openstack
/
placement
Code Issues Proposed changes
placement/placement/policies/base.py

51 lines
2.1 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_ADMIN_API = 'rule:admin_api'
# NOTE(lbragstad): We might consider converting these generic checks into
# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the
# approach in oslo.policy and consume a new version. Until we have that done,
# let's continue using generic check strings.
SYSTEM_ADMIN = 'role:admin and system_scope:all'
SYSTEM_READER = 'role:reader and system_scope:all'
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
PROJECT_READER_OR_SYSTEM_READER = f'({SYSTEM_READER}) or ({PROJECT_READER})'
rules = [
# "placement" is the default rule (action) used for all routes that do
# not yet have granular policy rules. It is used in
# PlacementHandler.__call__ and can be dropped once all routes have
# granular policy handling.
policy.RuleDefault(
"placement",
"role:admin",
description="This rule is used for all routes that do not yet "
"have granular policy rules. It will be replaced "
"with rule:admin_api.",
deprecated_for_removal=True,
deprecated_reason="This was a catch-all rule hard-coded into "
"the placement service and has been superseded by "
"granular policy rules per operation.",
deprecated_since="18.0.0"),
policy.RuleDefault(
"admin_api",
"role:admin",
description="Default rule for most placement APIs.",
scope_types=['system']),
]
def list_rules():
return rules
View Git Blame Copy Permalink