Merge "Implement project personas in custom octavia policy file" into stable/wallaby

changes/49/822249/1
Zuul 9 months ago committed by Gerrit Code Review
commit 842036f987
  1. 278
      environments/enable-secure-rbac.yaml

@ -3799,291 +3799,27 @@ parameter_defaults:
key: "share_access_metadata:delete"
value: "(rule:admin_api) or (rule:project-member)"
OctaviaApiPolicies:
octavia-system-admin:
key: "system-admin"
value: "role:admin and system_scope:all"
octavia-system-reader:
key: "system-reader"
value: "role:reader and system_scope:all"
octavia-project-member:
key: "project-member"
value: "role:member and project_id:%(project_id)s"
octavia-project-reader:
key: "project-reader"
value: "role:reader and project_id:%(project_id)s"
octavia-context_is_admin:
key: "context_is_admin"
value: "role:load-balancer_admin or rule:system-admin"
octavia-load-balancer_owner:
key: "load-balancer:owner"
value: "project_id:%(project_id)s"
octavia-load-balancer_observer_and_owner:
key: "load-balancer:observer_and_owner"
value: "role:load-balancer_observer and rule:project-reader"
octavia-load-balancer_global_observer:
key: "load-balancer:global_observer"
value: "role:load-balancer_global_observer or rule:system-reader"
octavia-load-balancer_member_and_owner:
key: "load-balancer:member_and_owner"
value: "role:load-balancer_member and rule:project-member"
octavia-load-balancer_admin:
key: "load-balancer:admin"
value: "is_admin:True or role:load-balancer_admin or rule:system-admin"
value: "role:admin"
octavia-load-balancer_read:
key: "load-balancer:read"
value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
value: "role:admin or rule:project-reader"
octavia-load-balancer_read-global:
key: "load-balancer:read-global"
value: "rule:load-balancer:global_observer or rule:load-balancer:admin"
value: "role:admin"
octavia-load-balancer_write:
key: "load-balancer:write"
value: "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
value: "role:admin or rule:project-member"
octavia-load-balancer_read-quota:
key: "load-balancer:read-quota"
value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
value: "role:admin or rule:project-reader"
octavia-load-balancer_read-quota-global:
key: "load-balancer:read-quota-global"
value: "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
value: "role:admin"
octavia-load-balancer_write-quota:
key: "load-balancer:write-quota"
value: "role:load-balancer_quota_admin or rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor_get_all:
key: "os_load-balancer_api:flavor:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_flavor_post:
key: "os_load-balancer_api:flavor:post"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor_put:
key: "os_load-balancer_api:flavor:put"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor_get_one:
key: "os_load-balancer_api:flavor:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_flavor_delete:
key: "os_load-balancer_api:flavor:delete"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor-profile_get_all:
key: "os_load-balancer_api:flavor-profile:get_all"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor-profile_post:
key: "os_load-balancer_api:flavor-profile:post"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor-profile_put:
key: "os_load-balancer_api:flavor-profile:put"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor-profile_get_one:
key: "os_load-balancer_api:flavor-profile:get_one"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_flavor-profile_delete:
key: "os_load-balancer_api:flavor-profile:delete"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone_get_all:
key: "os_load-balancer_api:availability-zone:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_availability-zone_post:
key: "os_load-balancer_api:availability-zone:post"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone_put:
key: "os_load-balancer_api:availability-zone:put"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone_get_one:
key: "os_load-balancer_api:availability-zone:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_availability-zone_delete:
key: "os_load-balancer_api:availability-zone:delete"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone-profile_get_all:
key: "os_load-balancer_api:availability-zone-profile:get_all"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone-profile_post:
key: "os_load-balancer_api:availability-zone-profile:post"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone-profile_put:
key: "os_load-balancer_api:availability-zone-profile:put"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone-profile_get_one:
key: "os_load-balancer_api:availability-zone-profile:get_one"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_availability-zone-profile_delete:
key: "os_load-balancer_api:availability-zone-profile:delete"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_healthmonitor_get_all:
key: "os_load-balancer_api:healthmonitor:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_healthmonitor_get_all-global:
key: "os_load-balancer_api:healthmonitor:get_all-global"
value: "rule:load-balancer:read-global"
octavia-os_load-balancer_api_healthmonitor_post:
key: "os_load-balancer_api:healthmonitor:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_healthmonitor_get_one:
key: "os_load-balancer_api:healthmonitor:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_healthmonitor_put:
key: "os_load-balancer_api:healthmonitor:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_healthmonitor_delete:
key: "os_load-balancer_api:healthmonitor:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7policy_get_all:
key: "os_load-balancer_api:l7policy:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_l7policy_get_all-global:
key: "os_load-balancer_api:l7policy:get_all-global"
value: "rule:load-balancer:read-global"
octavia-os_load-balancer_api_l7policy_post:
key: "os_load-balancer_api:l7policy:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7policy_get_one:
key: "os_load-balancer_api:l7policy:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_l7policy_put:
key: "os_load-balancer_api:l7policy:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7policy_delete:
key: "os_load-balancer_api:l7policy:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7rule_get_all:
key: "os_load-balancer_api:l7rule:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_l7rule_post:
key: "os_load-balancer_api:l7rule:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7rule_get_one:
key: "os_load-balancer_api:l7rule:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_l7rule_put:
key: "os_load-balancer_api:l7rule:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_l7rule_delete:
key: "os_load-balancer_api:l7rule:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_listener_get_all:
key: "os_load-balancer_api:listener:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_listener_get_all-global:
key: "os_load-balancer_api:listener:get_all-global"
value: "rule:load-balancer:read-global"
octavia-os_load-balancer_api_listener_post:
key: "os_load-balancer_api:listener:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_listener_get_one:
key: "os_load-balancer_api:listener:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_listener_put:
key: "os_load-balancer_api:listener:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_listener_delete:
key: "os_load-balancer_api:listener:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_listener_get_stats:
key: "os_load-balancer_api:listener:get_stats"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_loadbalancer_get_all:
key: "os_load-balancer_api:loadbalancer:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_loadbalancer_get_all-global:
key: "os_load-balancer_api:loadbalancer:get_all-global"
value: "rule:load-balancer:read-global"
octavia-os_load-balancer_api_loadbalancer_post:
key: "os_load-balancer_api:loadbalancer:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_loadbalancer_get_one:
key: "os_load-balancer_api:loadbalancer:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_loadbalancer_put:
key: "os_load-balancer_api:loadbalancer:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_loadbalancer_delete:
key: "os_load-balancer_api:loadbalancer:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_loadbalancer_get_stats:
key: "os_load-balancer_api:loadbalancer:get_stats"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_loadbalancer_get_status:
key: "os_load-balancer_api:loadbalancer:get_status"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_loadbalancer_put_failover:
key: "os_load-balancer_api:loadbalancer:put_failover"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_member_get_all:
key: "os_load-balancer_api:member:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_member_post:
key: "os_load-balancer_api:member:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_member_get_one:
key: "os_load-balancer_api:member:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_member_put:
key: "os_load-balancer_api:member:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_member_delete:
key: "os_load-balancer_api:member:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_pool_get_all:
key: "os_load-balancer_api:pool:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_pool_get_all-global:
key: "os_load-balancer_api:pool:get_all-global"
value: "rule:load-balancer:read-global"
octavia-os_load-balancer_api_pool_post:
key: "os_load-balancer_api:pool:post"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_pool_get_one:
key: "os_load-balancer_api:pool:get_one"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_pool_put:
key: "os_load-balancer_api:pool:put"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_pool_delete:
key: "os_load-balancer_api:pool:delete"
value: "rule:load-balancer:write"
octavia-os_load-balancer_api_provider_get_all:
key: "os_load-balancer_api:provider:get_all"
value: "rule:load-balancer:read"
octavia-os_load-balancer_api_quota_get_all:
key: "os_load-balancer_api:quota:get_all"
value: "rule:load-balancer:read-quota"
octavia-os_load-balancer_api_quota_get_all-global:
key: "os_load-balancer_api:quota:get_all-global"
value: "rule:load-balancer:read-quota-global"
octavia-os_load-balancer_api_quota_get_one:
key: "os_load-balancer_api:quota:get_one"
value: "rule:load-balancer:read-quota"
octavia-os_load-balancer_api_quota_put:
key: "os_load-balancer_api:quota:put"
value: "rule:load-balancer:write-quota"
octavia-os_load-balancer_api_quota_delete:
key: "os_load-balancer_api:quota:delete"
value: "rule:load-balancer:write-quota"
octavia-os_load-balancer_api_quota_get_defaults:
key: "os_load-balancer_api:quota:get_defaults"
value: "rule:load-balancer:read-quota"
octavia-os_load-balancer_api_amphora_get_all:
key: "os_load-balancer_api:amphora:get_all"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_amphora_get_one:
key: "os_load-balancer_api:amphora:get_one"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_amphora_delete:
key: "os_load-balancer_api:amphora:delete"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_amphora_put_config:
key: "os_load-balancer_api:amphora:put_config"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_amphora_put_failover:
key: "os_load-balancer_api:amphora:put_failover"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_amphora_get_stats:
key: "os_load-balancer_api:amphora:get_stats"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_provider-flavor_get_all:
key: "os_load-balancer_api:provider-flavor:get_all"
value: "rule:load-balancer:admin"
octavia-os_load-balancer_api_provider-availability-zone_get_all:
key: "os_load-balancer_api:provider-availability-zone:get_all"
value: "rule:load-balancer:admin"
value: "role:admin"
IronicApiPolicies:
ironic-admin_api:
key: "admin_api"
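Review bot: The replacement values for `load-balancer:admin`, `load-balancer:read-global`, `load-balancer:read-quota-global` and `load-balancer:write-quota` are a bare `role:admin` with no `system_scope` or `project_id` term, so a token holding admin on any one project would pass every check that resolves to these rules, including the global (cross-project) reads. This reads the second `value:` of each pair as the new side, because the page has lost its `+`/`-` column. If dropping system scope is intentional for the project-persona model, a comment above `OctaviaApiPolicies:` should say so, for example `# role:admin is deliberately not scope-checked: admin on any project is load-balancer admin cloud-wide`. The `rule:project-reader` and `rule:project-member` aliases used by the new `read`, `write` and `read-quota` values appear to be no longer defined in this section, so they must come from the deployed Octavia's default policy. Confirm that for stable/wallaby, since oslo.policy treats a reference to an undefined rule as a failed check and those three rules would then quietly become admin-only.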
