openstack/openstack-helm
Code Issues Proposed changes
d2e2d58a5f
openstack-helm/horizon/values.yaml
guilhermesteinmuller 8f38a1c45f Update glance default policy values 
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].

As a side effect on how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provide read access to all users.

[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088

Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
2021-03-25 19:32:08 -03:00

2331 lines
109 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for horizon.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
images:
tags:
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
horizon_db_sync: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
horizon: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_bionic
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
release_group: null
labels:
dashboard:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
dashboard:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
external_policy_local: false
node_port:
enabled: false
port: 31000
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-available
conf_dir: /etc/apache2/conf-available
mods_dir: /etc/apache2/mods-available
a2enmod:
- headers
- rewrite
a2dismod:
- status
horizon:
apache: |
<IfVersion < 2.4>
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
</IfVersion>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup horizon-http
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
WSGIPassAuthorization On
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
RewriteRule .* - [F]
<Location "/">
Require all granted
</Location>
Alias /static /var/www/html/horizon
<Location "/static">
SetHandler static
</Location>
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
TransferLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</Virtualhost>
security: |
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Require all denied
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#Security-Settings
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"
Header set X-Permitted-Cross-Domain-Policies: "none"
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
local_settings:
config:
# Use "True" and "False" as Titlecase strings with quotes, boolean
# values will not work
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
debug: "False"
use_ssl: "False"
keystone_multidomain_support: "True"
keystone_default_domain: Default
disable_password_reveal: "True"
csrf_cookie_secure: "False"
enforce_password_check: "True"
# Set enable_pwd_validator to true to enforce password validator settings.
enable_pwd_validator: false
pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
session_cookie_secure: "False"
session_cookie_httponly: "False"
secure_proxy_ssl_header: false
password_autocomplete: "False"
disallow_iframe_embed: "False"
allowed_hosts:
- '*'
horizon_images_upload_mode: 'legacy'
openstack_cinder_features:
enable_backup: "True"
openstack_neutron_network:
enable_router: "True"
enable_quotas: "True"
enable_ipv6: "True"
enable_distributed_router: "False"
enable_ha_router: "False"
enable_lb: "True"
enable_firewall: "True"
enable_vpn: "True"
enable_fip_topology_check: "True"
auth:
sso:
enabled: False
initial_choice: "credentials"
idp_mapping:
- name: "acme_oidc"
label: "Acme Corporation - OpenID Connect"
idp: "myidp1"
protocol: "oidc"
- name: "acme_saml2"
label: "Acme Corporation - SAML2"
idp: "myidp2"
protocol: "saml2"
log_level: "DEBUG"
# Pass any settings to the end of local_settings.py
raw: {}
template: |
import os
from django.utils.translation import ugettext_lazy as _
from openstack_dashboard import exceptions
DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }}
TEMPLATE_DEBUG = DEBUG
COMPRESS_OFFLINE = True
COMPRESS_CSS_HASHING_METHOD = "hash"
# WEBROOT is the location relative to Webserver root
# should end with a slash.
WEBROOT = '/'
# LOGIN_URL = WEBROOT + 'auth/login/'
# LOGOUT_URL = WEBROOT + 'auth/logout/'
#
# LOGIN_REDIRECT_URL can be used as an alternative for
# HORIZON_CONFIG.user_home, if user_home is not set.
# Do not set it to '/home/', as this will cause circular redirect loop
# LOGIN_REDIRECT_URL = WEBROOT
# Required for Django 1.5.
# If horizon is running in production (DEBUG is False), set this
# with the list of host/domain names that the application can serve.
# For more information see:
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]
# Set SSL proxy settings:
# For Django 1.4+ pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request.
# For more information see:
# https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
# https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
{{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
{{- end }}
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
# Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specific API version for a given service API.
# Versions specified here should be integers or floats, not strings.
# NOTE: The version should be formatted as it appears in the URL for the
# service API. For example, The identity service APIs have inconsistent
# use of the decimal point, so valid options would be 2.0 or 3.
#OPENSTACK_API_VERSIONS = {
# "data-processing": 1.1,
# "identity": 3,
# "volume": 2,
#}
OPENSTACK_API_VERSIONS = {
"identity": 3,
}
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = '{{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }}'
# Overrides the default domain used when running on single-domain model
# with Keystone V3. All entities will be created in the default domain.
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}'
# Set Console type:
# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
# Set to None explicitly if you want to deactivate the console.
#CONSOLE_TYPE = "AUTO"
# Default OpenStack Dashboard configuration.
HORIZON_CONFIG = {
'user_home': 'openstack_dashboard.views.get_user_home',
'ajax_queue_limit': 10,
'auto_fade_alerts': {
'delay': 3000,
'fade_duration': 1500,
'types': ['alert-success', 'alert-info']
},
'help_url': "http://docs.openstack.org",
'exceptions': {'recoverable': exceptions.RECOVERABLE,
'not_found': exceptions.NOT_FOUND,
'unauthorized': exceptions.UNAUTHORIZED},
'modal_backdrop': 'static',
'angular_modules': [],
'js_files': [],
'js_spec_files': [],
}
{{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }}
# Specify a regular expression to validate user passwords.
HORIZON_CONFIG["password_validator"] = {
"regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}',
"help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }},
}
{{- end }}
# Disable simplified floating IP address management for deployments with
# multiple floating IP pools or complex network requirements.
#HORIZON_CONFIG["simple_ip_management"] = False
# Turn off browser autocompletion for forms including the login form and
# the database creation workflow if so desired.
HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
# Setting this to True will disable the reveal button for password fields,
# including on the login form.
HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
LOCAL_PATH = '/tmp'
# Set custom secret key:
# You can either set it to a specific value or you can let horizon generate a
# default secret key that is unique on this machine, e.i. regardless of the
# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
# there may be situations where you would want to set this explicitly, e.g.
# when multiple dashboard instances are distributed on different machines
# (usually behind a load-balancer). Either you have to make sure that a session
# gets all requests routed to the same dashboard instance or you set the same
# SECRET_KEY for all of them.
SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}',
}
}
DATABASES = {
'default': {
# Database configuration here
'ENGINE': 'django.db.backends.mysql',
'NAME': '{{ .Values.endpoints.oslo_db.path | base }}',
'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}',
'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
'default-character-set': 'utf8',
{{- if .Values.manifests.certificates }}
'OPTIONS':{
'ssl': {
'ca': '/etc/mysql/certs/ca.crt',
'cert': '/etc/mysql/certs/tls.crt',
'key': '/etc/mysql/certs/tls.key'
}
},
{{- end }}
'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
}
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
# Send email to the console by default
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
# Or send them to /dev/null
#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
# Configure these for your outgoing email host
#EMAIL_HOST = 'smtp.my-company.com'
#EMAIL_PORT = 25\\
#EMAIL_HOST_USER = 'djangomail'
#EMAIL_HOST_PASSWORD = 'top-secret!'
# For multiple regions uncomment this configuration, and add (endpoint, title).
#AVAILABLE_REGIONS = [
# ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
# ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
#]
OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"
# This setting specifies the name of the header with remote IP address. If not present,
# then REMOTE_ADDR header is used. The commom value for this setting is HTTP_X_REAL_IP
# or HTTP_X_FORWARDED_FORx
SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
{{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }}
# Enables keystone web single-sign-on if set to True.
WEBSSO_ENABLED = True
# Determines which authentication choice to show as default.
WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"
# The list of authentication mechanisms
# which include keystone federation protocols.
# Current supported protocol IDs are 'saml2' and 'oidc'
# which represent SAML 2.0, OpenID Connect respectively.
# Do not remove the mandatory credentials mechanism.
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
{{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
({{ $sso.name | quote }}, {{ $sso.label | quote }}),
{{- end }}
)
WEBSSO_IDP_MAPPING = {
{{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
{{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
{{- end }}
}
{{- end }}
# Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = True
{{- if .Values.manifests.certificates }}
# The CA certificate to use to verify SSL connections
OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
{{- end }}
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.
# If Keystone has been configured to use LDAP as the auth backend then set
# can_edit_user to False and name to 'ldap'.
#
# TODO(tres): Remove these once Keystone has an API to identify auth backend.
OPENSTACK_KEYSTONE_BACKEND = {
'name': 'native',
'can_edit_user': True,
'can_edit_group': True,
'can_edit_project': True,
'can_edit_domain': True,
'can_edit_role': True,
}
# Setting this to True, will add a new "Retrieve Password" action on instance,
# allowing Admin session password retrieval/decryption.
#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
# The Launch Instance user experience has been significantly enhanced.
# You can choose whether to enable the new launch instance experience,
# the legacy experience, or both. The legacy experience will be removed
# in a future release, but is available as a temporary backup setting to ensure
# compatibility with existing deployments. Further development will not be
# done on the legacy experience. Please report any problems with the new
# experience via the StoryBoard tracking system.
#
# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
# determine the experience to enable. Set them both to true to enable
# both.
#LAUNCH_INSTANCE_LEGACY_ENABLED = True
#LAUNCH_INSTANCE_NG_ENABLED = False
# The Xen Hypervisor has the ability to set the mount point for volumes
# attached to instances (other Hypervisors currently do not). Setting
# can_set_mount_point to True will add the option to set the mount point
# from the UI.
OPENSTACK_HYPERVISOR_FEATURES = {
'can_set_mount_point': False,
'can_set_password': False,
}
# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
# services provided by cinder that is not exposed by its extension API.
OPENSTACK_CINDER_FEATURES = {
'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }},
}
# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currently available are load
# balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = {
'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }},
'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }},
'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }},
'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }},
'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }},
'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }},
'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }},
'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }},
'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }},
# The profile_support option is used to detect if an external router can be
# configured via the dashboard. When using specific plugins the
# profile_support can be turned on if needed.
'profile_support': None,
#'profile_support': 'cisco',
# Set which provider network types are supported. Only the network types
# in this list will be available to choose from when creating a network.
# Network types include local, flat, vlan, gre, and vxlan.
'supported_provider_types': ['*'],
# Set which VNIC types are supported for port binding. Only the VNIC
# types in this list will be available to choose from when creating a
# port.
# VNIC types include 'normal', 'macvtap' and 'direct'.
'supported_vnic_types': ['*']
}
# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
# in the OpenStack Dashboard related to the Image service, such as the list
# of supported image formats.
#OPENSTACK_IMAGE_BACKEND = {
# 'image_formats': [
# ('', _('Select format')),
# ('aki', _('AKI - Amazon Kernel Image')),
# ('ami', _('AMI - Amazon Machine Image')),
# ('ari', _('ARI - Amazon Ramdisk Image')),
# ('docker', _('Docker')),
# ('iso', _('ISO - Optical Disk Image')),
# ('ova', _('OVA - Open Virtual Appliance')),
# ('qcow2', _('QCOW2 - QEMU Emulator')),
# ('raw', _('Raw')),
# ('vdi', _('VDI - Virtual Disk Image')),
# ('vhd', ('VHD - Virtual Hard Disk')),
# ('vmdk', _('VMDK - Virtual Machine Disk')),
# ]
#}
# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
# image custom property attributes that appear on image detail pages.
IMAGE_CUSTOM_PROPERTY_TITLES = {
"architecture": _("Architecture"),
"kernel_id": _("Kernel ID"),
"ramdisk_id": _("Ramdisk ID"),
"image_state": _("Euca2ools state"),
"project_id": _("Project ID"),
"image_type": _("Image Type"),
}
# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
# custom properties should not be displayed in the Image Custom Properties
# table.
IMAGE_RESERVED_CUSTOM_PROPERTIES = []
# Set to 'legacy' or 'direct' to allow users to upload images to glance via
# Horizon server. When enabled, a file form field will appear on the create
# image form. If set to 'off', there will be no file form field on the create
# image form. See documentation for deployment considerations.
HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'
# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
# in the Keystone service catalog. Use this setting when Horizon is running
# external to the OpenStack environment. The default is 'publicURL'.
OPENSTACK_ENDPOINT_TYPE = "internalURL"
# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
# in the Keystone service catalog. Use this setting when Horizon is running
# external to the OpenStack environment. The default is None. This
# value should differ from OPENSTACK_ENDPOINT_TYPE if used.
SECONDARY_ENDPOINT_TYPE = "publicURL"
# The number of objects (Swift containers/objects or images) to display
# on a single page before providing a paging element (a "more" link)
# to paginate results.
API_RESULT_LIMIT = 1000
API_RESULT_PAGE_SIZE = 20
# The size of chunk in bytes for downloading objects from Swift
SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
# Specify a maximum number of items to display in a dropdown.
DROPDOWN_MAX_ITEMS = 30
# The timezone of the server. This should correspond with the timezone
# of your entire OpenStack installation, and hopefully be in UTC.
TIME_ZONE = "UTC"
# When launching an instance, the menu of available flavors is
# sorted by RAM usage, ascending. If you would like a different sort order,
# you can provide another flavor attribute as sorting key. Alternatively, you
# can provide a custom callback method to use for sorting. You can also provide
# a flag for reverse sort. For more info, see
# http://docs.python.org/2/library/functions.html#sorted
#CREATE_INSTANCE_FLAVOR_SORT = {
# 'key': 'name',
# # or
# 'key': my_awesome_callback_method,
# 'reverse': False,
#}
# Set this to True to display an 'Admin Password' field on the Change Password
# form to verify that it is indeed the admin logged-in who wants to change
# the password.
ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}
# Modules that provide /auth routes that can be used to handle different types
# of user authentication. Add auth plugins that require extra route handling to
# this list.
#AUTHENTICATION_URLS = [
# 'openstack_auth.urls',
#]
# The Horizon Policy Enforcement engine uses these values to load per service
# policy rule files. The content of these files should match the files the
# OpenStack services are using to determine role based access control in the
# target installation.
# Path to directory containing policy.json files
POLICY_FILES_PATH = '/etc/openstack-dashboard'
# Map of local copy of service policy files
#POLICY_FILES = {
# 'identity': 'keystone_policy.json',
# 'compute': 'nova_policy.json',
# 'volume': 'cinder_policy.json',
# 'image': 'glance_policy.json',
# 'orchestration': 'heat_policy.json',
# 'network': 'neutron_policy.json',
# 'telemetry': 'ceilometer_policy.json',
#}
# Trove user and database extension support. By default support for
# creating users and databases on database instances is turned on.
# To disable these extensions set the permission here to something
# unusable such as ["!"].
# TROVE_ADD_USER_PERMS = []
# TROVE_ADD_DATABASE_PERMS = []
# Change this patch to the appropriate static directory containing
# two files: _variables.scss and _styles.scss
#CUSTOM_THEME_PATH = 'static/themes/default'
LOGGING = {
'version': 1,
# When set to True this will disable all logging except
# for loggers specified in this configuration dictionary. Note that
# if nothing is specified here and disable_existing_loggers is True,
# django.db.backends will still log unless it is disabled explicitly.
'disable_existing_loggers': False,
'handlers': {
'null': {
'level': 'DEBUG',
'class': 'logging.NullHandler',
},
'console': {
# Set the level to "DEBUG" for verbose output logging.
'level': 'INFO',
'class': 'logging.StreamHandler',
},
},
'loggers': {
# Logging from django.db.backends is VERY verbose, send to null
# by default.
'django.db.backends': {
'handlers': ['null'],
'propagate': False,
},
'requests': {
'handlers': ['null'],
'propagate': False,
},
'horizon': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'openstack_dashboard': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'novaclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'cinderclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'glanceclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'glanceclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'neutronclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'heatclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'ceilometerclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'troveclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'swiftclient': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'openstack_auth': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'nose.plugins.manager': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'django': {
'handlers': ['console'],
'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
'propagate': False,
},
'iso8601': {
'handlers': ['null'],
'propagate': False,
},
'scss': {
'handlers': ['null'],
'propagate': False,
},
}
}
# 'direction' should not be specified for all_tcp/udp/icmp.
# It is specified in the form.
SECURITY_GROUP_RULES = {
'all_tcp': {
'name': _('All TCP'),
'ip_protocol': 'tcp',
'from_port': '1',
'to_port': '65535',
},
'all_udp': {
'name': _('All UDP'),
'ip_protocol': 'udp',
'from_port': '1',
'to_port': '65535',
},
'all_icmp': {
'name': _('All ICMP'),
'ip_protocol': 'icmp',
'from_port': '-1',
'to_port': '-1',
},
'ssh': {
'name': 'SSH',
'ip_protocol': 'tcp',
'from_port': '22',
'to_port': '22',
},
'smtp': {
'name': 'SMTP',
'ip_protocol': 'tcp',
'from_port': '25',
'to_port': '25',
},
'dns': {
'name': 'DNS',
'ip_protocol': 'tcp',
'from_port': '53',
'to_port': '53',
},
'http': {
'name': 'HTTP',
'ip_protocol': 'tcp',
'from_port': '80',
'to_port': '80',
},
'pop3': {
'name': 'POP3',
'ip_protocol': 'tcp',
'from_port': '110',
'to_port': '110',
},
'imap': {
'name': 'IMAP',
'ip_protocol': 'tcp',
'from_port': '143',
'to_port': '143',
},
'ldap': {
'name': 'LDAP',
'ip_protocol': 'tcp',
'from_port': '389',
'to_port': '389',
},
'https': {
'name': 'HTTPS',
'ip_protocol': 'tcp',
'from_port': '443',
'to_port': '443',
},
'smtps': {
'name': 'SMTPS',
'ip_protocol': 'tcp',
'from_port': '465',
'to_port': '465',
},
'imaps': {
'name': 'IMAPS',
'ip_protocol': 'tcp',
'from_port': '993',
'to_port': '993',
},
'pop3s': {
'name': 'POP3S',
'ip_protocol': 'tcp',
'from_port': '995',
'to_port': '995',
},
'ms_sql': {
'name': 'MS SQL',
'ip_protocol': 'tcp',
'from_port': '1433',
'to_port': '1433',
},
'mysql': {
'name': 'MYSQL',
'ip_protocol': 'tcp',
'from_port': '3306',
'to_port': '3306',
},
'rdp': {
'name': 'RDP',
'ip_protocol': 'tcp',
'from_port': '3389',
'to_port': '3389',
},
}
# Deprecation Notice:
#
# The setting FLAVOR_EXTRA_KEYS has been deprecated.
# Please load extra spec metadata into the Glance Metadata Definition Catalog.
#
# The sample quota definitions can be found in:
# <glance_source>/etc/metadefs/compute-quota.json
#
# The metadata definition catalog supports CLI and API:
# $glance --os-image-api-version 2 help md-namespace-import
# $glance-manage db_load_metadefs <directory_with_definition_files>
#
# See Metadata Definitions on: https://docs.openstack.org/glance/latest/
# Indicate to the Sahara data processing service whether or not
# automatic floating IP allocation is in effect. If it is not
# in effect, the user will be prompted to choose a floating IP
# pool for use in their cluster. False by default. You would want
# to set this to True if you were running Nova Networking with
# auto_assign_floating_ip = True.
#SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
# The hash algorithm to use for authentication tokens. This must
# match the hash algorithm that the identity server and the
# auth_token middleware are using. Allowed values are the
# algorithms supported by Python's hashlib library.
#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
# AngularJS requires some settings to be made available to
# the client side. Some settings are required by in-tree / built-in horizon
# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
# form of ['SETTING_1','SETTING_2'], etc.
#
# You may remove settings from this list for security purposes, but do so at
# the risk of breaking a built-in horizon feature. These settings are required
# for horizon to function properly. Only remove them if you know what you
# are doing. These settings may in the future be moved to be defined within
# the enabled panel configuration.
# You should not add settings to this list for out of tree extensions.
# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
'LAUNCH_INSTANCE_DEFAULTS',
'OPENSTACK_IMAGE_FORMATS']
# Additional settings can be made available to the client side for
# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
# !! Please use extreme caution as the settings are transferred via HTTP/S
# and are not encrypted on the browser. This is an experimental API and
# may be deprecated in the future without notice.
#REST_API_ADDITIONAL_SETTINGS = []
# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
# Scripting (XFS) vulnerability, so this option allows extra security hardening
# where iframes are not used in deployment. Default setting is True.
# For more information see:
# http://tinyurl.com/anticlickjack
DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
STATIC_ROOT = '/var/www/html/horizon'
{{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }}
{{ $option }} = {{ toJson $value }}
{{- end }}
policy:
ceilometer:
context_is_admin: 'role:admin'
context_is_owner: 'user_id:%(target.user_id)s'
context_is_project: 'project_id:%(target.project_id)s'
segregation: 'rule:context_is_admin'
cinder:
admin_api: 'is_admin:True'
admin_or_owner: 'is_admin:True or project_id:%(project_id)s'
'backup:backup-export': 'rule:admin_api'
'backup:backup-import': 'rule:admin_api'
'backup:create': ''
'backup:delete': 'rule:admin_or_owner'
'backup:get': 'rule:admin_or_owner'
'backup:get_all': 'rule:admin_or_owner'
'backup:restore': 'rule:admin_or_owner'
'consistencygroup:create': 'group:nobody'
'consistencygroup:create_cgsnapshot': 'group:nobody'
'consistencygroup:delete': 'group:nobody'
'consistencygroup:delete_cgsnapshot': 'group:nobody'
'consistencygroup:get': 'group:nobody'
'consistencygroup:get_all': 'group:nobody'
'consistencygroup:get_all_cgsnapshots': 'group:nobody'
'consistencygroup:get_cgsnapshot': 'group:nobody'
'consistencygroup:update': 'group:nobody'
context_is_admin: 'role:admin'
default: 'rule:admin_or_owner'
'message:delete': 'rule:admin_or_owner'
'message:get': 'rule:admin_or_owner'
'message:get_all': 'rule:admin_or_owner'
'scheduler_extension:scheduler_stats:get_pools': 'rule:admin_api'
'snapshot_extension:snapshot_actions:update_snapshot_status': ''
'snapshot_extension:snapshot_manage': 'rule:admin_api'
'snapshot_extension:snapshot_unmanage': 'rule:admin_api'
'volume:accept_transfer': ''
'volume:create': ''
'volume:create_snapshot': 'rule:admin_or_owner'
'volume:create_transfer': 'rule:admin_or_owner'
'volume:delete': 'rule:admin_or_owner'
'volume:delete_snapshot': 'rule:admin_or_owner'
'volume:delete_snapshot_metadata': 'rule:admin_or_owner'
'volume:delete_transfer': 'rule:admin_or_owner'
'volume:delete_volume_metadata': 'rule:admin_or_owner'
'volume:extend': 'rule:admin_or_owner'
'volume:failover_host': 'rule:admin_api'
'volume:freeze_host': 'rule:admin_api'
'volume:get': 'rule:admin_or_owner'
'volume:get_all': 'rule:admin_or_owner'
'volume:get_all_snapshots': 'rule:admin_or_owner'
'volume:get_all_transfers': 'rule:admin_or_owner'
'volume:get_snapshot': 'rule:admin_or_owner'
'volume:get_snapshot_metadata': 'rule:admin_or_owner'
'volume:get_transfer': 'rule:admin_or_owner'
'volume:get_volume_admin_metadata': 'rule:admin_api'
'volume:get_volume_metadata': 'rule:admin_or_owner'
'volume:retype': 'rule:admin_or_owner'
'volume:thaw_host': 'rule:admin_api'
'volume:update': 'rule:admin_or_owner'
'volume:update_readonly_flag': 'rule:admin_or_owner'
'volume:update_snapshot': 'rule:admin_or_owner'
'volume:update_snapshot_metadata': 'rule:admin_or_owner'
'volume:update_volume_admin_metadata': 'rule:admin_api'
'volume:update_volume_metadata': 'rule:admin_or_owner'
'volume_extension:access_types_extra_specs': 'rule:admin_api'
'volume_extension:access_types_qos_specs_id': 'rule:admin_api'
'volume_extension:backup_admin_actions:force_delete': 'rule:admin_api'
'volume_extension:backup_admin_actions:reset_status': 'rule:admin_api'
'volume_extension:capabilities': 'rule:admin_api'
'volume_extension:extended_snapshot_attributes': 'rule:admin_or_owner'
'volume_extension:hosts': 'rule:admin_api'
'volume_extension:quota_classes': 'rule:admin_api'
'volume_extension:quota_classes:validate_setup_for_nested_quota_use': 'rule:admin_api'
'volume_extension:quotas:delete': 'rule:admin_api'
'volume_extension:quotas:show': ''
'volume_extension:quotas:update': 'rule:admin_api'
'volume_extension:replication:promote': 'rule:admin_api'
'volume_extension:replication:reenable': 'rule:admin_api'
'volume_extension:services:index': 'rule:admin_api'
'volume_extension:services:update': 'rule:admin_api'
'volume_extension:snapshot_admin_actions:force_delete': 'rule:admin_api'
'volume_extension:snapshot_admin_actions:reset_status': 'rule:admin_api'
'volume_extension:types_extra_specs': 'rule:admin_api'
'volume_extension:types_manage': 'rule:admin_api'
'volume_extension:volume_actions:upload_image': 'rule:admin_or_owner'
'volume_extension:volume_actions:upload_public': 'rule:admin_api'
'volume_extension:volume_admin_actions:force_delete': 'rule:admin_api'
'volume_extension:volume_admin_actions:force_detach': 'rule:admin_api'
'volume_extension:volume_admin_actions:migrate_volume': 'rule:admin_api'
'volume_extension:volume_admin_actions:migrate_volume_completion': 'rule:admin_api'
'volume_extension:volume_admin_actions:reset_status': 'rule:admin_api'
'volume_extension:volume_encryption_metadata': 'rule:admin_or_owner'
'volume_extension:volume_host_attribute': 'rule:admin_api'
'volume_extension:volume_image_metadata': 'rule:admin_or_owner'
'volume_extension:volume_manage': 'rule:admin_api'
'volume_extension:volume_mig_status_attribute': 'rule:admin_api'
'volume_extension:volume_tenant_attribute': 'rule:admin_or_owner'
'volume_extension:volume_type_access': 'rule:admin_or_owner'
'volume_extension:volume_type_access:addProjectAccess': 'rule:admin_api'
'volume_extension:volume_type_access:removeProjectAccess': 'rule:admin_api'
'volume_extension:volume_type_encryption': 'rule:admin_api'
'volume_extension:volume_unmanage': 'rule:admin_api'
glance:
metadef_default: ''
metadef_admin: 'role:admin'
get_metadef_namespace: 'rule:metadef_default'
get_metadef_namespaces: 'rule:metadef_default'
modify_metadef_namespace: 'rule:metadef_admin'
add_metadef_namespace: 'rule:metadef_admin'
delete_metadef_namespace: 'rule:metadef_admin'
get_metadef_object: 'rule:metadef_default'
get_metadef_objects: 'rule:metadef_default'
modify_metadef_object: 'rule:metadef_admin'
add_metadef_object: 'rule:metadef_admin'
delete_metadef_object: 'rule:metadef_admin'
list_metadef_resource_types: 'rule:metadef_default'
get_metadef_resource_type: 'rule:metadef_default'
add_metadef_resource_type_association: 'rule:metadef_admin'
remove_metadef_resource_type_association: 'rule:metadef_admin'
get_metadef_property: 'rule:metadef_default'
get_metadef_properties: 'rule:metadef_default'
modify_metadef_property: 'rule:metadef_admin'
add_metadef_property: 'rule:metadef_admin'
remove_metadef_property: 'rule:metadef_admin'
get_metadef_tag: 'rule:metadef_default'
get_metadef_tags: 'rule:metadef_default'
modify_metadef_tag: 'rule:metadef_admin'
add_metadef_tag: 'rule:metadef_admin'
add_metadef_tags: 'rule:metadef_admin'
delete_metadef_tag: 'rule:metadef_admin'
delete_metadef_tags: 'rule:metadef_admin'
add_image: ''
add_member: ''
add_task: ''
admin_or_owner: 'is_admin:True or project_id:%(project_id)s'
context_is_admin: 'role:admin'
copy_from: ''
default: 'rule:admin_or_owner'
delete_image: 'rule:admin_or_owner'
delete_image_location: ''
delete_member: ''
download_image: ''
get_image: ''
get_image_location: ''
get_images: ''
get_member: ''
get_members: ''
get_task: ''
get_tasks: ''
manage_image_cache: 'role:admin'
modify_image: 'rule:admin_or_owner'
modify_member: ''
modify_task: ''
publicize_image: ''
set_image_location: ''
upload_image: ''
heat:
'actions:action': 'rule:deny_stack_user'
'build_info:build_info': 'rule:deny_stack_user'
'cloudformation:CancelUpdateStack': 'rule:deny_stack_user'
'cloudformation:CreateStack': 'rule:deny_stack_user'
'cloudformation:DeleteStack': 'rule:deny_stack_user'
'cloudformation:DescribeStackEvents': 'rule:deny_stack_user'
'cloudformation:DescribeStackResource': ''
'cloudformation:DescribeStackResources': 'rule:deny_stack_user'
'cloudformation:DescribeStacks': 'rule:deny_stack_user'
'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user'
'cloudformation:GetTemplate': 'rule:deny_stack_user'
'cloudformation:ListStackResources': 'rule:deny_stack_user'
'cloudformation:ListStacks': 'rule:deny_stack_user'
'cloudformation:UpdateStack': 'rule:deny_stack_user'
'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
'cloudwatch:DeleteAlarms': 'rule:deny_stack_user'
'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user'
'cloudwatch:DescribeAlarms': 'rule:deny_stack_user'
'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user'
'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user'
'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user'
'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user'
'cloudwatch:ListMetrics': 'rule:deny_stack_user'
'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user'
'cloudwatch:PutMetricData': ''
'cloudwatch:SetAlarmState': 'rule:deny_stack_user'
context_is_admin: 'role:admin'
deny_everybody: '!'
deny_stack_user: 'not role:heat_stack_user'
'events:index': 'rule:deny_stack_user'
'events:show': 'rule:deny_stack_user'
'resource:index': 'rule:deny_stack_user'
'resource:mark_unhealthy': 'rule:deny_stack_user'
'resource:metadata': ''
'resource:show': 'rule:deny_stack_user'
'resource:signal': ''
'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin'
'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin'
'resource_types:OS::Manila::ShareType': 'rule:context_is_admin'
'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin'
'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin'
'resource_types:OS::Nova::Flavor': 'rule:context_is_admin'
'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin'
'service:index': 'rule:context_is_admin'
'software_configs:create': 'rule:deny_stack_user'
'software_configs:delete': 'rule:deny_stack_user'
'software_configs:global_index': 'rule:deny_everybody'
'software_configs:index': 'rule:deny_stack_user'
'software_configs:show': 'rule:deny_stack_user'
'software_deployments:create': 'rule:deny_stack_user'
'software_deployments:delete': 'rule:deny_stack_user'
'software_deployments:index': 'rule:deny_stack_user'
'software_deployments:metadata': ''
'software_deployments:show': 'rule:deny_stack_user'
'software_deployments:update': 'rule:deny_stack_user'
'stacks:abandon': 'rule:deny_stack_user'
'stacks:create': 'rule:deny_stack_user'
'stacks:delete': 'rule:deny_stack_user'
'stacks:delete_snapshot': 'rule:deny_stack_user'
'stacks:detail': 'rule:deny_stack_user'
'stacks:environment': 'rule:deny_stack_user'
'stacks:export': 'rule:deny_stack_user'
'stacks:generate_template': 'rule:deny_stack_user'
'stacks:global_index': 'rule:deny_everybody'
'stacks:index': 'rule:deny_stack_user'
'stacks:list_outputs': 'rule:deny_stack_user'
'stacks:list_resource_types': 'rule:deny_stack_user'
'stacks:list_snapshots': 'rule:deny_stack_user'
'stacks:list_template_functions': 'rule:deny_stack_user'
'stacks:list_template_versions': 'rule:deny_stack_user'
'stacks:lookup': ''
'stacks:preview': 'rule:deny_stack_user'
'stacks:preview_update': 'rule:deny_stack_user'
'stacks:preview_update_patch': 'rule:deny_stack_user'
'stacks:resource_schema': 'rule:deny_stack_user'
'stacks:restore_snapshot': 'rule:deny_stack_user'
'stacks:show': 'rule:deny_stack_user'
'stacks:show_output': 'rule:deny_stack_user'
'stacks:show_snapshot': 'rule:deny_stack_user'
'stacks:snapshot': 'rule:deny_stack_user'
'stacks:template': 'rule:deny_stack_user'
'stacks:update': 'rule:deny_stack_user'
'stacks:update_patch': 'rule:deny_stack_user'
'stacks:validate_template': 'rule:deny_stack_user'
keystone:
admin_or_owner: 'rule:admin_required or rule:owner'
admin_or_token_subject: 'rule:admin_required or rule:token_subject'
admin_required: 'role:admin or is_admin:1'
default: 'rule:admin_required'
'identity:add_endpoint_group_to_project': 'rule:admin_required'
'identity:add_endpoint_to_project': 'rule:admin_required'
'identity:add_user_to_group': 'rule:admin_required'
'identity:authorize_request_token': 'rule:admin_required'
'identity:change_password': 'rule:admin_or_owner'
'identity:check_endpoint_in_project': 'rule:admin_required'
'identity:check_grant': 'rule:admin_required'
'identity:check_implied_role': 'rule:admin_required'
'identity:check_policy_association_for_endpoint': 'rule:admin_required'
'identity:check_policy_association_for_region_and_service': 'rule:admin_required'
'identity:check_policy_association_for_service': 'rule:admin_required'
'identity:check_token': 'rule:admin_or_token_subject'
'identity:check_user_in_group': 'rule:admin_required'
'identity:create_consumer': 'rule:admin_required'
'identity:create_credential': 'rule:admin_required'
'identity:create_domain': 'rule:admin_required'
'identity:create_domain_config': 'rule:admin_required'
'identity:create_domain_role': 'rule:admin_required'
'identity:create_endpoint': 'rule:admin_required'
'identity:create_endpoint_group': 'rule:admin_required'
'identity:create_grant': 'rule:admin_required'
'identity:create_group': 'rule:admin_required'
'identity:create_identity_provider': 'rule:admin_required'
'identity:create_implied_role': 'rule:admin_required'
'identity:create_mapping': 'rule:admin_required'
'identity:create_policy': 'rule:admin_required'
'identity:create_policy_association_for_endpoint': 'rule:admin_required'
'identity:create_policy_association_for_region_and_service': 'rule:admin_required'
'identity:create_policy_association_for_service': 'rule:admin_required'
'identity:create_project': 'rule:admin_required'
'identity:create_protocol': 'rule:admin_required'
'identity:create_region': 'rule:admin_required'
'identity:create_role': 'rule:admin_required'
'identity:create_service': 'rule:admin_required'
'identity:create_service_provider': 'rule:admin_required'
'identity:create_trust': 'user_id:%(trust.trustor_user_id)s'
'identity:create_user': 'rule:admin_required'
'identity:delete_access_token': 'rule:admin_required'
'identity:delete_consumer': 'rule:admin_required'
'identity:delete_credential': 'rule:admin_required'
'identity:delete_domain': 'rule:admin_required'
'identity:delete_domain_config': 'rule:admin_required'
'identity:delete_domain_role': 'rule:admin_required'
'identity:delete_endpoint': 'rule:admin_required'
'identity:delete_endpoint_group': 'rule:admin_required'
'identity:delete_group': 'rule:admin_required'
'identity:delete_identity_provider': 'rule:admin_required'
'identity:delete_implied_role': 'rule:admin_required'
'identity:delete_mapping': 'rule:admin_required'
'identity:delete_policy': 'rule:admin_required'
'identity:delete_policy_association_for_endpoint': 'rule:admin_required'
'identity:delete_policy_association_for_region_and_service': 'rule:admin_required'
'identity:delete_policy_association_for_service': 'rule:admin_required'
'identity:delete_project': 'rule:admin_required'
'identity:delete_protocol': 'rule:admin_required'
'identity:delete_region': 'rule:admin_required'
'identity:delete_role': 'rule:admin_required'
'identity:delete_service': 'rule:admin_required'
'identity:delete_service_provider': 'rule:admin_required'
'identity:delete_trust': ''
'identity:delete_user': 'rule:admin_required'
'identity:ec2_create_credential': 'rule:admin_or_owner'
'identity:ec2_delete_credential': 'rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)'
'identity:ec2_get_credential': 'rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)'
'identity:ec2_list_credentials': 'rule:admin_or_owner'
'identity:get_access_token': 'rule:admin_required'
'identity:get_access_token_role': 'rule:admin_required'
'identity:get_auth_catalog': ''
'identity:get_auth_domains': ''
'identity:get_auth_projects': ''
'identity:get_consumer': 'rule:admin_required'
'identity:get_credential': 'rule:admin_required'
'identity:get_domain': 'rule:admin_required'
'identity:get_domain_config': 'rule:admin_required'
'identity:get_domain_config_default': 'rule:admin_required'
'identity:get_domain_role': 'rule:admin_required'
'identity:get_endpoint': 'rule:admin_required'
'identity:get_endpoint_group': 'rule:admin_required'
'identity:get_endpoint_group_in_project': 'rule:admin_required'
'identity:get_group': 'rule:admin_required'
'identity:get_identity_providers': 'rule:admin_required'
'identity:get_implied_role': 'rule:admin_required '
'identity:get_mapping': 'rule:admin_required'
'identity:get_policy': 'rule:admin_required'
'identity:get_policy_for_endpoint': 'rule:admin_required'
'identity:get_project': 'rule:admin_required or project_id:%(target.project.id)s'
'identity:get_protocol': 'rule:admin_required'
'identity:get_region': ''
'identity:get_role': 'rule:admin_required'
'identity:get_role_for_trust': ''
'identity:get_service': 'rule:admin_required'
'identity:get_service_provider': 'rule:admin_required'
'identity:get_user': 'rule:admin_required'
'identity:list_access_token_roles': 'rule:admin_required'
'identity:list_access_tokens': 'rule:admin_required'
'identity:list_consumers': 'rule:admin_required'
'identity:list_credentials': 'rule:admin_required'
'identity:list_domain_roles': 'rule:admin_required'
'identity:list_domains': 'rule:admin_required'
'identity:list_domains_for_groups': ''
'identity:list_endpoint_groups': 'rule:admin_required'
'identity:list_endpoint_groups_for_project': 'rule:admin_required'
'identity:list_endpoints': 'rule:admin_required'
'identity:list_endpoints_associated_with_endpoint_group': 'rule:admin_required'
'identity:list_endpoints_for_policy': 'rule:admin_required'
'identity:list_endpoints_for_project': 'rule:admin_required'
'identity:list_grants': 'rule:admin_required'
'identity:list_groups': 'rule:admin_required'
'identity:list_groups_for_user': 'rule:admin_or_owner'
'identity:list_identity_providers': 'rule:admin_required'
'identity:list_implied_roles': 'rule:admin_required'
'identity:list_mappings': 'rule:admin_required'
'identity:list_policies': 'rule:admin_required'
'identity:list_projects': 'rule:admin_required'
'identity:list_projects_associated_with_endpoint_group': 'rule:admin_required'
'identity:list_projects_for_endpoint': 'rule:admin_required'
'identity:list_projects_for_groups': ''
'identity:list_protocols': 'rule:admin_required'
'identity:list_regions': ''
'identity:list_revoke_events': ''
'identity:list_role_assignments': 'rule:admin_required'
'identity:list_role_assignments_for_tree': 'rule:admin_required'
'identity:list_role_inference_rules': 'rule:admin_required'
'identity:list_roles': 'rule:admin_required'
'identity:list_roles_for_trust': ''
'identity:list_service_providers': 'rule:admin_required'
'identity:list_services': 'rule:admin_required'
'identity:list_trusts': ''
'identity:list_user_projects': 'rule:admin_or_owner'
'identity:list_users': 'rule:admin_required'
'identity:list_users_in_group': 'rule:admin_required'
'identity:remove_endpoint_from_project': 'rule:admin_required'
'identity:remove_endpoint_group_from_project': 'rule:admin_required'
'identity:remove_user_from_group': 'rule:admin_required'
'identity:revocation_list': 'rule:service_or_admin'
'identity:revoke_grant': 'rule:admin_required'
'identity:revoke_token': 'rule:admin_or_token_subject'
'identity:update_consumer': 'rule:admin_required'
'identity:update_credential': 'rule:admin_required'
'identity:update_domain': 'rule:admin_required'
'identity:update_domain_config': 'rule:admin_required'
'identity:update_domain_role': 'rule:admin_required'
'identity:update_endpoint': 'rule:admin_required'
'identity:update_endpoint_group': 'rule:admin_required'
'identity:update_group': 'rule:admin_required'
'identity:update_identity_provider': 'rule:admin_required'
'identity:update_mapping': 'rule:admin_required'
'identity:update_policy': 'rule:admin_required'
'identity:update_project': 'rule:admin_required'
'identity:update_protocol': 'rule:admin_required'
'identity:update_region': 'rule:admin_required'
'identity:update_role': 'rule:admin_required'
'identity:update_service': 'rule:admin_required'
'identity:update_service_provider': 'rule:admin_required'
'identity:update_user': 'rule:admin_required'
'identity:validate_token': 'rule:service_admin_or_token_subject'
'identity:validate_token_head': 'rule:service_or_admin'
owner: 'user_id:%(user_id)s'
service_admin_or_token_subject: 'rule:service_or_admin or rule:token_subject'
service_or_admin: 'rule:admin_required or rule:service_role'
service_role: 'role:service'
token_subject: 'user_id:%(target.token.user_id)s'
neutron:
add_router_interface: 'rule:admin_or_owner'
admin_only: 'rule:context_is_admin'
admin_or_network_owner: 'rule:context_is_admin or tenant_id:%(network:tenant_id)s'
admin_or_owner: 'rule:context_is_admin or rule:owner'
admin_owner_or_network_owner: 'rule:owner or rule:admin_or_network_owner'
context_is_admin: 'role:admin'
context_is_advsvc: 'role:advsvc'
create_address_scope: ''
'create_address_scope:shared': 'rule:admin_only'
create_dhcp-network: 'rule:admin_only'
create_firewall: ''
'create_firewall:shared': 'rule:admin_only'
create_firewall_policy: ''
'create_firewall_policy:shared': 'rule:admin_or_owner'
create_firewall_rule: ''
create_flavor: 'rule:admin_only'
create_flavor_service_profile: 'rule:admin_only'
create_floatingip: 'rule:regular_user'
'create_floatingip:floating_ip_address': 'rule:admin_only'
create_l3-router: 'rule:admin_only'
create_lsn: 'rule:admin_only'
create_metering_label: 'rule:admin_only'
create_metering_label_rule: 'rule:admin_only'
create_network: ''
'create_network:is_default': 'rule:admin_only'
'create_network:provider:network_type': 'rule:admin_only'
'create_network:provider:physical_network': 'rule:admin_only'
'create_network:provider:segmentation_id': 'rule:admin_only'
'create_network:router:external': 'rule:admin_only'
'create_network:segments': 'rule:admin_only'
'create_network:shared': 'rule:admin_only'
create_network_profile: 'rule:admin_only'
create_policy: 'rule:admin_only'
create_policy_bandwidth_limit_rule: 'rule:admin_only'
create_policy_dscp_marking_rule: 'rule:admin_only'
create_port: ''
'create_port:allowed_address_pairs': 'rule:admin_or_network_owner'
'create_port:binding:host_id': 'rule:admin_only'
'create_port:binding:profile': 'rule:admin_only'
'create_port:device_owner': 'not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner'
'create_port:fixed_ips': 'rule:context_is_advsvc or rule:admin_or_network_owner'
'create_port:mac_address': 'rule:context_is_advsvc or rule:admin_or_network_owner'
'create_port:mac_learning_enabled': 'rule:context_is_advsvc or rule:admin_or_network_owner'
'create_port:port_security_enabled': 'rule:context_is_advsvc or rule:admin_or_network_owner'
create_qos_queue: 'rule:admin_only'
create_rbac_policy: ''
'create_rbac_policy:target_tenant': 'rule:restrict_wildcard'
create_router: 'rule:regular_user'
'create_router:distributed': 'rule:admin_only'
'create_router:external_gateway_info:enable_snat': 'rule:admin_only'
'create_router:external_gateway_info:external_fixed_ips': 'rule:admin_only'
'create_router:ha': 'rule:admin_only'
create_segment: 'rule:admin_only'
create_service_profile: 'rule:admin_only'
create_subnet: 'rule:admin_or_network_owner'
'create_subnet:segment_id': 'rule:admin_only'
create_subnetpool: ''
'create_subnetpool:is_default': 'rule:admin_only'
'create_subnetpool:shared': 'rule:admin_only'
default: 'rule:admin_or_owner'
delete_address_scope: 'rule:admin_or_owner'
delete_agent: 'rule:admin_only'
delete_dhcp-network: 'rule:admin_only'
delete_firewall: 'rule:admin_or_owner'
delete_firewall_policy: 'rule:admin_or_owner'
delete_firewall_rule: 'rule:admin_or_owner'
delete_flavor: 'rule:admin_only'
delete_flavor_service_profile: 'rule:admin_only'
delete_floatingip: 'rule:admin_or_owner'
delete_l3-router: 'rule:admin_only'
delete_metering_label: 'rule:admin_only'
delete_metering_label_rule: 'rule:admin_only'
delete_network: 'rule:admin_or_owner'
delete_network_profile: 'rule:admin_only'
delete_policy: 'rule:admin_only'
delete_policy_bandwidth_limit_rule: 'rule:admin_only'
delete_policy_dscp_marking_rule: 'rule:admin_only'
delete_port: 'rule:context_is_advsvc or rule:admin_owner_or_network_owner'
delete_rbac_policy: 'rule:admin_or_owner'
delete_router: 'rule:admin_or_owner'
delete_segment: 'rule:admin_only'
delete_service_profile: 'rule:admin_only'
delete_subnet: 'rule:admin_or_network_owner'
delete_subnetpool: 'rule:admin_or_owner'
external: 'field:networks:router:external=True'
get_address_scope: 'rule:admin_or_owner or rule:shared_address_scopes'
get_agent: 'rule:admin_only'
get_agent-loadbalancers: 'rule:admin_only'
get_auto_allocated_topology: 'rule:admin_or_owner'
get_dhcp-agents: 'rule:admin_only'
get_dhcp-networks: 'rule:admin_only'
get_firewall: 'rule:admin_or_owner'
'get_firewall:shared': 'rule:admin_only'
get_firewall_policy: 'rule:admin_or_owner or rule:shared_firewall_policies'
get_firewall_rule: 'rule:admin_or_owner or rule:shared_firewalls'
get_flavor: 'rule:regular_user'
get_flavor_service_profile: 'rule:regular_user'
get_flavors: 'rule:regular_user'
get_floatingip: 'rule:admin_or_owner'
get_l3-agents: 'rule:admin_only'
get_l3-routers: 'rule:admin_only'
get_loadbalancer-agent: 'rule:admin_only'
get_loadbalancer-hosting-agent: 'rule:admin_only'
get_loadbalancer-pools: 'rule:admin_only'
get_lsn: 'rule:admin_only'
get_metering_label: 'rule:admin_only'
get_metering_label_rule: 'rule:admin_only'
get_network: 'rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc'
'get_network:provider:network_type': 'rule:admin_only'
'get_network:provider:physical_network': 'rule:admin_only'
'get_network:provider:segmentation_id': 'rule:admin_only'
'get_network:queue_id': 'rule:admin_only'
'get_network:router:external': 'rule:regular_user'
'get_network:segments': 'rule:admin_only'
get_network_ip_availabilities: 'rule:admin_only'
get_network_ip_availability: 'rule:admin_only'
get_network_profile: ''
get_network_profiles: ''
get_policy: 'rule:regular_user'
get_policy_bandwidth_limit_rule: 'rule:regular_user'
get_policy_dscp_marking_rule: 'rule:regular_user'
get_policy_profile: ''
get_policy_profiles: ''
get_port: 'rule:context_is_advsvc or rule:admin_owner_or_network_owner'
'get_port:binding:host_id': 'rule:admin_only'
'get_port:binding:profile': 'rule:admin_only'
'get_port:binding:vif_details': 'rule:admin_only'
'get_port:binding:vif_type': 'rule:admin_only'
'get_port:queue_id': 'rule:admin_only'
get_qos_queue: 'rule:admin_only'
get_rbac_policy: 'rule:admin_or_owner'
get_router: 'rule:admin_or_owner'
'get_router:distributed': 'rule:admin_only'
'get_router:ha': 'rule:admin_only'
get_rule_type: 'rule:regular_user'
get_segment: 'rule:admin_only'
get_service_profile: 'rule:admin_only'
get_service_profiles: 'rule:admin_only'
get_service_provider: 'rule:regular_user'
get_subnet: 'rule:admin_or_owner or rule:shared'
'get_subnet:segment_id': 'rule:admin_only'
get_subnetpool: 'rule:admin_or_owner or rule:shared_subnetpools'
insert_rule: 'rule:admin_or_owner'
network_device: 'field:port:device_owner=~^network:'
owner: 'tenant_id:%(tenant_id)s'
regular_user: ''
remove_router_interface: 'rule:admin_or_owner'
remove_rule: 'rule:admin_or_owner'
restrict_wildcard: '(not field:rbac_policy:target_tenant=*) or rule:admin_only'
shared: 'field:networks:shared=True'
shared_address_scopes: 'field:address_scopes:shared=True'
shared_firewall_policies: 'field:firewall_policies:shared=True'
shared_firewalls: 'field:firewalls:shared=True'
shared_subnetpools: 'field:subnetpools:shared=True'
update_address_scope: 'rule:admin_or_owner'
'update_address_scope:shared': 'rule:admin_only'
update_agent: 'rule:admin_only'
update_firewall: 'rule:admin_or_owner'
'update_firewall:shared': 'rule:admin_only'
update_firewall_policy: 'rule:admin_or_owner'
update_firewall_rule: 'rule:admin_or_owner'
update_flavor: 'rule:admin_only'
update_floatingip: 'rule:admin_or_owner'
update_network: 'rule:admin_or_owner'
'update_network:provider:network_type': 'rule:admin_only'
'update_network:provider:physical_network': 'rule:admin_only'
'update_network:provider:segmentation_id': 'rule:admin_only'
'update_network:router:external': 'rule:admin_only'
'update_network:segments': 'rule:admin_only'
'update_network:shared': 'rule:admin_only'
update_network_profile: 'rule:admin_only'
update_policy: 'rule:admin_only'
update_policy_bandwidth_limit_rule: 'rule:admin_only'
update_policy_dscp_marking_rule: 'rule:admin_only'
update_policy_profiles: 'rule:admin_only'
update_port: 'rule:admin_or_owner or rule:context_is_advsvc'
'update_port:allowed_address_pairs': 'rule:admin_or_network_owner'
'update_port:binding:host_id': 'rule:admin_only'
'update_port:binding:profile': 'rule:admin_only'
'update_port:device_owner': 'not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner'
'update_port:fixed_ips': 'rule:context_is_advsvc or rule:admin_or_network_owner'
'update_port:mac_address': 'rule:admin_only or rule:context_is_advsvc'
'update_port:mac_learning_enabled': 'rule:context_is_advsvc or rule:admin_or_network_owner'
'update_port:port_security_enabled': 'rule:context_is_advsvc or rule:admin_or_network_owner'
update_rbac_policy: 'rule:admin_or_owner'
'update_rbac_policy:target_tenant': 'rule:restrict_wildcard and rule:admin_or_owner'
'update_router:distributed': 'rule:admin_only'
'update_router:external_gateway_info:enable_snat': 'rule:admin_only'
'update_router:external_gateway_info:external_fixed_ips': 'rule:admin_only'
'update_router:ha': 'rule:admin_only'
update_segment: 'rule:admin_only'
update_service_profile: 'rule:admin_only'
update_subnet: 'rule:admin_or_network_owner'
update_subnetpool: 'rule:admin_or_owner'
'update_subnetpool:is_default': 'rule:admin_only'
nova:
admin_api: 'is_admin:True'
admin_or_owner: 'is_admin:True or project_id:%(project_id)s'
'cells_scheduler_filter:TargetCellFilter': 'is_admin:True'
'compute:add_fixed_ip': 'rule:admin_or_owner'
'compute:attach_interface': 'rule:admin_or_owner'
'compute:attach_volume': 'rule:admin_or_owner'
'compute:backup': 'rule:admin_or_owner'
'compute:confirm_resize': 'rule:admin_or_owner'
'compute:create': 'rule:admin_or_owner'
'compute:create:attach_network': 'rule:admin_or_owner'
'compute:create:attach_volume': 'rule:admin_or_owner'
'compute:create:forced_host': 'is_admin:True'
'compute:delete': 'rule:admin_or_owner'
'compute:delete_instance_metadata': 'rule:admin_or_owner'
'compute:detach_interface': 'rule:admin_or_owner'
'compute:detach_volume': 'rule:admin_or_owner'
'compute:force_delete': 'rule:admin_or_owner'
'compute:get': 'rule:admin_or_owner'
'compute:get_all': 'rule:admin_or_owner'
'compute:get_all_instance_metadata': 'rule:admin_or_owner'
'compute:get_all_instance_system_metadata': 'rule:admin_or_owner'
'compute:get_all_tenants': 'is_admin:True'
'compute:get_console_output': 'rule:admin_or_owner'
'compute:get_diagnostics': 'rule:admin_or_owner'
'compute:get_instance_diagnostics': 'rule:admin_or_owner'
'compute:get_instance_metadata': 'rule:admin_or_owner'
'compute:get_mks_console': 'rule:admin_or_owner'
'compute:get_rdp_console': 'rule:admin_or_owner'
'compute:get_serial_console': 'rule:admin_or_owner'
'compute:get_spice_console': 'rule:admin_or_owner'
'compute:get_vnc_console': 'rule:admin_or_owner'
'compute:inject_network_info': 'rule:admin_or_owner'
'compute:lock': 'rule:admin_or_owner'
'compute:pause': 'rule:admin_or_owner'
'compute:reboot': 'rule:admin_or_owner'
'compute:rebuild': 'rule:admin_or_owner'
'compute:remove_fixed_ip': 'rule:admin_or_owner'
'compute:rescue': 'rule:admin_or_owner'
'compute:reset_network': 'rule:admin_or_owner'
'compute:resize': 'rule:admin_or_owner'
'compute:restore': 'rule:admin_or_owner'
'compute:resume': 'rule:admin_or_owner'
'compute:revert_resize': 'rule:admin_or_owner'
'compute:security_groups:add_to_instance': 'rule:admin_or_owner'
'compute:security_groups:remove_from_instance': 'rule:admin_or_owner'
'compute:set_admin_password': 'rule:admin_or_owner'
'compute:shelve': 'rule:admin_or_owner'
'compute:shelve_offload': 'rule:admin_or_owner'
'compute:snapshot': 'rule:admin_or_owner'
'compute:snapshot_volume_backed': 'rule:admin_or_owner'
'compute:soft_delete': 'rule:admin_or_owner'
'compute:start': 'rule:admin_or_owner'
'compute:stop': 'rule:admin_or_owner'
'compute:suspend': 'rule:admin_or_owner'
'compute:swap_volume': 'rule:admin_api'
'compute:unlock': 'rule:admin_or_owner'
'compute:unlock_override': 'rule:admin_api'
'compute:unpause': 'rule:admin_or_owner'
'compute:unrescue': 'rule:admin_or_owner'
'compute:unshelve': 'rule:admin_or_owner'
'compute:update': 'rule:admin_or_owner'
'compute:update_instance_metadata': 'rule:admin_or_owner'
'compute:volume_snapshot_create': 'rule:admin_or_owner'
'compute:volume_snapshot_delete': 'rule:admin_or_owner'
'compute_extension:accounts': 'rule:admin_api'
'compute_extension:admin_actions': 'rule:admin_api'
'compute_extension:admin_actions:createBackup': 'rule:admin_or_owner'
'compute_extension:admin_actions:injectNetworkInfo': 'rule:admin_api'
'compute_extension:admin_actions:lock': 'rule:admin_or_owner'
'compute_extension:admin_actions:migrate': 'rule:admin_api'
'compute_extension:admin_actions:migrateLive': 'rule:admin_api'
'compute_extension:admin_actions:pause': 'rule:admin_or_owner'
'compute_extension:admin_actions:resetNetwork': 'rule:admin_api'
'compute_extension:admin_actions:resetState': 'rule:admin_api'
'compute_extension:admin_actions:resume': 'rule:admin_or_owner'
'compute_extension:admin_actions:suspend': 'rule:admin_or_owner'
'compute_extension:admin_actions:unlock': 'rule:admin_or_owner'
'compute_extension:admin_actions:unpause': 'rule:admin_or_owner'
'compute_extension:agents': 'rule:admin_api'
'compute_extension:aggregates': 'rule:admin_api'
'compute_extension:attach_interfaces': 'rule:admin_or_owner'
'compute_extension:availability_zone:detail': 'rule:admin_api'
'compute_extension:availability_zone:list': 'rule:admin_or_owner'
'compute_extension:baremetal_nodes': 'rule:admin_api'
'compute_extension:cells': 'rule:admin_api'
'compute_extension:cells:create': 'rule:admin_api'
'compute_extension:cells:delete': 'rule:admin_api'
'compute_extension:cells:sync_instances': 'rule:admin_api'
'compute_extension:cells:update': 'rule:admin_api'
'compute_extension:certificates': 'rule:admin_or_owner'
'compute_extension:cloudpipe': 'rule:admin_api'
'compute_extension:cloudpipe_update': 'rule:admin_api'
'compute_extension:config_drive': 'rule:admin_or_owner'
'compute_extension:console_auth_tokens': 'rule:admin_api'
'compute_extension:console_output': 'rule:admin_or_owner'
'compute_extension:consoles': 'rule:admin_or_owner'
'compute_extension:createserverext': 'rule:admin_or_owner'
'compute_extension:deferred_delete': 'rule:admin_or_owner'
'compute_extension:disk_config': 'rule:admin_or_owner'
'compute_extension:evacuate': 'rule:admin_api'
'compute_extension:extended_availability_zone': 'rule:admin_or_owner'
'compute_extension:extended_ips': 'rule:admin_or_owner'
'compute_extension:extended_ips_mac': 'rule:admin_or_owner'
'compute_extension:extended_server_attributes': 'rule:admin_api'
'compute_extension:extended_status': 'rule:admin_or_owner'
'compute_extension:extended_vif_net': 'rule:admin_or_owner'
'compute_extension:extended_volumes': 'rule:admin_or_owner'
'compute_extension:fixed_ips': 'rule:admin_api'
'compute_extension:flavor_access': 'rule:admin_or_owner'
'compute_extension:flavor_access:addTenantAccess': 'rule:admin_api'
'compute_extension:flavor_access:removeTenantAccess': 'rule:admin_api'
'compute_extension:flavor_disabled': 'rule:admin_or_owner'
'compute_extension:flavor_rxtx': 'rule:admin_or_owner'
'compute_extension:flavor_swap': 'rule:admin_or_owner'
'compute_extension:flavorextradata': 'rule:admin_or_owner'
'compute_extension:flavorextraspecs:create': 'rule:admin_api'
'compute_extension:flavorextraspecs:delete': 'rule:admin_api'
'compute_extension:flavorextraspecs:index': 'rule:admin_or_owner'
'compute_extension:flavorextraspecs:show': 'rule:admin_or_owner'
'compute_extension:flavorextraspecs:update': 'rule:admin_api'
'compute_extension:flavormanage': 'rule:admin_api'
'compute_extension:floating_ip_dns': 'rule:admin_or_owner'
'compute_extension:floating_ip_pools': 'rule:admin_or_owner'
'compute_extension:floating_ips': 'rule:admin_or_owner'
'compute_extension:floating_ips_bulk': 'rule:admin_api'
'compute_extension:fping': 'rule:admin_or_owner'
'compute_extension:fping:all_tenants': 'rule:admin_api'
'compute_extension:hide_server_addresses': 'is_admin:False'
'compute_extension:hosts': 'rule:admin_api'
'compute_extension:hypervisors': 'rule:admin_api'
'compute_extension:image_size': 'rule:admin_or_owner'
'compute_extension:instance_actions': 'rule:admin_or_owner'
'compute_extension:instance_actions:events': 'rule:admin_api'
'compute_extension:instance_usage_audit_log': 'rule:admin_api'
'compute_extension:keypairs': 'rule:admin_or_owner'
'compute_extension:keypairs:create': 'rule:admin_or_owner'
'compute_extension:keypairs:delete': 'rule:admin_or_owner'
'compute_extension:keypairs:index': 'rule:admin_or_owner'
'compute_extension:keypairs:show': 'rule:admin_or_owner'
'compute_extension:migrations:index': 'rule:admin_api'
'compute_extension:multinic': 'rule:admin_or_owner'
'compute_extension:networks': 'rule:admin_api'
'compute_extension:networks:view': 'rule:admin_or_owner'
'compute_extension:networks_associate': 'rule:admin_api'
'compute_extension:os-assisted-volume-snapshots:create': 'rule:admin_api'
'compute_extension:os-assisted-volume-snapshots:delete': 'rule:admin_api'
'compute_extension:os-server-external-events:create': 'rule:admin_api'
'compute_extension:os-tenant-networks': 'rule:admin_or_owner'
'compute_extension:quota_classes': 'rule:admin_or_owner'
'compute_extension:quotas:delete': 'rule:admin_api'
'compute_extension:quotas:show': 'rule:admin_or_owner'
'compute_extension:quotas:update': 'rule:admin_api'
'compute_extension:rescue': 'rule:admin_or_owner'
'compute_extension:security_group_default_rules': 'rule:admin_api'
'compute_extension:security_groups': 'rule:admin_or_owner'
'compute_extension:server_diagnostics': 'rule:admin_api'
'compute_extension:server_groups': 'rule:admin_or_owner'
'compute_extension:server_password': 'rule:admin_or_owner'
'compute_extension:server_usage': 'rule:admin_or_owner'
'compute_extension:services': 'rule:admin_api'
'compute_extension:shelve': 'rule:admin_or_owner'
'compute_extension:shelveOffload': 'rule:admin_api'
'compute_extension:simple_tenant_usage:list': 'rule:admin_api'
'compute_extension:simple_tenant_usage:show': 'rule:admin_or_owner'
'compute_extension:unshelve': 'rule:admin_or_owner'
'compute_extension:used_limits_for_admin': 'rule:admin_api'
'compute_extension:users': 'rule:admin_api'
'compute_extension:virtual_interfaces': 'rule:admin_or_owner'
'compute_extension:virtual_storage_arrays': 'rule:admin_or_owner'
'compute_extension:volume_attachments:create': 'rule:admin_or_owner'
'compute_extension:volume_attachments:delete': 'rule:admin_or_owner'
'compute_extension:volume_attachments:index': 'rule:admin_or_owner'
'compute_extension:volume_attachments:show': 'rule:admin_or_owner'
'compute_extension:volume_attachments:update': 'rule:admin_api'
'compute_extension:volumes': 'rule:admin_or_owner'
'compute_extension:volumetypes': 'rule:admin_or_owner'
context_is_admin: 'role:admin'
default: 'rule:admin_or_owner'
'network:add_dns_entry': 'rule:admin_or_owner'
'network:add_fixed_ip_to_instance': 'rule:admin_or_owner'
'network:add_network_to_project': 'rule:admin_or_owner'
'network:allocate_floating_ip': 'rule:admin_or_owner'
'network:allocate_for_instance': 'rule:admin_or_owner'
'network:associate': 'rule:admin_or_owner'
'network:associate_floating_ip': 'rule:admin_or_owner'
'network:attach_external_network': 'rule:admin_api'
'network:create': 'rule:admin_or_owner'
'network:create_private_dns_domain': 'rule:admin_or_owner'
'network:create_public_dns_domain': 'rule:admin_or_owner'
'network:deallocate_for_instance': 'rule:admin_or_owner'
'network:delete': 'rule:admin_or_owner'
'network:delete_dns_domain': 'rule:admin_or_owner'
'network:delete_dns_entry': 'rule:admin_or_owner'
'network:disassociate': 'rule:admin_or_owner'
'network:disassociate_floating_ip': 'rule:admin_or_owner'
'network:get': 'rule:admin_or_owner'
'network:get_all': 'rule:admin_or_owner'
'network:get_backdoor_port': 'rule:admin_or_owner'
'network:get_dns_domains': 'rule:admin_or_owner'
'network:get_dns_entries_by_address': 'rule:admin_or_owner'
'network:get_dns_entries_by_name': 'rule:admin_or_owner'
'network:get_fixed_ip': 'rule:admin_or_owner'
'network:get_fixed_ip_by_address': 'rule:admin_or_owner'
'network:get_floating_ip': 'rule:admin_or_owner'
'network:get_floating_ip_by_address': 'rule:admin_or_owner'
'network:get_floating_ip_pools': 'rule:admin_or_owner'
'network:get_floating_ips_by_fixed_address': 'rule:admin_or_owner'
'network:get_floating_ips_by_project': 'rule:admin_or_owner'
'network:get_instance_id_by_floating_address': 'rule:admin_or_owner'
'network:get_instance_nw_info': 'rule:admin_or_owner'
'network:get_instance_uuids_by_ip_filter': 'rule:admin_or_owner'
'network:get_vif_by_mac_address': 'rule:admin_or_owner'
'network:get_vifs_by_instance': 'rule:admin_or_owner'
'network:migrate_instance_finish': 'rule:admin_or_owner'
'network:migrate_instance_start': 'rule:admin_or_owner'
'network:modify_dns_entry': 'rule:admin_or_owner'
'network:release_floating_ip': 'rule:admin_or_owner'
'network:remove_fixed_ip_from_instance': 'rule:admin_or_owner'
'network:setup_networks_on_host': 'rule:admin_or_owner'
'network:validate_networks': 'rule:admin_or_owner'
'os_compute_api:extension_info:discoverable': '@'
'os_compute_api:extensions': 'rule:admin_or_owner'
'os_compute_api:extensions:discoverable': '@'
'os_compute_api:flavors': 'rule:admin_or_owner'
'os_compute_api:flavors:discoverable': '@'
'os_compute_api:image-size': 'rule:admin_or_owner'
'os_compute_api:image-size:discoverable': '@'
'os_compute_api:images:discoverable': '@'
'os_compute_api:ips:discoverable': '@'
'os_compute_api:ips:index': 'rule:admin_or_owner'
'os_compute_api:ips:show': 'rule:admin_or_owner'
'os_compute_api:limits': '@'
'os_compute_api:limits:discoverable': '@'
'os_compute_api:os-access-ips': 'rule:admin_or_owner'
'os_compute_api:os-access-ips:discoverable': '@'
'os_compute_api:os-admin-actions': 'rule:admin_api'
'os_compute_api:os-admin-actions:discoverable': '@'
'os_compute_api:os-admin-actions:inject_network_info': 'rule:admin_api'
'os_compute_api:os-admin-actions:reset_network': 'rule:admin_api'
'os_compute_api:os-admin-actions:reset_state': 'rule:admin_api'
'os_compute_api:os-admin-password': 'rule:admin_or_owner'
'os_compute_api:os-admin-password:discoverable': '@'
'os_compute_api:os-agents': 'rule:admin_api'
'os_compute_api:os-agents:discoverable': '@'
'os_compute_api:os-aggregates:add_host': 'rule:admin_api'
'os_compute_api:os-aggregates:create': 'rule:admin_api'
'os_compute_api:os-aggregates:delete': 'rule:admin_api'
'os_compute_api:os-aggregates:discoverable': '@'
'os_compute_api:os-aggregates:index': 'rule:admin_api'
'os_compute_api:os-aggregates:remove_host': 'rule:admin_api'
'os_compute_api:os-aggregates:set_metadata': 'rule:admin_api'
'os_compute_api:os-aggregates:show': 'rule:admin_api'
'os_compute_api:os-aggregates:update': 'rule:admin_api'
'os_compute_api:os-assisted-volume-snapshots:create': 'rule:admin_api'
'os_compute_api:os-assisted-volume-snapshots:delete': 'rule:admin_api'
'os_compute_api:os-assisted-volume-snapshots:discoverable': '@'
'os_compute_api:os-attach-interfaces': 'rule:admin_or_owner'
'os_compute_api:os-attach-interfaces:discoverable': '@'
'os_compute_api:os-availability-zone:detail': 'rule:admin_api'
'os_compute_api:os-availability-zone:discoverable': '@'
'os_compute_api:os-availability-zone:list': '@'
'os_compute_api:os-baremetal-nodes': 'rule:admin_api'
'os_compute_api:os-baremetal-nodes:discoverable': '@'
'os_compute_api:os-block-device-mapping-v1:discoverable': '@'
'os_compute_api:os-cells': 'rule:admin_api'
'os_compute_api:os-cells:create': 'rule:admin_api'
'os_compute_api:os-cells:delete': 'rule:admin_api'
'os_compute_api:os-cells:discoverable': '@'
'os_compute_api:os-cells:sync_instances': 'rule:admin_api'
'os_compute_api:os-cells:update': 'rule:admin_api'
'os_compute_api:os-certificates:create': 'rule:admin_or_owner'
'os_compute_api:os-certificates:discoverable': '@'
'os_compute_api:os-certificates:show': 'rule:admin_or_owner'
'os_compute_api:os-cloudpipe': 'rule:admin_api'
'os_compute_api:os-cloudpipe:discoverable': '@'
'os_compute_api:os-config-drive': 'rule:admin_or_owner'
'os_compute_api:os-config-drive:discoverable': '@'
'os_compute_api:os-console-auth-tokens': 'rule:admin_api'
'os_compute_api:os-console-auth-tokens:discoverable': '@'
'os_compute_api:os-console-output': 'rule:admin_or_owner'
'os_compute_api:os-console-output:discoverable': '@'
'os_compute_api:os-consoles:create': 'rule:admin_or_owner'
'os_compute_api:os-consoles:delete': 'rule:admin_or_owner'
'os_compute_api:os-consoles:discoverable': '@'
'os_compute_api:os-consoles:index': 'rule:admin_or_owner'
'os_compute_api:os-consoles:show': 'rule:admin_or_owner'
'os_compute_api:os-create-backup': 'rule:admin_or_owner'
'os_compute_api:os-create-backup:discoverable': '@'
'os_compute_api:os-deferred-delete': 'rule:admin_or_owner'
'os_compute_api:os-deferred-delete:discoverable': '@'
'os_compute_api:os-disk-config': 'rule:admin_or_owner'
'os_compute_api:os-disk-config:discoverable': '@'
'os_compute_api:os-evacuate': 'rule:admin_api'
'os_compute_api:os-evacuate:discoverable': '@'
'os_compute_api:os-extended-availability-zone': 'rule:admin_or_owner'
'os_compute_api:os-extended-availability-zone:discoverable': '@'
'os_compute_api:os-extended-server-attributes': 'rule:admin_api'
'os_compute_api:os-extended-server-attributes:discoverable': '@'
'os_compute_api:os-extended-status': 'rule:admin_or_owner'
'os_compute_api:os-extended-status:discoverable': '@'
'os_compute_api:os-extended-volumes': 'rule:admin_or_owner'
'os_compute_api:os-extended-volumes:discoverable': '@'
'os_compute_api:os-fixed-ips': 'rule:admin_api'
'os_compute_api:os-fixed-ips:discoverable': '@'
'os_compute_api:os-flavor-access': 'rule:admin_or_owner'
'os_compute_api:os-flavor-access:add_tenant_access': 'rule:admin_api'
'os_compute_api:os-flavor-access:discoverable': '@'
'os_compute_api:os-flavor-access:remove_tenant_access': 'rule:admin_api'
'os_compute_api:os-flavor-extra-specs:create': 'rule:admin_api'
'os_compute_api:os-flavor-extra-specs:delete': 'rule:admin_api'
'os_compute_api:os-flavor-extra-specs:discoverable': '@'
'os_compute_api:os-flavor-extra-specs:index': 'rule:admin_or_owner'
'os_compute_api:os-flavor-extra-specs:show': 'rule:admin_or_owner'
'os_compute_api:os-flavor-extra-specs:update': 'rule:admin_api'
'os_compute_api:os-flavor-manage': 'rule:admin_api'
'os_compute_api:os-flavor-manage:discoverable': '@'
'os_compute_api:os-flavor-rxtx': 'rule:admin_or_owner'
'os_compute_api:os-flavor-rxtx:discoverable': '@'
'os_compute_api:os-floating-ip-dns': 'rule:admin_or_owner'
'os_compute_api:os-floating-ip-dns:discoverable': '@'
'os_compute_api:os-floating-ip-dns:domain:delete': 'rule:admin_api'
'os_compute_api:os-floating-ip-dns:domain:update': 'rule:admin_api'
'os_compute_api:os-floating-ip-pools': 'rule:admin_or_owner'
'os_compute_api:os-floating-ip-pools:discoverable': '@'
'os_compute_api:os-floating-ips': 'rule:admin_or_owner'
'os_compute_api:os-floating-ips-bulk': 'rule:admin_api'
'os_compute_api:os-floating-ips-bulk:discoverable': '@'
'os_compute_api:os-floating-ips:discoverable': '@'
'os_compute_api:os-fping': 'rule:admin_or_owner'
'os_compute_api:os-fping:all_tenants': 'rule:admin_api'
'os_compute_api:os-fping:discoverable': '@'
'os_compute_api:os-hide-server-addresses': 'is_admin:False'
'os_compute_api:os-hide-server-addresses:discoverable': '@'
'os_compute_api:os-hosts': 'rule:admin_api'
'os_compute_api:os-hosts:discoverable': '@'
'os_compute_api:os-hypervisors': 'rule:admin_api'
'os_compute_api:os-hypervisors:discoverable': '@'
'os_compute_api:os-instance-actions': 'rule:admin_or_owner'
'os_compute_api:os-instance-actions:discoverable': '@'
'os_compute_api:os-instance-actions:events': 'rule:admin_api'
'os_compute_api:os-instance-usage-audit-log': 'rule:admin_api'
'os_compute_api:os-instance-usage-audit-log:discoverable': '@'
'os_compute_api:os-keypairs': 'rule:admin_or_owner'
'os_compute_api:os-keypairs:create': 'rule:admin_api or user_id:%(user_id)s'
'os_compute_api:os-keypairs:delete': 'rule:admin_api or user_id:%(user_id)s'
'os_compute_api:os-keypairs:discoverable': '@'
'os_compute_api:os-keypairs:index': 'rule:admin_api or user_id:%(user_id)s'
'os_compute_api:os-keypairs:show': 'rule:admin_api or user_id:%(user_id)s'
'os_compute_api:os-lock-server:discoverable': '@'
'os_compute_api:os-lock-server:lock': 'rule:admin_or_owner'
'os_compute_api:os-lock-server:unlock': 'rule:admin_or_owner'
'os_compute_api:os-lock-server:unlock:unlock_override': 'rule:admin_api'
'os_compute_api:os-migrate-server:discoverable': '@'
'os_compute_api:os-migrate-server:migrate': 'rule:admin_api'
'os_compute_api:os-migrate-server:migrate_live': 'rule:admin_api'
'os_compute_api:os-migrations:discoverable': '@'
'os_compute_api:os-migrations:index': 'rule:admin_api'
'os_compute_api:os-multinic': 'rule:admin_or_owner'
'os_compute_api:os-multinic:discoverable': '@'
'os_compute_api:os-networks': 'rule:admin_api'
'os_compute_api:os-networks-associate': 'rule:admin_api'
'os_compute_api:os-networks-associate:discoverable': '@'
'os_compute_api:os-networks:discoverable': '@'
'os_compute_api:os-networks:view': 'rule:admin_or_owner'
'os_compute_api:os-pause-server:discoverable': '@'
'os_compute_api:os-pause-server:pause': 'rule:admin_or_owner'
'os_compute_api:os-pause-server:unpause': 'rule:admin_or_owner'
'os_compute_api:os-pci:detail': 'rule:admin_api'
'os_compute_api:os-pci:discoverable': '@'
'os_compute_api:os-pci:index': 'rule:admin_api'
'os_compute_api:os-pci:pci_servers': 'rule:admin_or_owner'
'os_compute_api:os-pci:show': 'rule:admin_api'
'os_compute_api:os-personality:discoverable': '@'
'os_compute_api:os-preserve-ephemeral-rebuild:discoverable': '@'
'os_compute_api:os-quota-class-sets:discoverable': '@'
'os_compute_api:os-quota-class-sets:show': 'is_admin:True or quota_class:%(quota_class)s'
'os_compute_api:os-quota-class-sets:update': 'rule:admin_api'
'os_compute_api:os-quota-sets:defaults': '@'
'os_compute_api:os-quota-sets:delete': 'rule:admin_api'
'os_compute_api:os-quota-sets:detail': 'rule:admin_api'
'os_compute_api:os-quota-sets:discoverable': '@'
'os_compute_api:os-quota-sets:show': 'rule:admin_or_owner'
'os_compute_api:os-quota-sets:update': 'rule:admin_api'
'os_compute_api:os-remote-consoles': 'rule:admin_or_owner'
'os_compute_api:os-remote-consoles:discoverable': '@'
'os_compute_api:os-rescue': 'rule:admin_or_owner'
'os_compute_api:os-rescue:discoverable': '@'
'os_compute_api:os-scheduler-hints:discoverable': '@'
'os_compute_api:os-security-group-default-rules': 'rule:admin_api'
'os_compute_api:os-security-group-default-rules:discoverable': '@'
'os_compute_api:os-security-groups': 'rule:admin_or_owner'
'os_compute_api:os-security-groups:discoverable': '@'
'os_compute_api:os-server-diagnostics': 'rule:admin_api'
'os_compute_api:os-server-diagnostics:discoverable': '@'
'os_compute_api:os-server-external-events:create': 'rule:admin_api'
'os_compute_api:os-server-external-events:discoverable': '@'
'os_compute_api:os-server-groups': 'rule:admin_or_owner'
'os_compute_api:os-server-groups:discoverable': '@'
'os_compute_api:os-server-password': 'rule:admin_or_owner'
'os_compute_api:os-server-password:discoverable': '@'
'os_compute_api:os-server-tags:delete': '@'
'os_compute_api:os-server-tags:delete_all': '@'
'os_compute_api:os-server-tags:index': '@'
'os_compute_api:os-server-tags:show': '@'
'os_compute_api:os-server-tags:update': '@'
'os_compute_api:os-server-tags:update_all': '@'
'os_compute_api:os-server-usage': 'rule:admin_or_owner'
'os_compute_api:os-server-usage:discoverable': '@'
'os_compute_api:os-services': 'rule:admin_api'
'os_compute_api:os-services:discoverable': '@'
'os_compute_api:os-shelve:shelve': 'rule:admin_or_owner'
'os_compute_api:os-shelve:shelve:discoverable': '@'
'os_compute_api:os-shelve:shelve_offload': 'rule:admin_api'
'os_compute_api:os-shelve:unshelve': 'rule:admin_or_owner'
'os_compute_api:os-simple-tenant-usage:discoverable': '@'
'os_compute_api:os-simple-tenant-usage:list': 'rule:admin_api'
'os_compute_api:os-simple-tenant-usage:show': 'rule:admin_or_owner'
'os_compute_api:os-suspend-server:discoverable': '@'
'os_compute_api:os-suspend-server:resume': 'rule:admin_or_owner'
'os_compute_api:os-suspend-server:suspend': 'rule:admin_or_owner'
'os_compute_api:os-tenant-networks': 'rule:admin_or_owner'
'os_compute_api:os-tenant-networks:discoverable': '@'
'os_compute_api:os-used-limits': 'rule:admin_api'
'os_compute_api:os-used-limits:discoverable': '@'
'os_compute_api:os-user-data:discoverable': '@'
'os_compute_api:os-virtual-interfaces': 'rule:admin_or_owner'
'os_compute_api:os-virtual-interfaces:discoverable': '@'
'os_compute_api:os-volumes': 'rule:admin_or_owner'
'os_compute_api:os-volumes-attachments:create': 'rule:admin_or_owner'
'os_compute_api:os-volumes-attachments:delete': 'rule:admin_or_owner'
'os_compute_api:os-volumes-attachments:discoverable': '@'
'os_compute_api:os-volumes-attachments:index': 'rule:admin_or_owner'
'os_compute_api:os-volumes-attachments:show': 'rule:admin_or_owner'
'os_compute_api:os-volumes-attachments:update': 'rule:admin_api'
'os_compute_api:os-volumes:discoverable': '@'
'os_compute_api:server-metadata:create': 'rule:admin_or_owner'
'os_compute_api:server-metadata:delete': 'rule:admin_or_owner'
'os_compute_api:server-metadata:discoverable': '@'
'os_compute_api:server-metadata:index': 'rule:admin_or_owner'
'os_compute_api:server-metadata:show': 'rule:admin_or_owner'
'os_compute_api:server-metadata:update': 'rule:admin_or_owner'
'os_compute_api:server-metadata:update_all': 'rule:admin_or_owner'
'os_compute_api:servers:confirm_resize': 'rule:admin_or_owner'
'os_compute_api:servers:create': 'rule:admin_or_owner'
'os_compute_api:servers:create:attach_network': 'rule:admin_or_owner'
'os_compute_api:servers:create:attach_volume': 'rule:admin_or_owner'
'os_compute_api:servers:create:forced_host': 'rule:admin_api'
'os_compute_api:servers:create_image': 'rule:admin_or_owner'
'os_compute_api:servers:create_image:allow_volume_backed': 'rule:admin_or_owner'
'os_compute_api:servers:delete': 'rule:admin_or_owner'
'os_compute_api:servers:detail': 'rule:admin_or_owner'
'os_compute_api:servers:detail:get_all_tenants': 'is_admin:True'
'os_compute_api:servers:discoverable': '@'
'os_compute_api:servers:index': 'rule:admin_or_owner'
'os_compute_api:servers:index:get_all_tenants': 'is_admin:True'
'os_compute_api:servers:migrations:delete': 'rule:admin_api'
'os_compute_api:servers:migrations:force_complete': 'rule:admin_api'
'os_compute_api:servers:migrations:index': 'rule:admin_api'
'os_compute_api:servers:migrations:show': 'rule:admin_api'
'os_compute_api:servers:reboot': 'rule:admin_or_owner'
'os_compute_api:servers:rebuild': 'rule:admin_or_owner'
'os_compute_api:servers:resize': 'rule:admin_or_owner'
'os_compute_api:servers:revert_resize': 'rule:admin_or_owner'
'os_compute_api:servers:show': 'rule:admin_or_owner'
'os_compute_api:servers:show:host_status': 'rule:admin_api'
'os_compute_api:servers:start': 'rule:admin_or_owner'
'os_compute_api:servers:stop': 'rule:admin_or_owner'
'os_compute_api:servers:trigger_crash_dump': 'rule:admin_or_owner'
'os_compute_api:servers:update': 'rule:admin_or_owner'
# list of panels to enable for horizon
# this requires that the panels are already installed in the horizon image, if they are not
# nothing will be added
# the name of the panel should be the name of the dir where the panel is installed
# for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard
extra_panels:
- heat_dashboard
- neutron_taas_dashboard
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- horizon-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
dashboard:
jobs:
- horizon-db-sync
services:
- endpoint: internal
service: oslo_cache
- endpoint: internal
service: oslo_db
- endpoint: internal
service: identity
db_drop:
services:
- endpoint: internal
service: oslo_db
db_init:
services:
- endpoint: internal
service: oslo_db
db_sync:
jobs:
- horizon-db-init
services:
- endpoint: internal
service: oslo_db
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
tests:
services:
- endpoint: internal
service: dashboard
pod:
security_context:
horizon:
pod:
runAsUser: 42424
container:
horizon:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
runAsUser: 0
db_sync:
pod:
runAsUser: 42424
container:
horizon_db_sync:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
runAsUser: 0
test:
pod:
runAsUser: 42424
container:
horizon_test:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
horizon_db_init:
init_container: null
horizon_db_init:
volumeMounts:
volumes:
horizon_db_sync:
init_container: null
horizon_db_sync:
volumeMounts:
volumes:
horizon:
init_container: null
horizon:
volumeMounts:
volumes:
horizon_tests:
init_container: null
horizon_tests:
volumeMounts:
volumes:
replicas:
server: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
horizon:
min_available: 0
termination_grace_period:
horizon:
timeout: 30
resources:
enabled: false
server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_drop:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
# Names of secrets used by bootstrap and environmental checks
secrets:
identity:
admin: horizon-keystone-admin
oslo_db:
admin: horizon-db-admin
horizon: horizon-db-user
tls:
dashboard:
dashboard:
public: horizon-tls-public
internal: horizon-tls-web
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
identity:
name: keystone
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
oslo_cache:
hosts:
default: memcached
host_fqdn_override:
default: null
port:
memcache:
default: 11211
dashboard:
name: horizon
hosts:
default: horizon-int
public: horizon
host_fqdn_override:
default: null
# NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
default: http
port:
web:
default: 80
oslo_db:
auth:
admin:
username: root
password: password
secret:
tls:
internal: mariadb-tls-direct
horizon:
username: horizon
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /horizon
scheme: mysql+pymysql
port:
mysql:
default: 3306
# NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
# They are using to enable the Egress K8s network policy.
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns:
default: 53
protocol: UDP
ingress:
namespace: null
name: ingress
hosts:
default: ingress
port:
ingress:
default: 80
network_policy:
horizon:
ingress:
- {}
egress:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment: true
ingress_api: true
job_db_init: true
job_db_sync: true
job_db_drop: false
job_image_repo_sync: true
pdb: true
pod_helm_test: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true
service_ingress: true
service: true
...
View Git Blame Copy Permalink