diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
new file mode 100644
index 0000000000..efdcb0ba23
--- /dev/null
+++ b/environments/enable-secure-rbac.yaml
@@ -0,0 +1,4403 @@ +parameter_defaults: + EnforceSecureRbac: false + NovaApiPolicies: + nova-context_is_admin: + key: "context_is_admin" + value: "role:admin" + nova-admin_or_owner: + key: "admin_or_owner" + value: "is_admin:True or project_id:%(project_id)s" + nova-admin_api: + key: "admin_api" + value: "is_admin:True" + nova-system_admin_api: + key: "system_admin_api" + value: "role:admin and system_scope:all" + nova-rule_admin_api: + key: "rule:admin_api" + value: "rule:system_admin_api" + nova-system_reader_api: + key: "system_reader_api" + value: "role:reader and system_scope:all" + nova-project_admin_api: + key: "project_admin_api" + value: "role:admin and project_id:%(project_id)s" + nova-project_member_api: + key: "project_member_api" + value: "role:member and project_id:%(project_id)s" + nova-rule_admin_or_owner: + key: "rule:admin_or_owner" + value: "rule:project_member_api" + nova-project_reader_api: + key: "project_reader_api" + value: "role:reader and project_id:%(project_id)s" + nova-system_admin_or_owner: + key: "system_admin_or_owner" + value: "rule:system_admin_api or rule:project_member_api" + nova-system_or_project_reader: + key: "system_or_project_reader" + value: "rule:system_reader_api or rule:project_reader_api" + nova-os_compute_api_os-admin-actions_reset_state: + key: "os_compute_api:os-admin-actions:reset_state" + value: "rule:system_admin_api" + nova-os_compute_api_os-admin-actions_inject_network_info: + key: "os_compute_api:os-admin-actions:inject_network_info" + value: "rule:system_admin_api" + nova-os_compute_api_os-admin-password: + key: "os_compute_api:os-admin-password" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-aggregates_set_metadata: + key: "os_compute_api:os-aggregates:set_metadata" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_add_host: + key: "os_compute_api:os-aggregates:add_host" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_create: + key: 
"os_compute_api:os-aggregates:create" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_remove_host: + key: "os_compute_api:os-aggregates:remove_host" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_update: + key: "os_compute_api:os-aggregates:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_index: + key: "os_compute_api:os-aggregates:index" + value: "rule:system_reader_api" + nova-os_compute_api_os-aggregates_delete: + key: "os_compute_api:os-aggregates:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-aggregates_show: + key: "os_compute_api:os-aggregates:show" + value: "rule:system_reader_api" + nova-compute_aggregates_images: + key: "compute:aggregates:images" + value: "rule:system_admin_api" + nova-os_compute_api_os-assisted-volume-snapshots_create: + key: "os_compute_api:os-assisted-volume-snapshots:create" + value: "rule:system_admin_api" + nova-os_compute_api_os-assisted-volume-snapshots_delete: + key: "os_compute_api:os-assisted-volume-snapshots:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-attach-interfaces_list: + key: "os_compute_api:os-attach-interfaces:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-attach-interfaces: + key: "os_compute_api:os-attach-interfaces" + value: "rule:os_compute_api:os-attach-interfaces:list" + nova-os_compute_api_os-attach-interfaces_show: + key: "os_compute_api:os-attach-interfaces:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-attach-interfaces_create: + key: "os_compute_api:os-attach-interfaces:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-attach-interfaces_delete: + key: "os_compute_api:os-attach-interfaces:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-availability-zone_list: + key: "os_compute_api:os-availability-zone:list" + value: "@" + nova-os_compute_api_os-availability-zone_detail: + key: 
"os_compute_api:os-availability-zone:detail" + value: "rule:system_reader_api" + nova-os_compute_api_os-baremetal-nodes_list: + key: "os_compute_api:os-baremetal-nodes:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-baremetal-nodes: + key: "os_compute_api:os-baremetal-nodes" + value: "rule:os_compute_api:os-baremetal-nodes:list" + nova-os_compute_api_os-baremetal-nodes_show: + key: "os_compute_api:os-baremetal-nodes:show" + value: "rule:system_reader_api" + nova-os_compute_api_os-console-auth-tokens: + key: "os_compute_api:os-console-auth-tokens" + value: "rule:system_reader_api" + nova-os_compute_api_os-console-output: + key: "os_compute_api:os-console-output" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-create-backup: + key: "os_compute_api:os-create-backup" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-deferred-delete_restore: + key: "os_compute_api:os-deferred-delete:restore" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-deferred-delete: + key: "os_compute_api:os-deferred-delete" + value: "rule:os_compute_api:os-deferred-delete:restore" + nova-os_compute_api_os-deferred-delete_force: + key: "os_compute_api:os-deferred-delete:force" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-evacuate: + key: "os_compute_api:os-evacuate" + value: "rule:system_admin_api" + nova-os_compute_api_os-extended-server-attributes: + key: "os_compute_api:os-extended-server-attributes" + value: "rule:system_admin_api" + nova-os_compute_api_extensions: + key: "os_compute_api:extensions" + value: "@" + nova-os_compute_api_os-flavor-access_add_tenant_access: + key: "os_compute_api:os-flavor-access:add_tenant_access" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-access_remove_tenant_access: + key: "os_compute_api:os-flavor-access:remove_tenant_access" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-access: + key: "os_compute_api:os-flavor-access" + value: 
"rule:system_reader_api" + nova-os_compute_api_os-flavor-extra-specs_show: + key: "os_compute_api:os-flavor-extra-specs:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-flavor-extra-specs_create: + key: "os_compute_api:os-flavor-extra-specs:create" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-extra-specs_update: + key: "os_compute_api:os-flavor-extra-specs:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-extra-specs_delete: + key: "os_compute_api:os-flavor-extra-specs:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-extra-specs_index: + key: "os_compute_api:os-flavor-extra-specs:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-flavor-manage_create: + key: "os_compute_api:os-flavor-manage:create" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-manage_update: + key: "os_compute_api:os-flavor-manage:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-flavor-manage_delete: + key: "os_compute_api:os-flavor-manage:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-floating-ip-pools: + key: "os_compute_api:os-floating-ip-pools" + value: "@" + nova-os_compute_api_os-floating-ips_add: + key: "os_compute_api:os-floating-ips:add" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-floating-ips: + key: "os_compute_api:os-floating-ips" + value: "rule:os_compute_api:os-floating-ips:add" + nova-os_compute_api_os-floating-ips_remove: + key: "os_compute_api:os-floating-ips:remove" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-floating-ips_list: + key: "os_compute_api:os-floating-ips:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-floating-ips_create: + key: "os_compute_api:os-floating-ips:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-floating-ips_show: + key: "os_compute_api:os-floating-ips:show" + value: "rule:system_or_project_reader" + 
nova-os_compute_api_os-floating-ips_delete: + key: "os_compute_api:os-floating-ips:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-hosts_list: + key: "os_compute_api:os-hosts:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-hosts: + key: "os_compute_api:os-hosts" + value: "rule:os_compute_api:os-hosts:list" + nova-os_compute_api_os-hosts_show: + key: "os_compute_api:os-hosts:show" + value: "rule:system_reader_api" + nova-os_compute_api_os-hosts_update: + key: "os_compute_api:os-hosts:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-hosts_reboot: + key: "os_compute_api:os-hosts:reboot" + value: "rule:system_admin_api" + nova-os_compute_api_os-hosts_shutdown: + key: "os_compute_api:os-hosts:shutdown" + value: "rule:system_admin_api" + nova-os_compute_api_os-hosts_start: + key: "os_compute_api:os-hosts:start" + value: "rule:system_admin_api" + nova-os_compute_api_os-hypervisors_list: + key: "os_compute_api:os-hypervisors:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors: + key: "os_compute_api:os-hypervisors" + value: "rule:os_compute_api:os-hypervisors:list" + nova-os_compute_api_os-hypervisors_list-detail: + key: "os_compute_api:os-hypervisors:list-detail" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors_statistics: + key: "os_compute_api:os-hypervisors:statistics" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors_show: + key: "os_compute_api:os-hypervisors:show" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors_uptime: + key: "os_compute_api:os-hypervisors:uptime" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors_search: + key: "os_compute_api:os-hypervisors:search" + value: "rule:system_reader_api" + nova-os_compute_api_os-hypervisors_servers: + key: "os_compute_api:os-hypervisors:servers" + value: "rule:system_reader_api" + nova-os_compute_api_os-instance-actions_events_details: + key: 
"os_compute_api:os-instance-actions:events:details" + value: "rule:system_reader_api" + nova-os_compute_api_os-instance-actions_events: + key: "os_compute_api:os-instance-actions:events" + value: "rule:system_reader_api" + nova-os_compute_api_os-instance-actions_list: + key: "os_compute_api:os-instance-actions:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-instance-actions: + key: "os_compute_api:os-instance-actions" + value: "rule:os_compute_api:os-instance-actions:list" + nova-os_compute_api_os-instance-actions_show: + key: "os_compute_api:os-instance-actions:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-instance-usage-audit-log_list: + key: "os_compute_api:os-instance-usage-audit-log:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-instance-usage-audit-log: + key: "os_compute_api:os-instance-usage-audit-log" + value: "rule:os_compute_api:os-instance-usage-audit-log:list" + nova-os_compute_api_os-instance-usage-audit-log_show: + key: "os_compute_api:os-instance-usage-audit-log:show" + value: "rule:system_reader_api" + nova-os_compute_api_ips_show: + key: "os_compute_api:ips:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_ips_index: + key: "os_compute_api:ips:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-keypairs_index: + key: "os_compute_api:os-keypairs:index" + value: "(rule:system_reader_api) or user_id:%(user_id)s" + nova-os_compute_api_os-keypairs_create: + key: "os_compute_api:os-keypairs:create" + value: "(rule:system_admin_api) or user_id:%(user_id)s" + nova-os_compute_api_os-keypairs_delete: + key: "os_compute_api:os-keypairs:delete" + value: "(rule:system_admin_api) or user_id:%(user_id)s" + nova-os_compute_api_os-keypairs_show: + key: "os_compute_api:os-keypairs:show" + value: "(rule:system_reader_api) or user_id:%(user_id)s" + nova-os_compute_api_limits: + key: "os_compute_api:limits" + value: "@" + 
nova-os_compute_api_limits_other_project: + key: "os_compute_api:limits:other_project" + value: "rule:system_reader_api" + nova-os_compute_api_os-used-limits: + key: "os_compute_api:os-used-limits" + value: "rule:os_compute_api:limits:other_project" + nova-os_compute_api_os-lock-server_lock: + key: "os_compute_api:os-lock-server:lock" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-lock-server_unlock: + key: "os_compute_api:os-lock-server:unlock" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-lock-server_unlock_unlock_override: + key: "os_compute_api:os-lock-server:unlock:unlock_override" + value: "rule:system_admin_api" + nova-os_compute_api_os-migrate-server_migrate: + key: "os_compute_api:os-migrate-server:migrate" + value: "rule:system_admin_api" + nova-os_compute_api_os-migrate-server_migrate_live: + key: "os_compute_api:os-migrate-server:migrate_live" + value: "rule:system_admin_api" + nova-os_compute_api_os-migrations_index: + key: "os_compute_api:os-migrations:index" + value: "rule:system_reader_api" + nova-os_compute_api_os-multinic_add: + key: "os_compute_api:os-multinic:add" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-multinic: + key: "os_compute_api:os-multinic" + value: "rule:os_compute_api:os-multinic:add" + nova-os_compute_api_os-multinic_remove: + key: "os_compute_api:os-multinic:remove" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-networks_list: + key: "os_compute_api:os-networks:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-networks_view: + key: "os_compute_api:os-networks:view" + value: "rule:os_compute_api:os-networks:list" + nova-os_compute_api_os-networks_show: + key: "os_compute_api:os-networks:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-pause-server_pause: + key: "os_compute_api:os-pause-server:pause" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-pause-server_unpause: + key: 
"os_compute_api:os-pause-server:unpause" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-quota-class-sets_show: + key: "os_compute_api:os-quota-class-sets:show" + value: "rule:system_reader_api" + nova-os_compute_api_os-quota-class-sets_update: + key: "os_compute_api:os-quota-class-sets:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-quota-sets_update: + key: "os_compute_api:os-quota-sets:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-quota-sets_defaults: + key: "os_compute_api:os-quota-sets:defaults" + value: "@" + nova-os_compute_api_os-quota-sets_show: + key: "os_compute_api:os-quota-sets:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-quota-sets_delete: + key: "os_compute_api:os-quota-sets:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-quota-sets_detail: + key: "os_compute_api:os-quota-sets:detail" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-remote-consoles: + key: "os_compute_api:os-remote-consoles" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-rescue: + key: "os_compute_api:os-rescue" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-unrescue: + key: "os_compute_api:os-unrescue" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_get: + key: "os_compute_api:os-security-groups:get" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-security-groups: + key: "os_compute_api:os-security-groups" + value: "rule:os_compute_api:os-security-groups:get" + nova-os_compute_api_os-security-groups_show: + key: "os_compute_api:os-security-groups:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-security-groups_create: + key: "os_compute_api:os-security-groups:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_update: + key: "os_compute_api:os-security-groups:update" + value: "rule:system_admin_or_owner" + 
nova-os_compute_api_os-security-groups_delete: + key: "os_compute_api:os-security-groups:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_rule_create: + key: "os_compute_api:os-security-groups:rule:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_rule_delete: + key: "os_compute_api:os-security-groups:rule:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_list: + key: "os_compute_api:os-security-groups:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-security-groups_add: + key: "os_compute_api:os-security-groups:add" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-security-groups_remove: + key: "os_compute_api:os-security-groups:remove" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-diagnostics: + key: "os_compute_api:os-server-diagnostics" + value: "rule:system_admin_api" + nova-os_compute_api_os-server-external-events_create: + key: "os_compute_api:os-server-external-events:create" + value: "rule:system_admin_api" + nova-os_compute_api_os-server-groups_create: + key: "os_compute_api:os-server-groups:create" + value: "rule:project_member_api" + nova-os_compute_api_os-server-groups_delete: + key: "os_compute_api:os-server-groups:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-groups_index: + key: "os_compute_api:os-server-groups:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-server-groups_index_all_projects: + key: "os_compute_api:os-server-groups:index:all_projects" + value: "rule:system_reader_api" + nova-os_compute_api_os-server-groups_show: + key: "os_compute_api:os-server-groups:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_server-metadata_index: + key: "os_compute_api:server-metadata:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_server-metadata_show: + key: 
"os_compute_api:server-metadata:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_server-metadata_create: + key: "os_compute_api:server-metadata:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_server-metadata_update_all: + key: "os_compute_api:server-metadata:update_all" + value: "rule:system_admin_or_owner" + nova-os_compute_api_server-metadata_update: + key: "os_compute_api:server-metadata:update" + value: "rule:system_admin_or_owner" + nova-os_compute_api_server-metadata_delete: + key: "os_compute_api:server-metadata:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-password_show: + key: "os_compute_api:os-server-password:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-server-password: + key: "os_compute_api:os-server-password" + value: "rule:os_compute_api:os-server-password:show" + nova-os_compute_api_os-server-password_clear: + key: "os_compute_api:os-server-password:clear" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-tags_delete_all: + key: "os_compute_api:os-server-tags:delete_all" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-tags_index: + key: "os_compute_api:os-server-tags:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-server-tags_update_all: + key: "os_compute_api:os-server-tags:update_all" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-tags_delete: + key: "os_compute_api:os-server-tags:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-tags_update: + key: "os_compute_api:os-server-tags:update" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-server-tags_show: + key: "os_compute_api:os-server-tags:show" + value: "rule:system_or_project_reader" + nova-compute_server_topology_index: + key: "compute:server:topology:index" + value: "rule:system_or_project_reader" + nova-compute_server_topology_host_index: + key: 
"compute:server:topology:host:index" + value: "rule:system_reader_api" + nova-os_compute_api_servers_index: + key: "os_compute_api:servers:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_servers_detail: + key: "os_compute_api:servers:detail" + value: "rule:system_or_project_reader" + nova-os_compute_api_servers_index_get_all_tenants: + key: "os_compute_api:servers:index:get_all_tenants" + value: "rule:system_reader_api" + nova-os_compute_api_servers_detail_get_all_tenants: + key: "os_compute_api:servers:detail:get_all_tenants" + value: "rule:system_reader_api" + nova-os_compute_api_servers_allow_all_filters: + key: "os_compute_api:servers:allow_all_filters" + value: "rule:system_reader_api" + nova-os_compute_api_servers_show: + key: "os_compute_api:servers:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_servers_show_host_status: + key: "os_compute_api:servers:show:host_status" + value: "rule:system_admin_api" + nova-os_compute_api_servers_show_host_status_unknown-only: + key: "os_compute_api:servers:show:host_status:unknown-only" + value: "rule:system_admin_api" + nova-os_compute_api_servers_create: + key: "os_compute_api:servers:create" + value: "rule:project_member_api" + nova-os_compute_api_servers_create_forced_host: + key: "os_compute_api:servers:create:forced_host" + value: "rule:project_admin_api" + nova-compute_servers_create_requested_destination: + key: "compute:servers:create:requested_destination" + value: "rule:project_admin_api" + nova-os_compute_api_servers_create_attach_volume: + key: "os_compute_api:servers:create:attach_volume" + value: "rule:project_member_api" + nova-os_compute_api_servers_create_attach_network: + key: "os_compute_api:servers:create:attach_network" + value: "rule:project_member_api" + nova-os_compute_api_servers_create_trusted_certs: + key: "os_compute_api:servers:create:trusted_certs" + value: "rule:project_member_api" + nova-os_compute_api_servers_create_zero_disk_flavor: + key: 
"os_compute_api:servers:create:zero_disk_flavor" + value: "rule:project_admin_api" + nova-network_attach_external_network: + key: "network:attach_external_network" + value: "rule:project_admin_api" + nova-os_compute_api_servers_delete: + key: "os_compute_api:servers:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_update: + key: "os_compute_api:servers:update" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_confirm_resize: + key: "os_compute_api:servers:confirm_resize" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_revert_resize: + key: "os_compute_api:servers:revert_resize" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_reboot: + key: "os_compute_api:servers:reboot" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_resize: + key: "os_compute_api:servers:resize" + value: "rule:system_admin_or_owner" + nova-compute_servers_resize_cross_cell: + key: "compute:servers:resize:cross_cell" + value: "!" 
+ nova-os_compute_api_servers_rebuild: + key: "os_compute_api:servers:rebuild" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_rebuild_trusted_certs: + key: "os_compute_api:servers:rebuild:trusted_certs" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_create_image: + key: "os_compute_api:servers:create_image" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_create_image_allow_volume_backed: + key: "os_compute_api:servers:create_image:allow_volume_backed" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_start: + key: "os_compute_api:servers:start" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_stop: + key: "os_compute_api:servers:stop" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_trigger_crash_dump: + key: "os_compute_api:servers:trigger_crash_dump" + value: "rule:system_admin_or_owner" + nova-os_compute_api_servers_migrations_show: + key: "os_compute_api:servers:migrations:show" + value: "rule:system_reader_api" + nova-os_compute_api_servers_migrations_force_complete: + key: "os_compute_api:servers:migrations:force_complete" + value: "rule:system_admin_api" + nova-os_compute_api_servers_migrations_delete: + key: "os_compute_api:servers:migrations:delete" + value: "rule:system_admin_api" + nova-os_compute_api_servers_migrations_index: + key: "os_compute_api:servers:migrations:index" + value: "rule:system_reader_api" + nova-os_compute_api_os-services_list: + key: "os_compute_api:os-services:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-services: + key: "os_compute_api:os-services" + value: "rule:os_compute_api:os-services:list" + nova-os_compute_api_os-services_update: + key: "os_compute_api:os-services:update" + value: "rule:system_admin_api" + nova-os_compute_api_os-services_delete: + key: "os_compute_api:os-services:delete" + value: "rule:system_admin_api" + nova-os_compute_api_os-shelve_shelve: + key: 
"os_compute_api:os-shelve:shelve" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-shelve_unshelve: + key: "os_compute_api:os-shelve:unshelve" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-shelve_shelve_offload: + key: "os_compute_api:os-shelve:shelve_offload" + value: "rule:system_admin_api" + nova-os_compute_api_os-simple-tenant-usage_show: + key: "os_compute_api:os-simple-tenant-usage:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-simple-tenant-usage_list: + key: "os_compute_api:os-simple-tenant-usage:list" + value: "rule:system_reader_api" + nova-os_compute_api_os-suspend-server_resume: + key: "os_compute_api:os-suspend-server:resume" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-suspend-server_suspend: + key: "os_compute_api:os-suspend-server:suspend" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-tenant-networks_list: + key: "os_compute_api:os-tenant-networks:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-tenant-networks: + key: "os_compute_api:os-tenant-networks" + value: "rule:os_compute_api:os-tenant-networks:list" + nova-os_compute_api_os-tenant-networks_show: + key: "os_compute_api:os-tenant-networks:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_list: + key: "os_compute_api:os-volumes:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes: + key: "os_compute_api:os-volumes" + value: "rule:os_compute_api:os-volumes:list" + nova-os_compute_api_os-volumes_create: + key: "os_compute_api:os-volumes:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-volumes_detail: + key: "os_compute_api:os-volumes:detail" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_show: + key: "os_compute_api:os-volumes:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_delete: + key: "os_compute_api:os-volumes:delete" + value: 
"rule:system_admin_or_owner" + nova-os_compute_api_os-volumes_snapshots_list: + key: "os_compute_api:os-volumes:snapshots:list" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_snapshots_create: + key: "os_compute_api:os-volumes:snapshots:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-volumes_snapshots_detail: + key: "os_compute_api:os-volumes:snapshots:detail" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_snapshots_show: + key: "os_compute_api:os-volumes:snapshots:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes_snapshots_delete: + key: "os_compute_api:os-volumes:snapshots:delete" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-volumes-attachments_index: + key: "os_compute_api:os-volumes-attachments:index" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes-attachments_create: + key: "os_compute_api:os-volumes-attachments:create" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-volumes-attachments_show: + key: "os_compute_api:os-volumes-attachments:show" + value: "rule:system_or_project_reader" + nova-os_compute_api_os-volumes-attachments_update: + key: "os_compute_api:os-volumes-attachments:update" + value: "rule:system_admin_or_owner" + nova-os_compute_api_os-volumes-attachments_swap: + key: "os_compute_api:os-volumes-attachments:swap" + value: "rule:system_admin_api" + nova-os_compute_api_os-volumes-attachments_delete: + key: "os_compute_api:os-volumes-attachments:delete" + value: "rule:system_admin_or_owner" + PlacementPolicies: + placement-admin_api: + key: "admin_api" + value: "role:admin" + placement-system_admin_api: + key: "system_admin_api" + value: "role:admin and system_scope:all" + placement-rule_admin_api: + key: "rule:admin_api" + value: "rule:system_admin_api" + placement-system_reader_api: + key: "system_reader_api" + value: "role:reader and system_scope:all" + placement-project_reader_api: 
+ key: "project_reader_api" + value: "role:reader and project_id:%(project_id)s" + placement-system_or_project_reader: + key: "system_or_project_reader" + value: "rule:system_reader_api or rule:project_reader_api" + placement-placement_resource_providers_list: + key: "placement:resource_providers:list" + value: "rule:system_reader_api" + placement-placement_resource_providers_create: + key: "placement:resource_providers:create" + value: "rule:system_admin_api" + placement-placement_resource_providers_show: + key: "placement:resource_providers:show" + value: "rule:system_reader_api" + placement-placement_resource_providers_update: + key: "placement:resource_providers:update" + value: "rule:system_admin_api" + placement-placement_resource_providers_delete: + key: "placement:resource_providers:delete" + value: "rule:system_admin_api" + placement-placement_resource_classes_list: + key: "placement:resource_classes:list" + value: "rule:system_reader_api" + placement-placement_resource_classes_create: + key: "placement:resource_classes:create" + value: "rule:system_admin_api" + placement-placement_resource_classes_show: + key: "placement:resource_classes:show" + value: "rule:system_reader_api" + placement-placement_resource_classes_update: + key: "placement:resource_classes:update" + value: "rule:system_admin_api" + placement-placement_resource_classes_delete: + key: "placement:resource_classes:delete" + value: "rule:system_admin_api" + placement-placement_resource_providers_inventories_list: + key: "placement:resource_providers:inventories:list" + value: "rule:system_reader_api" + placement-placement_resource_providers_inventories_create: + key: "placement:resource_providers:inventories:create" + value: "rule:system_admin_api" + placement-placement_resource_providers_inventories_show: + key: "placement:resource_providers:inventories:show" + value: "rule:system_reader_api" + placement-placement_resource_providers_inventories_update: + key: 
"placement:resource_providers:inventories:update" + value: "rule:system_admin_api" + placement-placement_resource_providers_inventories_delete: + key: "placement:resource_providers:inventories:delete" + value: "rule:system_admin_api" + placement-placement_resource_providers_aggregates_list: + key: "placement:resource_providers:aggregates:list" + value: "rule:system_reader_api" + placement-placement_resource_providers_aggregates_update: + key: "placement:resource_providers:aggregates:update" + value: "rule:system_admin_api" + placement-placement_resource_providers_usages: + key: "placement:resource_providers:usages" + value: "rule:system_reader_api" + placement-placement_usages: + key: "placement:usages" + value: "rule:system_or_project_reader" + placement-placement_traits_list: + key: "placement:traits:list" + value: "rule:system_reader_api" + placement-placement_traits_show: + key: "placement:traits:show" + value: "rule:system_reader_api" + placement-placement_traits_update: + key: "placement:traits:update" + value: "rule:system_admin_api" + placement-placement_traits_delete: + key: "placement:traits:delete" + value: "rule:system_admin_api" + placement-placement_resource_providers_traits_list: + key: "placement:resource_providers:traits:list" + value: "rule:system_reader_api" + placement-placement_resource_providers_traits_update: + key: "placement:resource_providers:traits:update" + value: "rule:system_admin_api" + placement-placement_resource_providers_traits_delete: + key: "placement:resource_providers:traits:delete" + value: "rule:system_admin_api" + placement-placement_allocations_manage: + key: "placement:allocations:manage" + value: "rule:system_admin_api" + placement-placement_allocations_list: + key: "placement:allocations:list" + value: "rule:system_reader_api" + placement-placement_allocations_update: + key: "placement:allocations:update" + value: "rule:system_admin_api" + placement-placement_allocations_delete: + key: "placement:allocations:delete" + 
value: "rule:system_admin_api" + placement-placement_resource_providers_allocations_list: + key: "placement:resource_providers:allocations:list" + value: "rule:system_reader_api" + placement-placement_allocation_candidates_list: + key: "placement:allocation_candidates:list" + value: "rule:system_reader_api" + placement-placement_reshaper_reshape: + key: "placement:reshaper:reshape" + value: "rule:system_admin_api" + NeutronApiPolicies: + neutron-context_is_admin: + key: "context_is_admin" + value: "role:admin" + neutron-owner: + key: "owner" + value: "tenant_id:%(tenant_id)s" + neutron-admin_or_owner: + key: "admin_or_owner" + value: "rule:context_is_admin or rule:owner" + neutron-context_is_advsvc: + key: "context_is_advsvc" + value: "role:advsvc" + neutron-admin_or_network_owner: + key: "admin_or_network_owner" + value: "rule:context_is_admin or tenant_id:%(network:tenant_id)s" + neutron-admin_owner_or_network_owner: + key: "admin_owner_or_network_owner" + value: "rule:owner or rule:admin_or_network_owner" + neutron-network_owner: + key: "network_owner" + value: "tenant_id:%(network:tenant_id)s" + neutron-admin_only: + key: "admin_only" + value: "rule:context_is_admin" + neutron-regular_user: + key: "regular_user" + value: "" + neutron-shared: + key: "shared" + value: "field:networks:shared=True" + neutron-default: + key: "default" + value: "rule:admin_or_owner" + neutron-admin_or_ext_parent_owner: + key: "admin_or_ext_parent_owner" + value: "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s" + neutron-ext_parent_owner: + key: "ext_parent_owner" + value: "tenant_id:%(ext_parent:tenant_id)s" + neutron-sg_owner: + key: "sg_owner" + value: "tenant_id:%(security_group:tenant_id)s" + neutron-shared_address_groups: + key: "shared_address_groups" + value: "field:address_groups:shared=True" + neutron-get_address_group: + key: "get_address_group" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or 
rule:shared_address_groups" + neutron-shared_address_scopes: + key: "shared_address_scopes" + value: "field:address_scopes:shared=True" + neutron-create_address_scope: + key: "create_address_scope" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_address_scope_shared: + key: "create_address_scope:shared" + value: "role:admin and system_scope:all" + neutron-get_address_scope: + key: "get_address_scope" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes" + neutron-update_address_scope: + key: "update_address_scope" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_address_scope_shared: + key: "update_address_scope:shared" + value: "role:admin and system_scope:all" + neutron-delete_address_scope: + key: "delete_address_scope" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_agent: + key: "get_agent" + value: "role:reader and system_scope:all" + neutron-update_agent: + key: "update_agent" + value: "role:admin and system_scope:all" + neutron-delete_agent: + key: "delete_agent" + value: "role:admin and system_scope:all" + neutron-create_dhcp-network: + key: "create_dhcp-network" + value: "role:admin and system_scope:all" + neutron-get_dhcp-networks: + key: "get_dhcp-networks" + value: "role:reader and system_scope:all" + neutron-delete_dhcp-network: + key: "delete_dhcp-network" + value: "role:admin and system_scope:all" + neutron-create_l3-router: + key: "create_l3-router" + value: "role:admin and system_scope:all" + neutron-get_l3-routers: + key: "get_l3-routers" + value: "role:reader and system_scope:all" + neutron-delete_l3-router: + key: "delete_l3-router" + value: "role:admin and system_scope:all" + neutron-get_dhcp-agents: + key: "get_dhcp-agents" + value: "role:reader and system_scope:all" + neutron-get_l3-agents: + key: 
"get_l3-agents" + value: "role:reader and system_scope:all" + neutron-get_auto_allocated_topology: + key: "get_auto_allocated_topology" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-delete_auto_allocated_topology: + key: "delete_auto_allocated_topology" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_availability_zone: + key: "get_availability_zone" + value: "role:reader and system_scope:all" + neutron-create_flavor: + key: "create_flavor" + value: "role:admin and system_scope:all" + neutron-get_flavor: + key: "get_flavor" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-update_flavor: + key: "update_flavor" + value: "role:admin and system_scope:all" + neutron-delete_flavor: + key: "delete_flavor" + value: "role:admin and system_scope:all" + neutron-create_service_profile: + key: "create_service_profile" + value: "role:admin and system_scope:all" + neutron-get_service_profile: + key: "get_service_profile" + value: "role:reader and system_scope:all" + neutron-update_service_profile: + key: "update_service_profile" + value: "role:admin and system_scope:all" + neutron-delete_service_profile: + key: "delete_service_profile" + value: "role:admin and system_scope:all" + neutron-get_flavor_service_profile: + key: "get_flavor_service_profile" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-create_flavor_service_profile: + key: "create_flavor_service_profile" + value: "role:admin and system_scope:all" + neutron-delete_flavor_service_profile: + key: "delete_flavor_service_profile" + value: "role:admin and system_scope:all" + neutron-create_floatingip: + key: "create_floatingip" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_floatingip_floating_ip_address: + key: 
"create_floatingip:floating_ip_address" + value: "role:admin and system_scope:all" + neutron-get_floatingip: + key: "get_floatingip" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-update_floatingip: + key: "update_floatingip" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-delete_floatingip: + key: "delete_floatingip" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_floatingip_pool: + key: "get_floatingip_pool" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-create_floatingip_port_forwarding: + key: "create_floatingip_port_forwarding" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-get_floatingip_port_forwarding: + key: "get_floatingip_port_forwarding" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-update_floatingip_port_forwarding: + key: "update_floatingip_port_forwarding" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-delete_floatingip_port_forwarding: + key: "delete_floatingip_port_forwarding" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-create_router_conntrack_helper: + key: "create_router_conntrack_helper" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-get_router_conntrack_helper: + key: "get_router_conntrack_helper" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-update_router_conntrack_helper: + key: "update_router_conntrack_helper" + value: "(role:admin and 
system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-delete_router_conntrack_helper: + key: "delete_router_conntrack_helper" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" + neutron-get_loggable_resource: + key: "get_loggable_resource" + value: "role:reader and system_scope:all" + neutron-create_log: + key: "create_log" + value: "role:admin and system_scope:all" + neutron-get_log: + key: "get_log" + value: "role:reader and system_scope:all" + neutron-update_log: + key: "update_log" + value: "role:admin and system_scope:all" + neutron-delete_log: + key: "delete_log" + value: "role:admin and system_scope:all" + neutron-create_metering_label: + key: "create_metering_label" + value: "role:admin and system_scope:all" + neutron-get_metering_label: + key: "get_metering_label" + value: "role:reader and system_scope:all" + neutron-delete_metering_label: + key: "delete_metering_label" + value: "role:admin and system_scope:all" + neutron-create_metering_label_rule: + key: "create_metering_label_rule" + value: "role:admin and system_scope:all" + neutron-get_metering_label_rule: + key: "get_metering_label_rule" + value: "role:reader and system_scope:all" + neutron-delete_metering_label_rule: + key: "delete_metering_label_rule" + value: "role:admin and system_scope:all" + neutron-external: + key: "external" + value: "field:networks:router:external=True" + neutron-create_network: + key: "create_network" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_network_shared: + key: "create_network:shared" + value: "role:admin and system_scope:all" + neutron-create_network_router_external: + key: "create_network:router:external" + value: "role:admin and system_scope:all" + neutron-create_network_is_default: + key: "create_network:is_default" + value: "role:admin and system_scope:all" + 
neutron-create_network_port_security_enabled: + key: "create_network:port_security_enabled" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_network_segments: + key: "create_network:segments" + value: "role:admin and system_scope:all" + neutron-create_network_provider_network_type: + key: "create_network:provider:network_type" + value: "role:admin and system_scope:all" + neutron-create_network_provider_physical_network: + key: "create_network:provider:physical_network" + value: "role:admin and system_scope:all" + neutron-create_network_provider_segmentation_id: + key: "create_network:provider:segmentation_id" + value: "role:admin and system_scope:all" + neutron-get_network: + key: "get_network" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc" + neutron-get_network_router_external: + key: "get_network:router:external" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-get_network_segments: + key: "get_network:segments" + value: "role:reader and system_scope:all" + neutron-get_network_provider_network_type: + key: "get_network:provider:network_type" + value: "role:reader and system_scope:all" + neutron-get_network_provider_physical_network: + key: "get_network:provider:physical_network" + value: "role:reader and system_scope:all" + neutron-get_network_provider_segmentation_id: + key: "get_network:provider:segmentation_id" + value: "role:reader and system_scope:all" + neutron-update_network: + key: "update_network" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_network_segments: + key: "update_network:segments" + value: "role:admin and system_scope:all" + neutron-update_network_shared: + key: "update_network:shared" + value: "role:admin and system_scope:all" + 
neutron-update_network_provider_network_type: + key: "update_network:provider:network_type" + value: "role:admin and system_scope:all" + neutron-update_network_provider_physical_network: + key: "update_network:provider:physical_network" + value: "role:admin and system_scope:all" + neutron-update_network_provider_segmentation_id: + key: "update_network:provider:segmentation_id" + value: "role:admin and system_scope:all" + neutron-update_network_router_external: + key: "update_network:router:external" + value: "role:admin and system_scope:all" + neutron-update_network_is_default: + key: "update_network:is_default" + value: "role:admin and system_scope:all" + neutron-update_network_port_security_enabled: + key: "update_network:port_security_enabled" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-delete_network: + key: "delete_network" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_network_ip_availability: + key: "get_network_ip_availability" + value: "role:reader and system_scope:all" + neutron-create_network_segment_range: + key: "create_network_segment_range" + value: "role:admin and system_scope:all" + neutron-get_network_segment_range: + key: "get_network_segment_range" + value: "role:reader and system_scope:all" + neutron-update_network_segment_range: + key: "update_network_segment_range" + value: "role:admin and system_scope:all" + neutron-delete_network_segment_range: + key: "delete_network_segment_range" + value: "role:admin and system_scope:all" + neutron-network_device: + key: "network_device" + value: "field:port:device_owner=~^network:" + neutron-admin_or_data_plane_int: + key: "admin_or_data_plane_int" + value: "rule:context_is_admin or role:data_plane_integrator" + neutron-create_port: + key: "create_port" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_port_device_owner: + key: 
"create_port:device_owner" + value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner" + neutron-create_port_mac_address: + key: "create_port:mac_address" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-create_port_fixed_ips: + key: "create_port:fixed_ips" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" + neutron-create_port_fixed_ips_ip_address: + key: "create_port:fixed_ips:ip_address" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-create_port_fixed_ips_subnet_id: + key: "create_port:fixed_ips:subnet_id" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" + neutron-create_port_port_security_enabled: + key: "create_port:port_security_enabled" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-create_port_binding_host_id: + key: "create_port:binding:host_id" + value: "role:admin and system_scope:all" + neutron-create_port_binding_profile: + key: "create_port:binding:profile" + value: "role:admin and system_scope:all" + neutron-create_port_binding_vnic_type: + key: "create_port:binding:vnic_type" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_port_allowed_address_pairs: + key: "create_port:allowed_address_pairs" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-create_port_allowed_address_pairs_mac_address: + key: 
"create_port:allowed_address_pairs:mac_address" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-create_port_allowed_address_pairs_ip_address: + key: "create_port:allowed_address_pairs:ip_address" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-get_port: + key: "get_port" + value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-get_port_binding_vif_type: + key: "get_port:binding:vif_type" + value: "role:reader and system_scope:all" + neutron-get_port_binding_vif_details: + key: "get_port:binding:vif_details" + value: "role:reader and system_scope:all" + neutron-get_port_binding_host_id: + key: "get_port:binding:host_id" + value: "role:reader and system_scope:all" + neutron-get_port_binding_profile: + key: "get_port:binding:profile" + value: "role:reader and system_scope:all" + neutron-get_port_resource_request: + key: "get_port:resource_request" + value: "role:reader and system_scope:all" + neutron-update_port: + key: "update_port" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" + neutron-update_port_device_owner: + key: "update_port:device_owner" + value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-update_port_mac_address: + key: "update_port:mac_address" + value: "role:admin and system_scope:all or rule:context_is_advsvc" + neutron-update_port_fixed_ips: + key: "update_port:fixed_ips" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-update_port_fixed_ips_ip_address: + key: "update_port:fixed_ips:ip_address" + value: "rule:context_is_advsvc or rule:network_owner or role:admin 
and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-update_port_fixed_ips_subnet_id: + key: "update_port:fixed_ips:subnet_id" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" + neutron-update_port_port_security_enabled: + key: "update_port:port_security_enabled" + value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" + neutron-update_port_binding_host_id: + key: "update_port:binding:host_id" + value: "role:admin and system_scope:all" + neutron-update_port_binding_profile: + key: "update_port:binding:profile" + value: "role:admin and system_scope:all" + neutron-update_port_binding_vnic_type: + key: "update_port:binding:vnic_type" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" + neutron-update_port_allowed_address_pairs: + key: "update_port:allowed_address_pairs" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-update_port_allowed_address_pairs_mac_address: + key: "update_port:allowed_address_pairs:mac_address" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-update_port_allowed_address_pairs_ip_address: + key: "update_port:allowed_address_pairs:ip_address" + value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" + neutron-update_port_data_plane_status: + key: "update_port:data_plane_status" + value: "role:admin and system_scope:all or role:data_plane_integrator" + neutron-delete_port: + key: "delete_port" + value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_policy: + key: "get_policy" + value: "(role:reader and system_scope:all) 
or (role:reader and project_id:%(project_id)s)" + neutron-create_policy: + key: "create_policy" + value: "role:admin and system_scope:all" + neutron-update_policy: + key: "update_policy" + value: "role:admin and system_scope:all" + neutron-delete_policy: + key: "delete_policy" + value: "role:admin and system_scope:all" + neutron-get_rule_type: + key: "get_rule_type" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-get_policy_bandwidth_limit_rule: + key: "get_policy_bandwidth_limit_rule" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-create_policy_bandwidth_limit_rule: + key: "create_policy_bandwidth_limit_rule" + value: "role:admin and system_scope:all" + neutron-update_policy_bandwidth_limit_rule: + key: "update_policy_bandwidth_limit_rule" + value: "role:admin and system_scope:all" + neutron-delete_policy_bandwidth_limit_rule: + key: "delete_policy_bandwidth_limit_rule" + value: "role:admin and system_scope:all" + neutron-get_policy_dscp_marking_rule: + key: "get_policy_dscp_marking_rule" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-create_policy_dscp_marking_rule: + key: "create_policy_dscp_marking_rule" + value: "role:admin and system_scope:all" + neutron-update_policy_dscp_marking_rule: + key: "update_policy_dscp_marking_rule" + value: "role:admin and system_scope:all" + neutron-delete_policy_dscp_marking_rule: + key: "delete_policy_dscp_marking_rule" + value: "role:admin and system_scope:all" + neutron-get_policy_minimum_bandwidth_rule: + key: "get_policy_minimum_bandwidth_rule" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-create_policy_minimum_bandwidth_rule: + key: "create_policy_minimum_bandwidth_rule" + value: "role:admin and system_scope:all" + neutron-update_policy_minimum_bandwidth_rule: + key: 
"update_policy_minimum_bandwidth_rule" + value: "role:admin and system_scope:all" + neutron-delete_policy_minimum_bandwidth_rule: + key: "delete_policy_minimum_bandwidth_rule" + value: "role:admin and system_scope:all" + neutron-get_alias_bandwidth_limit_rule: + key: "get_alias_bandwidth_limit_rule" + value: "rule:get_policy_bandwidth_limit_rule" + neutron-update_alias_bandwidth_limit_rule: + key: "update_alias_bandwidth_limit_rule" + value: "rule:update_policy_bandwidth_limit_rule" + neutron-delete_alias_bandwidth_limit_rule: + key: "delete_alias_bandwidth_limit_rule" + value: "rule:delete_policy_bandwidth_limit_rule" + neutron-get_alias_dscp_marking_rule: + key: "get_alias_dscp_marking_rule" + value: "rule:get_policy_dscp_marking_rule" + neutron-update_alias_dscp_marking_rule: + key: "update_alias_dscp_marking_rule" + value: "rule:update_policy_dscp_marking_rule" + neutron-delete_alias_dscp_marking_rule: + key: "delete_alias_dscp_marking_rule" + value: "rule:delete_policy_dscp_marking_rule" + neutron-get_alias_minimum_bandwidth_rule: + key: "get_alias_minimum_bandwidth_rule" + value: "rule:get_policy_minimum_bandwidth_rule" + neutron-update_alias_minimum_bandwidth_rule: + key: "update_alias_minimum_bandwidth_rule" + value: "rule:update_policy_minimum_bandwidth_rule" + neutron-delete_alias_minimum_bandwidth_rule: + key: "delete_alias_minimum_bandwidth_rule" + value: "rule:delete_policy_minimum_bandwidth_rule" + neutron-get_quota: + key: "get_quota" + value: "role:reader and system_scope:all" + neutron-update_quota: + key: "update_quota" + value: "role:admin and system_scope:all" + neutron-delete_quota: + key: "delete_quota" + value: "role:admin and system_scope:all" + neutron-restrict_wildcard: + key: "restrict_wildcard" + value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only" + neutron-create_rbac_policy: + key: "create_rbac_policy" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + 
neutron-create_rbac_policy_target_tenant: + key: "create_rbac_policy:target_tenant" + value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)" + neutron-update_rbac_policy: + key: "update_rbac_policy" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_rbac_policy_target_tenant: + key: "update_rbac_policy:target_tenant" + value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)" + neutron-get_rbac_policy: + key: "get_rbac_policy" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-delete_rbac_policy: + key: "delete_rbac_policy" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_router: + key: "create_router" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_router_distributed: + key: "create_router:distributed" + value: "role:admin and system_scope:all" + neutron-create_router_ha: + key: "create_router:ha" + value: "role:admin and system_scope:all" + neutron-create_router_external_gateway_info: + key: "create_router:external_gateway_info" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_router_external_gateway_info_network_id: + key: "create_router:external_gateway_info:network_id" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_router_external_gateway_info_enable_snat: + key: "create_router:external_gateway_info:enable_snat" + value: "role:admin and system_scope:all" + neutron-create_router_external_gateway_info_external_fixed_ips: + key: "create_router:external_gateway_info:external_fixed_ips" + value: "role:admin and system_scope:all" + neutron-get_router: + key: "get_router" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + 
neutron-get_router_distributed: + key: "get_router:distributed" + value: "role:reader and system_scope:all" + neutron-get_router_ha: + key: "get_router:ha" + value: "role:reader and system_scope:all" + neutron-update_router: + key: "update_router" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_router_distributed: + key: "update_router:distributed" + value: "role:admin and system_scope:all" + neutron-update_router_ha: + key: "update_router:ha" + value: "role:admin and system_scope:all" + neutron-update_router_external_gateway_info: + key: "update_router:external_gateway_info" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_router_external_gateway_info_network_id: + key: "update_router:external_gateway_info:network_id" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-update_router_external_gateway_info_enable_snat: + key: "update_router:external_gateway_info:enable_snat" + value: "role:admin and system_scope:all" + neutron-update_router_external_gateway_info_external_fixed_ips: + key: "update_router:external_gateway_info:external_fixed_ips" + value: "role:admin and system_scope:all" + neutron-delete_router: + key: "delete_router" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-add_router_interface: + key: "add_router_interface" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-remove_router_interface: + key: "remove_router_interface" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-add_extraroutes: + key: "add_extraroutes" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-remove_extraroutes: + key: "remove_extraroutes" + value: "(role:admin and system_scope:all) or (role:member and 
project_id:%(project_id)s)" + neutron-admin_or_sg_owner: + key: "admin_or_sg_owner" + value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s" + neutron-admin_owner_or_sg_owner: + key: "admin_owner_or_sg_owner" + value: "rule:owner or rule:admin_or_sg_owner" + neutron-create_security_group: + key: "create_security_group" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_security_group: + key: "get_security_group" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + neutron-update_security_group: + key: "update_security_group" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-delete_security_group: + key: "delete_security_group" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_security_group_rule: + key: "create_security_group_rule" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-get_security_group_rule: + key: "get_security_group_rule" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner" + neutron-delete_security_group_rule: + key: "delete_security_group_rule" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + neutron-create_segment: + key: "create_segment" + value: "role:admin and system_scope:all" + neutron-get_segment: + key: "get_segment" + value: "role:reader and system_scope:all" + neutron-update_segment: + key: "update_segment" + value: "role:admin and system_scope:all" + neutron-delete_segment: + key: "delete_segment" + value: "role:admin and system_scope:all" + neutron-get_service_provider: + key: "get_service_provider" + value: "role:reader" + neutron-create_subnet: + key: "create_subnet" + value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or 
rule:network_owner"
+ neutron-create_subnet_segment_id:
+ key: "create_subnet:segment_id"
+ value: "role:admin and system_scope:all"
+ neutron-create_subnet_service_types:
+ key: "create_subnet:service_types"
+ value: "role:admin and system_scope:all"
+ neutron-get_subnet:
+ key: "get_subnet"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
+ neutron-get_subnet_segment_id:
+ key: "get_subnet:segment_id"
+ value: "role:reader and system_scope:all"
+ neutron-update_subnet:
+ key: "update_subnet"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ neutron-update_subnet_segment_id:
+ key: "update_subnet:segment_id"
+ value: "role:admin and system_scope:all"
+ neutron-update_subnet_service_types:
+ key: "update_subnet:service_types"
+ value: "role:admin and system_scope:all"
+ neutron-delete_subnet:
+ key: "delete_subnet"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ neutron-shared_subnetpools:
+ key: "shared_subnetpools"
+ value: "field:subnetpools:shared=True"
+ neutron-create_subnetpool:
+ key: "create_subnetpool"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-create_subnetpool_shared:
+ key: "create_subnetpool:shared"
+ value: "role:admin and system_scope:all"
+ neutron-create_subnetpool_is_default:
+ key: "create_subnetpool:is_default"
+ value: "role:admin and system_scope:all"
+ neutron-get_subnetpool:
+ key: "get_subnetpool"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
+ neutron-update_subnetpool:
+ key: "update_subnetpool"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-update_subnetpool_is_default:
+ key: "update_subnetpool:is_default"
+ value: "role:admin and system_scope:all"
+ neutron-delete_subnetpool:
+ key: "delete_subnetpool"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-onboard_network_subnets:
+ key: "onboard_network_subnets"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-add_prefixes:
+ key: "add_prefixes"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-remove_prefixes:
+ key: "remove_prefixes"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-create_trunk:
+ key: "create_trunk"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-get_trunk:
+ key: "get_trunk"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ neutron-update_trunk:
+ key: "update_trunk"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-delete_trunk:
+ key: "delete_trunk"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-get_subports:
+ key: "get_subports"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ neutron-add_subports:
+ key: "add_subports"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ neutron-remove_subports:
+ key: "remove_subports"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ GlanceApiPolicies:
+ glance-default:
+ key: "default"
+ value: ""
+ glance-context_is_admin:
+ key: "context_is_admin"
+ value: "role:admin"
+ glance-add_image:
+ key: "add_image"
+ value: "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
+ glance-delete_image:
+ key: "delete_image"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-get_image:
+ key: "get_image"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
+ glance-get_images:
+ key: "get_images"
+ value: "role:admin or (role:reader and project_id:%(project_id)s)"
+ glance-modify_image:
+ key: "modify_image"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-publicize_image:
+ key: "publicize_image"
+ value: "role:admin"
+ glance-communitize_image:
+ key: "communitize_image"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-download_image:
+ key: "download_image"
+ value: "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
+ glance-upload_image:
+ key: "upload_image"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-delete_image_location:
+ key: "delete_image_location"
+ value: "role:admin"
+ glance-get_image_location:
+ key: "get_image_location"
+ value: "role:admin or (role:reader and project_id:%(project_id)s)"
+ glance-set_image_location:
+ key: "set_image_location"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-add_member:
+ key: "add_member"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-delete_member:
+ key: "delete_member"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-get_member:
+ key: "get_member"
+ value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
+ glance-get_members:
+ key: "get_members"
+ value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
+ glance-modify_member:
+ key: "modify_member"
+ value: "role:admin or (role:member and project_id:%(member_id)s)"
+ glance-manage_image_cache:
+ key: "manage_image_cache"
+ value: "role:admin"
+ glance-deactivate:
+ key: "deactivate"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-reactivate:
+ key: "reactivate"
+ value: "role:admin or (role:member and project_id:%(project_id)s)"
+ glance-copy_image:
+ key: "copy_image"
+ value: "role:admin"
+ glance-get_task:
+ key: "get_task"
+ value: "rule:default"
+ glance-get_tasks:
+ key: "get_tasks"
+ value: "rule:default"
+ glance-add_task:
+ key: "add_task"
+ value: "rule:default"
+ glance-modify_task:
+ key: "modify_task"
+ value: "rule:default"
+ glance-tasks_api_access:
+ key: "tasks_api_access"
+ value: "role:admin"
+ glance-metadef_default:
+ key: "metadef_default"
+ value: ""
+ glance-metadef_admin:
+ key: "metadef_admin"
+ value: "role:admin"
+ glance-get_metadef_namespace:
+ key: "get_metadef_namespace"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-get_metadef_namespaces:
+ key: "get_metadef_namespaces"
+ value: "role:admin or (role:reader and project_id:%(project_id)s)"
+ glance-modify_metadef_namespace:
+ key: "modify_metadef_namespace"
+ value: "rule:metadef_admin"
+ glance-add_metadef_namespace:
+ key: "add_metadef_namespace"
+ value: "rule:metadef_admin"
+ glance-delete_metadef_namespace:
+ key: "delete_metadef_namespace"
+ value: "rule:metadef_admin"
+ glance-get_metadef_object:
+ key: "get_metadef_object"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-get_metadef_objects:
+ key: "get_metadef_objects"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-modify_metadef_object:
+ key: "modify_metadef_object"
+ value: "rule:metadef_admin"
+ glance-add_metadef_object:
+ key: "add_metadef_object"
+ value: "rule:metadef_admin"
+ glance-delete_metadef_object:
+ key: "delete_metadef_object"
+ value: "rule:metadef_admin"
+ glance-list_metadef_resource_types:
+ key: "list_metadef_resource_types"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-get_metadef_resource_type:
+ key: "get_metadef_resource_type"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-add_metadef_resource_type_association:
+ key: "add_metadef_resource_type_association"
+ value: "rule:metadef_admin"
+ glance-remove_metadef_resource_type_association:
+ key: "remove_metadef_resource_type_association"
+ value: "rule:metadef_admin"
+ glance-get_metadef_property:
+ key: "get_metadef_property"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-get_metadef_properties:
+ key: "get_metadef_properties"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-modify_metadef_property:
+ key: "modify_metadef_property"
+ value: "rule:metadef_admin"
+ glance-add_metadef_property:
+ key: "add_metadef_property"
+ value: "rule:metadef_admin"
+ glance-remove_metadef_property:
+ key: "remove_metadef_property"
+ value: "rule:metadef_admin"
+ glance-get_metadef_tag:
+ key: "get_metadef_tag"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-get_metadef_tags:
+ key: "get_metadef_tags"
+ value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
+ glance-modify_metadef_tag:
+ key: "modify_metadef_tag"
+ value: "rule:metadef_admin"
+ glance-add_metadef_tag:
+ key: "add_metadef_tag"
+ value: "rule:metadef_admin"
+ glance-add_metadef_tags:
+ key: "add_metadef_tags"
+ value: "rule:metadef_admin"
+ glance-delete_metadef_tag:
+ key: "delete_metadef_tag"
+ value: "rule:metadef_admin"
+ glance-delete_metadef_tags:
+ key: "delete_metadef_tags"
+ value: "rule:metadef_admin"
+ DesignateApiPolicies:
+ designate-admin:
+ key: "admin"
+ value: "role:admin or is_admin:True"
+ designate-primary_zone:
+ key: "primary_zone"
+ value: "target.zone_type:SECONDARY"
+ designate-owner:
+ key: "owner"
+ value: "tenant:%(tenant_id)s"
+ designate-admin_or_owner:
+ key: "admin_or_owner"
+ value: "rule:admin or rule:owner"
+ designate-default:
+ key: "default"
+ value: "rule:admin_or_owner"
+ designate-target:
+ key: "target"
+ value: "tenant:%(target_tenant_id)s"
+ designate-owner_or_target:
+ key: "owner_or_target"
+ value: "rule:target or rule:owner"
+ designate-admin_or_owner_or_target:
+ key: "admin_or_owner_or_target"
+ value: "rule:owner_or_target or rule:admin"
+ designate-admin_or_target:
+ key: "admin_or_target"
+ value: "rule:admin or rule:target"
+ designate-zone_primary_or_admin:
+ key: "zone_primary_or_admin"
+ value: "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+ designate-create_blacklist:
+ key: "create_blacklist"
+ value: "role:admin and system_scope:all"
+ designate-find_blacklist:
+ key: "find_blacklist"
+ value: "role:reader and system_scope:all"
+ designate-find_blacklists:
+ key: "find_blacklists"
+ value: "role:reader and system_scope:all"
+ designate-get_blacklist:
+ key: "get_blacklist"
+ value: "role:reader and system_scope:all"
+ designate-update_blacklist:
+ key: "update_blacklist"
+ value: "role:admin and system_scope:all"
+ designate-delete_blacklist:
+ key: "delete_blacklist"
+ value: "role:admin and system_scope:all"
+ designate-use_blacklisted_zone:
+ key: "use_blacklisted_zone"
+ value: "role:admin and system_scope:all"
+ designate-all_tenants:
+ key: "all_tenants"
+ value: "rule:admin"
+ designate-edit_managed_records:
+ key: "edit_managed_records"
+ value: "rule:admin"
+ designate-use_low_ttl:
+ key: "use_low_ttl"
+ value: "rule:admin"
+ designate-use_sudo:
+ key: "use_sudo"
+ value: "rule:admin"
+ designate-diagnostics_ping:
+ key: "diagnostics_ping"
+ value: "rule:admin"
+ designate-diagnostics_sync_zones:
+ key: "diagnostics_sync_zones"
+ value: "rule:admin"
+ designate-diagnostics_sync_zone:
+ key: "diagnostics_sync_zone"
+ value: "rule:admin"
+ designate-diagnostics_sync_record:
+ key: "diagnostics_sync_record"
+ value: "rule:admin"
+ designate-create_pool:
+ key: "create_pool"
+ value: "role:admin and system_scope:all"
+ designate-find_pools:
+ key: "find_pools"
+ value: "role:reader and system_scope:all"
+ designate-find_pool:
+ key: "find_pool"
+ value: "role:reader and system_scope:all"
+ designate-get_pool:
+ key: "get_pool"
+ value: "role:reader and system_scope:all"
+ designate-update_pool:
+ key: "update_pool"
+ value: "role:admin and system_scope:all"
+ designate-delete_pool:
+ key: "delete_pool"
+ value: "role:admin and system_scope:all"
+ designate-zone_create_forced_pool:
+ key: "zone_create_forced_pool"
+ value: "role:admin and system_scope:all"
+ designate-get_quotas:
+ key: "get_quotas"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_quota:
+ key: "get_quota"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-set_quota:
+ key: "set_quota"
+ value: "role:admin and system_scope:all"
+ designate-reset_quotas:
+ key: "reset_quotas"
+ value: "role:admin and system_scope:all"
+ designate-find_records:
+ key: "find_records"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-count_records:
+ key: "count_records"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-create_recordset:
+ key: "create_recordset"
+ value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
+ designate-get_recordsets:
+ key: "get_recordsets"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_recordset:
+ key: "get_recordset"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-update_recordset:
+ key: "update_recordset"
+ value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
+ designate-delete_recordset:
+ key: "delete_recordset"
+ value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
+ designate-count_recordset:
+ key: "count_recordset"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-find_service_status:
+ key: "find_service_status"
+ value: "role:reader and system_scope:all"
+ designate-find_service_statuses:
+ key: "find_service_statuses"
+ value: "role:reader and system_scope:all"
+ designate-update_service_status:
+ key: "update_service_status"
+ value: "role:admin and system_scope:all"
+ designate-find_tenants:
+ key: "find_tenants"
+ value: "role:reader and system_scope:all"
+ designate-get_tenant:
+ key: "get_tenant"
+ value: "role:reader and system_scope:all"
+ designate-count_tenants:
+ key: "count_tenants"
+ value: "role:reader and system_scope:all"
+ designate-create_tld:
+ key: "create_tld"
+ value: "role:admin and system_scope:all"
+ designate-find_tlds:
+ key: "find_tlds"
+ value: "role:reader and system_scope:all"
+ designate-get_tld:
+ key: "get_tld"
+ value: "role:reader and system_scope:all"
+ designate-update_tld:
+ key: "update_tld"
+ value: "role:admin and system_scope:all"
+ designate-delete_tld:
+ key: "delete_tld"
+ value: "role:admin and system_scope:all"
+ designate-create_tsigkey:
+ key: "create_tsigkey"
+ value: "role:admin and system_scope:all"
+ designate-find_tsigkeys:
+ key: "find_tsigkeys"
+ value: "role:reader and system_scope:all"
+ designate-get_tsigkey:
+ key: "get_tsigkey"
+ value: "role:reader and system_scope:all"
+ designate-update_tsigkey:
+ key: "update_tsigkey"
+ value: "role:admin and system_scope:all"
+ designate-delete_tsigkey:
+ key: "delete_tsigkey"
+ value: "role:admin and system_scope:all"
+ designate-create_zone:
+ key: "create_zone"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-get_zones:
+ key: "get_zones"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_zone:
+ key: "get_zone"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_zone_servers:
+ key: "get_zone_servers"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-find_zones:
+ key: "find_zones"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-update_zone:
+ key: "update_zone"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-delete_zone:
+ key: "delete_zone"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-xfr_zone:
+ key: "xfr_zone"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-abandon_zone:
+ key: "abandon_zone"
+ value: "role:admin and system_scope:all"
+ designate-count_zones:
+ key: "count_zones"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-count_zones_pending_notify:
+ key: "count_zones_pending_notify"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-purge_zones:
+ key: "purge_zones"
+ value: "role:admin and system_scope:all"
+ designate-touch_zone:
+ key: "touch_zone"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-zone_export:
+ key: "zone_export"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-create_zone_export:
+ key: "create_zone_export"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-find_zone_exports:
+ key: "find_zone_exports"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_zone_export:
+ key: "get_zone_export"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-update_zone_export:
+ key: "update_zone_export"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-create_zone_import:
+ key: "create_zone_import"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-find_zone_imports:
+ key: "find_zone_imports"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-get_zone_import:
+ key: "get_zone_import"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-update_zone_import:
+ key: "update_zone_import"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-delete_zone_import:
+ key: "delete_zone_import"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-create_zone_transfer_accept:
+ key: "create_zone_transfer_accept"
+ value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
+ designate-get_zone_transfer_accept:
+ key: "get_zone_transfer_accept"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-find_zone_transfer_accepts:
+ key: "find_zone_transfer_accepts"
+ value: "role:reader and system_scope:all"
+ designate-find_zone_transfer_accept:
+ key: "find_zone_transfer_accept"
+ value: "role:reader and system_scope:all"
+ designate-update_zone_transfer_accept:
+ key: "update_zone_transfer_accept"
+ value: "role:admin and system_scope:all"
+ designate-delete_zone_transfer_accept:
+ key: "delete_zone_transfer_accept"
+ value: "role:admin and system_scope:all"
+ designate-create_zone_transfer_request:
+ key: "create_zone_transfer_request"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-get_zone_transfer_request:
+ key: "get_zone_transfer_request"
+ value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
+ designate-get_zone_transfer_request_detailed:
+ key: "get_zone_transfer_request_detailed"
+ value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ designate-find_zone_transfer_requests:
+ key: "find_zone_transfer_requests"
+ value: "@"
+ designate-find_zone_transfer_request:
+ key: "find_zone_transfer_request"
+ value: "@"
+ designate-update_zone_transfer_request:
+ key: "update_zone_transfer_request"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ designate-delete_zone_transfer_request:
+ key: "delete_zone_transfer_request"
+ value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ CinderApiPolicies:
+ cinder-admin_or_owner:
+ key: "admin_or_owner"
+ value: "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
+ cinder-system_or_domain_or_project_admin:
+ key: "system_or_domain_or_project_admin"
+ value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
+ cinder-context_is_admin:
+ key: "context_is_admin"
+ value: "role:admin"
+ cinder-admin_api:
+ key: "admin_api"
+ value: "is_admin:True or (role:admin and is_admin_project:True)"
+ cinder-xena_system_admin_or_project_reader:
+ key: "xena_system_admin_or_project_reader"
+ value: "(role:admin) or (role:reader and project_id:%(project_id)s)"
+ cinder-xena_system_admin_or_project_member:
+ key: "xena_system_admin_or_project_member"
+ value: "(role:admin) or (role:member and project_id:%(project_id)s)"
+ cinder-volume_attachment_create:
+ key: "volume:attachment_create"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_attachment_update:
+ key: "volume:attachment_update"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_attachment_delete:
+ key: "volume:attachment_delete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_attachment_complete:
+ key: "volume:attachment_complete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_multiattach_bootable_volume:
+ key: "volume:multiattach_bootable_volume"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-message_get_all:
+ key: "message:get_all"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-message_get:
+ key: "message:get"
+ value: "rule:message:get_all"
+ cinder-message_delete:
+ key: "message:delete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-clusters_get_all:
+ key: "clusters:get_all"
+ value: "rule:admin_api"
+ cinder-clusters_get:
+ key: "clusters:get"
+ value: "rule:admin_api"
+ cinder-clusters_update:
+ key: "clusters:update"
+ value: "rule:admin_api"
+ cinder-workers_cleanup:
+ key: "workers:cleanup"
+ value: "rule:admin_api"
+ cinder-volume_get_snapshot_metadata:
+ key: "volume:get_snapshot_metadata"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_update_snapshot_metadata:
+ key: "volume:update_snapshot_metadata"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_delete_snapshot_metadata:
+ key: "volume:delete_snapshot_metadata"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get_all_snapshots:
+ key: "volume:get_all_snapshots"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_extended_snapshot_attributes:
+ key: "volume_extension:extended_snapshot_attributes"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_create_snapshot:
+ key: "volume:create_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get_snapshot:
+ key: "volume:get_snapshot"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_update_snapshot:
+ key: "volume:update_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_delete_snapshot:
+ key: "volume:delete_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_snapshot_admin_actions_reset_status:
+ key: "volume_extension:snapshot_admin_actions:reset_status"
+ value: "rule:admin_api"
+ cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
+ key: "snapshot_extension:snapshot_actions:update_snapshot_status"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_snapshot_admin_actions_force_delete:
+ key: "volume_extension:snapshot_admin_actions:force_delete"
+ value: "rule:admin_api"
+ cinder-snapshot_extension_list_manageable:
+ key: "snapshot_extension:list_manageable"
+ value: "rule:admin_api"
+ cinder-snapshot_extension_snapshot_manage:
+ key: "snapshot_extension:snapshot_manage"
+ value: "rule:admin_api"
+ cinder-snapshot_extension_snapshot_unmanage:
+ key: "snapshot_extension:snapshot_unmanage"
+ value: "rule:admin_api"
+ cinder-backup_get_all:
+ key: "backup:get_all"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-backup_backup_project_attribute:
+ key: "backup:backup_project_attribute"
+ value: "rule:admin_api"
+ cinder-backup_create:
+ key: "backup:create"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-backup_get:
+ key: "backup:get"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-backup_update:
+ key: "backup:update"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-backup_delete:
+ key: "backup:delete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-backup_restore:
+ key: "backup:restore"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-backup_backup-import:
+ key: "backup:backup-import"
+ value: "rule:admin_api"
+ cinder-backup_export-import:
+ key: "backup:export-import"
+ value: "rule:admin_api"
+ cinder-volume_extension_backup_admin_actions_reset_status:
+ key: "volume_extension:backup_admin_actions:reset_status"
+ value: "rule:admin_api"
+ cinder-volume_extension_backup_admin_actions_force_delete:
+ key: "volume_extension:backup_admin_actions:force_delete"
+ value: "rule:admin_api"
+ cinder-group_get_all:
+ key: "group:get_all"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-group_create:
+ key: "group:create"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_get:
+ key: "group:get"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-group_update:
+ key: "group:update"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_group_project_attribute:
+ key: "group:group_project_attribute"
+ value: "rule:admin_api"
+ cinder-group_group_types_create:
+ key: "group:group_types:create"
+ value: "rule:admin_api"
+ cinder-group_group_types_manage:
+ key: "group:group_types_manage"
+ value: "rule:group:group_types:create"
+ cinder-group_group_types_update:
+ key: "group:group_types:update"
+ value: "rule:admin_api"
+ cinder-group_group_types_delete:
+ key: "group:group_types:delete"
+ value: "rule:admin_api"
+ cinder-group_access_group_types_specs:
+ key: "group:access_group_types_specs"
+ value: "rule:admin_api"
+ cinder-group_group_types_specs_get:
+ key: "group:group_types_specs:get"
+ value: "rule:admin_api"
+ cinder-group_group_types_specs:
+ key: "group:group_types_specs"
+ value: "rule:group:group_types_specs:get"
+ cinder-group_group_types_specs_get_all:
+ key: "group:group_types_specs:get_all"
+ value: "rule:admin_api"
+ cinder-group_group_types_specs_create:
+ key: "group:group_types_specs:create"
+ value: "rule:admin_api"
+ cinder-group_group_types_specs_update:
+ key: "group:group_types_specs:update"
+ value: "rule:admin_api"
+ cinder-group_group_types_specs_delete:
+ key: "group:group_types_specs:delete"
+ value: "rule:admin_api"
+ cinder-group_get_all_group_snapshots:
+ key: "group:get_all_group_snapshots"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-group_create_group_snapshot:
+ key: "group:create_group_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_get_group_snapshot:
+ key: "group:get_group_snapshot"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-group_delete_group_snapshot:
+ key: "group:delete_group_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_update_group_snapshot:
+ key: "group:update_group_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_group_snapshot_project_attribute:
+ key: "group:group_snapshot_project_attribute"
+ value: "rule:admin_api"
+ cinder-group_reset_group_snapshot_status:
+ key: "group:reset_group_snapshot_status"
+ value: "rule:admin_api"
+ cinder-group_delete:
+ key: "group:delete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_reset_status:
+ key: "group:reset_status"
+ value: "rule:admin_api"
+ cinder-group_enable_replication:
+ key: "group:enable_replication"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_disable_replication:
+ key: "group:disable_replication"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_failover_replication:
+ key: "group:failover_replication"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-group_list_replication_targets:
+ key: "group:list_replication_targets"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_qos_specs_manage_get_all:
+ key: "volume_extension:qos_specs_manage:get_all"
+ value: "rule:admin_api"
+ cinder-volume_extension_qos_specs_manage_get:
+ key: "volume_extension:qos_specs_manage:get"
+ value: "rule:admin_api"
+ cinder-volume_extension_qos_specs_manage_create:
+ key: "volume_extension:qos_specs_manage:create"
+ value: "rule:admin_api"
+ cinder-volume_extension_qos_specs_manage_update:
+ key: "volume_extension:qos_specs_manage:update"
+ value: "rule:admin_api"
+ cinder-volume_extension_qos_specs_manage_delete:
+ key: "volume_extension:qos_specs_manage:delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_quota_classes_get:
+ key: "volume_extension:quota_classes:get"
+ value: "rule:admin_api"
+ cinder-volume_extension_quota_classes:
+ key: "volume_extension:quota_classes"
+ value: "rule:volume_extension:quota_classes:get"
+ cinder-volume_extension_quota_classes_update:
+ key: "volume_extension:quota_classes:update"
+ value: "rule:admin_api"
+ cinder-volume_extension_quotas_show:
+ key: "volume_extension:quotas:show"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_quotas_update:
+ key: "volume_extension:quotas:update"
+ value: "rule:admin_api"
+ cinder-volume_extension_quotas_delete:
+ key: "volume_extension:quotas:delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_capabilities:
+ key: "volume_extension:capabilities"
+ value: "rule:admin_api"
+ cinder-volume_extension_services_index:
+ key: "volume_extension:services:index"
+ value: "rule:admin_api"
+ cinder-volume_extension_services_update:
+ key: "volume_extension:services:update"
+ value: "rule:admin_api"
+ cinder-volume_freeze_host:
+ key: "volume:freeze_host"
+ value: "rule:admin_api"
+ cinder-volume_thaw_host:
+ key: "volume:thaw_host"
+ value: "rule:admin_api"
+ cinder-volume_failover_host:
+ key: "volume:failover_host"
+ value: "rule:admin_api"
+ cinder-scheduler_extension_scheduler_stats_get_pools:
+ key: "scheduler_extension:scheduler_stats:get_pools"
+ value: "rule:admin_api"
+ cinder-volume_extension_hosts:
+ key: "volume_extension:hosts"
+ value: "rule:admin_api"
+ cinder-limits_extension_used_limits:
+ key: "limits_extension:used_limits"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_list_manageable:
+ key: "volume_extension:list_manageable"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_manage:
+ key: "volume_extension:volume_manage"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_unmanage:
+ key: "volume_extension:volume_unmanage"
+ value: "rule:admin_api"
+ cinder-volume_extension_type_create:
+ key: "volume_extension:type_create"
+ value: "rule:admin_api"
+ cinder-volume_extension_types_manage:
+ key: "volume_extension:types_manage"
+ value: "rule:volume_extension:type_create"
+ cinder-volume_extension_type_update:
+ key: "volume_extension:type_update"
+ value: "rule:admin_api"
+ cinder-volume_extension_type_delete:
+ key: "volume_extension:type_delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_type_get:
+ key: "volume_extension:type_get"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_type_get_all:
+ key: "volume_extension:type_get_all"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_access_types_extra_specs:
+ key: "volume_extension:access_types_extra_specs"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_access_types_qos_specs_id:
+ key: "volume_extension:access_types_qos_specs_id"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_encryption:
+ key: "volume_extension:volume_type_encryption"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_encryption_create:
+ key: "volume_extension:volume_type_encryption:create"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_encryption_get:
+ key: "volume_extension:volume_type_encryption:get"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_encryption_update:
+ key: "volume_extension:volume_type_encryption:update"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_encryption_delete:
+ key: "volume_extension:volume_type_encryption:delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_access:
+ key: "volume_extension:volume_type_access"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_type_access_addProjectAccess:
+ key: "volume_extension:volume_type_access:addProjectAccess"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_access_removeProjectAccess:
+ key: "volume_extension:volume_type_access:removeProjectAccess"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_type_access_get_all_for_type:
+ key: "volume_extension:volume_type_access:get_all_for_type"
+ value: "rule:admin_api"
+ cinder-volume_extend:
+ key: "volume:extend"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extend_attached_volume:
+ key: "volume:extend_attached_volume"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_revert_to_snapshot:
+ key: "volume:revert_to_snapshot"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_admin_actions_reset_status:
+ key: "volume_extension:volume_admin_actions:reset_status"
+ value: "rule:admin_api"
+ cinder-volume_retype:
+ key: "volume:retype"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_update_readonly_flag:
+ key: "volume:update_readonly_flag"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_admin_actions_force_delete:
+ key: "volume_extension:volume_admin_actions:force_delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_actions_upload_public:
+ key: "volume_extension:volume_actions:upload_public"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_actions_upload_image:
+ key: "volume_extension:volume_actions:upload_image"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_admin_actions_force_detach:
+ key: "volume_extension:volume_admin_actions:force_detach"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_admin_actions_migrate_volume:
+ key: "volume_extension:volume_admin_actions:migrate_volume"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_admin_actions_migrate_volume_completion:
+ key: "volume_extension:volume_admin_actions:migrate_volume_completion"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_actions_initialize_connection:
+ key: "volume_extension:volume_actions:initialize_connection"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_terminate_connection:
+ key: "volume_extension:volume_actions:terminate_connection"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_roll_detaching:
+ key: "volume_extension:volume_actions:roll_detaching"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_reserve:
+ key: "volume_extension:volume_actions:reserve"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_unreserve:
+ key: "volume_extension:volume_actions:unreserve"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_begin_detaching:
+ key: "volume_extension:volume_actions:begin_detaching"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_attach:
+ key: "volume_extension:volume_actions:attach"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_actions_detach:
+ key: "volume_extension:volume_actions:detach"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get_all_transfers:
+ key: "volume:get_all_transfers"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_create_transfer:
+ key: "volume:create_transfer"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get_transfer:
+ key: "volume:get_transfer"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_accept_transfer:
+ key: "volume:accept_transfer"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_delete_transfer:
+ key: "volume:delete_transfer"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get_volume_metadata:
+ key: "volume:get_volume_metadata"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_create_volume_metadata:
+ key: "volume:create_volume_metadata"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_update_volume_metadata:
+ key: "volume:update_volume_metadata"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_delete_volume_metadata:
+ key: "volume:delete_volume_metadata"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_image_metadata_show:
+ key: "volume_extension:volume_image_metadata:show"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_volume_image_metadata:
+ key: "volume_extension:volume_image_metadata"
+ value: "rule:volume_extension:volume_image_metadata:show"
+ cinder-volume_extension_volume_image_metadata_set:
+ key: "volume_extension:volume_image_metadata:set"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_volume_image_metadata_remove:
+ key: "volume_extension:volume_image_metadata:remove"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_update_volume_admin_metadata:
+ key: "volume:update_volume_admin_metadata"
+ value: "rule:admin_api"
+ cinder-volume_extension_types_extra_specs_index:
+ key: "volume_extension:types_extra_specs:index"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_types_extra_specs_create:
+ key: "volume_extension:types_extra_specs:create"
+ value: "rule:admin_api"
+ cinder-volume_extension_types_extra_specs_show:
+ key: "volume_extension:types_extra_specs:show"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_types_extra_specs_read_sensitive:
+ key: "volume_extension:types_extra_specs:read_sensitive"
+ value: "rule:admin_api"
+ cinder-volume_extension_types_extra_specs_update:
+ key: "volume_extension:types_extra_specs:update"
+ value: "rule:admin_api"
+ cinder-volume_extension_types_extra_specs_delete:
+ key: "volume_extension:types_extra_specs:delete"
+ value: "rule:admin_api"
+ cinder-volume_create:
+ key: "volume:create"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_create_from_image:
+ key: "volume:create_from_image"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_get:
+ key: "volume:get"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_get_all:
+ key: "volume:get_all"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_update:
+ key: "volume:update"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_delete:
+ key: "volume:delete"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_force_delete:
+ key: "volume:force_delete"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_host_attribute:
+ key: "volume_extension:volume_host_attribute"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_tenant_attribute:
+ key: "volume_extension:volume_tenant_attribute"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_extension_volume_mig_status_attribute:
+ key: "volume_extension:volume_mig_status_attribute"
+ value: "rule:admin_api"
+ cinder-volume_extension_volume_encryption_metadata:
+ key: "volume_extension:volume_encryption_metadata"
+ value: "rule:xena_system_admin_or_project_reader"
+ cinder-volume_multiattach:
+ key: "volume:multiattach"
+ value: "rule:xena_system_admin_or_project_member"
+ cinder-volume_extension_default_set_or_update:
+ key: "volume_extension:default_set_or_update"
+ value: "rule:admin_api"
+ cinder-volume_extension_default_get:
+ key: "volume_extension:default_get"
+ value: "rule:admin_api"
+ cinder-volume_extension_default_get_all:
+ key: "volume_extension:default_get_all"
+ value: "rule:admin_api"
+ cinder-volume_extension_default_unset:
+ key: "volume_extension:default_unset"
+ value: "rule:admin_api"
+ KeystonePolicies:
+ keystone-admin_required:
+ key: "admin_required"
+ value: "role:admin or is_admin:1"
+ keystone-service_role:
+ key: "service_role"
+ value: "role:service"
+ 
keystone-service_or_admin: + key: "service_or_admin" + value: "rule:admin_required or rule:service_role" + keystone-owner: + key: "owner" + value: "user_id:%(user_id)s" + keystone-admin_or_owner: + key: "admin_or_owner" + value: "rule:admin_required or rule:owner" + keystone-token_subject: + key: "token_subject" + value: "user_id:%(target.token.user_id)s" + keystone-admin_or_token_subject: + key: "admin_or_token_subject" + value: "rule:admin_required or rule:token_subject" + keystone-service_admin_or_token_subject: + key: "service_admin_or_token_subject" + value: "rule:service_or_admin or rule:token_subject" + keystone-identity_get_access_rule: + key: "identity:get_access_rule" + value: "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + keystone-identity_list_access_rules: + key: "identity:list_access_rules" + value: "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + keystone-identity_delete_access_rule: + key: "identity:delete_access_rule" + value: "(role:admin and system_scope:all) or user_id:%(target.user.id)s" + keystone-identity_authorize_request_token: + key: "identity:authorize_request_token" + value: "rule:admin_required" + keystone-identity_get_access_token: + key: "identity:get_access_token" + value: "rule:admin_required" + keystone-identity_get_access_token_role: + key: "identity:get_access_token_role" + value: "rule:admin_required" + keystone-identity_list_access_tokens: + key: "identity:list_access_tokens" + value: "rule:admin_required" + keystone-identity_list_access_token_roles: + key: "identity:list_access_token_roles" + value: "rule:admin_required" + keystone-identity_delete_access_token: + key: "identity:delete_access_token" + value: "rule:admin_required" + keystone-identity_get_application_credential: + key: "identity:get_application_credential" + value: "(role:reader and system_scope:all) or rule:owner" + keystone-identity_get_application_credentials: + key: "identity:get_application_credentials" + value: 
"rule:identity:get_application_credential" + keystone-identity_list_application_credentials: + key: "identity:list_application_credentials" + value: "(role:reader and system_scope:all) or rule:owner" + keystone-identity_create_application_credential: + key: "identity:create_application_credential" + value: "user_id:%(user_id)s" + keystone-identity_delete_application_credential: + key: "identity:delete_application_credential" + value: "(role:admin and system_scope:all) or rule:owner" + keystone-identity_delete_application_credentials: + key: "identity:delete_application_credentials" + value: "rule:identity:delete_application_credential" + keystone-identity_get_auth_catalog: + key: "identity:get_auth_catalog" + value: "" + keystone-identity_get_auth_projects: + key: "identity:get_auth_projects" + value: "" + keystone-identity_get_auth_domains: + key: "identity:get_auth_domains" + value: "" + keystone-identity_get_auth_system: + key: "identity:get_auth_system" + value: "" + keystone-identity_get_consumer: + key: "identity:get_consumer" + value: "role:reader and system_scope:all" + keystone-identity_list_consumers: + key: "identity:list_consumers" + value: "role:reader and system_scope:all" + keystone-identity_create_consumer: + key: "identity:create_consumer" + value: "role:admin and system_scope:all" + keystone-identity_update_consumer: + key: "identity:update_consumer" + value: "role:admin and system_scope:all" + keystone-identity_delete_consumer: + key: "identity:delete_consumer" + value: "role:admin and system_scope:all" + keystone-identity_get_credential: + key: "identity:get_credential" + value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_list_credentials: + key: "identity:list_credentials" + value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_create_credential: + key: "identity:create_credential" + value: "(role:admin and system_scope:all) or 
user_id:%(target.credential.user_id)s" + keystone-identity_update_credential: + key: "identity:update_credential" + value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_delete_credential: + key: "identity:delete_credential" + value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_get_domain: + key: "identity:get_domain" + value: "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" + keystone-identity_list_domains: + key: "identity:list_domains" + value: "role:reader and system_scope:all" + keystone-identity_create_domain: + key: "identity:create_domain" + value: "role:admin and system_scope:all" + keystone-identity_update_domain: + key: "identity:update_domain" + value: "role:admin and system_scope:all" + keystone-identity_delete_domain: + key: "identity:delete_domain" + value: "role:admin and system_scope:all" + keystone-identity_create_domain_config: + key: "identity:create_domain_config" + value: "role:admin and system_scope:all" + keystone-identity_get_domain_config: + key: "identity:get_domain_config" + value: "role:reader and system_scope:all" + keystone-identity_get_security_compliance_domain_config: + key: "identity:get_security_compliance_domain_config" + value: "" + keystone-identity_update_domain_config: + key: "identity:update_domain_config" + value: "role:admin and system_scope:all" + keystone-identity_delete_domain_config: + key: "identity:delete_domain_config" + value: "role:admin and system_scope:all" + keystone-identity_get_domain_config_default: + key: "identity:get_domain_config_default" + value: "role:reader and system_scope:all" + keystone-identity_ec2_get_credential: + key: "identity:ec2_get_credential" + value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_ec2_list_credentials: + key: "identity:ec2_list_credentials" + 
value: "(role:reader and system_scope:all) or rule:owner" + keystone-identity_ec2_create_credential: + key: "identity:ec2_create_credential" + value: "(role:admin and system_scope:all) or rule:owner" + keystone-identity_ec2_create_credentials: + key: "identity:ec2_create_credentials" + value: "rule:identity:ec2_create_credential" + keystone-identity_ec2_delete_credential: + key: "identity:ec2_delete_credential" + value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + keystone-identity_ec2_delete_credentials: + key: "identity:ec2_delete_credentials" + value: "rule:identity:ec2_delete_credential" + keystone-identity_get_endpoint: + key: "identity:get_endpoint" + value: "role:reader and system_scope:all" + keystone-identity_list_endpoints: + key: "identity:list_endpoints" + value: "role:reader and system_scope:all" + keystone-identity_create_endpoint: + key: "identity:create_endpoint" + value: "role:admin and system_scope:all" + keystone-identity_update_endpoint: + key: "identity:update_endpoint" + value: "role:admin and system_scope:all" + keystone-identity_delete_endpoint: + key: "identity:delete_endpoint" + value: "role:admin and system_scope:all" + keystone-identity_create_endpoint_group: + key: "identity:create_endpoint_group" + value: "role:admin and system_scope:all" + keystone-identity_list_endpoint_groups: + key: "identity:list_endpoint_groups" + value: "role:reader and system_scope:all" + keystone-identity_get_endpoint_group: + key: "identity:get_endpoint_group" + value: "role:reader and system_scope:all" + keystone-identity_update_endpoint_group: + key: "identity:update_endpoint_group" + value: "role:admin and system_scope:all" + keystone-identity_delete_endpoint_group: + key: "identity:delete_endpoint_group" + value: "role:admin and system_scope:all" + keystone-identity_list_projects_associated_with_endpoint_group: + key: "identity:list_projects_associated_with_endpoint_group" + value: "role:reader and system_scope:all" + 
keystone-identity_list_endpoints_associated_with_endpoint_group: + key: "identity:list_endpoints_associated_with_endpoint_group" + value: "role:reader and system_scope:all" + keystone-identity_get_endpoint_group_in_project: + key: "identity:get_endpoint_group_in_project" + value: "role:reader and system_scope:all" + keystone-identity_list_endpoint_groups_for_project: + key: "identity:list_endpoint_groups_for_project" + value: "role:reader and system_scope:all" + keystone-identity_add_endpoint_group_to_project: + key: "identity:add_endpoint_group_to_project" + value: "role:admin and system_scope:all" + keystone-identity_remove_endpoint_group_from_project: + key: "identity:remove_endpoint_group_from_project" + value: "role:admin and system_scope:all" + keystone-identity_check_grant: + key: "identity:check_grant" + value: "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + keystone-identity_list_grants: + key: "identity:list_grants" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" + keystone-identity_create_grant: + key: "identity:create_grant" + value: "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and 
domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + keystone-identity_revoke_grant: + key: "identity:revoke_grant" + value: "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + keystone-identity_list_system_grants_for_user: + key: "identity:list_system_grants_for_user" + value: "role:reader and system_scope:all" + keystone-identity_check_system_grant_for_user: + key: "identity:check_system_grant_for_user" + value: "role:reader and system_scope:all" + keystone-identity_create_system_grant_for_user: + key: "identity:create_system_grant_for_user" + value: "role:admin and system_scope:all" + keystone-identity_revoke_system_grant_for_user: + key: "identity:revoke_system_grant_for_user" + value: "role:admin and system_scope:all" + keystone-identity_list_system_grants_for_group: + key: "identity:list_system_grants_for_group" + value: "role:reader and system_scope:all" + keystone-identity_check_system_grant_for_group: + key: "identity:check_system_grant_for_group" + value: "role:reader and system_scope:all" + keystone-identity_create_system_grant_for_group: + key: "identity:create_system_grant_for_group" + value: "role:admin and system_scope:all" + 
keystone-identity_revoke_system_grant_for_group: + key: "identity:revoke_system_grant_for_group" + value: "role:admin and system_scope:all" + keystone-identity_get_group: + key: "identity:get_group" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + keystone-identity_list_groups: + key: "identity:list_groups" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + keystone-identity_list_groups_for_user: + key: "identity:list_groups_for_user" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" + keystone-identity_create_group: + key: "identity:create_group" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + keystone-identity_update_group: + key: "identity:update_group" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + keystone-identity_delete_group: + key: "identity:delete_group" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + keystone-identity_list_users_in_group: + key: "identity:list_users_in_group" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + keystone-identity_remove_user_from_group: + key: "identity:remove_user_from_group" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + keystone-identity_check_user_in_group: + key: "identity:check_user_in_group" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + keystone-identity_add_user_to_group: + key: "identity:add_user_to_group" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and 
domain_id:%(target.user.domain_id)s)" + keystone-identity_create_identity_provider: + key: "identity:create_identity_provider" + value: "role:admin and system_scope:all" + keystone-identity_list_identity_providers: + key: "identity:list_identity_providers" + value: "role:reader and system_scope:all" + keystone-identity_get_identity_provider: + key: "identity:get_identity_provider" + value: "role:reader and system_scope:all" + keystone-identity_update_identity_provider: + key: "identity:update_identity_provider" + value: "role:admin and system_scope:all" + keystone-identity_delete_identity_provider: + key: "identity:delete_identity_provider" + value: "role:admin and system_scope:all" + keystone-identity_get_implied_role: + key: "identity:get_implied_role" + value: "role:reader and system_scope:all" + keystone-identity_list_implied_roles: + key: "identity:list_implied_roles" + value: "role:reader and system_scope:all" + keystone-identity_create_implied_role: + key: "identity:create_implied_role" + value: "role:admin and system_scope:all" + keystone-identity_delete_implied_role: + key: "identity:delete_implied_role" + value: "role:admin and system_scope:all" + keystone-identity_list_role_inference_rules: + key: "identity:list_role_inference_rules" + value: "role:reader and system_scope:all" + keystone-identity_check_implied_role: + key: "identity:check_implied_role" + value: "role:reader and system_scope:all" + keystone-identity_get_limit_model: + key: "identity:get_limit_model" + value: "" + keystone-identity_get_limit: + key: "identity:get_limit" + value: "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)" + keystone-identity_list_limits: + key: "identity:list_limits" + value: "" + keystone-identity_create_limits: + key: "identity:create_limits" + value: "role:admin and system_scope:all" + 
keystone-identity_update_limit: + key: "identity:update_limit" + value: "role:admin and system_scope:all" + keystone-identity_delete_limit: + key: "identity:delete_limit" + value: "role:admin and system_scope:all" + keystone-identity_create_mapping: + key: "identity:create_mapping" + value: "role:admin and system_scope:all" + keystone-identity_get_mapping: + key: "identity:get_mapping" + value: "role:reader and system_scope:all" + keystone-identity_list_mappings: + key: "identity:list_mappings" + value: "role:reader and system_scope:all" + keystone-identity_delete_mapping: + key: "identity:delete_mapping" + value: "role:admin and system_scope:all" + keystone-identity_update_mapping: + key: "identity:update_mapping" + value: "role:admin and system_scope:all" + keystone-identity_get_policy: + key: "identity:get_policy" + value: "role:reader and system_scope:all" + keystone-identity_list_policies: + key: "identity:list_policies" + value: "role:reader and system_scope:all" + keystone-identity_create_policy: + key: "identity:create_policy" + value: "role:admin and system_scope:all" + keystone-identity_update_policy: + key: "identity:update_policy" + value: "role:admin and system_scope:all" + keystone-identity_delete_policy: + key: "identity:delete_policy" + value: "role:admin and system_scope:all" + keystone-identity_create_policy_association_for_endpoint: + key: "identity:create_policy_association_for_endpoint" + value: "role:admin and system_scope:all" + keystone-identity_check_policy_association_for_endpoint: + key: "identity:check_policy_association_for_endpoint" + value: "role:reader and system_scope:all" + keystone-identity_delete_policy_association_for_endpoint: + key: "identity:delete_policy_association_for_endpoint" + value: "role:admin and system_scope:all" + keystone-identity_create_policy_association_for_service: + key: "identity:create_policy_association_for_service" + value: "role:admin and system_scope:all" + 
keystone-identity_check_policy_association_for_service: + key: "identity:check_policy_association_for_service" + value: "role:reader and system_scope:all" + keystone-identity_delete_policy_association_for_service: + key: "identity:delete_policy_association_for_service" + value: "role:admin and system_scope:all" + keystone-identity_create_policy_association_for_region_and_service: + key: "identity:create_policy_association_for_region_and_service" + value: "role:admin and system_scope:all" + keystone-identity_check_policy_association_for_region_and_service: + key: "identity:check_policy_association_for_region_and_service" + value: "role:reader and system_scope:all" + keystone-identity_delete_policy_association_for_region_and_service: + key: "identity:delete_policy_association_for_region_and_service" + value: "role:admin and system_scope:all" + keystone-identity_get_policy_for_endpoint: + key: "identity:get_policy_for_endpoint" + value: "role:reader and system_scope:all" + keystone-identity_list_endpoints_for_policy: + key: "identity:list_endpoints_for_policy" + value: "role:reader and system_scope:all" + keystone-identity_get_project: + key: "identity:get_project" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + keystone-identity_list_projects: + key: "identity:list_projects" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + keystone-identity_list_user_projects: + key: "identity:list_user_projects" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + keystone-identity_create_project: + key: "identity:create_project" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + keystone-identity_update_project: + key: "identity:update_project" + value: "(role:admin and system_scope:all) or (role:admin 
and domain_id:%(target.project.domain_id)s)" + keystone-identity_delete_project: + key: "identity:delete_project" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + keystone-identity_list_project_tags: + key: "identity:list_project_tags" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + keystone-identity_get_project_tag: + key: "identity:get_project_tag" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + keystone-identity_update_project_tags: + key: "identity:update_project_tags" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + keystone-identity_create_project_tag: + key: "identity:create_project_tag" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + keystone-identity_delete_project_tags: + key: "identity:delete_project_tags" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + keystone-identity_delete_project_tag: + key: "identity:delete_project_tag" + value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + keystone-identity_list_projects_for_endpoint: + key: "identity:list_projects_for_endpoint" + value: "role:reader and system_scope:all" + keystone-identity_add_endpoint_to_project: + key: "identity:add_endpoint_to_project" + value: "role:admin and system_scope:all" + keystone-identity_check_endpoint_in_project: + key: "identity:check_endpoint_in_project" + value: "role:reader and system_scope:all" + 
keystone-identity_list_endpoints_for_project: + key: "identity:list_endpoints_for_project" + value: "role:reader and system_scope:all" + keystone-identity_remove_endpoint_from_project: + key: "identity:remove_endpoint_from_project" + value: "role:admin and system_scope:all" + keystone-identity_create_protocol: + key: "identity:create_protocol" + value: "role:admin and system_scope:all" + keystone-identity_update_protocol: + key: "identity:update_protocol" + value: "role:admin and system_scope:all" + keystone-identity_get_protocol: + key: "identity:get_protocol" + value: "role:reader and system_scope:all" + keystone-identity_list_protocols: + key: "identity:list_protocols" + value: "role:reader and system_scope:all" + keystone-identity_delete_protocol: + key: "identity:delete_protocol" + value: "role:admin and system_scope:all" + keystone-identity_get_region: + key: "identity:get_region" + value: "" + keystone-identity_list_regions: + key: "identity:list_regions" + value: "" + keystone-identity_create_region: + key: "identity:create_region" + value: "role:admin and system_scope:all" + keystone-identity_update_region: + key: "identity:update_region" + value: "role:admin and system_scope:all" + keystone-identity_delete_region: + key: "identity:delete_region" + value: "role:admin and system_scope:all" + keystone-identity_get_registered_limit: + key: "identity:get_registered_limit" + value: "" + keystone-identity_list_registered_limits: + key: "identity:list_registered_limits" + value: "" + keystone-identity_create_registered_limits: + key: "identity:create_registered_limits" + value: "role:admin and system_scope:all" + keystone-identity_update_registered_limit: + key: "identity:update_registered_limit" + value: "role:admin and system_scope:all" + keystone-identity_delete_registered_limit: + key: "identity:delete_registered_limit" + value: "role:admin and system_scope:all" + keystone-identity_list_revoke_events: + key: "identity:list_revoke_events" + value: 
"rule:service_or_admin" + keystone-identity_get_role: + key: "identity:get_role" + value: "role:reader and system_scope:all" + keystone-identity_list_roles: + key: "identity:list_roles" + value: "role:reader and system_scope:all" + keystone-identity_create_role: + key: "identity:create_role" + value: "role:admin and system_scope:all" + keystone-identity_update_role: + key: "identity:update_role" + value: "role:admin and system_scope:all" + keystone-identity_delete_role: + key: "identity:delete_role" + value: "role:admin and system_scope:all" + keystone-identity_get_domain_role: + key: "identity:get_domain_role" + value: "role:reader and system_scope:all" + keystone-identity_list_domain_roles: + key: "identity:list_domain_roles" + value: "role:reader and system_scope:all" + keystone-identity_create_domain_role: + key: "identity:create_domain_role" + value: "role:admin and system_scope:all" + keystone-identity_update_domain_role: + key: "identity:update_domain_role" + value: "role:admin and system_scope:all" + keystone-identity_delete_domain_role: + key: "identity:delete_domain_role" + value: "role:admin and system_scope:all" + keystone-identity_list_role_assignments: + key: "identity:list_role_assignments" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + keystone-identity_list_role_assignments_for_tree: + key: "identity:list_role_assignments_for_tree" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + keystone-identity_get_service: + key: "identity:get_service" + value: "role:reader and system_scope:all" + keystone-identity_list_services: + key: "identity:list_services" + value: "role:reader and system_scope:all" + keystone-identity_create_service: + key: "identity:create_service" + value: "role:admin and system_scope:all" + keystone-identity_update_service: + key: "identity:update_service" + value: 
"role:admin and system_scope:all" + keystone-identity_delete_service: + key: "identity:delete_service" + value: "role:admin and system_scope:all" + keystone-identity_create_service_provider: + key: "identity:create_service_provider" + value: "role:admin and system_scope:all" + keystone-identity_list_service_providers: + key: "identity:list_service_providers" + value: "role:reader and system_scope:all" + keystone-identity_get_service_provider: + key: "identity:get_service_provider" + value: "role:reader and system_scope:all" + keystone-identity_update_service_provider: + key: "identity:update_service_provider" + value: "role:admin and system_scope:all" + keystone-identity_delete_service_provider: + key: "identity:delete_service_provider" + value: "role:admin and system_scope:all" + keystone-identity_revocation_list: + key: "identity:revocation_list" + value: "rule:service_or_admin" + keystone-identity_check_token: + key: "identity:check_token" + value: "(role:reader and system_scope:all) or rule:token_subject" + keystone-identity_validate_token: + key: "identity:validate_token" + value: "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" + keystone-identity_revoke_token: + key: "identity:revoke_token" + value: "(role:admin and system_scope:all) or rule:token_subject" + keystone-identity_create_trust: + key: "identity:create_trust" + value: "user_id:%(trust.trustor_user_id)s" + keystone-identity_list_trusts: + key: "identity:list_trusts" + value: "role:reader and system_scope:all" + keystone-identity_list_trusts_for_trustor: + key: "identity:list_trusts_for_trustor" + value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + keystone-identity_list_trusts_for_trustee: + key: "identity:list_trusts_for_trustee" + value: "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" + keystone-identity_list_roles_for_trust: + key: "identity:list_roles_for_trust" + value: "role:reader and 
system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + keystone-identity_get_role_for_trust: + key: "identity:get_role_for_trust" + value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + keystone-identity_delete_trust: + key: "identity:delete_trust" + value: "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + keystone-identity_get_trust: + key: "identity:get_trust" + value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + keystone-identity_get_user: + key: "identity:get_user" + value: "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + keystone-identity_list_users: + key: "identity:list_users" + value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + keystone-identity_list_projects_for_user: + key: "identity:list_projects_for_user" + value: "" + keystone-identity_list_domains_for_user: + key: "identity:list_domains_for_user" + value: "" + keystone-identity_create_user: + key: "identity:create_user" + value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + keystone-identity_update_user: + key: "identity:update_user" + value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + keystone-identity_delete_user: + key: "identity:delete_user" + value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + BarbicanPolicies: + barbican-admin: + key: "admin" + value: "role:admin" + barbican-observer: + key: "observer" + value: "role:observer" + barbican-creator: + key: "creator" + value: "role:creator" + barbican-audit: + key: "audit" + value: "role:audit" + barbican-service_admin: + 
key: "service_admin"
+ value: "role:key-manager:service-admin"
+ barbican-admin_or_creator:
+ key: "admin_or_creator"
+ value: "rule:admin or rule:creator"
+ barbican-all_but_audit:
+ key: "all_but_audit"
+ value: "rule:admin or rule:observer or rule:creator"
+ barbican-all_users:
+ key: "all_users"
+ value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
+ barbican-secret_project_match:
+ key: "secret_project_match"
+ value: "project_id:%(target.secret.project_id)s"
+ barbican-secret_acl_read:
+ key: "secret_acl_read"
+ value: "'read':%(target.secret.read)s"
+ barbican-secret_private_read:
+ key: "secret_private_read"
+ value: "'False':%(target.secret.read_project_access)s"
+ barbican-secret_creator_user:
+ key: "secret_creator_user"
+ value: "user_id:%(target.secret.creator_id)s"
+ barbican-container_project_match:
+ key: "container_project_match"
+ value: "project_id:%(target.container.project_id)s"
+ barbican-container_acl_read:
+ key: "container_acl_read"
+ value: "'read':%(target.container.read)s"
+ barbican-container_private_read:
+ key: "container_private_read"
+ value: "'False':%(target.container.read_project_access)s"
+ barbican-container_creator_user:
+ key: "container_creator_user"
+ value: "user_id:%(target.container.creator_id)s"
+ barbican-secret_non_private_read:
+ key: "secret_non_private_read"
+ value: "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
+ barbican-secret_decrypt_non_private_read:
+ key: "secret_decrypt_non_private_read"
+ value: "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
+ barbican-container_non_private_read:
+ key: "container_non_private_read"
+ value: "rule:all_users and rule:container_project_match and not rule:container_private_read"
+ barbican-secret_project_admin:
+ key: "secret_project_admin"
+ value: "rule:admin and rule:secret_project_match"
+ barbican-secret_project_creator:
+ key: "secret_project_creator"
+ value:
"rule:creator and rule:secret_project_match and rule:secret_creator_user"
+ barbican-container_project_admin:
+ key: "container_project_admin"
+ value: "rule:admin and rule:container_project_match"
+ barbican-container_project_creator:
+ key: "container_project_creator"
+ value: "rule:creator and rule:container_project_match and rule:container_creator_user"
+ barbican-secret_acls_get:
+ key: "secret_acls:get"
+ value: "(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-secret_acls_delete:
+ key: "secret_acls:delete"
+ value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-secret_acls_put_patch:
+ key: "secret_acls:put_patch"
+ value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-container_acls_get:
+ key: "container_acls:get"
+ value: "(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-container_acls_delete:
+ key: "container_acls:delete"
+ value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s))
or role:admin and project_id:%(target.container.project_id)s"
+ barbican-container_acls_put_patch:
+ key: "container_acls:put_patch"
+ value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-consumer_get:
+ key: "consumer:get"
+ value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
+ barbican-consumers_get:
+ key: "consumers:get"
+ value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
+ barbican-consumers_post:
+ key: "consumers:post"
+ value: "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
+ barbican-consumers_delete:
+ key: "consumers:delete"
+ value: "rule:admin or rule:container_non_private_read or
rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
+ barbican-containers_post:
+ key: "containers:post"
+ value: "rule:admin_or_creator or role:member"
+ barbican-containers_get:
+ key: "containers:get"
+ value: "rule:all_but_audit or role:member"
+ barbican-container_get:
+ key: "container:get"
+ value: "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-container_delete:
+ key: "container:delete"
+ value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-container_secret_post:
+ key: "container_secret:post"
+ value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-container_secret_delete:
+ key: "container_secret:delete"
+ value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
+ barbican-orders_get:
+ key: "orders:get"
+ value: "rule:all_but_audit or
role:member"
+ barbican-orders_post:
+ key: "orders:post"
+ value: "rule:admin_or_creator or role:member"
+ barbican-orders_put:
+ key: "orders:put"
+ value: "rule:admin_or_creator or role:member"
+ barbican-order_get:
+ key: "order:get"
+ value: "rule:all_users or role:member"
+ barbican-order_delete:
+ key: "order:delete"
+ value: "rule:admin or role:member"
+ barbican-quotas_get:
+ key: "quotas:get"
+ value: "rule:all_users or role:reader"
+ barbican-project_quotas_get:
+ key: "project_quotas:get"
+ value: "rule:service_admin or role:reader and system_scope:all"
+ barbican-project_quotas_put:
+ key: "project_quotas:put"
+ value: "rule:service_admin or role:admin and system_scope:all"
+ barbican-project_quotas_delete:
+ key: "project_quotas:delete"
+ value: "rule:service_admin or role:admin and system_scope:all"
+ barbican-secret_meta_get:
+ key: "secret_meta:get"
+ value: "rule:all_but_audit or role:member"
+ barbican-secret_meta_post:
+ key: "secret_meta:post"
+ value: "rule:admin_or_creator or role:member"
+ barbican-secret_meta_put:
+ key: "secret_meta:put"
+ value: "rule:admin_or_creator or role:member"
+ barbican-secret_meta_delete:
+ key: "secret_meta:delete"
+ value: "rule:admin_or_creator or role:member"
+ barbican-secret_decrypt:
+ key: "secret:decrypt"
+ value: "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-secret_get:
+ key: "secret:get"
+ value: "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and
project_id:%(target.secret.project_id)s"
+ barbican-secret_put:
+ key: "secret:put"
+ value: "rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-secret_delete:
+ key: "secret:delete"
+ value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
+ barbican-secrets_post:
+ key: "secrets:post"
+ value: "rule:admin_or_creator or role:member"
+ barbican-secrets_get:
+ key: "secrets:get"
+ value: "rule:all_but_audit or role:member"
+ barbican-secretstores_get:
+ key: "secretstores:get"
+ value: "rule:all_users or role:reader"
+ barbican-secretstores_get_global_default:
+ key: "secretstores:get_global_default"
+ value: "rule:all_users or role:reader"
+ barbican-secretstores_get_preferred:
+ key: "secretstores:get_preferred"
+ value: "rule:all_users or role:reader"
+ barbican-secretstore_preferred_post:
+ key: "secretstore_preferred:post"
+ value: "rule:admin"
+ barbican-secretstore_preferred_delete:
+ key: "secretstore_preferred:delete"
+ value: "rule:admin"
+ barbican-secretstore_get:
+ key: "secretstore:get"
+ value: "rule:all_users or role:reader"
+ barbican-transport_key_get:
+ key: "transport_key:get"
+ value: "rule:all_users or role:reader"
+ barbican-transport_key_delete:
+ key: "transport_key:delete"
+ value: "role:admin and system_scope:all"
+ barbican-transport_keys_get:
+ key: "transport_keys:get"
+ value: "rule:all_users or role:reader"
+ barbican-transport_keys_post:
+ key: "transport_keys:post"
+ value: "role:admin and system_scope:all"
+ ManilaApiPolicies:
+ manila-system-admin:
+ key: "system-admin"
+ value: "role:admin and
system_scope:all"
+ manila-system-member:
+ key: "system-member"
+ value: "role:member and system_scope:all"
+ manila-system-reader:
+ key: "system-reader"
+ value: "role:reader and system_scope:all"
+ manila-project-admin:
+ key: "project-admin"
+ value: "role:admin and project_id:%(project_id)s"
+ manila-project-member:
+ key: "project-member"
+ value: "role:member and project_id:%(project_id)s"
+ manila-project-reader:
+ key: "project-reader"
+ value: "role:reader and project_id:%(project_id)s"
+ manila-context_is_admin:
+ key: "context_is_admin"
+ value: "rule:system-admin"
+ manila-admin_or_owner:
+ key: "admin_or_owner"
+ value: "is_admin:True or project_id:%(project_id)s"
+ manila-default:
+ key: "default"
+ value: "rule:admin_or_owner"
+ manila-admin_api:
+ key: "admin_api"
+ value: "is_admin:True"
+ manila-availability_zone_index:
+ key: "availability_zone:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-scheduler_stats_pools_index:
+ key: "scheduler_stats:pools:index"
+ value: "rule:system-reader"
+ manila-scheduler_stats_pools_detail:
+ key: "scheduler_stats:pools:detail"
+ value: "rule:system-reader"
+ manila-share_create:
+ key: "share:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_create_public_share:
+ key: "share:create_public_share"
+ value: "rule:system-admin"
+ manila-share_get:
+ key: "share:get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_get_all:
+ key: "share:get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_update:
+ key: "share:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_set_public_share:
+ key: "share:set_public_share"
+ value: "rule:system-admin"
+ manila-share_delete:
+ key: "share:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_force_delete:
+ key: "share:force_delete"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_manage:
+ key:
"share:manage"
+ value: "rule:system-admin"
+ manila-share_unmanage:
+ key: "share:unmanage"
+ value: "rule:system-admin"
+ manila-share_list_by_host:
+ key: "share:list_by_host"
+ value: "rule:system-reader"
+ manila-share_list_by_share_server_id:
+ key: "share:list_by_share_server_id"
+ value: "rule:system-reader"
+ manila-share_access_get:
+ key: "share:access_get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_access_get_all:
+ key: "share:access_get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_extend:
+ key: "share:extend"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_force_extend:
+ key: "share:force_extend"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_shrink:
+ key: "share:shrink"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_migration_start:
+ key: "share:migration_start"
+ value: "rule:system-admin"
+ manila-share_migration_complete:
+ key: "share:migration_complete"
+ value: "rule:system-admin"
+ manila-share_migration_cancel:
+ key: "share:migration_cancel"
+ value: "rule:system-admin"
+ manila-share_migration_get_progress:
+ key: "share:migration_get_progress"
+ value: "rule:system-reader"
+ manila-share_reset_task_state:
+ key: "share:reset_task_state"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_reset_status:
+ key: "share:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_revert_to_snapshot:
+ key: "share:revert_to_snapshot"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_allow_access:
+ key: "share:allow_access"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_deny_access:
+ key: "share:deny_access"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_update_share_metadata:
+ key: "share:update_share_metadata"
+ value: "(rule:system-admin) or (rule:project-member)"
+
manila-share_delete_share_metadata:
+ key: "share:delete_share_metadata"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_get_share_metadata:
+ key: "share:get_share_metadata"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_create_snapshot:
+ key: "share:create_snapshot"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_delete_snapshot:
+ key: "share:delete_snapshot"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_snapshot_update:
+ key: "share:snapshot_update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_instance_export_location_index:
+ key: "share_instance_export_location:index"
+ value: "rule:system-reader"
+ manila-share_instance_export_location_show:
+ key: "share_instance_export_location:show"
+ value: "rule:system-reader"
+ manila-share_type_create:
+ key: "share_type:create"
+ value: "rule:system-admin"
+ manila-share_type_update:
+ key: "share_type:update"
+ value: "rule:system-admin"
+ manila-share_type_show:
+ key: "share_type:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_type_index:
+ key: "share_type:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_type_default:
+ key: "share_type:default"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_type_delete:
+ key: "share_type:delete"
+ value: "rule:system-admin"
+ manila-share_type_list_project_access:
+ key: "share_type:list_project_access"
+ value: "rule:system-reader"
+ manila-share_type_add_project_access:
+ key: "share_type:add_project_access"
+ value: "rule:system-admin"
+ manila-share_type_remove_project_access:
+ key: "share_type:remove_project_access"
+ value: "rule:system-admin"
+ manila-share_types_extra_spec_create:
+ key: "share_types_extra_spec:create"
+ value: "rule:system-admin"
+ manila-share_types_extra_spec_show:
+ key: "share_types_extra_spec:show"
+ value: "rule:system-reader"
+
manila-share_types_extra_spec_index:
+ key: "share_types_extra_spec:index"
+ value: "rule:system-reader"
+ manila-share_types_extra_spec_update:
+ key: "share_types_extra_spec:update"
+ value: "rule:system-admin"
+ manila-share_types_extra_spec_delete:
+ key: "share_types_extra_spec:delete"
+ value: "rule:system-admin"
+ manila-share_snapshot_get_snapshot:
+ key: "share_snapshot:get_snapshot"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_snapshot_get_all_snapshots:
+ key: "share_snapshot:get_all_snapshots"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_snapshot_force_delete:
+ key: "share_snapshot:force_delete"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_snapshot_manage_snapshot:
+ key: "share_snapshot:manage_snapshot"
+ value: "rule:system-admin"
+ manila-share_snapshot_unmanage_snapshot:
+ key: "share_snapshot:unmanage_snapshot"
+ value: "rule:system-admin"
+ manila-share_snapshot_reset_status:
+ key: "share_snapshot:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_snapshot_access_list:
+ key: "share_snapshot:access_list"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_snapshot_allow_access:
+ key: "share_snapshot:allow_access"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_snapshot_deny_access:
+ key: "share_snapshot:deny_access"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_snapshot_export_location_index:
+ key: "share_snapshot_export_location:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_snapshot_export_location_show:
+ key: "share_snapshot_export_location:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_snapshot_instance_show:
+ key: "share_snapshot_instance:show"
+ value: "rule:system-reader"
+ manila-share_snapshot_instance_index:
+ key: "share_snapshot_instance:index"
+ value: "rule:system-reader"
+
manila-share_snapshot_instance_detail:
+ key: "share_snapshot_instance:detail"
+ value: "rule:system-reader"
+ manila-share_snapshot_instance_reset_status:
+ key: "share_snapshot_instance:reset_status"
+ value: "rule:system-admin"
+ manila-share_snapshot_instance_export_location_index:
+ key: "share_snapshot_instance_export_location:index"
+ value: "rule:system-reader"
+ manila-share_snapshot_instance_export_location_show:
+ key: "share_snapshot_instance_export_location:show"
+ value: "rule:system-reader"
+ manila-share_server_index:
+ key: "share_server:index"
+ value: "rule:system-reader"
+ manila-share_server_show:
+ key: "share_server:show"
+ value: "rule:system-reader"
+ manila-share_server_details:
+ key: "share_server:details"
+ value: "rule:system-reader"
+ manila-share_server_delete:
+ key: "share_server:delete"
+ value: "rule:system-admin"
+ manila-share_server_manage_share_server:
+ key: "share_server:manage_share_server"
+ value: "rule:system-admin"
+ manila-share_server_unmanage_share_server:
+ key: "share_server:unmanage_share_server"
+ value: "rule:system-admin"
+ manila-share_server_reset_status:
+ key: "share_server:reset_status"
+ value: "rule:system-admin"
+ manila-share_server_share_server_migration_start:
+ key: "share_server:share_server_migration_start"
+ value: "rule:system-admin"
+ manila-share_server_share_server_migration_check:
+ key: "share_server:share_server_migration_check"
+ value: "rule:system-reader"
+ manila-share_server_share_server_migration_complete:
+ key: "share_server:share_server_migration_complete"
+ value: "rule:system-admin"
+ manila-share_server_share_server_migration_cancel:
+ key: "share_server:share_server_migration_cancel"
+ value: "rule:system-admin"
+ manila-share_server_share_server_migration_get_progress:
+ key: "share_server:share_server_migration_get_progress"
+ value: "rule:system-reader"
+ manila-share_server_share_server_reset_task_state:
+ key: "share_server:share_server_reset_task_state"
+ value:
"rule:system-admin"
+ manila-service_index:
+ key: "service:index"
+ value: "rule:system-reader"
+ manila-service_update:
+ key: "service:update"
+ value: "rule:system-admin"
+ manila-quota_set_update:
+ key: "quota_set:update"
+ value: "rule:system-admin"
+ manila-quota_set_show:
+ key: "quota_set:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-quota_set_delete:
+ key: "quota_set:delete"
+ value: "rule:system-admin"
+ manila-quota_class_set_update:
+ key: "quota_class_set:update"
+ value: "rule:system-admin"
+ manila-quota_class_set_show:
+ key: "quota_class_set:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_types_spec_create:
+ key: "share_group_types_spec:create"
+ value: "rule:system-admin"
+ manila-share_group_types_spec_index:
+ key: "share_group_types_spec:index"
+ value: "rule:system-reader"
+ manila-share_group_types_spec_show:
+ key: "share_group_types_spec:show"
+ value: "rule:system-reader"
+ manila-share_group_types_spec_update:
+ key: "share_group_types_spec:update"
+ value: "rule:system-admin"
+ manila-share_group_types_spec_delete:
+ key: "share_group_types_spec:delete"
+ value: "rule:system-admin"
+ manila-share_group_type_create:
+ key: "share_group_type:create"
+ value: "rule:system-admin"
+ manila-share_group_type_index:
+ key: "share_group_type:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_type_show:
+ key: "share_group_type:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_type_default:
+ key: "share_group_type:default"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_type_delete:
+ key: "share_group_type:delete"
+ value: "rule:system-admin"
+ manila-share_group_type_list_project_access:
+ key: "share_group_type:list_project_access"
+ value: "rule:system-reader"
+ manila-share_group_type_add_project_access:
+ key: "share_group_type:add_project_access"
+ value: "rule:system-admin"
+
manila-share_group_type_remove_project_access:
+ key: "share_group_type:remove_project_access"
+ value: "rule:system-admin"
+ manila-share_group_snapshot_create:
+ key: "share_group_snapshot:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_snapshot_get:
+ key: "share_group_snapshot:get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_snapshot_get_all:
+ key: "share_group_snapshot:get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_snapshot_update:
+ key: "share_group_snapshot:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_snapshot_delete:
+ key: "share_group_snapshot:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_snapshot_force_delete:
+ key: "share_group_snapshot:force_delete"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_group_snapshot_reset_status:
+ key: "share_group_snapshot:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_group_create:
+ key: "share_group:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_get:
+ key: "share_group:get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_get_all:
+ key: "share_group:get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_group_update:
+ key: "share_group:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_delete:
+ key: "share_group:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_group_force_delete:
+ key: "share_group:force_delete"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_group_reset_status:
+ key: "share_group:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_replica_create:
+ key: "share_replica:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+
manila-share_replica_get_all:
+ key: "share_replica:get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_replica_show:
+ key: "share_replica:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_replica_delete:
+ key: "share_replica:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_replica_force_delete:
+ key: "share_replica:force_delete"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_replica_promote:
+ key: "share_replica:promote"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_replica_resync:
+ key: "share_replica:resync"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_replica_reset_replica_state:
+ key: "share_replica:reset_replica_state"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_replica_reset_status:
+ key: "share_replica:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_replica_export_location_index:
+ key: "share_replica_export_location:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_replica_export_location_show:
+ key: "share_replica_export_location:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_network_create:
+ key: "share_network:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_show:
+ key: "share_network:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_network_index:
+ key: "share_network:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_network_detail:
+ key: "share_network:detail"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_network_update:
+ key: "share_network:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_delete:
+ key: "share_network:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+
manila-share_network_add_security_service:
+ key: "share_network:add_security_service"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_add_security_service_check:
+ key: "share_network:add_security_service_check"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_remove_security_service:
+ key: "share_network:remove_security_service"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_update_security_service:
+ key: "share_network:update_security_service"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_update_security_service_check:
+ key: "share_network:update_security_service_check"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_reset_status:
+ key: "share_network:reset_status"
+ value: "(rule:system-admin) or (rule:project-admin)"
+ manila-share_network_get_all_share_networks:
+ key: "share_network:get_all_share_networks"
+ value: "rule:system-reader"
+ manila-share_network_subnet_create:
+ key: "share_network_subnet:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_subnet_delete:
+ key: "share_network_subnet:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_network_subnet_show:
+ key: "share_network_subnet:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_network_subnet_index:
+ key: "share_network_subnet:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-security_service_create:
+ key: "security_service:create"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-security_service_show:
+ key: "security_service:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-security_service_detail:
+ key: "security_service:detail"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-security_service_index:
+ key: "security_service:index"
+ value: "(rule:system-reader)
or (rule:project-reader)"
+ manila-security_service_update:
+ key: "security_service:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-security_service_delete:
+ key: "security_service:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-security_service_get_all_security_services:
+ key: "security_service:get_all_security_services"
+ value: "rule:system-reader"
+ manila-share_export_location_index:
+ key: "share_export_location:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_export_location_show:
+ key: "share_export_location:show"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_instance_index:
+ key: "share_instance:index"
+ value: "rule:system-reader"
+ manila-share_instance_show:
+ key: "share_instance:show"
+ value: "rule:system-reader"
+ manila-share_instance_force_delete:
+ key: "share_instance:force_delete"
+ value: "rule:system-admin"
+ manila-share_instance_reset_status:
+ key: "share_instance:reset_status"
+ value: "rule:system-admin"
+ manila-message_get:
+ key: "message:get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-message_get_all:
+ key: "message:get_all"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-message_delete:
+ key: "message:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_access_rule_get:
+ key: "share_access_rule:get"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_access_rule_index:
+ key: "share_access_rule:index"
+ value: "(rule:system-reader) or (rule:project-reader)"
+ manila-share_access_metadata_update:
+ key: "share_access_metadata:update"
+ value: "(rule:system-admin) or (rule:project-member)"
+ manila-share_access_metadata_delete:
+ key: "share_access_metadata:delete"
+ value: "(rule:system-admin) or (rule:project-member)"
+ OctaviaApiPolicies:
+ octavia-system-admin:
+ key: "system-admin"
+ value: "role:admin and system_scope:all"
+
octavia-system-reader:
+ key: "system-reader"
+ value: "role:reader and system_scope:all"
+ octavia-project-member:
+ key: "project-member"
+ value: "role:member and project_id:%(project_id)s"
+ octavia-project-reader:
+ key: "project-reader"
+ value: "role:reader and project_id:%(project_id)s"
+ octavia-context_is_admin:
+ key: "context_is_admin"
+ value: "role:load-balancer_admin or rule:system-admin"
+ octavia-load-balancer_owner:
+ key: "load-balancer:owner"
+ value: "project_id:%(project_id)s"
+ octavia-load-balancer_observer_and_owner:
+ key: "load-balancer:observer_and_owner"
+ value: "role:load-balancer_observer and rule:project-reader"
+ octavia-load-balancer_global_observer:
+ key: "load-balancer:global_observer"
+ value: "role:load-balancer_global_observer or rule:system-reader"
+ octavia-load-balancer_member_and_owner:
+ key: "load-balancer:member_and_owner"
+ value: "role:load-balancer_member and rule:project-member"
+ octavia-load-balancer_admin:
+ key: "load-balancer:admin"
+ value: "is_admin:True or role:load-balancer_admin or rule:system-admin"
+ octavia-load-balancer_read:
+ key: "load-balancer:read"
+ value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+ octavia-load-balancer_read-global:
+ key: "load-balancer:read-global"
+ value: "rule:load-balancer:global_observer or rule:load-balancer:admin"
+ octavia-load-balancer_write:
+ key: "load-balancer:write"
+ value: "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+ octavia-load-balancer_read-quota:
+ key: "load-balancer:read-quota"
+ value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
+ octavia-load-balancer_read-quota-global:
+ key: "load-balancer:read-quota-global"
+ value: "rule:load-balancer:global_observer or role:load-balancer_quota_admin or
rule:load-balancer:admin" + octavia-load-balancer_write-quota: + key: "load-balancer:write-quota" + value: "role:load-balancer_quota_admin or rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor_get_all: + key: "os_load-balancer_api:flavor:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_flavor_post: + key: "os_load-balancer_api:flavor:post" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor_put: + key: "os_load-balancer_api:flavor:put" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor_get_one: + key: "os_load-balancer_api:flavor:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_flavor_delete: + key: "os_load-balancer_api:flavor:delete" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor-profile_get_all: + key: "os_load-balancer_api:flavor-profile:get_all" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor-profile_post: + key: "os_load-balancer_api:flavor-profile:post" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor-profile_put: + key: "os_load-balancer_api:flavor-profile:put" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor-profile_get_one: + key: "os_load-balancer_api:flavor-profile:get_one" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_flavor-profile_delete: + key: "os_load-balancer_api:flavor-profile:delete" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone_get_all: + key: "os_load-balancer_api:availability-zone:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_availability-zone_post: + key: "os_load-balancer_api:availability-zone:post" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone_put: + key: "os_load-balancer_api:availability-zone:put" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone_get_one: + key: 
"os_load-balancer_api:availability-zone:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_availability-zone_delete: + key: "os_load-balancer_api:availability-zone:delete" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone-profile_get_all: + key: "os_load-balancer_api:availability-zone-profile:get_all" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone-profile_post: + key: "os_load-balancer_api:availability-zone-profile:post" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone-profile_put: + key: "os_load-balancer_api:availability-zone-profile:put" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone-profile_get_one: + key: "os_load-balancer_api:availability-zone-profile:get_one" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_availability-zone-profile_delete: + key: "os_load-balancer_api:availability-zone-profile:delete" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_healthmonitor_get_all: + key: "os_load-balancer_api:healthmonitor:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_healthmonitor_get_all-global: + key: "os_load-balancer_api:healthmonitor:get_all-global" + value: "rule:load-balancer:read-global" + octavia-os_load-balancer_api_healthmonitor_post: + key: "os_load-balancer_api:healthmonitor:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_healthmonitor_get_one: + key: "os_load-balancer_api:healthmonitor:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_healthmonitor_put: + key: "os_load-balancer_api:healthmonitor:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_healthmonitor_delete: + key: "os_load-balancer_api:healthmonitor:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7policy_get_all: + key: "os_load-balancer_api:l7policy:get_all" + 
value: "rule:load-balancer:read" + octavia-os_load-balancer_api_l7policy_get_all-global: + key: "os_load-balancer_api:l7policy:get_all-global" + value: "rule:load-balancer:read-global" + octavia-os_load-balancer_api_l7policy_post: + key: "os_load-balancer_api:l7policy:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7policy_get_one: + key: "os_load-balancer_api:l7policy:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_l7policy_put: + key: "os_load-balancer_api:l7policy:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7policy_delete: + key: "os_load-balancer_api:l7policy:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7rule_get_all: + key: "os_load-balancer_api:l7rule:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_l7rule_post: + key: "os_load-balancer_api:l7rule:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7rule_get_one: + key: "os_load-balancer_api:l7rule:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_l7rule_put: + key: "os_load-balancer_api:l7rule:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_l7rule_delete: + key: "os_load-balancer_api:l7rule:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_listener_get_all: + key: "os_load-balancer_api:listener:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_listener_get_all-global: + key: "os_load-balancer_api:listener:get_all-global" + value: "rule:load-balancer:read-global" + octavia-os_load-balancer_api_listener_post: + key: "os_load-balancer_api:listener:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_listener_get_one: + key: "os_load-balancer_api:listener:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_listener_put: + key: "os_load-balancer_api:listener:put" + value: "rule:load-balancer:write" + 
octavia-os_load-balancer_api_listener_delete: + key: "os_load-balancer_api:listener:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_listener_get_stats: + key: "os_load-balancer_api:listener:get_stats" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_loadbalancer_get_all: + key: "os_load-balancer_api:loadbalancer:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_loadbalancer_get_all-global: + key: "os_load-balancer_api:loadbalancer:get_all-global" + value: "rule:load-balancer:read-global" + octavia-os_load-balancer_api_loadbalancer_post: + key: "os_load-balancer_api:loadbalancer:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_loadbalancer_get_one: + key: "os_load-balancer_api:loadbalancer:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_loadbalancer_put: + key: "os_load-balancer_api:loadbalancer:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_loadbalancer_delete: + key: "os_load-balancer_api:loadbalancer:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_loadbalancer_get_stats: + key: "os_load-balancer_api:loadbalancer:get_stats" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_loadbalancer_get_status: + key: "os_load-balancer_api:loadbalancer:get_status" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_loadbalancer_put_failover: + key: "os_load-balancer_api:loadbalancer:put_failover" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_member_get_all: + key: "os_load-balancer_api:member:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_member_post: + key: "os_load-balancer_api:member:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_member_get_one: + key: "os_load-balancer_api:member:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_member_put: + key: 
"os_load-balancer_api:member:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_member_delete: + key: "os_load-balancer_api:member:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_pool_get_all: + key: "os_load-balancer_api:pool:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_pool_get_all-global: + key: "os_load-balancer_api:pool:get_all-global" + value: "rule:load-balancer:read-global" + octavia-os_load-balancer_api_pool_post: + key: "os_load-balancer_api:pool:post" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_pool_get_one: + key: "os_load-balancer_api:pool:get_one" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_pool_put: + key: "os_load-balancer_api:pool:put" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_pool_delete: + key: "os_load-balancer_api:pool:delete" + value: "rule:load-balancer:write" + octavia-os_load-balancer_api_provider_get_all: + key: "os_load-balancer_api:provider:get_all" + value: "rule:load-balancer:read" + octavia-os_load-balancer_api_quota_get_all: + key: "os_load-balancer_api:quota:get_all" + value: "rule:load-balancer:read-quota" + octavia-os_load-balancer_api_quota_get_all-global: + key: "os_load-balancer_api:quota:get_all-global" + value: "rule:load-balancer:read-quota-global" + octavia-os_load-balancer_api_quota_get_one: + key: "os_load-balancer_api:quota:get_one" + value: "rule:load-balancer:read-quota" + octavia-os_load-balancer_api_quota_put: + key: "os_load-balancer_api:quota:put" + value: "rule:load-balancer:write-quota" + octavia-os_load-balancer_api_quota_delete: + key: "os_load-balancer_api:quota:delete" + value: "rule:load-balancer:write-quota" + octavia-os_load-balancer_api_quota_get_defaults: + key: "os_load-balancer_api:quota:get_defaults" + value: "rule:load-balancer:read-quota" + octavia-os_load-balancer_api_amphora_get_all: + key: "os_load-balancer_api:amphora:get_all" + value: 
"rule:load-balancer:admin" + octavia-os_load-balancer_api_amphora_get_one: + key: "os_load-balancer_api:amphora:get_one" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_amphora_delete: + key: "os_load-balancer_api:amphora:delete" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_amphora_put_config: + key: "os_load-balancer_api:amphora:put_config" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_amphora_put_failover: + key: "os_load-balancer_api:amphora:put_failover" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_amphora_get_stats: + key: "os_load-balancer_api:amphora:get_stats" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_provider-flavor_get_all: + key: "os_load-balancer_api:provider-flavor:get_all" + value: "rule:load-balancer:admin" + octavia-os_load-balancer_api_provider-availability-zone_get_all: + key: "os_load-balancer_api:provider-availability-zone:get_all" + value: "rule:load-balancer:admin" + IronicApiPolicies: + ironic-admin_api: + key: "admin_api" + value: "role:admin or role:administrator" + ironic-public_api: + key: "public_api" + value: "is_public_api:True" + ironic-show_password: + key: "show_password" + value: "!" + ironic-show_instance_secrets: + key: "show_instance_secrets" + value: "!" 
+ ironic-is_member: + key: "is_member" + value: "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)" + ironic-is_observer: + key: "is_observer" + value: "rule:is_member and (role:observer or role:baremetal_observer)" + ironic-is_admin: + key: "is_admin" + value: "rule:admin_api or (rule:is_member and role:baremetal_admin)" + ironic-is_node_owner: + key: "is_node_owner" + value: "project_id:%(node.owner)s" + ironic-is_node_lessee: + key: "is_node_lessee" + value: "project_id:%(node.lessee)s" + ironic-is_allocation_owner: + key: "is_allocation_owner" + value: "project_id:%(allocation.owner)s" + ironic-baremetal_node_create: + key: "baremetal:node:create" + value: "role:admin and system_scope:all" + ironic-baremetal_node_list: + key: "baremetal:node:list" + value: "role:reader" + ironic-baremetal_node_list_all: + key: "baremetal:node:list_all" + value: "role:reader and system_scope:all" + ironic-baremetal_node_get: + key: "baremetal:node:get" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_get_filter_threshold: + key: "baremetal:node:get:filter_threshold" + value: "role:reader and system_scope:all" + ironic-baremetal_node_get_last_error: + key: "baremetal:node:get:last_error" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ironic-baremetal_node_get_reservation: + key: "baremetal:node:get:reservation" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ironic-baremetal_node_get_driver_internal_info: + key: "baremetal:node:get:driver_internal_info" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ironic-baremetal_node_get_driver_info: + key: "baremetal:node:get:driver_info" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + 
ironic-baremetal_node_update_driver_info: + key: "baremetal:node:update:driver_info" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update: + key: "baremetal:node:update" + value: "rule:baremetal:node:update:driver_info" + ironic-baremetal_node_update_properties: + key: "baremetal:node:update:properties" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_chassis_uuid: + key: "baremetal:node:update:chassis_uuid" + value: "role:admin and system_scope:all" + ironic-baremetal_node_update_instance_uuid: + key: "baremetal:node:update:instance_uuid" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_lessee: + key: "baremetal:node:update:lessee" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_owner: + key: "baremetal:node:update:owner" + value: "role:member and system_scope:all" + ironic-baremetal_node_update_driver_interfaces: + key: "baremetal:node:update:driver_interfaces" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_update_network_data: + key: "baremetal:node:update:network_data" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_conductor_group: + key: "baremetal:node:update:conductor_group" + value: "role:member and system_scope:all" + ironic-baremetal_node_update_name: + key: "baremetal:node:update:name" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_retired: + key: "baremetal:node:update:retired" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_update_extra: + key: "baremetal:node:update_extra" 
+ value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_update_instance_info: + key: "baremetal:node:update_instance_info" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_update_owner_provisioned: + key: "baremetal:node:update_owner_provisioned" + value: "role:admin and system_scope:all" + ironic-baremetal_node_delete: + key: "baremetal:node:delete" + value: "role:admin and system_scope:all" + ironic-baremetal_node_validate: + key: "baremetal:node:validate" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_set_maintenance: + key: "baremetal:node:set_maintenance" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_clear_maintenance: + key: "baremetal:node:clear_maintenance" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_get_boot_device: + key: "baremetal:node:get_boot_device" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_set_boot_device: + key: "baremetal:node:set_boot_device" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_get_indicator_state: + key: "baremetal:node:get_indicator_state" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_set_indicator_state: + key: "baremetal:node:set_indicator_state" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" 
+ ironic-baremetal_node_inject_nmi: + key: "baremetal:node:inject_nmi" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_get_states: + key: "baremetal:node:get_states" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_set_power_state: + key: "baremetal:node:set_power_state" + value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_set_boot_mode: + key: "baremetal:node:set_boot_mode" + value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_set_secure_boot: + key: "baremetal:node:set_secure_boot" + value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_set_provision_state: + key: "baremetal:node:set_provision_state" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_set_raid_state: + key: "baremetal:node:set_raid_state" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_get_console: + key: "baremetal:node:get_console" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_set_console_state: + key: "baremetal:node:set_console_state" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ironic-baremetal_node_vif_list: + key: "baremetal:node:vif:list" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_vif_attach: + key: "baremetal:node:vif:attach" + value: 
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_vif_detach: + key: "baremetal:node:vif:detach" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_node_traits_list: + key: "baremetal:node:traits:list" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_traits_set: + key: "baremetal:node:traits:set" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_traits_delete: + key: "baremetal:node:traits:delete" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_node_bios_get: + key: "baremetal:node:bios:get" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_node_disable_cleaning: + key: "baremetal:node:disable_cleaning" + value: "role:admin and system_scope:all" + ironic-baremetal_node_history_get: + key: "baremetal:node:history:get" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ironic-baremetal_port_get: + key: "baremetal:port:get" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_port_list: + key: "baremetal:port:list" + value: "role:reader" + ironic-baremetal_port_list_all: + key: "baremetal:port:list_all" + value: "role:reader and system_scope:all" + ironic-baremetal_port_create: + key: "baremetal:port:create" + value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_port_delete: + key: "baremetal:port:delete" + value: "(role:admin and system_scope:all) or 
(role:admin and project_id:%(node.owner)s)" + ironic-baremetal_port_update: + key: "baremetal:port:update" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_portgroup_get: + key: "baremetal:portgroup:get" + value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ironic-baremetal_portgroup_create: + key: "baremetal:portgroup:create" + value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_portgroup_delete: + key: "baremetal:portgroup:delete" + value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_portgroup_update: + key: "baremetal:portgroup:update" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ironic-baremetal_portgroup_list: + key: "baremetal:portgroup:list" + value: "role:reader" + ironic-baremetal_portgroup_list_all: + key: "baremetal:portgroup:list_all" + value: "role:reader and system_scope:all" + ironic-baremetal_chassis_get: + key: "baremetal:chassis:get" + value: "role:reader and system_scope:all" + ironic-baremetal_chassis_create: + key: "baremetal:chassis:create" + value: "role:admin and system_scope:all" + ironic-baremetal_chassis_delete: + key: "baremetal:chassis:delete" + value: "role:admin and system_scope:all" + ironic-baremetal_chassis_update: + key: "baremetal:chassis:update" + value: "role:member and system_scope:all" + ironic-baremetal_driver_get: + key: "baremetal:driver:get" + value: "role:reader and system_scope:all" + ironic-baremetal_driver_get_properties: + key: "baremetal:driver:get_properties" + value: "role:reader and system_scope:all" + ironic-baremetal_driver_get_raid_logical_disk_properties: + key: "baremetal:driver:get_raid_logical_disk_properties" + value: "role:reader and system_scope:all" + ironic-baremetal_node_vendor_passthru: + key: 
"baremetal:node:vendor_passthru" + value: "role:admin and system_scope:all" + ironic-baremetal_driver_vendor_passthru: + key: "baremetal:driver:vendor_passthru" + value: "role:admin and system_scope:all" + ironic-baremetal_node_ipa_heartbeat: + key: "baremetal:node:ipa_heartbeat" + value: "" + ironic-baremetal_driver_ipa_lookup: + key: "baremetal:driver:ipa_lookup" + value: "" + ironic-baremetal_volume_list_all: + key: "baremetal:volume:list_all" + value: "role:reader and system_scope:all" + ironic-baremetal_volume_get: + key: "baremetal:volume:get" + value: "rule:baremetal:volume:list_all" + ironic-baremetal_volume_list: + key: "baremetal:volume:list" + value: "role:reader" + ironic-baremetal_volume_create: + key: "baremetal:volume:create" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_volume_delete: + key: "baremetal:volume:delete" + value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_volume_update: + key: "baremetal:volume:update" + value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ironic-baremetal_volume_view_target_properties: + key: "baremetal:volume:view_target_properties" + value: "(role:reader and system_scope:all) or (role:admin)" + ironic-baremetal_conductor_get: + key: "baremetal:conductor:get" + value: "role:reader and system_scope:all" + ironic-baremetal_allocation_get: + key: "baremetal:allocation:get" + value: "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)" + ironic-baremetal_allocation_list: + key: "baremetal:allocation:list" + value: "role:reader" + ironic-baremetal_allocation_list_all: + key: "baremetal:allocation:list_all" + value: "role:reader and system_scope:all" + ironic-baremetal_allocation_create: + 
key: "baremetal:allocation:create" + value: "(role:member and system_scope:all) or (role:member)" + ironic-baremetal_allocation_create_restricted: + key: "baremetal:allocation:create_restricted" + value: "role:member and system_scope:all" + ironic-baremetal_allocation_delete: + key: "baremetal:allocation:delete" + value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" + ironic-baremetal_allocation_update: + key: "baremetal:allocation:update" + value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" + ironic-baremetal_allocation_create_pre_rbac: + key: "baremetal:allocation:create_pre_rbac" + value: "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)" + ironic-baremetal_events_post: + key: "baremetal:events:post" + value: "role:admin and system_scope:all" + ironic-baremetal_deploy_template_get: + key: "baremetal:deploy_template:get" + value: "role:reader and system_scope:all" + ironic-baremetal_deploy_template_create: + key: "baremetal:deploy_template:create" + value: "role:admin and system_scope:all" + ironic-baremetal_deploy_template_delete: + key: "baremetal:deploy_template:delete" + value: "role:admin and system_scope:all" + ironic-baremetal_deploy_template_update: + key: "baremetal:deploy_template:update" + value: "role:admin and system_scope:all" + diff --git a/tools/convert_policy_yaml_to_heat_template.py b/tools/convert_policy_yaml_to_heat_template.py new file mode 100755 index 0000000000..81519620f2 --- /dev/null +++ b/tools/convert_policy_yaml_to_heat_template.py 
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import argparse
+import os
+
+import ruamel.yaml
+from ruamel.yaml import YAML
+
+# Not all policy variables across services in THT are consistent. This mapping
+# assoicates the service name to the right THT variable.
+_SERVICE_MAP = {
+ 'barbican': 'BarbicanPolicies',
+ 'cinder': 'CinderApiPolicies',
+ 'designate': 'DesignateApiPolicies',
+ 'glance': 'GlanceApiPolicies',
+ 'ironic': 'IronicApiPolicies',
+ 'keystone': 'KeystonePolicies',
+ 'manila': 'ManilaApiPolicies',
+ 'neutron': 'NeutronApiPolicies',
+ 'nova': 'NovaApiPolicies',
+ 'octavia': 'OctaviaApiPolicies',
+ 'placement': 'PlacementPolicies'
+}
+_SCALAR = ruamel.yaml.scalarstring.DoubleQuotedScalarString
+
+parser = argparse.ArgumentParser()
+parser.add_argument(
+ '-d', '--policy-dir', required=True,
+ help=(
+ 'Directory containing policy.yaml files for OpenStack services. '
+ 'This script expects files to be named $SERVICE.yaml. For example '
+ 'nova.yaml for nova\'s policies.'
+ )
+)
+args = parser.parse_args()
+
+heat_template = {'parameter_defaults': {'EnforceSecureRbac': False}}
+for filename in os.listdir(args.policy_dir):
+ service = filename.split('.')[0]
+ tht_var_name = _SERVICE_MAP.get(service)
+ filepath = os.path.join(args.policy_dir, filename)
+ with open(filepath, 'r') as f:
+ safe_handler = YAML(typ='safe')
+ # A lot of policy files have duplicate keys, which violates YAML. Allow
+ # duplicate keys for the time being.
+ safe_handler.allow_duplicate_keys = True
+ policies = safe_handler.load(f)
+
+ template = {}
+ for name, value in policies.items():
+ rule = name.split(':')[-1]
+ rule = name.replace(':', '_')
+ key = service + '-' + rule
+ template[key] = {'key': _SCALAR(name), 'value': _SCALAR(value)}
+ heat_template['parameter_defaults'][tht_var_name] = template
+
+print(
+ ruamel.yaml.dump(
+ heat_template, Dumper=ruamel.yaml.RoundTripDumper, width=500
+ )
+)
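Review bot: `tht_var_name = _SERVICE_MAP.get(service)` has no fallback, so a file in `--policy-dir` whose stem is not in `_SERVICE_MAP` (a stray README, a `.yaml.bak`, or a service the map does not know yet) is not rejected but silently emitted under a `null` key in `parameter_defaults`, and `os.listdir` also yields subdirectories that the `open()` below would fail on; add `if tht_var_name is None: raise SystemExit(f'unknown service {service!r} in {filename}')` right after the lookup. `safe_handler.allow_duplicate_keys = True` means a policy file that defines the same rule twice loads with only one of the two definitions and no trace of the other, which for access-control rules is exactly the drift an operator wants to see, so print a warning to stderr naming the duplicated key (a small pre-scan of the file suffices if the loader does not report them) instead of accepting it quietly. `rule = name.split(':')[-1]` is dead, overwritten on the next line by `rule = name.replace(':', '_')`; drop it. The comment above `_SERVICE_MAP` misspells `associates`, and the script body would read better under an `if __name__ == '__main__':` guard.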