diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index 08405ebfbc..52e1d11744 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -783,6 +783,9 @@ parameter_defaults:
 neutron-admin_only:
 key: "admin_only"
 value: "rule:context_is_admin"
+ neutron-admin_api:
+ key: "admin_api"
+ value: "role:admin"
 neutron-regular_user:
 key: "regular_user"
 value: ""
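Review bot: The new `admin_api` rule is a bare `role:admin`, while `admin_only` two lines above still resolves to `rule:context_is_admin`, so the file now carries two independent definitions of "admin" and every rule switched to `rule:admin_api` later in this change stops following any operator override of `context_is_admin`. Because `role:admin` carries no `system_scope` or `project_id` qualifier it also matches an admin-role token scoped to any project, which is presumably the intended legacy global-admin model but is nowhere stated in the file. Consider `value: "rule:context_is_admin"` so there is a single customisation point, or if the two must stay independent add a comment above the new key such as `# admin_api: any token carrying the admin role, regardless of scope or project; intentionally not tied to context_is_admin`.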
@@ -806,271 +809,271 @@ parameter_defaults:
 value: "field:address_groups:shared=True"
 neutron-get_address_group:
 key: "get_address_group"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
 neutron-shared_address_scopes:
 key: "shared_address_scopes"
 value: "field:address_scopes:shared=True"
 neutron-create_address_scope:
 key: "create_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_address_scope_shared:
 key: "create_address_scope:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_address_scope:
 key: "get_address_scope"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
 neutron-update_address_scope:
 key: "update_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_address_scope_shared:
 key: "update_address_scope:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_address_scope:
 key: "delete_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_agent:
 key: "get_agent"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_agent:
 key: "update_agent"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_agent:
 key: "delete_agent"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_dhcp-network:
 key: "create_dhcp-network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_dhcp-networks:
 key: "get_dhcp-networks"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_dhcp-network:
 key: "delete_dhcp-network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_l3-router:
 key: "create_l3-router"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_l3-routers:
 key: "get_l3-routers"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_l3-router:
 key: "delete_l3-router"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_dhcp-agents:
 key: "get_dhcp-agents"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_l3-agents:
 key: "get_l3-agents"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_auto_allocated_topology:
 key: "get_auto_allocated_topology"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-delete_auto_allocated_topology:
 key: "delete_auto_allocated_topology"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_availability_zone:
 key: "get_availability_zone"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_flavor:
 key: "create_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_flavor:
 key: "get_flavor"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_flavor:
 key: "update_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_flavor:
 key: "delete_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_service_profile:
 key: "create_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_service_profile:
 key: "get_service_profile"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_service_profile:
 key: "update_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_service_profile:
 key: "delete_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_flavor_service_profile:
 key: "get_flavor_service_profile"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_flavor_service_profile:
 key: "create_flavor_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_flavor_service_profile:
 key: "delete_flavor_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_floatingip:
 key: "create_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_floatingip_floating_ip_address:
 key: "create_floatingip:floating_ip_address"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_floatingip:
 key: "get_floatingip"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_floatingip:
 key: "update_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_floatingip:
 key: "delete_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_floatingip_pool:
 key: "get_floatingip_pool"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_floatingip_port_forwarding:
 key: "create_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_floatingip_port_forwarding:
 key: "get_floatingip_port_forwarding"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-update_floatingip_port_forwarding:
 key: "update_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-delete_floatingip_port_forwarding:
 key: "delete_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-create_router_conntrack_helper:
 key: "create_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_router_conntrack_helper:
 key: "get_router_conntrack_helper"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-update_router_conntrack_helper:
 key: "update_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-delete_router_conntrack_helper:
 key: "delete_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_loggable_resource:
 key: "get_loggable_resource"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_log:
 key: "create_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_log:
 key: "get_log"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_log:
 key: "update_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_log:
 key: "delete_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_metering_label:
 key: "create_metering_label"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_metering_label:
 key: "get_metering_label"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_metering_label:
 key: "delete_metering_label"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_metering_label_rule:
 key: "create_metering_label_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_metering_label_rule:
 key: "get_metering_label_rule"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_metering_label_rule:
 key: "delete_metering_label_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-external:
 key: "external"
 value: "field:networks:router:external=True"
 neutron-create_network:
 key: "create_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_network_shared:
 key: "create_network:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_router_external:
 key: "create_network:router:external"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_is_default:
 key: "create_network:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_port_security_enabled:
 key: "create_network:port_security_enabled"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_network_segments:
 key: "create_network:segments"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_network_type:
 key: "create_network:provider:network_type"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_physical_network:
 key: "create_network:provider:physical_network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_segmentation_id:
 key: "create_network:provider:segmentation_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network:
 key: "get_network"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
 neutron-get_network_router_external:
 key: "get_network:router:external"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_network_segments:
 key: "get_network:segments"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_network_type:
 key: "get_network:provider:network_type"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_physical_network:
 key: "get_network:provider:physical_network"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_segmentation_id:
 key: "get_network:provider:segmentation_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network:
 key: "update_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_network_segments:
 key: "update_network:segments"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_shared:
 key: "update_network:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_network_type:
 key: "update_network:provider:network_type"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_physical_network:
 key: "update_network:provider:physical_network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_segmentation_id:
 key: "update_network:provider:segmentation_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_router_external:
 key: "update_network:router:external"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_is_default:
 key: "update_network:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_port_security_enabled:
 key: "update_network:port_security_enabled"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_network:
 key: "delete_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_network_ip_availability:
 key: "get_network_ip_availability"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_segment_range:
 key: "create_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_segment_range:
 key: "get_network_segment_range"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_segment_range:
 key: "update_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_network_segment_range:
 key: "delete_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-network_device:
 key: "network_device"
 value: "field:port:device_owner=~^network:"
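Review bot: Every read-only infrastructure rule in this hunk (`get_agent`, `get_dhcp-agents`, `get_l3-agents`, `get_dhcp-networks`, `get_l3-routers`, `get_availability_zone`, `get_network_ip_availability`, `get_network_segment_range`, `get_loggable_resource`, `get_log`, the `get_metering_label*` rules, `get_network:segments` and the `get_network:provider:*` attributes) moves from `role:reader and system_scope:all` to `rule:admin_api`, which this file defines as a bare `role:admin`, so a monitoring or audit identity that previously needed only the `reader` role must now be granted full admin to list agents or see provider attributes. If the deployment no longer issues system-scoped tokens this is moot, but otherwise keeping the reader alternative on the `get_*` rules, e.g. `value: "rule:admin_api or (role:reader and system_scope:all)"`, would avoid handing write capability to accounts that only need to read. A one-line comment on the first such rule stating why reader access was dropped would help the next reviewer of this file.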
@@ -1079,157 +1082,157 @@ parameter_defaults:
 value: "rule:context_is_admin or role:data_plane_integrator"
 neutron-create_port:
 key: "create_port"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_port_device_owner:
 key: "create_port:device_owner"
- value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
+ value: "not rule:network_device or rule:admin_api or rule:context_is_advsvc or rule:network_owner"
 neutron-create_port_mac_address:
 key: "create_port:mac_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_fixed_ips:
 key: "create_port:fixed_ips"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-create_port_fixed_ips_ip_address:
 key: "create_port:fixed_ips:ip_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_fixed_ips_subnet_id:
 key: "create_port:fixed_ips:subnet_id"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-create_port_port_security_enabled:
 key: "create_port:port_security_enabled"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_binding_host_id:
 key: "create_port:binding:host_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_port_binding_profile:
 key: "create_port:binding:profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_port_binding_vnic_type:
 key: "create_port:binding:vnic_type"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_port_allowed_address_pairs:
 key: "create_port:allowed_address_pairs"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-create_port_allowed_address_pairs_mac_address:
 key: "create_port:allowed_address_pairs:mac_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-create_port_allowed_address_pairs_ip_address:
 key: "create_port:allowed_address_pairs:ip_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-get_port:
 key: "get_port"
- value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_port_binding_vif_type:
 key: "get_port:binding:vif_type"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_vif_details:
 key: "get_port:binding:vif_details"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_host_id:
 key: "get_port:binding:host_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_profile:
 key: "get_port:binding:profile"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_resource_request:
 key: "get_port:resource_request"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port:
 key: "update_port"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
 neutron-update_port_device_owner:
 key: "update_port:device_owner"
- value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_mac_address:
 key: "update_port:mac_address"
- value: "role:admin and system_scope:all or rule:context_is_advsvc"
+ value: "rule:admin_api or rule:context_is_advsvc"
 neutron-update_port_fixed_ips:
 key: "update_port:fixed_ips"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_fixed_ips_ip_address:
 key: "update_port:fixed_ips:ip_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_fixed_ips_subnet_id:
 key: "update_port:fixed_ips:subnet_id"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-update_port_port_security_enabled:
 key: "update_port:port_security_enabled"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_binding_host_id:
 key: "update_port:binding:host_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port_binding_profile:
 key: "update_port:binding:profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port_binding_vnic_type:
 key: "update_port:binding:vnic_type"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
 neutron-update_port_allowed_address_pairs:
 key: "update_port:allowed_address_pairs"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_allowed_address_pairs_mac_address:
 key: "update_port:allowed_address_pairs:mac_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_allowed_address_pairs_ip_address:
 key: "update_port:allowed_address_pairs:ip_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_data_plane_status:
 key: "update_port:data_plane_status"
- value: "role:admin and system_scope:all or role:data_plane_integrator"
+ value: "rule:admin_api or role:data_plane_integrator"
 neutron-delete_port:
 key: "delete_port"
- value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_policy:
 key: "get_policy"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy:
 key: "create_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy:
 key: "update_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy:
 key: "delete_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_rule_type:
 key: "get_rule_type"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_policy_bandwidth_limit_rule:
 key: "get_policy_bandwidth_limit_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_bandwidth_limit_rule:
 key: "create_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_bandwidth_limit_rule:
 key: "update_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_bandwidth_limit_rule:
 key: "delete_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_policy_dscp_marking_rule:
 key: "get_policy_dscp_marking_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_dscp_marking_rule:
 key: "create_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_dscp_marking_rule:
 key: "update_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_dscp_marking_rule:
 key: "delete_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_policy_minimum_bandwidth_rule:
 key: "get_policy_minimum_bandwidth_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_minimum_bandwidth_rule:
 key: "create_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_minimum_bandwidth_rule:
 key: "update_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_minimum_bandwidth_rule:
 key: "delete_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_alias_bandwidth_limit_rule:
 key: "get_alias_bandwidth_limit_rule"
 value: "rule:get_policy_bandwidth_limit_rule"
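Review bot: `create_port:binding:host_id`, `create_port:binding:profile`, `update_port:binding:host_id` and `update_port:binding:profile` drop from `role:admin and system_scope:all` to `rule:admin_api`, and `admin_api` in this file is a bare `role:admin` with no project or scope condition, so a project-scoped admin token can now set the binding host and profile on ports of any project (`update_port` itself also accepts `rule:admin_api`). Before this change a project-scoped admin had no path to these attributes at all — the old `role:admin and project_id:%(project_id)s` alternative appears only on the `device_owner`, `mac_address`, `fixed_ips*`, `port_security_enabled` and `allowed_address_pairs*` rules, never on `binding:*`. If tenant administrators in this deployment are still given the `admin` role on their own project this is a real privilege widening; either keep `value: "role:admin and system_scope:all"` on those four `binding:*` rules or put a comment above them such as `# binding:host_id/profile: cloud-operator only; admin_api is not project-restricted` so the intent is recorded.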
@@ -1259,100 +1262,100 @@ parameter_defaults:
 value: "rule:delete_policy_minimum_bandwidth_rule"
 neutron-get_quota:
 key: "get_quota"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_quota:
 key: "update_quota"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_quota:
 key: "delete_quota"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-restrict_wildcard:
 key: "restrict_wildcard"
- value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+ value: "(not field:rbac_policy:target_tenant=*) or rule:admin_api"
 neutron-create_rbac_policy:
 key: "create_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_rbac_policy_target_tenant:
 key: "create_rbac_policy:target_tenant"
- value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+ value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
 neutron-update_rbac_policy:
 key: "update_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_rbac_policy_target_tenant:
 key: "update_rbac_policy:target_tenant"
- value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+ value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
 neutron-get_rbac_policy:
 key: "get_rbac_policy"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-delete_rbac_policy:
 key: "delete_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router:
 key: "create_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_distributed:
 key: "create_router:distributed"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_ha:
 key: "create_router:ha"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_external_gateway_info:
 key: "create_router:external_gateway_info"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_external_gateway_info_network_id:
 key: "create_router:external_gateway_info:network_id"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_external_gateway_info_enable_snat:
 key: "create_router:external_gateway_info:enable_snat"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_external_gateway_info_external_fixed_ips:
 key: "create_router:external_gateway_info:external_fixed_ips"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_router:
 key: "get_router"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_router_distributed:
 key: "get_router:distributed"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_router_ha:
 key: "get_router:ha"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router:
 key: "update_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_distributed:
 key: "update_router:distributed"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_ha:
 key: "update_router:ha"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_external_gateway_info:
 key: "update_router:external_gateway_info"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_external_gateway_info_network_id:
 key: "update_router:external_gateway_info:network_id"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_external_gateway_info_enable_snat:
 key: "update_router:external_gateway_info:enable_snat"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_external_gateway_info_external_fixed_ips:
 key: "update_router:external_gateway_info:external_fixed_ips"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_router:
 key: "delete_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_router_interface:
 key: "add_router_interface"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_router_interface:
 key: "remove_router_interface"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_extraroutes:
 key: "add_extraroutes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_extraroutes:
 key: "remove_extraroutes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-admin_or_sg_owner:
 key: "admin_or_sg_owner"
 value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
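Review bot: `restrict_wildcard` is switched from `rule:admin_only` to `rule:admin_api`, while `admin_or_sg_owner` in the trailing context of this hunk still uses `rule:context_is_admin` (the rule `admin_only` resolves to), so wildcard `target_tenant=*` RBAC entries are now gated by one admin predicate and security-group ownership by a different one. Whether the two agree depends on how `context_is_admin` is defined elsewhere in this file, which is not visible here; an operator who extends `context_is_admin` with extra roles would keep `admin_or_sg_owner` for those roles but silently lose their ability to share to `*`. Either keep `value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"` here, or move `admin_only`/`admin_or_sg_owner` onto `rule:admin_api` in the same change so a single admin predicate governs the file. `restrict_wildcard` and `create_rbac_policy:target_tenant` now also spell the identical condition twice; if `restrict_wildcard` is no longer referenced anywhere it could be removed, otherwise a comment stating which consumer still needs it would avoid a later cleanup breaking it.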
@@ -1361,121 +1364,121 @@ parameter_defaults:
 value: "rule:owner or rule:admin_or_sg_owner"
 neutron-create_security_group:
 key: "create_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group:
 key: "get_security_group"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_security_group:
 key: "update_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_security_group:
 key: "delete_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_security_group_rule:
 key: "create_security_group_rule"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group_rule:
 key: "get_security_group_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
 neutron-delete_security_group_rule:
 key: "delete_security_group_rule"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_segment:
 key: "create_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_segment:
 key: "get_segment"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_segment:
 key: "update_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_segment:
 key: "delete_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_service_provider:
 key: "get_service_provider"
 value: "role:reader"
 neutron-create_subnet:
 key: "create_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-create_subnet_segment_id:
 key: "create_subnet:segment_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_subnet_service_types:
 key: "create_subnet:service_types"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_subnet:
 key: "get_subnet"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared"
 neutron-get_subnet_segment_id:
 key: "get_subnet:segment_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_subnet:
 key: "update_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-update_subnet_segment_id:
 key: "update_subnet:segment_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_subnet_service_types:
 key: "update_subnet:service_types"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_subnet:
 key: "delete_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-shared_subnetpools:
 key: "shared_subnetpools"
 value: "field:subnetpools:shared=True"
 neutron-create_subnetpool:
 key: "create_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_subnetpool_shared:
 key: "create_subnetpool:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_subnetpool_is_default:
 key: "create_subnetpool:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_subnetpool:
 key: "get_subnetpool"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
 neutron-update_subnetpool:
 key: "update_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_subnetpool_is_default:
 key: "update_subnetpool:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_subnetpool:
 key: "delete_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-onboard_network_subnets:
 key: "onboard_network_subnets"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_prefixes:
 key: "add_prefixes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_prefixes:
 key: "remove_prefixes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_trunk:
 key: "create_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_trunk:
 key: "get_trunk"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_trunk:
 key: "update_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_trunk:
 key: "delete_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_subports:
 key: "get_subports"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-add_subports:
 key: "add_subports"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_subports:
 key: "remove_subports"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 # The glance policies in Xena implement project-personas by default, so these
 # policies do not need to change. However, keeping them defined here with
 # GlanceApiPolicies will put them in /etc/glance/policy.yaml which will be
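Review bot: The read rules in this hunk — `get_security_group`, `get_security_group_rule`, `get_segment`, `get_subnet`, `get_subnet:segment_id`, `get_subnetpool`, `get_trunk` and `get_subports` — replace `role:reader and system_scope:all` with `rule:admin_api`, and nothing in the hunk records what that means for existing tokens. `admin_api` is defined outside this hunk, but the substitutions here (it stands in for both `role:admin and system_scope:all` and `role:reader and system_scope:all`) read as if it were a plain `role:admin` check with no `system_scope` clause; if so, a system-scoped token holding only the reader role no longer matches any of these get rules, while an admin token scoped to any project now matches the admin branch of every create/get/update/delete rule for every project. Both effects are presumably intended as part of dropping system scope, but the file should say so where a reader of the policy will see it. I would add, above `neutron-create_security_group`, `# rule:admin_api carries no system_scope check: system-scoped readers no longer match the get_* rules below, and a project-scoped admin matches them for every project.`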