diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index efdcb0ba23..12ca8ac0e7 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -3802,291 +3802,27 @@ parameter_defaults:
 key: "share_access_metadata:delete"
 value: "(rule:system-admin) or (rule:project-member)"
 OctaviaApiPolicies:
- octavia-system-admin:
- key: "system-admin"
- value: "role:admin and system_scope:all"
- octavia-system-reader:
- key: "system-reader"
- value: "role:reader and system_scope:all"
- octavia-project-member:
- key: "project-member"
- value: "role:member and project_id:%(project_id)s"
- octavia-project-reader:
- key: "project-reader"
- value: "role:reader and project_id:%(project_id)s"
- octavia-context_is_admin:
- key: "context_is_admin"
- value: "role:load-balancer_admin or rule:system-admin"
- octavia-load-balancer_owner:
- key: "load-balancer:owner"
- value: "project_id:%(project_id)s"
- octavia-load-balancer_observer_and_owner:
- key: "load-balancer:observer_and_owner"
- value: "role:load-balancer_observer and rule:project-reader"
- octavia-load-balancer_global_observer:
- key: "load-balancer:global_observer"
- value: "role:load-balancer_global_observer or rule:system-reader"
- octavia-load-balancer_member_and_owner:
- key: "load-balancer:member_and_owner"
- value: "role:load-balancer_member and rule:project-member"
 octavia-load-balancer_admin:
 key: "load-balancer:admin"
- value: "is_admin:True or role:load-balancer_admin or rule:system-admin"
+ value: "role:admin"
 octavia-load-balancer_read:
 key: "load-balancer:read"
- value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+ value: "role:admin or rule:project-reader"
 octavia-load-balancer_read-global:
 key: "load-balancer:read-global"
- value: "rule:load-balancer:global_observer or rule:load-balancer:admin"
+ value: "role:admin"
 octavia-load-balancer_write:
 key: "load-balancer:write"
- value: "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+ value: "role:admin or rule:project-member"
 octavia-load-balancer_read-quota:
 key: "load-balancer:read-quota"
- value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
+ value: "role:admin or rule:project-reader"
 octavia-load-balancer_read-quota-global:
 key: "load-balancer:read-quota-global"
- value: "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
+ value: "role:admin"
 octavia-load-balancer_write-quota:
 key: "load-balancer:write-quota"
- value: "role:load-balancer_quota_admin or rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor_get_all:
- key: "os_load-balancer_api:flavor:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_flavor_post:
- key: "os_load-balancer_api:flavor:post"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor_put:
- key: "os_load-balancer_api:flavor:put"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor_get_one:
- key: "os_load-balancer_api:flavor:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_flavor_delete:
- key: "os_load-balancer_api:flavor:delete"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor-profile_get_all:
- key: "os_load-balancer_api:flavor-profile:get_all"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor-profile_post:
- key: "os_load-balancer_api:flavor-profile:post"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor-profile_put:
- key: "os_load-balancer_api:flavor-profile:put"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor-profile_get_one:
- key: "os_load-balancer_api:flavor-profile:get_one"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_flavor-profile_delete:
- key: "os_load-balancer_api:flavor-profile:delete"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone_get_all:
- key: "os_load-balancer_api:availability-zone:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_availability-zone_post:
- key: "os_load-balancer_api:availability-zone:post"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone_put:
- key: "os_load-balancer_api:availability-zone:put"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone_get_one:
- key: "os_load-balancer_api:availability-zone:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_availability-zone_delete:
- key: "os_load-balancer_api:availability-zone:delete"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone-profile_get_all:
- key: "os_load-balancer_api:availability-zone-profile:get_all"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone-profile_post:
- key: "os_load-balancer_api:availability-zone-profile:post"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone-profile_put:
- key: "os_load-balancer_api:availability-zone-profile:put"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone-profile_get_one:
- key: "os_load-balancer_api:availability-zone-profile:get_one"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_availability-zone-profile_delete:
- key: "os_load-balancer_api:availability-zone-profile:delete"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_healthmonitor_get_all:
- key: "os_load-balancer_api:healthmonitor:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_healthmonitor_get_all-global:
- key: "os_load-balancer_api:healthmonitor:get_all-global"
- value: "rule:load-balancer:read-global"
- octavia-os_load-balancer_api_healthmonitor_post:
- key: "os_load-balancer_api:healthmonitor:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_healthmonitor_get_one:
- key: "os_load-balancer_api:healthmonitor:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_healthmonitor_put:
- key: "os_load-balancer_api:healthmonitor:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_healthmonitor_delete:
- key: "os_load-balancer_api:healthmonitor:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7policy_get_all:
- key: "os_load-balancer_api:l7policy:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_l7policy_get_all-global:
- key: "os_load-balancer_api:l7policy:get_all-global"
- value: "rule:load-balancer:read-global"
- octavia-os_load-balancer_api_l7policy_post:
- key: "os_load-balancer_api:l7policy:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7policy_get_one:
- key: "os_load-balancer_api:l7policy:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_l7policy_put:
- key: "os_load-balancer_api:l7policy:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7policy_delete:
- key: "os_load-balancer_api:l7policy:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7rule_get_all:
- key: "os_load-balancer_api:l7rule:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_l7rule_post:
- key: "os_load-balancer_api:l7rule:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7rule_get_one:
- key: "os_load-balancer_api:l7rule:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_l7rule_put:
- key: "os_load-balancer_api:l7rule:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_l7rule_delete:
- key: "os_load-balancer_api:l7rule:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_listener_get_all:
- key: "os_load-balancer_api:listener:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_listener_get_all-global:
- key: "os_load-balancer_api:listener:get_all-global"
- value: "rule:load-balancer:read-global"
- octavia-os_load-balancer_api_listener_post:
- key: "os_load-balancer_api:listener:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_listener_get_one:
- key: "os_load-balancer_api:listener:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_listener_put:
- key: "os_load-balancer_api:listener:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_listener_delete:
- key: "os_load-balancer_api:listener:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_listener_get_stats:
- key: "os_load-balancer_api:listener:get_stats"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_loadbalancer_get_all:
- key: "os_load-balancer_api:loadbalancer:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_loadbalancer_get_all-global:
- key: "os_load-balancer_api:loadbalancer:get_all-global"
- value: "rule:load-balancer:read-global"
- octavia-os_load-balancer_api_loadbalancer_post:
- key: "os_load-balancer_api:loadbalancer:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_loadbalancer_get_one:
- key: "os_load-balancer_api:loadbalancer:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_loadbalancer_put:
- key: "os_load-balancer_api:loadbalancer:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_loadbalancer_delete:
- key: "os_load-balancer_api:loadbalancer:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_loadbalancer_get_stats:
- key: "os_load-balancer_api:loadbalancer:get_stats"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_loadbalancer_get_status:
- key: "os_load-balancer_api:loadbalancer:get_status"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_loadbalancer_put_failover:
- key: "os_load-balancer_api:loadbalancer:put_failover"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_member_get_all:
- key: "os_load-balancer_api:member:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_member_post:
- key: "os_load-balancer_api:member:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_member_get_one:
- key: "os_load-balancer_api:member:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_member_put:
- key: "os_load-balancer_api:member:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_member_delete:
- key: "os_load-balancer_api:member:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_pool_get_all:
- key: "os_load-balancer_api:pool:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_pool_get_all-global:
- key: "os_load-balancer_api:pool:get_all-global"
- value: "rule:load-balancer:read-global"
- octavia-os_load-balancer_api_pool_post:
- key: "os_load-balancer_api:pool:post"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_pool_get_one:
- key: "os_load-balancer_api:pool:get_one"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_pool_put:
- key: "os_load-balancer_api:pool:put"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_pool_delete:
- key: "os_load-balancer_api:pool:delete"
- value: "rule:load-balancer:write"
- octavia-os_load-balancer_api_provider_get_all:
- key: "os_load-balancer_api:provider:get_all"
- value: "rule:load-balancer:read"
- octavia-os_load-balancer_api_quota_get_all:
- key: "os_load-balancer_api:quota:get_all"
- value: "rule:load-balancer:read-quota"
- octavia-os_load-balancer_api_quota_get_all-global:
- key: "os_load-balancer_api:quota:get_all-global"
- value: "rule:load-balancer:read-quota-global"
- octavia-os_load-balancer_api_quota_get_one:
- key: "os_load-balancer_api:quota:get_one"
- value: "rule:load-balancer:read-quota"
- octavia-os_load-balancer_api_quota_put:
- key: "os_load-balancer_api:quota:put"
- value: "rule:load-balancer:write-quota"
- octavia-os_load-balancer_api_quota_delete:
- key: "os_load-balancer_api:quota:delete"
- value: "rule:load-balancer:write-quota"
- octavia-os_load-balancer_api_quota_get_defaults:
- key: "os_load-balancer_api:quota:get_defaults"
- value: "rule:load-balancer:read-quota"
- octavia-os_load-balancer_api_amphora_get_all:
- key: "os_load-balancer_api:amphora:get_all"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_amphora_get_one:
- key: "os_load-balancer_api:amphora:get_one"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_amphora_delete:
- key: "os_load-balancer_api:amphora:delete"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_amphora_put_config:
- key: "os_load-balancer_api:amphora:put_config"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_amphora_put_failover:
- key: "os_load-balancer_api:amphora:put_failover"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_amphora_get_stats:
- key: "os_load-balancer_api:amphora:get_stats"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_provider-flavor_get_all:
- key: "os_load-balancer_api:provider-flavor:get_all"
- value: "rule:load-balancer:admin"
- octavia-os_load-balancer_api_provider-availability-zone_get_all:
- key: "os_load-balancer_api:provider-availability-zone:get_all"
- value: "rule:load-balancer:admin"
+ value: "role:admin"
 IronicApiPolicies:
 ironic-admin_api:
 key: "admin_api"
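Review bot: The new `load-balancer:read`, `load-balancer:write` and `load-balancer:read-quota` values reference `rule:project-reader` and `rule:project-member`, but this same hunk deletes the `octavia-project-reader` and `octavia-project-member` overrides that defined them. Unless the deployed Octavia release registers rules under those exact names in its in-code defaults (not visible here), oslo.policy evaluates an undefined `rule:` reference as a failed check, so project users would be denied and only the `role:admin` branch would ever pass; either confirm that against the target release or keep the two definitions. Separately, `role:admin` carries no `system_scope:all` or `project_id:%(project_id)s` constraint, so an admin role held on any one project appears to satisfy `load-balancer:admin`, `load-balancer:read-global` and `load-balancer:write-quota` for every tenant, and assignments of the `load-balancer_*` roles are no longer honoured. If both effects are intended, I would state them above `OctaviaApiPolicies:` with a comment such as `# role:admin is deliberately unscoped; project-reader/project-member resolve to Octavia's built-in rules` and call out the dropped `load-balancer_*` roles in the release note.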