From 2202412db3039005704db329c6c5ae3c5800b595 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 22 Sep 2021 17:29:50 +0000
Subject: [PATCH] Implement project personas in custom neutron policy file

This commit updates the default neutron policies in enable-secure-rbac.yaml to implement consistent support for project personas (project-admin, project-member, and project-reader) with other OpenStack services. The project-admin is still considered a system administrator. This behavior will change in future releases (likely Yoga) when we have a community wide goal to finish system-scope adoption. At that point, we can remove these overrides and use the defaults in neutron, which adhere to system and project personas and we'll get more functionality without these overrides.

Change-Id: Ie2273adbdf0dda7947e570933aaca661aa8a67da
---
 environments/enable-secure-rbac.yaml | 417 ++++++++++++++-------------
 1 file changed, 210 insertions(+), 207 deletions(-)

diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index 8677263479..707e198580 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -801,6 +801,9 @@ parameter_defaults:
 neutron-admin_only:
 key: "admin_only"
 value: "rule:context_is_admin"
+ neutron-admin_api:
+ key: "admin_api"
+ value: "role:admin"
 neutron-regular_user:
 key: "regular_user"
 value: ""
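Review bot: The new `admin_api` rule is `role:admin` with no `system_scope:all` or `project_id` qualifier, so any token carrying the admin role on any project satisfies every rule below that is rewritten to `rule:admin_api`; a project-admin of one project becomes a cloud-wide administrator, which the commit message says is deliberate but nothing in the file records. It also places a second admin alias next to `admin_only` (`rule:context_is_admin`), and the two agree only if `context_is_admin`, defined outside this hunk, is exactly `role:admin`. Add a comment above the new entry, e.g. `# admin_api: any admin-role token, in any project, is treated as a system administrator (no scope check) until system-scope adoption lands; keep in sync with context_is_admin`, or define it as `value: "rule:context_is_admin"` if the two aliases are meant to be one policy.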
@@ -824,271 +827,271 @@ parameter_defaults:
 value: "field:address_groups:shared=True"
 neutron-get_address_group:
 key: "get_address_group"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
 neutron-shared_address_scopes:
 key: "shared_address_scopes"
 value: "field:address_scopes:shared=True"
 neutron-create_address_scope:
 key: "create_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_address_scope_shared:
 key: "create_address_scope:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_address_scope:
 key: "get_address_scope"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
 neutron-update_address_scope:
 key: "update_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_address_scope_shared:
 key: "update_address_scope:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_address_scope:
 key: "delete_address_scope"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_agent:
 key: "get_agent"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_agent:
 key: "update_agent"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_agent:
 key: "delete_agent"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_dhcp-network:
 key: "create_dhcp-network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_dhcp-networks:
 key: "get_dhcp-networks"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_dhcp-network:
 key: "delete_dhcp-network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_l3-router:
 key: "create_l3-router"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_l3-routers:
 key: "get_l3-routers"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_l3-router:
 key: "delete_l3-router"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_dhcp-agents:
 key: "get_dhcp-agents"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_l3-agents:
 key: "get_l3-agents"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_auto_allocated_topology:
 key: "get_auto_allocated_topology"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-delete_auto_allocated_topology:
 key: "delete_auto_allocated_topology"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_availability_zone:
 key: "get_availability_zone"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_flavor:
 key: "create_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_flavor:
 key: "get_flavor"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_flavor:
 key: "update_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_flavor:
 key: "delete_flavor"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_service_profile:
 key: "create_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_service_profile:
 key: "get_service_profile"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_service_profile:
 key: "update_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_service_profile:
 key: "delete_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_flavor_service_profile:
 key: "get_flavor_service_profile"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_flavor_service_profile:
 key: "create_flavor_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_flavor_service_profile:
 key: "delete_flavor_service_profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_floatingip:
 key: "create_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_floatingip_floating_ip_address:
 key: "create_floatingip:floating_ip_address"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_floatingip:
 key: "get_floatingip"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_floatingip:
 key: "update_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_floatingip:
 key: "delete_floatingip"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_floatingip_pool:
 key: "get_floatingip_pool"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_floatingip_port_forwarding:
 key: "create_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_floatingip_port_forwarding:
 key: "get_floatingip_port_forwarding"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-update_floatingip_port_forwarding:
 key: "update_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-delete_floatingip_port_forwarding:
 key: "delete_floatingip_port_forwarding"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-create_router_conntrack_helper:
 key: "create_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_router_conntrack_helper:
 key: "get_router_conntrack_helper"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-update_router_conntrack_helper:
 key: "update_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-delete_router_conntrack_helper:
 key: "delete_router_conntrack_helper"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
 neutron-get_loggable_resource:
 key: "get_loggable_resource"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_log:
 key: "create_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_log:
 key: "get_log"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_log:
 key: "update_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_log:
 key: "delete_log"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_metering_label:
 key: "create_metering_label"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_metering_label:
 key: "get_metering_label"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_metering_label:
 key: "delete_metering_label"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_metering_label_rule:
 key: "create_metering_label_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_metering_label_rule:
 key: "get_metering_label_rule"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_metering_label_rule:
 key: "delete_metering_label_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-external:
 key: "external"
 value: "field:networks:router:external=True"
 neutron-create_network:
 key: "create_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_network_shared:
 key: "create_network:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_router_external:
 key: "create_network:router:external"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_is_default:
 key: "create_network:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_port_security_enabled:
 key: "create_network:port_security_enabled"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_network_segments:
 key: "create_network:segments"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_network_type:
 key: "create_network:provider:network_type"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_physical_network:
 key: "create_network:provider:physical_network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_provider_segmentation_id:
 key: "create_network:provider:segmentation_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network:
 key: "get_network"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
 neutron-get_network_router_external:
 key: "get_network:router:external"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_network_segments:
 key: "get_network:segments"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_network_type:
 key: "get_network:provider:network_type"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_physical_network:
 key: "get_network:provider:physical_network"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_provider_segmentation_id:
 key: "get_network:provider:segmentation_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network:
 key: "update_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_network_segments:
 key: "update_network:segments"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_shared:
 key: "update_network:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_network_type:
 key: "update_network:provider:network_type"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_physical_network:
 key: "update_network:provider:physical_network"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_provider_segmentation_id:
 key: "update_network:provider:segmentation_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_router_external:
 key: "update_network:router:external"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_is_default:
 key: "update_network:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_port_security_enabled:
 key: "update_network:port_security_enabled"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_network:
 key: "delete_network"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_network_ip_availability:
 key: "get_network_ip_availability"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_network_segment_range:
 key: "create_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_network_segment_range:
 key: "get_network_segment_range"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_network_segment_range:
 key: "update_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_network_segment_range:
 key: "delete_network_segment_range"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-network_device:
 key: "network_device"
 value: "field:port:device_owner=~^network:"
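Review bot: Every read-only rule in this hunk that was `role:reader and system_scope:all` — `get_agent`, `get_dhcp-networks`, `get_l3-routers`, `get_dhcp-agents`, `get_l3-agents`, `get_availability_zone`, `get_service_profile`, `get_loggable_resource`, `get_log`, the `get_metering_label*` pair, `get_network:segments`, `get_network:provider:*`, `get_network_ip_availability` and `get_network_segment_range` — is now `rule:admin_api`, which resolves to `role:admin` alone, so a system-scoped reader token (an audit or monitoring account) loses read access it had and must be granted the admin role just to list agents or segments. That trades least privilege for persona consistency and is a larger change than the commit message describes. Keeping the reader path on the read-only rules, e.g. `value: "rule:admin_api or (role:reader and system_scope:all)"`, preserves the old behaviour for system readers without touching the project-admin semantics; whether such tokens are issued in these deployments is not visible here, so confirm before dropping them.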
@@ -1097,157 +1100,157 @@ parameter_defaults:
 value: "rule:context_is_admin or role:data_plane_integrator"
 neutron-create_port:
 key: "create_port"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_port_device_owner:
 key: "create_port:device_owner"
- value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
+ value: "not rule:network_device or rule:admin_api or rule:context_is_advsvc or rule:network_owner"
 neutron-create_port_mac_address:
 key: "create_port:mac_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_fixed_ips:
 key: "create_port:fixed_ips"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-create_port_fixed_ips_ip_address:
 key: "create_port:fixed_ips:ip_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_fixed_ips_subnet_id:
 key: "create_port:fixed_ips:subnet_id"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-create_port_port_security_enabled:
 key: "create_port:port_security_enabled"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-create_port_binding_host_id:
 key: "create_port:binding:host_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_port_binding_profile:
 key: "create_port:binding:profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_port_binding_vnic_type:
 key: "create_port:binding:vnic_type"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_port_allowed_address_pairs:
 key: "create_port:allowed_address_pairs"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-create_port_allowed_address_pairs_mac_address:
 key: "create_port:allowed_address_pairs:mac_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-create_port_allowed_address_pairs_ip_address:
 key: "create_port:allowed_address_pairs:ip_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-get_port:
 key: "get_port"
- value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_port_binding_vif_type:
 key: "get_port:binding:vif_type"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_vif_details:
 key: "get_port:binding:vif_details"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_host_id:
 key: "get_port:binding:host_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_binding_profile:
 key: "get_port:binding:profile"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_port_resource_request:
 key: "get_port:resource_request"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port:
 key: "update_port"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
 neutron-update_port_device_owner:
 key: "update_port:device_owner"
- value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_mac_address:
 key: "update_port:mac_address"
- value: "role:admin and system_scope:all or rule:context_is_advsvc"
+ value: "rule:admin_api or rule:context_is_advsvc"
 neutron-update_port_fixed_ips:
 key: "update_port:fixed_ips"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_fixed_ips_ip_address:
 key: "update_port:fixed_ips:ip_address"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_fixed_ips_subnet_id:
 key: "update_port:fixed_ips:subnet_id"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
 neutron-update_port_port_security_enabled:
 key: "update_port:port_security_enabled"
- value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+ value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
 neutron-update_port_binding_host_id:
 key: "update_port:binding:host_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port_binding_profile:
 key: "update_port:binding:profile"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_port_binding_vnic_type:
 key: "update_port:binding:vnic_type"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
 neutron-update_port_allowed_address_pairs:
 key: "update_port:allowed_address_pairs"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_allowed_address_pairs_mac_address:
 key: "update_port:allowed_address_pairs:mac_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_allowed_address_pairs_ip_address:
 key: "update_port:allowed_address_pairs:ip_address"
- value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+ value: "rule:admin_api or rule:network_owner"
 neutron-update_port_data_plane_status:
 key: "update_port:data_plane_status"
- value: "role:admin and system_scope:all or role:data_plane_integrator"
+ value: "rule:admin_api or role:data_plane_integrator"
 neutron-delete_port:
 key: "delete_port"
- value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_policy:
 key: "get_policy"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy:
 key: "create_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy:
 key: "update_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy:
 key: "delete_policy"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_rule_type:
 key: "get_rule_type"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_policy_bandwidth_limit_rule:
 key: "get_policy_bandwidth_limit_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_bandwidth_limit_rule:
 key: "create_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_bandwidth_limit_rule:
 key: "update_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_bandwidth_limit_rule:
 key: "delete_policy_bandwidth_limit_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_policy_dscp_marking_rule:
 key: "get_policy_dscp_marking_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_dscp_marking_rule:
 key: "create_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_dscp_marking_rule:
 key: "update_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_dscp_marking_rule:
 key: "delete_policy_dscp_marking_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_policy_minimum_bandwidth_rule:
 key: "get_policy_minimum_bandwidth_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-create_policy_minimum_bandwidth_rule:
 key: "create_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_policy_minimum_bandwidth_rule:
 key: "update_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_policy_minimum_bandwidth_rule:
 key: "delete_policy_minimum_bandwidth_rule"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_alias_bandwidth_limit_rule:
 key: "get_alias_bandwidth_limit_rule"
 value: "rule:get_policy_bandwidth_limit_rule"
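Review bot: The port attribute sub-rules (`create_port:device_owner`, `create_port:mac_address`, `create_port:fixed_ips*`, `create_port:allowed_address_pairs*` and their `update_port:` counterparts) previously admitted a project admin only through `role:admin and project_id:%(project_id)s`, i.e. for ports in the admin's own project; replacing both admin terms with `rule:admin_api` (`role:admin` with no project check, defined outside this hunk) means an admin-role token from any project can now set the MAC, fixed IP, device_owner and allowed-address-pair values — the attributes that bound IP/MAC anti-spoofing — on any project's ports. This follows from the commit message's "project-admin is still a system administrator", but the effect on these anti-spoofing attributes is the part operators are most likely to be surprised by and it is not recorded anywhere in the file. Add a comment above `neutron-create_port_device_owner`, e.g. `# NOTE: admin_api carries no project qualifier, so these spoofing-relevant port attributes are writable by any admin-role token across projects until system-scope adoption`, or, if that widening is not wanted yet, keep the explicit `(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)` pair on this group of rules only.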
@@ -1277,100 +1280,100 @@ parameter_defaults:
 value: "rule:delete_policy_minimum_bandwidth_rule"
 neutron-get_quota:
 key: "get_quota"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_quota:
 key: "update_quota"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_quota:
 key: "delete_quota"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-restrict_wildcard:
 key: "restrict_wildcard"
- value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+ value: "(not field:rbac_policy:target_tenant=*) or rule:admin_api"
 neutron-create_rbac_policy:
 key: "create_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_rbac_policy_target_tenant:
 key: "create_rbac_policy:target_tenant"
- value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+ value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
 neutron-update_rbac_policy:
 key: "update_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_rbac_policy_target_tenant:
 key: "update_rbac_policy:target_tenant"
- value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+ value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
 neutron-get_rbac_policy:
 key: "get_rbac_policy"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-delete_rbac_policy:
 key: "delete_rbac_policy"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router:
 key: "create_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_distributed:
 key: "create_router:distributed"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_ha:
 key: "create_router:ha"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_external_gateway_info:
 key: "create_router:external_gateway_info"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_external_gateway_info_network_id:
 key: "create_router:external_gateway_info:network_id"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_router_external_gateway_info_enable_snat:
 key: "create_router:external_gateway_info:enable_snat"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_router_external_gateway_info_external_fixed_ips:
 key: "create_router:external_gateway_info:external_fixed_ips"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_router:
 key: "get_router"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-get_router_distributed:
 key: "get_router:distributed"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_router_ha:
 key: "get_router:ha"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router:
 key: "update_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_distributed:
 key: "update_router:distributed"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_ha:
 key: "update_router:ha"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_external_gateway_info:
 key: "update_router:external_gateway_info"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_external_gateway_info_network_id:
 key: "update_router:external_gateway_info:network_id"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_router_external_gateway_info_enable_snat:
 key: "update_router:external_gateway_info:enable_snat"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_router_external_gateway_info_external_fixed_ips:
 key: "update_router:external_gateway_info:external_fixed_ips"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_router:
 key: "delete_router"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_router_interface:
 key: "add_router_interface"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_router_interface:
 key: "remove_router_interface"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_extraroutes:
 key: "add_extraroutes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_extraroutes:
 key: "remove_extraroutes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-admin_or_sg_owner:
 key: "admin_or_sg_owner"
 value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
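Review bot: `restrict_wildcard` moves from `rule:admin_only` to `rule:admin_api`, while `admin_or_sg_owner` at the end of this hunk still uses `rule:context_is_admin`, so wildcard RBAC sharing (`target_tenant=*`, which exposes a network or QoS policy to every project) and security-group ownership are now gated by two different admin definitions; they agree only if `context_is_admin`, defined outside this hunk, is exactly `role:admin`, and a deployment that customises `context_is_admin` would get a wildcard-share gate it did not choose. Either keep `value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"` here, or make `admin_api` and `admin_only` the same rule and say so in a comment next to them. Separately, `get_quota` goes from `role:reader and system_scope:all` to `rule:admin_api`, which removes quota read access from system-scoped readers; `value: "rule:admin_api or (role:reader and system_scope:all)"` would keep it.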
@@ -1379,121 +1382,121 @@ parameter_defaults:
 value: "rule:owner or rule:admin_or_sg_owner"
 neutron-create_security_group:
 key: "create_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group:
 key: "get_security_group"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_security_group:
 key: "update_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_security_group:
 key: "delete_security_group"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_security_group_rule:
 key: "create_security_group_rule"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group_rule:
 key: "get_security_group_rule"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
 neutron-delete_security_group_rule:
 key: "delete_security_group_rule"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_segment:
 key: "create_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_segment:
 key: "get_segment"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_segment:
 key: "update_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_segment:
 key: "delete_segment"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_service_provider:
 key: "get_service_provider"
 value: "role:reader"
 neutron-create_subnet:
 key: "create_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-create_subnet_segment_id:
 key: "create_subnet:segment_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_subnet_service_types:
 key: "create_subnet:service_types"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_subnet:
 key: "get_subnet"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared"
 neutron-get_subnet_segment_id:
 key: "get_subnet:segment_id"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_subnet:
 key: "update_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-update_subnet_segment_id:
 key: "update_subnet:segment_id"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-update_subnet_service_types:
 key: "update_subnet:service_types"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_subnet:
 key: "delete_subnet"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
 neutron-shared_subnetpools:
 key: "shared_subnetpools"
 value: "field:subnetpools:shared=True"
 neutron-create_subnetpool:
 key: "create_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_subnetpool_shared:
 key: "create_subnetpool:shared"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-create_subnetpool_is_default:
 key: "create_subnetpool:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-get_subnetpool:
 key: "get_subnetpool"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
 neutron-update_subnetpool:
 key: "update_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-update_subnetpool_is_default:
 key: "update_subnetpool:is_default"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 neutron-delete_subnetpool:
 key: "delete_subnetpool"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-onboard_network_subnets:
 key: "onboard_network_subnets"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-add_prefixes:
 key: "add_prefixes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_prefixes:
 key: "remove_prefixes"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-create_trunk:
 key: "create_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_trunk:
 key: "get_trunk"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-update_trunk:
 key: "update_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-delete_trunk:
 key: "delete_trunk"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_subports:
 key: "get_subports"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
 neutron-add_subports:
 key: "add_subports"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-remove_subports:
 key: "remove_subports"
- value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 # The glance policies in Xena implement project-personas by default, so these
 # policies do not need to change. However, keeping them defined here with
 # GlanceApiPolicies will put them in /etc/glance/policy.yaml which will be