Merge "Implement project personas in custom neutron policy file"
commit
5a7abf2ea4
|
@ -783,6 +783,9 @@ parameter_defaults:
|
|||
neutron-admin_only:
|
||||
key: "admin_only"
|
||||
value: "rule:context_is_admin"
|
||||
neutron-admin_api:
|
||||
key: "admin_api"
|
||||
value: "role:admin"
|
||||
neutron-regular_user:
|
||||
key: "regular_user"
|
||||
value: ""
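Review bot: `neutron-admin_api` is defined here as bare `role:admin`, with no `system_scope` or `project_id` term, so every rule in the later hunks that is rewritten to `rule:admin_api` would pass for a token holding admin on any one project (this assumes the second value of each printed pair is the new side, since the page has lost its +/- markers). That widens rules such as `create_network:shared`, `update_quota` and `create_port:binding:host_id`, which previously required `role:admin and system_scope:all`, and the port rules that carried `role:admin and project_id:%(project_id)s` lose their project match as well. If that is the intended persona model, state it above the rule, for example `# admin_api: admin role on ANY project is cloud-wide admin; no scope or project check`, and confirm that admin role assignments in the deployment are restricted to match. Two side effects are worth checking: reads like `get_agent` and `get_quota` go from `role:reader and system_scope:all` to `rule:admin_api`, so read-only operators lose them, and `restrict_wildcard` switches from `rule:admin_only` (`rule:context_is_admin`) to `rule:admin_api` (`role:admin`), which are different rules in this file. The file section starts and ends outside the visible part of the page.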
|
||||
|
@ -806,271 +809,271 @@ parameter_defaults:
|
|||
value: "field:address_groups:shared=True"
|
||||
neutron-get_address_group:
|
||||
key: "get_address_group"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
|
||||
neutron-shared_address_scopes:
|
||||
key: "shared_address_scopes"
|
||||
value: "field:address_scopes:shared=True"
|
||||
neutron-create_address_scope:
|
||||
key: "create_address_scope"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_address_scope_shared:
|
||||
key: "create_address_scope:shared"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_address_scope:
|
||||
key: "get_address_scope"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
|
||||
neutron-update_address_scope:
|
||||
key: "update_address_scope"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_address_scope_shared:
|
||||
key: "update_address_scope:shared"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_address_scope:
|
||||
key: "delete_address_scope"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_agent:
|
||||
key: "get_agent"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_agent:
|
||||
key: "update_agent"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_agent:
|
||||
key: "delete_agent"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_dhcp-network:
|
||||
key: "create_dhcp-network"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_dhcp-networks:
|
||||
key: "get_dhcp-networks"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_dhcp-network:
|
||||
key: "delete_dhcp-network"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_l3-router:
|
||||
key: "create_l3-router"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_l3-routers:
|
||||
key: "get_l3-routers"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_l3-router:
|
||||
key: "delete_l3-router"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_dhcp-agents:
|
||||
key: "get_dhcp-agents"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_l3-agents:
|
||||
key: "get_l3-agents"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_auto_allocated_topology:
|
||||
key: "get_auto_allocated_topology"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-delete_auto_allocated_topology:
|
||||
key: "delete_auto_allocated_topology"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_availability_zone:
|
||||
key: "get_availability_zone"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_flavor:
|
||||
key: "create_flavor"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_flavor:
|
||||
key: "get_flavor"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-update_flavor:
|
||||
key: "update_flavor"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_flavor:
|
||||
key: "delete_flavor"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_service_profile:
|
||||
key: "create_service_profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_service_profile:
|
||||
key: "get_service_profile"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_service_profile:
|
||||
key: "update_service_profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_service_profile:
|
||||
key: "delete_service_profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_flavor_service_profile:
|
||||
key: "get_flavor_service_profile"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_flavor_service_profile:
|
||||
key: "create_flavor_service_profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_flavor_service_profile:
|
||||
key: "delete_flavor_service_profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_floatingip:
|
||||
key: "create_floatingip"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_floatingip_floating_ip_address:
|
||||
key: "create_floatingip:floating_ip_address"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_floatingip:
|
||||
key: "get_floatingip"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-update_floatingip:
|
||||
key: "update_floatingip"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-delete_floatingip:
|
||||
key: "delete_floatingip"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_floatingip_pool:
|
||||
key: "get_floatingip_pool"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_floatingip_port_forwarding:
|
||||
key: "create_floatingip_port_forwarding"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-get_floatingip_port_forwarding:
|
||||
key: "get_floatingip_port_forwarding"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-update_floatingip_port_forwarding:
|
||||
key: "update_floatingip_port_forwarding"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-delete_floatingip_port_forwarding:
|
||||
key: "delete_floatingip_port_forwarding"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-create_router_conntrack_helper:
|
||||
key: "create_router_conntrack_helper"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-get_router_conntrack_helper:
|
||||
key: "get_router_conntrack_helper"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-update_router_conntrack_helper:
|
||||
key: "update_router_conntrack_helper"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-delete_router_conntrack_helper:
|
||||
key: "delete_router_conntrack_helper"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
|
||||
neutron-get_loggable_resource:
|
||||
key: "get_loggable_resource"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_log:
|
||||
key: "create_log"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_log:
|
||||
key: "get_log"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_log:
|
||||
key: "update_log"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_log:
|
||||
key: "delete_log"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_metering_label:
|
||||
key: "create_metering_label"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_metering_label:
|
||||
key: "get_metering_label"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_metering_label:
|
||||
key: "delete_metering_label"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_metering_label_rule:
|
||||
key: "create_metering_label_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_metering_label_rule:
|
||||
key: "get_metering_label_rule"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_metering_label_rule:
|
||||
key: "delete_metering_label_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-external:
|
||||
key: "external"
|
||||
value: "field:networks:router:external=True"
|
||||
neutron-create_network:
|
||||
key: "create_network"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_network_shared:
|
||||
key: "create_network:shared"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_router_external:
|
||||
key: "create_network:router:external"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_is_default:
|
||||
key: "create_network:is_default"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_port_security_enabled:
|
||||
key: "create_network:port_security_enabled"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_network_segments:
|
||||
key: "create_network:segments"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_provider_network_type:
|
||||
key: "create_network:provider:network_type"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_provider_physical_network:
|
||||
key: "create_network:provider:physical_network"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_provider_segmentation_id:
|
||||
key: "create_network:provider:segmentation_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_network:
|
||||
key: "get_network"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
|
||||
neutron-get_network_router_external:
|
||||
key: "get_network:router:external"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-get_network_segments:
|
||||
key: "get_network:segments"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_network_provider_network_type:
|
||||
key: "get_network:provider:network_type"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_network_provider_physical_network:
|
||||
key: "get_network:provider:physical_network"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_network_provider_segmentation_id:
|
||||
key: "get_network:provider:segmentation_id"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network:
|
||||
key: "update_network"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_network_segments:
|
||||
key: "update_network:segments"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_shared:
|
||||
key: "update_network:shared"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_provider_network_type:
|
||||
key: "update_network:provider:network_type"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_provider_physical_network:
|
||||
key: "update_network:provider:physical_network"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_provider_segmentation_id:
|
||||
key: "update_network:provider:segmentation_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_router_external:
|
||||
key: "update_network:router:external"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_is_default:
|
||||
key: "update_network:is_default"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_port_security_enabled:
|
||||
key: "update_network:port_security_enabled"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-delete_network:
|
||||
key: "delete_network"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_network_ip_availability:
|
||||
key: "get_network_ip_availability"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_network_segment_range:
|
||||
key: "create_network_segment_range"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_network_segment_range:
|
||||
key: "get_network_segment_range"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_network_segment_range:
|
||||
key: "update_network_segment_range"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_network_segment_range:
|
||||
key: "delete_network_segment_range"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-network_device:
|
||||
key: "network_device"
|
||||
value: "field:port:device_owner=~^network:"
|
||||
|
@ -1079,157 +1082,157 @@ parameter_defaults:
|
|||
value: "rule:context_is_admin or role:data_plane_integrator"
|
||||
neutron-create_port:
|
||||
key: "create_port"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_port_device_owner:
|
||||
key: "create_port:device_owner"
|
||||
value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
|
||||
value: "not rule:network_device or rule:admin_api or rule:context_is_advsvc or rule:network_owner"
|
||||
neutron-create_port_mac_address:
|
||||
key: "create_port:mac_address"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-create_port_fixed_ips:
|
||||
key: "create_port:fixed_ips"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
|
||||
neutron-create_port_fixed_ips_ip_address:
|
||||
key: "create_port:fixed_ips:ip_address"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-create_port_fixed_ips_subnet_id:
|
||||
key: "create_port:fixed_ips:subnet_id"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
|
||||
neutron-create_port_port_security_enabled:
|
||||
key: "create_port:port_security_enabled"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-create_port_binding_host_id:
|
||||
key: "create_port:binding:host_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_port_binding_profile:
|
||||
key: "create_port:binding:profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_port_binding_vnic_type:
|
||||
key: "create_port:binding:vnic_type"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_port_allowed_address_pairs:
|
||||
key: "create_port:allowed_address_pairs"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-create_port_allowed_address_pairs_mac_address:
|
||||
key: "create_port:allowed_address_pairs:mac_address"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-create_port_allowed_address_pairs_ip_address:
|
||||
key: "create_port:allowed_address_pairs:ip_address"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-get_port:
|
||||
key: "get_port"
|
||||
value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:context_is_advsvc or rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-get_port_binding_vif_type:
|
||||
key: "get_port:binding:vif_type"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_port_binding_vif_details:
|
||||
key: "get_port:binding:vif_details"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_port_binding_host_id:
|
||||
key: "get_port:binding:host_id"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_port_binding_profile:
|
||||
key: "get_port:binding:profile"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_port_resource_request:
|
||||
key: "get_port:resource_request"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_port:
|
||||
key: "update_port"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
|
||||
neutron-update_port_device_owner:
|
||||
key: "update_port:device_owner"
|
||||
value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-update_port_mac_address:
|
||||
key: "update_port:mac_address"
|
||||
value: "role:admin and system_scope:all or rule:context_is_advsvc"
|
||||
value: "rule:admin_api or rule:context_is_advsvc"
|
||||
neutron-update_port_fixed_ips:
|
||||
key: "update_port:fixed_ips"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-update_port_fixed_ips_ip_address:
|
||||
key: "update_port:fixed_ips:ip_address"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-update_port_fixed_ips_subnet_id:
|
||||
key: "update_port:fixed_ips:subnet_id"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
|
||||
neutron-update_port_port_security_enabled:
|
||||
key: "update_port:port_security_enabled"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
|
||||
value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
|
||||
neutron-update_port_binding_host_id:
|
||||
key: "update_port:binding:host_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_port_binding_profile:
|
||||
key: "update_port:binding:profile"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_port_binding_vnic_type:
|
||||
key: "update_port:binding:vnic_type"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
|
||||
neutron-update_port_allowed_address_pairs:
|
||||
key: "update_port:allowed_address_pairs"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-update_port_allowed_address_pairs_mac_address:
|
||||
key: "update_port:allowed_address_pairs:mac_address"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-update_port_allowed_address_pairs_ip_address:
|
||||
key: "update_port:allowed_address_pairs:ip_address"
|
||||
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
|
||||
value: "rule:admin_api or rule:network_owner"
|
||||
neutron-update_port_data_plane_status:
|
||||
key: "update_port:data_plane_status"
|
||||
value: "role:admin and system_scope:all or role:data_plane_integrator"
|
||||
value: "rule:admin_api or role:data_plane_integrator"
|
||||
neutron-delete_port:
|
||||
key: "delete_port"
|
||||
value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_policy:
|
||||
key: "get_policy"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_policy:
|
||||
key: "create_policy"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_policy:
|
||||
key: "update_policy"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_policy:
|
||||
key: "delete_policy"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_rule_type:
|
||||
key: "get_rule_type"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-get_policy_bandwidth_limit_rule:
|
||||
key: "get_policy_bandwidth_limit_rule"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_policy_bandwidth_limit_rule:
|
||||
key: "create_policy_bandwidth_limit_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_policy_bandwidth_limit_rule:
|
||||
key: "update_policy_bandwidth_limit_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_policy_bandwidth_limit_rule:
|
||||
key: "delete_policy_bandwidth_limit_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_policy_dscp_marking_rule:
|
||||
key: "get_policy_dscp_marking_rule"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_policy_dscp_marking_rule:
|
||||
key: "create_policy_dscp_marking_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_policy_dscp_marking_rule:
|
||||
key: "update_policy_dscp_marking_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_policy_dscp_marking_rule:
|
||||
key: "delete_policy_dscp_marking_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_policy_minimum_bandwidth_rule:
|
||||
key: "get_policy_minimum_bandwidth_rule"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-create_policy_minimum_bandwidth_rule:
|
||||
key: "create_policy_minimum_bandwidth_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_policy_minimum_bandwidth_rule:
|
||||
key: "update_policy_minimum_bandwidth_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_policy_minimum_bandwidth_rule:
|
||||
key: "delete_policy_minimum_bandwidth_rule"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_alias_bandwidth_limit_rule:
|
||||
key: "get_alias_bandwidth_limit_rule"
|
||||
value: "rule:get_policy_bandwidth_limit_rule"
|
||||
|
@ -1259,100 +1262,100 @@ parameter_defaults:
|
|||
value: "rule:delete_policy_minimum_bandwidth_rule"
|
||||
neutron-get_quota:
|
||||
key: "get_quota"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_quota:
|
||||
key: "update_quota"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_quota:
|
||||
key: "delete_quota"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-restrict_wildcard:
|
||||
key: "restrict_wildcard"
|
||||
value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
||||
value: "(not field:rbac_policy:target_tenant=*) or rule:admin_api"
|
||||
neutron-create_rbac_policy:
|
||||
key: "create_rbac_policy"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_rbac_policy_target_tenant:
|
||||
key: "create_rbac_policy:target_tenant"
|
||||
value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
|
||||
value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
|
||||
neutron-update_rbac_policy:
|
||||
key: "update_rbac_policy"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_rbac_policy_target_tenant:
|
||||
key: "update_rbac_policy:target_tenant"
|
||||
value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
|
||||
value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
|
||||
neutron-get_rbac_policy:
|
||||
key: "get_rbac_policy"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-delete_rbac_policy:
|
||||
key: "delete_rbac_policy"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_router:
|
||||
key: "create_router"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_router_distributed:
|
||||
key: "create_router:distributed"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_router_ha:
|
||||
key: "create_router:ha"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_router_external_gateway_info:
|
||||
key: "create_router:external_gateway_info"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_router_external_gateway_info_network_id:
|
||||
key: "create_router:external_gateway_info:network_id"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_router_external_gateway_info_enable_snat:
|
||||
key: "create_router:external_gateway_info:enable_snat"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_router_external_gateway_info_external_fixed_ips:
|
||||
key: "create_router:external_gateway_info:external_fixed_ips"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_router:
|
||||
key: "get_router"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-get_router_distributed:
|
||||
key: "get_router:distributed"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_router_ha:
|
||||
key: "get_router:ha"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_router:
|
||||
key: "update_router"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_router_distributed:
|
||||
key: "update_router:distributed"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_router_ha:
|
||||
key: "update_router:ha"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_router_external_gateway_info:
|
||||
key: "update_router:external_gateway_info"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_router_external_gateway_info_network_id:
|
||||
key: "update_router:external_gateway_info:network_id"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_router_external_gateway_info_enable_snat:
|
||||
key: "update_router:external_gateway_info:enable_snat"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_router_external_gateway_info_external_fixed_ips:
|
||||
key: "update_router:external_gateway_info:external_fixed_ips"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_router:
|
||||
key: "delete_router"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-add_router_interface:
|
||||
key: "add_router_interface"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-remove_router_interface:
|
||||
key: "remove_router_interface"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-add_extraroutes:
|
||||
key: "add_extraroutes"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-remove_extraroutes:
|
||||
key: "remove_extraroutes"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-admin_or_sg_owner:
|
||||
key: "admin_or_sg_owner"
|
||||
value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
|
||||
|
@ -1361,121 +1364,121 @@ parameter_defaults:
|
|||
value: "rule:owner or rule:admin_or_sg_owner"
|
||||
neutron-create_security_group:
|
||||
key: "create_security_group"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_security_group:
|
||||
key: "get_security_group"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-update_security_group:
|
||||
key: "update_security_group"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-delete_security_group:
|
||||
key: "delete_security_group"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_security_group_rule:
|
||||
key: "create_security_group_rule"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_security_group_rule:
|
||||
key: "get_security_group_rule"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
|
||||
neutron-delete_security_group_rule:
|
||||
key: "delete_security_group_rule"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_segment:
|
||||
key: "create_segment"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_segment:
|
||||
key: "get_segment"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_segment:
|
||||
key: "update_segment"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_segment:
|
||||
key: "delete_segment"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_service_provider:
|
||||
key: "get_service_provider"
|
||||
value: "role:reader"
|
||||
neutron-create_subnet:
|
||||
key: "create_subnet"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
neutron-create_subnet_segment_id:
|
||||
key: "create_subnet:segment_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_subnet_service_types:
|
||||
key: "create_subnet:service_types"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_subnet:
|
||||
key: "get_subnet"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared"
|
||||
neutron-get_subnet_segment_id:
|
||||
key: "get_subnet:segment_id"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_subnet:
|
||||
key: "update_subnet"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
neutron-update_subnet_segment_id:
|
||||
key: "update_subnet:segment_id"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-update_subnet_service_types:
|
||||
key: "update_subnet:service_types"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_subnet:
|
||||
key: "delete_subnet"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
|
||||
neutron-shared_subnetpools:
|
||||
key: "shared_subnetpools"
|
||||
value: "field:subnetpools:shared=True"
|
||||
neutron-create_subnetpool:
|
||||
key: "create_subnetpool"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_subnetpool_shared:
|
||||
key: "create_subnetpool:shared"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-create_subnetpool_is_default:
|
||||
key: "create_subnetpool:is_default"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-get_subnetpool:
|
||||
key: "get_subnetpool"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
|
||||
neutron-update_subnetpool:
|
||||
key: "update_subnetpool"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-update_subnetpool_is_default:
|
||||
key: "update_subnetpool:is_default"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
neutron-delete_subnetpool:
|
||||
key: "delete_subnetpool"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-onboard_network_subnets:
|
||||
key: "onboard_network_subnets"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-add_prefixes:
|
||||
key: "add_prefixes"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-remove_prefixes:
|
||||
key: "remove_prefixes"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-create_trunk:
|
||||
key: "create_trunk"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_trunk:
|
||||
key: "get_trunk"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-update_trunk:
|
||||
key: "update_trunk"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-delete_trunk:
|
||||
key: "delete_trunk"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-get_subports:
|
||||
key: "get_subports"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
|
||||
neutron-add_subports:
|
||||
key: "add_subports"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
neutron-remove_subports:
|
||||
key: "remove_subports"
|
||||
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
|
||||
# The glance policies in Xena implement project-personas by default, so these
|
||||
# policies do not need to change. However, keeping them defined here with
|
||||
# GlanceApiPolicies will put them in /etc/glance/policy.yaml which will be
|
||||
|
|