diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index 8c9503c704..58347fee11 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -4087,7 +4087,7 @@ parameter_defaults:
 IronicApiPolicies:
 ironic-admin_api:
 key: "admin_api"
- value: "role:admin or role:administrator"
+ value: "role:admin"
 ironic-public_api:
 key: "public_api"
 value: "is_public_api:True"
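Review bot: `rule:admin_api` now reduces to a bare `role:admin`, and because the rest of this patch substitutes `rule:admin_api` for every former `... and system_scope:all` clause, the system-scope boundary disappears from the whole Ironic policy set: any token carrying the admin role on any project satisfies node create/delete, vendor_passthru and the other system-level rules. If that is intended because this deployment does not issue system-scoped tokens, record it next to the rule, e.g. `# admin_api is deliberately unscoped: any admin-role token (project- or system-scoped) matches; system_scope is not enforced by these Ironic policies`; otherwise keep the scope with `value: "role:admin and system_scope:all"`. Dropping `role:administrator` is also a compatibility change: any deployment that granted only that role to operators loses Ironic admin access, so it deserves a release note.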
@@ -4117,217 +4117,208 @@ parameter_defaults:
 value: "project_id:%(allocation.owner)s"
 ironic-baremetal_node_create:
 key: "baremetal:node:create"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_list:
 key: "baremetal:node:list"
- value: "role:reader"
+ value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
 ironic-baremetal_node_list_all:
 key: "baremetal:node:list_all"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_get:
 key: "baremetal:node:get"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_get_filter_threshold:
 key: "baremetal:node:get:filter_threshold"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_get_last_error:
 key: "baremetal:node:get:last_error"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
 ironic-baremetal_node_get_reservation:
 key: "baremetal:node:get:reservation"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
 ironic-baremetal_node_get_driver_internal_info:
 key: "baremetal:node:get:driver_internal_info"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
 ironic-baremetal_node_get_driver_info:
 key: "baremetal:node:get:driver_info"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_driver_info:
 key: "baremetal:node:update:driver_info"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update:
 key: "baremetal:node:update"
 value: "rule:baremetal:node:update:driver_info"
 ironic-baremetal_node_update_properties:
 key: "baremetal:node:update:properties"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_chassis_uuid:
 key: "baremetal:node:update:chassis_uuid"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_update_instance_uuid:
 key: "baremetal:node:update:instance_uuid"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_lessee:
 key: "baremetal:node:update:lessee"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_owner:
 key: "baremetal:node:update:owner"
- value: "role:member and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_update_driver_interfaces:
 key: "baremetal:node:update:driver_interfaces"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_update_network_data:
 key: "baremetal:node:update:network_data"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_conductor_group:
 key: "baremetal:node:update:conductor_group"
- value: "role:member and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_update_name:
 key: "baremetal:node:update:name"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_retired:
 key: "baremetal:node:update:retired"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_extra:
 key: "baremetal:node:update_extra"
- value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_update_instance_info:
 key: "baremetal:node:update_instance_info"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_update_owner_provisioned:
 key: "baremetal:node:update_owner_provisioned"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_delete:
 key: "baremetal:node:delete"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_validate:
 key: "baremetal:node:validate"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_set_maintenance:
 key: "baremetal:node:set_maintenance"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_clear_maintenance:
 key: "baremetal:node:clear_maintenance"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_get_boot_device:
 key: "baremetal:node:get_boot_device"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_set_boot_device:
 key: "baremetal:node:set_boot_device"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_get_indicator_state:
 key: "baremetal:node:get_indicator_state"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_set_indicator_state:
 key: "baremetal:node:set_indicator_state"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_inject_nmi:
 key: "baremetal:node:inject_nmi"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_get_states:
 key: "baremetal:node:get_states"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_set_power_state:
 key: "baremetal:node:set_power_state"
- value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
- ironic-baremetal_node_set_boot_mode:
- key: "baremetal:node:set_boot_mode"
- value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
- ironic-baremetal_node_set_secure_boot:
- key: "baremetal:node:set_secure_boot"
- value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_set_provision_state:
 key: "baremetal:node:set_provision_state"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_set_raid_state:
 key: "baremetal:node:set_raid_state"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_get_console:
 key: "baremetal:node:get_console"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_set_console_state:
 key: "baremetal:node:set_console_state"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_vif_list:
 key: "baremetal:node:vif:list"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_vif_attach:
 key: "baremetal:node:vif:attach"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_vif_detach:
 key: "baremetal:node:vif:detach"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_node_traits_list:
 key: "baremetal:node:traits:list"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_traits_set:
 key: "baremetal:node:traits:set"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_traits_delete:
 key: "baremetal:node:traits:delete"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_node_bios_get:
 key: "baremetal:node:bios:get"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_node_disable_cleaning:
 key: "baremetal:node:disable_cleaning"
- value: "role:admin and system_scope:all"
- ironic-baremetal_node_history_get:
- key: "baremetal:node:history:get"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
+ value: "rule:admin_api"
 ironic-baremetal_port_get:
 key: "baremetal:port:get"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_port_list:
 key: "baremetal:port:list"
 value: "role:reader"
 ironic-baremetal_port_list_all:
 key: "baremetal:port:list_all"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_port_create:
 key: "baremetal:port:create"
- value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_port_delete:
 key: "baremetal:port:delete"
- value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_port_update:
 key: "baremetal:port:update"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_portgroup_get:
 key: "baremetal:portgroup:get"
- value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
+ value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
 ironic-baremetal_portgroup_create:
 key: "baremetal:portgroup:create"
- value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_portgroup_delete:
 key: "baremetal:portgroup:delete"
- value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_portgroup_update:
 key: "baremetal:portgroup:update"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
+ value: "rule:admin_api "
 ironic-baremetal_portgroup_list:
 key: "baremetal:portgroup:list"
 value: "role:reader"
 ironic-baremetal_portgroup_list_all:
 key: "baremetal:portgroup:list_all"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_chassis_get:
 key: "baremetal:chassis:get"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_chassis_create:
 key: "baremetal:chassis:create"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_chassis_delete:
 key: "baremetal:chassis:delete"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_chassis_update:
 key: "baremetal:chassis:update"
- value: "role:member and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_driver_get:
 key: "baremetal:driver:get"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_driver_get_properties:
 key: "baremetal:driver:get_properties"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_driver_get_raid_logical_disk_properties:
 key: "baremetal:driver:get_raid_logical_disk_properties"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_vendor_passthru:
 key: "baremetal:node:vendor_passthru"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_driver_vendor_passthru:
 key: "baremetal:driver:vendor_passthru"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_node_ipa_heartbeat:
 key: "baremetal:node:ipa_heartbeat"
 value: ""
@@ -4336,7 +4327,7 @@ parameter_defaults:
 value: ""
 ironic-baremetal_volume_list_all:
 key: "baremetal:volume:list_all"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_volume_get:
 key: "baremetal:volume:get"
 value: "rule:baremetal:volume:list_all"
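Review bot: `baremetal:node:list` becomes `rule:admin_api or (role:reader and project_id:%(node.owner)s)` while its siblings in this same hunk, `baremetal:port:list` and `baremetal:portgroup:list`, stay `role:reader`; as I recall, Ironic evaluates the `:list` rule against the caller's own context after `:list_all` is refused and only then filters results by the caller's project, so no `node.owner` key is in the target, the `project_id:%(node.owner)s` clause can never match, and non-admin readers would lose node listing entirely — please verify against the API's list-policy check and, if so, use `value: "role:reader"` like the port and portgroup rules. Several new values carry a trailing space inside the quotes (`"rule:admin_api "` for update:driver_interfaces, get/set_boot_device, inject_nmi, traits:set/delete and the port/portgroup create/delete/update rules); oslo.policy's tokenizer most likely ignores it, but they should read `"rule:admin_api"` like the rest. The `baremetal:node:set_boot_mode`, `baremetal:node:set_secure_boot` and `baremetal:node:history:get` overrides are deleted rather than converted, so those three APIs now fall back to whatever Ironic's in-tree defaults grant, outside the `rule:admin_api` convention this file establishes — either convert them like `set_power_state` (`rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))`) or add a comment recording why they are intentionally left to the defaults. Every `(role:admin and project_id:%(node.lessee)s)` branch (validate, set/clear_maintenance, set_provision_state, vif attach/detach, update_instance_info) is also gone, so lessee-project admins can no longer provision leased nodes; if that is intended it needs a release note.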
@@ -4345,56 +4336,56 @@ parameter_defaults:
 value: "role:reader"
 ironic-baremetal_volume_create:
 key: "baremetal:volume:create"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api"
 ironic-baremetal_volume_delete:
 key: "baremetal:volume:delete"
- value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api"
 ironic-baremetal_volume_update:
 key: "baremetal:volume:update"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
+ value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
 ironic-baremetal_volume_view_target_properties:
 key: "baremetal:volume:view_target_properties"
- value: "(role:reader and system_scope:all) or (role:admin)"
+ value: "rule:admin_api"
 ironic-baremetal_conductor_get:
 key: "baremetal:conductor:get"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_allocation_get:
 key: "baremetal:allocation:get"
- value: "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
 ironic-baremetal_allocation_list:
 key: "baremetal:allocation:list"
 value: "role:reader"
 ironic-baremetal_allocation_list_all:
 key: "baremetal:allocation:list_all"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_allocation_create:
 key: "baremetal:allocation:create"
- value: "(role:member and system_scope:all) or (role:member)"
+ value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
 ironic-baremetal_allocation_create_restricted:
 key: "baremetal:allocation:create_restricted"
- value: "role:member and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_allocation_delete:
 key: "baremetal:allocation:delete"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
 ironic-baremetal_allocation_update:
 key: "baremetal:allocation:update"
- value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
+ value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
 ironic-baremetal_allocation_create_pre_rbac:
 key: "baremetal:allocation:create_pre_rbac"
- value: "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"
+ value: "rule:admin_api"
 ironic-baremetal_events_post:
 key: "baremetal:events:post"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_deploy_template_get:
 key: "baremetal:deploy_template:get"
- value: "role:reader and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_deploy_template_create:
 key: "baremetal:deploy_template:create"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_deploy_template_delete:
 key: "baremetal:deploy_template:delete"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"
 ironic-baremetal_deploy_template_update:
 key: "baremetal:deploy_template:update"
- value: "role:admin and system_scope:all"
+ value: "rule:admin_api"