Merge "Implement project personas in custom ironic policy file" into stable/wallaby

changes/49/822249/1
Zuul 12 months ago committed by Gerrit Code Review
commit 91ab5c0f89
  1. 177
      environments/enable-secure-rbac.yaml

@ -4087,7 +4087,7 @@ parameter_defaults:
IronicApiPolicies:
ironic-admin_api:
key: "admin_api"
value: "role:admin or role:administrator"
value: "role:admin"
ironic-public_api:
key: "public_api"
value: "is_public_api:True"
@ -4117,217 +4117,208 @@ parameter_defaults:
value: "project_id:%(allocation.owner)s"
ironic-baremetal_node_create:
key: "baremetal:node:create"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_list:
key: "baremetal:node:list"
value: "role:reader"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_list_all:
key: "baremetal:node:list_all"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_get:
key: "baremetal:node:get"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_get_filter_threshold:
key: "baremetal:node:get:filter_threshold"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_get_last_error:
key: "baremetal:node:get:last_error"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_reservation:
key: "baremetal:node:get:reservation"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_driver_internal_info:
key: "baremetal:node:get:driver_internal_info"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_driver_info:
key: "baremetal:node:get:driver_info"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_update_driver_info:
key: "baremetal:node:update:driver_info"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update:
key: "baremetal:node:update"
value: "rule:baremetal:node:update:driver_info"
ironic-baremetal_node_update_properties:
key: "baremetal:node:update:properties"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_chassis_uuid:
key: "baremetal:node:update:chassis_uuid"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_update_instance_uuid:
key: "baremetal:node:update:instance_uuid"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_lessee:
key: "baremetal:node:update:lessee"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_owner:
key: "baremetal:node:update:owner"
value: "role:member and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_update_driver_interfaces:
key: "baremetal:node:update:driver_interfaces"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_update_network_data:
key: "baremetal:node:update:network_data"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_conductor_group:
key: "baremetal:node:update:conductor_group"
value: "role:member and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_update_name:
key: "baremetal:node:update:name"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_retired:
key: "baremetal:node:update:retired"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_extra:
key: "baremetal:node:update_extra"
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_update_instance_info:
key: "baremetal:node:update_instance_info"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_owner_provisioned:
key: "baremetal:node:update_owner_provisioned"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_delete:
key: "baremetal:node:delete"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_validate:
key: "baremetal:node:validate"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_maintenance:
key: "baremetal:node:set_maintenance"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_clear_maintenance:
key: "baremetal:node:clear_maintenance"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_get_boot_device:
key: "baremetal:node:get_boot_device"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_set_boot_device:
key: "baremetal:node:set_boot_device"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_get_indicator_state:
key: "baremetal:node:get_indicator_state"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_indicator_state:
key: "baremetal:node:set_indicator_state"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_inject_nmi:
key: "baremetal:node:inject_nmi"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_get_states:
key: "baremetal:node:get_states"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_power_state:
key: "baremetal:node:set_power_state"
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_boot_mode:
key: "baremetal:node:set_boot_mode"
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_secure_boot:
key: "baremetal:node:set_secure_boot"
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_provision_state:
key: "baremetal:node:set_provision_state"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_raid_state:
key: "baremetal:node:set_raid_state"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_get_console:
key: "baremetal:node:get_console"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_console_state:
key: "baremetal:node:set_console_state"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_vif_list:
key: "baremetal:node:vif:list"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_vif_attach:
key: "baremetal:node:vif:attach"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_vif_detach:
key: "baremetal:node:vif:detach"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_traits_list:
key: "baremetal:node:traits:list"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_traits_set:
key: "baremetal:node:traits:set"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_traits_delete:
key: "baremetal:node:traits:delete"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_node_bios_get:
key: "baremetal:node:bios:get"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_disable_cleaning:
key: "baremetal:node:disable_cleaning"
value: "role:admin and system_scope:all"
ironic-baremetal_node_history_get:
key: "baremetal:node:history:get"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
value: "rule:admin_api"
ironic-baremetal_port_get:
key: "baremetal:port:get"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_port_list:
key: "baremetal:port:list"
value: "role:reader"
ironic-baremetal_port_list_all:
key: "baremetal:port:list_all"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_port_create:
key: "baremetal:port:create"
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_port_delete:
key: "baremetal:port:delete"
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_port_update:
key: "baremetal:port:update"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_portgroup_get:
key: "baremetal:portgroup:get"
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_portgroup_create:
key: "baremetal:portgroup:create"
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_portgroup_delete:
key: "baremetal:portgroup:delete"
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_portgroup_update:
key: "baremetal:portgroup:update"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
value: "rule:admin_api "
ironic-baremetal_portgroup_list:
key: "baremetal:portgroup:list"
value: "role:reader"
ironic-baremetal_portgroup_list_all:
key: "baremetal:portgroup:list_all"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_chassis_get:
key: "baremetal:chassis:get"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_chassis_create:
key: "baremetal:chassis:create"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_chassis_delete:
key: "baremetal:chassis:delete"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_chassis_update:
key: "baremetal:chassis:update"
value: "role:member and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_driver_get:
key: "baremetal:driver:get"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_driver_get_properties:
key: "baremetal:driver:get_properties"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_driver_get_raid_logical_disk_properties:
key: "baremetal:driver:get_raid_logical_disk_properties"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_vendor_passthru:
key: "baremetal:node:vendor_passthru"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_driver_vendor_passthru:
key: "baremetal:driver:vendor_passthru"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_node_ipa_heartbeat:
key: "baremetal:node:ipa_heartbeat"
value: ""
@ -4336,7 +4327,7 @@ parameter_defaults:
value: ""
ironic-baremetal_volume_list_all:
key: "baremetal:volume:list_all"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_volume_get:
key: "baremetal:volume:get"
value: "rule:baremetal:volume:list_all"
@ -4345,56 +4336,56 @@ parameter_defaults:
value: "role:reader"
ironic-baremetal_volume_create:
key: "baremetal:volume:create"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api"
ironic-baremetal_volume_delete:
key: "baremetal:volume:delete"
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api"
ironic-baremetal_volume_update:
key: "baremetal:volume:update"
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_volume_view_target_properties:
key: "baremetal:volume:view_target_properties"
value: "(role:reader and system_scope:all) or (role:admin)"
value: "rule:admin_api"
ironic-baremetal_conductor_get:
key: "baremetal:conductor:get"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_allocation_get:
key: "baremetal:allocation:get"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"
value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
ironic-baremetal_allocation_list:
key: "baremetal:allocation:list"
value: "role:reader"
ironic-baremetal_allocation_list_all:
key: "baremetal:allocation:list_all"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_allocation_create:
key: "baremetal:allocation:create"
value: "(role:member and system_scope:all) or (role:member)"
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
ironic-baremetal_allocation_create_restricted:
key: "baremetal:allocation:create_restricted"
value: "role:member and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_allocation_delete:
key: "baremetal:allocation:delete"
value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
ironic-baremetal_allocation_update:
key: "baremetal:allocation:update"
value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
ironic-baremetal_allocation_create_pre_rbac:
key: "baremetal:allocation:create_pre_rbac"
value: "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"
value: "rule:admin_api"
ironic-baremetal_events_post:
key: "baremetal:events:post"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_deploy_template_get:
key: "baremetal:deploy_template:get"
value: "role:reader and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_deploy_template_create:
key: "baremetal:deploy_template:create"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_deploy_template_delete:
key: "baremetal:deploy_template:delete"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
ironic-baremetal_deploy_template_update:
key: "baremetal:deploy_template:update"
value: "role:admin and system_scope:all"
value: "rule:admin_api"
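Review bot: Three rules in the second hunk keep their `system_scope:all` gate while every sibling rule is moved to `rule:admin_api`: `baremetal:node:set_power_state` and `baremetal:node:set_boot_mode` (both still `(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))`) and `baremetal:node:disable_cleaning` (still `role:admin and system_scope:all`). With `admin_api` now defined as plain `role:admin`, a project-scoped admin can set a node's provision state but cannot change its power state or disable cleaning, which reads as an oversight rather than intent; if the personas model is meant to be uniform these should become `value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"` for the first two and `value: "rule:admin_api"` for the third. Separately, the new value `"rule:admin_api "` carries a trailing space on twelve lines (node:update:driver_interfaces, get/set_boot_device, inject_nmi, traits:set/delete, and port/portgroup create/delete/update); oslo.policy tokenizes on whitespace so it is presumably harmless, but it should be `"rule:admin_api"` for consistency. The commit message should also state that rules such as node:set_provision_state, node:vif:attach and volume:create drop the former `(role:admin and project_id:%(node.lessee)s)` branch, so lessee-project admins lose access — worth confirming that is intended.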
