Merge "Implement project personas in custom cinder policy file"

Zuul 2021-10-12 01:12:54 +00:00 committed by Gerrit Code Review
commit 36d706d80d
1 changed files with 87 additions and 102 deletions


@ -1955,36 +1955,36 @@ parameter_defaults:
cinder-admin_api:
key: "admin_api"
value: "is_admin:True or (role:admin and is_admin_project:True)"
cinder-xena_system_admin_or_project_reader:
key: "xena_system_admin_or_project_reader"
value: "(role:admin) or (role:reader and project_id:%(project_id)s)"
cinder-xena_system_admin_or_project_member:
key: "xena_system_admin_or_project_member"
value: "(role:admin) or (role:member and project_id:%(project_id)s)"
cinder-system_admin_or_project_member:
key: "system_admin_or_project_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
cinder-system_admin_or_project_reader:
key: "system_admin_or_project_reader"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
cinder-volume_attachment_create:
key: "volume:attachment_create"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_update:
key: "volume:attachment_update"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_delete:
key: "volume:attachment_delete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_complete:
key: "volume:attachment_complete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_multiattach_bootable_volume:
key: "volume:multiattach_bootable_volume"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-message_get_all:
key: "message:get_all"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-message_get:
key: "message:get"
value: "rule:message:get_all"
value: "rule:system_admin_or_project_reader"
cinder-message_delete:
key: "message:delete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-clusters_get_all:
key: "clusters:get_all"
value: "rule:admin_api"
@ -1999,37 +1999,37 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_get_snapshot_metadata:
key: "volume:get_snapshot_metadata"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_update_snapshot_metadata:
key: "volume:update_snapshot_metadata"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_snapshot_metadata:
key: "volume:delete_snapshot_metadata"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get_all_snapshots:
key: "volume:get_all_snapshots"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_extended_snapshot_attributes:
key: "volume_extension:extended_snapshot_attributes"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_snapshot:
key: "volume:create_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get_snapshot:
key: "volume:get_snapshot"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_update_snapshot:
key: "volume:update_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_snapshot:
key: "volume:delete_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_reset_status:
key: "volume_extension:snapshot_admin_actions:reset_status"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
key: "snapshot_extension:snapshot_actions:update_snapshot_status"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_force_delete:
key: "volume_extension:snapshot_admin_actions:force_delete"
value: "rule:admin_api"
@ -2044,25 +2044,25 @@ parameter_defaults:
value: "rule:admin_api"
cinder-backup_get_all:
key: "backup:get_all"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-backup_backup_project_attribute:
key: "backup:backup_project_attribute"
value: "rule:admin_api"
cinder-backup_create:
key: "backup:create"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-backup_get:
key: "backup:get"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-backup_update:
key: "backup:update"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-backup_delete:
key: "backup:delete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-backup_restore:
key: "backup:restore"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-backup_backup-import:
key: "backup:backup-import"
value: "rule:admin_api"
@ -2077,25 +2077,22 @@ parameter_defaults:
value: "rule:admin_api"
cinder-group_get_all:
key: "group:get_all"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-group_create:
key: "group:create"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_get:
key: "group:get"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-group_update:
key: "group:update"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_group_project_attribute:
key: "group:group_project_attribute"
value: "rule:admin_api"
cinder-group_group_types_create:
key: "group:group_types:create"
value: "rule:admin_api"
cinder-group_group_types_manage:
key: "group:group_types_manage"
value: "rule:group:group_types:create"
cinder-group_group_types_update:
key: "group:group_types:update"
value: "rule:admin_api"
@ -2108,9 +2105,6 @@ parameter_defaults:
cinder-group_group_types_specs_get:
key: "group:group_types_specs:get"
value: "rule:admin_api"
cinder-group_group_types_specs:
key: "group:group_types_specs"
value: "rule:group:group_types_specs:get"
cinder-group_group_types_specs_get_all:
key: "group:group_types_specs:get_all"
value: "rule:admin_api"
@ -2125,19 +2119,19 @@ parameter_defaults:
value: "rule:admin_api"
cinder-group_get_all_group_snapshots:
key: "group:get_all_group_snapshots"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-group_create_group_snapshot:
key: "group:create_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_get_group_snapshot:
key: "group:get_group_snapshot"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-group_delete_group_snapshot:
key: "group:delete_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_update_group_snapshot:
key: "group:update_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_group_snapshot_project_attribute:
key: "group:group_snapshot_project_attribute"
value: "rule:admin_api"
@ -2146,22 +2140,22 @@ parameter_defaults:
value: "rule:admin_api"
cinder-group_delete:
key: "group:delete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_reset_status:
key: "group:reset_status"
value: "rule:admin_api"
cinder-group_enable_replication:
key: "group:enable_replication"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_disable_replication:
key: "group:disable_replication"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_failover_replication:
key: "group:failover_replication"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-group_list_replication_targets:
key: "group:list_replication_targets"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_qos_specs_manage_get_all:
key: "volume_extension:qos_specs_manage:get_all"
value: "rule:admin_api"
@ -2180,15 +2174,12 @@ parameter_defaults:
cinder-volume_extension_quota_classes_get:
key: "volume_extension:quota_classes:get"
value: "rule:admin_api"
cinder-volume_extension_quota_classes:
key: "volume_extension:quota_classes"
value: "rule:volume_extension:quota_classes:get"
cinder-volume_extension_quota_classes_update:
key: "volume_extension:quota_classes:update"
value: "rule:admin_api"
cinder-volume_extension_quotas_show:
key: "volume_extension:quotas:show"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_quotas_update:
key: "volume_extension:quotas:update"
value: "rule:admin_api"
@ -2221,7 +2212,7 @@ parameter_defaults:
value: "rule:admin_api"
cinder-limits_extension_used_limits:
key: "limits_extension:used_limits"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_list_manageable:
key: "volume_extension:list_manageable"
value: "rule:admin_api"
@ -2234,9 +2225,6 @@ parameter_defaults:
cinder-volume_extension_type_create:
key: "volume_extension:type_create"
value: "rule:admin_api"
cinder-volume_extension_types_manage:
key: "volume_extension:types_manage"
value: "rule:volume_extension:type_create"
cinder-volume_extension_type_update:
key: "volume_extension:type_update"
value: "rule:admin_api"
@ -2245,13 +2233,13 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extension_type_get:
key: "volume_extension:type_get"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_type_get_all:
key: "volume_extension:type_get_all"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_access_types_extra_specs:
key: "volume_extension:access_types_extra_specs"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_access_types_qos_specs_id:
key: "volume_extension:access_types_qos_specs_id"
value: "rule:admin_api"
@ -2272,7 +2260,7 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extension_volume_type_access:
key: "volume_extension:volume_type_access"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_type_access_addProjectAccess:
key: "volume_extension:volume_type_access:addProjectAccess"
value: "rule:admin_api"
@ -2284,22 +2272,22 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extend:
key: "volume:extend"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extend_attached_volume:
key: "volume:extend_attached_volume"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_revert_to_snapshot:
key: "volume:revert_to_snapshot"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_reset_status:
key: "volume_extension:volume_admin_actions:reset_status"
value: "rule:admin_api"
cinder-volume_retype:
key: "volume:retype"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_update_readonly_flag:
key: "volume:update_readonly_flag"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_delete:
key: "volume_extension:volume_admin_actions:force_delete"
value: "rule:admin_api"
@ -2308,7 +2296,7 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extension_volume_actions_upload_image:
key: "volume_extension:volume_actions:upload_image"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_detach:
key: "volume_extension:volume_admin_actions:force_detach"
value: "rule:admin_api"
@ -2320,79 +2308,76 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extension_volume_actions_initialize_connection:
key: "volume_extension:volume_actions:initialize_connection"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_terminate_connection:
key: "volume_extension:volume_actions:terminate_connection"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_roll_detaching:
key: "volume_extension:volume_actions:roll_detaching"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_reserve:
key: "volume_extension:volume_actions:reserve"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_unreserve:
key: "volume_extension:volume_actions:unreserve"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_begin_detaching:
key: "volume_extension:volume_actions:begin_detaching"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_attach:
key: "volume_extension:volume_actions:attach"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_detach:
key: "volume_extension:volume_actions:detach"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get_all_transfers:
key: "volume:get_all_transfers"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_transfer:
key: "volume:create_transfer"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get_transfer:
key: "volume:get_transfer"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_accept_transfer:
key: "volume:accept_transfer"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_transfer:
key: "volume:delete_transfer"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get_volume_metadata:
key: "volume:get_volume_metadata"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_volume_metadata:
key: "volume:create_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_update_volume_metadata:
key: "volume:update_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_volume_metadata:
key: "volume:delete_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_show:
key: "volume_extension:volume_image_metadata:show"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_volume_image_metadata:
key: "volume_extension:volume_image_metadata"
value: "rule:volume_extension:volume_image_metadata:show"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_volume_image_metadata_set:
key: "volume_extension:volume_image_metadata:set"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_remove:
key: "volume_extension:volume_image_metadata:remove"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_update_volume_admin_metadata:
key: "volume:update_volume_admin_metadata"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_index:
key: "volume_extension:types_extra_specs:index"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_create:
key: "volume_extension:types_extra_specs:create"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_show:
key: "volume_extension:types_extra_specs:show"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_read_sensitive:
key: "volume_extension:types_extra_specs:read_sensitive"
value: "rule:admin_api"
@ -2404,22 +2389,22 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_create:
key: "volume:create"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_create_from_image:
key: "volume:create_from_image"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_get:
key: "volume:get"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_get_all:
key: "volume:get_all"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_update:
key: "volume:update"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_delete:
key: "volume:delete"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_force_delete:
key: "volume:force_delete"
value: "rule:admin_api"
@ -2428,16 +2413,16 @@ parameter_defaults:
value: "rule:admin_api"
cinder-volume_extension_volume_tenant_attribute:
key: "volume_extension:volume_tenant_attribute"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_volume_mig_status_attribute:
key: "volume_extension:volume_mig_status_attribute"
value: "rule:admin_api"
cinder-volume_extension_volume_encryption_metadata:
key: "volume_extension:volume_encryption_metadata"
value: "rule:xena_system_admin_or_project_reader"
value: "rule:system_admin_or_project_reader"
cinder-volume_multiattach:
key: "volume:multiattach"
value: "rule:xena_system_admin_or_project_member"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_default_set_or_update:
key: "volume_extension:default_set_or_update"
value: "rule:admin_api"
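Review bot: The two new base rules in the first hunk, `system_admin_or_project_member` and `system_admin_or_project_reader`, accept a bare `role:admin` with no project or `is_admin_project` qualifier, while `admin_api` directly above them requires `is_admin:True or (role:admin and is_admin_project:True)`. Every rule in the later hunks that now delegates to them (for example `volume:delete`, `backup:restore`, `volume:accept_transfer`) is therefore satisfied by an admin role assignment on any project, which looks broader than the admin check used elsewhere in this file. If that is not intended, reuse the stricter check, `value: "rule:admin_api or (role:member and project_id:%(project_id)s)"`, and the same with `role:reader` for the reader rule. If it is deliberate (it may mirror the service's own defaults, which are not visible here), record that in a comment above the two definitions, e.g. `# role:admin is intentionally not limited to the admin project`. The enclosing `parameter_defaults` mapping starts outside these hunks.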