diff --git a/skyline_apiserver/policy/manager/neutron.py b/skyline_apiserver/policy/manager/neutron.py
index 44a8d57..0b24ed9 100644
--- a/skyline_apiserver/policy/manager/neutron.py
+++ b/skyline_apiserver/policy/manager/neutron.py
@@ -86,7 +86,7 @@ list_rules = (
 ),
 base.Rule(
 name="get_flavor_service_profile",
- check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
+ check_str=("(rule:admin_only) or (role:reader and project_id:%(project_id)s)"),
 description="Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.",
 ),
 base.Rule(
@@ -175,77 +175,77 @@ list_rules = (
 ),
 base.APIRule(
 name="get_agent",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get an agent",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/agents"}, {"method": "GET", "path": "/agents/{id}"}],
 ),
 base.APIRule(
 name="update_agent",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update an agent",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/agents/{id}"}],
 ),
 base.APIRule(
 name="delete_agent",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete an agent",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/agents/{id}"}],
 ),
 base.APIRule(
 name="create_dhcp-network",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Add a network to a DHCP agent",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/agents/{agent_id}/dhcp-networks"}],
 ),
 base.APIRule(
 name="get_dhcp-networks",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="List networks on a DHCP agent",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/agents/{agent_id}/dhcp-networks"}],
 ),
 base.APIRule(
 name="delete_dhcp-network",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Remove a network from a DHCP agent",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/agents/{agent_id}/dhcp-networks/{network_id}"}],
 ),
 base.APIRule(
 name="create_l3-router",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Add a router to an L3 agent",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/agents/{agent_id}/l3-routers"}],
 ),
 base.APIRule(
 name="get_l3-routers",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="List routers on an L3 agent",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/agents/{agent_id}/l3-routers"}],
 ),
 base.APIRule(
 name="delete_l3-router",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Remove a router from an L3 agent",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/agents/{agent_id}/l3-routers/{router_id}"}],
 ),
 base.APIRule(
 name="get_dhcp-agents",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="List DHCP agents hosting a network",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/networks/{network_id}/dhcp-agents"}],
 ),
 base.APIRule(
 name="get_l3-agents",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="List L3 agents hosting a router",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/routers/{router_id}/l3-agents"}],
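Review bot: `rule:admin_only` replaces `role:admin and system_scope:all` on rules that still declare `scope_types=["system"]`, so from `get_agent` onward the check string itself no longer requires a system-scoped token; the same pattern recurs in the hunks at -266, -490, -770, -1274 and -1540. The definition of `admin_only` is not part of this diff; if it resolves to a plain admin-role check, a project-scoped admin satisfies these rules whenever scope enforcement is not active in the deployment. Read rules such as `get_agent` and `get_l3-routers` also move from `role:reader` to admin, which a system reader will experience as lost access. I would add a comment above the first converted rule recording both facts, e.g. `# admin_only is defined in <file defining admin_only>; system scope is enforced via scope_types, not check_str`.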
@@ -266,77 +266,77 @@ list_rules = (
 ),
 base.APIRule(
 name="get_availability_zone",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="List availability zones",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/availability_zones"}],
 ),
 base.APIRule(
 name="create_flavor",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Create a flavor",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/flavors"}],
 ),
 base.APIRule(
 name="get_flavor",
- check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
+ check_str=("(rule:admin_only) or (role:reader and project_id:%(project_id)s)"),
 description="Get a flavor",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/flavors"}, {"method": "GET", "path": "/flavors/{id}"}],
 ),
 base.APIRule(
 name="update_flavor",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update a flavor",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/flavors/{id}"}],
 ),
 base.APIRule(
 name="delete_flavor",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete a flavor",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/flavors/{id}"}],
 ),
 base.APIRule(
 name="create_service_profile",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Create a service profile",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/service_profiles"}],
 ),
 base.APIRule(
 name="get_service_profile",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get a service profile",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/service_profiles"}, {"method": "GET", "path": "/service_profiles/{id}"}],
 ),
 base.APIRule(
 name="update_service_profile",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update a service profile",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/service_profiles/{id}"}],
 ),
 base.APIRule(
 name="delete_service_profile",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete a service profile",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/service_profiles/{id}"}],
 ),
 base.APIRule(
 name="create_flavor_service_profile",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Associate a flavor with a service profile",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/flavors/{flavor_id}/service_profiles"}],
 ),
 base.APIRule(
 name="delete_flavor_service_profile",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Disassociate a flavor with a service profile",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/flavors/{flavor_id}/service_profiles/{profile_id}"}],
@@ -490,35 +490,35 @@ list_rules = (
 ),
 base.APIRule(
 name="get_loggable_resource",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get loggable resources",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/log/loggable-resources"}],
 ),
 base.APIRule(
 name="create_log",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Create a network log",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/log/logs"}],
 ),
 base.APIRule(
 name="get_log",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get a network log",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/log/logs"}, {"method": "GET", "path": "/log/logs/{id}"}],
 ),
 base.APIRule(
 name="update_log",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update a network log",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/log/logs/{id}"}],
 ),
 base.APIRule(
 name="delete_log",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete a network log",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/log/logs/{id}"}],
@@ -770,35 +770,35 @@ list_rules = (
 ),
 base.APIRule(
 name="get_network_ip_availability",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get network IP availability",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/network-ip-availabilities"}, {"method": "GET", "path": "/network-ip-availabilities/{network_id}"}],
 ),
 base.APIRule(
 name="create_network_segment_range",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Create a network segment range",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/network_segment_ranges"}],
 ),
 base.APIRule(
 name="get_network_segment_range",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get a network segment range",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/network_segment_ranges"}, {"method": "GET", "path": "/network_segment_ranges/{id}"}],
 ),
 base.APIRule(
 name="update_network_segment_range",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update a network segment range",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/network_segment_ranges/{id}"}],
 ),
 base.APIRule(
 name="delete_network_segment_range",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete a network segment range",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/network_segment_ranges/{id}"}],
@@ -813,7 +813,7 @@ list_rules = (
 base.APIRule(
 name="create_port:device_owner",
 check_str=("not rule:network_device or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"),
- description="Specify ``device_owner`` attribute when creting a port",
+ description="Specify ``device_owner`` attribute when creating a port",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/ports"}],
 ),
@@ -1071,7 +1071,7 @@ list_rules = (
 ),
 base.APIRule(
 name="get_rule_type",
- check_str=("role:admin or role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get available QoS rule types",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/qos/rule-types"}, {"method": "GET", "path": "/qos/rule-types/{rule_type}"}],
@@ -1274,21 +1274,21 @@ list_rules = (
 ),
 base.APIRule(
 name="get_quota",
- check_str=("role:reader and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Get a resource quota",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/quota"}, {"method": "GET", "path": "/quota/{id}"}],
 ),
 base.APIRule(
 name="update_quota",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Update a resource quota",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/quota/{id}"}],
 ),
 base.APIRule(
 name="delete_quota",
- check_str=("role:admin and system_scope:all"),
+ check_str=("rule:admin_only"),
 description="Delete a resource quota",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/quota/{id}"}],
@@ -1540,28 +1540,28 @@ list_rules = ( ), base.APIRule( name="create_segment", - check_str=("role:admin and system_scope:all"), + check_str=("rule:admin_only"), description="Create a segment", scope_types=["system"], operations=[{"method": "POST", "path": "/segments"}], ), base.APIRule( name="get_segment", - check_str=("role:reader and system_scope:all"), + check_str=("rule:admin_only"), description="Get a segment", scope_types=["system"], operations=[{"method": "GET", "path": "/segments"}, {"method": "GET", "path": "/segments/{id}"}], ), base.APIRule( name="update_segment", - check_str=("role:admin and system_scope:all"), + check_str=("rule:admin_only"), description="Update a segment", scope_types=["system"], operations=[{"method": "PUT", "path": "/segments/{id}"}], ), base.APIRule( name="delete_segment", - check_str=("role:admin and system_scope:all"), + check_str=("rule:admin_only"), description="Delete a segment", scope_types=["system"], operations=[{"method": "DELETE", "path": "/segments/{id}"}], diff --git a/tools/post_install.sh b/tools/post_install.sh index c73405f..23c0baa 100755 --- a/tools/post_install.sh +++ b/tools/post_install.sh @@ -1,19 +1,33 @@ #!/usr/bin/env bash -# Install openstack service package -pip install -U \ - keystone \ - openstack-placement \ +set -ex + +# Some projects have been DEPRECATED. +# panko: https://opendev.org/openstack/panko +INSTALL_DEPRECATED_PROJECTS="panko" + +INSTALL_PROJECTS="keystone \ + placement \ nova \ cinder \ glance \ trove \ neutron neutron-vpnaas \ - openstack-heat \ + heat \ ironic \ ironic-inspector \ octavia \ - panko \ manila \ magnum \ - zun + zun" +BRANCH=`git rev-parse --abbrev-ref HEAD` + +for project in ${INSTALL_PROJECTS} +do + pip install -U git+https://opendev.org/openstack/${project}@${BRANCH} +done + +for deprecated_project in ${INSTALL_DEPRECATED_PROJECTS} +do + pip install -U ${deprecated_project} +done
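Review bot: `BRANCH` is read from the local checkout with `git rev-parse --abbrev-ref HEAD` and then used as the ref in every `pip install -U git+https://opendev.org/openstack/${project}@${BRANCH}`, so what gets installed depends on the state of the working tree. On a detached checkout, which is common in CI, that command prints `HEAD`, and pip would then most likely install each service's default branch rather than the matching stable branch; on a local feature branch the ref will not exist upstream and `set -e` aborts the run. These are moving branch tips with no constraints file or commit pin, so the installed code, and presumably any policy output derived from it, is not reproducible between runs. I would let the caller set the ref and reject the detached case with `BRANCH="${BRANCH:-$(git rev-parse --abbrev-ref HEAD)}"` followed by `[ "${BRANCH}" != "HEAD" ] || { echo "set BRANCH explicitly" >&2; exit 1; }`, and quote `"${project}"` and `"${BRANCH}"` in the pip line.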