863815153e
As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: I207c02ba71fe60635fd3406c9c9364c11f259bae
4.5 KiB
Policies
Warning
JSON formatted policy file is deprecated since Watcher 6.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Watcher's public API calls may be restricted to certain sets of users using a policy configuration file. This document explains exactly how policies are configured and what they apply to.
A policy is composed of a set of rules that are used in determining if a particular action may be performed by the authorized tenant.
Constructing a Policy Configuration File
A policy configuration file is a simply JSON object that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Watcher API.
The actions that may have a rule enforced on them are:
strategy:get_all,strategy:detail- List available strategiesGET /v1/strategiesGET /v1/strategies/detail
strategy:get- Retrieve a specific strategy entityGET /v1/strategies/<STRATEGY_UUID>GET /v1/strategies/<STRATEGY_NAME>
goal:get_all,goal:detail- List available goalsGET /v1/goalsGET /v1/goals/detail
goal:get- Retrieve a specific goal entityGET /v1/goals/<GOAL_UUID>GET /v1/goals/<GOAL_NAME>
audit_template:get_all,audit_template:detail- List available audit_templatesGET /v1/audit_templatesGET /v1/audit_templates/detail
audit_template:get- Retrieve a specific audit template entityGET /v1/audit_templates/<AUDIT_TEMPLATE_UUID>GET /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:create- Create an audit template entityPOST /v1/audit_templates
audit_template:delete- Delete an audit template entityDELETE /v1/audit_templates/<AUDIT_TEMPLATE_UUID>DELETE /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit_template:update- Update an audit template entityPATCH /v1/audit_templates/<AUDIT_TEMPLATE_UUID>PATCH /v1/audit_templates/<AUDIT_TEMPLATE_NAME>
audit:get_all,audit:detail- List available auditsGET /v1/auditsGET /v1/audits/detail
audit:get- Retrieve a specific audit entityGET /v1/audits/<AUDIT_UUID>
audit:create- Create an audit entityPOST /v1/audits
audit:delete- Delete an audit entityDELETE /v1/audits/<AUDIT_UUID>
audit:update- Update an audit entityPATCH /v1/audits/<AUDIT_UUID>
action_plan:get_all,action_plan:detail- List available action plansGET /v1/action_plansGET /v1/action_plans/detail
action_plan:get- Retrieve a specific action plan entityGET /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:delete- Delete an action plan entityDELETE /v1/action_plans/<ACTION_PLAN_UUID>
action_plan:update- Update an action plan entityPATCH /v1/audits/<ACTION_PLAN_UUID>
action:get_all,action:detail- List available actionGET /v1/actionsGET /v1/actions/detail
action:get- Retrieve a specific action plan entityGET /v1/actions/<ACTION_UUID>
service:get_all,service:detail- List available Watcher servicesGET /v1/servicesGET /v1/services/detail
service:get- Retrieve a specific Watcher service entityGET /v1/services/<SERVICE_ID>
To limit an action to a particular role or roles, you list the roles like so :
{
"audit:create": ["role:admin", "role:superuser"]
}The above would add a rule that only allowed users that had roles of either "admin" or "superuser" to launch an audit.