_extension:migrations:index: rule:admin_api
|
|
compute_extension:os-assisted-volume-snapshots:create: rule:admin_api
|
|
compute_extension:os-assisted-volume-snapshots:delete: rule:admin_api
|
|
compute_extension:console_auth_tokens: rule:admin_api
|
|
compute_extension:os-server-external-events:create: rule:admin_api
|
|
network:get_all: rule:admin_or_owner
|
|
network:get: rule:admin_or_owner
|
|
network:create: rule:admin_or_owner
|
|
network:delete: rule:admin_or_owner
|
|
network:associate: rule:admin_or_owner
|
|
network:disassociate: rule:admin_or_owner
|
|
network:get_vifs_by_instance: rule:admin_or_owner
|
|
network:allocate_for_instance: rule:admin_or_owner
|
|
network:deallocate_for_instance: rule:admin_or_owner
|
|
network:validate_networks: rule:admin_or_owner
|
|
network:get_instance_uuids_by_ip_filter: rule:admin_or_owner
|
|
network:get_instance_id_by_floating_address: rule:admin_or_owner
|
|
network:setup_networks_on_host: rule:admin_or_owner
|
|
network:get_backdoor_port: rule:admin_or_owner
|
|
network:get_floating_ip: rule:admin_or_owner
|
|
network:get_floating_ip_pools: rule:admin_or_owner
|
|
network:get_floating_ip_by_address: rule:admin_or_owner
|
|
network:get_floating_ips_by_project: rule:admin_or_owner
|
|
network:get_floating_ips_by_fixed_address: rule:admin_or_owner
|
|
network:allocate_floating_ip: rule:admin_or_owner
|
|
network:associate_floating_ip: rule:admin_or_owner
|
|
network:disassociate_floating_ip: rule:admin_or_owner
|
|
network:release_floating_ip: rule:admin_or_owner
|
|
network:migrate_instance_start: rule:admin_or_owner
|
|
network:migrate_instance_finish: rule:admin_or_owner
|
|
network:get_fixed_ip: rule:admin_or_owner
|
|
network:get_fixed_ip_by_address: rule:admin_or_owner
|
|
network:add_fixed_ip_to_instance: rule:admin_or_owner
|
|
network:remove_fixed_ip_from_instance: rule:admin_or_owner
|
|
network:add_network_to_project: rule:admin_or_owner
|
|
network:get_instance_nw_info: rule:admin_or_owner
|
|
network:get_dns_domains: rule:admin_or_owner
|
|
network:add_dns_entry: rule:admin_or_owner
|
|
network:modify_dns_entry: rule:admin_or_owner
|
|
network:delete_dns_entry: rule:admin_or_owner
|
|
network:get_dns_entries_by_address: rule:admin_or_owner
|
|
network:get_dns_entries_by_name: rule:admin_or_owner
|
|
network:create_private_dns_domain: rule:admin_or_owner
|
|
network:create_public_dns_domain: rule:admin_or_owner
|
|
network:delete_dns_domain: rule:admin_or_owner
|
|
network:attach_external_network: rule:admin_api
|
|
network:get_vif_by_mac_address: rule:admin_or_owner
|
|
os_compute_api:servers:detail:get_all_tenants: is_admin:True
|
|
os_compute_api:servers:index:get_all_tenants: is_admin:True
|
|
os_compute_api:servers:confirm_resize: rule:admin_or_owner
|
|
os_compute_api:servers:create: rule:admin_or_owner
|
|
os_compute_api:servers:create:attach_network: rule:admin_or_owner
|
|
os_compute_api:servers:create:attach_volume: rule:admin_or_owner
|
|
os_compute_api:servers:create:forced_host: rule:admin_api
|
|
os_compute_api:servers:delete: rule:admin_or_owner
|
|
os_compute_api:servers:update: rule:admin_or_owner
|
|
os_compute_api:servers:detail: rule:admin_or_owner
|
|
os_compute_api:servers:index: rule:admin_or_owner
|
|
os_compute_api:servers:reboot: rule:admin_or_owner
|
|
os_compute_api:servers:rebuild: rule:admin_or_owner
|
|
os_compute_api:servers:resize: rule:admin_or_owner
|
|
os_compute_api:servers:revert_resize: rule:admin_or_owner
|
|
os_compute_api:servers:show: rule:admin_or_owner
|
|
os_compute_api:servers:show:host_status: rule:admin_api
|
|
os_compute_api:servers:create_image: rule:admin_or_owner
|
|
os_compute_api:servers:create_image:allow_volume_backed: rule:admin_or_owner
|
|
os_compute_api:servers:start: rule:admin_or_owner
|
|
os_compute_api:servers:stop: rule:admin_or_owner
|
|
os_compute_api:servers:trigger_crash_dump: rule:admin_or_owner
|
|
os_compute_api:servers:migrations:force_complete: rule:admin_api
|
|
os_compute_api:servers:migrations:delete: rule:admin_api
|
|
os_compute_api:servers:discoverable: "@"
|
|
os_compute_api:servers:migrations:index: rule:admin_api
|
|
os_compute_api:servers:migrations:show: rule:admin_api
|
|
os_compute_api:os-access-ips:discoverable: "@"
|
|
os_compute_api:os-access-ips: rule:admin_or_owner
|
|
os_compute_api:os-admin-actions: rule:admin_api
|
|
os_compute_api:os-admin-actions:discoverable: "@"
|
|
os_compute_api:os-admin-actions:reset_network: rule:admin_api
|
|
os_compute_api:os-admin-actions:inject_network_info: rule:admin_api
|
|
os_compute_api:os-admin-actions:reset_state: rule:admin_api
|
|
os_compute_api:os-admin-password: rule:admin_or_owner
|
|
os_compute_api:os-admin-password:discoverable: "@"
|
|
os_compute_api:os-aggregates:discoverable: "@"
|
|
os_compute_api:os-aggregates:index: rule:admin_api
|
|
os_compute_api:os-aggregates:create: rule:admin_api
|
|
os_compute_api:os-aggregates:show: rule:admin_api
|
|
os_compute_api:os-aggregates:update: rule:admin_api
|
|
os_compute_api:os-aggregates:delete: rule:admin_api
|
|
os_compute_api:os-aggregates:add_host: rule:admin_api
|
|
os_compute_api:os-aggregates:remove_host: rule:admin_api
|
|
os_compute_api:os-aggregates:set_metadata: rule:admin_api
|
|
os_compute_api:os-agents: rule:admin_api
|
|
os_compute_api:os-agents:discoverable: "@"
|
|
os_compute_api:os-attach-interfaces: rule:admin_or_owner
|
|
os_compute_api:os-attach-interfaces:discoverable: "@"
|
|
os_compute_api:os-baremetal-nodes: rule:admin_api
|
|
os_compute_api:os-baremetal-nodes:discoverable: "@"
|
|
os_compute_api:os-block-device-mapping-v1:discoverable: "@"
|
|
os_compute_api:os-cells: rule:admin_api
|
|
os_compute_api:os-cells:create: rule:admin_api
|
|
os_compute_api:os-cells:delete: rule:admin_api
|
|
os_compute_api:os-cells:update: rule:admin_api
|
|
os_compute_api:os-cells:sync_instances: rule:admin_api
|
|
os_compute_api:os-cells:discoverable: "@"
|
|
os_compute_api:os-certificates:create: rule:admin_or_owner
|
|
os_compute_api:os-certificates:show: rule:admin_or_owner
|
|
os_compute_api:os-certificates:discoverable: "@"
|
|
os_compute_api:os-cloudpipe: rule:admin_api
|
|
os_compute_api:os-cloudpipe:discoverable: "@"
|
|
os_compute_api:os-config-drive: rule:admin_or_owner
|
|
os_compute_api:os-config-drive:discoverable: "@"
|
|
os_compute_api:os-consoles:discoverable: "@"
|
|
os_compute_api:os-consoles:create: rule:admin_or_owner
|
|
os_compute_api:os-consoles:delete: rule:admin_or_owner
|
|
os_compute_api:os-consoles:index: rule:admin_or_owner
|
|
os_compute_api:os-consoles:show: rule:admin_or_owner
|
|
os_compute_api:os-console-output:discoverable: "@"
|
|
os_compute_api:os-console-output: rule:admin_or_owner
|
|
os_compute_api:os-remote-consoles: rule:admin_or_owner
|
|
os_compute_api:os-remote-consoles:discoverable: "@"
|
|
os_compute_api:os-create-backup:discoverable: "@"
|
|
os_compute_api:os-create-backup: rule:admin_or_owner
|
|
os_compute_api:os-deferred-delete: rule:admin_or_owner
|
|
os_compute_api:os-deferred-delete:discoverable: "@"
|
|
os_compute_api:os-disk-config: rule:admin_or_owner
|
|
os_compute_api:os-disk-config:discoverable: "@"
|
|
os_compute_api:os-evacuate: rule:admin_api
|
|
os_compute_api:os-evacuate:discoverable: "@"
|
|
os_compute_api:os-extended-server-attributes: rule:admin_api
|
|
os_compute_api:os-extended-server-attributes:discoverable: "@"
|
|
os_compute_api:os-extended-status: rule:admin_or_owner
|
|
os_compute_api:os-extended-status:discoverable: "@"
|
|
os_compute_api:os-extended-availability-zone: rule:admin_or_owner
|
|
os_compute_api:os-extended-availability-zone:discoverable: "@"
|
|
os_compute_api:extensions: rule:admin_or_owner
|
|
os_compute_api:extensions:discoverable: "@"
|
|
os_compute_api:extension_info:discoverable: "@"
|
|
os_compute_api:os-extended-volumes: rule:admin_or_owner
|
|
os_compute_api:os-extended-volumes:discoverable: "@"
|
|
os_compute_api:os-fixed-ips: rule:admin_api
|
|
os_compute_api:os-fixed-ips:discoverable: "@"
|
|
os_compute_api:os-flavor-access: rule:admin_or_owner
|
|
os_compute_api:os-flavor-access:discoverable: "@"
|
|
os_compute_api:os-flavor-access:remove_tenant_access: rule:admin_api
|
|
os_compute_api:os-flavor-access:add_tenant_access: rule:admin_api
|
|
os_compute_api:os-flavor-rxtx: rule:admin_or_owner
|
|
os_compute_api:os-flavor-rxtx:discoverable: "@"
|
|
os_compute_api:flavors: rule:admin_or_owner
|
|
os_compute_api:flavors:discoverable: "@"
|
|
os_compute_api:os-flavor-extra-specs:discoverable: "@"
|
|
os_compute_api:os-flavor-extra-specs:index: rule:admin_or_owner
|
|
os_compute_api:os-flavor-extra-specs:show: rule:admin_or_owner
|
|
os_compute_api:os-flavor-extra-specs:create: rule:admin_api
|
|
os_compute_api:os-flavor-extra-specs:update: rule:admin_api
|
|
os_compute_api:os-flavor-extra-specs:delete: rule:admin_api
|
|
os_compute_api:os-flavor-manage:discoverable: "@"
|
|
os_compute_api:os-flavor-manage: rule:admin_api
|
|
os_compute_api:os-floating-ip-dns: rule:admin_or_owner
|
|
os_compute_api:os-floating-ip-dns:discoverable: "@"
|
|
os_compute_api:os-floating-ip-dns:domain:update: rule:admin_api
|
|
os_compute_api:os-floating-ip-dns:domain:delete: rule:admin_api
|
|
os_compute_api:os-floating-ip-pools: rule:admin_or_owner
|
|
os_compute_api:os-floating-ip-pools:discoverable: "@"
|
|
os_compute_api:os-floating-ips: rule:admin_or_owner
|
|
os_compute_api:os-floating-ips:discoverable: "@"
|
|
os_compute_api:os-floating-ips-bulk: rule:admin_api
|
|
os_compute_api:os-floating-ips-bulk:discoverable: "@"
|
|
os_compute_api:os-fping: rule:admin_or_owner
|
|
os_compute_api:os-fping:discoverable: "@"
|
|
os_compute_api:os-fping:all_tenants: rule:admin_api
|
|
os_compute_api:os-hide-server-addresses: is_admin:False
|
|
os_compute_api:os-hide-server-addresses:discoverable: "@"
|
|
os_compute_api:os-hosts: rule:admin_api
|
|
os_compute_api:os-hosts:discoverable: "@"
|
|
os_compute_api:os-hypervisors: rule:admin_api
|
|
os_compute_api:os-hypervisors:discoverable: "@"
|
|
os_compute_api:images:discoverable: "@"
|
|
os_compute_api:image-size: rule:admin_or_owner
|
|
os_compute_api:image-size:discoverable: "@"
|
|
os_compute_api:os-instance-actions: rule:admin_or_owner
|
|
os_compute_api:os-instance-actions:discoverable: "@"
|
|
os_compute_api:os-instance-actions:events: rule:admin_api
|
|
os_compute_api:os-instance-usage-audit-log: rule:admin_api
|
|
os_compute_api:os-instance-usage-audit-log:discoverable: "@"
|
|
os_compute_api:ips:discoverable: "@"
|
|
os_compute_api:ips:index: rule:admin_or_owner
|
|
os_compute_api:ips:show: rule:admin_or_owner
|
|
os_compute_api:os-keypairs:discoverable: "@"
|
|
os_compute_api:os-keypairs: rule:admin_or_owner
|
|
os_compute_api:os-keypairs:index: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:show: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:create: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:os-keypairs:delete: rule:admin_api or user_id:%(user_id)s
|
|
os_compute_api:limits:discoverable: "@"
|
|
os_compute_api:limits: rule:admin_or_owner
|
|
os_compute_api:os-lock-server:discoverable: "@"
|
|
os_compute_api:os-lock-server:lock: rule:admin_or_owner
|
|
os_compute_api:os-lock-server:unlock: rule:admin_or_owner
|
|
os_compute_api:os-lock-server:unlock:unlock_override: rule:admin_api
|
|
os_compute_api:os-migrate-server:discoverable: "@"
|
|
os_compute_api:os-migrate-server:migrate: rule:admin_api
|
|
os_compute_api:os-migrate-server:migrate_live: rule:admin_api
|
|
os_compute_api:os-multinic: rule:admin_or_owner
|
|
os_compute_api:os-multinic:discoverable: "@"
|
|
os_compute_api:os-networks: rule:admin_api
|
|
os_compute_api:os-networks:view: rule:admin_or_owner
|
|
os_compute_api:os-networks:discoverable: "@"
|
|
os_compute_api:os-networks-associate: rule:admin_api
|
|
os_compute_api:os-networks-associate:discoverable: "@"
|
|
os_compute_api:os-pause-server:discoverable: "@"
|
|
os_compute_api:os-pause-server:pause: rule:admin_or_owner
|
|
os_compute_api:os-pause-server:unpause: rule:admin_or_owner
|
|
os_compute_api:os-pci:pci_servers: rule:admin_or_owner
|
|
os_compute_api:os-pci:discoverable: "@"
|
|
os_compute_api:os-pci:index: rule:admin_api
|
|
os_compute_api:os-pci:detail: rule:admin_api
|
|
os_compute_api:os-pci:show: rule:admin_api
|
|
os_compute_api:os-personality:discoverable: "@"
|
|
os_compute_api:os-preserve-ephemeral-rebuild:discoverable: "@"
|
|
os_compute_api:os-quota-sets:discoverable: "@"
|
|
os_compute_api:os-quota-sets:show: rule:admin_or_owner
|
|
os_compute_api:os-quota-sets:defaults: "@"
|
|
os_compute_api:os-quota-sets:update: rule:admin_api
|
|
os_compute_api:os-quota-sets:delete: rule:admin_api
|
|
os_compute_api:os-quota-sets:detail: rule:admin_api
|
|
os_compute_api:os-quota-class-sets:update: rule:admin_api
|
|
os_compute_api:os-quota-class-sets:show: is_admin:True or quota_class:%(quota_class)s
|
|
os_compute_api:os-quota-class-sets:discoverable: "@"
|
|
os_compute_api:os-rescue: rule:admin_or_owner
|
|
os_compute_api:os-rescue:discoverable: "@"
|
|
os_compute_api:os-scheduler-hints:discoverable: "@"
|
|
os_compute_api:os-security-group-default-rules:discoverable: "@"
|
|
os_compute_api:os-security-group-default-rules: rule:admin_api
|
|
os_compute_api:os-security-groups: rule:admin_or_owner
|
|
os_compute_api:os-security-groups:discoverable: "@"
|
|
os_compute_api:os-server-diagnostics: rule:admin_api
|
|
os_compute_api:os-server-diagnostics:discoverable: "@"
|
|
os_compute_api:os-server-password: rule:admin_or_owner
|
|
os_compute_api:os-server-password:discoverable: "@"
|
|
os_compute_api:os-server-usage: rule:admin_or_owner
|
|
os_compute_api:os-server-usage:discoverable: "@"
|
|
os_compute_api:os-server-groups: rule:admin_or_owner
|
|
os_compute_api:os-server-groups:discoverable: "@"
|
|
os_compute_api:os-server-tags:index: "@"
|
|
os_compute_api:os-server-tags:show: "@"
|
|
os_compute_api:os-server-tags:update: "@"
|
|
os_compute_api:os-server-tags:update_all: "@"
|
|
os_compute_api:os-server-tags:delete: "@"
|
|
os_compute_api:os-server-tags:delete_all: "@"
|
|
os_compute_api:os-services: rule:admin_api
|
|
os_compute_api:os-services:discoverable: "@"
|
|
os_compute_api:server-metadata:discoverable: "@"
|
|
os_compute_api:server-metadata:index: rule:admin_or_owner
|
|
os_compute_api:server-metadata:show: rule:admin_or_owner
|
|
os_compute_api:server-metadata:delete: rule:admin_or_owner
|
|
os_compute_api:server-metadata:create: rule:admin_or_owner
|
|
os_compute_api:server-metadata:update: rule:admin_or_owner
|
|
os_compute_api:server-metadata:update_all: rule:admin_or_owner
|
|
os_compute_api:os-shelve:shelve: rule:admin_or_owner
|
|
os_compute_api:os-shelve:shelve:discoverable: "@"
|
|
os_compute_api:os-shelve:shelve_offload: rule:admin_api
|
|
os_compute_api:os-simple-tenant-usage:discoverable: "@"
|
|
os_compute_api:os-simple-tenant-usage:show: rule:admin_or_owner
|
|
os_compute_api:os-simple-tenant-usage:list: rule:admin_api
|
|
os_compute_api:os-suspend-server:discoverable: "@"
|
|
os_compute_api:os-suspend-server:suspend: rule:admin_or_owner
|
|
os_compute_api:os-suspend-server:resume: rule:admin_or_owner
|
|
os_compute_api:os-tenant-networks: rule:admin_or_owner
|
|
os_compute_api:os-tenant-networks:discoverable: "@"
|
|
os_compute_api:os-shelve:unshelve: rule:admin_or_owner
|
|
os_compute_api:os-user-data:discoverable: "@"
|
|
os_compute_api:os-virtual-interfaces: rule:admin_or_owner
|
|
os_compute_api:os-virtual-interfaces:discoverable: "@"
|
|
os_compute_api:os-volumes: rule:admin_or_owner
|
|
os_compute_api:os-volumes:discoverable: "@"
|
|
os_compute_api:os-volumes-attachments:index: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:show: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:create: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:update: rule:admin_api
|
|
os_compute_api:os-volumes-attachments:delete: rule:admin_or_owner
|
|
os_compute_api:os-volumes-attachments:discoverable: "@"
|
|
os_compute_api:os-availability-zone:list: rule:admin_or_owner
|
|
os_compute_api:os-availability-zone:discoverable: "@"
|
|
os_compute_api:os-availability-zone:detail: rule:admin_api
|
|
os_compute_api:os-used-limits: rule:admin_api
|
|
os_compute_api:os-used-limits:discoverable: "@"
|
|
os_compute_api:os-migrations:index: rule:admin_api
|
|
os_compute_api:os-migrations:discoverable: "@"
|
|
os_compute_api:os-assisted-volume-snapshots:create: rule:admin_api
|
|
os_compute_api:os-assisted-volume-snapshots:delete: rule:admin_api
|
|
os_compute_api:os-assisted-volume-snapshots:discoverable: "@"
|
|
os_compute_api:os-console-auth-tokens: rule:admin_api
|
|
os_compute_api:os-console-auth-tokens:discoverable: "@"
|
|
os_compute_api:os-server-external-events:create: rule:admin_api
|
|
os_compute_api:os-server-external-events:discoverable: "@"
|
|
|
|
dependencies:
|
|
static:
|
|
dashboard:
|
|
jobs:
|
|
- horizon-db-sync
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_cache
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_drop:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_init:
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
db_sync:
|
|
jobs:
|
|
- horizon-db-init
|
|
services:
|
|
- endpoint: internal
|
|
service: oslo_db
|
|
|
|
pod:
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
mounts:
|
|
horizon_db_init:
|
|
init_container: null
|
|
horizon_db_init:
|
|
horizon_db_sync:
|
|
init_container: null
|
|
horizon_db_sync:
|
|
horizon:
|
|
init_container: null
|
|
horizon:
|
|
replicas:
|
|
server: 1
|
|
lifecycle:
|
|
upgrades:
|
|
deployments:
|
|
revision_history: 3
|
|
pod_replacement_strategy: RollingUpdate
|
|
rolling_update:
|
|
max_unavailable: 1
|
|
max_surge: 3
|
|
disruption_budget:
|
|
horizon:
|
|
min_available: 0
|
|
termination_grace_period:
|
|
horizon:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
server:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1204Mi"
|
|
cpu: "2000m"
|
|
jobs:
|
|
db_init:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_sync:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
db_drop:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
|
|
# Names of secrets used by bootstrap and environmental checks
|
|
secrets:
|
|
oslo_db:
|
|
admin: horizon-db-admin
|
|
horizon: horizon-db-user
|
|
|
|
# typically overriden by environmental
|
|
# values, but should include all endpoints
|
|
# required by this chart
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
identity:
|
|
name: keystone
|
|
hosts:
|
|
default: keystone-api
|
|
public: keystone
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
admin:
|
|
default: 35357
|
|
api:
|
|
default: 80
|
|
oslo_cache:
|
|
hosts:
|
|
default: memcached
|
|
host_fqdn_override:
|
|
default: null
|
|
port:
|
|
memcache:
|
|
default: 11211
|
|
dashboard:
|
|
name: horizon
|
|
hosts:
|
|
default: horizon-int
|
|
public: horizon
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: null
|
|
scheme:
|
|
default: http
|
|
port:
|
|
web:
|
|
default: 80
|
|
oslo_db:
|
|
auth:
|
|
admin:
|
|
username: root
|
|
password: password
|
|
horizon:
|
|
username: horizon
|
|
password: password
|
|
hosts:
|
|
default: mariadb
|
|
host_fqdn_override:
|
|
default: null
|
|
path: /horizon
|
|
scheme: mysql+pymysql
|
|
port:
|
|
mysql:
|
|
default: 3306
|
|
|
|
manifests:
|
|
configmap_bin: true
|
|
configmap_etc: true
|
|
deployment: true
|
|
ingress_api: true
|
|
job_db_init: true
|
|
job_db_sync: true
|
|
job_db_drop: false
|
|
pdb: true
|
|
secret_db: true
|
|
service_ingress: true
|
|
service: true
|