baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Register rule and apirule into enforcer

Browse Source 
1. We register both apirule and rule into enforcer, so we can keep
the rule in the check_str
2. We re-generate all the services' policy, we just use the original
policy of them. If users want to change, they can change them by
themselves.
3. Adjust the post_install.sh, we install the service packages with
dependencies.
4. Split the ironic and ironic_inspector policy, they can not be in
the same policy file.

Change-Id: I9e152e33be4eef60432fb2030d388b3bec4c082e
This commit is contained in:
zhu.boxiang 2022-05-31 20:21:20 +08:00
parent 32990f9269
commit 32a00a6529
21 changed files with 3318 additions and 7150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
requirements.txt
View File

@ -14,9 +14,9 @@ aiosqlite<=0.17.0 # MIT
loguru<=0.5.3 # MIT
PyYAML>=5.4.1,<=6.0 # MIT
immutables>=0.16 # Apache-2.0
alembic>=1.7.5,<=1.7.7 # MIT
alembic>=1.7.5 # MIT
httpx>=0.16.1 # BSD License (3 clause)
SQLAlchemy>=1.3.24,<=1.4.36 # MIT
SQLAlchemy>=1.3.24 # MIT
PyMySQL>=0.9.3,<=1.0.2 # MIT
dnspython>=2.1.0,<=2.2.1 # ISC
click>=7.1.2,<=8.1.3 # BSD License (3 clause)

47
skyline_apiserver/api/v1/policy.py
View File

@ -14,6 +14,8 @@
from __future__ import annotations
from typing import Dict
from fastapi import APIRouter, Depends, HTTPException, status
from skyline_apiserver import schemas
@ -25,6 +27,41 @@ from skyline_apiserver.schemas import Policies, PoliciesRules, common
router = APIRouter()
def _generate_target(profile: schemas.Profile) -> Dict[str, str]:
return {
"user_id": profile.user.id,
"project_id": profile.project.id,
# trove
"tenant": profile.project.id,
# keystone
"trust.trustor_user_id": profile.user.id,
"target.user.id": profile.user.id,
"target.user.domain_id": profile.user.domain.id,
"target.project.domain_id": profile.project.domain.id,
"target.project.id": profile.project.id,
"target.trust.trustor_user_id": profile.user.id,
"target.trust.trustee_user_id": profile.user.id,
"target.token.user_id": profile.user.id,
"target.domain.id": profile.project.domain.id,
"target.domain_id": profile.project.domain.id,
"target.credential.user_id": profile.user.id,
"target.role.domain_id": profile.project.domain.id,
"target.group.domain_id": profile.project.domain.id,
"target.limit.domain.id": profile.project.domain.id,
"target.limit.project_id": profile.project.domain.id,
"target.limit.project.domain_id": profile.project.domain.id,
# ironic
"allocation.owner": profile.project.id,
"node.lessee": profile.project.id,
"node.owner": profile.project.id,
# glance
"member_id": profile.project.id,
"owner": profile.project.id,
# cinder
"domain_id": profile.project.domain.id,
}
@router.get(
"/policies",
description="List policies and permissions",
@ -43,10 +80,7 @@ async def list_policies(
session = await generate_session(profile)
access = await get_access(session)
user_context = UserContext(access)
target = {
"user_id": profile.user.id,
"project_id": profile.project.id,
}
target = _generate_target(profile)
result = [
{"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)}
for rule in ENFORCER.rules
@ -74,10 +108,7 @@ async def check_policies(
session = await generate_session(profile)
access = await get_access(session)
user_context = UserContext(access)
target = {
"user_id": profile.user.id,
"project_id": profile.project.id,
}
target = _generate_target(profile)
try:
result = [
{"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)}

64
skyline_apiserver/cmd/policy_manager.py
View File

@ -136,33 +136,39 @@ def generate_conf(dir: str, desc: str) -> None:
f.write(f"# {desc}\n\n")
for rule in rules:
rule_yaml = rule.format_into_yaml()
if service in constants.PREFIX_MAPPINGS:
rule_yaml = rule_yaml.replace(constants.PREFIX_MAPPINGS[service], "")
f.writelines(rule_yaml)
LOG.info("Generate policy successful")
@click.command(help="Generate service rule code.")
@click.argument("entry_point")
def generate_rule(entry_point: str) -> None:
ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point)
if ep_rules_func is None:
raise Exception(
f"Not found entry point '{entry_point}' in oslo.policy.policies namespace.",
)
ep_rules = [item for item in ep_rules_func()]
@click.argument("service")
def generate_rule(service: str) -> None:
entry_points = constants.SUPPORTED_SERVICE_EPS.get(service, [])
if not entry_points:
LOG.error(f"Service {service} is not supported.")
return
rules = []
api_rules = []
for rule in ep_rules:
if isinstance(rule, DocumentedRuleDefault):
api_rules.append(APIRule.from_oslo(rule))
elif isinstance(rule, RuleDefault):
rules.append(Rule.from_oslo(rule))
for entry_point in entry_points:
ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point)
if ep_rules_func is None:
raise Exception(
f"Not found entry point '{entry_point}' in oslo.policy.policies namespace.",
)
ep_rules = [item for item in ep_rules_func()]
for rule in ep_rules:
if isinstance(rule, DocumentedRuleDefault):
api_rules.append(APIRule.from_oslo(rule))
elif isinstance(rule, RuleDefault):
rules.append(Rule.from_oslo(rule))
header_str = """\
# flake8: noqa
# fmt: off
header_str = """
from . import base
list_rules = ("""
@ -175,9 +181,7 @@ list_rules = ("""
" description={description},\n"
" ),"
)
rule_mappings = {}
for r in rules:
rule_mappings[f"rule:{r.name}"] = r.check_str
print(
rule_format_str.format(
name=json.dumps(r.name),
@ -196,26 +200,10 @@ list_rules = ("""
" ),"
)
for r in api_rules:
name = constants.PREFIX_MAPPINGS.get(entry_point, "") + r.name
check_str = r.check_str
tries = 0
while "rule:" in check_str:
tries += 1
for k, v in rule_mappings.items():
if k + " " in check_str or check_str.endswith(k):
check_str = check_str.replace(k, f"({v})")
elif "(" + k + ")" in check_str:
check_str = check_str.replace(k, v)
if tries > 10:
raise Exception(f"Can't replace rule name in {r.name}")
# Fix for Trove, replace 'project_id:%(tenant)s' with 'project_id:%(project_id)s'
if entry_point == "trove":
check_str = check_str.replace("project_id:%(tenant)s", "project_id:%(project_id)s")
print(
apirule_format_str.format(
name=json.dumps(name),
check_str=json.dumps(check_str),
name=json.dumps(r.name),
check_str=json.dumps(r.check_str),
description=json.dumps(r.description),
scope_types=json.dumps(r.scope_types),
operations=json.dumps(r.operations),
@ -224,7 +212,7 @@ list_rules = ("""
footer_str = """)
__all__ = ("list_rules",)
__all__ = ("list_rules",)\
"""
print(footer_str)

17
skyline_apiserver/policy/__init__.py
View File

@ -14,9 +14,10 @@
from __future__ import annotations
from oslo_policy import _parser # type: ignore
from .base import Enforcer, UserContext
from .manager import get_service_rules
from .manager.base import APIRule
ENFORCER = Enforcer()
@ -24,8 +25,18 @@ ENFORCER = Enforcer()
def setup() -> None:
service_rules = get_service_rules()
all_api_rules = []
for rules in service_rules.values():
api_rules = [rule for rule in rules if isinstance(rule, APIRule)]
for service, rules in service_rules.items():
api_rules = []
for rule in rules:
# Update rule name with prefix service.
rule.name = f"{service}:{rule.name}"
# Update check
rule.check_str = rule.check_str.replace("rule:", f"rule:{service}:")
rule.check = _parser.parse_rule(rule.check_str)
# Update basic check
rule.basic_check_str = rule.basic_check_str.replace("rule:", f"rule:{service}:")
rule.basic_check = _parser.parse_rule(rule.basic_check_str)
api_rules.append(rule)
all_api_rules.extend(api_rules)
ENFORCER.register_rules(all_api_rules)

972
skyline_apiserver/policy/manager/cinder.py
View File

File diff suppressed because it is too large Load Diff

389
skyline_apiserver/policy/manager/glance.py
View File

@ -1,4 +1,5 @@
# flake8: noqa
# fmt: off
from . import base
@ -28,140 +29,9 @@ list_rules = (
check_str=("role:admin"),
description="No description",
),
base.Rule(
name="get_metadef_namespace",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_namespaces",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_object",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_objects",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="list_metadef_resource_types",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_resource_type",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_property",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_properties",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_tag",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_tags",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="No description",
),
base.APIRule(
name="add_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"),
description="Create new image",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images"}],
@ -169,17 +39,13 @@ list_rules = (
base.APIRule(
name="delete_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Deletes the image",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="get_image",
check_str=(
'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))'
),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Get specified image",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
@ -187,7 +53,6 @@ list_rules = (
base.APIRule(
name="get_images",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Get all available images",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images"}],
@ -195,7 +60,6 @@ list_rules = (
base.APIRule(
name="modify_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Updates given image",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -203,7 +67,6 @@ list_rules = (
base.APIRule(
name="publicize_image",
check_str=("role:admin"),
basic_check_str=("role:admin"),
description="Publicize given image",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -211,17 +74,13 @@ list_rules = (
base.APIRule(
name="communitize_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("!"),
description="Communitize given image",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="download_image",
check_str=(
'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))'
),
basic_check_str=("role:admin or role:admin or role:member"),
check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Downloads given image",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
@ -229,7 +88,6 @@ list_rules = (
base.APIRule(
name="upload_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Uploads data to specified image",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
@ -237,7 +95,6 @@ list_rules = (
base.APIRule(
name="delete_image_location",
check_str=("role:admin"),
basic_check_str=("role:admin"),
description="Deletes the location of given image",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -245,7 +102,6 @@ list_rules = (
base.APIRule(
name="get_image_location",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Reads the location of the image",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
@ -253,7 +109,6 @@ list_rules = (
base.APIRule(
name="set_image_location",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin"),
description="Sets location URI to given image",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -261,7 +116,6 @@ list_rules = (
base.APIRule(
name="add_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Create image member",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
@ -269,31 +123,27 @@ list_rules = (
base.APIRule(
name="delete_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Delete image member",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
),
base.APIRule(
name="get_member",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="Show image member details",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}],
),
base.APIRule(
name="get_members",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="List image members",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}],
),
base.APIRule(
name="modify_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
check_str=("role:admin or (role:member and project_id:%(member_id)s)"),
description="Update image member",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
@ -301,7 +151,6 @@ list_rules = (
base.APIRule(
name="deactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Deactivate image",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
@ -309,7 +158,6 @@ list_rules = (
base.APIRule(
name="reactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Reactivate image",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
@ -317,7 +165,6 @@ list_rules = (
base.APIRule(
name="copy_image",
check_str=("role:admin"),
basic_check_str=("@"),
description="Copy existing image to other stores",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}],
@ -325,7 +172,6 @@ list_rules = (
base.APIRule(
name="get_task",
check_str=("rule:default"),
basic_check_str=("!"),
description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}],
@ -333,7 +179,6 @@ list_rules = (
base.APIRule(
name="get_tasks",
check_str=("rule:default"),
basic_check_str=("!"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/tasks"}],
@ -341,7 +186,6 @@ list_rules = (
base.APIRule(
name="add_task",
check_str=("rule:default"),
basic_check_str=("!"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/tasks"}],
@ -349,7 +193,6 @@ list_rules = (
base.APIRule(
name="modify_task",
check_str=("rule:default"),
basic_check_str=("!"),
description="This policy is not used.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
@ -357,15 +200,219 @@ list_rules = (
base.APIRule(
name="tasks_api_access",
check_str=("role:admin"),
basic_check_str=("!"),
description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v2/tasks/{task_id}"},
{"method": "GET", "path": "/v2/tasks"},
{"method": "POST", "path": "/v2/tasks"},
{"method": "DELETE", "path": "/v2/tasks/{task_id}"},
],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
),
base.APIRule(
name="get_metadef_namespace",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_namespaces",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="List namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Modify an existing namespace.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Create a namespace.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Delete a namespace.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_object",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific object from a namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="get_metadef_objects",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get objects from a namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="Update an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="Create an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="Delete an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="list_metadef_resource_types",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition resource types.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
),
base.APIRule(
name="get_metadef_resource_type",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get meta definition resource types associations.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Create meta definition resource types association.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Delete meta definition resource types association.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
),
base.APIRule(
name="get_metadef_property",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_properties",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition properties.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="Update meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="Create meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="Delete meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_tag",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get tag definition.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="get_metadef_tags",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="Update tag definition.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="Add tag definition.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="Create tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="Delete tag definition.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="Delete tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="cache_image",
check_str=("role:admin"),
description="Queue image for caching",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/cache/{image_id}"}],
),
base.APIRule(
name="cache_list",
check_str=("role:admin"),
description="List cache status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/cache"}],
),
base.APIRule(
name="cache_delete",
check_str=("role:admin"),
description="Delete image(s) from cache and/or queue",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/cache"}, {"method": "DELETE", "path": "/v2/cache/{image_id}"}],
),
base.APIRule(
name="stores_info_detail",
check_str=("role:admin"),
description="Expose store specific information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
),
)

616
skyline_apiserver/policy/manager/heat.py
View File

@ -1,4 +1,5 @@
# flake8: noqa
# fmt: off
from . import base
@ -30,93 +31,67 @@ list_rules = (
),
base.Rule(
name="cloudformation:ListStacks",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:CreateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStacks",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:DeleteStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:UpdateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:CancelUpdateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackEvents",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:ValidateTemplate",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:GetTemplate",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:EstimateTemplateCost",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackResource",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackResources",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
name="cloudformation:ListStackResources",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="No description",
),
base.Rule(
@ -231,783 +206,402 @@ list_rules = (
),
base.APIRule(
name="actions:action",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Create stack snapshot",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:suspend",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Suspend a stack.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:resume",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Resume a suspended stack.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:check",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Check stack resources.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:cancel_update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Cancel stack operation and roll back.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="actions:cancel_without_rollback",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Cancel stack operation without rolling back.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
),
base.APIRule(
name="build_info:build_info",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show build information.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}],
),
base.APIRule(
name="events:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List events.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}],
),
base.APIRule(
name="events:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show event.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}"}],
),
base.APIRule(
name="resource:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List resources.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}],
),
base.APIRule(
name="resource:metadata",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Show resource metadata.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata"}],
),
base.APIRule(
name="resource:signal",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Signal resource.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal",
},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal"}],
),
base.APIRule(
name="resource:mark_unhealthy",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Mark resource as unhealthy.",
scope_types=["system", "project"],
operations=[
{
"method": "PATCH",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}",
},
],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
),
base.APIRule(
name="resource:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show resource.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}"}],
),
base.APIRule(
name="software_configs:global_index",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List configs globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List configs.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:create",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Create config.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show config details.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
),
base.APIRule(
name="software_configs:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Delete config.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
),
base.APIRule(
name="software_deployments:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List deployments.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}],
),
base.APIRule(
name="software_deployments:create",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Create deployment.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
),
base.APIRule(
name="software_deployments:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show deployment details.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
),
base.APIRule(
name="software_deployments:update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Update deployment.",
scope_types=["system", "project"],
operations=[
{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
),
base.APIRule(
name="software_deployments:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Delete deployment.",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
),
base.APIRule(
name="software_deployments:metadata",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Show server configuration metadata.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}"}],
),
base.APIRule(
name="stacks:abandon",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Abandon stack.",
scope_types=["system", "project"],
operations=[
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon",
},
],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
),
base.APIRule(
name="stacks:create",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Create stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Delete stack.",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
),
base.APIRule(
name="stacks:detail",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List stacks in detail.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:export",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Export stack.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
),
base.APIRule(
name="stacks:generate_template",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Generate stack template.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
),
base.APIRule(
name="stacks:global_index",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List stacks globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List stacks.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:list_resource_types",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List resource types.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}],
),
base.APIRule(
name="stacks:list_template_versions",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List template versions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}],
),
base.APIRule(
name="stacks:list_template_functions",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List template functions.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/template_versions/{template_version}/functions",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions/{template_version}/functions"}],
),
base.APIRule(
name="stacks:lookup",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
description="Find stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
),
base.APIRule(
name="stacks:preview",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Preview stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}],
),
base.APIRule(
name="stacks:resource_schema",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show resource type schema.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}],
),
base.APIRule(
name="stacks:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
),
base.APIRule(
name="stacks:template",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack template.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
),
base.APIRule(
name="stacks:environment",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack environment.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment"}],
),
base.APIRule(
name="stacks:files",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Get stack files.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}],
),
base.APIRule(
name="stacks:update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Update stack.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
),
base.APIRule(
name="stacks:update_patch",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Update stack (PATCH).",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
),
base.APIRule(
name="stacks:update_no_change",
check_str=("rule:stacks:update_patch"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack (PATCH) with no changes.",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
),
base.APIRule(
name="stacks:preview_update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Preview update stack.",
scope_types=["system", "project"],
operations=[
{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
),
base.APIRule(
name="stacks:preview_update_patch",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Preview update stack (PATCH).",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
),
base.APIRule(
name="stacks:validate_template",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Validate template.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
),
base.APIRule(
name="stacks:snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Snapshot Stack.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots",
},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
),
base.APIRule(
name="stacks:show_snapshot",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
),
base.APIRule(
name="stacks:delete_snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Delete snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
),
base.APIRule(
name="stacks:list_snapshots",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List snapshots.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
),
base.APIRule(
name="stacks:restore_snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
description="Restore snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore",
},
],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
),
base.APIRule(
name="stacks:list_outputs",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="List outputs.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}],
),
base.APIRule(
name="stacks:show_output",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
description="Show outputs.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}",
},
],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}"}],
),
)

529
skyline_apiserver/policy/manager/ironic.py
View File

File diff suppressed because it is too large Load Diff

106
skyline_apiserver/policy/manager/ironic_inspector.py Normal file
View File

@ -0,0 +1,106 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
base.Rule(
name="is_admin",
check_str=("role:admin or role:administrator or role:baremetal_admin"),
description="Full read/write API access",
),
base.Rule(
name="is_observer",
check_str=("role:baremetal_observer"),
description="Read-only API access",
),
base.Rule(
name="public_api",
check_str=("is_public_api:True"),
description="Internal flag for public API routes",
),
base.Rule(
name="default",
check_str=("!"),
description="Default API access policy",
),
base.APIRule(
name="introspection",
check_str=("rule:public_api"),
description="Access the API root for available versions information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/"}],
),
base.APIRule(
name="introspection:version",
check_str=("rule:public_api"),
description="Access the versioned API root for version information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/{version}"}],
),
base.APIRule(
name="introspection:continue",
check_str=("rule:public_api"),
description="Ramdisk callback to continue introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/continue"}],
),
base.APIRule(
name="introspection:status",
check_str=("role:reader and system_scope:all"),
description="Get introspection status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection"}, {"method": "GET", "path": "/introspection/{node_id}"}],
),
base.APIRule(
name="introspection:start",
check_str=("role:admin and system_scope:all"),
description="Start introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}"}],
),
base.APIRule(
name="introspection:abort",
check_str=("role:admin and system_scope:all"),
description="Abort introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/abort"}],
),
base.APIRule(
name="introspection:data",
check_str=("role:admin and system_scope:all"),
description="Get introspection data",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection/{node_id}/data"}],
),
base.APIRule(
name="introspection:reapply",
check_str=("role:admin and system_scope:all"),
description="Reapply introspection on stored data",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/data/unprocessed"}],
),
base.APIRule(
name="introspection:rule:get",
check_str=("role:admin and system_scope:all"),
description="Get introspection rule(s)",
scope_types=["project"],
operations=[{"method": "GET", "path": "/rules"}, {"method": "GET", "path": "/rules/{rule_id}"}],
),
base.APIRule(
name="introspection:rule:delete",
check_str=("role:admin and system_scope:all"),
description="Delete introspection rule(s)",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/rules"}, {"method": "DELETE", "path": "/rules/{rule_id}"}],
),
base.APIRule(
name="introspection:rule:create",
check_str=("role:admin and system_scope:all"),
description="Create introspection rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/rules"}],
),
)
__all__ = ("list_rules",)

1104
skyline_apiserver/policy/manager/keystone.py
View File

File diff suppressed because it is too large Load Diff

277
skyline_apiserver/policy/manager/magnum.py
View File

@ -1,3 +1,6 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
@ -32,457 +35,445 @@ list_rules = (
description="No description",
),
base.APIRule(
name="magnum:bay:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:create",
check_str=("rule:deny_cluster_user"),
description="Create a new bay.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/bays"}],
),
base.APIRule(
name="magnum:bay:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a bay.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}],
),
base.APIRule(
name="magnum:bay:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays"}],
),
base.APIRule(
name="magnum:bay:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given bay.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}],
),
base.APIRule(
name="magnum:bay:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/"}],
),
base.APIRule(
name="magnum:bay:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="bay:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing bay.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}],
),
base.APIRule(
name="magnum:baymodel:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:create",
check_str=("rule:deny_cluster_user"),
description="Create a new baymodel.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/baymodels"}],
),
base.APIRule(
name="magnum:baymodel:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a baymodel.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}],
),
base.APIRule(
name="magnum:baymodel:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}],
),
base.APIRule(
name="magnum:baymodel:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given baymodel.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}],
),
base.APIRule(
name="magnum:baymodel:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}],
),
base.APIRule(
name="magnum:baymodel:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="baymodel:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing baymodel.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}],
),
base.APIRule(
name="magnum:baymodel:publish",
check_str=("(role:admin)"),
name="baymodel:publish",
check_str=("rule:admin_api"),
description="Publish an existing baymodel.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/baymodels"},
{"method": "PATCH", "path": "/v1/baymodels"},
],
operations=[{"method": "POST", "path": "/v1/baymodels"}, {"method": "PATCH", "path": "/v1/baymodels"}],
),
base.APIRule(
name="magnum:certificate:create",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"),
name="certificate:create",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Sign a new certificate by the CA.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/certificates"}],
),
base.APIRule(
name="magnum:certificate:get",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"),
name="certificate:get",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Retrieve CA information about the given bay/cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
),
base.APIRule(
name="magnum:certificate:rotate_ca",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="certificate:rotate_ca",
check_str=("rule:admin_or_owner"),
description="Rotate the CA certificate on the given bay/cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
),
base.APIRule(
name="magnum:cluster:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:create",
check_str=("rule:deny_cluster_user"),
description="Create a new cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters"}],
),
base.APIRule(
name="magnum:cluster:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a cluster.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:delete_all_projects",
check_str=("(role:admin)"),
name="cluster:delete_all_projects",
check_str=("rule:admin_api"),
description="Delete a cluster from any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}],
),
base.APIRule(
name="magnum:cluster:detail_all_projects",
check_str=("(role:admin)"),
name="cluster:detail_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of clusters with detail across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}],
),
base.APIRule(
name="magnum:cluster:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:get_one_all_projects",
check_str=("(role:admin)"),
name="cluster:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve information about the given cluster across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}],
),
base.APIRule(
name="magnum:cluster:get_all_all_projects",
check_str=("(role:admin)"),
name="cluster:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of all clusters across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}],
),
base.APIRule(
name="magnum:cluster:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:update_health_status",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"),
name="cluster:update_health_status",
check_str=("rule:admin_or_user or rule:cluster_user"),
description="Update the health status of an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:update_all_projects",
check_str=("(role:admin)"),
name="cluster:update_all_projects",
check_str=("rule:admin_api"),
description="Update an existing cluster.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
),
base.APIRule(
name="magnum:cluster:resize",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:resize",
check_str=("rule:deny_cluster_user"),
description="Resize an existing cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}],
),
base.APIRule(
name="magnum:cluster:upgrade",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="cluster:upgrade",
check_str=("rule:deny_cluster_user"),
description="Upgrade an existing cluster.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
),
base.APIRule(
name="magnum:cluster:upgrade_all_projects",
check_str=("(role:admin)"),
name="cluster:upgrade_all_projects",
check_str=("rule:admin_api"),
description="Upgrade an existing cluster across all projects.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
),
base.APIRule(
name="magnum:clustertemplate:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="clustertemplate:create",
check_str=("rule:deny_cluster_user"),
description="Create a new cluster template.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:clustertemplate:delete",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="clustertemplate:delete",
check_str=("rule:admin_or_owner"),
description="Delete a cluster template.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:delete_all_projects",
check_str=("(role:admin)"),
name="clustertemplate:delete_all_projects",
check_str=("rule:admin_api"),
description="Delete a cluster template from any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:detail_all_projects",
check_str=("(role:admin)"),
name="clustertemplate:detail_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates with detail across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:clustertemplate:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="clustertemplate:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:clustertemplate:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="clustertemplate:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster template.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:get_one_all_projects",
check_str=("(role:admin)"),
name="clustertemplate:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve information about the given cluster template across project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="clustertemplate:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:clustertemplate:get_all_all_projects",
check_str=("(role:admin)"),
name="clustertemplate:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:clustertemplate:update",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="clustertemplate:update",
check_str=("rule:admin_or_owner"),
description="Update an existing cluster template.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:update_all_projects",
check_str=("(role:admin)"),
name="clustertemplate:update_all_projects",
check_str=("rule:admin_api"),
description="Update an existing cluster template.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
),
base.APIRule(
name="magnum:clustertemplate:publish",
check_str=("(role:admin)"),
name="clustertemplate:publish",
check_str=("rule:admin_api"),
description="Publish an existing cluster template.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/clustertemplates"},
{"method": "PATCH", "path": "/v1/clustertemplates"},
],
operations=[{"method": "POST", "path": "/v1/clustertemplates"}, {"method": "PATCH", "path": "/v1/clustertemplates"}],
),
base.APIRule(
name="magnum:federation:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:create",
check_str=("rule:deny_cluster_user"),
description="Create a new federation.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/federations"}],
),
base.APIRule(
name="magnum:federation:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:delete",
check_str=("rule:deny_cluster_user"),
description="Delete a federation.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}],
),
base.APIRule(
name="magnum:federation:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:detail",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations with detail.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations"}],
),
base.APIRule(
name="magnum:federation:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:get",
check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given federation.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}],
),
base.APIRule(
name="magnum:federation:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:get_all",
check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/"}],
),
base.APIRule(
name="magnum:federation:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"),
name="federation:update",
check_str=("rule:deny_cluster_user"),
description="Update an existing federation.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}],
),
base.APIRule(
name="magnum:magnum-service:get_all",
check_str=("(role:admin)"),
name="magnum-service:get_all",
check_str=("rule:admin_api"),
description="Retrieve a list of magnum-services.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/mservices"}],
),
base.APIRule(
name="magnum:quota:create",
check_str=("(role:admin)"),
name="quota:create",
check_str=("rule:admin_api"),
description="Create quota.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/quotas"}],
),
base.APIRule(
name="magnum:quota:delete",
check_str=("(role:admin)"),
name="quota:delete",
check_str=("rule:admin_api"),
description="Delete quota for a given project_id and resource.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}],
),
base.APIRule(
name="magnum:quota:get",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="quota:get",
check_str=("rule:admin_or_owner"),
description="Retrieve Quota information for the given project_id.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}],
),
base.APIRule(
name="magnum:quota:get_all",
check_str=("(role:admin)"),
name="quota:get_all",
check_str=("rule:admin_api"),
description="Retrieve a list of quotas.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}],
),
base.APIRule(
name="magnum:quota:update",
check_str=("(role:admin)"),
name="quota:update",
check_str=("rule:admin_api"),
description="Update quota for a given project_id.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}],
),
base.APIRule(
name="magnum:stats:get_all",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="stats:get_all",
check_str=("rule:admin_or_owner"),
description="Retrieve magnum stats.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/stats"}],
),
base.APIRule(
name="magnum:nodegroup:get",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="nodegroup:get",
check_str=("rule:admin_or_owner"),
description="Retrieve information about the given nodegroup.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}],
),
base.APIRule(
name="magnum:nodegroup:get_all",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="nodegroup:get_all",
check_str=("rule:admin_or_owner"),
description="Retrieve a list of nodegroups that belong to a cluster.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
),
base.APIRule(
name="magnum:nodegroup:get_all_all_projects",
check_str=("(role:admin)"),
name="nodegroup:get_all_all_projects",
check_str=("rule:admin_api"),
description="Retrieve a list of nodegroups across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
),
base.APIRule(
name="magnum:nodegroup:get_one_all_projects",
check_str=("(role:admin)"),
name="nodegroup:get_one_all_projects",
check_str=("rule:admin_api"),
description="Retrieve infornation for a given nodegroup.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
),
base.APIRule(
name="magnum:nodegroup:create",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="nodegroup:create",
check_str=("rule:admin_or_owner"),
description="Create a new nodegroup.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
),
base.APIRule(
name="magnum:nodegroup:delete",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="nodegroup:delete",
check_str=("rule:admin_or_owner"),
description="Delete a nodegroup.",
scope_types=["project"],
operations=[
{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
),
base.APIRule(
name="magnum:nodegroup:update",
check_str=("(is_admin:True or project_id:%(project_id)s)"),
name="nodegroup:update",
check_str=("rule:admin_or_owner"),
description="Update an existing nodegroup.",
scope_types=["project"],
operations=[
{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
),
)

1198
skyline_apiserver/policy/manager/manila.py
View File

File diff suppressed because it is too large Load Diff

1810
skyline_apiserver/policy/manager/neutron.py
View File

File diff suppressed because it is too large Load Diff

1232
skyline_apiserver/policy/manager/nova.py
View File

File diff suppressed because it is too large Load Diff

256
skyline_apiserver/policy/manager/octavia.py
View File

@ -1,4 +1,5 @@
# flake8: noqa
# fmt: off
from . import base
@ -55,9 +56,7 @@ list_rules = (
),
base.Rule(
name="load-balancer:read",
check_str=(
"rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
),
check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"),
description="No description",
),
base.Rule(
@ -72,16 +71,12 @@ list_rules = (
),
base.Rule(
name="load-balancer:read-quota",
check_str=(
"rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
),
check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"),
description="No description",
),
base.Rule(
name="load-balancer:read-quota-global",
check_str=(
"rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
),
check_str=("rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"),
description="No description",
),
base.Rule(
@ -92,9 +87,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Flavors",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}],
@ -102,7 +94,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor:post",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create a Flavor",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavors"}],
@ -110,7 +101,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor:put",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update a Flavor",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -118,9 +108,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Flavor details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -128,7 +115,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor:delete",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove a Flavor",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -136,7 +122,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor-profile:get_all",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Flavor Profiles",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles"}],
@ -144,7 +129,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor-profile:post",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create a Flavor Profile",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavorprofiles"}],
@ -152,7 +136,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor-profile:put",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update a Flavor Profile",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
@ -160,7 +143,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor-profile:get_one",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Flavor Profile details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
@ -168,19 +150,13 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:flavor-profile:delete",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove a Flavor Profile",
scope_types=["project"],
operations=[
{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"},
],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Availability Zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}],
@ -188,7 +164,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:availability-zone:post",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create an Availability Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzones"}],
@ -196,39 +171,27 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:availability-zone:put",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update an Availability Zone",
scope_types=["project"],
operations=[
{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Availability Zone details",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone:delete",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove an Availability Zone",
scope_types=["project"],
operations=[
{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_all",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Availability Zones",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
@ -236,7 +199,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:post",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create an Availability Zone",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
@ -244,48 +206,27 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:put",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update an Availability Zone",
scope_types=["project"],
operations=[
{
"method": "PUT",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_one",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Availability Zone details",
scope_types=["project"],
operations=[
{
"method": "GET",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
),
base.APIRule(
name="os_load-balancer_api:availability-zone-profile:delete",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove an Availability Zone",
scope_types=["project"],
operations=[
{
"method": "DELETE",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
),
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Health Monitors of a Pool",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
@ -293,7 +234,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all-global",
check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Health Monitors including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
@ -301,9 +241,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:healthmonitor:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Health Monitor",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}],
@ -311,9 +248,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:healthmonitor:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Health Monitor details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -321,9 +255,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:healthmonitor:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Health Monitor",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -331,9 +262,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:healthmonitor:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Health Monitor",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -341,9 +269,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List L7 Policys",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
@ -351,7 +276,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:get_all-global",
check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List L7 Policys including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
@ -359,9 +283,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a L7 Policy",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}],
@ -369,9 +290,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show L7 Policy details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -379,9 +297,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a L7 Policy",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -389,9 +304,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7policy:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a L7 Policy",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -399,9 +311,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7rule:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List L7 Rules",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
@ -409,9 +318,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7rule:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a L7 Rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
@ -419,45 +325,27 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:l7rule:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show L7 Rule details",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
),
base.APIRule(
name="os_load-balancer_api:l7rule:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a L7 Rule",
scope_types=["project"],
operations=[
{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
),
base.APIRule(
name="os_load-balancer_api:l7rule:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a L7 Rule",
scope_types=["project"],
operations=[
{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
),
base.APIRule(
name="os_load-balancer_api:listener:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Listeners",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
@ -465,7 +353,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:get_all-global",
check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Listeners including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
@ -473,9 +360,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Listener",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}],
@ -483,9 +367,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Listener details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -493,9 +374,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Listener",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -503,9 +381,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Listener",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -513,9 +388,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:listener:get_stats",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Listener statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}],
@ -523,9 +395,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Load Balancers",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
@ -533,7 +402,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all-global",
check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Load Balancers including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
@ -541,9 +409,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Load Balancer",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}],
@ -551,9 +416,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -561,9 +423,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Load Balancer",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -571,9 +430,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Load Balancer",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -581,9 +437,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_stats",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}],
@ -591,31 +444,20 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:loadbalancer:get_status",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer status",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"},
],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}],
),
base.APIRule(
name="os_load-balancer_api:loadbalancer:put_failover",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Failover a Load Balancer",
scope_types=["project"],
operations=[
{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"},
],
operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}],
),
base.APIRule(
name="os_load-balancer_api:member:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Members of a Pool",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}],
@ -623,9 +465,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:member:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Member",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}],
@ -633,9 +472,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:member:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Member details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
@ -643,9 +479,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:member:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Member",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
@ -653,21 +486,13 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:member:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Member",
scope_types=["project"],
operations=[
{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"},
],
operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
),
base.APIRule(
name="os_load-balancer_api:pool:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Pools",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
@ -675,7 +500,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:pool:get_all-global",
check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Pools including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
@ -683,9 +507,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:pool:post",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Pool",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools"}],
@ -693,9 +514,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:pool:get_one",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Pool details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -703,9 +521,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:pool:put",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Pool",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -713,9 +528,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:pool:delete",
check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Pool",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -723,9 +535,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:provider:get_all",
check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List enabled providers",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/providers"}],
@ -733,9 +542,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:get_all",
check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Quotas",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
@ -743,7 +549,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:get_all-global",
check_str=("rule:load-balancer:read-quota-global"),
basic_check_str=("role:admin or role:reader"),
description="List Quotas including resources owned by others",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
@ -751,9 +556,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:get_one",
check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Quota details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -761,7 +563,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:put",
check_str=("rule:load-balancer:write-quota"),
basic_check_str=("role:admin"),
description="Update a Quota",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -769,7 +570,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:delete",
check_str=("rule:load-balancer:write-quota"),
basic_check_str=("role:admin"),
description="Reset a Quota",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -777,9 +577,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:quota:get_defaults",
check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Default Quota for a Project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}],
@ -787,7 +584,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:get_all",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Amphorae",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae"}],
@ -795,7 +591,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:get_one",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Amphora details",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}"}],
@ -803,7 +598,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:delete",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Delete an Amphora",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/octavia/amphorae/{amphora_id}"}],
@ -811,7 +605,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:put_config",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update Amphora Agent Configuration",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/config"}],
@ -819,7 +612,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:put_failover",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Failover Amphora",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/failover"}],
@ -827,7 +619,6 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:amphora:get_stats",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Amphora statistics",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}/stats"}],
@ -835,25 +626,16 @@ list_rules = (
base.APIRule(
name="os_load-balancer_api:provider-flavor:get_all",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List the provider flavor capabilities.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"},
],
operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}],
),
base.APIRule(
name="os_load-balancer_api:provider-availability-zone:get_all",
check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List the provider availability zone capabilities.",
scope_types=["project"],
operations=[
{
"method": "GET",
"path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities",
},
],
operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities"}],
),
)

9
skyline_apiserver/policy/manager/panko.py
View File

@ -1,4 +1,5 @@
# flake8: noqa
# fmt: off
from . import base
@ -11,18 +12,13 @@ list_rules = (
base.APIRule(
name="segregation",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Return the user and project the requestshould be limited to",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/v2/events"},
{"method": "GET", "path": "/v2/events/{message_id}"},
],
operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
),
base.APIRule(
name="telemetry:events:index",
check_str=(""),
basic_check_str=("@"),
description="Return all events matching the query filters.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events"}],
@ -30,7 +26,6 @@ list_rules = (
base.APIRule(
name="telemetry:events:show",
check_str=(""),
basic_check_str=("@"),
description="Return a single event with the given message id.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],

139
skyline_apiserver/policy/manager/placement.py
View File

@ -1,4 +1,5 @@
# flake8: noqa
# fmt: off
from . import base
@ -8,279 +9,253 @@ list_rules = (
check_str=("role:admin"),
description="Default rule for most placement APIs.",
),
base.Rule(
name="system_admin_api",
check_str=("role:admin and system_scope:all"),
description="Default rule for System Admin APIs.",
),
base.Rule(
name="system_reader_api",
check_str=("role:reader and system_scope:all"),
description="Default rule for System level read only APIs.",
),
base.Rule(
name="project_reader_api",
check_str=("role:reader and project_id:%(project_id)s"),
description="Default rule for Project level read only APIs.",
),
base.Rule(
name="system_or_project_reader",
check_str=("rule:system_reader_api or rule:project_reader_api"),
description="Default rule for System+Project read only APIs.",
),
base.APIRule(
name="placement:resource_providers:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource providers.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers"}],
),
base.APIRule(
name="placement:resource_providers:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Create resource provider.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers"}],
),
base.APIRule(
name="placement:resource_providers:show",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="Show resource provider.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}"}],
),
base.APIRule(
name="placement:resource_providers:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update resource provider.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}"}],
),
base.APIRule(
name="placement:resource_providers:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete resource provider.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}"}],
),
base.APIRule(
name="placement:resource_classes:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource classes.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes"}],
),
base.APIRule(
name="placement:resource_classes:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Create resource class.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_classes"}],
),
base.APIRule(
name="placement:resource_classes:show",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="Show resource class.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes/{name}"}],
),
base.APIRule(
name="placement:resource_classes:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update resource class.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_classes/{name}"}],
),
base.APIRule(
name="placement:resource_classes:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete resource class.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_classes/{name}"}],
),
base.APIRule(
name="placement:resource_providers:inventories:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource provider inventories.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories"}],
),
base.APIRule(
name="placement:resource_providers:inventories:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Create one resource provider inventory.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers/{uuid}/inventories"}],
),
base.APIRule(
name="placement:resource_providers:inventories:show",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="Show resource provider inventory.",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"},
],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
),
base.APIRule(
name="placement:resource_providers:inventories:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update resource provider inventory.",
scope_types=["system"],
operations=[
{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"},
{"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"},
],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
),
base.APIRule(
name="placement:resource_providers:inventories:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete resource provider inventory.",
scope_types=["system"],
operations=[
{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"},
{
"method": "DELETE",
"path": "/resource_providers/{uuid}/inventories/{resource_class}",
},
],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
),
base.APIRule(
name="placement:resource_providers:aggregates:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource provider aggregates.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/aggregates"}],
),
base.APIRule(
name="placement:resource_providers:aggregates:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update resource provider aggregates.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/aggregates"}],
),
base.APIRule(
name="placement:resource_providers:usages",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource provider usages.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/usages"}],
),
base.APIRule(
name="placement:usages",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_or_project_reader"),
description="List total resource usages for a given project.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/usages"}],
),
base.APIRule(
name="placement:traits:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List traits.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/traits"}],
),
base.APIRule(
name="placement:traits:show",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="Show trait.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/traits/{name}"}],
),
base.APIRule(
name="placement:traits:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update trait.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/traits/{name}"}],
),
base.APIRule(
name="placement:traits:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete trait.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/traits/{name}"}],
),
base.APIRule(
name="placement:resource_providers:traits:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource provider traits.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/traits"}],
),
base.APIRule(
name="placement:resource_providers:traits:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update resource provider traits.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/traits"}],
),
base.APIRule(
name="placement:resource_providers:traits:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete resource provider traits.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/traits"}],
),
base.APIRule(
name="placement:allocations:manage",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Manage allocations.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/allocations"}],
),
base.APIRule(
name="placement:allocations:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List allocations.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/allocations/{consumer_uuid}"}],
),
base.APIRule(
name="placement:allocations:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Update allocations.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/allocations/{consumer_uuid}"}],
),
base.APIRule(
name="placement:allocations:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Delete allocations.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/allocations/{consumer_uuid}"}],
),
base.APIRule(
name="placement:resource_providers:allocations:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List resource provider allocations.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/allocations"}],
),
base.APIRule(
name="placement:allocation_candidates:list",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
check_str=("rule:system_reader_api"),
description="List allocation candidates.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/allocation_candidates"}],
),
base.APIRule(
name="placement:reshaper:reshape",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
check_str=("rule:system_admin_api"),
description="Reshape Inventory and Allocations.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/reshaper"}],

1368
skyline_apiserver/policy/manager/trove.py
View File

File diff suppressed because it is too large Load Diff

300
skyline_apiserver/policy/manager/zun.py
View File

@ -1,3 +1,6 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
@ -22,593 +25,546 @@ list_rules = (
description="Default rule for deny everybody.",
),
base.APIRule(
name="zun:container:create",
name="container:create",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:create:runtime",
check_str=("(role:admin)"),
name="container:create:runtime",
check_str=("rule:context_is_admin"),
description="Create a new container with specified runtime.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:create:privileged",
check_str=("(!)"),
description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature", # noqa
name="container:create:privileged",
check_str=("rule:deny_everybody"),
description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:create:requested_destination",
check_str=("(role:admin)"),
name="container:create:requested_destination",
check_str=("rule:context_is_admin"),
description="Create a container on the requested compute host.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:create:image_pull_policy",
check_str=("(role:admin)"),
name="container:create:image_pull_policy",
check_str=("rule:context_is_admin"),
description="Create a new container with specified image pull policy.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:delete",
name="container:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:delete_all_projects",
check_str=("(role:admin)"),
name="container:delete_all_projects",
check_str=("rule:context_is_admin"),
description="Delete a container from all projects.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:delete_force",
check_str=("(role:admin)"),
name="container:delete_force",
check_str=("rule:context_is_admin"),
description="Forcibly delete a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one",
name="container:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one:host",
check_str=("(role:admin)"),
name="container:get_one:host",
check_str=("rule:context_is_admin"),
description="Retrieve the host field of containers.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one:image_pull_policy",
check_str=("(role:admin)"),
name="container:get_one:image_pull_policy",
check_str=("rule:context_is_admin"),
description="Retrieve the image_pull_policy field of containers.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one:privileged",
check_str=("(role:admin)"),
name="container:get_one:privileged",
check_str=("rule:context_is_admin"),
description="Retrieve the privileged field of containers.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one:runtime",
check_str=("(role:admin)"),
name="container:get_one:runtime",
check_str=("rule:context_is_admin"),
description="Retrieve the runtime field of containers.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_one_all_projects",
check_str=("(role:admin)"),
name="container:get_one_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific container from all projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:get_all",
name="container:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:get_all_all_projects",
check_str=("(role:admin)"),
name="container:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of all containers across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:container:update",
name="container:update",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a container.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
),
base.APIRule(
name="zun:container:start",
name="container:start",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Start a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}],
),
base.APIRule(
name="zun:container:stop",
name="container:stop",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Stop a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}],
),
base.APIRule(
name="zun:container:reboot",
name="container:reboot",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Reboot a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}],
),
base.APIRule(
name="zun:container:pause",
name="container:pause",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Pause a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}],
),
base.APIRule(
name="zun:container:unpause",
name="container:unpause",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Unpause a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}],
),
base.APIRule(
name="zun:container:logs",
name="container:logs",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get the log of a container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}],
),
base.APIRule(
name="zun:container:execute",
name="container:execute",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Execute command in a running container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}],
),
base.APIRule(
name="zun:container:execute_resize",
name="container:execute_resize",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize the TTY used by an execute command.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}],
),
base.APIRule(
name="zun:container:kill",
name="container:kill",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Kill a running container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}],
),
base.APIRule(
name="zun:container:rename",
name="container:rename",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rename a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}],
),
base.APIRule(
name="zun:container:attach",
name="container:attach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach to a running container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}],
),
base.APIRule(
name="zun:container:resize",
name="container:resize",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}],
),
base.APIRule(
name="zun:container:top",
name="container:top",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the running processes inside the container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}],
),
base.APIRule(
name="zun:container:get_archive",
name="container:get_archive",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get a tar archive of a path of container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}],
),
base.APIRule(
name="zun:container:put_archive",
name="container:put_archive",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Put a tar archive to be extracted to a path of container",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}],
),
base.APIRule(
name="zun:container:stats",
name="container:stats",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the statistics of a container",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}],
),
base.APIRule(
name="zun:container:commit",
name="container:commit",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Commit a container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}],
),
base.APIRule(
name="zun:container:add_security_group",
name="container:add_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Add a security group to a specific container.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}],
),
base.APIRule(
name="zun:container:network_detach",
name="container:network_detach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Detach a network from a container.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}],
),
base.APIRule(
name="zun:container:network_attach",
name="container:network_attach",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach a network from a container.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}],
),
base.APIRule(
name="zun:container:remove_security_group",
name="container:remove_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Remove security group from a specific container.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}],
),
base.APIRule(
name="zun:container:rebuild",
name="container:rebuild",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rebuild a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}],
),
base.APIRule(
name="zun:container:resize_container",
name="container:resize_container",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize an existing container.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}
],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}],
),
base.APIRule(
name="zun:image:pull",
check_str=("(role:admin)"),
name="image:pull",
check_str=("rule:context_is_admin"),
description="Pull an image.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/images"}],
),
base.APIRule(
name="zun:image:get_all",
check_str=("(role:admin)"),
name="image:get_all",
check_str=("rule:context_is_admin"),
description="Print a list of available images.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images"}],
),
base.APIRule(
name="zun:image:get_one",
check_str=("(role:admin)"),
name="image:get_one",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific image.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_id}"}],
),
base.APIRule(
name="zun:image:search",
name="image:search",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Search an image.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}],
),
base.APIRule(
name="zun:image:delete",
check_str=("(role:admin)"),
name="image:delete",
check_str=("rule:context_is_admin"),
description="Delete an image.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}],
),
base.APIRule(
name="zun:zun-service:delete",
check_str=("(role:admin)"),
name="zun-service:delete",
check_str=("rule:context_is_admin"),
description="Delete a service.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/services"}],
),
base.APIRule(
name="zun:zun-service:disable",
check_str=("(role:admin)"),
name="zun-service:disable",
check_str=("rule:context_is_admin"),
description="Disable a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/disable"}],
),
base.APIRule(
name="zun:zun-service:enable",
check_str=("(role:admin)"),
name="zun-service:enable",
check_str=("rule:context_is_admin"),
description="Enable a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/enable"}],
),
base.APIRule(
name="zun:zun-service:force_down",
check_str=("(role:admin)"),
name="zun-service:force_down",
check_str=("rule:context_is_admin"),
description="Forcibly shutdown a service.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/force_down"}],
),
base.APIRule(
name="zun:zun-service:get_all",
check_str=("(role:admin)"),
name="zun-service:get_all",
check_str=("rule:context_is_admin"),
description="Show the status of a service.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/services"}],
),
base.APIRule(
name="zun:host:get_all",
check_str=("(role:admin)"),
name="host:get_all",
check_str=("rule:context_is_admin"),
description="List all compute hosts.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts"}],
),
base.APIRule(
name="zun:host:get",
check_str=("(role:admin)"),
name="host:get",
check_str=("rule:context_is_admin"),
description="Show the details of a specific compute host.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}],
),
base.APIRule(
name="zun:capsule:create",
name="capsule:create",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a capsule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/capsules/"}],
),
base.APIRule(
name="zun:capsule:delete",
name="capsule:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a capsule",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
),
base.APIRule(
name="zun:capsule:delete_all_projects",
check_str=("(role:admin)"),
name="capsule:delete_all_projects",
check_str=("rule:context_is_admin"),
description="Delete a container in any project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
),
base.APIRule(
name="zun:capsule:get",
name="capsule:get",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a capsule.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
),
base.APIRule(
name="zun:capsule:get:host",
check_str=("(role:admin)"),
name="capsule:get:host",
check_str=("rule:context_is_admin"),
description="Retrieve the host field of a capsule.",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/capsules/{capsule_ident}"},
{"method": "GET", "path": "/v1/capsules"},
{"method": "POST", "path": "/v1/capsules"},
],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}, {"method": "GET", "path": "/v1/capsules"}, {"method": "POST", "path": "/v1/capsules"}],
),
base.APIRule(
name="zun:capsule:get_one_all_projects",
check_str=("(role:admin)"),
name="capsule:get_one_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of a capsule in any project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
),
base.APIRule(
name="zun:capsule:get_all",
name="capsule:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List all capsules.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}],
),
base.APIRule(
name="zun:capsule:get_all_all_projects",
check_str=("(role:admin)"),
name="capsule:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="List all capsules across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}],
),
base.APIRule(
name="zun:network:attach_external_network",
name="network:attach_external_network",
check_str=("role:admin"),
description="Attach an unshared external network to a container",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="zun:network:create",
name="network:create",
check_str=("role:admin"),
description="Create a network",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/networks"}],
),
base.APIRule(
name="zun:network:delete",
name="network:delete",
check_str=("role:admin"),
description="Delete a network",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/networks"}],
),
base.APIRule(
name="zun:container:actions",
name="container:actions",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List actions and show action details for a container",
scope_types=["project"],
operations=[
{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"},
{
"method": "GET",
"path": "/v1/containers/{container_ident}/container_actions/{request_id}",
},
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"}, {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
),
base.APIRule(
name="zun:container:action:events",
check_str=("(role:admin)"),
name="container:action:events",
check_str=("rule:context_is_admin"),
description="Add events details in action details for a container.",
scope_types=["project"],
operations=[
{
"method": "GET",
"path": "/v1/containers/{container_ident}/container_actions/{request_id}",
}
],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
),
base.APIRule(
name="zun:availability_zones:get_all",
name="availability_zones:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="List availability zone",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/availability_zones"}],
),
base.APIRule(
name="zun:quota:update",
check_str=("(role:admin)"),
name="quota:update",
check_str=("rule:context_is_admin"),
description="Update quotas for a project",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}],
),
base.APIRule(
name="zun:quota:delete",
check_str=("(role:admin)"),
name="quota:delete",
check_str=("rule:context_is_admin"),
description="Delete quotas for a project",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}],
),
base.APIRule(
name="zun:quota:get",
name="quota:get",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get quotas for a project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}],
),
base.APIRule(
name="zun:quota:get_default",
name="quota:get_default",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get default quotas for a project",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/defaults"}],
),
base.APIRule(
name="zun:quota_class:update",
check_str=("(role:admin)"),
name="quota_class:update",
check_str=("rule:context_is_admin"),
description="Update quotas for specific quota class",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}],
),
base.APIRule(
name="zun:quota_class:get",
check_str=("(role:admin)"),
name="quota_class:get",
check_str=("rule:context_is_admin"),
description="List quotas for specific quota class",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}],
),
base.APIRule(
name="zun:registry:create",
name="registry:create",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new registry.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/registries"}],
),
base.APIRule(
name="zun:registry:delete",
name="registry:delete",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a registry.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}],
),
base.APIRule(
name="zun:registry:get_one",
name="registry:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific registry.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}],
),
base.APIRule(
name="zun:registry:get_all",
name="registry:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all registries.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}],
),
base.APIRule(
name="zun:registry:get_all_all_projects",
check_str=("(role:admin)"),
name="registry:get_all_all_projects",
check_str=("rule:context_is_admin"),
description="Retrieve the details of all registries across projects.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}],
),
base.APIRule(
name="zun:registry:update",
name="registry:update",
check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a registry.",
scope_types=["project"],

8
skyline_apiserver/types/constants.py
View File

@ -48,10 +48,12 @@ SUPPORTED_SERVICE_EPS = {
"cinder": ["cinder"],
"glance": ["glance"],
"heat": ["heat"],
"ironic": ["ironic.api", "ironic_inspector.api"],
"ironic": ["ironic.api"],
"ironic_inspector": ["ironic_inspector.api"],
"keystone": ["keystone"],
"neutron": ["neutron", "neutron-vpnaas"],
"magnum": ["magnum"],
"manila": ["manila"],
"neutron": ["neutron", "neutron-vpnaas"],
"nova": ["nova"],
"octavia": ["octavia"],
"panko": ["panko"],
@ -59,5 +61,3 @@ SUPPORTED_SERVICE_EPS = {
"trove": ["trove"],
"zun": ["zun"],
}
PREFIX_MAPPINGS = {"trove": "trove:", "manila": "manila:", "zun": "zun:"}

23
tools/post_install.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash
# Install openstack service package
pip install --no-deps \
pip install -U \
keystone \
openstack-placement \
nova \
@ -10,25 +10,10 @@ pip install --no-deps \
trove \
neutron neutron-vpnaas \
openstack-heat \
ironic-lib ironic ironic-inspector \
octavia-lib octavia \
ironic \
ironic-inspector \
octavia \
panko \
manila \
magnum \
zun
# Patch cinder
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/cinder/__init__.py"
sed -i 's/\(.*eventlet.*\)/# \1/g' $patch_path
# Patch neutron
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/neutron/conf/policies/floatingip_pools.py"
sed -i 's/admin/system/g' $patch_path
# Patch ironic
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic/common/policy.py"
sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path
# Patch ironic_inspector
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic_inspector/policy.py"
sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path