Implement project personas in custom octavia policy file
This change updates the default octavia policies to implement consistent support for project personas (project-admin, project-member, and project-reader) with other OpenStack services. The project-admin is still considered a system administrator. This behavior will change in future releases when more OpenStack services adopt system scope. At that time, we can go back to using the default octavia policies or update them to use system scope. Change-Id: I768fc10144a634ea6058b7b48a1862be9d70da79
parent
c9635bf92e
commit
43a685e4bc
@ -3802,291 +3802,27 @@ parameter_defaults:
|
|||||||
key: "share_access_metadata:delete"
|
key: "share_access_metadata:delete"
|
||||||
value: "(rule:system-admin) or (rule:project-member)"
|
value: "(rule:system-admin) or (rule:project-member)"
|
||||||
OctaviaApiPolicies:
|
OctaviaApiPolicies:
|
||||||
octavia-system-admin:
|
|
||||||
key: "system-admin"
|
|
||||||
value: "role:admin and system_scope:all"
|
|
||||||
octavia-system-reader:
|
|
||||||
key: "system-reader"
|
|
||||||
value: "role:reader and system_scope:all"
|
|
||||||
octavia-project-member:
|
|
||||||
key: "project-member"
|
|
||||||
value: "role:member and project_id:%(project_id)s"
|
|
||||||
octavia-project-reader:
|
|
||||||
key: "project-reader"
|
|
||||||
value: "role:reader and project_id:%(project_id)s"
|
|
||||||
octavia-context_is_admin:
|
|
||||||
key: "context_is_admin"
|
|
||||||
value: "role:load-balancer_admin or rule:system-admin"
|
|
||||||
octavia-load-balancer_owner:
|
|
||||||
key: "load-balancer:owner"
|
|
||||||
value: "project_id:%(project_id)s"
|
|
||||||
octavia-load-balancer_observer_and_owner:
|
|
||||||
key: "load-balancer:observer_and_owner"
|
|
||||||
value: "role:load-balancer_observer and rule:project-reader"
|
|
||||||
octavia-load-balancer_global_observer:
|
|
||||||
key: "load-balancer:global_observer"
|
|
||||||
value: "role:load-balancer_global_observer or rule:system-reader"
|
|
||||||
octavia-load-balancer_member_and_owner:
|
|
||||||
key: "load-balancer:member_and_owner"
|
|
||||||
value: "role:load-balancer_member and rule:project-member"
|
|
||||||
octavia-load-balancer_admin:
|
octavia-load-balancer_admin:
|
||||||
key: "load-balancer:admin"
|
key: "load-balancer:admin"
|
||||||
value: "is_admin:True or role:load-balancer_admin or rule:system-admin"
|
value: "role:admin"
|
||||||
octavia-load-balancer_read:
|
octavia-load-balancer_read:
|
||||||
key: "load-balancer:read"
|
key: "load-balancer:read"
|
||||||
value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
|
value: "role:admin or rule:project-reader"
|
||||||
octavia-load-balancer_read-global:
|
octavia-load-balancer_read-global:
|
||||||
key: "load-balancer:read-global"
|
key: "load-balancer:read-global"
|
||||||
value: "rule:load-balancer:global_observer or rule:load-balancer:admin"
|
value: "role:admin"
|
||||||
octavia-load-balancer_write:
|
octavia-load-balancer_write:
|
||||||
key: "load-balancer:write"
|
key: "load-balancer:write"
|
||||||
value: "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
|
value: "role:admin or rule:project-member"
|
||||||
octavia-load-balancer_read-quota:
|
octavia-load-balancer_read-quota:
|
||||||
key: "load-balancer:read-quota"
|
key: "load-balancer:read-quota"
|
||||||
value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
|
value: "role:admin or rule:project-reader"
|
||||||
octavia-load-balancer_read-quota-global:
|
octavia-load-balancer_read-quota-global:
|
||||||
key: "load-balancer:read-quota-global"
|
key: "load-balancer:read-quota-global"
|
||||||
value: "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
|
value: "role:admin"
|
||||||
octavia-load-balancer_write-quota:
|
octavia-load-balancer_write-quota:
|
||||||
key: "load-balancer:write-quota"
|
key: "load-balancer:write-quota"
|
||||||
value: "role:load-balancer_quota_admin or rule:load-balancer:admin"
|
value: "role:admin"
|
||||||
octavia-os_load-balancer_api_flavor_get_all:
|
|
||||||
key: "os_load-balancer_api:flavor:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_flavor_post:
|
|
||||||
key: "os_load-balancer_api:flavor:post"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor_put:
|
|
||||||
key: "os_load-balancer_api:flavor:put"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor_get_one:
|
|
||||||
key: "os_load-balancer_api:flavor:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_flavor_delete:
|
|
||||||
key: "os_load-balancer_api:flavor:delete"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor-profile_get_all:
|
|
||||||
key: "os_load-balancer_api:flavor-profile:get_all"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor-profile_post:
|
|
||||||
key: "os_load-balancer_api:flavor-profile:post"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor-profile_put:
|
|
||||||
key: "os_load-balancer_api:flavor-profile:put"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor-profile_get_one:
|
|
||||||
key: "os_load-balancer_api:flavor-profile:get_one"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_flavor-profile_delete:
|
|
||||||
key: "os_load-balancer_api:flavor-profile:delete"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone_get_all:
|
|
||||||
key: "os_load-balancer_api:availability-zone:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_availability-zone_post:
|
|
||||||
key: "os_load-balancer_api:availability-zone:post"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone_put:
|
|
||||||
key: "os_load-balancer_api:availability-zone:put"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone_get_one:
|
|
||||||
key: "os_load-balancer_api:availability-zone:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_availability-zone_delete:
|
|
||||||
key: "os_load-balancer_api:availability-zone:delete"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone-profile_get_all:
|
|
||||||
key: "os_load-balancer_api:availability-zone-profile:get_all"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone-profile_post:
|
|
||||||
key: "os_load-balancer_api:availability-zone-profile:post"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone-profile_put:
|
|
||||||
key: "os_load-balancer_api:availability-zone-profile:put"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone-profile_get_one:
|
|
||||||
key: "os_load-balancer_api:availability-zone-profile:get_one"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_availability-zone-profile_delete:
|
|
||||||
key: "os_load-balancer_api:availability-zone-profile:delete"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_get_all:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_get_all-global:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-global"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_post:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_get_one:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_put:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_healthmonitor_delete:
|
|
||||||
key: "os_load-balancer_api:healthmonitor:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7policy_get_all:
|
|
||||||
key: "os_load-balancer_api:l7policy:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_l7policy_get_all-global:
|
|
||||||
key: "os_load-balancer_api:l7policy:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-global"
|
|
||||||
octavia-os_load-balancer_api_l7policy_post:
|
|
||||||
key: "os_load-balancer_api:l7policy:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7policy_get_one:
|
|
||||||
key: "os_load-balancer_api:l7policy:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_l7policy_put:
|
|
||||||
key: "os_load-balancer_api:l7policy:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7policy_delete:
|
|
||||||
key: "os_load-balancer_api:l7policy:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7rule_get_all:
|
|
||||||
key: "os_load-balancer_api:l7rule:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_l7rule_post:
|
|
||||||
key: "os_load-balancer_api:l7rule:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7rule_get_one:
|
|
||||||
key: "os_load-balancer_api:l7rule:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_l7rule_put:
|
|
||||||
key: "os_load-balancer_api:l7rule:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_l7rule_delete:
|
|
||||||
key: "os_load-balancer_api:l7rule:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_listener_get_all:
|
|
||||||
key: "os_load-balancer_api:listener:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_listener_get_all-global:
|
|
||||||
key: "os_load-balancer_api:listener:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-global"
|
|
||||||
octavia-os_load-balancer_api_listener_post:
|
|
||||||
key: "os_load-balancer_api:listener:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_listener_get_one:
|
|
||||||
key: "os_load-balancer_api:listener:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_listener_put:
|
|
||||||
key: "os_load-balancer_api:listener:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_listener_delete:
|
|
||||||
key: "os_load-balancer_api:listener:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_listener_get_stats:
|
|
||||||
key: "os_load-balancer_api:listener:get_stats"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_get_all:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_get_all-global:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-global"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_post:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_get_one:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_put:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_delete:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_get_stats:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:get_stats"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_get_status:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:get_status"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_loadbalancer_put_failover:
|
|
||||||
key: "os_load-balancer_api:loadbalancer:put_failover"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_member_get_all:
|
|
||||||
key: "os_load-balancer_api:member:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_member_post:
|
|
||||||
key: "os_load-balancer_api:member:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_member_get_one:
|
|
||||||
key: "os_load-balancer_api:member:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_member_put:
|
|
||||||
key: "os_load-balancer_api:member:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_member_delete:
|
|
||||||
key: "os_load-balancer_api:member:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_pool_get_all:
|
|
||||||
key: "os_load-balancer_api:pool:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_pool_get_all-global:
|
|
||||||
key: "os_load-balancer_api:pool:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-global"
|
|
||||||
octavia-os_load-balancer_api_pool_post:
|
|
||||||
key: "os_load-balancer_api:pool:post"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_pool_get_one:
|
|
||||||
key: "os_load-balancer_api:pool:get_one"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_pool_put:
|
|
||||||
key: "os_load-balancer_api:pool:put"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_pool_delete:
|
|
||||||
key: "os_load-balancer_api:pool:delete"
|
|
||||||
value: "rule:load-balancer:write"
|
|
||||||
octavia-os_load-balancer_api_provider_get_all:
|
|
||||||
key: "os_load-balancer_api:provider:get_all"
|
|
||||||
value: "rule:load-balancer:read"
|
|
||||||
octavia-os_load-balancer_api_quota_get_all:
|
|
||||||
key: "os_load-balancer_api:quota:get_all"
|
|
||||||
value: "rule:load-balancer:read-quota"
|
|
||||||
octavia-os_load-balancer_api_quota_get_all-global:
|
|
||||||
key: "os_load-balancer_api:quota:get_all-global"
|
|
||||||
value: "rule:load-balancer:read-quota-global"
|
|
||||||
octavia-os_load-balancer_api_quota_get_one:
|
|
||||||
key: "os_load-balancer_api:quota:get_one"
|
|
||||||
value: "rule:load-balancer:read-quota"
|
|
||||||
octavia-os_load-balancer_api_quota_put:
|
|
||||||
key: "os_load-balancer_api:quota:put"
|
|
||||||
value: "rule:load-balancer:write-quota"
|
|
||||||
octavia-os_load-balancer_api_quota_delete:
|
|
||||||
key: "os_load-balancer_api:quota:delete"
|
|
||||||
value: "rule:load-balancer:write-quota"
|
|
||||||
octavia-os_load-balancer_api_quota_get_defaults:
|
|
||||||
key: "os_load-balancer_api:quota:get_defaults"
|
|
||||||
value: "rule:load-balancer:read-quota"
|
|
||||||
octavia-os_load-balancer_api_amphora_get_all:
|
|
||||||
key: "os_load-balancer_api:amphora:get_all"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_amphora_get_one:
|
|
||||||
key: "os_load-balancer_api:amphora:get_one"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_amphora_delete:
|
|
||||||
key: "os_load-balancer_api:amphora:delete"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_amphora_put_config:
|
|
||||||
key: "os_load-balancer_api:amphora:put_config"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_amphora_put_failover:
|
|
||||||
key: "os_load-balancer_api:amphora:put_failover"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_amphora_get_stats:
|
|
||||||
key: "os_load-balancer_api:amphora:get_stats"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_provider-flavor_get_all:
|
|
||||||
key: "os_load-balancer_api:provider-flavor:get_all"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
octavia-os_load-balancer_api_provider-availability-zone_get_all:
|
|
||||||
key: "os_load-balancer_api:provider-availability-zone:get_all"
|
|
||||||
value: "rule:load-balancer:admin"
|
|
||||||
IronicApiPolicies:
|
IronicApiPolicies:
|
||||||
ironic-admin_api:
|
ironic-admin_api:
|
||||||
key: "admin_api"
|
key: "admin_api"
|
||||||
|
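Review bot: The new values for `load-balancer:read`, `load-balancer:write` and `load-balancer:read-quota` still reference `rule:project-reader` and `rule:project-member`, but this hunk deletes the file's own `octavia-project-member` and `octavia-project-reader` definitions without adding replacements, so those checks now depend on the rules being supplied by Octavia's in-code policy defaults rather than by this file. As far as I recall oslo.policy evaluates a reference to an undefined rule as a failed check, so on an Octavia release that does not ship those defaults every non-admin request would be denied (fail-closed, not an escalation, but an outage); a comment such as `# project-member / project-reader are expected from Octavia's in-code defaults, not defined here` next to `OctaviaApiPolicies:` would make that dependency explicit. Separately, `load-balancer:admin`, `read-global`, `read-quota-global` and `write-quota` collapse to a bare `role:admin` with no `system_scope:all` or `project_id:%(project_id)s` qualifier, so a user holding `admin` on any single project can read, fail over and delete load balancers and amphorae and edit quotas across every project; the description acknowledges this as intentional for now, but the legacy Octavia roles the old rules accepted (`load-balancer_admin`, `load-balancer_global_observer`, `load-balancer_quota_admin`, `load-balancer_observer`, `load-balancer_member`) are dropped silently, so users granted only those roles lose access and this deserves an upgrade note.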