Implement project personas in custom octavia policy file

This change updates the default octavia policies to implement support
for project personas (project-admin, project-member, and
project-reader) that is consistent with other OpenStack services. The
project-admin is still considered a system administrator.

This behavior will change in future releases when more OpenStack
services adopt system-scope. At that time, we can go back to use the
default octavia policies or update them to use system scope.

Change-Id: I768fc10144a634ea6058b7b48a1862be9d70da79
(cherry picked from commit 43a685e4bc)
Lance Bragstad 2021-09-22 15:13:59 +00:00
parent 697805ef25
commit 8b43104926
1 changed files with 7 additions and 271 deletions


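--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -3802,291 +3802,27 @@ parameter_defaults:
 key: "share_access_metadata:delete"
 value: "(rule:system-admin) or (rule:project-member)"
 OctaviaApiPolicies:
-octavia-system-admin:
-key: "system-admin"
-value: "role:admin and system_scope:all"
-octavia-system-reader:
-key: "system-reader"
-value: "role:reader and system_scope:all"
-octavia-project-member:
-key: "project-member"
-value: "role:member and project_id:%(project_id)s"
-octavia-project-reader:
-key: "project-reader"
-value: "role:reader and project_id:%(project_id)s"
-octavia-context_is_admin:
-key: "context_is_admin"
-value: "role:load-balancer_admin or rule:system-admin"
-octavia-load-balancer_owner:
-key: "load-balancer:owner"
-value: "project_id:%(project_id)s"
-octavia-load-balancer_observer_and_owner:
-key: "load-balancer:observer_and_owner"
-value: "role:load-balancer_observer and rule:project-reader"
-octavia-load-balancer_global_observer:
-key: "load-balancer:global_observer"
-value: "role:load-balancer_global_observer or rule:system-reader"
-octavia-load-balancer_member_and_owner:
-key: "load-balancer:member_and_owner"
-value: "role:load-balancer_member and rule:project-member"
 octavia-load-balancer_admin:
 key: "load-balancer:admin"
-value: "is_admin:True or role:load-balancer_admin or rule:system-admin"
+value: "role:admin"
 octavia-load-balancer_read:
 key: "load-balancer:read"
-value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+value: "role:admin or rule:project-reader"
 octavia-load-balancer_read-global:
 key: "load-balancer:read-global"
-value: "rule:load-balancer:global_observer or rule:load-balancer:admin"
+value: "role:admin"
 octavia-load-balancer_write:
 key: "load-balancer:write"
-value: "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
+value: "role:admin or rule:project-member"
 octavia-load-balancer_read-quota:
 key: "load-balancer:read-quota"
-value: "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
+value: "role:admin or rule:project-reader"
 octavia-load-balancer_read-quota-global:
 key: "load-balancer:read-quota-global"
-value: "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
+value: "role:admin"
 octavia-load-balancer_write-quota:
 key: "load-balancer:write-quota"
-value: "role:load-balancer_quota_admin or rule:load-balancer:admin"
+value: "role:admin"
-octavia-os_load-balancer_api_flavor_get_all:
-key: "os_load-balancer_api:flavor:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_flavor_post:
-key: "os_load-balancer_api:flavor:post"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor_put:
-key: "os_load-balancer_api:flavor:put"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor_get_one:
-key: "os_load-balancer_api:flavor:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_flavor_delete:
-key: "os_load-balancer_api:flavor:delete"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor-profile_get_all:
-key: "os_load-balancer_api:flavor-profile:get_all"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor-profile_post:
-key: "os_load-balancer_api:flavor-profile:post"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor-profile_put:
-key: "os_load-balancer_api:flavor-profile:put"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor-profile_get_one:
-key: "os_load-balancer_api:flavor-profile:get_one"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_flavor-profile_delete:
-key: "os_load-balancer_api:flavor-profile:delete"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone_get_all:
-key: "os_load-balancer_api:availability-zone:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_availability-zone_post:
-key: "os_load-balancer_api:availability-zone:post"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone_put:
-key: "os_load-balancer_api:availability-zone:put"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone_get_one:
-key: "os_load-balancer_api:availability-zone:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_availability-zone_delete:
-key: "os_load-balancer_api:availability-zone:delete"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone-profile_get_all:
-key: "os_load-balancer_api:availability-zone-profile:get_all"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone-profile_post:
-key: "os_load-balancer_api:availability-zone-profile:post"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone-profile_put:
-key: "os_load-balancer_api:availability-zone-profile:put"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone-profile_get_one:
-key: "os_load-balancer_api:availability-zone-profile:get_one"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_availability-zone-profile_delete:
-key: "os_load-balancer_api:availability-zone-profile:delete"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_healthmonitor_get_all:
-key: "os_load-balancer_api:healthmonitor:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_healthmonitor_get_all-global:
-key: "os_load-balancer_api:healthmonitor:get_all-global"
-value: "rule:load-balancer:read-global"
-octavia-os_load-balancer_api_healthmonitor_post:
-key: "os_load-balancer_api:healthmonitor:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_healthmonitor_get_one:
-key: "os_load-balancer_api:healthmonitor:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_healthmonitor_put:
-key: "os_load-balancer_api:healthmonitor:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_healthmonitor_delete:
-key: "os_load-balancer_api:healthmonitor:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7policy_get_all:
-key: "os_load-balancer_api:l7policy:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_l7policy_get_all-global:
-key: "os_load-balancer_api:l7policy:get_all-global"
-value: "rule:load-balancer:read-global"
-octavia-os_load-balancer_api_l7policy_post:
-key: "os_load-balancer_api:l7policy:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7policy_get_one:
-key: "os_load-balancer_api:l7policy:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_l7policy_put:
-key: "os_load-balancer_api:l7policy:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7policy_delete:
-key: "os_load-balancer_api:l7policy:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7rule_get_all:
-key: "os_load-balancer_api:l7rule:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_l7rule_post:
-key: "os_load-balancer_api:l7rule:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7rule_get_one:
-key: "os_load-balancer_api:l7rule:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_l7rule_put:
-key: "os_load-balancer_api:l7rule:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_l7rule_delete:
-key: "os_load-balancer_api:l7rule:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_listener_get_all:
-key: "os_load-balancer_api:listener:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_listener_get_all-global:
-key: "os_load-balancer_api:listener:get_all-global"
-value: "rule:load-balancer:read-global"
-octavia-os_load-balancer_api_listener_post:
-key: "os_load-balancer_api:listener:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_listener_get_one:
-key: "os_load-balancer_api:listener:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_listener_put:
-key: "os_load-balancer_api:listener:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_listener_delete:
-key: "os_load-balancer_api:listener:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_listener_get_stats:
-key: "os_load-balancer_api:listener:get_stats"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_loadbalancer_get_all:
-key: "os_load-balancer_api:loadbalancer:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_loadbalancer_get_all-global:
-key: "os_load-balancer_api:loadbalancer:get_all-global"
-value: "rule:load-balancer:read-global"
-octavia-os_load-balancer_api_loadbalancer_post:
-key: "os_load-balancer_api:loadbalancer:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_loadbalancer_get_one:
-key: "os_load-balancer_api:loadbalancer:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_loadbalancer_put:
-key: "os_load-balancer_api:loadbalancer:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_loadbalancer_delete:
-key: "os_load-balancer_api:loadbalancer:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_loadbalancer_get_stats:
-key: "os_load-balancer_api:loadbalancer:get_stats"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_loadbalancer_get_status:
-key: "os_load-balancer_api:loadbalancer:get_status"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_loadbalancer_put_failover:
-key: "os_load-balancer_api:loadbalancer:put_failover"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_member_get_all:
-key: "os_load-balancer_api:member:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_member_post:
-key: "os_load-balancer_api:member:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_member_get_one:
-key: "os_load-balancer_api:member:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_member_put:
-key: "os_load-balancer_api:member:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_member_delete:
-key: "os_load-balancer_api:member:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_pool_get_all:
-key: "os_load-balancer_api:pool:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_pool_get_all-global:
-key: "os_load-balancer_api:pool:get_all-global"
-value: "rule:load-balancer:read-global"
-octavia-os_load-balancer_api_pool_post:
-key: "os_load-balancer_api:pool:post"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_pool_get_one:
-key: "os_load-balancer_api:pool:get_one"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_pool_put:
-key: "os_load-balancer_api:pool:put"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_pool_delete:
-key: "os_load-balancer_api:pool:delete"
-value: "rule:load-balancer:write"
-octavia-os_load-balancer_api_provider_get_all:
-key: "os_load-balancer_api:provider:get_all"
-value: "rule:load-balancer:read"
-octavia-os_load-balancer_api_quota_get_all:
-key: "os_load-balancer_api:quota:get_all"
-value: "rule:load-balancer:read-quota"
-octavia-os_load-balancer_api_quota_get_all-global:
-key: "os_load-balancer_api:quota:get_all-global"
-value: "rule:load-balancer:read-quota-global"
-octavia-os_load-balancer_api_quota_get_one:
-key: "os_load-balancer_api:quota:get_one"
-value: "rule:load-balancer:read-quota"
-octavia-os_load-balancer_api_quota_put:
-key: "os_load-balancer_api:quota:put"
-value: "rule:load-balancer:write-quota"
-octavia-os_load-balancer_api_quota_delete:
-key: "os_load-balancer_api:quota:delete"
-value: "rule:load-balancer:write-quota"
-octavia-os_load-balancer_api_quota_get_defaults:
-key: "os_load-balancer_api:quota:get_defaults"
-value: "rule:load-balancer:read-quota"
-octavia-os_load-balancer_api_amphora_get_all:
-key: "os_load-balancer_api:amphora:get_all"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_amphora_get_one:
-key: "os_load-balancer_api:amphora:get_one"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_amphora_delete:
-key: "os_load-balancer_api:amphora:delete"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_amphora_put_config:
-key: "os_load-balancer_api:amphora:put_config"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_amphora_put_failover:
-key: "os_load-balancer_api:amphora:put_failover"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_amphora_get_stats:
-key: "os_load-balancer_api:amphora:get_stats"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_provider-flavor_get_all:
-key: "os_load-balancer_api:provider-flavor:get_all"
-value: "rule:load-balancer:admin"
-octavia-os_load-balancer_api_provider-availability-zone_get_all:
-key: "os_load-balancer_api:provider-availability-zone:get_all"
-value: "rule:load-balancer:admin"
 IronicApiPolicies:
 ironic-admin_api:
 key: "admin_api"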
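Review bot: The new `load-balancer:read`, `load-balancer:read-quota` and `load-balancer:write` values reference `rule:project-reader` and `rule:project-member`, yet the only definitions of those rules in this section (`octavia-project-member` and `octavia-project-reader`, each a `role:... and project_id:%(project_id)s` check) are removed by the same hunk. Unless Octavia's rendered policy file gets those rules from somewhere outside this hunk, oslo.policy fails an undefined `rule:` reference closed, so non-admin project users would lose all load-balancer access while `role:admin` keeps passing; the manila-style `rule:project-member` on the context line at the top of the hunk suggests a shared definition may exist, but the hunk does not show it. Keeping the two removed `octavia-project-member` / `octavia-project-reader` entries, or pointing the new values at whichever definition is meant, would make the persona mapping verifiable from this file alone. It is also worth a one-line comment above `octavia-load-balancer_admin` that `role:admin` here is deliberately unscoped, e.g. `# project-admin is treated as a system administrator until system-scope is adopted`, since the same bare `role:admin` now governs the global read and quota rules.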