openstack-armada-app/enhanced-policies/nova-policy-overrides.yml
Thiago Brito 207ee7e017 RBAC Patch 1: policies and common files
This commit aims to suggest a set of default policies for user
management on stx-openstack. We suggest the creation of the project_admin
and project_readonly roles and provide some policies to fine-tune the
access control over the OpenStack services for those roles, as described
in README.md.

Also, we provide a set of tests to ensure the policies and permissions
are all working as expected on site for the cloud administrators.

Story: 2008910
Task: 42501

Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com>
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Co-authored-by: Miriam Yumi Peixoto <miriam.yumipeixoto@windriver.com>
Co-authored-by: Leonardo Zaccarias <leonardo.zaccarias@windriver.com>
Co-authored-by: Rogerio Oliveira Ferraz <rogeriooliveira.ferraz@windriver.com>
Change-Id: I4040fe9f7be94ea7e0eb208579b2d5aa7579a8b1
2021-06-01 14:00:32 -03:00


conf:
policy:
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
context_is_admin: role:admin
os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-console-output: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner
os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner
os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner
os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner
os_compute_api:os-rescue: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-password: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update_all: rule:admin_or_projectadmin_owner
os_compute_api:os-shelve:shelve: rule:admin_or_projectadmin_owner
os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required
os_compute_api:server-metadata:create: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:delete: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:update: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner
os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:create: rule:admin_or_projectmember_owner
os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner
os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner
os_compute_api:servers:resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:start: rule:admin_or_projectadmin_owner
os_compute_api:servers:stop: rule:admin_or_projectadmin_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner
os_compute_api:servers:update: rule:admin_or_projectadmin_owner
owner: project_id:%(project_id)s
projectadmin_and_owner: rule:projectadmin_required and rule:owner
projectadmin_required: role:project_admin
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
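Review bot: `admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required` is the only composite rule in this file with no `rule:owner` conjunct, and its single use is `os_compute_api:os-volumes-attachments:update`, so any token carrying the `project_admin` role satisfies that check regardless of which project owns the target server. Every other server-scoped action here pairs the role with `rule:owner`; if the omission is unintentional, change the line to `os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_owner` and drop the then-unused alias. Whether a cross-project request would actually reach the attachment code path depends on how Nova scopes instance lookup for non-admin contexts, which is outside this file, so the policy itself should carry the project check rather than rely on that. Upstream Nova has kept this action admin-only in several releases (it covers volume swap), making this the one override that loosens rather than tightens a default; a `# NOTE:` comment above the line recording why project_admin is granted it would help the next reviewer.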