Use policy-generator to generate policy sample file
This change avoids having to maintain the policy.sample file by hand on every policy change. Change-Id: Ia460a5e3c44f1d9306866414edced53d29559d36
parent
acdb81876b
commit
f7b9a2a5b3
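--- a/etc/mogan/README.policy.json.txt
+++ b/etc/mogan/README.policy.json.txt
@@ -0,0 +1,4 @@
+To generate the sample policy.json file, run the following command from the top
+level of the mogan directory:
+
+tox -egenpolicy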
@ -1,38 +0,0 @@
|
|||||||
# Legacy rule for cloud admin access
|
|
||||||
"admin_api": "role:admin or role:administrator"
|
|
||||||
# Internal flag for public API routes
|
|
||||||
"public_api": "is_public_api:True"
|
|
||||||
# Show or mask secrets within instance information in API responses
|
|
||||||
"show_instance_secrets": "!"
|
|
||||||
# any access will be passed
|
|
||||||
"allow": "@"
|
|
||||||
# all access will be forbidden
|
|
||||||
"deny": "!"
|
|
||||||
# Full read/write API access
|
|
||||||
"is_admin": "rule:admin_api or (rule:is_member and role:mogan_admin)"
|
|
||||||
# Admin or owner API access
|
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
|
|
||||||
# Admin or user API access
|
|
||||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s"
|
|
||||||
# Default API access rule
|
|
||||||
"default": "rule:admin_or_owner"
|
|
||||||
# Retrieve Instance records
|
|
||||||
"mogan:instance:get": "rule:default"
|
|
||||||
# View Instance power and provision state
|
|
||||||
"mogan:instance:get_states": "rule:default"
|
|
||||||
# Create Instance records
|
|
||||||
"mogan:instance:create": "rule:allow"
|
|
||||||
# Delete Instance records
|
|
||||||
"mogan:instance:delete": "rule:default"
|
|
||||||
# Update Instance records
|
|
||||||
"mogan:instance:update": "rule:default"
|
|
||||||
# Start an instance
|
|
||||||
"mogan:instance:set_power_state:on": "rule:default"
|
|
||||||
# Stop an instance
|
|
||||||
"mogan:instance:set_power_state:off": "rule:default"
|
|
||||||
# Reboot an instance
|
|
||||||
"mogan:instance:set_power_state:reboot": "rule:default"
|
|
||||||
# Get Instance network information
|
|
||||||
"mogan:instance:get_networks": "rule:default"
|
|
||||||
# Associate floating IP to instance
|
|
||||||
"mogan:instance:associate_floatingip": "rule:default"
|
|
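--- a/tools/config/mogan-policy-generator.conf
+++ b/tools/config/mogan-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/mogan/policy.json.sample
+namespace = mogan.api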
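Review bot: The new config file has no header comment saying which tool reads it or what `output_file` is relative to, so the relative path `etc/mogan/policy.json.sample` only works when the generator is started from the repository root. I would add two comment lines above `[DEFAULT]`: `# Read by oslopolicy-sample-generator (see the genpolicy environment in tox.ini).` and `# output_file is relative to the working directory; run from the top of the mogan tree.` It may also be worth one more comment stating that the output lists the in-code default rules registered under `mogan.api` and is a sample, not the policy file a deployment enforces.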
2
tox.ini
2
tox.ini
@ -72,7 +72,7 @@ commands =
|
|||||||
sitepackages = False
|
sitepackages = False
|
||||||
envdir = {toxworkdir}/venv
|
envdir = {toxworkdir}/venv
|
||||||
commands =
|
commands =
|
||||||
oslopolicy-sample-generator --namespace=mogan.api --output-file=etc/mogan/policy.json.sample
|
oslopolicy-sample-generator --config-file=tools/config/mogan-policy-generator.conf
|
||||||
|
|
||||||
[testenv:api-ref]
|
[testenv:api-ref]
|
||||||
# This environment is called from CI scripts to test and publish
|
# This environment is called from CI scripts to test and publish
|
||||||
|
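Review bot: With the sample now produced by `oslopolicy-sample-generator --config-file=tools/config/mogan-policy-generator.conf`, nothing visible in this commit stops a locally generated `etc/mogan/policy.json.sample` from being committed again and going stale. If `.gitignore` does not already cover it, add the line `etc/mogan/policy.json.sample` there. Since the tracked sample was where permissive defaults such as `"mogan:instance:create": "rule:allow"` were visible in review, a short comment above `commands =` pointing to where the default rules are defined in code would help reviewers find them. The environment header for this `commands =` block lies above the hunk, so I am assuming it is the genpolicy environment named in the new README.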