Merge "Implement project personas in custom ironic policy file" into stable/wallaby
commit
91ab5c0f89
|
@ -4087,7 +4087,7 @@ parameter_defaults:
|
|||
IronicApiPolicies:
|
||||
ironic-admin_api:
|
||||
key: "admin_api"
|
||||
value: "role:admin or role:administrator"
|
||||
value: "role:admin"
|
||||
ironic-public_api:
|
||||
key: "public_api"
|
||||
value: "is_public_api:True"
|
||||
|
@ -4117,217 +4117,208 @@ parameter_defaults:
|
|||
value: "project_id:%(allocation.owner)s"
|
||||
ironic-baremetal_node_create:
|
||||
key: "baremetal:node:create"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_list:
|
||||
key: "baremetal:node:list"
|
||||
value: "role:reader"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_list_all:
|
||||
key: "baremetal:node:list_all"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_get:
|
||||
key: "baremetal:node:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_get_filter_threshold:
|
||||
key: "baremetal:node:get:filter_threshold"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_get_last_error:
|
||||
key: "baremetal:node:get:last_error"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_get_reservation:
|
||||
key: "baremetal:node:get:reservation"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_get_driver_internal_info:
|
||||
key: "baremetal:node:get:driver_internal_info"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_get_driver_info:
|
||||
key: "baremetal:node:get:driver_info"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_driver_info:
|
||||
key: "baremetal:node:update:driver_info"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update:
|
||||
key: "baremetal:node:update"
|
||||
value: "rule:baremetal:node:update:driver_info"
|
||||
ironic-baremetal_node_update_properties:
|
||||
key: "baremetal:node:update:properties"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_chassis_uuid:
|
||||
key: "baremetal:node:update:chassis_uuid"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_update_instance_uuid:
|
||||
key: "baremetal:node:update:instance_uuid"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_lessee:
|
||||
key: "baremetal:node:update:lessee"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_owner:
|
||||
key: "baremetal:node:update:owner"
|
||||
value: "role:member and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_update_driver_interfaces:
|
||||
key: "baremetal:node:update:driver_interfaces"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_update_network_data:
|
||||
key: "baremetal:node:update:network_data"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_conductor_group:
|
||||
key: "baremetal:node:update:conductor_group"
|
||||
value: "role:member and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_update_name:
|
||||
key: "baremetal:node:update:name"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_retired:
|
||||
key: "baremetal:node:update:retired"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_extra:
|
||||
key: "baremetal:node:update_extra"
|
||||
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_update_instance_info:
|
||||
key: "baremetal:node:update_instance_info"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_update_owner_provisioned:
|
||||
key: "baremetal:node:update_owner_provisioned"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_delete:
|
||||
key: "baremetal:node:delete"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_validate:
|
||||
key: "baremetal:node:validate"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_set_maintenance:
|
||||
key: "baremetal:node:set_maintenance"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_clear_maintenance:
|
||||
key: "baremetal:node:clear_maintenance"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_get_boot_device:
|
||||
key: "baremetal:node:get_boot_device"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_set_boot_device:
|
||||
key: "baremetal:node:set_boot_device"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_get_indicator_state:
|
||||
key: "baremetal:node:get_indicator_state"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_set_indicator_state:
|
||||
key: "baremetal:node:set_indicator_state"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_inject_nmi:
|
||||
key: "baremetal:node:inject_nmi"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_get_states:
|
||||
key: "baremetal:node:get_states"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_set_power_state:
|
||||
key: "baremetal:node:set_power_state"
|
||||
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_set_boot_mode:
|
||||
key: "baremetal:node:set_boot_mode"
|
||||
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_set_secure_boot:
|
||||
key: "baremetal:node:set_secure_boot"
|
||||
value: "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_set_provision_state:
|
||||
key: "baremetal:node:set_provision_state"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_set_raid_state:
|
||||
key: "baremetal:node:set_raid_state"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_get_console:
|
||||
key: "baremetal:node:get_console"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_set_console_state:
|
||||
key: "baremetal:node:set_console_state"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_vif_list:
|
||||
key: "baremetal:node:vif:list"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_vif_attach:
|
||||
key: "baremetal:node:vif:attach"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_vif_detach:
|
||||
key: "baremetal:node:vif:detach"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_node_traits_list:
|
||||
key: "baremetal:node:traits:list"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_traits_set:
|
||||
key: "baremetal:node:traits:set"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_traits_delete:
|
||||
key: "baremetal:node:traits:delete"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_node_bios_get:
|
||||
key: "baremetal:node:bios:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_node_disable_cleaning:
|
||||
key: "baremetal:node:disable_cleaning"
|
||||
value: "role:admin and system_scope:all"
|
||||
ironic-baremetal_node_history_get:
|
||||
key: "baremetal:node:history:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_port_get:
|
||||
key: "baremetal:port:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_port_list:
|
||||
key: "baremetal:port:list"
|
||||
value: "role:reader"
|
||||
ironic-baremetal_port_list_all:
|
||||
key: "baremetal:port:list_all"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_port_create:
|
||||
key: "baremetal:port:create"
|
||||
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_port_delete:
|
||||
key: "baremetal:port:delete"
|
||||
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_port_update:
|
||||
key: "baremetal:port:update"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_portgroup_get:
|
||||
key: "baremetal:portgroup:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
|
||||
ironic-baremetal_portgroup_create:
|
||||
key: "baremetal:portgroup:create"
|
||||
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_portgroup_delete:
|
||||
key: "baremetal:portgroup:delete"
|
||||
value: "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_portgroup_update:
|
||||
key: "baremetal:portgroup:update"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
|
||||
value: "rule:admin_api "
|
||||
ironic-baremetal_portgroup_list:
|
||||
key: "baremetal:portgroup:list"
|
||||
value: "role:reader"
|
||||
ironic-baremetal_portgroup_list_all:
|
||||
key: "baremetal:portgroup:list_all"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_chassis_get:
|
||||
key: "baremetal:chassis:get"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_chassis_create:
|
||||
key: "baremetal:chassis:create"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_chassis_delete:
|
||||
key: "baremetal:chassis:delete"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_chassis_update:
|
||||
key: "baremetal:chassis:update"
|
||||
value: "role:member and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_driver_get:
|
||||
key: "baremetal:driver:get"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_driver_get_properties:
|
||||
key: "baremetal:driver:get_properties"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_driver_get_raid_logical_disk_properties:
|
||||
key: "baremetal:driver:get_raid_logical_disk_properties"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_vendor_passthru:
|
||||
key: "baremetal:node:vendor_passthru"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_driver_vendor_passthru:
|
||||
key: "baremetal:driver:vendor_passthru"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_node_ipa_heartbeat:
|
||||
key: "baremetal:node:ipa_heartbeat"
|
||||
value: ""
|
||||
|
@ -4336,7 +4327,7 @@ parameter_defaults:
|
|||
value: ""
|
||||
ironic-baremetal_volume_list_all:
|
||||
key: "baremetal:volume:list_all"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_volume_get:
|
||||
key: "baremetal:volume:get"
|
||||
value: "rule:baremetal:volume:list_all"
|
||||
|
@ -4345,56 +4336,56 @@ parameter_defaults:
|
|||
value: "role:reader"
|
||||
ironic-baremetal_volume_create:
|
||||
key: "baremetal:volume:create"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_volume_delete:
|
||||
key: "baremetal:volume:delete"
|
||||
value: "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_volume_update:
|
||||
key: "baremetal:volume:update"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
|
||||
ironic-baremetal_volume_view_target_properties:
|
||||
key: "baremetal:volume:view_target_properties"
|
||||
value: "(role:reader and system_scope:all) or (role:admin)"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_conductor_get:
|
||||
key: "baremetal:conductor:get"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_allocation_get:
|
||||
key: "baremetal:allocation:get"
|
||||
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"
|
||||
value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
|
||||
ironic-baremetal_allocation_list:
|
||||
key: "baremetal:allocation:list"
|
||||
value: "role:reader"
|
||||
ironic-baremetal_allocation_list_all:
|
||||
key: "baremetal:allocation:list_all"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_allocation_create:
|
||||
key: "baremetal:allocation:create"
|
||||
value: "(role:member and system_scope:all) or (role:member)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
|
||||
ironic-baremetal_allocation_create_restricted:
|
||||
key: "baremetal:allocation:create_restricted"
|
||||
value: "role:member and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_allocation_delete:
|
||||
key: "baremetal:allocation:delete"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
|
||||
ironic-baremetal_allocation_update:
|
||||
key: "baremetal:allocation:update"
|
||||
value: "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
|
||||
value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
|
||||
ironic-baremetal_allocation_create_pre_rbac:
|
||||
key: "baremetal:allocation:create_pre_rbac"
|
||||
value: "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_events_post:
|
||||
key: "baremetal:events:post"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_deploy_template_get:
|
||||
key: "baremetal:deploy_template:get"
|
||||
value: "role:reader and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_deploy_template_create:
|
||||
key: "baremetal:deploy_template:create"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_deploy_template_delete:
|
||||
key: "baremetal:deploy_template:delete"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
ironic-baremetal_deploy_template_update:
|
||||
key: "baremetal:deploy_template:update"
|
||||
value: "role:admin and system_scope:all"
|
||||
value: "rule:admin_api"
|
||||
|
||||
|
|
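Review bot: `admin_api` is now plain `role:admin` with no scope or project condition (first hunk), and most rules in the later hunks collapse to `rule:admin_api`. Assuming the second `value:` of each pair is the new side, which the 217 → 208 line counts in the second hunk header support, a user holding `admin` on any single project would pass `baremetal:node:delete`, `baremetal:node:update:owner`, `baremetal:node:vendor_passthru` and `baremetal:events:post` for every node, where the replaced values required `system_scope:all`. If that wider grant is intended for stable/wallaby, state it next to the rule, e.g. `# admin_api is unscoped: role:admin on any project grants full baremetal admin`, so operators know to limit who is assigned `admin`. Separately, `baremetal:volume:get` still aliases `rule:baremetal:volume:list_all`, which becomes admin-only here while `baremetal:volume:update` admits owner members, so an owner could update a volume target they cannot read. Several new values are written `"rule:admin_api "` with a trailing space (e.g. `baremetal:node:inject_nmi`, `baremetal:port:create`); trimming them keeps the file consistent and easier to audit with a plain text search.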