diff --git a/requirements.txt b/requirements.txt index d4ff1bc..807c61c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -14,9 +14,9 @@ aiosqlite<=0.17.0 # MIT loguru<=0.5.3 # MIT PyYAML>=5.4.1,<=6.0 # MIT immutables>=0.16 # Apache-2.0 -alembic>=1.7.5,<=1.7.7 # MIT +alembic>=1.7.5 # MIT httpx>=0.16.1 # BSD License (3 clause) -SQLAlchemy>=1.3.24,<=1.4.36 # MIT +SQLAlchemy>=1.3.24 # MIT PyMySQL>=0.9.3,<=1.0.2 # MIT dnspython>=2.1.0,<=2.2.1 # ISC click>=7.1.2,<=8.1.3 # BSD License (3 clause) diff --git a/skyline_apiserver/api/v1/policy.py b/skyline_apiserver/api/v1/policy.py index 418fc0b..a1c6158 100644 --- a/skyline_apiserver/api/v1/policy.py +++ b/skyline_apiserver/api/v1/policy.py @@ -14,6 +14,8 @@ from __future__ import annotations +from typing import Dict + from fastapi import APIRouter, Depends, HTTPException, status from skyline_apiserver import schemas 
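Review bot: Removing the ceilings on `alembic` and `SQLAlchemy` (`alembic>=1.7.5`, `SQLAlchemy>=1.3.24`) lets a fresh install resolve whatever release is newest, while most neighbouring entries (`PyYAML`, `PyMySQL`, `dnspython`, `click`) keep an upper bound, so this is a deliberate exception that deserves a stated reason. SQLAlchemy has a 2.0 major line with API changes that 1.3/1.4-era code is not guaranteed to survive, and alembic tracks SQLAlchemy closely, so an open range makes a future CI or production build pick up that break silently rather than at review time. Keep a ceiling that reflects what was actually tested, e.g. `SQLAlchemy>=1.3.24,<2.0  # MIT` and `alembic>=1.7.5,<2.0  # MIT`, or pin exact versions in a constraints/lock file so that resolution is reproducible and any bump is a visible diff.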
@@ -25,6 +27,41 @@ from skyline_apiserver.schemas import Policies, PoliciesRules, common router = APIRouter() +def _generate_target(profile: schemas.Profile) -> Dict[str, str]: + return { + "user_id": profile.user.id, + "project_id": profile.project.id, + # trove + "tenant": profile.project.id, + # keystone + "trust.trustor_user_id": profile.user.id, + "target.user.id": profile.user.id, + "target.user.domain_id": profile.user.domain.id, + "target.project.domain_id": profile.project.domain.id, + "target.project.id": profile.project.id, + "target.trust.trustor_user_id": profile.user.id, + "target.trust.trustee_user_id": profile.user.id, + "target.token.user_id": profile.user.id, + "target.domain.id": profile.project.domain.id, + "target.domain_id": profile.project.domain.id, + "target.credential.user_id": profile.user.id, + "target.role.domain_id": profile.project.domain.id, + "target.group.domain_id": profile.project.domain.id, + "target.limit.domain.id": profile.project.domain.id, + "target.limit.project_id": profile.project.domain.id, + "target.limit.project.domain_id": profile.project.domain.id, + # ironic + "allocation.owner": profile.project.id, + "node.lessee": profile.project.id, + "node.owner": profile.project.id, + # glance + "member_id": profile.project.id, + "owner": profile.project.id, + # cinder + "domain_id": profile.project.domain.id, + } + + @router.get( "/policies", description="List policies and permissions", @@ -43,10 +80,7 @@ async def list_policies( session = await generate_session(profile) access = await get_access(session) user_context = UserContext(access) - target = { - "user_id": profile.user.id, - "project_id": profile.project.id, - } + target = _generate_target(profile) result = [ {"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)} for rule in ENFORCER.rules 
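Review bot: `"target.limit.project_id": profile.project.domain.id` in `_generate_target` looks like a copy-paste slip: every other `*.project_id` / `*.project.id` key in this dict is filled from `profile.project.id`, and a limit's project_id names a project rather than a domain, so a keystone rule comparing `project_id:%(target.limit.project_id)s` could never match the caller's own project. Change it to `"target.limit.project_id": profile.project.id,`. The helper also needs a docstring stating that every target field is synthesized from the caller's own user, project and domain (trustor and trustee are both the caller), so the allow/deny results returned by `/policies` describe what this user may do to resources they own and are not an authorization decision for any particular resource; without that note the helper is easy to misuse in a real enforcement path.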
@@ -74,10 +108,7 @@ async def check_policies( session = await generate_session(profile) access = await get_access(session) user_context = UserContext(access) - target = { - "user_id": profile.user.id, - "project_id": profile.project.id, - } + target = _generate_target(profile) try: result = [ {"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)} diff --git a/skyline_apiserver/cmd/policy_manager.py b/skyline_apiserver/cmd/policy_manager.py index a0a8bf0..b6a610d 100644 --- a/skyline_apiserver/cmd/policy_manager.py +++ b/skyline_apiserver/cmd/policy_manager.py 
@@ -136,33 +136,39 @@ def generate_conf(dir: str, desc: str) -> None: f.write(f"# {desc}\n\n") for rule in rules: rule_yaml = rule.format_into_yaml() - if service in constants.PREFIX_MAPPINGS: - rule_yaml = rule_yaml.replace(constants.PREFIX_MAPPINGS[service], "") f.writelines(rule_yaml) LOG.info("Generate policy successful") @click.command(help="Generate service rule code.") -@click.argument("entry_point") -def generate_rule(entry_point: str) -> None: - ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point) - if ep_rules_func is None: - raise Exception( - f"Not found entry point '{entry_point}' in oslo.policy.policies namespace.", - ) - - ep_rules = [item for item in ep_rules_func()] +@click.argument("service") +def generate_rule(service: str) -> None: + entry_points = constants.SUPPORTED_SERVICE_EPS.get(service, []) + if not entry_points: + LOG.error(f"Service {service} is not supported.") + return rules = [] api_rules = [] - for rule in ep_rules: - if isinstance(rule, DocumentedRuleDefault): - api_rules.append(APIRule.from_oslo(rule)) - elif isinstance(rule, RuleDefault): - rules.append(Rule.from_oslo(rule)) + for entry_point in entry_points: + ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point) + if ep_rules_func is None: + raise Exception( + f"Not found entry point '{entry_point}' in oslo.policy.policies namespace.", + ) + + ep_rules = [item for item in ep_rules_func()] + for rule in ep_rules: + if isinstance(rule, DocumentedRuleDefault): + api_rules.append(APIRule.from_oslo(rule)) + elif isinstance(rule, RuleDefault): + rules.append(Rule.from_oslo(rule)) + + header_str = """\ +# flake8: noqa +# fmt: off - header_str = """ from . import base list_rules = (""" @@ -175,9 +181,7 @@ list_rules = (""" " description={description},\n" " )," ) - rule_mappings = {} for r in rules: - rule_mappings[f"rule:{r.name}"] = r.check_str print( rule_format_str.format( name=json.dumps(r.name), 
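Review bot: In `generate_rule`, an unsupported service name is handled with `LOG.error(...)` followed by a bare `return`, so the command exits with status 0 and writes nothing to stdout; a script that redirects this command's output into a module file (the emitted `header_str`/`footer_str` suggest that is how the `manager/*.py` files are produced) would then silently produce an empty module. Fail the command instead with `raise click.BadParameter(f"Service {service} is not supported.")` — `click` is already in scope via the decorators — so callers get a non-zero exit. The `raise Exception(...)` for a missing entry point has the same shape and could become `click.ClickException` for consistency, and `ep_rules = [item for item in ep_rules_func()]` is just `list(ep_rules_func())`. `generate_rule` continues past the end of this hunk.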
@@ -196,26 +200,10 @@ list_rules = (""" " )," ) for r in api_rules: - name = constants.PREFIX_MAPPINGS.get(entry_point, "") + r.name - check_str = r.check_str - tries = 0 - while "rule:" in check_str: - tries += 1 - for k, v in rule_mappings.items(): - if k + " " in check_str or check_str.endswith(k): - check_str = check_str.replace(k, f"({v})") - elif "(" + k + ")" in check_str: - check_str = check_str.replace(k, v) - if tries > 10: - raise Exception(f"Can't replace rule name in {r.name}") - - # Fix for Trove, replace 'project_id:%(tenant)s' with 'project_id:%(project_id)s' - if entry_point == "trove": - check_str = check_str.replace("project_id:%(tenant)s", "project_id:%(project_id)s") print( apirule_format_str.format( - name=json.dumps(name), - check_str=json.dumps(check_str), + name=json.dumps(r.name), + check_str=json.dumps(r.check_str), description=json.dumps(r.description), scope_types=json.dumps(r.scope_types), operations=json.dumps(r.operations), @@ -224,7 +212,7 @@ list_rules = (""" footer_str = """) -__all__ = ("list_rules",) +__all__ = ("list_rules",)\ """ print(footer_str) diff --git a/skyline_apiserver/policy/__init__.py b/skyline_apiserver/policy/__init__.py index 6e889c4..b0cfc41 100644 --- a/skyline_apiserver/policy/__init__.py +++ b/skyline_apiserver/policy/__init__.py @@ -14,9 +14,10 @@ from __future__ import annotations +from oslo_policy import _parser # type: ignore + from .base import Enforcer, UserContext from .manager import get_service_rules -from .manager.base import APIRule ENFORCER = Enforcer() 
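Review bot: `from oslo_policy import _parser  # type: ignore` couples enforcer setup to a private, underscore-prefixed module of oslo.policy that the library may rename or change without a deprecation cycle; the `# type: ignore` is needed precisely because it is not part of the exported surface. Combined with the loosened version ceilings elsewhere in this change (oslo.policy's own pin is not in view here), a routine upgrade could break the package at import time. If `base.Rule` derives from oslo.policy's `RuleDefault`, assigning `check_str` already re-parses the check (worth confirming against the installed version) and the private import is unnecessary; otherwise isolate it in one helper such as `def _parse_check(check_str): return _parser.parse_rule(check_str)` with a comment naming the private dependency, so it has a single place to swap.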
@@ -24,8 +25,18 @@ ENFORCER = Enforcer() def setup() -> None: service_rules = get_service_rules() all_api_rules = [] - for rules in service_rules.values(): - api_rules = [rule for rule in rules if isinstance(rule, APIRule)] + for service, rules in service_rules.items(): + api_rules = [] + for rule in rules: + # Update rule name with prefix service. + rule.name = f"{service}:{rule.name}" + # Update check + rule.check_str = rule.check_str.replace("rule:", f"rule:{service}:") + rule.check = _parser.parse_rule(rule.check_str) + # Update basic check + rule.basic_check_str = rule.basic_check_str.replace("rule:", f"rule:{service}:") + rule.basic_check = _parser.parse_rule(rule.basic_check_str) + api_rules.append(rule) all_api_rules.extend(api_rules) ENFORCER.register_rules(all_api_rules) diff --git a/skyline_apiserver/policy/manager/cinder.py b/skyline_apiserver/policy/manager/cinder.py index c2c97ae..68eeed7 100644 --- a/skyline_apiserver/policy/manager/cinder.py +++ b/skyline_apiserver/policy/manager/cinder.py 
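Review bot: `setup()` now mutates the rule objects returned by `get_service_rules()` in place, and the prefixing is not idempotent: if `setup()` runs twice in one process (tests, a reload, two enforcers) and `get_service_rules()` hands back the same objects — not visible from here — `cinder:admin_api` becomes `cinder:cinder:admin_api`, the `rule:` references drift with it, and a second `register_rules` call registers the renamed set on top of the first, so the names the UI receives from `/policies` depend on how many times setup ran. Guard before mutating, `if rule.name.startswith(f"{service}:"): continue`, or better build prefixed copies and leave the source objects untouched. `rule.check_str.replace("rule:", f"rule:{service}:")` is also a blanket substitution: it handles the `rule:<name>` atoms oslo.policy's grammar produces, but would equally rewrite a reference that already carries a service prefix or the text of a `%(...)s` target; an anchored `re.sub(r"rule:(?!" + re.escape(service) + r":)", f"rule:{service}:", check_str)` narrows that. Finally, `api_rules` is filled and immediately extended into `all_api_rules`; `all_api_rules.extend(rules)` after the inner loop reads the same with one list fewer, and whether `setup()` ends at `register_rules` is not visible in this hunk.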
@@ -1,108 +1,96 @@ # flake8: noqa +# fmt: off from . import base list_rules = ( + base.Rule( + name="admin_or_owner", + check_str=("is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"), + description="DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.", + ), + base.Rule( + name="system_or_domain_or_project_admin", + check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"), + description="DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.", + ), base.Rule( name="context_is_admin", check_str=("role:admin"), description="Decides what is required for the 'is_admin:True' check to succeed.", ), - base.Rule( - name="admin_or_owner", - check_str=( - "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s" - ), - description="Default rule for most non-Admin APIs.", - ), base.Rule( name="admin_api", check_str=("is_admin:True or (role:admin and is_admin_project:True)"), description="Default rule for most Admin APIs.", ), base.Rule( - name="system_or_domain_or_project_admin", - check_str=( - "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)" - ), - description="Default rule for admins of cloud, domain or a project.", + name="xena_system_admin_or_project_reader", + check_str=("(role:admin) or (role:reader and project_id:%(project_id)s)"), + description="NOTE: this purely role-based rule recognizes only project scope", + ), + base.Rule( + name="xena_system_admin_or_project_member", + check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"), + description="NOTE: this purely role-based rule recognizes only project scope", + ), + base.Rule( + name="volume_extension:volume_type_encryption", + check_str=("rule:admin_api"), + 
description="DEPRECATED: This rule will be removed in the Yoga release.", ), base.APIRule( name="volume:attachment_create", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create attachment.", scope_types=["project"], operations=[{"method": "POST", "path": "/attachments"}], ), base.APIRule( name="volume:attachment_update", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update attachment.", scope_types=["project"], operations=[{"method": "PUT", "path": "/attachments/{attachment_id}"}], ), base.APIRule( name="volume:attachment_delete", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete attachment.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/attachments/{attachment_id}"}], ), base.APIRule( name="volume:attachment_complete", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Mark a volume attachment process as completed (in-use)", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"}, - ], + operations=[{"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"}], ), base.APIRule( name="volume:multiattach_bootable_volume", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and 
project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Allow multiattach of bootable volumes.", scope_types=["project"], operations=[{"method": "POST", "path": "/attachments"}], ), base.APIRule( name="message:get_all", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List messages.", scope_types=["project"], operations=[{"method": "GET", "path": "/messages"}], ), base.APIRule( name="message:get", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show message.", scope_types=["project"], operations=[{"method": "GET", "path": "/messages/{message_id}"}], ), base.APIRule( name="message:delete", - check_str=("rule:admin_or_owner"), - basic_check_str=("role:admin"), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete message.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/messages/{message_id}"}], 
@@ -110,18 +98,13 @@ list_rules = ( base.APIRule( name="clusters:get_all", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="List clusters.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/clusters"}, - {"method": "GET", "path": "/clusters/detail"}, - ], + operations=[{"method": "GET", "path": "/clusters"}, {"method": "GET", "path": "/clusters/detail"}], ), base.APIRule( name="clusters:get", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="Show cluster.", scope_types=["project"], operations=[{"method": "GET", "path": "/clusters/{cluster_id}"}], @@ -129,7 +112,6 @@ list_rules = ( base.APIRule( name="clusters:update", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), description="Update cluster.", scope_types=["project"], operations=[{"method": "PUT", "path": "/clusters/{cluster_id}"}], 
@@ -137,109 +119,69 @@ list_rules = ( base.APIRule( name="workers:cleanup", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), description="Clean up workers.", scope_types=["project"], operations=[{"method": "POST", "path": "/workers/cleanup"}], ), base.APIRule( name="volume:get_snapshot_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show snapshot's metadata or one specified metadata with a given key.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, - {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}, - ], + operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}], ), base.APIRule( name="volume:update_snapshot_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update snapshot's metadata or one specified metadata with a given key.", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata"}, - {"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata/{key}"}, - ], + operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata/{key}"}], ), base.APIRule( name="volume:delete_snapshot_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), 
description="Delete snapshot's specified metadata with a given key.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}/metadata/{key}"}], ), base.APIRule( name="volume:get_all_snapshots", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List snapshots.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/snapshots"}, - {"method": "GET", "path": "/snapshots/detail"}, - ], + operations=[{"method": "GET", "path": "/snapshots"}, {"method": "GET", "path": "/snapshots/detail"}], ), base.APIRule( name="volume_extension:extended_snapshot_attributes", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List or show snapshots with extended attributes.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/snapshots/{snapshot_id}"}, - {"method": "GET", "path": "/snapshots/detail"}, - ], + operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}, {"method": "GET", "path": "/snapshots/detail"}], ), base.APIRule( name="volume:create_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create snapshot.", scope_types=["project"], operations=[{"method": "POST", "path": "/snapshots"}], ), base.APIRule( name="volume:get_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or 
role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show snapshot.", scope_types=["project"], operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}], ), base.APIRule( name="volume:update_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update snapshot.", scope_types=["project"], operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}"}], ), base.APIRule( name="volume:delete_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete snapshot.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}"}], 
@@ -247,51 +189,34 @@ list_rules = ( base.APIRule( name="volume_extension:snapshot_admin_actions:reset_status", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Reset status of a snapshot.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"}, - ], + operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"}], ), base.APIRule( name="snapshot_extension:snapshot_actions:update_snapshot_status", - check_str=(""), - basic_check_str=("@"), + check_str=("rule:xena_system_admin_or_project_member"), description="Update database fields of snapshot.", scope_types=["project"], - operations=[ - { - "method": "POST", - "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)", - }, - ], + operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)"}], ), base.APIRule( name="volume_extension:snapshot_admin_actions:force_delete", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Force delete a snapshot.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"}, - ], + operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"}], ), base.APIRule( name="snapshot_extension:list_manageable", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="List (in detail) of snapshots which are available to manage.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/manageable_snapshots"}, - {"method": "GET", "path": "/manageable_snapshots/detail"}, - ], + operations=[{"method": "GET", "path": "/manageable_snapshots"}, {"method": "GET", "path": "/manageable_snapshots/detail"}], ), base.APIRule( name="snapshot_extension:snapshot_manage", 
check_str=("rule:admin_api"), - basic_check_str=("role:admin"), description="Manage an existing snapshot.", scope_types=["project"], operations=[{"method": "POST", "path": "/manageable_snapshots"}], 
@@ -299,81 +224,55 @@ list_rules = ( base.APIRule( name="snapshot_extension:snapshot_unmanage", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), description="Stop managing a snapshot.", scope_types=["project"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-unmanage)"}], ), base.APIRule( name="backup:get_all", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List backups.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/backups"}, - {"method": "GET", "path": "/backups/detail"}, - ], + operations=[{"method": "GET", "path": "/backups"}, {"method": "GET", "path": "/backups/detail"}], ), base.APIRule( name="backup:backup_project_attribute", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="List backups or show backup with project attributes.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/backups/{backup_id}"}, - {"method": "GET", "path": "/backups/detail"}, - ], + operations=[{"method": "GET", "path": "/backups/{backup_id}"}, {"method": "GET", "path": "/backups/detail"}], ), base.APIRule( name="backup:create", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups"}], ), base.APIRule( name="backup:get", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + 
check_str=("rule:xena_system_admin_or_project_reader"), description="Show backup.", scope_types=["project"], operations=[{"method": "GET", "path": "/backups/{backup_id}"}], ), base.APIRule( name="backup:update", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update backup.", scope_types=["project"], operations=[{"method": "PUT", "path": "/backups/{backup_id}"}], ), base.APIRule( name="backup:delete", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete backup.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/backups/{backup_id}"}], ), base.APIRule( name="backup:restore", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Restore backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups/{backup_id}/restore"}], @@ -381,7 +280,6 @@ list_rules = ( base.APIRule( name="backup:backup-import", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Import backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups/{backup_id}/import_record"}], @@ -389,7 +287,6 @@ list_rules = ( base.APIRule( name="backup:export-import", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Export backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups/{backup_id}/export_record"}], 
@@ -397,7 +294,6 @@ list_rules = ( base.APIRule( name="volume_extension:backup_admin_actions:reset_status", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Reset status of a backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-reset_status)"}], 
@@ -405,50 +301,34 @@ list_rules = ( base.APIRule( name="volume_extension:backup_admin_actions:force_delete", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Force delete a backup.", scope_types=["project"], operations=[{"method": "POST", "path": "/backups/{backup_id}/action (os-force_delete)"}], ), base.APIRule( name="group:get_all", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List groups.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/groups"}, - {"method": "GET", "path": "/groups/detail"}, - ], + operations=[{"method": "GET", "path": "/groups"}, {"method": "GET", "path": "/groups/detail"}], ), base.APIRule( name="group:create", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create group.", scope_types=["project"], operations=[{"method": "POST", "path": "/groups"}], ), base.APIRule( name="group:get", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show group.", scope_types=["project"], operations=[{"method": "GET", "path": "/groups/{group_id}"}], ), base.APIRule( name="group:update", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), 
description="Update group.", scope_types=["project"], operations=[{"method": "PUT", "path": "/groups/{group_id}"}], 
@@ -456,97 +336,104 @@ list_rules = ( base.APIRule( name="group:group_project_attribute", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="List groups or show group with project attributes.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/groups/{group_id}"}, - {"method": "GET", "path": "/groups/detail"}, - ], + operations=[{"method": "GET", "path": "/groups/{group_id}"}, {"method": "GET", "path": "/groups/detail"}], ), base.APIRule( - name="group:group_types_manage", + name="group:group_types:create", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), - description="Create, update or delete a group type.", + description="Create a group type.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/group_types/"}, - {"method": "PUT", "path": "/group_types/{group_type_id}"}, - {"method": "DELETE", "path": "/group_types/{group_type_id}"}, - ], + operations=[{"method": "POST", "path": "/group_types/"}], + ), + base.APIRule( + name="group:group_types:update", + check_str=("rule:admin_api"), + description="Update a group type.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/group_types/{group_type_id}"}], + ), + base.APIRule( + name="group:group_types:delete", + check_str=("rule:admin_api"), + description="Delete a group type.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}"}], ), base.APIRule( name="group:access_group_types_specs", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="Show group type with type specs attributes.", scope_types=["project"], operations=[{"method": "GET", "path": "/group_types/{group_type_id}"}], ), base.APIRule( - name="group:group_types_specs", + name="group:group_types_specs:get", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), - description="Create, show, update and delete group type spec.", + description="Show a 
group type spec.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}, - {"method": "GET", "path": "/group_types/{group_type_id}/group_specs"}, - {"method": "POST", "path": "/group_types/{group_type_id}/group_specs"}, - {"method": "PUT", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}, - {"method": "DELETE", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}, - ], + operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}], + ), + base.APIRule( + name="group:group_types_specs:get_all", + check_str=("rule:admin_api"), + description="List group type specs.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/group_types/{group_type_id}/group_specs"}], + ), + base.APIRule( + name="group:group_types_specs:create", + check_str=("rule:admin_api"), + description="Create a group type spec.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/group_types/{group_type_id}/group_specs"}], + ), + base.APIRule( + name="group:group_types_specs:update", + check_str=("rule:admin_api"), + description="Update a group type spec.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}], + ), + base.APIRule( + name="group:group_types_specs:delete", + check_str=("rule:admin_api"), + description="Delete a group type spec.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/group_types/{group_type_id}/group_specs/{g_spec_id}"}], ), base.APIRule( name="group:get_all_group_snapshots", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List group snapshots.", scope_types=["project"], - 
operations=[ - {"method": "GET", "path": "/group_snapshots"}, - {"method": "GET", "path": "/group_snapshots/detail"}, - ], + operations=[{"method": "GET", "path": "/group_snapshots"}, {"method": "GET", "path": "/group_snapshots/detail"}], ), base.APIRule( name="group:create_group_snapshot", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create group snapshot.", scope_types=["project"], operations=[{"method": "POST", "path": "/group_snapshots"}], ), base.APIRule( name="group:get_group_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show group snapshot.", scope_types=["project"], operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}], ), base.APIRule( name="group:delete_group_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete group snapshot.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/group_snapshots/{group_snapshot_id}"}], ), base.APIRule( name="group:update_group_snapshot", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update group snapshot.", scope_types=["project"], operations=[{"method": "PUT", "path": "/group_snapshots/{group_snapshot_id}"}], 
@@ -554,30 +441,20 @@ list_rules = (
 base.APIRule(
 name="group:group_snapshot_project_attribute",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="List group snapshots or show group snapshot with project attributes.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"},
- {"method": "GET", "path": "/group_snapshots/detail"},
- ],
+ operations=[{"method": "GET", "path": "/group_snapshots/{group_snapshot_id}"}, {"method": "GET", "path": "/group_snapshots/detail"}],
 ),
 base.APIRule(
 name="group:reset_group_snapshot_status",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Reset status of group snapshot.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"},
- ],
+ operations=[{"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"}],
 ),
 base.APIRule(
 name="group:delete",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Delete group.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/groups/{group_id}/action (delete)"}],
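Review bot: `group:delete` is switched to `rule:xena_system_admin_or_project_member`, and that alias (together with `rule:xena_system_admin_or_project_reader`) is referenced by almost every hunk below, but nothing in this hunk defines it; if it is not registered earlier in `list_rules` or by the loaded policy file, an oslo.policy-backed enforcer resolves an unknown `rule:` reference to deny, so every project-member action would silently read as not allowed in the permission listing. If the definitions live at the head of the file, a comment at the first reference such as `# rule:xena_* aliases are defined at the top of list_rules` would make that dependency visible to the next reader. The one-line `operations=[...]` rewrites here and in the hunks at -585, -666, -787, -809, -828, -1002, -1040 and -1070 run well past the line length the untouched entries keep, which reads as generator output that skipped the project's formatter; re-running it would restore the one-operation-per-line layout. The enclosing `list_rules` tuple starts and ends outside this hunk.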
@@ -585,72 +462,48 @@ list_rules = (
 base.APIRule(
 name="group:reset_status",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Reset status of group.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/groups/{group_id}/action (reset_status)"}],
 ),
 base.APIRule(
 name="group:enable_replication",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Enable replication.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/groups/{group_id}/action (enable_replication)"}],
 ),
 base.APIRule(
 name="group:disable_replication",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Disable replication.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"},
- ],
+ operations=[{"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"}],
 ),
 base.APIRule(
 name="group:failover_replication",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Fail over replication.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"},
- ],
+ operations=[{"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"}],
 ),
 base.APIRule(
 name="group:list_replication_targets",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or 
role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="List failover replication.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"},
- ],
+ operations=[{"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"}],
 ),
 base.APIRule(
 name="volume_extension:qos_specs_manage:get_all",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="List qos specs or list all associations.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/qos-specs"},
- {"method": "GET", "path": "/qos-specs/{qos_id}/associations"},
- ],
+ operations=[{"method": "GET", "path": "/qos-specs"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associations"}],
 ),
 base.APIRule(
 name="volume_extension:qos_specs_manage:get",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="Show qos specs.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/qos-specs/{qos_id}"}],
@@ -658,7 +511,6 @@ list_rules = (
 base.APIRule(
 name="volume_extension:qos_specs_manage:create",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Create qos specs.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/qos-specs"}],
@@ -666,56 +518,41 @@ list_rules = (
 base.APIRule(
 name="volume_extension:qos_specs_manage:update",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Update qos specs (including updating association).",
 scope_types=["project"],
- operations=[
- {"method": "PUT", "path": "/qos-specs/{qos_id}"},
- {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate_all"},
- {"method": "GET", "path": "/qos-specs/{qos_id}/associate"},
- {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate"},
- ],
+ operations=[{"method": "PUT", "path": "/qos-specs/{qos_id}"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate_all"}, {"method": "GET", "path": "/qos-specs/{qos_id}/associate"}, {"method": "GET", "path": "/qos-specs/{qos_id}/disassociate"}],
 ),
 base.APIRule(
 name="volume_extension:qos_specs_manage:delete",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="delete qos specs or unset one specified qos key.",
 scope_types=["project"],
- operations=[
- {"method": "DELETE", "path": "/qos-specs/{qos_id}"},
- {"method": "PUT", "path": "/qos-specs/{qos_id}/delete_keys"},
- ],
+ operations=[{"method": "DELETE", "path": "/qos-specs/{qos_id}"}, {"method": "PUT", "path": "/qos-specs/{qos_id}/delete_keys"}],
 ),
 base.APIRule(
- name="volume_extension:quota_classes",
+ name="volume_extension:quota_classes:get",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
- description="Show or update project quota class.",
+ description="Show project quota class.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/os-quota-class-sets/{project_id}"},
- {"method": "PUT", "path": "/os-quota-class-sets/{project_id}"},
- ],
+ operations=[{"method": "GET", "path": "/os-quota-class-sets/{project_id}"}],
+ ),
+ base.APIRule(
+ name="volume_extension:quota_classes:update",
+ check_str=("rule:admin_api"),
+ description="Update project quota class.",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": 
"/os-quota-class-sets/{project_id}"}],
 ),
 base.APIRule(
 name="volume_extension:quotas:show",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="Show project quota (including usage and default).",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/os-quota-sets/{project_id}"},
- {"method": "GET", "path": "/os-quota-sets/{project_id}/default"},
- {"method": "GET", "path": "/os-quota-sets/{project_id}?usage=True"},
- ],
+ operations=[{"method": "GET", "path": "/os-quota-sets/{project_id}"}, {"method": "GET", "path": "/os-quota-sets/{project_id}/default"}, {"method": "GET", "path": "/os-quota-sets/{project_id}?usage=True"}],
 ),
 base.APIRule(
 name="volume_extension:quotas:update",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Update project quota.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/os-quota-sets/{project_id}"}],
@@ -723,7 +560,6 @@ list_rules = (
 base.APIRule(
 name="volume_extension:quotas:delete",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Delete project quota.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/os-quota-sets/{project_id}"}],
@@ -731,7 +567,6 @@ list_rules = (
 base.APIRule(
 name="volume_extension:capabilities",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="Show backend capabilities.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/capabilities/{host_name}"}],
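Review bot: `volume_extension:quota_classes` is split into `volume_extension:quota_classes:get` and `volume_extension:quota_classes:update` with no deprecated-name mapping, so an operator override keyed on the old name silently stops applying and both new rules fall back to the default `rule:admin_api`; the same applies to `volume_extension:types_manage` becoming `type_create`/`type_update`/`type_delete` in the hunk at -828. I cannot see from here whether `base.APIRule` accepts a deprecated-rule argument; if it does, carrying the old names through would preserve existing overrides, and if it does not, a release note listing the renamed rule names is the minimum. The quotas:update entry and the -723/-731 hunks that follow only drop `basic_check_str` and need nothing further. The `list_rules` tuple enclosing these entries begins and ends outside the hunk.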
@@ -739,7 +574,6 @@ list_rules = (
 base.APIRule(
 name="volume_extension:services:index",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="List all services.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-services"}],
@@ -747,7 +581,6 @@ list_rules = (
 base.APIRule(
 name="volume_extension:services:update",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/os-services/{action}"}],
@@ -755,7 +588,6 @@ list_rules = (
 base.APIRule(
 name="volume:freeze_host",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Freeze a backend host.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/os-services/freeze"}],
@@ -763,7 +595,6 @@ list_rules = (
 base.APIRule(
 name="volume:thaw_host",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Thaw a backend host.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/os-services/thaw"}],
@@ -771,7 +602,6 @@ list_rules = (
 base.APIRule(
 name="volume:failover_host",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Failover a backend host.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/os-services/failover_host"}],
@@ -779,7 +609,6 @@ list_rules = (
 base.APIRule(
 name="scheduler_extension:scheduler_stats:get_pools",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="List all backend pools.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/scheduler-stats/get_pools"}],
@@ -787,21 +616,13 @@ list_rules = (
 base.APIRule(
 name="volume_extension:hosts",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="List, update or show hosts for a project.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/os-hosts"},
- {"method": "PUT", "path": "/os-hosts/{host_name}"},
- {"method": "GET", "path": "/os-hosts/{host_id}"},
- ],
+ operations=[{"method": "GET", "path": "/os-hosts"}, {"method": "PUT", "path": "/os-hosts/{host_name}"}, {"method": "GET", "path": "/os-hosts/{host_id}"}],
 ),
 base.APIRule(
 name="limits_extension:used_limits",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="Show limits with used limit attributes.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/limits"}],
@@ -809,18 +630,13 @@ list_rules = (
 base.APIRule(
 name="volume_extension:list_manageable",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
 description="List (in detail) of volumes which are available to manage.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/manageable_volumes"},
- {"method": "GET", "path": "/manageable_volumes/detail"},
- ],
+ operations=[{"method": "GET", "path": "/manageable_volumes"}, {"method": "GET", "path": "/manageable_volumes/detail"}],
 ),
 base.APIRule(
 name="volume_extension:volume_manage",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Manage existing volumes.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/manageable_volumes"}],
@@ -828,135 +644,97 @@ list_rules = (
 base.APIRule(
 name="volume_extension:volume_unmanage",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Stop managing a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unmanage)"}],
 ),
 base.APIRule(
- name="volume_extension:types_manage",
+ name="volume_extension:type_create",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
- description="Create, update and delete volume type.",
+ description="Create volume type.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/types"},
- {"method": "PUT", "path": "/types"},
- {"method": "DELETE", "path": "/types"},
- ],
+ operations=[{"method": "POST", "path": "/types"}],
+ ),
+ base.APIRule(
+ name="volume_extension:type_update",
+ check_str=("rule:admin_api"),
+ description="Update volume type.",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/types"}],
+ ),
+ base.APIRule(
+ name="volume_extension:type_delete",
+ check_str=("rule:admin_api"),
+ description="Delete volume type.",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/types"}],
 ),
 base.APIRule(
 name="volume_extension:type_get",
- check_str=(""),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="Get one specific volume type.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/types/{type_id}"}],
 ),
 base.APIRule(
 name="volume_extension:type_get_all",
- check_str=(""),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="List volume types.",
scope_types=["project"],
 operations=[{"method": "GET", "path": "/types/"}],
 ),
 base.APIRule(
- name="volume_extension:volume_type_encryption",
- check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
- description="Base policy for all volume type encryption type operations. This can be used to set the policies for a volume type's encryption type create, show, update, and delete actions in one place, or any of those may be set individually using the following policy targets for finer grained control.",
+ name="volume_extension:access_types_extra_specs",
+ check_str=("rule:xena_system_admin_or_project_reader"),
+ description="Include the volume type's extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/types/{type_id}/encryption"},
- {"method": "PUT", "path": "/types/{type_id}/encryption/{encryption_id}"},
- {"method": "GET", "path": "/types/{type_id}/encryption"},
- {"method": "GET", "path": "/types/{type_id}/encryption/{key}"},
- {"method": "DELETE", "path": "/types/{type_id}/encryption/{encryption_id}"},
- ],
+ operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
+ ),
+ base.APIRule(
+ name="volume_extension:access_types_qos_specs_id",
+ check_str=("rule:admin_api"),
+ description="Include the volume type's QoS specifications ID attribute in the volume type list or show requests. 
The ability to make these calls is governed by other policies.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types"}],
 ),
 base.APIRule(
 name="volume_extension:volume_type_encryption:create",
- check_str=("rule:volume_extension:volume_type_encryption"),
- basic_check_str=("role:admin"),
+ check_str=("rule:admin_api"),
 description="Create volume type encryption.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/types/{type_id}/encryption"}],
 ),
 base.APIRule(
 name="volume_extension:volume_type_encryption:get",
- check_str=("rule:volume_extension:volume_type_encryption"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("rule:admin_api"),
 description="Show a volume type's encryption type, show an encryption specs item.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/types/{type_id}/encryption"},
- {"method": "GET", "path": "/types/{type_id}/encryption/{key}"},
- ],
+ operations=[{"method": "GET", "path": "/types/{type_id}/encryption"}, {"method": "GET", "path": "/types/{type_id}/encryption/{key}"}],
 ),
 base.APIRule(
 name="volume_extension:volume_type_encryption:update",
- check_str=("rule:volume_extension:volume_type_encryption"),
- basic_check_str=("role:admin"),
+ check_str=("rule:admin_api"),
 description="Update volume type encryption.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/types/{type_id}/encryption/{encryption_id}"}],
 ),
 base.APIRule(
 name="volume_extension:volume_type_encryption:delete",
- check_str=("rule:volume_extension:volume_type_encryption"),
- basic_check_str=("role:admin"),
+ check_str=("rule:admin_api"),
 description="Delete volume type encryption.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/types/{type_id}/encryption/{encryption_id}"}],
 ),
- base.APIRule(
- name="volume_extension:access_types_extra_specs",
- check_str=("rule:admin_api"),
- basic_check_str=(
- "role:admin or 
role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
- description="List or show volume type with access type extra specs attribute.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/types/{type_id}"},
- {"method": "GET", "path": "/types"},
- ],
- ),
- base.APIRule(
- name="volume_extension:access_types_qos_specs_id",
- check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
- description="List or show volume type with access type qos specs id attribute.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/types/{type_id}"},
- {"method": "GET", "path": "/types"},
- ],
- ),
 base.APIRule(
 name="volume_extension:volume_type_access",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
- description="Volume type access related APIs.",
+ check_str=("rule:xena_system_admin_or_project_member"),
+ description="Adds the boolean field 'os-volume-type-access:is_public' to the responses for these API calls. The ability to make these calls is governed by other policies.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/types"},
- {"method": "GET", "path": "/types/detail"},
- {"method": "GET", "path": "/types/{type_id}"},
- {"method": "POST", "path": "/types"},
- ],
+ operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "POST", "path": "/types"}],
 ),
 base.APIRule(
 name="volume_extension:volume_type_access:addProjectAccess",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Add volume type access for project.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/types/{type_id}/action (addProjectAccess)"}],
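Review bot: `volume_extension:access_types_extra_specs` is relaxed from `rule:admin_api` to `rule:xena_system_admin_or_project_reader`, so the UI will now treat every project reader as entitled to a volume type's extra_specs; this appears to track the Cinder Xena default, where the API itself limits non-admin callers to the user-visible subset of extra specs, but that filtering happens in Cinder and nothing here records the assumption. A comment on the rule such as `# relaxed to project reader to match Cinder Xena; Cinder, not this rule, decides which extra_specs non-admins receive` would stop the next reader from tightening it back. Dropping the umbrella `volume_extension:volume_type_encryption` rule and pointing its four sub-rules at `rule:admin_api` directly also means an operator override of the umbrella no longer cascades, so each encryption sub-rule now has to be overridden individually. The `base.APIRule(` for `volume_extension:volume_type_access:addProjectAccess` closes after the hunk ends.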
@@ -964,37 +742,34 @@ list_rules = (
 base.APIRule(
 name="volume_extension:volume_type_access:removeProjectAccess",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Remove volume type access for project.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/types/{type_id}/action (removeProjectAccess)"}],
 ),
+ base.APIRule(
+ name="volume_extension:volume_type_access:get_all_for_type",
+ check_str=("rule:admin_api"),
+ description="List private volume type access detail, that is, list the projects that have access to this volume type.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/types/{type_id}/os-volume-type-access"}],
+ ),
 base.APIRule(
 name="volume:extend",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Extend a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
 ),
 base.APIRule(
 name="volume:extend_attached_volume",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Extend a attached volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-extend)"}],
 ),
 base.APIRule(
 name="volume:revert_to_snapshot",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Revert a volume to a snapshot.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (revert)"}],
@@ -1002,37 +777,27 @@ list_rules = (
 base.APIRule(
 name="volume_extension:volume_admin_actions:reset_status",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Reset status of a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reset_status)"}],
 ),
 base.APIRule(
 name="volume:retype",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Retype a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-retype)"}],
 ),
 base.APIRule(
 name="volume:update_readonly_flag",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Update a volume's readonly flag.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_admin_actions:force_delete",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Force delete a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_delete)"}],
@@ -1040,29 +805,20 @@ list_rules = (
 base.APIRule(
 name="volume_extension:volume_actions:upload_public",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Upload a volume to image with public visibility.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:upload_image",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Upload a volume to image.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_admin_actions:force_detach",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Force detach a volume.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-force_detach)"}],
@@ -1070,255 +826,181 @@ list_rules = (
 base.APIRule(
 name="volume_extension:volume_admin_actions:migrate_volume",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="migrate a volume to a specified host.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_admin_actions:migrate_volume_completion",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="Complete a volume migration.",
 scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/volumes/{volume_id}/action (os-migrate_volume_completion)",
- },
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume_completion)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:initialize_connection",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Initialize volume attachment.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:terminate_connection",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Terminate volume attachment.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": 
"/volumes/{volume_id}/action (os-terminate_connection)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-terminate_connection)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:roll_detaching",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Roll back volume status to 'in-use'.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:reserve",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Mark volume as reserved.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reserve)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:unreserve",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Unmark volume as reserved.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unreserve)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:begin_detaching",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Begin detach volumes.",
 scope_types=["project"],
- operations=[
- 
{"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"},
- ],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:attach",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Add attachment metadata.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}],
 ),
 base.APIRule(
 name="volume_extension:volume_actions:detach",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Clear attachment metadata.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-detach)"}],
 ),
+ base.APIRule(
+ name="volume:reimage",
+ check_str=("rule:xena_system_admin_or_project_member"),
+ description="Reimage a volume in 'available' or 'error' status.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
+ ),
+ base.APIRule(
+ name="volume:reimage_reserved",
+ check_str=("rule:xena_system_admin_or_project_member"),
+ description="Reimage a volume in 'reserved' status.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-reimage)"}],
+ ),
 base.APIRule(
 name="volume:get_all_transfers",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="List volume transfer.",
scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/os-volume-transfer"},
- {"method": "GET", "path": "/os-volume-transfer/detail"},
- {"method": "GET", "path": "/volume_transfers"},
- {"method": "GET", "path": "/volume-transfers/detail"},
- ],
+ operations=[{"method": "GET", "path": "/os-volume-transfer"}, {"method": "GET", "path": "/os-volume-transfer/detail"}, {"method": "GET", "path": "/volume_transfers"}, {"method": "GET", "path": "/volume-transfers/detail"}],
 ),
 base.APIRule(
 name="volume:create_transfer",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Create a volume transfer.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/os-volume-transfer"},
- {"method": "POST", "path": "/volume_transfers"},
- ],
+ operations=[{"method": "POST", "path": "/os-volume-transfer"}, {"method": "POST", "path": "/volume_transfers"}],
 ),
 base.APIRule(
 name="volume:get_transfer",
- check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="Show one specified volume transfer.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/os-volume-transfer/{transfer_id}"},
- {"method": "GET", "path": "/volume-transfers/{transfer_id}"},
- ],
+ operations=[{"method": "GET", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "GET", "path": "/volume-transfers/{transfer_id}"}],
 ),
 base.APIRule(
 name="volume:accept_transfer",
- check_str=(""),
- basic_check_str=("@"),
+ check_str=("rule:xena_system_admin_or_project_member"),
 description="Accept a volume transfer.",
 scope_types=["project"],
- operations=[
- 
{"method": "POST", "path": "/os-volume-transfer/{transfer_id}/accept"}, - {"method": "POST", "path": "/volume-transfers/{transfer_id}/accept"}, - ], + operations=[{"method": "POST", "path": "/os-volume-transfer/{transfer_id}/accept"}, {"method": "POST", "path": "/volume-transfers/{transfer_id}/accept"}], ), base.APIRule( name="volume:delete_transfer", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete volume transfer.", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/os-volume-transfer/{transfer_id}"}, - {"method": "DELETE", "path": "/volume-transfers/{transfer_id}"}, - ], + operations=[{"method": "DELETE", "path": "/os-volume-transfer/{transfer_id}"}, {"method": "DELETE", "path": "/volume-transfers/{transfer_id}"}], ), base.APIRule( name="volume:get_volume_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show volume's metadata or one specified metadata with a given key.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/{volume_id}/metadata"}, - {"method": "GET", "path": "/volumes/{volume_id}/metadata/{key}"}, - ], + operations=[{"method": "GET", "path": "/volumes/{volume_id}/metadata"}, {"method": "GET", "path": "/volumes/{volume_id}/metadata/{key}"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-show_image_metadata)"}], ), base.APIRule( name="volume:create_volume_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + 
check_str=("rule:xena_system_admin_or_project_member"), description="Create volume metadata.", scope_types=["project"], operations=[{"method": "POST", "path": "/volumes/{volume_id}/metadata"}], ), base.APIRule( name="volume:update_volume_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), - description="Update volume's metadata or one specified metadata with a given key.", + check_str=("rule:xena_system_admin_or_project_member"), + description="Replace a volume's metadata dictionary or update a single metadatum with a given key.", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/volumes/{volume_id}/metadata"}, - {"method": "PUT", "path": "/volumes/{volume_id}/metadata/{key}"}, - ], + operations=[{"method": "PUT", "path": "/volumes/{volume_id}/metadata"}, {"method": "PUT", "path": "/volumes/{volume_id}/metadata/{key}"}], ), base.APIRule( name="volume:delete_volume_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), - description="Delete volume's specified metadata with a given key.", + check_str=("rule:xena_system_admin_or_project_member"), + description="Delete a volume's metadatum with the given key.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/volumes/{volume_id}/metadata/{key}"}], ), base.APIRule( - name="volume_extension:volume_image_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), - description="Volume's image metadata related operation, create, delete, show and list.", + name="volume_extension:volume_image_metadata:show", + check_str=("rule:xena_system_admin_or_project_reader"), + description="Include a volume's image metadata in volume detail 
responses. The ability to make these calls is governed by other policies.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/detail"}, - {"method": "GET", "path": "/volumes/{volume_id}"}, - {"method": "POST", "path": "/volumes/{volume_id}/action (os-set_image_metadata)"}, - {"method": "POST", "path": "/volumes/{volume_id}/action (os-unset_image_metadata)"}, - ], + operations=[{"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/{volume_id}"}], + ), + base.APIRule( + name="volume_extension:volume_image_metadata:set", + check_str=("rule:xena_system_admin_or_project_member"), + description="Set image metadata for a volume", + scope_types=["project"], + operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-set_image_metadata)"}], + ), + base.APIRule( + name="volume_extension:volume_image_metadata:remove", + check_str=("rule:xena_system_admin_or_project_member"), + description="Remove specific image metadata from a volume", + scope_types=["project"], + operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-unset_image_metadata)"}], ), base.APIRule( name="volume:update_volume_admin_metadata", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), - description="Update volume admin metadata. It's used in `attach` and `os-update_readonly_flag` APIs", + description="Update volume admin metadata. 
This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}, - {"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}, - ], + operations=[{"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-attach)"}], ), base.APIRule( name="volume_extension:types_extra_specs:index", - check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:xena_system_admin_or_project_reader"), description="List type extra specs.", scope_types=["project"], operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs"}], 
@@ -1326,23 +1008,27 @@ list_rules = (
 base.APIRule(
 name="volume_extension:types_extra_specs:create",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Create type extra specs.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/types/{type_id}/extra_specs"}],
 ),
 base.APIRule(
 name="volume_extension:types_extra_specs:show",
- check_str=("rule:admin_api"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("rule:xena_system_admin_or_project_reader"),
 description="Show one specified type extra specs.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
 ),
+ base.APIRule(
+ name="volume_extension:types_extra_specs:read_sensitive",
+ check_str=("rule:admin_api"),
+ description="Include extra_specs fields that may reveal sensitive information about the deployment that should not be exposed to end users in various volume-type responses that show extra_specs. The ability to make these calls is governed by other policies.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types/{type_id}"}, {"method": "GET", "path": "/types/{type_id}/extra_specs"}, {"method": "GET", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
+ ),
 base.APIRule(
 name="volume_extension:types_extra_specs:update",
 check_str=("rule:admin_api"),
- basic_check_str=("role:admin"),
 description="Update type extra specs.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}],
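Review bot: `volume_extension:types_extra_specs:read_sensitive` is, by its own description, a filter that cinder applies on top of the `index`/`show` policies rather than a gate on a call of its own, yet this file's enforcer reports every rule's result independently, so a consumer that only consults `show` (now `rule:xena_system_admin_or_project_reader`) gets no hint that the sensitive keys remain admin-only. A comment above the new rule would make that explicit, e.g. `# advisory: cinder applies this as a response filter on top of index/show; UI code must AND it with the reader rules before displaying extra_specs`. Whether `rule:admin_api` and `rule:xena_system_admin_or_project_reader` are defined in this file cannot be confirmed from this hunk.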
@@ -1350,76 +1036,48 @@ list_rules = ( base.APIRule( name="volume_extension:types_extra_specs:delete", check_str=("rule:admin_api"), - basic_check_str=("role:admin"), description="Delete type extra specs.", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}, - ], + operations=[{"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}], ), base.APIRule( name="volume:create", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create volume.", scope_types=["project"], operations=[{"method": "POST", "path": "/volumes"}], ), base.APIRule( name="volume:create_from_image", - check_str=(""), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create volume from image.", scope_types=["project"], operations=[{"method": "POST", "path": "/volumes"}], ), base.APIRule( name="volume:get", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="Show volume.", scope_types=["project"], operations=[{"method": "GET", "path": "/volumes/{volume_id}"}], ), base.APIRule( name="volume:get_all", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List volumes or get summary of volumes.", scope_types=["project"], - 
operations=[ - {"method": "GET", "path": "/volumes"}, - {"method": "GET", "path": "/volumes/detail"}, - {"method": "GET", "path": "/volumes/summary"}, - ], + operations=[{"method": "GET", "path": "/volumes"}, {"method": "GET", "path": "/volumes/detail"}, {"method": "GET", "path": "/volumes/summary"}], ), base.APIRule( name="volume:update", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Update volume or update a volume's bootable status.", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/volumes"}, - {"method": "POST", "path": "/volumes/{volume_id}/action (os-set_bootable)"}, - ], + operations=[{"method": "PUT", "path": "/volumes"}, {"method": "POST", "path": "/volumes/{volume_id}/action (os-set_bootable)"}], ), base.APIRule( name="volume:delete", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Delete volume.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}], @@ -1427,7 +1085,6 @@ list_rules = ( base.APIRule( name="volume:force_delete", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), description="Force Delete a volume.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/volumes/{volume_id}"}], 
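Review bot: The `volume:update` rule still lists `{"method": "PUT", "path": "/volumes"}` without a `{volume_id}` segment, even though the description and the sibling `os-set_bootable` entry refer to a single volume; the collection path is carried over from the old side, so it may mirror upstream cinder's generated policy docs, but if these paths are consumed for anything beyond display they should read `{"method": "PUT", "path": "/volumes/{volume_id}"}`. The tightening of `volume:create` and `volume:create_from_image` from the empty (allow-all) check to `rule:xena_system_admin_or_project_member` is the right direction and needs no further change.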
@@ -1435,91 +1092,64 @@ list_rules = ( base.APIRule( name="volume_extension:volume_host_attribute", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader"), description="List or show volume with host attribute.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/{volume_id}"}, - {"method": "GET", "path": "/volumes/detail"}, - ], + operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}], ), base.APIRule( name="volume_extension:volume_tenant_attribute", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_reader"), description="List or show volume with tenant attribute.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/{volume_id}"}, - {"method": "GET", "path": "/volumes/detail"}, - ], + operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}], ), base.APIRule( name="volume_extension:volume_mig_status_attribute", check_str=("rule:admin_api"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s"), description="List or show volume with migration status attribute.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/{volume_id}"}, - {"method": "GET", "path": "/volumes/detail"}, - ], + operations=[{"method": "GET", "path": "/volumes/{volume_id}"}, {"method": "GET", "path": "/volumes/detail"}], ), base.APIRule( name="volume_extension:volume_encryption_metadata", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + 
check_str=("rule:xena_system_admin_or_project_reader"), description="Show volume's encryption metadata.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/volumes/{volume_id}/encryption"}, - {"method": "GET", "path": "/volumes/{volume_id}/encryption/{encryption_key}"}, - ], + operations=[{"method": "GET", "path": "/volumes/{volume_id}/encryption"}, {"method": "GET", "path": "/volumes/{volume_id}/encryption/{encryption_key}"}], ), base.APIRule( name="volume:multiattach", - check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:xena_system_admin_or_project_member"), description="Create multiattach capable volume.", scope_types=["project"], operations=[{"method": "POST", "path": "/volumes"}], ), base.APIRule( name="volume_extension:default_set_or_update", - check_str=("rule:system_or_domain_or_project_admin"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:admin_api"), description="Set or update default volume type.", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/default-types"}], ), base.APIRule( name="volume_extension:default_get", - check_str=("rule:system_or_domain_or_project_admin"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:admin_api"), description="Get default types.", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/default-types/{project-id}"}], ), base.APIRule( name="volume_extension:default_get_all", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:admin_api"), description="Get all default types. 
WARNING: Changing this might open up too much information regarding cloud deployment.", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/default-types/"}], ), base.APIRule( name="volume_extension:default_unset", - check_str=("rule:system_or_domain_or_project_admin"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:admin_api"), description="Unset default type.", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/default-types/{project-id}"}], ), ) diff --git a/skyline_apiserver/policy/manager/glance.py b/skyline_apiserver/policy/manager/glance.py index ca2addd..a780f89 100644 --- a/skyline_apiserver/policy/manager/glance.py +++ b/skyline_apiserver/policy/manager/glance.py @@ -1,4 +1,5 @@ # flake8: noqa +# fmt: off from . import base 
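Review bot: `volume_extension:default_get_all` drops the `role:admin and system_scope:all` requirement in favour of `rule:admin_api` while keeping the description's warning about exposing deployment information; if `admin_api` resolves to plain `role:admin` (its definition is outside this hunk), any project-scoped admin is now reported as allowed to list every project's default type, a wider audience than before. If that is intentional because this enforcer only evaluates project-scoped contexts, where a `system_scope:all` clause could never match, say so next to the rule, e.g. `# project-scoped enforcer: system_scope checks never match here, admin_api is the closest equivalent`, and keep the warning text. The same reasoning applies to `default_set_or_update`, `default_get` and `default_unset`, which move from `rule:system_or_domain_or_project_admin` to `rule:admin_api` with `scope_types=["project"]`.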
@@ -28,140 +29,9 @@ list_rules = ( check_str=("role:admin"), description="No description", ), - base.Rule( - name="get_metadef_namespace", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="get_metadef_namespaces", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="modify_metadef_namespace", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="add_metadef_namespace", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="delete_metadef_namespace", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="get_metadef_object", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="get_metadef_objects", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="modify_metadef_object", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="add_metadef_object", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="delete_metadef_object", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="list_metadef_resource_types", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="get_metadef_resource_type", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="add_metadef_resource_type_association", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="remove_metadef_resource_type_association", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="get_metadef_property", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="get_metadef_properties", - 
check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="modify_metadef_property", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="add_metadef_property", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="remove_metadef_property", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="get_metadef_tag", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="get_metadef_tags", - check_str=("rule:metadef_default"), - description="No description", - ), - base.Rule( - name="modify_metadef_tag", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="add_metadef_tag", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="add_metadef_tags", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="delete_metadef_tag", - check_str=("rule:metadef_admin"), - description="No description", - ), - base.Rule( - name="delete_metadef_tags", - check_str=("rule:metadef_admin"), - description="No description", - ), base.APIRule( name="add_image", - check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), + check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"), description="Create new image", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/images"}], 
@@ -169,17 +39,13 @@ list_rules = ( base.APIRule( name="delete_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Deletes the image", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="get_image", - check_str=( - 'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))' - ), - basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), + check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"), description="Get specified image", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], @@ -187,7 +53,6 @@ list_rules = ( base.APIRule( name="get_images", check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), description="Get all available images", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images"}], @@ -195,7 +60,6 @@ list_rules = ( base.APIRule( name="modify_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Updates given image", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], @@ -203,7 +67,6 @@ list_rules = ( base.APIRule( name="publicize_image", check_str=("role:admin"), - basic_check_str=("role:admin"), description="Publicize given image", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], 
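Review bot: `get_image` now ORs `'community'`, `'public'` and `'shared'` literal checks against `%(visibility)s`, but a visibility value only exists once a concrete image is in the target; for a rule-listing style evaluation the target presumably carries no `visibility`, in which case those clauses evaluate False on the missing key and the result reduces to `project_id:%(project_id)s or project_id:%(member_id)s`. That is fail-closed, so nothing leaks, but the reported answer is then a per-project capability rather than a per-image decision; a comment on the rule, `# visibility/member_id clauses only take effect when the target carries per-image data`, would keep readers from expecting otherwise. The remaining hunks on this line only drop `basic_check_str`.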
@@ -211,17 +74,13 @@ list_rules = ( base.APIRule( name="communitize_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("!"), description="Communitize given image", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="download_image", - check_str=( - 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))' - ), - basic_check_str=("role:admin or role:admin or role:member"), + check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"), description="Downloads given image", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}], @@ -229,7 +88,6 @@ list_rules = ( base.APIRule( name="upload_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Uploads data to specified image", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}], @@ -237,7 +95,6 @@ list_rules = ( base.APIRule( name="delete_image_location", check_str=("role:admin"), - basic_check_str=("role:admin"), description="Deletes the location of given image", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], @@ -245,7 +102,6 @@ list_rules = ( base.APIRule( name="get_image_location", check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), description="Reads the location of the image", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], 
@@ -253,7 +109,6 @@ list_rules = ( base.APIRule( name="set_image_location", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin"), description="Sets location URI to given image", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], @@ -261,7 +116,6 @@ list_rules = ( base.APIRule( name="add_member", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Create image member", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}], 
@@ -269,31 +123,27 @@ list_rules = ( base.APIRule( name="delete_member", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Delete image member", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}], ), base.APIRule( name="get_member", - check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), + check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"), description="Show image member details", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}], ), base.APIRule( name="get_members", - check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), + check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"), description="List image members", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}], ), base.APIRule( name="modify_member", - check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), + check_str=("role:admin or (role:member and project_id:%(member_id)s)"), description="Update image member", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}], 
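Review bot: `get_member` and `get_members` are written as `role:admin or role:reader and (...)` without the parentheses every neighbouring rule uses; oslo.policy binds `and` tighter than `or`, so they evaluate as intended, but the asymmetry invites misreading, and `role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s))` is unambiguous if these strings are not being kept byte-identical to upstream. `modify_member` now keys on `project_id:%(member_id)s` alone, i.e. the share recipient updates the membership status rather than the image owner, so a target whose `member_id` is the requester's own project id reports this as allowed for every project member; a one-line comment stating that `member_id` denotes the recipient project would make that intent visible.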
@@ -301,7 +151,6 @@ list_rules = ( base.APIRule( name="deactivate", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Deactivate image", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}], @@ -309,7 +158,6 @@ list_rules = ( base.APIRule( name="reactivate", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin or role:member"), description="Reactivate image", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}], @@ -317,7 +165,6 @@ list_rules = ( base.APIRule( name="copy_image", check_str=("role:admin"), - basic_check_str=("@"), description="Copy existing image to other stores", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}], @@ -325,7 +172,6 @@ list_rules = ( base.APIRule( name="get_task", check_str=("rule:default"), - basic_check_str=("!"), description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}], 
@@ -333,7 +179,6 @@ list_rules = ( base.APIRule( name="get_tasks", check_str=("rule:default"), - basic_check_str=("!"), description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v2/tasks"}], @@ -341,7 +186,6 @@ list_rules = ( base.APIRule( name="add_task", check_str=("rule:default"), - basic_check_str=("!"), description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v2/tasks"}], @@ -349,7 +193,6 @@ list_rules = ( base.APIRule( name="modify_task", check_str=("rule:default"), - basic_check_str=("!"), description="This policy is not used.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}], 
@@ -357,15 +200,219 @@ list_rules = (
 base.APIRule(
 name="tasks_api_access",
 check_str=("role:admin"),
- basic_check_str=("!"),
 description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
 scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/v2/tasks/{task_id}"},
- {"method": "GET", "path": "/v2/tasks"},
- {"method": "POST", "path": "/v2/tasks"},
- {"method": "DELETE", "path": "/v2/tasks/{task_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_namespace",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get a specific namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_namespaces",
+ check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
+ description="List namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
+ ),
+ base.APIRule(
+ name="modify_metadef_namespace",
+ check_str=("rule:metadef_admin"),
+ description="Modify an existing namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
+ ),
+ base.APIRule(
+ name="add_metadef_namespace",
+ check_str=("rule:metadef_admin"),
+ description="Create a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
+ ),
+ base.APIRule(
+ name="delete_metadef_namespace",
+ check_str=("rule:metadef_admin"),
+ description="Delete a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_object",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get a specific object from a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_objects",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get objects from a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
+ ),
+ base.APIRule(
+ name="modify_metadef_object",
+ check_str=("rule:metadef_admin"),
+ description="Update an object within a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
+ ),
+ base.APIRule(
+ name="add_metadef_object",
+ check_str=("rule:metadef_admin"),
+ description="Create an object within a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
+ ),
+ base.APIRule(
+ name="delete_metadef_object",
+ check_str=("rule:metadef_admin"),
+ description="Delete an object within a namespace.",
+ scope_types=["system", "project"],
+ operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
+ ),
+ base.APIRule(
+ name="list_metadef_resource_types",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="List meta definition resource types.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
+ ),
+ base.APIRule(
+ name="get_metadef_resource_type",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get meta definition resource types associations.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
+ ),
+ base.APIRule(
+ name="add_metadef_resource_type_association",
+ check_str=("rule:metadef_admin"),
+ description="Create meta definition resource types association.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
+ ),
+ base.APIRule(
+ name="remove_metadef_resource_type_association",
+ check_str=("rule:metadef_admin"),
+ description="Delete meta definition resource types association.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_property",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get a specific meta definition property.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_properties",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="List meta definition properties.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
+ ),
+ base.APIRule(
+ name="modify_metadef_property",
+ check_str=("rule:metadef_admin"),
+ description="Update meta definition property.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
+ ),
+ base.APIRule(
+ name="add_metadef_property",
+ check_str=("rule:metadef_admin"),
+ description="Create meta definition property.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
+ ),
+ base.APIRule(
+ name="remove_metadef_property",
+ check_str=("rule:metadef_admin"),
+ description="Delete meta definition property.",
+ scope_types=["system", "project"],
+ operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_tag",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="Get tag definition.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
+ ),
+ base.APIRule(
+ name="get_metadef_tags",
+ check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
+ description="List tag definitions.",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
+ ),
+ base.APIRule(
+ name="modify_metadef_tag",
+ check_str=("rule:metadef_admin"),
+ description="Update tag definition.",
+ scope_types=["system", "project"],
+ operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
+ ),
+ base.APIRule(
+ name="add_metadef_tag",
+ check_str=("rule:metadef_admin"),
+ description="Add tag definition.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
+ ),
+ base.APIRule(
+ name="add_metadef_tags",
+ check_str=("rule:metadef_admin"),
+ description="Create tag definitions.",
+ scope_types=["system", "project"],
+ operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
+ ),
+ base.APIRule(
+ name="delete_metadef_tag",
+ check_str=("rule:metadef_admin"),
+ description="Delete tag definition.",
+ scope_types=["system", "project"],
+ operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
+ ),
+ base.APIRule(
+ name="delete_metadef_tags",
+ check_str=("rule:metadef_admin"),
+ description="Delete tag definitions.",
+ scope_types=["system", "project"],
+ operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
+ ),
+ base.APIRule(
+ name="cache_image",
+ check_str=("role:admin"),
+ description="Queue image for caching",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/v2/cache/{image_id}"}],
+ ),
+ base.APIRule(
+ name="cache_list",
+ check_str=("role:admin"),
+ description="List cache status",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/v2/cache"}],
+ ),
+ base.APIRule(
+ name="cache_delete",
+ check_str=("role:admin"),
+ description="Delete image(s) from cache and/or queue",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/v2/cache"}, {"method": "DELETE", "path": "/v2/cache/{image_id}"}],
+ ),
+ base.APIRule(
+ name="stores_info_detail",
+ check_str=("role:admin"),
+ description="Expose store specific information",
+ scope_types=["system", "project"],
+ operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
 ),
 )
diff --git a/skyline_apiserver/policy/manager/heat.py b/skyline_apiserver/policy/manager/heat.py
index ff1711e..42dcbe8 100644
--- a/skyline_apiserver/policy/manager/heat.py
+++ b/skyline_apiserver/policy/manager/heat.py
@@ -1,4 +1,5 @@
 # flake8: noqa
+# fmt: off
 from . import base
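Review bot: `modify_metadef_property` is registered with `"method": "GET"` on `/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}`, while every other `modify_metadef_*` rule in this hunk uses PUT and `get_metadef_property` already claims the GET on that same path; the line should read `operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],`. `remove_metadef_resource_type_association` has the same shape of problem: its description says delete but its operation is `POST` on `/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}`, whereas the other remove/delete rules here use DELETE, so it presumably should be `{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}`. If the operations list is what maps an incoming request to the rule that guards it, a mis-declared method means a write to that path is matched against the reader rule instead of `rule:metadef_admin`, so both entries are worth confirming against the upstream glance policy before merging.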
@@ -30,93 +31,67 @@ list_rules = (
 ),
 base.Rule(
 name="cloudformation:ListStacks",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:CreateStack",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
+ check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:DescribeStacks",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:DeleteStack",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
+ check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:UpdateStack",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
+ check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:CancelUpdateStack",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
+ check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:DescribeStackEvents",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:ValidateTemplate",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:GetTemplate",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:EstimateTemplateCost",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:DescribeStackResource",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:DescribeStackResources",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
 name="cloudformation:ListStackResources",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
 description="No description",
 ),
 base.Rule(
@@ -231,783 +206,402 @@ list_rules = ( ), base.APIRule( name="actions:action", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Create stack snapshot", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:suspend", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Suspend a stack.", scope_types=["system", "project"], - operations=[ - {"method": 
"POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:resume", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Resume a suspended stack.", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:check", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Check stack resources.", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:cancel_update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Cancel stack operation and roll back.", scope_types=["system", "project"], - operations=[ - {"method": "POST", 
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="actions:cancel_without_rollback", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Cancel stack operation without rolling back.", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], ), base.APIRule( name="build_info:build_info", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show build information.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}], ), base.APIRule( name="events:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List events.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}], ), 
base.APIRule( name="events:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show event.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}"}], ), base.APIRule( name="resource:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List resources.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}], ), base.APIRule( name="resource:metadata", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) 
or (role:heat_stack_user and project_id:%(project_id)s)"), description="Show resource metadata.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata"}], ), base.APIRule( name="resource:signal", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), description="Signal resource.", scope_types=["system", "project"], - operations=[ - { - "method": "POST", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal", - }, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal"}], ), base.APIRule( name="resource:mark_unhealthy", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Mark resource as unhealthy.", scope_types=["system", "project"], - operations=[ - { - "method": "PATCH", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}", - }, - ], + operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}], ), 
base.APIRule( name="resource:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show resource.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}"}], ), base.APIRule( name="software_configs:global_index", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List configs globally.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}], ), base.APIRule( name="software_configs:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List configs.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}], ), base.APIRule( name="software_configs:create", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and 
project_id:%(project_id)s)"), description="Create config.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}], ), base.APIRule( name="software_configs:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show config details.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], ), base.APIRule( name="software_configs:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Delete config.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], ), base.APIRule( name="software_deployments:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List deployments.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}], ), base.APIRule( name="software_deployments:create", - check_str=( - "(role:admin and 
system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Create deployment.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}], ), base.APIRule( name="software_deployments:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show deployment details.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], ), base.APIRule( name="software_deployments:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Update deployment.", scope_types=["system", "project"], - operations=[ - {"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, - ], + operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], ), base.APIRule( name="software_deployments:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - 
basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Delete deployment.", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], ), base.APIRule( name="software_deployments:metadata", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), description="Show server configuration metadata.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}"}], ), base.APIRule( name="stacks:abandon", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Abandon stack.", scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon", - }, - ], + operations=[{"method": "DELETE", "path": 
"/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}], ), base.APIRule( name="stacks:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Create stack.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Delete stack.", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], ), base.APIRule( name="stacks:detail", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List stacks in detail.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:export", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s 
or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Export stack.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}], ), base.APIRule( name="stacks:generate_template", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Generate stack template.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}], ), base.APIRule( name="stacks:global_index", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List stacks globally.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List stacks.", scope_types=["system", "project"], operations=[{"method": "GET", "path": 
"/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:list_resource_types", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List resource types.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}], ), base.APIRule( name="stacks:list_template_versions", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List template versions.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}], ), base.APIRule( name="stacks:list_template_functions", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List template functions.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/template_versions/{template_version}/functions", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions/{template_version}/functions"}], ), base.APIRule( name="stacks:lookup", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or 
(role:heat_stack_user and project_id:%(project_id)s)"), description="Find stack.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], ), base.APIRule( name="stacks:preview", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Preview stack.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}], ), base.APIRule( name="stacks:resource_schema", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show resource type schema.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}], ), base.APIRule( name="stacks:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show stack.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], ), base.APIRule( name="stacks:template", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and 
project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Get stack template.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}], ), base.APIRule( name="stacks:environment", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Get stack environment.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment"}], ), base.APIRule( name="stacks:files", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Get stack files.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}], ), base.APIRule( name="stacks:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and 
project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Update stack.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], ), base.APIRule( name="stacks:update_patch", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Update stack (PATCH).", scope_types=["system", "project"], - operations=[ - {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, - ], + operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], ), base.APIRule( name="stacks:update_no_change", check_str=("rule:stacks:update_patch"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update stack (PATCH) with no changes.", scope_types=["system", "project"], - operations=[ - {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, - ], + operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], ), base.APIRule( name="stacks:preview_update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Preview update stack.", scope_types=["system", 
"project"], - operations=[ - {"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}, - ], + operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}], ), base.APIRule( name="stacks:preview_update_patch", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Preview update stack (PATCH).", scope_types=["system", "project"], - operations=[ - {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}, - ], + operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}], ), base.APIRule( name="stacks:validate_template", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Validate template.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}], ), base.APIRule( name="stacks:snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Snapshot Stack.", scope_types=["system", "project"], - operations=[ - { - "method": "POST", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots", - }, - ], + operations=[{"method": 
"POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}], ), base.APIRule( name="stacks:show_snapshot", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show snapshot.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}], ), base.APIRule( name="stacks:delete_snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Delete snapshot.", scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}], ), base.APIRule( name="stacks:list_snapshots", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List 
snapshots.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}], ), base.APIRule( name="stacks:restore_snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), description="Restore snapshot.", scope_types=["system", "project"], - operations=[ - { - "method": "POST", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore", - }, - ], + operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}], ), base.APIRule( name="stacks:list_outputs", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="List outputs.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}], ), base.APIRule( name="stacks:show_output", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and 
project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Show outputs.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}", - }, - ], + operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}"}], ), ) diff --git a/skyline_apiserver/policy/manager/ironic.py b/skyline_apiserver/policy/manager/ironic.py index 100fa6f..5527de1 100644 --- a/skyline_apiserver/policy/manager/ironic.py +++ b/skyline_apiserver/policy/manager/ironic.py @@ -1,4 +1,5 @@ # flake8: noqa +# fmt: off from . import base @@ -25,9 +26,7 @@ list_rules = ( ), base.Rule( name="is_member", - check_str=( - "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)" - ), + check_str=("(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"), description="May be used to restrict access to specific projects", ), base.Rule( @@ -58,7 +57,6 @@ list_rules = ( base.APIRule( name="baremetal:node:create", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create Node records", scope_types=["system"], operations=[{"method": "POST", "path": "/nodes"}], 
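Review bot: After dropping `basic_check_str=("role:admin")`, `baremetal:node:create` carries only `check_str=("role:admin and system_scope:all")` with `scope_types=["system"]`, so the rule can only be satisfied by a system-scoped token; a project-scoped admin session (presumably what a dashboard login holds) will now be reported as not allowed, and the same applies to every other `system_scope:all`-only rule in this file. That is correct for a deployment running Ironic with the new defaults enforced, but the UI's answer now diverges from Ironic's legacy `role:admin` default, so the deployment's `[oslo_policy] enforce_new_defaults` / `enforce_scope` settings should be confirmed to match before this ships. A one-line comment above the tuple, e.g. `# Mirrors Ironic's secure-RBAC (enforce_new_defaults) strings only; legacy basic_check_str fallbacks were dropped deliberately.`, would record that decision for the next maintainer. `list_rules` starts and ends outside the hunk.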
@@ -66,31 +64,20 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:list",
 check_str=("role:reader"),
- basic_check_str=("role:admin or role:reader"),
 description="Retrieve multiple Node records, filtered by an explicit owner or the client project_id",
 scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/nodes"},
- {"method": "GET", "path": "/nodes/detail"},
- ],
+ operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
 ),
 base.APIRule(
 name="baremetal:node:list_all",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Retrieve multiple Node records",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/nodes"},
- {"method": "GET", "path": "/nodes/detail"},
- ],
+ operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}],
 ),
 base.APIRule(
 name="baremetal:node:get",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
 description="Retrieve a single Node record",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
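Review bot: `baremetal:node:get` now relies solely on `project_id:%(node.owner)s or project_id:%(node.lessee)s`, which are attributes of a specific node rather than of the caller, so a list-level "is this rule allowed" answer cannot be correct per node. If the target dict handed to the enforcer lacks `node.owner`/`node.lessee`, oslo.policy's generic check presumably fails the `%`-substitution and denies every project-scoped reader; if instead the caller's own project id is substituted for both, the second disjunct collapses to `role:reader and project_id:<own project>` and reports reads on nodes the project does not own as allowed. Either way the value is an approximation, and that should be stated on the rule, e.g. `# node.owner/node.lessee are per-node target attributes; a caller-derived target cannot decide this rule for a specific node.`. `list_rules` starts and ends outside the hunk.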
@@ -98,67 +85,48 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:get:filter_threshold",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:last_error",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
 description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:reservation",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
 description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:driver_internal_info",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
 description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:get:driver_info",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"),
 description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:driver_info",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node driver_info field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:properties",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node properties field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
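Review bot: `baremetal:node:update:driver_info` moves from the removed legacy `basic_check_str=("role:admin")` to `role:member and project_id:%(node.owner)s`, so a plain member of the owning project is now reported as allowed to rewrite the very field that the `get:driver_info` rule in the same hunk deliberately masks from low-privilege readers — plausibly where out-of-band management credentials live, though this file does not say. That is upstream's new default rather than a bug, but it is a widening relative to what the legacy string expressed, and the UI will surface edit controls accordingly. A short comment on the rule, e.g. `# New-defaults: owner-project members may update driver_info; the legacy default required admin.`, would keep a later reader from treating it as an accident. `list_rules` starts and ends outside the hunk.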
@@ -166,27 +134,20 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:update:chassis_uuid",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Governs if node chassis_uuid field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:instance_uuid",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node instance_uuid field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:lessee",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node lessee field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
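Review bot: `baremetal:node:update:lessee` now lets any `role:member` of the owner project set the lessee, and since other rules in this file admit `project_id:%(node.lessee)s` for reads and updates, that single field write is effectively a delegation of node access to a foreign project, which the legacy `basic_check_str=("role:admin")` being removed here reserved for admins. Nothing is wrong with mirroring upstream's default, but the consequence deserves a note on the rule so the UI does not present it as a harmless metadata edit: `# Setting lessee grants the named project the lessee-scoped rights below; owner-project members may do this under new defaults.`. `list_rules` starts and ends outside the hunk.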
@@ -194,27 +155,20 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:update:owner",
 check_str=("role:member and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Governs if node owner field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:driver_interfaces",
- check_str=(
- "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"),
 description="Governs if node driver and driver interfaces field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:network_data",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node driver_info field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
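Review bot: The `description` kept on `baremetal:node:update:network_data` still reads `"Governs if node driver_info field can be updated via the API clients."`, which is the text of the `update:driver_info` rule and wrong for this one; as these descriptions are what the policy listing exposes, it should be `description="Governs if node network_data field can be updated via the API clients."`. It is a context line, so the error predates this change, but rewriting the adjacent `check_str` is the natural moment to correct it. `list_rules` starts and ends outside the hunk.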
@@ -222,57 +176,41 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:update:conductor_group",
 check_str=("role:member and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Governs if node conductor_group field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:name",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node name field can be updated via the API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update:retired",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
 description="Governs if node retired and retired reason can be updated by API clients.",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update",
- check_str=(
- "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
 description="Generalized update of node records",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update_extra",
- check_str=(
- "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
 description="Update Node extra field",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
 ),
 base.APIRule(
 name="baremetal:node:update_instance_info",
- check_str=(
- "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"),
 description="Update Node instance_info field",
 scope_types=["system", "project"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
@@ -280,7 +218,6 @@ list_rules = (
 base.APIRule(
 name="baremetal:node:update_owner_provisioned",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update Node owner even when Node is provisioned",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
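Review bot: `baremetal:node:update` (the generalized PATCH rule) now admits `role:member` of the lessee project via `project_id:%(node.lessee)s`, while the field-specific rules in the same hunk (`update:name`, `update:retired`, and the system-only `update:conductor_group`) admit only the owner project or system scope. A consumer that reads `baremetal:node:update == allowed` as permission to edit any field would therefore over-grant to lessees; presumably Ironic also evaluates the per-field rule for each patched path, so UI controls for individual fields should be gated on the specific `update:*` rule rather than the generalized one. A comment on the rule, e.g. `# Lessee members pass this generalized check; the per-field update:* rules above still restrict individual fields.`, would make the layering explicit. `list_rules` starts and ends outside the hunk.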
@@ -288,362 +225,251 @@ list_rules = ( base.APIRule( name="baremetal:node:delete", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete Node records", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}], ), base.APIRule( name="baremetal:node:validate", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Request active validation of Nodes", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}], ), base.APIRule( name="baremetal:node:set_maintenance", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Set maintenance flag, taking a Node out of service", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}], ), base.APIRule( name="baremetal:node:clear_maintenance", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Clear maintenance flag, placing the Node into service again", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}], ), base.APIRule( 
name="baremetal:node:get_boot_device", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Retrieve Node boot device metadata", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, - {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}, - ], + operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}], ), base.APIRule( name="baremetal:node:set_boot_device", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Change Node boot device", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}], ), base.APIRule( name="baremetal:node:get_indicator_state", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="Retrieve Node indicators and their states", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}", - }, - {"method": "GET", "path": "/nodes/{node_ident}/management/indicators"}, - ], + operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}, {"method": "GET", "path": 
"/nodes/{node_ident}/management/indicators"}], ), base.APIRule( name="baremetal:node:set_indicator_state", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), description="Change Node indicator state", scope_types=["system", "project"], - operations=[ - { - "method": "PUT", - "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}", - }, - ], + operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}], ), base.APIRule( name="baremetal:node:inject_nmi", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Inject NMI for a node", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}], ), base.APIRule( name="baremetal:node:get_states", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="View Node power and provision state", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/nodes/{node_ident}/states"}], ), base.APIRule( name="baremetal:node:set_power_state", - check_str=( - "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), 
description="Change Node power status", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}], ), + base.APIRule( + name="baremetal:node:set_boot_mode", + check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + description="Change Node boot mode", + scope_types=["system", "project"], + operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}], + ), + base.APIRule( + name="baremetal:node:set_secure_boot", + check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + description="Change Node secure boot state", + scope_types=["system", "project"], + operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}], + ), base.APIRule( name="baremetal:node:set_provision_state", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Change Node provision status", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}], ), base.APIRule( name="baremetal:node:set_raid_state", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), description="Change Node RAID status", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}], ), base.APIRule( name="baremetal:node:get_console", - check_str=( - "(role:member and system_scope:all) or (role:member and 
project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), description="Get Node console connection information", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}], ), base.APIRule( name="baremetal:node:set_console_state", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), description="Change Node console status", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}], ), base.APIRule( name="baremetal:node:vif:list", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="List VIFs attached to node", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/nodes/{node_ident}/vifs"}], ), base.APIRule( name="baremetal:node:vif:attach", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Attach a VIF to a node", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}], ), base.APIRule( name="baremetal:node:vif:detach", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and 
project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Detach a VIF from a node", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}], ), base.APIRule( name="baremetal:node:traits:list", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="List node traits", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/nodes/{node_ident}/traits"}], ), base.APIRule( name="baremetal:node:traits:set", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Add a trait to, or replace all traits of, a node", scope_types=["system", "project"], - operations=[ - {"method": "PUT", "path": "/nodes/{node_ident}/traits"}, - {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}, - ], + operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}], ), base.APIRule( name="baremetal:node:traits:delete", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Remove one or all traits from a node", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": 
"/nodes/{node_ident}/traits"}, - {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}, - ], + operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}], ), base.APIRule( name="baremetal:node:bios:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="Retrieve Node BIOS information", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/nodes/{node_ident}/bios"}, - {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}, - ], + operations=[{"method": "GET", "path": "/nodes/{node_ident}/bios"}, {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}], ), base.APIRule( name="baremetal:node:disable_cleaning", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Disable Node disk cleaning", scope_types=["system"], operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}], ), + base.APIRule( + name="baremetal:node:history:get", + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"), + description="Filter to allow operators to retreive history records for a node.", + scope_types=["system", "project"], + operations=[{"method": "GET", "path": "/nodes/{node_ident}/history"}, {"method": "GET", "path": "/nodes/{node_ident}/history/{event_ident}"}], + ), base.APIRule( name="baremetal:port:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or 
project_id:%(node.lessee)s))"), description="Retrieve Port records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/ports/{port_id}"}, - {"method": "GET", "path": "/nodes/{node_ident}/ports"}, - {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, - {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, - {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}, - ], + operations=[{"method": "GET", "path": "/ports/{port_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/ports"}, {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}], ), base.APIRule( name="baremetal:port:list", check_str=("role:reader"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records, filtered by owner", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/detail"}, - ], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}], ), base.APIRule( name="baremetal:port:list_all", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/detail"}, - ], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}], ), base.APIRule( name="baremetal:port:create", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Create Port records", scope_types=["system", "project"], operations=[{"method": "POST", "path": 
"/ports"}], ), base.APIRule( name="baremetal:port:delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Delete Port records", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/ports/{port_id}"}], ), base.APIRule( name="baremetal:port:update", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Update Port records", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/ports/{port_id}"}], ), base.APIRule( name="baremetal:portgroup:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="Retrieve Portgroup records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/portgroups"}, - {"method": "GET", "path": "/portgroups/detail"}, - {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, - {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, - {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}, - ], + operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}], ), base.APIRule( name="baremetal:portgroup:create", - check_str=( - "(role:admin and system_scope:all) or 
(role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Create Portgroup records", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/portgroups"}], ), base.APIRule( name="baremetal:portgroup:delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Delete Portgroup records", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}], ), base.APIRule( name="baremetal:portgroup:update", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), description="Update Portgroup records", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}], 
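Review bot: The new baremetal:node:history:get rule has a typo in its description, `Filter to allow operators to retreive history records for a node.` should read `retrieve`; descriptions are surfaced to operators, so it is worth fixing even if it mirrors the upstream wording. Stylistically, the new `check_str` lines are single strings well over the line length the removed side respected, as are the joined `operations` lists; if this file is regenerated rather than hand-edited that is fine, otherwise run the project formatter before merging. The enclosing `list_rules` tuple starts before and ends after this hunk.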
@@ -651,41 +477,27 @@ list_rules = ( base.APIRule( name="baremetal:portgroup:list", check_str=("role:reader"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records, filtered by owner", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/portgroups"}, - {"method": "GET", "path": "/portgroups/detail"}, - ], + operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}], ), base.APIRule( name="baremetal:portgroup:list_all", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/portgroups"}, - {"method": "GET", "path": "/portgroups/detail"}, - ], + operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}], ), base.APIRule( name="baremetal:chassis:get", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve Chassis records", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/chassis"}, - {"method": "GET", "path": "/chassis/detail"}, - {"method": "GET", "path": "/chassis/{chassis_id}"}, - ], + operations=[{"method": "GET", "path": "/chassis"}, {"method": "GET", "path": "/chassis/detail"}, {"method": "GET", "path": "/chassis/{chassis_id}"}], ), base.APIRule( name="baremetal:chassis:create", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create Chassis records", scope_types=["system"], operations=[{"method": "POST", "path": "/chassis"}], @@ -693,7 +505,6 @@ list_rules = ( base.APIRule( name="baremetal:chassis:delete", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete Chassis records", scope_types=["system"], operations=[{"method": "DELETE", "path": "/chassis/{chassis_id}"}], 
@@ -701,7 +512,6 @@ list_rules = ( base.APIRule( name="baremetal:chassis:update", check_str=("role:member and system_scope:all"), - basic_check_str=("role:admin"), description="Update Chassis records", scope_types=["system"], operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}], @@ -709,18 +519,13 @@ list_rules = ( base.APIRule( name="baremetal:driver:get", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="View list of available drivers", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/drivers"}, - {"method": "GET", "path": "/drivers/{driver_name}"}, - ], + operations=[{"method": "GET", "path": "/drivers"}, {"method": "GET", "path": "/drivers/{driver_name}"}], ), base.APIRule( name="baremetal:driver:get_properties", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="View driver-specific properties", scope_types=["system"], operations=[{"method": "GET", "path": "/drivers/{driver_name}/properties"}], 
@@ -728,68 +533,27 @@ list_rules = ( base.APIRule( name="baremetal:driver:get_raid_logical_disk_properties", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="View driver-specific RAID metadata", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}, - ], + operations=[{"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}], ), base.APIRule( name="baremetal:node:vendor_passthru", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Access vendor-specific Node functions", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, - {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, - {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, - {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, - { - "method": "PATCH", - "path": "nodes/{node_ident}/vendor_passthru?method={method_name}", - }, - { - "method": "DELETE", - "path": "nodes/{node_ident}/vendor_passthru?method={method_name}", - }, - ], + operations=[{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}], ), base.APIRule( name="baremetal:driver:vendor_passthru", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Access vendor-specific Driver functions", 
scope_types=["system"], - operations=[ - {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, - { - "method": "GET", - "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", - }, - { - "method": "PUT", - "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", - }, - { - "method": "POST", - "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", - }, - { - "method": "PATCH", - "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", - }, - { - "method": "DELETE", - "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", - }, - ], + operations=[{"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}], ), base.APIRule( name="baremetal:node:ipa_heartbeat", check_str=(""), - basic_check_str=("@"), description="Receive heartbeats from IPA ramdisk", scope_types=["project"], operations=[{"method": "POST", "path": "/heartbeat/{node_ident}"}], @@ -797,7 +561,6 @@ list_rules = ( base.APIRule( name="baremetal:driver:ipa_lookup", check_str=(""), - basic_check_str=("@"), description="Access IPA ramdisk functions", scope_types=["project"], operations=[{"method": "GET", "path": "/lookup"}], 
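Review bot: The rewritten `operations` lists for baremetal:node:vendor_passthru and baremetal:driver:vendor_passthru keep paths without a leading slash (`nodes/{node_ident}/vendor_passthru/methods`, `drivers/{driver_name}/vendor_passthru/methods`) while every other rule in the file uses `/nodes/...` and `/drivers/...`; anything that matches or displays these paths may treat them differently, so either normalize them here or note that they are copied verbatim from upstream. Separately, baremetal:node:ipa_heartbeat (and baremetal:driver:ipa_lookup in the `@@ -797` hunk) now carries only `check_str=("")`, and an empty check string is parsed as an always-true check by oslo.policy-style parsers; with `basic_check_str` gone the rule no longer has any hint that this openness is intentional, so add `# empty check_str: open to any caller by design (IPA ramdisk heartbeat, see description)` or similar. The enclosing `list_rules` tuple begins before and ends after this hunk.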
@@ -805,126 +568,69 @@ list_rules = ( base.APIRule( name="baremetal:volume:list_all", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve a list of all Volume connector and target records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/volume/connectors"}, - {"method": "GET", "path": "/volume/targets"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, - ], + operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], ), base.APIRule( name="baremetal:volume:list", check_str=("role:reader"), - basic_check_str=("role:admin or role:reader"), description="Retrieve a list of Volume connector and target records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/volume/connectors"}, - {"method": "GET", "path": "/volume/targets"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, - ], + operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], ), base.APIRule( name="baremetal:volume:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), description="Retrieve Volume connector and target records", scope_types=["system", "project"], - operations=[ - 
{"method": "GET", "path": "/volume"}, - {"method": "GET", "path": "/volume/connectors"}, - {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, - {"method": "GET", "path": "/volume/targets"}, - {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, - {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, - ], + operations=[{"method": "GET", "path": "/volume"}, {"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/volume"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], ), base.APIRule( name="baremetal:volume:create", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Create Volume connector and target records", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/volume/connectors"}, - {"method": "POST", "path": "/volume/targets"}, - ], + operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}], ), base.APIRule( name="baremetal:volume:delete", - check_str=( - "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or 
(role:admin and project_id:%(node.lessee)s)"), description="Delete Volume connector and target records", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, - {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}, - ], + operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}], ), base.APIRule( name="baremetal:volume:update", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), description="Update Volume connector and target records", scope_types=["system", "project"], - operations=[ - {"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, - {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}, - ], + operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}], ), base.APIRule( name="baremetal:volume:view_target_properties", check_str=("(role:reader and system_scope:all) or (role:admin)"), - basic_check_str=("role:admin or role:reader"), description="Ability to view volume target properties", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, - {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, - ], + operations=[{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}], ), base.APIRule( name="baremetal:conductor:get", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), 
description="Retrieve Conductor records", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/conductors"}, - {"method": "GET", "path": "/conductors/{hostname}"}, - ], + operations=[{"method": "GET", "path": "/conductors"}, {"method": "GET", "path": "/conductors/{hostname}"}], ), base.APIRule( name="baremetal:allocation:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"), description="Retrieve Allocation records", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/allocations/{allocation_id}"}, - {"method": "GET", "path": "/nodes/{node_ident}/allocation"}, - ], + operations=[{"method": "GET", "path": "/allocations/{allocation_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/allocation"}], ), base.APIRule( name="baremetal:allocation:list", check_str=("role:reader"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Allocation records, filtered by owner", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/allocations"}], @@ -932,7 +638,6 @@ list_rules = ( base.APIRule( name="baremetal:allocation:list_all", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Allocation records", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/allocations"}], @@ -940,7 +645,6 @@ list_rules = ( base.APIRule( name="baremetal:allocation:create", check_str=("(role:member and system_scope:all) or (role:member)"), - basic_check_str=("role:admin"), description="Create Allocation records", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/allocations"}], 
@@ -948,40 +652,27 @@ list_rules = ( base.APIRule( name="baremetal:allocation:create_restricted", check_str=("role:member and system_scope:all"), - basic_check_str=("role:admin"), description="Create Allocation records with a specific owner.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/allocations"}], ), base.APIRule( name="baremetal:allocation:delete", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"), description="Delete Allocation records", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/allocations/{allocation_id}"}, - {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}, - ], + operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}], ), base.APIRule( name="baremetal:allocation:update", - check_str=( - "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"), description="Change name and extra fields of an allocation", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}], ), base.APIRule( name="baremetal:allocation:create_pre_rbac", - check_str=( - "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)" - ), - basic_check_str=("role:admin"), + check_str=("(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"), description="Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.", scope_types=["project"], operations=[{"method": "PATCH", "path": 
"/allocations/{allocation_id}"}], @@ -989,7 +680,6 @@ list_rules = ( base.APIRule( name="baremetal:events:post", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Post events", scope_types=["system"], operations=[{"method": "POST", "path": "/events"}], @@ -997,18 +687,13 @@ list_rules = ( base.APIRule( name="baremetal:deploy_template:get", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Retrieve Deploy Template records", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/deploy_templates"}, - {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}, - ], + operations=[{"method": "GET", "path": "/deploy_templates"}, {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}], ), base.APIRule( name="baremetal:deploy_template:create", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create Deploy Template records", scope_types=["system"], operations=[{"method": "POST", "path": "/deploy_templates"}], @@ -1016,7 +701,6 @@ list_rules = ( base.APIRule( name="baremetal:deploy_template:delete", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete Deploy Template records", scope_types=["system"], operations=[{"method": "DELETE", "path": "/deploy_templates/{deploy_template_ident}"}], @@ -1024,7 +708,6 @@ list_rules = ( base.APIRule( name="baremetal:deploy_template:update", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update Deploy Template records", scope_types=["system"], operations=[{"method": "PATCH", "path": "/deploy_templates/{deploy_template_ident}"}], diff --git a/skyline_apiserver/policy/manager/ironic_inspector.py b/skyline_apiserver/policy/manager/ironic_inspector.py new file mode 100644 index 0000000..8a1c8a2 --- /dev/null 
+++ b/skyline_apiserver/policy/manager/ironic_inspector.py 
@@ -0,0 +1,106 @@
+# flake8: noqa
+# fmt: off
+
+from . import base
+
+list_rules = (
+ base.Rule(
+ name="is_admin",
+ check_str=("role:admin or role:administrator or role:baremetal_admin"),
+ description="Full read/write API access",
+ ),
+ base.Rule(
+ name="is_observer",
+ check_str=("role:baremetal_observer"),
+ description="Read-only API access",
+ ),
+ base.Rule(
+ name="public_api",
+ check_str=("is_public_api:True"),
+ description="Internal flag for public API routes",
+ ),
+ base.Rule(
+ name="default",
+ check_str=("!"),
+ description="Default API access policy",
+ ),
+ base.APIRule(
+ name="introspection",
+ check_str=("rule:public_api"),
+ description="Access the API root for available versions information",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/"}],
+ ),
+ base.APIRule(
+ name="introspection:version",
+ check_str=("rule:public_api"),
+ description="Access the versioned API root for version information",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/{version}"}],
+ ),
+ base.APIRule(
+ name="introspection:continue",
+ check_str=("rule:public_api"),
+ description="Ramdisk callback to continue introspection",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/continue"}],
+ ),
+ base.APIRule(
+ name="introspection:status",
+ check_str=("role:reader and system_scope:all"),
+ description="Get introspection status",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/introspection"}, {"method": "GET", "path": "/introspection/{node_id}"}],
+ ),
+ base.APIRule(
+ name="introspection:start",
+ check_str=("role:admin and system_scope:all"),
+ description="Start introspection",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/introspection/{node_id}"}],
+ ),
+ base.APIRule(
+ name="introspection:abort",
+ check_str=("role:admin and system_scope:all"),
+ description="Abort introspection",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/introspection/{node_id}/abort"}],
+ ),
+ base.APIRule(
+ name="introspection:data",
+ check_str=("role:admin and system_scope:all"),
+ description="Get introspection data",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/introspection/{node_id}/data"}],
+ ),
+ base.APIRule(
+ name="introspection:reapply",
+ check_str=("role:admin and system_scope:all"),
+ description="Reapply introspection on stored data",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/introspection/{node_id}/data/unprocessed"}],
+ ),
+ base.APIRule(
+ name="introspection:rule:get",
+ check_str=("role:admin and system_scope:all"),
+ description="Get introspection rule(s)",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/rules"}, {"method": "GET", "path": "/rules/{rule_id}"}],
+ ),
+ base.APIRule(
+ name="introspection:rule:delete",
+ check_str=("role:admin and system_scope:all"),
+ description="Delete introspection rule(s)",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/rules"}, {"method": "DELETE", "path": "/rules/{rule_id}"}],
+ ),
+ base.APIRule(
+ name="introspection:rule:create",
+ check_str=("role:admin and system_scope:all"),
+ description="Create introspection rule",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/rules"}],
+ ),
+)
+
+__all__ = ("list_rules",)
diff --git a/skyline_apiserver/policy/manager/keystone.py b/skyline_apiserver/policy/manager/keystone.py
index 45d2aa3..584e810 100644
--- a/skyline_apiserver/policy/manager/keystone.py
+++ b/skyline_apiserver/policy/manager/keystone.py
@@ -1,4 +1,5 @@
 # flake8: noqa +# fmt: off + from . import base
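Review bot: Every `APIRule` from `introspection:status` onward declares `scope_types=["project"]` while its `check_str` requires `system_scope:all` (`role:reader and system_scope:all`, `role:admin and system_scope:all`); a project-scoped token can never satisfy a system-scope check, so these rules are declared for a scope under which they cannot pass. The ironic rules elsewhere in this diff pair the same check strings with `scope_types=["system"]` (e.g. `baremetal:conductor:get`), so the new file is also inconsistent with its sibling module. Whether skyline uses `scope_types` for enforcement or only for display is not visible here, but the declaration should match the check either way: `scope_types=["system"],` for those rules, or `["system", "project"]` if project-scoped access is intended and the check strings are adjusted to allow it.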
@@ -46,39 +47,27 @@ list_rules = ( base.APIRule( name="identity:get_access_rule", check_str=("(role:reader and system_scope:all) or user_id:%(target.user.id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="Show access rule details.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}, - {"method": "HEAD", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}, {"method": "HEAD", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}], ), base.APIRule( name="identity:list_access_rules", check_str=("(role:reader and system_scope:all) or user_id:%(target.user.id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="List access rules for a user.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/users/{user_id}/access_rules"}, - {"method": "HEAD", "path": "/v3/users/{user_id}/access_rules"}, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/access_rules"}, {"method": "HEAD", "path": "/v3/users/{user_id}/access_rules"}], ), base.APIRule( name="identity:delete_access_rule", check_str=("(role:admin and system_scope:all) or user_id:%(target.user.id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Delete an access_rule.", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}], ), base.APIRule( name="identity:authorize_request_token", check_str=("rule:admin_required"), - basic_check_str=("!"), description="Authorize OAUTH1 request token.", scope_types=["project"], operations=[{"method": "PUT", "path": "/v3/OS-OAUTH1/authorize/{request_token_id}"}], 
@@ -86,33 +75,20 @@ list_rules = ( base.APIRule( name="identity:get_access_token", check_str=("rule:admin_required"), - basic_check_str=("!"), description="Get OAUTH1 access token for user by access token ID.", scope_types=["project"], - operations=[ - { - "method": "GET", - "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", - }, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}"}], ), base.APIRule( name="identity:get_access_token_role", check_str=("rule:admin_required"), - basic_check_str=("!"), description="Get role for user OAUTH1 access token.", scope_types=["project"], - operations=[ - { - "method": "GET", - "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}", - }, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}"}], ), base.APIRule( name="identity:list_access_tokens", check_str=("rule:admin_required"), - basic_check_str=("!"), description="List OAUTH1 access tokens for user.", scope_types=["project"], operations=[{"method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens"}], 
@@ -120,61 +96,34 @@ list_rules = ( base.APIRule( name="identity:list_access_token_roles", check_str=("rule:admin_required"), - basic_check_str=("!"), description="List OAUTH1 access token roles.", scope_types=["project"], - operations=[ - { - "method": "GET", - "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles", - }, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles"}], ), base.APIRule( name="identity:delete_access_token", check_str=("rule:admin_required"), - basic_check_str=("!"), description="Delete OAUTH1 access token.", scope_types=["project"], - operations=[ - { - "method": "DELETE", - "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}"}], ), base.APIRule( name="identity:get_application_credential", check_str=("(role:reader and system_scope:all) or rule:owner"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="Show application credential details.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}", - }, - { - "method": "HEAD", - "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}", - }, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}"}, {"method": "HEAD", "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}"}], ), base.APIRule( name="identity:list_application_credentials", check_str=("(role:reader and system_scope:all) or rule:owner"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="List application credentials for a user.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": 
"/v3/users/{user_id}/application_credentials"}, - {"method": "HEAD", "path": "/v3/users/{user_id}/application_credentials"}, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/application_credentials"}, {"method": "HEAD", "path": "/v3/users/{user_id}/application_credentials"}], ), base.APIRule( name="identity:create_application_credential", check_str=("user_id:%(user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Create an application credential.", scope_types=["project"], operations=[{"method": "POST", "path": "/v3/users/{user_id}/application_credentials"}], 
@@ -182,64 +131,41 @@ list_rules = ( base.APIRule( name="identity:delete_application_credential", check_str=("(role:admin and system_scope:all) or rule:owner"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Delete an application credential.", scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}"}], ), base.APIRule( name="identity:get_auth_catalog", check_str=(""), - basic_check_str=("@"), description="Get service catalog.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v3/auth/catalog"}, - {"method": "HEAD", "path": "/v3/auth/catalog"}, - ], + operations=[{"method": "GET", "path": "/v3/auth/catalog"}, {"method": "HEAD", "path": "/v3/auth/catalog"}], ), base.APIRule( name="identity:get_auth_projects", check_str=(""), - basic_check_str=("@"), description="List all projects a user has access to via role assignments.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v3/auth/projects"}, - {"method": "HEAD", "path": "/v3/auth/projects"}, - ], + operations=[{"method": "GET", "path": "/v3/auth/projects"}, {"method": "HEAD", "path": "/v3/auth/projects"}], ), base.APIRule( name="identity:get_auth_domains", check_str=(""), - basic_check_str=("@"), description="List all domains a user has access to via role assignments.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v3/auth/domains"}, - {"method": "HEAD", "path": "/v3/auth/domains"}, - ], + operations=[{"method": "GET", "path": "/v3/auth/domains"}, {"method": "HEAD", "path": "/v3/auth/domains"}], ), base.APIRule( name="identity:get_auth_system", check_str=(""), - basic_check_str=("@"), description="List systems a user has access to via role assignments.", scope_types=["project"], - operations=[ - 
{"method": "GET", "path": "/v3/auth/system"}, - {"method": "HEAD", "path": "/v3/auth/system"}, - ], + operations=[{"method": "GET", "path": "/v3/auth/system"}, {"method": "HEAD", "path": "/v3/auth/system"}], ), base.APIRule( name="identity:get_consumer", check_str=("role:reader and system_scope:all"), - basic_check_str=("!"), description="Show OAUTH1 consumer details.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/OS-OAUTH1/consumers/{consumer_id}"}], @@ -247,7 +173,6 @@ list_rules = ( base.APIRule( name="identity:list_consumers", check_str=("role:reader and system_scope:all"), - basic_check_str=("!"), description="List OAUTH1 consumers.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/OS-OAUTH1/consumers"}], @@ -255,7 +180,6 @@ list_rules = ( base.APIRule( name="identity:create_consumer", check_str=("role:admin and system_scope:all"), - basic_check_str=("!"), description="Create OAUTH1 consumer.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/OS-OAUTH1/consumers"}], @@ -263,7 +187,6 @@ list_rules = ( base.APIRule( name="identity:update_consumer", check_str=("role:admin and system_scope:all"), - basic_check_str=("!"), description="Update OAUTH1 consumer.", scope_types=["system"], operations=[{"method": "PATCH", "path": "/v3/OS-OAUTH1/consumers/{consumer_id}"}], @@ -271,7 +194,6 @@ list_rules = ( base.APIRule( name="identity:delete_consumer", check_str=("role:admin and system_scope:all"), - basic_check_str=("!"), description="Delete OAUTH1 consumer.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v3/OS-OAUTH1/consumers/{consumer_id}"}], 
@@ -279,7 +201,6 @@ list_rules = ( base.APIRule( name="identity:get_credential", check_str=("(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="Show credentials details.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v3/credentials/{credential_id}"}], @@ -287,7 +208,6 @@ list_rules = ( base.APIRule( name="identity:list_credentials", check_str=("(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="List credentials.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v3/credentials"}], @@ -295,7 +215,6 @@ list_rules = ( base.APIRule( name="identity:create_credential", check_str=("(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Create credential.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v3/credentials"}], @@ -303,7 +222,6 @@ list_rules = ( base.APIRule( name="identity:update_credential", check_str=("(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Update credential.", scope_types=["system", "project"], operations=[{"method": "PATCH", "path": "/v3/credentials/{credential_id}"}], 
@@ -311,19 +229,13 @@ list_rules = ( base.APIRule( name="identity:delete_credential", check_str=("(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Delete credential.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v3/credentials/{credential_id}"}], ), base.APIRule( name="identity:get_domain", - check_str=( - "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" - ), - basic_check_str=( - "role:admin or role:reader or user_id:%(user_id)s or project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"), description="Show domain details.", scope_types=["system", "domain", "project"], operations=[{"method": "GET", "path": "/v3/domains/{domain_id}"}], @@ -331,7 +243,6 @@ list_rules = ( base.APIRule( name="identity:list_domains", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List domains.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/domains"}], @@ -339,7 +250,6 @@ list_rules = ( base.APIRule( name="identity:create_domain", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create domain.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/domains"}], @@ -347,7 +257,6 @@ list_rules = ( base.APIRule( name="identity:update_domain", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update domain.", scope_types=["system"], operations=[{"method": "PATCH", "path": "/v3/domains/{domain_id}"}], 
@@ -355,7 +264,6 @@ list_rules = ( base.APIRule( name="identity:delete_domain", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete domain.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v3/domains/{domain_id}"}], @@ -363,7 +271,6 @@ list_rules = ( base.APIRule( name="identity:create_domain_config", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create domain configuration.", scope_types=["system"], operations=[{"method": "PUT", "path": "/v3/domains/{domain_id}/config"}], 
@@ -371,90 +278,48 @@ list_rules = ( base.APIRule( name="identity:get_domain_config", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/domains/{domain_id}/config"}, - {"method": "HEAD", "path": "/v3/domains/{domain_id}/config"}, - {"method": "GET", "path": "/v3/domains/{domain_id}/config/{group}"}, - {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/{group}"}, - {"method": "GET", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}, - {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}, - ], + operations=[{"method": "GET", "path": "/v3/domains/{domain_id}/config"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/config"}, {"method": "GET", "path": "/v3/domains/{domain_id}/config/{group}"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/{group}"}, {"method": "GET", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}], ), base.APIRule( name="identity:get_security_compliance_domain_config", check_str=(""), - basic_check_str=("@"), description="Get security compliance domain configuration for either a domain or a specific option in a domain.", scope_types=["system", "domain", "project"], - operations=[ - {"method": "GET", "path": "/v3/domains/{domain_id}/config/security_compliance"}, - {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/security_compliance"}, - { - "method": "GET", - "path": "v3/domains/{domain_id}/config/security_compliance/{option}", - }, - { - "method": "HEAD", - "path": "v3/domains/{domain_id}/config/security_compliance/{option}", - }, - ], + operations=[{"method": "GET", "path": 
"/v3/domains/{domain_id}/config/security_compliance"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/security_compliance"}, {"method": "GET", "path": "/v3/domains/{domain_id}/config/security_compliance/{option}"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/config/security_compliance/{option}"}], ), base.APIRule( name="identity:update_domain_config", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update domain configuration for either a domain, specific group or a specific option in a group.", scope_types=["system"], - operations=[ - {"method": "PATCH", "path": "/v3/domains/{domain_id}/config"}, - {"method": "PATCH", "path": "/v3/domains/{domain_id}/config/{group}"}, - {"method": "PATCH", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}, - ], + operations=[{"method": "PATCH", "path": "/v3/domains/{domain_id}/config"}, {"method": "PATCH", "path": "/v3/domains/{domain_id}/config/{group}"}, {"method": "PATCH", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}], ), base.APIRule( name="identity:delete_domain_config", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete domain configuration for either a domain, specific group or a specific option in a group.", scope_types=["system"], - operations=[ - {"method": "DELETE", "path": "/v3/domains/{domain_id}/config"}, - {"method": "DELETE", "path": "/v3/domains/{domain_id}/config/{group}"}, - {"method": "DELETE", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}, - ], + operations=[{"method": "DELETE", "path": "/v3/domains/{domain_id}/config"}, {"method": "DELETE", "path": "/v3/domains/{domain_id}/config/{group}"}, {"method": "DELETE", "path": "/v3/domains/{domain_id}/config/{group}/{option}"}], ), base.APIRule( name="identity:get_domain_config_default", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get domain 
configuration default for either a domain, specific group or a specific option in a group.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/domains/config/default"}, - {"method": "HEAD", "path": "/v3/domains/config/default"}, - {"method": "GET", "path": "/v3/domains/config/{group}/default"}, - {"method": "HEAD", "path": "/v3/domains/config/{group}/default"}, - {"method": "GET", "path": "/v3/domains/config/{group}/{option}/default"}, - {"method": "HEAD", "path": "/v3/domains/config/{group}/{option}/default"}, - ], + operations=[{"method": "GET", "path": "/v3/domains/config/default"}, {"method": "HEAD", "path": "/v3/domains/config/default"}, {"method": "GET", "path": "/v3/domains/config/{group}/default"}, {"method": "HEAD", "path": "/v3/domains/config/{group}/default"}, {"method": "GET", "path": "/v3/domains/config/{group}/{option}/default"}, {"method": "HEAD", "path": "/v3/domains/config/{group}/{option}/default"}], ), base.APIRule( name="identity:ec2_get_credential", check_str=("(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Show ec2 credential details.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"}], ), base.APIRule( name="identity:ec2_list_credentials", check_str=("(role:reader and system_scope:all) or rule:owner"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="List ec2 credentials.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v3/users/{user_id}/credentials/OS-EC2"}], 
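Review bot: The rewritten `operations` list for `identity:get_security_compliance_domain_config` changes the two `{option}` paths from `v3/domains/{domain_id}/config/security_compliance/{option}` to `/v3/domains/{domain_id}/config/security_compliance/{option}`, adding the leading slash the old lines lacked. That is a genuine correction, but it is buried inside a hunk that otherwise only reflows lines and drops `basic_check_str`, so a reader skimming the formatting change will miss it. Please call it out in the commit message (or land it as its own one-line change) so the path fix stays traceable; the rest of this hunk looks content-neutral as far as I can tell.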
@@ -462,7 +327,6 @@ list_rules = ( base.APIRule( name="identity:ec2_create_credential", check_str=("(role:admin and system_scope:all) or rule:owner"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Create ec2 credential.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v3/users/{user_id}/credentials/OS-EC2"}], @@ -470,20 +334,13 @@ list_rules = ( base.APIRule( name="identity:ec2_delete_credential", check_str=("(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Delete ec2 credential.", scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"}], ), base.APIRule( name="identity:get_endpoint", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Show endpoint details.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/endpoints/{endpoint_id}"}], @@ -491,7 +348,6 @@ list_rules = ( base.APIRule( name="identity:list_endpoints", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List endpoints.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/endpoints"}], @@ -499,7 +355,6 @@ list_rules = ( base.APIRule( name="identity:create_endpoint", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create endpoint.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/endpoints"}], 
@@ -507,7 +362,6 @@ list_rules = ( base.APIRule( name="identity:update_endpoint", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update endpoint.", scope_types=["system"], operations=[{"method": "PATCH", "path": "/v3/endpoints/{endpoint_id}"}], @@ -515,7 +369,6 @@ list_rules = ( base.APIRule( name="identity:delete_endpoint", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete endpoint.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v3/endpoints/{endpoint_id}"}], @@ -523,7 +376,6 @@ list_rules = ( base.APIRule( name="identity:create_endpoint_group", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create endpoint group.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/OS-EP-FILTER/endpoint_groups"}], @@ -531,7 +383,6 @@ list_rules = ( base.APIRule( name="identity:list_endpoint_groups", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin"), description="List endpoint groups.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups"}], 
@@ -539,318 +390,111 @@ list_rules = (
 base.APIRule(
 name="identity:get_endpoint_group",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Get endpoint group.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"},
- {"method": "HEAD", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}, {"method": "HEAD", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}],
 ),
 base.APIRule(
 name="identity:update_endpoint_group",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update endpoint group.",
 scope_types=["system"],
- operations=[
- {"method": "PATCH", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"},
- ],
+ operations=[{"method": "PATCH", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}],
 ),
 base.APIRule(
 name="identity:delete_endpoint_group",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete endpoint group.",
 scope_types=["system"],
- operations=[
- {"method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"},
- ],
+ operations=[{"method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}],
 ),
 base.APIRule(
 name="identity:list_projects_associated_with_endpoint_group",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin"),
 description="List all projects associated with a specific endpoint group.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects"}],
 ),
 base.APIRule(
 name="identity:list_endpoints_associated_with_endpoint_group",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin"),
 description="List all endpoints associated with an endpoint group.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints"}],
 ),
 base.APIRule(
 name="identity:get_endpoint_group_in_project",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Check if an endpoint group is associated with a project.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}"}, {"method": "HEAD", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:list_endpoint_groups_for_project",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin"),
 description="List endpoint groups associated with a specific project.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups"}],
 ),
 base.APIRule(
 name="identity:add_endpoint_group_to_project",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Allow a project to access an endpoint group.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:remove_endpoint_group_from_project",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Remove endpoint group from project.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:check_grant",
- check_str=(
- "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader or project_id:%(project_id)s"),
+ check_str=("(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"),
 description="Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.",
 scope_types=["system", "domain"],
- operations=[
- {
- "method": "HEAD",
- "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}",
- },
- {
- "method": "GET",
- "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "GET",
- "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}",
- },
- {"method": "HEAD", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"},
- {"method": "GET", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"},
- {
- "method": "HEAD",
- "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "GET",
- "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- ],
+ operations=[{"method": "HEAD", "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "GET", "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "HEAD", "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}, {"method": "GET", "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}, {"method": "HEAD", "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "GET", "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "HEAD", "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}, {"method": "GET", "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}],
 ),
 base.APIRule(
 name="identity:list_grants",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
- ),
- basic_check_str=("role:admin or role:reader or project_id:%(project_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"),
 description="List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.",
 scope_types=["system", "domain"],
- operations=[
- {"method": "GET", "path": "/v3/projects/{project_id}/users/{user_id}/roles"},
- {"method": "HEAD", "path": "/v3/projects/{project_id}/users/{user_id}/roles"},
- {"method": "GET", "path": "/v3/projects/{project_id}/groups/{group_id}/roles"},
- {"method": "HEAD", "path": "/v3/projects/{project_id}/groups/{group_id}/roles"},
- {"method": "GET", "path": "/v3/domains/{domain_id}/users/{user_id}/roles"},
- {"method": "HEAD", "path": "/v3/domains/{domain_id}/users/{user_id}/roles"},
- {"method": "GET", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles"},
- {"method": "HEAD", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles"},
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects",
- },
- {
- "method": "GET",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/projects/{project_id}/users/{user_id}/roles"}, {"method": "HEAD", "path": "/v3/projects/{project_id}/users/{user_id}/roles"}, {"method": "GET", "path": "/v3/projects/{project_id}/groups/{group_id}/roles"}, {"method": "HEAD", "path": "/v3/projects/{project_id}/groups/{group_id}/roles"}, {"method": "GET", "path": "/v3/domains/{domain_id}/users/{user_id}/roles"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/users/{user_id}/roles"}, {"method": "GET", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles"}, {"method": "HEAD", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles"}, {"method": "GET", "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects"}, {"method": "GET", "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects"}],
 ),
 base.APIRule(
 name="identity:create_grant",
- check_str=(
- "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
+ check_str=("(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"),
 description="Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.",
 scope_types=["system", "domain"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}",
- },
- {
- "method": "PUT",
- "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}",
- },
- {"method": "PUT", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"},
- {
- "method": "PUT",
- "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "PUT",
- "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "PUT",
- "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "PUT",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "PUT",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"}, {"method": "PUT", "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}"}, {"method": "PUT", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"}, {"method": "PUT", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}"}, {"method": "PUT", "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "PUT", "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}, {"method": "PUT", "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "PUT", "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}],
 ),
 base.APIRule(
 name="identity:revoke_grant",
- check_str=(
- "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
+ check_str=("(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"),
 description="Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target's projects subtree.",
 scope_types=["system", "domain"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}",
- },
- {
- "method": "DELETE",
- "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "DELETE",
- "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}",
- },
- {
- "method": "DELETE",
- "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}",
- },
- {
- "method": "DELETE",
- "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "DELETE",
- "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "DELETE",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects",
- },
- {
- "method": "DELETE",
- "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"}, {"method": "DELETE", "path": "/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}"}, {"method": "DELETE", "path": "/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"}, {"method": "DELETE", "path": "/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}"}, {"method": "DELETE", "path": "/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "DELETE", "path": "/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}, {"method": "DELETE", "path": "/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects"}, {"method": "DELETE", "path": "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects"}],
 ),
 base.APIRule(
 name="identity:list_system_grants_for_user",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List all grants a specific user has on the system.",
 scope_types=["system"],
- operations=[
- {"method": "HEAD", "path": "/v3/system/users/{user_id}/roles"},
- {"method": "GET", "path": "/v3/system/users/{user_id}/roles"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/system/users/{user_id}/roles"}, {"method": "GET", "path": "/v3/system/users/{user_id}/roles"}],
 ),
 base.APIRule(
 name="identity:check_system_grant_for_user",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Check if a user has a role on the system.",
 scope_types=["system"],
- operations=[
- {"method": "HEAD", "path": "/v3/system/users/{user_id}/roles/{role_id}"},
- {"method": "GET", "path": "/v3/system/users/{user_id}/roles/{role_id}"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/system/users/{user_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/system/users/{user_id}/roles/{role_id}"}],
 ),
 base.APIRule(
 name="identity:create_system_grant_for_user",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Grant a user a role on the system.",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/v3/system/users/{user_id}/roles/{role_id}"}],
@@ -858,7 +502,6 @@ list_rules = (
 base.APIRule(
 name="identity:revoke_system_grant_for_user",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Remove a role from a user on the system.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/system/users/{user_id}/roles/{role_id}"}],
@@ -866,29 +509,20 @@ list_rules = (
 base.APIRule(
 name="identity:list_system_grants_for_group",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List all grants a specific group has on the system.",
 scope_types=["system"],
- operations=[
- {"method": "HEAD", "path": "/v3/system/groups/{group_id}/roles"},
- {"method": "GET", "path": "/v3/system/groups/{group_id}/roles"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/system/groups/{group_id}/roles"}, {"method": "GET", "path": "/v3/system/groups/{group_id}/roles"}],
 ),
 base.APIRule(
 name="identity:check_system_grant_for_group",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Check if a group has a role on the system.",
 scope_types=["system"],
- operations=[
- {"method": "HEAD", "path": "/v3/system/groups/{group_id}/roles/{role_id}"},
- {"method": "GET", "path": "/v3/system/groups/{group_id}/roles/{role_id}"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/system/groups/{group_id}/roles/{role_id}"}, {"method": "GET", "path": "/v3/system/groups/{group_id}/roles/{role_id}"}],
 ),
 base.APIRule(
 name="identity:create_system_grant_for_group",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Grant a group a role on the system.",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/v3/system/groups/{group_id}/roles/{role_id}"}],
@@ -896,122 +530,76 @@ list_rules = (
 base.APIRule(
 name="identity:revoke_system_grant_for_group",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Remove a role from a group on the system.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/system/groups/{group_id}/roles/{role_id}"}],
 ),
 base.APIRule(
 name="identity:get_group",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"),
 description="Show group details.",
 scope_types=["system", "domain"],
- operations=[
- {"method": "GET", "path": "/v3/groups/{group_id}"},
- {"method": "HEAD", "path": "/v3/groups/{group_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/groups/{group_id}"}, {"method": "HEAD", "path": "/v3/groups/{group_id}"}],
 ),
 base.APIRule(
 name="identity:list_groups",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"),
 description="List groups.",
 scope_types=["system", "domain"],
- operations=[
- {"method": "GET", "path": "/v3/groups"},
- {"method": "HEAD", "path": "/v3/groups"},
- ],
+ operations=[{"method": "GET", "path": "/v3/groups"}, {"method": "HEAD", "path": "/v3/groups"}],
 ),
 base.APIRule(
 name="identity:list_groups_for_user",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
- ),
- basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"),
 description="List groups to which a user belongs.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/users/{user_id}/groups"},
- {"method": "HEAD", "path": "/v3/users/{user_id}/groups"},
- ],
+ operations=[{"method": "GET", "path": "/v3/users/{user_id}/groups"}, {"method": "HEAD", "path": "/v3/users/{user_id}/groups"}],
 ),
 base.APIRule(
 name="identity:create_group",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"),
 description="Create group.",
 scope_types=["system", "domain"],
 operations=[{"method": "POST", "path": "/v3/groups"}],
 ),
 base.APIRule(
 name="identity:update_group",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"),
 description="Update group.",
 scope_types=["system", "domain"],
 operations=[{"method": "PATCH", "path": "/v3/groups/{group_id}"}],
 ),
 base.APIRule(
 name="identity:delete_group",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"),
 description="Delete group.",
 scope_types=["system", "domain"],
 operations=[{"method": "DELETE", "path": "/v3/groups/{group_id}"}],
 ),
 base.APIRule(
 name="identity:list_users_in_group",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"),
 description="List members of a specific group.",
 scope_types=["system", "domain"],
- operations=[
- {"method": "GET", "path": "/v3/groups/{group_id}/users"},
- {"method": "HEAD", "path": "/v3/groups/{group_id}/users"},
- ],
+ operations=[{"method": "GET", "path": "/v3/groups/{group_id}/users"}, {"method": "HEAD", "path": "/v3/groups/{group_id}/users"}],
 ),
 base.APIRule(
 name="identity:remove_user_from_group",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"),
 description="Remove user from group.",
 scope_types=["system", "domain"],
 operations=[{"method": "DELETE", "path": "/v3/groups/{group_id}/users/{user_id}"}],
 ),
 base.APIRule(
 name="identity:check_user_in_group",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"),
 description="Check whether a user is a member of a group.",
 scope_types=["system", "domain"],
- operations=[
- {"method": "HEAD", "path": "/v3/groups/{group_id}/users/{user_id}"},
- {"method": "GET", "path": "/v3/groups/{group_id}/users/{user_id}"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/groups/{group_id}/users/{user_id}"}, {"method": "GET", "path": "/v3/groups/{group_id}/users/{user_id}"}],
 ),
 base.APIRule(
 name="identity:add_user_to_group",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"),
 description="Add user to group.",
 scope_types=["system", "domain"],
 operations=[{"method": "PUT", "path": "/v3/groups/{group_id}/users/{user_id}"}],
@@ -1019,7 +607,6 @@ list_rules = (
 base.APIRule(
 name="identity:create_identity_provider",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create identity provider.",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}],
@@ -1027,29 +614,20 @@ list_rules = (
 base.APIRule(
 name="identity:list_identity_providers",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List identity providers.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers"},
- {"method": "HEAD", "path": "/v3/OS-FEDERATION/identity_providers"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/identity_providers"}],
 ),
 base.APIRule(
 name="identity:get_identity_provider",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get identity provider.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"},
- {"method": "HEAD", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}],
 ),
 base.APIRule(
 name="identity:update_identity_provider",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update identity provider.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}],
@@ -1057,114 +635,76 @@ list_rules = (
 base.APIRule(
 name="identity:delete_identity_provider",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete identity provider.",
 scope_types=["system"],
- operations=[
- {"method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"},
- ],
+ operations=[{"method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}],
 ),
 base.APIRule(
 name="identity:get_implied_role",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}],
 ),
 base.APIRule(
 name="identity:list_implied_roles",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/roles/{prior_role_id}/implies"},
- {"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies"},
- ],
+ operations=[{"method": "GET", "path": "/v3/roles/{prior_role_id}/implies"}, {"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies"}],
 ),
 base.APIRule(
 name="identity:create_implied_role",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create an association between two roles.
When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.",
 scope_types=["system"],
- operations=[
- {"method": "PUT", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"},
- ],
+ operations=[{"method": "PUT", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}],
 ),
 base.APIRule(
 name="identity:delete_implied_role",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.",
 scope_types=["system"],
- operations=[
- {"method": "DELETE", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"},
- ],
+ operations=[{"method": "DELETE", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}],
 ),
 base.APIRule(
 name="identity:list_role_inference_rules",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/role_inferences"},
- {"method": "HEAD", "path": "/v3/role_inferences"},
- ],
+ operations=[{"method": "GET", "path": "/v3/role_inferences"}, {"method": "HEAD", "path": "/v3/role_inferences"}],
 ),
 base.APIRule(
 name="identity:check_implied_role",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Check an association between two roles.
When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.",
 scope_types=["system"],
- operations=[
- {"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"},
- ],
+ operations=[{"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}],
 ),
 base.APIRule(
 name="identity:get_limit_model",
 check_str=(""),
- basic_check_str=("@"),
 description="Get limit enforcement model.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/limits/model"},
- {"method": "HEAD", "path": "/v3/limits/model"},
- ],
+ operations=[{"method": "GET", "path": "/v3/limits/model"}, {"method": "HEAD", "path": "/v3/limits/model"}],
 ),
 base.APIRule(
 name="identity:get_limit",
- check_str=(
- "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
- ),
- basic_check_str=("@"),
+ check_str=("(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"),
 description="Show limit details.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/limits/{limit_id}"},
- {"method": "HEAD", "path": "/v3/limits/{limit_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/limits/{limit_id}"}, {"method": "HEAD", "path": "/v3/limits/{limit_id}"}],
 ),
 base.APIRule(
 name="identity:list_limits",
 check_str=(""),
- basic_check_str=("@"),
 description="List limits.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/limits"},
- {"method": "HEAD", "path": "/v3/limits"},
- ],
+ operations=[{"method": "GET", "path": "/v3/limits"}, {"method": "HEAD", "path":
"/v3/limits"}],
 ),
 base.APIRule(
 name="identity:create_limits",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create limits.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/v3/limits"}],
@@ -1172,7 +712,6 @@ list_rules = (
 base.APIRule(
 name="identity:update_limit",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update limit.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/limits/{limit_id}"}],
@@ -1180,7 +719,6 @@ list_rules = (
 base.APIRule(
 name="identity:delete_limit",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete limit.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/limits/{limit_id}"}],
@@ -1188,7 +726,6 @@ list_rules = (
 base.APIRule(
 name="identity:create_mapping",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create a new federated mapping containing one or more sets of rules.",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"}],
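Review bot: `identity:get_limit` in the hunk that ends here now depends solely on `(project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)` for project-scoped users, because the removed `basic_check_str=("@")` no longer grants it unconditionally. That clause is only true when the target dict carries the project id the rule should be evaluated against under `target.limit.project_id`, which is a different value from the `target.limit.domain.id` and `target.limit.project.domain_id` keys in the same expression; if the key is missing or is filled with a domain id, project-scoped users are reported as denied for this rule. I would add a test that authorizes `identity:get_limit` with a project-scoped profile lacking the reader role and asserts it is allowed, and a comment on the rule: `# project branch requires target.limit.project_id to hold the project id, not a domain id`.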
@@ -1196,29 +733,20 @@ list_rules = (
 base.APIRule(
 name="identity:get_mapping",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get a federated mapping.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"},
- {"method": "HEAD", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"}],
 ),
 base.APIRule(
 name="identity:list_mappings",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List federated mappings.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-FEDERATION/mappings"},
- {"method": "HEAD", "path": "/v3/OS-FEDERATION/mappings"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/mappings"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/mappings"}],
 ),
 base.APIRule(
 name="identity:delete_mapping",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete a federated mapping.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"}],
@@ -1226,7 +754,6 @@ list_rules = (
 base.APIRule(
 name="identity:update_mapping",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update a federated mapping.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/OS-FEDERATION/mappings/{mapping_id}"}],
@@ -1234,7 +761,6 @@ list_rules = (
 base.APIRule(
 name="identity:get_policy",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="Show policy details.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/v3/policies/{policy_id}"}],
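Review bot: For `identity:get_policy` in the last hunk here, and for the policy and OS-ENDPOINT-POLICY rules in the hunks ending at L151 and L158, the removed `basic_check_str=("!")` was an unconditional deny while the surviving `check_str` admits system-scoped readers and admins. If `basic_check_str` was the expression the enforcer applied when not evaluating the full keystone policy (its consumer is not in this diff), those endpoints move from never-allowed to allowed for system-scoped roles in the permission listing, which is a widening rather than a cleanup. The commit does not say whether that is intended; I would record it in the message and mark the affected entries with a one-line comment, e.g. `# previously denied outright via basic_check_str; now follows the keystone check_str`.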
@@ -1242,7 +768,6 @@ list_rules = (
 base.APIRule(
 name="identity:list_policies",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="List policies.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/v3/policies"}],
@@ -1250,7 +775,6 @@ list_rules = (
 base.APIRule(
 name="identity:create_policy",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Create policy.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/v3/policies"}],
@@ -1258,7 +782,6 @@ list_rules = (
 base.APIRule(
 name="identity:update_policy",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Update policy.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/policies/{policy_id}"}],
@@ -1266,7 +789,6 @@ list_rules = (
 base.APIRule(
 name="identity:delete_policy",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Delete policy.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/policies/{policy_id}"}],
@@ -1274,275 +796,160 @@ list_rules = (
 base.APIRule(
 name="identity:create_policy_association_for_endpoint",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Associate a policy to a specific endpoint.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:check_policy_association_for_endpoint",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="Check policy association for endpoint.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}"}, {"method": "HEAD", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:delete_policy_association_for_endpoint",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Delete policy association for endpoint.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:create_policy_association_for_service",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Associate a policy to a specific service.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"}],
 ),
 base.APIRule(
 name="identity:check_policy_association_for_service",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="Check policy association for service.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"}, {"method": "HEAD", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"}],
 ),
 base.APIRule(
 name="identity:delete_policy_association_for_service",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Delete policy association for service.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}"}],
 ),
 base.APIRule(
 name="identity:create_policy_association_for_region_and_service",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Associate a policy to a specific region and service combination.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}"}],
 ),
 base.APIRule(
 name="identity:check_policy_association_for_region_and_service",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="Check policy association for region and
service.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}"}, {"method": "HEAD", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}"}],
 ),
 base.APIRule(
 name="identity:delete_policy_association_for_region_and_service",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("!"),
 description="Delete policy association for region and service.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}"}],
 ),
 base.APIRule(
 name="identity:get_policy_for_endpoint",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="Get policy for endpoint.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy"},
- {"method": "HEAD", "path": "/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy"},
- ],
+ operations=[{"method": "GET", "path": "/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy"}, {"method": "HEAD", "path": "/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy"}],
 ),
 base.APIRule(
 name="identity:list_endpoints_for_policy",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("!"),
 description="List endpoints for policy.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints"},
- ],
+ operations=[{"method": "GET",
"path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints"}],
 ),
 base.APIRule(
 name="identity:get_project",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
- ),
- basic_check_str=("role:admin or role:reader or project_id:%(project_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"),
 description="Show project details.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "GET", "path": "/v3/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:list_projects",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
- ),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"),
 description="List projects.",
 scope_types=["system", "domain"],
 operations=[{"method": "GET", "path": "/v3/projects"}],
 ),
 base.APIRule(
 name="identity:list_user_projects",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
- ),
- basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"),
 description="List projects for user.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "GET", "path": "/v3/users/{user_id}/projects"}],
 ),
 base.APIRule(
 name="identity:create_project",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"),
 description="Create project.",
 scope_types=["system", "domain"],
 operations=[{"method": "POST", "path": "/v3/projects"}],
 ),
 base.APIRule(
 name="identity:update_project",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"),
 description="Update project.",
 scope_types=["system", "domain"],
 operations=[{"method": "PATCH", "path": "/v3/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:delete_project",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"),
 description="Delete project.",
 scope_types=["system", "domain"],
 operations=[{"method": "DELETE", "path": "/v3/projects/{project_id}"}],
 ),
 base.APIRule(
 name="identity:list_project_tags",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
- ),
- basic_check_str=("role:admin or role:reader or project_id:%(project_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"),
 description="List tags for a project.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/projects/{project_id}/tags"},
- {"method": "HEAD", "path": "/v3/projects/{project_id}/tags"},
- ],
+ operations=[{"method": "GET", "path": "/v3/projects/{project_id}/tags"}, {"method": "HEAD", "path": "/v3/projects/{project_id}/tags"}],
 ),
 base.APIRule(
 name="identity:get_project_tag",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
- ),
-
basic_check_str=("role:admin or role:reader or project_id:%(project_id)s"),
+ check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"),
 description="Check if project contains a tag.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/projects/{project_id}/tags/{value}"},
- {"method": "HEAD", "path": "/v3/projects/{project_id}/tags/{value}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/projects/{project_id}/tags/{value}"}, {"method": "HEAD", "path": "/v3/projects/{project_id}/tags/{value}"}],
 ),
 base.APIRule(
 name="identity:update_project_tags",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"),
 description="Replace all tags on a project with the new set of tags.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "PUT", "path": "/v3/projects/{project_id}/tags"}],
 ),
 base.APIRule(
 name="identity:create_project_tag",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"),
 description="Add a single tag to a project.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "PUT", "path": "/v3/projects/{project_id}/tags/{value}"}],
 ),
 base.APIRule(
 name="identity:delete_project_tags",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
or (role:admin and project_id:%(target.project.id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"),
 description="Remove all tags from a project.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "DELETE", "path": "/v3/projects/{project_id}/tags"}],
 ),
 base.APIRule(
 name="identity:delete_project_tag",
- check_str=(
- "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
- ),
- basic_check_str=("role:admin"),
+ check_str=("(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"),
 description="Delete a specified tag from project.",
 scope_types=["system", "domain", "project"],
 operations=[{"method": "DELETE", "path": "/v3/projects/{project_id}/tags/{value}"}],
@@ -1550,165 +957,97 @@ list_rules = (
 base.APIRule(
 name="identity:list_projects_for_endpoint",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List projects allowed to access an endpoint.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects"}],
 ),
 base.APIRule(
 name="identity:add_endpoint_to_project",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Allow project to access an endpoint.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:check_endpoint_in_project",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Check if a project is allowed to access an endpoint.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}",
- },
- {
- "method": "HEAD",
- "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}"}, {"method": "HEAD", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:list_endpoints_for_project",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List the endpoints a project is allowed to access.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints"},
- ],
+ operations=[{"method": "GET", "path":
"/v3/OS-EP-FILTER/projects/{project_id}/endpoints"}],
 ),
 base.APIRule(
 name="identity:remove_endpoint_from_project",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Remove access to an endpoint from a project that has previously been given explicit access.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}"}],
 ),
 base.APIRule(
 name="identity:create_protocol",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create federated protocol.",
 scope_types=["system"],
- operations=[
- {
- "method": "PUT",
- "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}",
- },
- ],
+ operations=[{"method": "PUT", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}"}],
 ),
 base.APIRule(
 name="identity:update_protocol",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update federated protocol.",
 scope_types=["system"],
- operations=[
- {
- "method": "PATCH",
- "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}",
- },
- ],
+ operations=[{"method": "PATCH", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}"}],
 ),
 base.APIRule(
 name="identity:get_protocol",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get federated protocol.",
 scope_types=["system"],
- operations=[
- {
- "method": "GET",
- "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}"}],
 ),
 base.APIRule(
 name="identity:list_protocols",
 check_str=("role:reader and
system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List federated protocols.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols"},
- ],
+ operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols"}],
 ),
 base.APIRule(
 name="identity:delete_protocol",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete federated protocol.",
 scope_types=["system"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}",
- },
- ],
+ operations=[{"method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}"}],
 ),
 base.APIRule(
 name="identity:get_region",
 check_str=(""),
- basic_check_str=("@"),
 description="Show region details.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/regions/{region_id}"},
- {"method": "HEAD", "path": "/v3/regions/{region_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/regions/{region_id}"}, {"method": "HEAD", "path": "/v3/regions/{region_id}"}],
 ),
 base.APIRule(
 name="identity:list_regions",
 check_str=(""),
- basic_check_str=("@"),
 description="List regions.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/regions"},
- {"method": "HEAD", "path": "/v3/regions"},
- ],
+ operations=[{"method": "GET", "path": "/v3/regions"}, {"method": "HEAD", "path": "/v3/regions"}],
 ),
 base.APIRule(
 name="identity:create_region",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create region.",
 scope_types=["system"],
- operations=[
- {"method": "POST", "path": "/v3/regions"},
- {"method": "PUT", "path": "/v3/regions/{region_id}"},
- ],
+ operations=[{"method": "POST", "path": "/v3/regions"}, {"method": "PUT", "path":
"/v3/regions/{region_id}"}],
 ),
 base.APIRule(
 name="identity:update_region",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update region.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/regions/{region_id}"}],
@@ -1716,7 +1055,6 @@ list_rules = (
 base.APIRule(
 name="identity:delete_region",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete region.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/regions/{region_id}"}],
@@ -1724,29 +1062,20 @@ list_rules = (
 base.APIRule(
 name="identity:get_registered_limit",
 check_str=(""),
- basic_check_str=("@"),
 description="Show registered limit details.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/registered_limits/{registered_limit_id}"},
- {"method": "HEAD", "path": "/v3/registered_limits/{registered_limit_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/registered_limits/{registered_limit_id}"}, {"method": "HEAD", "path": "/v3/registered_limits/{registered_limit_id}"}],
 ),
 base.APIRule(
 name="identity:list_registered_limits",
 check_str=(""),
- basic_check_str=("@"),
 description="List registered limits.",
 scope_types=["system", "domain", "project"],
- operations=[
- {"method": "GET", "path": "/v3/registered_limits"},
- {"method": "HEAD", "path": "/v3/registered_limits"},
- ],
+ operations=[{"method": "GET", "path": "/v3/registered_limits"}, {"method": "HEAD", "path": "/v3/registered_limits"}],
 ),
 base.APIRule(
 name="identity:create_registered_limits",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create registered limits.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/v3/registered_limits"}],
@@ -1754,7 +1083,6 @@ list_rules = (
 base.APIRule(
 name="identity:update_registered_limit",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update registered limit.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/registered_limits/{registered_limit_id}"}],
@@ -1762,7 +1090,6 @@ list_rules = (
 base.APIRule(
 name="identity:delete_registered_limit",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete registered limit.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/registered_limits/{registered_limit_id}"}],
@@ -1770,7 +1097,6 @@ list_rules = (
 base.APIRule(
 name="identity:list_revoke_events",
 check_str=("rule:service_or_admin"),
- basic_check_str=("role:admin"),
 description="List revocation events.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/v3/OS-REVOKE/events"}],
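Review bot: `identity:list_revoke_events` in the last hunk here keeps `check_str=("rule:service_or_admin")` as its only expression now that `basic_check_str=("role:admin")` is dropped, yet no `service_or_admin` rule is defined in any visible hunk. Under oslo.policy semantics a `rule:` reference to a name the enforcer has not registered evaluates to false, so unless that rule is registered elsewhere in this ruleset (not visible here) the entry will always be reported as denied, including for admins whom the removed expression allowed. Either add the referenced rule to the set or mark the entry with `# rule:service_or_admin must be registered with the enforcer, otherwise this evaluates to deny` so the dependency is not lost.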
@@ -1778,29 +1104,20 @@ list_rules = (
 base.APIRule(
 name="identity:get_role",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Show role details.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/roles/{role_id}"},
- {"method": "HEAD", "path": "/v3/roles/{role_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v3/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/roles/{role_id}"}],
 ),
 base.APIRule(
 name="identity:list_roles",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="List roles.",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v3/roles"},
- {"method": "HEAD", "path": "/v3/roles"},
- ],
+ operations=[{"method": "GET", "path": "/v3/roles"}, {"method": "HEAD", "path": "/v3/roles"}],
 ),
 base.APIRule(
 name="identity:create_role",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create role.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/v3/roles"}],
@@ -1808,7 +1125,6 @@ list_rules = (
 base.APIRule(
 name="identity:update_role",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update role.",
 scope_types=["system"],
 operations=[{"method": "PATCH", "path": "/v3/roles/{role_id}"}],
@@ -1816,7 +1132,6 @@ list_rules = (
 base.APIRule(
 name="identity:delete_role",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete role.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v3/roles/{role_id}"}],
@@ -1824,29 +1139,20 @@ list_rules = ( base.APIRule( name="identity:get_domain_role", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Show domain role.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/roles/{role_id}"}, - {"method": "HEAD", "path": "/v3/roles/{role_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/roles/{role_id}"}], ), base.APIRule( name="identity:list_domain_roles", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List domain roles.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/roles?domain_id={domain_id}"}, - {"method": "HEAD", "path": "/v3/roles?domain_id={domain_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/roles?domain_id={domain_id}"}, {"method": "HEAD", "path": "/v3/roles?domain_id={domain_id}"}], ), base.APIRule( name="identity:create_domain_role", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create domain role.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/roles"}], @@ -1854,7 +1160,6 @@ list_rules = ( base.APIRule( name="identity:update_domain_role", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update domain role.", scope_types=["system"], operations=[{"method": "PATCH", "path": "/v3/roles/{role_id}"}], 
@@ -1862,43 +1167,27 @@ list_rules = ( base.APIRule( name="identity:delete_domain_role", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete domain role.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v3/roles/{role_id}"}], ), base.APIRule( name="identity:list_role_assignments", - check_str=( - "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or project_id:%(project_id)s or user_id:%(user_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"), description="List role assignments.", scope_types=["system", "domain"], - operations=[ - {"method": "GET", "path": "/v3/role_assignments"}, - {"method": "HEAD", "path": "/v3/role_assignments"}, - ], + operations=[{"method": "GET", "path": "/v3/role_assignments"}, {"method": "HEAD", "path": "/v3/role_assignments"}], ), base.APIRule( name="identity:list_role_assignments_for_tree", - check_str=( - "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"), description="List all role assignments for a given tree of hierarchical projects.", scope_types=["system", "domain", "project"], - operations=[ - {"method": "GET", "path": "/v3/role_assignments?include_subtree"}, - {"method": "HEAD", "path": "/v3/role_assignments?include_subtree"}, - ], + operations=[{"method": "GET", "path": "/v3/role_assignments?include_subtree"}, {"method": "HEAD", "path": "/v3/role_assignments?include_subtree"}], ), base.APIRule( name="identity:get_service", check_str=("role:reader and system_scope:all"), - 
basic_check_str=("role:admin or role:reader"), description="Show service details.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/services/{service_id}"}], @@ -1906,7 +1195,6 @@ list_rules = ( base.APIRule( name="identity:list_services", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List services.", scope_types=["system"], operations=[{"method": "GET", "path": "/v3/services"}], @@ -1914,7 +1202,6 @@ list_rules = ( base.APIRule( name="identity:create_service", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create service.", scope_types=["system"], operations=[{"method": "POST", "path": "/v3/services"}], @@ -1922,7 +1209,6 @@ list_rules = ( base.APIRule( name="identity:update_service", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update service.", scope_types=["system"], operations=[{"method": "PATCH", "path": "/v3/services/{service_id}"}], @@ -1930,7 +1216,6 @@ list_rules = ( base.APIRule( name="identity:delete_service", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete service.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v3/services/{service_id}"}], 
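Review bot: `identity:list_role_assignments` and `identity:list_role_assignments_for_tree` are now evaluated solely by check strings that format target keys (`%(target.domain_id)s`, `%(target.project.domain_id)s`, `%(target.project.id)s`), and the `basic_check_str` fallbacks that needed only `%(user_id)s`/`%(project_id)s` are gone. Under oslo.policy semantics a key that is absent from the target dict makes that term false rather than raising, so whoever builds the target must supply every key named here or the rule will quietly be reported as denied; the same dependency appears with the `target.trust.*` and `target.user.*` keys in the hunks starting at `identity:list_trusts` and `identity:create_user`. A comment at the top of the affected rules, e.g. `# Every %(target.*)s key below must be present in the target dict passed to the enforcer; a missing key evaluates to False`, would record that contract where the rules are edited. The enclosing `list_rules` tuple starts before and ends after this hunk.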
@@ -1938,74 +1223,41 @@ list_rules = ( base.APIRule( name="identity:create_service_provider", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create federated service provider.", scope_types=["system"], - operations=[ - { - "method": "PUT", - "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - }, - ], + operations=[{"method": "PUT", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"}], ), base.APIRule( name="identity:list_service_providers", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List federated service providers.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/OS-FEDERATION/service_providers"}, - {"method": "HEAD", "path": "/v3/OS-FEDERATION/service_providers"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/service_providers"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/service_providers"}], ), base.APIRule( name="identity:get_service_provider", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get federated service provider.", scope_types=["system"], - operations=[ - { - "method": "GET", - "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - }, - { - "method": "HEAD", - "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - }, - ], + operations=[{"method": "GET", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"}, {"method": "HEAD", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"}], ), base.APIRule( name="identity:update_service_provider", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update federated service provider.", scope_types=["system"], - operations=[ - { - "method": "PATCH", - "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - }, - ], + operations=[{"method": 
"PATCH", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"}], ), base.APIRule( name="identity:delete_service_provider", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete federated service provider.", scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"}], ), base.APIRule( name="identity:revocation_list", check_str=("rule:service_or_admin"), - basic_check_str=("!"), description="List revoked PKI tokens.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v3/auth/tokens/OS-PKI/revoked"}], @@ -2013,17 +1265,13 @@ list_rules = ( base.APIRule( name="identity:check_token", check_str=("(role:reader and system_scope:all) or rule:token_subject"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), description="Check a token.", scope_types=["system", "domain", "project"], operations=[{"method": "HEAD", "path": "/v3/auth/tokens"}], ), base.APIRule( name="identity:validate_token", - check_str=( - "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("(role:reader and system_scope:all) or rule:service_role or rule:token_subject"), description="Validate a token.", scope_types=["system", "domain", "project"], operations=[{"method": "GET", "path": "/v3/auth/tokens"}], @@ -2031,7 +1279,6 @@ list_rules = ( base.APIRule( name="identity:revoke_token", check_str=("(role:admin and system_scope:all) or rule:token_subject"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Revoke a token.", scope_types=["system", "domain", "project"], operations=[{"method": "DELETE", "path": "/v3/auth/tokens"}], 
@@ -2039,7 +1286,6 @@ list_rules = ( base.APIRule( name="identity:create_trust", check_str=("user_id:%(trust.trustor_user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Create trust.", scope_types=["project"], operations=[{"method": "POST", "path": "/v3/OS-TRUST/trusts"}], 
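Review bot: `identity:create_trust` is now decided only by `user_id:%(trust.trustor_user_id)s`, whose target key is `trust.trustor_user_id` without the `target.` prefix that every other trust rule uses (`%(target.trust.trustor_user_id)s` in the following hunk). A target built only from `target.*` keys would miss it, and with the `role:admin or user_id:%(user_id)s` fallback removed that would make the rule evaluate false for every user. The prefix matches the upstream keystone default, so if it is intentional a comment such as `# keystone names this key trust.trustor_user_id, not target.trust.trustor_user_id` next to the check would stop a later normalisation from breaking it. The enclosing `list_rules` tuple starts before and ends after this hunk.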
@@ -2047,117 +1293,69 @@ list_rules = ( base.APIRule( name="identity:list_trusts", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List trusts.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts"}, {"method": "HEAD", "path": "/v3/OS-TRUST/trusts"}], ), base.APIRule( name="identity:list_trusts_for_trustor", - check_str=( - "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s"), description="List trusts for trustor.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}"}, {"method": "HEAD", "path": "/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}"}], ), base.APIRule( name="identity:list_trusts_for_trustee", - check_str=( - "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s"), description="List trusts for trustee.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}"}, {"method": "HEAD", "path": 
"/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}"}], ), base.APIRule( name="identity:list_roles_for_trust", - check_str=( - "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"), description="List roles delegated by a trust.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles"}, {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles"}], ), base.APIRule( name="identity:get_role_for_trust", - check_str=( - "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"), description="Check if trust delegates a particular role.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}"}, {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}"}], ), base.APIRule( name="identity:delete_trust", check_str=("role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), description="Revoke trust.", scope_types=["system", "project"], operations=[{"method": 
"DELETE", "path": "/v3/OS-TRUST/trusts/{trust_id}"}], ), base.APIRule( name="identity:get_trust", - check_str=( - "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"), description="Get trust.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}"}, - {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/OS-TRUST/trusts/{trust_id}"}, {"method": "HEAD", "path": "/v3/OS-TRUST/trusts/{trust_id}"}], ), base.APIRule( name="identity:get_user", - check_str=( - "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" - ), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"), description="Show user details.", scope_types=["system", "domain", "project"], - operations=[ - {"method": "GET", "path": "/v3/users/{user_id}"}, - {"method": "HEAD", "path": "/v3/users/{user_id}"}, - ], + operations=[{"method": "GET", "path": "/v3/users/{user_id}"}, {"method": "HEAD", "path": "/v3/users/{user_id}"}], ), base.APIRule( name="identity:list_users", - check_str=( - "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"), description="List users.", scope_types=["system", "domain"], - operations=[ - {"method": "GET", "path": "/v3/users"}, - {"method": "HEAD", "path": "/v3/users"}, - 
], + operations=[{"method": "GET", "path": "/v3/users"}, {"method": "HEAD", "path": "/v3/users"}], ), base.APIRule( name="identity:list_projects_for_user", check_str=(""), - basic_check_str=("@"), description="List all projects a user has access to via role assignments.", scope_types=["project"], operations=[{"method": "GET", "path": " /v3/auth/projects"}], 
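Review bot: `identity:list_projects_for_user` keeps `check_str=("")` while its explicit allow-all `basic_check_str=("@")` is removed; oslo.policy parses an empty rule string as an unconditional allow, so the effective policy is unchanged only if the enforcer used here follows that convention, which is worth confirming or making explicit with `check_str=("@")`. The same applies to `identity:list_domains_for_user` in the next hunk. Separately, the unchanged context line `operations=[{"method": "GET", "path": " /v3/auth/projects"}]` carries a leading space in the path, which looks like a copy error and would defeat any exact path matching on the consumer side. The enclosing `list_rules` tuple starts before and ends after this hunk.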
@@ -2165,37 +1363,27 @@ list_rules = ( base.APIRule( name="identity:list_domains_for_user", check_str=(""), - basic_check_str=("@"), description="List all domains a user has access to via role assignments.", scope_types=["project"], operations=[{"method": "GET", "path": "/v3/auth/domains"}], ), base.APIRule( name="identity:create_user", - check_str=( - "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"), description="Create a user.", scope_types=["system", "domain"], operations=[{"method": "POST", "path": "/v3/users"}], ), base.APIRule( name="identity:update_user", - check_str=( - "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"), description="Update a user, including administrative password resets.", scope_types=["system", "domain"], operations=[{"method": "PATCH", "path": "/v3/users/{user_id}"}], ), base.APIRule( name="identity:delete_user", - check_str=( - "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"), description="Delete a user.", scope_types=["system", "domain"], operations=[{"method": "DELETE", "path": "/v3/users/{user_id}"}], diff --git a/skyline_apiserver/policy/manager/magnum.py b/skyline_apiserver/policy/manager/magnum.py index f9afb81..2c49a92 100644 --- a/skyline_apiserver/policy/manager/magnum.py +++ b/skyline_apiserver/policy/manager/magnum.py @@ -1,3 +1,6 @@ +# flake8: noqa +# fmt: off + from . import base list_rules = ( 
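Review bot: `# flake8: noqa` and `# fmt: off` silence every lint and format check for the whole of magnum.py, which is reasonable only if the file is tool-generated, and nothing in the hunk says where its rules come from. A header line such as `# Generated from the magnum policy defaults; do not edit by hand, regenerate instead` (naming the generator command if one exists) would tell the next maintainer why the pragmas are there and that hand edits will be overwritten. If the file is hand-maintained, narrowing the pragmas to the specific long-line codes is preferable to disabling flake8 entirely.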
@@ -32,457 +35,445 @@ list_rules = ( description="No description", ), base.APIRule( - name="magnum:bay:create", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:create", + check_str=("rule:deny_cluster_user"), description="Create a new bay.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/bays"}], ), base.APIRule( - name="magnum:bay:delete", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:delete", + check_str=("rule:deny_cluster_user"), description="Delete a bay.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}], ), base.APIRule( - name="magnum:bay:detail", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:detail", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of bays with detail.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/bays"}], ), base.APIRule( - name="magnum:bay:get", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:get", + check_str=("rule:deny_cluster_user"), description="Retrieve information about the given bay.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}], ), base.APIRule( - name="magnum:bay:get_all", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:get_all", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of bays.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/bays/"}], ), base.APIRule( - name="magnum:bay:update", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="bay:update", + check_str=("rule:deny_cluster_user"), description="Update an existing bay.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}], ), base.APIRule( - name="magnum:baymodel:create", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:create", + check_str=("rule:deny_cluster_user"), description="Create a new baymodel.", 
scope_types=["project"], operations=[{"method": "POST", "path": "/v1/baymodels"}], ), base.APIRule( - name="magnum:baymodel:delete", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:delete", + check_str=("rule:deny_cluster_user"), description="Delete a baymodel.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}], ), base.APIRule( - name="magnum:baymodel:detail", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:detail", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of baymodel with detail.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/baymodels"}], ), base.APIRule( - name="magnum:baymodel:get", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:get", + check_str=("rule:deny_cluster_user"), description="Retrieve information about the given baymodel.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}], ), base.APIRule( - name="magnum:baymodel:get_all", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:get_all", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of baymodel.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/baymodels"}], ), base.APIRule( - name="magnum:baymodel:update", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="baymodel:update", + check_str=("rule:deny_cluster_user"), description="Update an existing baymodel.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}], ), base.APIRule( - name="magnum:baymodel:publish", - check_str=("(role:admin)"), + name="baymodel:publish", + check_str=("rule:admin_api"), description="Publish an existing baymodel.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/v1/baymodels"}, - {"method": "PATCH", "path": "/v1/baymodels"}, - ], + operations=[{"method": "POST", 
"path": "/v1/baymodels"}, {"method": "PATCH", "path": "/v1/baymodels"}], ), base.APIRule( - name="magnum:certificate:create", - check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), + name="certificate:create", + check_str=("rule:admin_or_user or rule:cluster_user"), description="Sign a new certificate by the CA.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/certificates"}], ), base.APIRule( - name="magnum:certificate:get", - check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), + name="certificate:get", + check_str=("rule:admin_or_user or rule:cluster_user"), description="Retrieve CA information about the given bay/cluster.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}], ), base.APIRule( - name="magnum:certificate:rotate_ca", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="certificate:rotate_ca", + check_str=("rule:admin_or_owner"), description="Rotate the CA certificate on the given bay/cluster.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}], ), base.APIRule( - name="magnum:cluster:create", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:create", + check_str=("rule:deny_cluster_user"), description="Create a new cluster.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/clusters"}], ), base.APIRule( - name="magnum:cluster:delete", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:delete", + check_str=("rule:deny_cluster_user"), description="Delete a cluster.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:delete_all_projects", - check_str=("(role:admin)"), + name="cluster:delete_all_projects", + check_str=("rule:admin_api"), description="Delete a cluster from any 
project.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:detail", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:detail", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of clusters with detail.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters"}], ), base.APIRule( - name="magnum:cluster:detail_all_projects", - check_str=("(role:admin)"), + name="cluster:detail_all_projects", + check_str=("rule:admin_api"), description="Retrieve a list of clusters with detail across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters"}], ), base.APIRule( - name="magnum:cluster:get", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:get", + check_str=("rule:deny_cluster_user"), description="Retrieve information about the given cluster.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:get_one_all_projects", - check_str=("(role:admin)"), + name="cluster:get_one_all_projects", + check_str=("rule:admin_api"), description="Retrieve information about the given cluster across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:get_all", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:get_all", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of clusters.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/"}], ), base.APIRule( - name="magnum:cluster:get_all_all_projects", - check_str=("(role:admin)"), + name="cluster:get_all_all_projects", + check_str=("rule:admin_api"), description="Retrieve a list of all clusters across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/"}], 
), base.APIRule( - name="magnum:cluster:update", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:update", + check_str=("rule:deny_cluster_user"), description="Update an existing cluster.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:update_health_status", - check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), + name="cluster:update_health_status", + check_str=("rule:admin_or_user or rule:cluster_user"), description="Update the health status of an existing cluster.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:update_all_projects", - check_str=("(role:admin)"), + name="cluster:update_all_projects", + check_str=("rule:admin_api"), description="Update an existing cluster.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], ), base.APIRule( - name="magnum:cluster:resize", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:resize", + check_str=("rule:deny_cluster_user"), description="Resize an existing cluster.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}], ), base.APIRule( - name="magnum:cluster:upgrade", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="cluster:upgrade", + check_str=("rule:deny_cluster_user"), description="Upgrade an existing cluster.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}], ), base.APIRule( - name="magnum:cluster:upgrade_all_projects", - check_str=("(role:admin)"), + name="cluster:upgrade_all_projects", + check_str=("rule:admin_api"), description="Upgrade an existing cluster across all projects.", scope_types=["project"], operations=[{"method": "POST", "path": 
"/v1/clusters/{cluster_ident}/actions/upgrade"}], ), base.APIRule( - name="magnum:clustertemplate:create", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="clustertemplate:create", + check_str=("rule:deny_cluster_user"), description="Create a new cluster template.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:clustertemplate:delete", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="clustertemplate:delete", + check_str=("rule:admin_or_owner"), description="Delete a cluster template.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:delete_all_projects", - check_str=("(role:admin)"), + name="clustertemplate:delete_all_projects", + check_str=("rule:admin_api"), description="Delete a cluster template from any project.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:detail_all_projects", - check_str=("(role:admin)"), + name="clustertemplate:detail_all_projects", + check_str=("rule:admin_api"), description="Retrieve a list of cluster templates with detail across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:clustertemplate:detail", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="clustertemplate:detail", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of cluster templates with detail.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:clustertemplate:get", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="clustertemplate:get", + check_str=("rule:deny_cluster_user"), description="Retrieve information about the given cluster 
template.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:get_one_all_projects", - check_str=("(role:admin)"), + name="clustertemplate:get_one_all_projects", + check_str=("rule:admin_api"), description="Retrieve information about the given cluster template across project.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:get_all", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="clustertemplate:get_all", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of cluster templates.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:clustertemplate:get_all_all_projects", - check_str=("(role:admin)"), + name="clustertemplate:get_all_all_projects", + check_str=("rule:admin_api"), description="Retrieve a list of cluster templates across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:clustertemplate:update", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="clustertemplate:update", + check_str=("rule:admin_or_owner"), description="Update an existing cluster template.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:update_all_projects", - check_str=("(role:admin)"), + name="clustertemplate:update_all_projects", + check_str=("rule:admin_api"), description="Update an existing cluster template.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], ), base.APIRule( - name="magnum:clustertemplate:publish", - check_str=("(role:admin)"), + name="clustertemplate:publish", + 
check_str=("rule:admin_api"), description="Publish an existing cluster template.", scope_types=["project"], - operations=[ - {"method": "POST", "path": "/v1/clustertemplates"}, - {"method": "PATCH", "path": "/v1/clustertemplates"}, - ], + operations=[{"method": "POST", "path": "/v1/clustertemplates"}, {"method": "PATCH", "path": "/v1/clustertemplates"}], ), base.APIRule( - name="magnum:federation:create", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:create", + check_str=("rule:deny_cluster_user"), description="Create a new federation.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/federations"}], ), base.APIRule( - name="magnum:federation:delete", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:delete", + check_str=("rule:deny_cluster_user"), description="Delete a federation.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}], ), base.APIRule( - name="magnum:federation:detail", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:detail", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of federations with detail.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/federations"}], ), base.APIRule( - name="magnum:federation:get", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:get", + check_str=("rule:deny_cluster_user"), description="Retrieve information about the given federation.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}], ), base.APIRule( - name="magnum:federation:get_all", - check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:get_all", + check_str=("rule:deny_cluster_user"), description="Retrieve a list of federations.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/federations/"}], ), base.APIRule( - name="magnum:federation:update", - 
check_str=("(not domain_id:%(trustee_domain_id)s)"), + name="federation:update", + check_str=("rule:deny_cluster_user"), description="Update an existing federation.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}], ), base.APIRule( - name="magnum:magnum-service:get_all", - check_str=("(role:admin)"), + name="magnum-service:get_all", + check_str=("rule:admin_api"), description="Retrieve a list of magnum-services.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/mservices"}], ), base.APIRule( - name="magnum:quota:create", - check_str=("(role:admin)"), + name="quota:create", + check_str=("rule:admin_api"), description="Create quota.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/quotas"}], ), base.APIRule( - name="magnum:quota:delete", - check_str=("(role:admin)"), + name="quota:delete", + check_str=("rule:admin_api"), description="Delete quota for a given project_id and resource.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}], ), base.APIRule( - name="magnum:quota:get", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="quota:get", + check_str=("rule:admin_or_owner"), description="Retrieve Quota information for the given project_id.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}], ), base.APIRule( - name="magnum:quota:get_all", - check_str=("(role:admin)"), + name="quota:get_all", + check_str=("rule:admin_api"), description="Retrieve a list of quotas.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/quotas"}], ), base.APIRule( - name="magnum:quota:update", - check_str=("(role:admin)"), + name="quota:update", + check_str=("rule:admin_api"), description="Update quota for a given project_id.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}], ), base.APIRule( - 
name="magnum:stats:get_all", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="stats:get_all", + check_str=("rule:admin_or_owner"), description="Retrieve magnum stats.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/stats"}], ), base.APIRule( - name="magnum:nodegroup:get", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="nodegroup:get", + check_str=("rule:admin_or_owner"), description="Retrieve information about the given nodegroup.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}], ), base.APIRule( - name="magnum:nodegroup:get_all", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="nodegroup:get_all", + check_str=("rule:admin_or_owner"), description="Retrieve a list of nodegroups that belong to a cluster.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], ), base.APIRule( - name="magnum:nodegroup:get_all_all_projects", - check_str=("(role:admin)"), + name="nodegroup:get_all_all_projects", + check_str=("rule:admin_api"), description="Retrieve a list of nodegroups across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], ), base.APIRule( - name="magnum:nodegroup:get_one_all_projects", - check_str=("(role:admin)"), + name="nodegroup:get_one_all_projects", + check_str=("rule:admin_api"), description="Retrieve infornation for a given nodegroup.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}, - ], + operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}], ), base.APIRule( - name="magnum:nodegroup:create", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="nodegroup:create", + check_str=("rule:admin_or_owner"), description="Create a new nodegroup.", scope_types=["project"], 
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], ), base.APIRule( - name="magnum:nodegroup:delete", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="nodegroup:delete", + check_str=("rule:admin_or_owner"), description="Delete a nodegroup.", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}, - ], + operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}], ), base.APIRule( - name="magnum:nodegroup:update", - check_str=("(is_admin:True or project_id:%(project_id)s)"), + name="nodegroup:update", + check_str=("rule:admin_or_owner"), description="Update an existing nodegroup.", scope_types=["project"], - operations=[ - {"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}, - ], + operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}], ), ) diff --git a/skyline_apiserver/policy/manager/manila.py b/skyline_apiserver/policy/manager/manila.py index 4e4968f..9d3bdfd 100644 --- a/skyline_apiserver/policy/manager/manila.py +++ b/skyline_apiserver/policy/manager/manila.py @@ -1,3 +1,6 @@ +# flake8: noqa +# fmt: off + from . import base list_rules = ( @@ -34,7 +37,7 @@ list_rules = ( base.Rule( name="context_is_admin", check_str=("rule:system-admin"), - description='Privileged users checked via "context.is_admin"', + description="Privileged users checked via \"context.is_admin\"", ), base.Rule( name="admin_or_owner", 
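Review bot: The `# flake8: noqa` added at the top of skyline_apiserver/policy/manager/manila.py (hunk `@@ -1,3 +1,6 @@`) silences every flake8 check for the whole module, not only the long-line warnings that the single-line `operations=[...]` literals would otherwise trigger, so a future undefined or unused name in this file would also go unreported. If the file is tool-generated, as the `# fmt: off` alongside it suggests, excluding it via the linter's `per-file-ignores` / `exclude` settings in the project config is the usual approach; otherwise keep the suppression to the specific rule on the lines that need it with `# noqa: E501`. Since the pragmas are the only documentation of how this file is maintained, a header comment such as `# Generated policy rules; do not edit by hand, regenerate instead.` would tell the next reader why linting and formatting are turned off (hedged: SOURCE does not show the generator). The `list_rules = (` opened in this hunk continues outside it.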
@@ -52,1572 +55,1173 @@ list_rules = ( description="Default rule for most Admin APIs.", ), base.APIRule( - name="manila:availability_zone:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="availability_zone:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all storage availability zones.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/os-availability-zone"}, - {"method": "GET", "path": "/availability-zone"}, - ], + operations=[{"method": "GET", "path": "/os-availability-zone"}, {"method": "GET", "path": "/availability-zone"}], ), base.APIRule( - name="manila:scheduler_stats:pools:index", - check_str=("(role:reader and system_scope:all)"), - description="Get information regarding backends (and storage pools) known to the scheduler.", # noqa + name="scheduler_stats:pools:index", + check_str=("rule:system-reader"), + description="Get information regarding backends (and storage pools) known to the scheduler.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/scheduler-stats/pools"}, - {"method": "GET", "path": "/scheduler-stats/pools?{query}"}, - ], + operations=[{"method": "GET", "path": "/scheduler-stats/pools"}, {"method": "GET", "path": "/scheduler-stats/pools?{query}"}], ), base.APIRule( - name="manila:scheduler_stats:pools:detail", - check_str=("(role:reader and system_scope:all)"), - description="Get detailed information regarding backends (and storage pools) known to the scheduler.", # noqa + name="scheduler_stats:pools:detail", + check_str=("rule:system-reader"), + description="Get detailed information regarding backends (and storage pools) known to the scheduler.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/scheduler-stats/pools/detail?{query}"}, - {"method": "GET", "path": "/scheduler-stats/pools/detail"}, - ], + operations=[{"method": "GET", "path": 
"/scheduler-stats/pools/detail?{query}"}, {"method": "GET", "path": "/scheduler-stats/pools/detail"}], ), base.APIRule( - name="manila:share:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares"}], ), base.APIRule( - name="manila:share:create_public_share", - check_str=("(role:admin and system_scope:all)"), + name="share:create_public_share", + check_str=("rule:system-admin"), description="Create shares visible across all projects in the cloud.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares"}], ), base.APIRule( - name="manila:share:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share:get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get share.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/shares/{share_id}"}], ), base.APIRule( - name="manila:share:get_all", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share:get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List shares.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/shares"}, - {"method": "GET", "path": "/shares/detail"}, - ], + operations=[{"method": "GET", "path": "/shares"}, {"method": "GET", "path": "/shares/detail"}], ), base.APIRule( - name="manila:share:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update share.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/shares"}], 
), base.APIRule( - name="manila:share:set_public_share", - check_str=("(role:admin and system_scope:all)"), + name="share:set_public_share", + check_str=("rule:system-admin"), description="Update shares to be visible across all projects in the cloud.", scope_types=["system"], operations=[{"method": "PUT", "path": "/shares"}], ), base.APIRule( - name="manila:share:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete share.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/shares/{share_id}"}], ), base.APIRule( - name="manila:share:soft_delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:soft_delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Soft Delete a share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:restore", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:restore", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Restore a share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:force_delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share:force_delete", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force Delete a share.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/shares/{share_id}"}], ), base.APIRule( - name="manila:share:manage", - check_str=("(role:admin and system_scope:all)"), + name="share:manage", + check_str=("rule:system-admin"), 
description="Manage share.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/manage"}], ), base.APIRule( - name="manila:share:unmanage", - check_str=("(role:admin and system_scope:all)"), + name="share:unmanage", + check_str=("rule:system-admin"), description="Unmanage share.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/unmanage"}], ), base.APIRule( - name="manila:share:list_by_host", - check_str=("(role:reader and system_scope:all)"), + name="share:list_by_host", + check_str=("rule:system-reader"), description="List share by host.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/shares"}, - {"method": "GET", "path": "/shares/detail"}, - ], + operations=[{"method": "GET", "path": "/shares"}, {"method": "GET", "path": "/shares/detail"}], ), base.APIRule( - name="manila:share:list_by_share_server_id", - check_str=("(role:reader and system_scope:all)"), + name="share:list_by_share_server_id", + check_str=("rule:system-reader"), description="List share by server id.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/shares"}, - {"method": "GET", "path": "/shares/detail"}, - ], + operations=[{"method": "GET", "path": "/shares"}, {"method": "GET", "path": "/shares/detail"}], ), base.APIRule( - name="manila:share:access_get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share:access_get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get share access rule, it under deny access operation.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:access_get_all", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share:access_get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List share access rules.", 
scope_types=["system", "project"], operations=[{"method": "GET", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:extend", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:extend", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Extend share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:force_extend", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share:force_extend", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force extend share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:shrink", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:shrink", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Shrink share.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:migration_start", - check_str=("(role:admin and system_scope:all)"), + name="share:migration_start", + check_str=("rule:system-admin"), description="Migrate a share to the specified host.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:migration_complete", - check_str=("(role:admin and system_scope:all)"), + name="share:migration_complete", + check_str=("rule:system-admin"), description="Invokes 2nd phase of share migration.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:migration_cancel", - check_str=("(role:admin and system_scope:all)"), + 
name="share:migration_cancel", + check_str=("rule:system-admin"), description="Attempts to cancel share migration.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:migration_get_progress", - check_str=("(role:reader and system_scope:all)"), + name="share:migration_get_progress", + check_str=("rule:system-reader"), description="Retrieve share migration progress for a given share.", scope_types=["system"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:reset_task_state", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share:reset_task_state", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset task state.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share:reset_status", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset status.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:revert_to_snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:revert_to_snapshot", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Revert a share to a snapshot.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:allow_access", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:allow_access", + check_str=("(rule:system-admin) or (rule:project-member)"), 
description="Add share access rule.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:deny_access", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:deny_access", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Remove share access rule.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/shares/{share_id}/action"}], ), base.APIRule( - name="manila:share:update_share_metadata", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:update_share_metadata", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update share metadata.", scope_types=["system", "project"], - operations=[ - {"method": "PUT", "path": "/shares/{share_id}/metadata"}, - {"method": "POST", "path": "/shares/{share_id}/metadata/{key}"}, - {"method": "POST", "path": "/shares/{share_id}/metadata"}, - ], + operations=[{"method": "PUT", "path": "/shares/{share_id}/metadata"}, {"method": "POST", "path": "/shares/{share_id}/metadata/{key}"}, {"method": "POST", "path": "/shares/{share_id}/metadata"}], ), base.APIRule( - name="manila:share:delete_share_metadata", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:delete_share_metadata", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete share metadata.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/shares/{share_id}/metadata/{key}"}], ), base.APIRule( - name="manila:share:get_share_metadata", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share:get_share_metadata", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get share metadata.", 
scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/shares/{share_id}/metadata"}, - {"method": "GET", "path": "/shares/{share_id}/metadata/{key}"}, - ], + operations=[{"method": "GET", "path": "/shares/{share_id}/metadata"}, {"method": "GET", "path": "/shares/{share_id}/metadata/{key}"}], ), base.APIRule( - name="manila:share:create_snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:create_snapshot", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create share snapshot.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/snapshots"}], ), base.APIRule( - name="manila:share:delete_snapshot", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:delete_snapshot", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete share snapshot.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}"}], ), base.APIRule( - name="manila:share:snapshot_update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share:snapshot_update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update share snapshot.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}/action"}], ), base.APIRule( - name="manila:share:update_admin_only_metadata", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), - description='Update metadata items that are considered "admin only" by the service.', + name="share:update_admin_only_metadata", + check_str=("(rule:system-admin) or (rule:project-admin)"), + description="Update metadata items that are considered \"admin only\" by the service.", scope_types=["system", "project"], 
operations=[{"method": "PUT", "path": "/shares/{share_id}/metadata"}], ), base.APIRule( - name="manila:share_instance_export_location:index", - check_str=("(role:reader and system_scope:all)"), + name="share_instance_export_location:index", + check_str=("rule:system-reader"), description="Return data about the requested export location.", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/share_instances/{share_instance_id}/export_locations"}, - ], + operations=[{"method": "POST", "path": "/share_instances/{share_instance_id}/export_locations"}], ), base.APIRule( - name="manila:share_instance_export_location:show", - check_str=("(role:reader and system_scope:all)"), + name="share_instance_export_location:show", + check_str=("rule:system-reader"), description="Return data about the requested export location.", scope_types=["system"], - operations=[ - { - "method": "GET", - "path": "/share_instances/{share_instance_id}/export_locations/{export_location_id}", # noqa - }, - ], + operations=[{"method": "GET", "path": "/share_instances/{share_instance_id}/export_locations/{export_location_id}"}], ), base.APIRule( - name="manila:share_type:create", - check_str=("(role:admin and system_scope:all)"), + name="share_type:create", + check_str=("rule:system-admin"), description="Create share type.", scope_types=["system"], operations=[{"method": "POST", "path": "/types"}], ), base.APIRule( - name="manila:share_type:update", - check_str=("(role:admin and system_scope:all)"), + name="share_type:update", + check_str=("rule:system-admin"), description="Update share type.", scope_types=["system"], operations=[{"method": "PUT", "path": "/types/{share_type_id}"}], ), base.APIRule( - name="manila:share_type:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_type:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get share type.", scope_types=["system", 
"project"], operations=[{"method": "GET", "path": "/types/{share_type_id}"}], ), base.APIRule( - name="manila:share_type:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_type:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List share types.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/types"}, - {"method": "GET", "path": "/types?is_public=all"}, - ], + operations=[{"method": "GET", "path": "/types"}, {"method": "GET", "path": "/types?is_public=all"}], ), base.APIRule( - name="manila:share_type:default", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_type:default", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get default share type.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/types/default"}], ), base.APIRule( - name="manila:share_type:delete", - check_str=("(role:admin and system_scope:all)"), + name="share_type:delete", + check_str=("rule:system-admin"), description="Delete share type.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/types/{share_type_id}"}], ), base.APIRule( - name="manila:share_type:list_project_access", - check_str=("(role:reader and system_scope:all)"), + name="share_type:list_project_access", + check_str=("rule:system-reader"), description="List share type project access.", scope_types=["system"], operations=[{"method": "GET", "path": "/types/{share_type_id}"}], ), base.APIRule( - name="manila:share_type:add_project_access", - check_str=("(role:admin and system_scope:all)"), + name="share_type:add_project_access", + check_str=("rule:system-admin"), description="Add share type to project.", scope_types=["system"], operations=[{"method": "POST", "path": "/types/{share_type_id}/action"}], ), base.APIRule( - 
name="manila:share_type:remove_project_access", - check_str=("(role:admin and system_scope:all)"), + name="share_type:remove_project_access", + check_str=("rule:system-admin"), description="Remove share type from project.", scope_types=["system"], operations=[{"method": "POST", "path": "/types/{share_type_id}/action"}], ), base.APIRule( - name="manila:share_types_extra_spec:create", - check_str=("(role:admin and system_scope:all)"), + name="share_types_extra_spec:create", + check_str=("rule:system-admin"), description="Create share type extra spec.", scope_types=["system"], operations=[{"method": "POST", "path": "/types/{share_type_id}/extra_specs"}], ), base.APIRule( - name="manila:share_types_extra_spec:show", - check_str=("(role:reader and system_scope:all)"), + name="share_types_extra_spec:show", + check_str=("rule:system-reader"), description="Get share type extra specs of a given share type.", scope_types=["system"], operations=[{"method": "GET", "path": "/types/{share_type_id}/extra_specs"}], ), base.APIRule( - name="manila:share_types_extra_spec:index", - check_str=("(role:reader and system_scope:all)"), + name="share_types_extra_spec:index", + check_str=("rule:system-reader"), description="Get details of a share type extra spec.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/types/{share_type_id}/extra_specs/{extra_spec_id}"}, - ], + operations=[{"method": "GET", "path": "/types/{share_type_id}/extra_specs/{extra_spec_id}"}], ), base.APIRule( - name="manila:share_types_extra_spec:update", - check_str=("(role:admin and system_scope:all)"), + name="share_types_extra_spec:update", + check_str=("rule:system-admin"), description="Update share type extra spec.", scope_types=["system"], operations=[{"method": "PUT", "path": "/types/{share_type_id}/extra_specs"}], ), base.APIRule( - name="manila:share_types_extra_spec:delete", - check_str=("(role:admin and system_scope:all)"), + name="share_types_extra_spec:delete", + 
check_str=("rule:system-admin"), description="Delete share type extra spec.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/types/{share_type_id}/extra_specs/{key}"}], ), base.APIRule( - name="manila:share_snapshot:get_snapshot", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_snapshot:get_snapshot", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get share snapshot.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}"}], ), base.APIRule( - name="manila:share_snapshot:get_all_snapshots", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_snapshot:get_all_snapshots", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share snapshots.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/snapshots"}, - {"method": "GET", "path": "/snapshots/detail"}, - {"method": "GET", "path": "/snapshots?{query}"}, - {"method": "GET", "path": "/snapshots/detail?{query}"}, - ], + operations=[{"method": "GET", "path": "/snapshots"}, {"method": "GET", "path": "/snapshots/detail"}, {"method": "GET", "path": "/snapshots?{query}"}, {"method": "GET", "path": "/snapshots/detail?{query}"}], ), base.APIRule( - name="manila:share_snapshot:force_delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_snapshot:force_delete", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force Delete a share snapshot.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}"}], ), base.APIRule( - name="manila:share_snapshot:manage_snapshot", - check_str=("(role:admin and system_scope:all)"), + name="share_snapshot:manage_snapshot", + check_str=("rule:system-admin"), 
description="Manage share snapshot.", scope_types=["system"], operations=[{"method": "POST", "path": "/snapshots/manage"}], ), base.APIRule( - name="manila:share_snapshot:unmanage_snapshot", - check_str=("(role:admin and system_scope:all)"), + name="share_snapshot:unmanage_snapshot", + check_str=("rule:system-admin"), description="Unmanage share snapshot.", scope_types=["system"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}], ), base.APIRule( - name="manila:share_snapshot:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_snapshot:reset_status", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset status.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}], ), base.APIRule( - name="manila:share_snapshot:access_list", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_snapshot:access_list", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List access rules of a share snapshot.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/access-list"}], ), base.APIRule( - name="manila:share_snapshot:allow_access", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_snapshot:allow_access", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Allow access to a share snapshot.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}], ), base.APIRule( - name="manila:share_snapshot:deny_access", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_snapshot:deny_access", + check_str=("(rule:system-admin) or (rule:project-member)"), 
description="Deny access to a share snapshot.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}], ), base.APIRule( - name="manila:share_snapshot_export_location:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_snapshot_export_location:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List export locations of a share snapshot.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/export-locations/"}], ), base.APIRule( - name="manila:share_snapshot_export_location:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_snapshot_export_location:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a specified export location of a share snapshot.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/snapshots/{snapshot_id}/export-locations/{export_location_id}", - }, - ], + operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/export-locations/{export_location_id}"}], ), base.APIRule( - name="manila:share_snapshot_instance:show", - check_str=("(role:reader and system_scope:all)"), + name="share_snapshot_instance:show", + check_str=("rule:system-reader"), description="Get share snapshot instance.", scope_types=["system"], operations=[{"method": "GET", "path": "/snapshot-instances/{snapshot_instance_id}"}], ), base.APIRule( - name="manila:share_snapshot_instance:index", - check_str=("(role:reader and system_scope:all)"), + name="share_snapshot_instance:index", + check_str=("rule:system-reader"), description="Get all share snapshot instances.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/snapshot-instances"}, - {"method": "GET", "path": "/snapshot-instances?{query}"}, - ], + 
operations=[{"method": "GET", "path": "/snapshot-instances"}, {"method": "GET", "path": "/snapshot-instances?{query}"}], ), base.APIRule( - name="manila:share_snapshot_instance:detail", - check_str=("(role:reader and system_scope:all)"), + name="share_snapshot_instance:detail", + check_str=("rule:system-reader"), description="Get details of share snapshot instances.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/snapshot-instances/detail"}, - {"method": "GET", "path": "/snapshot-instances/detail?{query}"}, - ], + operations=[{"method": "GET", "path": "/snapshot-instances/detail"}, {"method": "GET", "path": "/snapshot-instances/detail?{query}"}], ), base.APIRule( - name="manila:share_snapshot_instance:reset_status", - check_str=("(role:admin and system_scope:all)"), + name="share_snapshot_instance:reset_status", + check_str=("rule:system-admin"), description="Reset share snapshot instance's status.", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/snapshot-instances/{snapshot_instance_id}/action"}, - ], + operations=[{"method": "POST", "path": "/snapshot-instances/{snapshot_instance_id}/action"}], ), base.APIRule( - name="manila:share_snapshot_instance_export_location:index", - check_str=("(role:reader and system_scope:all)"), + name="share_snapshot_instance_export_location:index", + check_str=("rule:system-reader"), description="List export locations of a share snapshot instance.", scope_types=["system"], - operations=[ - { - "method": "GET", - "path": "/snapshot-instances/{snapshot_instance_id}/export-locations", - }, - ], + operations=[{"method": "GET", "path": "/snapshot-instances/{snapshot_instance_id}/export-locations"}], ), base.APIRule( - name="manila:share_snapshot_instance_export_location:show", - check_str=("(role:reader and system_scope:all)"), + name="share_snapshot_instance_export_location:show", + check_str=("rule:system-reader"), description="Show details of a specified export location of a share snapshot 
instance.", scope_types=["system"], - operations=[ - { - "method": "GET", - "path": "/snapshot-instances/{snapshot_instance_id}/export-locations/{export_location_id}", # noqa - }, - ], + operations=[{"method": "GET", "path": "/snapshot-instances/{snapshot_instance_id}/export-locations/{export_location_id}"}], ), base.APIRule( - name="manila:share_server:index", - check_str=("(role:reader and system_scope:all)"), + name="share_server:index", + check_str=("rule:system-reader"), description="Get share servers.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/share-servers"}, - {"method": "GET", "path": "/share-servers?{query}"}, - ], + operations=[{"method": "GET", "path": "/share-servers"}, {"method": "GET", "path": "/share-servers?{query}"}], ), base.APIRule( - name="manila:share_server:show", - check_str=("(role:reader and system_scope:all)"), + name="share_server:show", + check_str=("rule:system-reader"), description="Show share server.", scope_types=["system"], operations=[{"method": "GET", "path": "/share-servers/{server_id}"}], ), base.APIRule( - name="manila:share_server:details", - check_str=("(role:reader and system_scope:all)"), + name="share_server:details", + check_str=("rule:system-reader"), description="Get share server details.", scope_types=["system"], operations=[{"method": "GET", "path": "/share-servers/{server_id}/details"}], ), base.APIRule( - name="manila:share_server:delete", - check_str=("(role:admin and system_scope:all)"), + name="share_server:delete", + check_str=("rule:system-admin"), description="Delete share server.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/share-servers/{server_id}"}], ), base.APIRule( - name="manila:share_server:manage_share_server", - check_str=("(role:admin and system_scope:all)"), + name="share_server:manage_share_server", + check_str=("rule:system-admin"), description="Manage share server.", scope_types=["system"], operations=[{"method": "POST", "path": 
"/share-servers/manage"}], ), base.APIRule( - name="manila:share_server:unmanage_share_server", - check_str=("(role:admin and system_scope:all)"), + name="share_server:unmanage_share_server", + check_str=("rule:system-admin"), description="Unmanage share server.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:reset_status", - check_str=("(role:admin and system_scope:all)"), + name="share_server:reset_status", + check_str=("rule:system-admin"), description="Reset the status of a share server.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_migration_start", - check_str=("(role:admin and system_scope:all)"), + name="share_server:share_server_migration_start", + check_str=("rule:system-admin"), description="Migrates a share server to the specified host.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_migration_check", - check_str=("(role:reader and system_scope:all)"), + name="share_server:share_server_migration_check", + check_str=("rule:system-reader"), description="Check if can migrates a share server to the specified host.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_migration_complete", - check_str=("(role:admin and system_scope:all)"), + name="share_server:share_server_migration_complete", + check_str=("rule:system-admin"), description="Invokes the 2nd phase of share server migration.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_migration_cancel", - check_str=("(role:admin and 
system_scope:all)"), + name="share_server:share_server_migration_cancel", + check_str=("rule:system-admin"), description="Attempts to cancel share server migration.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_migration_get_progress", - check_str=("(role:reader and system_scope:all)"), + name="share_server:share_server_migration_get_progress", + check_str=("rule:system-reader"), description="Retrieves the share server migration progress for a given share server.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:share_server:share_server_reset_task_state", - check_str=("(role:admin and system_scope:all)"), + name="share_server:share_server_reset_task_state", + check_str=("rule:system-admin"), description="Resets task state.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-servers/{share_server_id}/action"}], ), base.APIRule( - name="manila:service:index", - check_str=("(role:reader and system_scope:all)"), + name="service:index", + check_str=("rule:system-reader"), description="Return a list of all running services.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/os-services"}, - {"method": "GET", "path": "/os-services?{query}"}, - {"method": "GET", "path": "/services"}, - {"method": "GET", "path": "/services?{query}"}, - ], + operations=[{"method": "GET", "path": "/os-services"}, {"method": "GET", "path": "/os-services?{query}"}, {"method": "GET", "path": "/services"}, {"method": "GET", "path": "/services?{query}"}], ), base.APIRule( - name="manila:service:update", - check_str=("(role:admin and system_scope:all)"), + name="service:update", + check_str=("rule:system-admin"), description="Enable/Disable scheduling for a service.", scope_types=["system"], - operations=[ - {"method": "PUT", "path": 
"/os-services/disable"}, - {"method": "PUT", "path": "/os-services/enable"}, - {"method": "PUT", "path": "/services/disable"}, - {"method": "PUT", "path": "/services/enable"}, - ], + operations=[{"method": "PUT", "path": "/os-services/disable"}, {"method": "PUT", "path": "/os-services/enable"}, {"method": "PUT", "path": "/services/disable"}, {"method": "PUT", "path": "/services/enable"}], ), base.APIRule( - name="manila:quota_set:update", - check_str=("(role:admin and system_scope:all)"), + name="quota_set:update", + check_str=("rule:system-admin"), description="Update the quotas for a project/user and/or share type.", scope_types=["system"], - operations=[ - {"method": "PUT", "path": "/quota-sets/{tenant_id}"}, - {"method": "PUT", "path": "/quota-sets/{tenant_id}?user_id={user_id}"}, - {"method": "PUT", "path": "/quota-sets/{tenant_id}?share_type={share_type_id}"}, - {"method": "PUT", "path": "/os-quota-sets/{tenant_id}"}, - {"method": "PUT", "path": "/os-quota-sets/{tenant_id}?user_id={user_id}"}, - ], + operations=[{"method": "PUT", "path": "/quota-sets/{tenant_id}"}, {"method": "PUT", "path": "/quota-sets/{tenant_id}?user_id={user_id}"}, {"method": "PUT", "path": "/quota-sets/{tenant_id}?share_type={share_type_id}"}, {"method": "PUT", "path": "/os-quota-sets/{tenant_id}"}, {"method": "PUT", "path": "/os-quota-sets/{tenant_id}?user_id={user_id}"}], ), base.APIRule( - name="manila:quota_set:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="quota_set:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List the quotas for a tenant/user.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/quota-sets/{tenant_id}/defaults"}, - {"method": "GET", "path": "/os-quota-sets/{tenant_id}/defaults"}, - ], + operations=[{"method": "GET", "path": "/quota-sets/{tenant_id}/defaults"}, {"method": "GET", "path": "/os-quota-sets/{tenant_id}/defaults"}], 
), base.APIRule( - name="manila:quota_set:delete", - check_str=("(role:admin and system_scope:all)"), - description="Delete quota for a tenant/user or tenant/share-type. The quota will revert back to default (Admin only).", # noqa + name="quota_set:delete", + check_str=("rule:system-admin"), + description="Delete quota for a tenant/user or tenant/share-type. The quota will revert back to default (Admin only).", scope_types=["system"], - operations=[ - {"method": "DELETE", "path": "/quota-sets/{tenant_id}"}, - {"method": "DELETE", "path": "/quota-sets/{tenant_id}?user_id={user_id}"}, - {"method": "DELETE", "path": "/quota-sets/{tenant_id}?share_type={share_type_id}"}, - {"method": "DELETE", "path": "/os-quota-sets/{tenant_id}"}, - {"method": "DELETE", "path": "/os-quota-sets/{tenant_id}?user_id={user_id}"}, - ], + operations=[{"method": "DELETE", "path": "/quota-sets/{tenant_id}"}, {"method": "DELETE", "path": "/quota-sets/{tenant_id}?user_id={user_id}"}, {"method": "DELETE", "path": "/quota-sets/{tenant_id}?share_type={share_type_id}"}, {"method": "DELETE", "path": "/os-quota-sets/{tenant_id}"}, {"method": "DELETE", "path": "/os-quota-sets/{tenant_id}?user_id={user_id}"}], ), base.APIRule( - name="manila:quota_class_set:update", - check_str=("(role:admin and system_scope:all)"), + name="quota_class_set:update", + check_str=("rule:system-admin"), description="Update quota class.", scope_types=["system"], - operations=[ - {"method": "PUT", "path": "/quota-class-sets/{class_name}"}, - {"method": "PUT", "path": "/os-quota-class-sets/{class_name}"}, - ], + operations=[{"method": "PUT", "path": "/quota-class-sets/{class_name}"}, {"method": "PUT", "path": "/os-quota-class-sets/{class_name}"}], ), base.APIRule( - name="manila:quota_class_set:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="quota_class_set:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get quota 
class.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/quota-class-sets/{class_name}"}, - {"method": "GET", "path": "/os-quota-class-sets/{class_name}"}, - ], + operations=[{"method": "GET", "path": "/quota-class-sets/{class_name}"}, {"method": "GET", "path": "/os-quota-class-sets/{class_name}"}], ), base.APIRule( - name="manila:share_group_types_spec:create", - check_str=("(role:admin and system_scope:all)"), + name="share_group_types_spec:create", + check_str=("rule:system-admin"), description="Create share group type specs.", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/share-group-types/{share_group_type_id}/group-specs"}, - ], + operations=[{"method": "POST", "path": "/share-group-types/{share_group_type_id}/group-specs"}], ), base.APIRule( - name="manila:share_group_types_spec:index", - check_str=("(role:reader and system_scope:all)"), + name="share_group_types_spec:index", + check_str=("rule:system-reader"), description="Get share group type specs.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/share-group-types/{share_group_type_id}/group-specs"}, - ], + operations=[{"method": "GET", "path": "/share-group-types/{share_group_type_id}/group-specs"}], ), base.APIRule( - name="manila:share_group_types_spec:show", - check_str=("(role:reader and system_scope:all)"), + name="share_group_types_spec:show", + check_str=("rule:system-reader"), description="Get details of a share group type spec.", scope_types=["system"], - operations=[ - { - "method": "GET", - "path": "/share-group-types/{share_group_type_id}/group-specs/{key}", - }, - ], + operations=[{"method": "GET", "path": "/share-group-types/{share_group_type_id}/group-specs/{key}"}], ), base.APIRule( - name="manila:share_group_types_spec:update", - check_str=("(role:admin and system_scope:all)"), + name="share_group_types_spec:update", + check_str=("rule:system-admin"), description="Update a share group type spec.", 
scope_types=["system"], - operations=[ - { - "method": "PUT", - "path": "/share-group-types/{share_group_type_id}/group-specs/{key}", - }, - ], + operations=[{"method": "PUT", "path": "/share-group-types/{share_group_type_id}/group-specs/{key}"}], ), base.APIRule( - name="manila:share_group_types_spec:delete", - check_str=("(role:admin and system_scope:all)"), + name="share_group_types_spec:delete", + check_str=("rule:system-admin"), description="Delete a share group type spec.", scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/share-group-types/{share_group_type_id}/group-specs/{key}", - }, - ], + operations=[{"method": "DELETE", "path": "/share-group-types/{share_group_type_id}/group-specs/{key}"}], ), base.APIRule( - name="manila:share_group_type:create", - check_str=("(role:admin and system_scope:all)"), + name="share_group_type:create", + check_str=("rule:system-admin"), description="Create a new share group type.", scope_types=["system"], operations=[{"method": "POST", "path": "/share-group-types"}], ), base.APIRule( - name="manila:share_group_type:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group_type:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get the list of share group types.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-group-types"}, - {"method": "GET", "path": "/share-group-types?is_public=all"}, - ], + operations=[{"method": "GET", "path": "/share-group-types"}, {"method": "GET", "path": "/share-group-types?is_public=all"}], ), base.APIRule( - name="manila:share_group_type:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group_type:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details regarding the specified share group type.", 
scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-group-types/{share_group_type_id}"}], ), base.APIRule( - name="manila:share_group_type:default", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group_type:default", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get the default share group type.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-group-types/default"}], ), base.APIRule( - name="manila:share_group_type:delete", - check_str=("(role:admin and system_scope:all)"), + name="share_group_type:delete", + check_str=("rule:system-admin"), description="Delete an existing group type.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/share-group-types/{share_group_type_id}"}], ), base.APIRule( - name="manila:share_group_type:list_project_access", - check_str=("(role:reader and system_scope:all)"), + name="share_group_type:list_project_access", + check_str=("rule:system-reader"), description="Get project access by share group type.", scope_types=["system"], operations=[{"method": "GET", "path": "/share-group-types/{share_group_type_id}/access"}], ), base.APIRule( - name="manila:share_group_type:add_project_access", - check_str=("(role:admin and system_scope:all)"), + name="share_group_type:add_project_access", + check_str=("rule:system-admin"), description="Allow project to use the share group type.", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/share-group-types/{share_group_type_id}/action"}, - ], + operations=[{"method": "POST", "path": "/share-group-types/{share_group_type_id}/action"}], ), base.APIRule( - name="manila:share_group_type:remove_project_access", - check_str=("(role:admin and system_scope:all)"), + name="share_group_type:remove_project_access", + check_str=("rule:system-admin"), description="Deny project access to use the share group type.", 
scope_types=["system"], - operations=[ - {"method": "POST", "path": "/share-group-types/{share_group_type_id}/action"}, - ], + operations=[{"method": "POST", "path": "/share-group-types/{share_group_type_id}/action"}], ), base.APIRule( - name="manila:share_group_snapshot:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_group_snapshot:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create a new share group snapshot.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-group-snapshots"}], ), base.APIRule( - name="manila:share_group_snapshot:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group_snapshot:get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a share group snapshot.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-group-snapshots/{share_group_snapshot_id}"}, - ], + operations=[{"method": "GET", "path": "/share-group-snapshots/{share_group_snapshot_id}"}], ), base.APIRule( - name="manila:share_group_snapshot:get_all", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group_snapshot:get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share group snapshots.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-group-snapshots"}, - {"method": "GET", "path": "/share-group-snapshots/detail"}, - {"method": "GET", "path": "/share-group-snapshots/{query}"}, - {"method": "GET", "path": "/share-group-snapshots/detail?{query}"}, - ], + operations=[{"method": "GET", "path": "/share-group-snapshots"}, {"method": "GET", "path": "/share-group-snapshots/detail"}, {"method": "GET", "path": "/share-group-snapshots/{query}"}, 
{"method": "GET", "path": "/share-group-snapshots/detail?{query}"}], ), base.APIRule( - name="manila:share_group_snapshot:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_group_snapshot:update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update a share group snapshot.", scope_types=["system", "project"], - operations=[ - {"method": "PUT", "path": "/share-group-snapshots/{share_group_snapshot_id}"}, - ], + operations=[{"method": "PUT", "path": "/share-group-snapshots/{share_group_snapshot_id}"}], ), base.APIRule( - name="manila:share_group_snapshot:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_group_snapshot:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a share group snapshot.", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/share-group-snapshots/{share_group_snapshot_id}"}, - ], + operations=[{"method": "DELETE", "path": "/share-group-snapshots/{share_group_snapshot_id}"}], ), base.APIRule( - name="manila:share_group_snapshot:force_delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_group_snapshot:force_delete", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force delete a share group snapshot.", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/share-group-snapshots/{share_group_snapshot_id}/action"}, - ], + operations=[{"method": "POST", "path": "/share-group-snapshots/{share_group_snapshot_id}/action"}], ), base.APIRule( - name="manila:share_group_snapshot:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_group_snapshot:reset_status", + check_str=("(rule:system-admin) or 
(rule:project-admin)"), description="Reset a share group snapshot's status.", scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/share-group-snapshots/{share_group_snapshot_id}/action"}, - ], + operations=[{"method": "POST", "path": "/share-group-snapshots/{share_group_snapshot_id}/action"}], ), base.APIRule( - name="manila:share_group:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_group:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create share group.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-groups"}], ), base.APIRule( - name="manila:share_group:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group:get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a share group.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-groups/{share_group_id}"}], ), base.APIRule( - name="manila:share_group:get_all", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_group:get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share groups.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-groups"}, - {"method": "GET", "path": "/share-groups/detail"}, - {"method": "GET", "path": "/share-groups?{query}"}, - {"method": "GET", "path": "/share-groups/detail?{query}"}, - ], + operations=[{"method": "GET", "path": "/share-groups"}, {"method": "GET", "path": "/share-groups/detail"}, {"method": "GET", "path": "/share-groups?{query}"}, {"method": "GET", "path": "/share-groups/detail?{query}"}], ), base.APIRule( - name="manila:share_group:update", - check_str=( - "(role:admin and system_scope:all) or (role:member 
and project_id:%(project_id)s)" - ), + name="share_group:update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update share group.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/share-groups/{share_group_id}"}], ), base.APIRule( - name="manila:share_group:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_group:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete share group.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/share-groups/{share_group_id}"}], ), base.APIRule( - name="manila:share_group:force_delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_group:force_delete", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force delete a share group.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-groups/{share_group_id}/action"}], ), base.APIRule( - name="manila:share_group:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_group:reset_status", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset share group's status.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-groups/{share_group_id}/action"}], ), base.APIRule( - name="manila:share_replica:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_replica:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create share replica.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas"}], ), base.APIRule( - name="manila:share_replica:get_all", - check_str=( - "(role:reader and system_scope:all) or 
(role:reader and project_id:%(project_id)s)" - ), + name="share_replica:get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share replicas.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-replicas"}, - {"method": "GET", "path": "/share-replicas/detail"}, - {"method": "GET", "path": "/share-replicas/detail?share_id={share_id}"}, - ], + operations=[{"method": "GET", "path": "/share-replicas"}, {"method": "GET", "path": "/share-replicas/detail"}, {"method": "GET", "path": "/share-replicas/detail?share_id={share_id}"}], ), base.APIRule( - name="manila:share_replica:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_replica:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a share replica.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-replicas/{share_replica_id}"}], ), base.APIRule( - name="manila:share_replica:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_replica:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a share replica.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/share-replicas/{share_replica_id}"}], ), base.APIRule( - name="manila:share_replica:force_delete", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_replica:force_delete", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Force delete a share replica.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas/{share_replica_id}/action"}], ), base.APIRule( - name="manila:share_replica:promote", - check_str=( - "(role:admin and system_scope:all) or (role:member and 
project_id:%(project_id)s)" - ), + name="share_replica:promote", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Promote a non-active share replica to active.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas/{share_replica_id}/action"}], ), base.APIRule( - name="manila:share_replica:resync", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_replica:resync", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Resync a share replica that is out of sync.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas/{share_replica_id}/action"}], ), base.APIRule( - name="manila:share_replica:reset_replica_state", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_replica:reset_replica_state", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset share replica's replica_state attribute.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas/{share_replica_id}/action"}], ), base.APIRule( - name="manila:share_replica:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_replica:reset_status", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset share replica's status.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-replicas/{share_replica_id}/action"}], ), base.APIRule( - name="manila:share_replica_export_location:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_replica_export_location:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all export locations of a given share replica.", scope_types=["system", 
"project"], - operations=[ - {"method": "GET", "path": "/share-replicas/{share_replica_id}/export-locations"}, - ], + operations=[{"method": "GET", "path": "/share-replicas/{share_replica_id}/export-locations"}], ), base.APIRule( - name="manila:share_replica_export_location:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_replica_export_location:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details about the requested share replica export location.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/share-replicas/{share_replica_id}/export-locations/{export_location_id}", - }, - ], + operations=[{"method": "GET", "path": "/share-replicas/{share_replica_id}/export-locations/{export_location_id}"}], ), base.APIRule( - name="manila:share_network:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks"}], ), base.APIRule( - name="manila:share_network:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_network:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a share network.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-networks/{share_network_id}"}], ), base.APIRule( - name="manila:share_network:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_network:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share networks.", scope_types=["system", "project"], - operations=[ - 
{"method": "GET", "path": "/share-networks"}, - {"method": "GET", "path": "/share-networks?{query}"}, - ], + operations=[{"method": "GET", "path": "/share-networks"}, {"method": "GET", "path": "/share-networks?{query}"}], ), base.APIRule( - name="manila:share_network:detail", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_network:detail", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of share networks .", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/share-networks/detail?{query}"}, - {"method": "GET", "path": "/share-networks/detail"}, - ], + operations=[{"method": "GET", "path": "/share-networks/detail?{query}"}, {"method": "GET", "path": "/share-networks/detail"}], ), base.APIRule( - name="manila:share_network:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update a share network.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/share-networks/{share_network_id}"}], ), base.APIRule( - name="manila:share_network:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a share network.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/share-networks/{share_network_id}"}], ), base.APIRule( - name="manila:share_network:add_security_service", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:add_security_service", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Add security service to share network.", scope_types=["system", 
"project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:add_security_service_check", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:add_security_service_check", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Check the feasibility of add security service to a share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:remove_security_service", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:remove_security_service", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Remove security service from share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:update_security_service", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:update_security_service", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Update security service from share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:update_security_service_check", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network:update_security_service_check", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Check the feasibility of update a security service from share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": 
"/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:reset_status", - check_str=( - "(role:admin and system_scope:all) or (role:admin and project_id:%(project_id)s)" - ), + name="share_network:reset_status", + check_str=("(rule:system-admin) or (rule:project-admin)"), description="Reset share network`s status.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network:get_all_share_networks", - check_str=("(role:reader and system_scope:all)"), + name="share_network:get_all_share_networks", + check_str=("rule:system-reader"), description="Get share networks belonging to all projects.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/share-networks?all_tenants=1"}, - {"method": "GET", "path": "/share-networks/detail?all_tenants=1"}, - ], + operations=[{"method": "GET", "path": "/share-networks?all_tenants=1"}, {"method": "GET", "path": "/share-networks/detail?all_tenants=1"}], ), base.APIRule( - name="manila:share_network:subnet_create_check", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - description="Check the feasibility of create a new share network subnet for share network.", # noqa + name="share_network:subnet_create_check", + check_str=("(rule:system-admin) or (rule:project-member)"), + description="Check the feasibility of create a new share network subnet for share network.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/action"}], ), base.APIRule( - name="manila:share_network_subnet:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network_subnet:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create a new share network subnet.", scope_types=["system", 
"project"], operations=[{"method": "POST", "path": "/share-networks/{share_network_id}/subnets"}], ), base.APIRule( - name="manila:share_network_subnet:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_network_subnet:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a share network subnet.", scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/share-networks/{share_network_id}/subnets/{share_network_subnet_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/share-networks/{share_network_id}/subnets/{share_network_subnet_id}"}], ), base.APIRule( - name="manila:share_network_subnet:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_network_subnet:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Shows a share network subnet.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/share-networks/{share_network_id}/subnets/{share_network_subnet_id}", - }, - ], + operations=[{"method": "GET", "path": "/share-networks/{share_network_id}/subnets/{share_network_subnet_id}"}], ), base.APIRule( - name="manila:share_network_subnet:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_network_subnet:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all share network subnets.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-networks/{share_network_id}/subnets"}], ), base.APIRule( - name="manila:security_service:create", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="security_service:create", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Create 
security service.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/security-services"}], ), base.APIRule( - name="manila:security_service:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="security_service:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a security service.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/security-services/{security_service_id}"}], ), base.APIRule( - name="manila:security_service:detail", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="security_service:detail", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of all security services.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/security-services/detail?{query}"}, - {"method": "GET", "path": "/security-services/detail"}, - ], + operations=[{"method": "GET", "path": "/security-services/detail?{query}"}, {"method": "GET", "path": "/security-services/detail"}], ), base.APIRule( - name="manila:security_service:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="security_service:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all security services.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/security-services"}, - {"method": "GET", "path": "/security-services?{query}"}, - ], + operations=[{"method": "GET", "path": "/security-services"}, {"method": "GET", "path": "/security-services?{query}"}], ), base.APIRule( - name="manila:security_service:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="security_service:update", + check_str=("(rule:system-admin) or 
(rule:project-member)"), description="Update a security service.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/security-services/{security_service_id}"}], ), base.APIRule( - name="manila:security_service:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="security_service:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a security service.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/security-services/{security_service_id}"}], ), base.APIRule( - name="manila:security_service:get_all_security_services", - check_str=("(role:reader and system_scope:all)"), + name="security_service:get_all_security_services", + check_str=("rule:system-reader"), description="Get security services of all projects.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/security-services?all_tenants=1"}, - {"method": "GET", "path": "/security-services/detail?all_tenants=1"}, - ], + operations=[{"method": "GET", "path": "/security-services?all_tenants=1"}, {"method": "GET", "path": "/security-services/detail?all_tenants=1"}], ), base.APIRule( - name="manila:share_export_location:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_export_location:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all export locations of a given share.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/shares/{share_id}/export_locations"}], ), base.APIRule( - name="manila:share_export_location:show", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_export_location:show", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details about the requested export location.", 
scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/shares/{share_id}/export_locations/{export_location_id}"}, - ], + operations=[{"method": "GET", "path": "/shares/{share_id}/export_locations/{export_location_id}"}], ), base.APIRule( - name="manila:share_instance:index", - check_str=("(role:reader and system_scope:all)"), + name="share_instance:index", + check_str=("rule:system-reader"), description="Get all share instances.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/share_instances"}, - {"method": "GET", "path": "/share_instances?{query}"}, - ], + operations=[{"method": "GET", "path": "/share_instances"}, {"method": "GET", "path": "/share_instances?{query}"}], ), base.APIRule( - name="manila:share_instance:show", - check_str=("(role:reader and system_scope:all)"), + name="share_instance:show", + check_str=("rule:system-reader"), description="Get details of a share instance.", scope_types=["system"], operations=[{"method": "GET", "path": "/share_instances/{share_instance_id}"}], ), base.APIRule( - name="manila:share_instance:force_delete", - check_str=("(role:admin and system_scope:all)"), + name="share_instance:force_delete", + check_str=("rule:system-admin"), description="Force delete a share instance.", scope_types=["system"], operations=[{"method": "POST", "path": "/share_instances/{share_instance_id}/action"}], ), base.APIRule( - name="manila:share_instance:reset_status", - check_str=("(role:admin and system_scope:all)"), + name="share_instance:reset_status", + check_str=("rule:system-admin"), description="Reset share instance's status.", scope_types=["system"], operations=[{"method": "POST", "path": "/share_instances/{share_instance_id}/action"}], ), base.APIRule( - name="manila:message:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="message:get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details 
of a given message.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/messages/{message_id}"}], ), base.APIRule( - name="manila:message:get_all", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="message:get_all", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get all messages.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/messages"}, - {"method": "GET", "path": "/messages?{query}"}, - ], + operations=[{"method": "GET", "path": "/messages"}, {"method": "GET", "path": "/messages?{query}"}], ), base.APIRule( - name="manila:message:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="message:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete a message.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/messages/{message_id}"}], ), base.APIRule( - name="manila:share_access_rule:get", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_access_rule:get", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="Get details of a share access rule.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/share-access-rules/{share_access_id}"}], ), base.APIRule( - name="manila:share_access_rule:index", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + name="share_access_rule:index", + check_str=("(rule:system-reader) or (rule:project-reader)"), description="List access rules of a given share.", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/share-access-rules?share_id={share_id}&key1=value1&key2=value2", - }, - ], + operations=[{"method": "GET", "path": 
"/share-access-rules?share_id={share_id}&key1=value1&key2=value2"}], ), base.APIRule( - name="manila:share_access_metadata:update", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_access_metadata:update", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Set metadata for a share access rule.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/share-access-rules/{share_access_id}/metadata"}], ), base.APIRule( - name="manila:share_access_metadata:delete", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), + name="share_access_metadata:delete", + check_str=("(rule:system-admin) or (rule:project-member)"), description="Delete metadata for a share access rule.", scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/share-access-rules/{share_access_id}/metadata/{key}"}, - ], + operations=[{"method": "DELETE", "path": "/share-access-rules/{share_access_id}/metadata/{key}"}], ), ) diff --git a/skyline_apiserver/policy/manager/neutron.py b/skyline_apiserver/policy/manager/neutron.py index 24c0382..44a8d57 100644 --- a/skyline_apiserver/policy/manager/neutron.py +++ b/skyline_apiserver/policy/manager/neutron.py @@ -1,4 +1,5 @@ # flake8: noqa +# fmt: off from . import base @@ -85,9 +86,7 @@ list_rules = ( ), base.Rule( name="get_flavor_service_profile", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.", ), base.Rule( 
@@ -107,8 +106,8 @@ list_rules = ( ), base.Rule( name="restrict_wildcard", - check_str=("(not field:rbac_policy:target_tenant=*) or rule:admin_only"), - description="Definition of a wildcard target_tenant", + check_str=("(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only"), + description="Definition of a wildcard target_project", ), base.Rule( name="admin_or_sg_owner", 
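Review bot: The widened `restrict_wildcard` rule relies on a `field:` check type that is neutron-specific (neutron's own policy module registers it; oslo.policy does not ship one), and this diff does not show whether skyline's enforcer registers it. If it does not, oslo.policy's generic fallback treats `field:rbac_policy:target_tenant=*` as a lookup of a `field` key that neither the credentials nor the target carry, both `not field:...` terms become vacuously true, and the rule passes for every caller without ever reaching `rule:admin_only`. A comment on the rule would keep the next reader from assuming it enforces anything by itself, e.g. `# needs a registered "field" check; without one the "not field:" terms are always true`, ideally backed by a test that enforces `restrict_wildcard` for a non-admin against a wildcard target and expects denial. The description now says target_project while the check still covers both `target_tenant` and `target_project`, which is fine but worth saying in the description.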
@@ -127,101 +126,63 @@ list_rules = ( ), base.APIRule( name="get_address_group", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s or rule:shared_address_groups"), description="Get an address group", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/address-groups"}, - {"method": "GET", "path": "/address-groups/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/address-groups"}, {"method": "GET", "path": "/address-groups/{id}"}], ), base.APIRule( name="create_address_scope", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create an address scope", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/address-scopes"}], ), base.APIRule( name="create_address_scope:shared", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a shared address scope", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/address-scopes"}], ), base.APIRule( name="get_address_scope", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and 
project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s or rule:shared_address_scopes"), description="Get an address scope", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/address-scopes"}, - {"method": "GET", "path": "/address-scopes/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/address-scopes"}, {"method": "GET", "path": "/address-scopes/{id}"}], ), base.APIRule( name="update_address_scope", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update an address scope", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/address-scopes/{id}"}], ), base.APIRule( name="update_address_scope:shared", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``shared`` attribute of an address scope", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/address-scopes/{id}"}], ), base.APIRule( name="delete_address_scope", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete an address scope", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/address-scopes/{id}"}], ), base.APIRule( name="get_agent", check_str=("role:reader and system_scope:all"), - 
basic_check_str=("role:admin or role:reader"), description="Get an agent", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/agents"}, - {"method": "GET", "path": "/agents/{id}"}, - ], + operations=[{"method": "GET", "path": "/agents"}, {"method": "GET", "path": "/agents/{id}"}], ), base.APIRule( name="update_agent", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update an agent", scope_types=["system"], operations=[{"method": "PUT", "path": "/agents/{id}"}], @@ -229,7 +190,6 @@ list_rules = ( base.APIRule( name="delete_agent", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete an agent", scope_types=["system"], operations=[{"method": "DELETE", "path": "/agents/{id}"}], @@ -237,7 +197,6 @@ list_rules = ( base.APIRule( name="create_dhcp-network", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Add a network to a DHCP agent", scope_types=["system"], operations=[{"method": "POST", "path": "/agents/{agent_id}/dhcp-networks"}], @@ -245,7 +204,6 @@ list_rules = ( base.APIRule( name="get_dhcp-networks", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List networks on a DHCP agent", scope_types=["system"], operations=[{"method": "GET", "path": "/agents/{agent_id}/dhcp-networks"}], 
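Review bot: Dropping the `basic_check_str` keyword from every `base.APIRule` in this hunk (and in each following hunk through `@@ -417,218 +337,160 @@`) only works if `base.APIRule` no longer declares it as a required field; that change is not in this diff, so please confirm `base.py` was updated in the same commit, otherwise the module fails at import. Separately, `create_address_scope:shared` and `update_address_scope:shared` move from `role:admin and system_scope:all` to `role:admin and project_id:%(project_id)s` with `scope_types=["project"]`, which means a system-scoped admin token no longer matches and the check only succeeds when the enforcement target carries `project_id`. For `get_availability_zone` in the `@@ -295,39 +246,27 @@` hunk the removed fallback was `@`, oslo.policy's always-allow check, leaving `role:reader and system_scope:all` as the sole condition; that is a noticeable tightening for a listing call and deserves a line in the commit message. Since the file is marked `# fmt: off` like generated output, a header comment naming the neutron release these defaults mirror would make the next refresh reproducible, e.g. `# Defaults mirror neutron's policy registry; regenerate rather than hand-edit.`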
@@ -253,17 +211,13 @@ list_rules = ( base.APIRule( name="delete_dhcp-network", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Remove a network from a DHCP agent", scope_types=["system"], - operations=[ - {"method": "DELETE", "path": "/agents/{agent_id}/dhcp-networks/{network_id}"}, - ], + operations=[{"method": "DELETE", "path": "/agents/{agent_id}/dhcp-networks/{network_id}"}], ), base.APIRule( name="create_l3-router", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Add a router to an L3 agent", scope_types=["system"], operations=[{"method": "POST", "path": "/agents/{agent_id}/l3-routers"}], @@ -271,7 +225,6 @@ list_rules = ( base.APIRule( name="get_l3-routers", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List routers on an L3 agent", scope_types=["system"], operations=[{"method": "GET", "path": "/agents/{agent_id}/l3-routers"}], @@ -279,7 +232,6 @@ list_rules = ( base.APIRule( name="delete_l3-router", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Remove a router from an L3 agent", scope_types=["system"], operations=[{"method": "DELETE", "path": "/agents/{agent_id}/l3-routers/{router_id}"}], @@ -287,7 +239,6 @@ list_rules = ( base.APIRule( name="get_dhcp-agents", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List DHCP agents hosting a network", scope_types=["system"], operations=[{"method": "GET", "path": "/networks/{network_id}/dhcp-agents"}], 
@@ -295,39 +246,27 @@ list_rules = ( base.APIRule( name="get_l3-agents", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="List L3 agents hosting a router", scope_types=["system"], operations=[{"method": "GET", "path": "/routers/{router_id}/l3-agents"}], ), base.APIRule( name="get_auto_allocated_topology", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a project's auto-allocated topology", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/auto-allocated-topology/{project_id}"}], ), base.APIRule( name="delete_auto_allocated_topology", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete a project's auto-allocated topology", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/auto-allocated-topology/{project_id}"}], ), base.APIRule( name="get_availability_zone", check_str=("role:reader and system_scope:all"), - basic_check_str=("@"), description="List availability zones", scope_types=["system"], operations=[{"method": "GET", "path": "/availability_zones"}], 
@@ -335,30 +274,20 @@ list_rules = ( base.APIRule( name="create_flavor", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create a flavor", scope_types=["system"], operations=[{"method": "POST", "path": "/flavors"}], ), base.APIRule( name="get_flavor", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), description="Get a flavor", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/flavors"}, - {"method": "GET", "path": "/flavors/{id}"}, - ], + operations=[{"method": "GET", "path": "/flavors"}, {"method": "GET", "path": "/flavors/{id}"}], ), base.APIRule( name="update_flavor", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update a flavor", scope_types=["system"], operations=[{"method": "PUT", "path": "/flavors/{id}"}], @@ -366,7 +295,6 @@ list_rules = ( base.APIRule( name="delete_flavor", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete a flavor", scope_types=["system"], operations=[{"method": "DELETE", "path": "/flavors/{id}"}], @@ -374,7 +302,6 @@ list_rules = ( base.APIRule( name="create_service_profile", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create a service profile", scope_types=["system"], operations=[{"method": "POST", "path": "/service_profiles"}], 
@@ -382,18 +309,13 @@ list_rules = ( base.APIRule( name="get_service_profile", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get a service profile", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/service_profiles"}, - {"method": "GET", "path": "/service_profiles/{id}"}, - ], + operations=[{"method": "GET", "path": "/service_profiles"}, {"method": "GET", "path": "/service_profiles/{id}"}], ), base.APIRule( name="update_service_profile", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update a service profile", scope_types=["system"], operations=[{"method": "PUT", "path": "/service_profiles/{id}"}], @@ -401,7 +323,6 @@ list_rules = ( base.APIRule( name="delete_service_profile", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete a service profile", scope_types=["system"], operations=[{"method": "DELETE", "path": "/service_profiles/{id}"}], @@ -409,7 +330,6 @@ list_rules = ( base.APIRule( name="create_flavor_service_profile", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Associate a flavor with a service profile", scope_types=["system"], operations=[{"method": "POST", "path": "/flavors/{flavor_id}/service_profiles"}], 
@@ -417,218 +337,160 @@ list_rules = (
 base.APIRule(
 name="delete_flavor_service_profile",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Disassociate a flavor with a service profile",
 scope_types=["system"],
- operations=[
- {"method": "DELETE", "path": "/flavors/{flavor_id}/service_profiles/{profile_id}"},
- ],
+ operations=[{"method": "DELETE", "path": "/flavors/{flavor_id}/service_profiles/{profile_id}"}],
 ),
 base.APIRule(
 name="create_floatingip",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Create a floating IP",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/floatingips"}],
 ),
 base.APIRule(
 name="create_floatingip:floating_ip_address",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Create a floating IP with a specific IP address",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/floatingips"}],
 ),
 base.APIRule(
 name="get_floatingip",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:reader and project_id:%(project_id)s"),
 description="Get a floating IP",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/floatingips"},
- {"method": "GET", "path": "/floatingips/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/floatingips"}, {"method": "GET", "path": "/floatingips/{id}"}],
 ),
 base.APIRule(
 name="update_floatingip",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Update a floating IP",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/floatingips/{id}"}],
 ),
 base.APIRule(
 name="delete_floatingip",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Delete a floating IP",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/floatingips/{id}"}],
 ),
 base.APIRule(
 name="get_floatingip_pool",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:reader and project_id:%(project_id)s"),
 description="Get floating IP pools",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "GET", "path": "/floatingip_pools"}],
 ),
 base.APIRule(
 name="create_floatingip_port_forwarding",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Create a floating IP port forwarding",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/floatingips/{floatingip_id}/port_forwardings"}],
 ),
 base.APIRule(
 name="get_floatingip_port_forwarding",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:reader and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Get a floating IP port forwarding",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/floatingips/{floatingip_id}/port_forwardings"},
- {
- "method": "GET",
- "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/floatingips/{floatingip_id}/port_forwardings"}, {"method": "GET", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
 ),
 base.APIRule(
 name="update_floatingip_port_forwarding",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Update a floating IP port forwarding",
- scope_types=["system", "project"],
- operations=[
- {
- "method": "PUT",
- "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
 ),
 base.APIRule(
 name="delete_floatingip_port_forwarding",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Delete a floating IP port forwarding",
- scope_types=["system", "project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
 ),
 base.APIRule(
 name="create_router_conntrack_helper",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Create a router conntrack helper",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/routers/{router_id}/conntrack_helpers"}],
 ),
 base.APIRule(
 name="get_router_conntrack_helper",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:reader and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Get a router conntrack helper",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/routers/{router_id}/conntrack_helpers"},
- {
- "method": "GET",
- "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/routers/{router_id}/conntrack_helpers"}, {"method": "GET", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
 ),
 base.APIRule(
 name="update_router_conntrack_helper",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Update a router conntrack helper",
- scope_types=["system", "project"],
- operations=[
- {
- "method": "PUT",
- "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
 ),
 base.APIRule(
 name="delete_router_conntrack_helper",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
 description="Delete a router conntrack helper",
- scope_types=["system", "project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}",
- },
- ],
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
+ ),
+ base.APIRule(
+ name="create_local_ip",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Create a Local IP",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/local-ips"}],
+ ),
+ base.APIRule(
+ name="get_local_ip",
+ check_str=("role:reader and project_id:%(project_id)s"),
+ description="Get a Local IP",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/local-ips"}, {"method": "GET", "path": "/local-ips/{id}"}],
+ ),
+ base.APIRule(
+ name="update_local_ip",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Update a Local IP",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/local-ips/{id}"}],
+ ),
+ base.APIRule(
+ name="delete_local_ip",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Delete a Local IP",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/local-ips/{id}"}],
+ ),
+ base.APIRule(
+ name="create_local_ip_port_association",
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
+ description="Create a Local IP port association",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/local_ips/{local_ip_id}/port_associations"}],
+ ),
+ base.APIRule(
+ name="get_local_ip_port_association",
+ check_str=("role:reader and project_id:%(project_id)s or rule:ext_parent_owner"),
+ description="Get a Local IP port association",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/local_ips/{local_ip_id}/port_associations"}, {"method": "GET", "path": "/local_ips/{local_ip_id}/port_associations/{fixed_port_id}"}],
+ ),
+ base.APIRule(
+ name="delete_local_ip_port_association",
+ check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
+ description="Delete a Local IP port association",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/local_ips/{local_ip_id}/port_associations/{fixed_port_id}"}],
 ),
 base.APIRule(
 name="get_loggable_resource",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get loggable resources",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/log/loggable-resources"}],
@@ -636,7 +498,6 @@ list_rules = (
 base.APIRule(
 name="create_log",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create a network log",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/log/logs"}],
@@ -644,18 +505,13 @@ list_rules = (
 base.APIRule(
 name="get_log",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get a network log",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/log/logs"},
- {"method": "GET", "path": "/log/logs/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/log/logs"}, {"method": "GET", "path": "/log/logs/{id}"}],
 ),
 base.APIRule(
 name="update_log",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update a network log",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/log/logs/{id}"}],
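Review bot: The `create_floatingip`, `update_floatingip`, `delete_floatingip`, `get_floatingip_pool`, port-forwarding and conntrack-helper rules in this hunk drop the `(role:admin and system_scope:all)` alternative and narrow `scope_types` to `["project"]`, and `create_floatingip:floating_ip_address` moves from `role:admin and system_scope:all` to `role:admin and project_id:%(project_id)s`; the network attribute rules in hunk -663 and the port rules in hunk -1011 follow the same pattern. The practical effect is that a context carrying only system scope now evaluates to `allowed: False` for these rules where it was allowed before the change, and admin-only attributes are now gated on the admin role within the target project rather than on system scope. That matches the scoped defaults of a specific Neutron release, but nothing in the file records which one, so a deployment running an older Neutron will see this list report permissions that Neutron itself still enforces differently. Suggest a comment next to `list_rules` (outside this hunk), e.g. `# Generated from the Neutron policy defaults of release <RELEASE-PLACEHOLDER>; keep in sync with the deployed Neutron.`, and naming that release in the commit description.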
@@ -663,328 +519,265 @@ list_rules = (
 base.APIRule(
 name="delete_log",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Delete a network log",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/log/logs/{id}"}],
 ),
 base.APIRule(
 name="create_metering_label",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Create a metering label",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/metering/metering-labels"}],
 ),
 base.APIRule(
 name="get_metering_label",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("role:reader and project_id:%(project_id)s"),
 description="Get a metering label",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/metering/metering-labels"},
- {"method": "GET", "path": "/metering/metering-labels/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/metering/metering-labels"}, {"method": "GET", "path": "/metering/metering-labels/{id}"}],
 ),
 base.APIRule(
 name="delete_metering_label",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Delete a metering label",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/metering/metering-labels/{id}"}],
 ),
 base.APIRule(
 name="create_metering_label_rule",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Create a metering label rule",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/metering/metering-label-rules"}],
 ),
 base.APIRule(
 name="get_metering_label_rule",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("role:reader and project_id:%(project_id)s"),
 description="Get a metering label rule",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/metering/metering-label-rules"},
- {"method": "GET", "path": "/metering/metering-label-rules/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/metering/metering-label-rules"}, {"method": "GET", "path": "/metering/metering-label-rules/{id}"}],
 ),
 base.APIRule(
 name="delete_metering_label_rule",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Delete a metering label rule",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/metering/metering-label-rules/{id}"}],
 ),
+ base.APIRule(
+ name="create_ndp_proxy",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Create a ndp proxy",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/ndp_proxies"}],
+ ),
+ base.APIRule(
+ name="get_ndp_proxy",
+ check_str=("role:reader and project_id:%(project_id)s"),
+ description="Get a ndp proxy",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/ndp_proxies"}, {"method": "GET", "path": "/ndp_proxies/{id}"}],
+ ),
+ base.APIRule(
+ name="update_ndp_proxy",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Update a ndp proxy",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/ndp_proxies/{id}"}],
+ ),
+ base.APIRule(
+ name="delete_ndp_proxy",
+ check_str=("role:member and project_id:%(project_id)s"),
+ description="Delete a ndp proxy",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/ndp_proxies/{id}"}],
+ ),
 base.APIRule(
 name="create_network",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Create a network",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:shared",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Create a shared network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:router:external",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Create an external network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:is_default",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Specify ``is_default`` attribute when creating a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:port_security_enabled",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Specify ``port_security_enabled`` attribute when creating a network",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:segments",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Specify ``segments`` attribute when creating a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:provider:network_type",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Specify ``provider:network_type`` when creating a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:provider:physical_network",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Specify ``provider:physical_network`` when creating a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="create_network:provider:segmentation_id",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Specify ``provider:segmentation_id`` when creating a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/networks"}],
 ),
 base.APIRule(
 name="get_network",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
- ),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:reader and project_id:%(project_id)s or rule:shared or rule:external or rule:context_is_advsvc"),
 description="Get a network",
- scope_types=["system", "project"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network:router:external",
- check_str=(
- "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
- ),
- basic_check_str=("@"),
+ check_str=("role:reader and project_id:%(project_id)s"),
 description="Get ``router:external`` attribute of a network",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network:segments",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Get ``segments`` attribute of a network",
- scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network:provider:network_type",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Get ``provider:network_type`` attribute of a network",
- scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network:provider:physical_network",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Get ``provider:physical_network`` attribute of a network",
- scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network:provider:segmentation_id",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Get ``provider:segmentation_id`` attribute of a network",
- scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/networks"},
- {"method": "GET", "path": "/networks/{id}"},
- ],
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/networks"}, {"method": "GET", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Update a network",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:segments",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``segments`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:shared",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``shared`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:provider:network_type",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``provider:network_type`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:provider:physical_network",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``provider:physical_network`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:provider:segmentation_id",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``provider:segmentation_id`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:router:external",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``router:external`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:is_default",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("role:admin and project_id:%(project_id)s"),
 description="Update ``is_default`` attribute of a network",
- scope_types=["system"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="update_network:port_security_enabled",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Update ``port_security_enabled`` attribute of a network",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "PUT", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="delete_network",
- check_str=(
- "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
- ),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
+ check_str=("role:member and project_id:%(project_id)s"),
 description="Delete a network",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/networks/{id}"}],
 ),
 base.APIRule(
 name="get_network_ip_availability",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
 description="Get network IP availability",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/network-ip-availabilities"},
- {"method": "GET", "path": "/network-ip-availabilities/{network_id}"},
- ],
+ operations=[{"method": "GET", "path": "/network-ip-availabilities"}, {"method": "GET", "path": "/network-ip-availabilities/{network_id}"}],
 ),
 base.APIRule(
 name="create_network_segment_range",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Create a network segment range",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/network_segment_ranges"}],
@@ -992,18 +785,13 @@ list_rules = (
 base.APIRule(
 name="get_network_segment_range",
 check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Get a network segment range",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/network_segment_ranges"},
- {"method": "GET", "path": "/network_segment_ranges/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/network_segment_ranges"}, {"method": "GET", "path": "/network_segment_ranges/{id}"}],
 ),
 base.APIRule(
 name="update_network_segment_range",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
 description="Update a network segment range",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/network_segment_ranges/{id}"}],
@@ -1011,696 +799,489 @@ list_rules = ( base.APIRule( name="delete_network_segment_range", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete a network segment range", scope_types=["system"], operations=[{"method": "DELETE", "path": "/network_segment_ranges/{id}"}], ), base.APIRule( name="create_port", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:device_owner", - check_str=( - "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("not rule:network_device or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"), description="Specify ``device_owner`` attribute when creting a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:mac_address", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Specify ``mac_address`` attribute when creating a port", - scope_types=["system", "project"], 
+ scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:fixed_ips", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"), description="Specify ``fixed_ips`` information when creating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:fixed_ips:ip_address", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Specify IP address in ``fixed_ips`` when creating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:fixed_ips:subnet_id", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"), description="Specify subnet ID in ``fixed_ips`` when creating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": 
"/ports"}], ), base.APIRule( name="create_port:port_security_enabled", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Specify ``port_security_enabled`` attribute when creating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:binding:host_id", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``binding:host_id`` attribute when creating a port", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:binding:profile", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``binding:profile`` attribute when creating a port", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:binding:vnic_type", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Specify ``binding:vnic_type`` attribute when creating a port", scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:allowed_address_pairs", - check_str=( - "role:admin and system_scope:all 
or role:admin and project_id:%(project_id)s or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Specify ``allowed_address_pairs`` attribute when creating a port", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:allowed_address_pairs:mac_address", - check_str=( - "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Specify ``mac_address` of `allowed_address_pairs`` attribute when creating a port", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="create_port:allowed_address_pairs:ip_address", - check_str=( - "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Specify ``ip_address`` of ``allowed_address_pairs`` attribute when creating a port", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/ports"}], ), base.APIRule( name="get_port", - check_str=( - "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and 
project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or role:reader and project_id:%(project_id)s"), description="Get a port", - scope_types=["project", "system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/{id}"}], ), base.APIRule( name="get_port:binding:vif_type", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``binding:vif_type`` attribute of a port", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/{id}"}], ), base.APIRule( name="get_port:binding:vif_details", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``binding:vif_details`` attribute of a port", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/{id}"}], ), base.APIRule( name="get_port:binding:host_id", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``binding:host_id`` attribute of a port", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": 
"/ports/{id}"}], ), base.APIRule( name="get_port:binding:profile", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``binding:profile`` attribute of a port", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/{id}"}], ), base.APIRule( name="get_port:resource_request", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``resource_request`` attribute of a port", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/ports"}, - {"method": "GET", "path": "/ports/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/{id}"}], ), base.APIRule( name="update_port", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s or rule:context_is_advsvc"), description="Update a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:device_owner", - check_str=( - "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("not rule:network_device or rule:context_is_advsvc or 
rule:network_owner or role:admin and project_id:%(project_id)s"), description="Update ``device_owner`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:mac_address", - check_str=("role:admin and system_scope:all or rule:context_is_advsvc"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:context_is_advsvc"), description="Update ``mac_address`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:fixed_ips", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Specify ``fixed_ips`` information when updating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:fixed_ips:ip_address", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Specify IP address in ``fixed_ips`` information when updating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", 
"path": "/ports/{id}"}], ), base.APIRule( name="update_port:fixed_ips:subnet_id", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"), description="Specify subnet ID in ``fixed_ips`` information when updating a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:port_security_enabled", - check_str=( - "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"), description="Update ``port_security_enabled`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:binding:host_id", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``binding:host_id`` attribute of a port", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:binding:profile", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``binding:profile`` attribute of a port", - scope_types=["system"], + scope_types=["project"], 
operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:binding:vnic_type", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s or rule:context_is_advsvc"), description="Update ``binding:vnic_type`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:allowed_address_pairs", - check_str=( - "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Update ``allowed_address_pairs`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:allowed_address_pairs:mac_address", - check_str=( - "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Update ``mac_address`` of ``allowed_address_pairs`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:allowed_address_pairs:ip_address", - check_str=( - "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or 
rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s or rule:network_owner"), description="Update ``ip_address`` of ``allowed_address_pairs`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="update_port:data_plane_status", - check_str=("role:admin and system_scope:all or role:data_plane_integrator"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s or role:data_plane_integrator"), description="Update ``data_plane_status`` attribute of a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/ports/{id}"}], ), base.APIRule( name="delete_port", - check_str=( - "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:context_is_advsvc or role:member and project_id:%(project_id)s"), description="Delete a port", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/ports/{id}"}], ), base.APIRule( name="get_policy", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("@"), + check_str=("role:reader and project_id:%(project_id)s"), description="Get QoS policies", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/qos/policies"}, - {"method": "GET", "path": "/qos/policies/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/policies"}, {"method": "GET", "path": "/qos/policies/{id}"}], ), base.APIRule( name="create_policy", - 
check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a QoS policy", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/qos/policies"}], ), base.APIRule( name="update_policy", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS policy", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/qos/policies/{id}"}], ), base.APIRule( name="delete_policy", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS policy", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/qos/policies/{id}"}], ), base.APIRule( name="get_rule_type", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:admin or role:reader and system_scope:all"), description="Get available QoS rule types", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/qos/rule-types"}, - {"method": "GET", "path": "/qos/rule-types/{rule_type}"}, - ], + operations=[{"method": "GET", "path": "/qos/rule-types"}, {"method": "GET", "path": "/qos/rule-types/{rule_type}"}], ), base.APIRule( name="get_policy_bandwidth_limit_rule", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and 
project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS bandwidth limit rule", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"}, - { - "method": "GET", - "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}], ), base.APIRule( name="create_policy_bandwidth_limit_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a QoS bandwidth limit rule", - scope_types=["system"], - operations=[ - {"method": "POST", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"}], ), base.APIRule( name="update_policy_bandwidth_limit_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS bandwidth limit rule", - scope_types=["system"], - operations=[ - { - "method": "PUT", - "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}], ), base.APIRule( name="delete_policy_bandwidth_limit_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS bandwidth limit rule", - scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}", - }, - 
], + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"}], ), base.APIRule( name="get_policy_dscp_marking_rule", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS DSCP marking rule", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/qos/policies/{policy_id}/dscp_marking_rules"}, - {"method": "GET", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/dscp_marking_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}], ), base.APIRule( name="create_policy_dscp_marking_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a QoS DSCP marking rule", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/dscp_marking_rules"}], ), base.APIRule( name="update_policy_dscp_marking_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS DSCP marking rule", - scope_types=["system"], - operations=[ - {"method": "PUT", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}, - ], + scope_types=["project"], + operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}], ), base.APIRule( name="delete_policy_dscp_marking_rule", - check_str=("role:admin and 
system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS DSCP marking rule", - scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}], ), base.APIRule( name="get_policy_minimum_bandwidth_rule", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS minimum bandwidth rule", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"}, - { - "method": "GET", - "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}"}], ), base.APIRule( name="create_policy_minimum_bandwidth_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a QoS minimum bandwidth rule", - scope_types=["system"], - operations=[ - {"method": "POST", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"}], ), base.APIRule( name="update_policy_minimum_bandwidth_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + 
check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS minimum bandwidth rule", - scope_types=["system"], - operations=[ - { - "method": "PUT", - "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}"}], ), base.APIRule( name="delete_policy_minimum_bandwidth_rule", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS minimum bandwidth rule", - scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}"}], + ), + base.APIRule( + name="get_policy_minimum_packet_rate_rule", + check_str=("role:reader and project_id:%(project_id)s"), + description="Get a QoS minimum packet rate rule", + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/policies/{policy_id}/minimum_packet_rate_rules"}, {"method": "GET", "path": "/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}"}], + ), + base.APIRule( + name="create_policy_minimum_packet_rate_rule", + check_str=("role:admin and project_id:%(project_id)s"), + description="Create a QoS minimum packet rate rule", + scope_types=["project"], + operations=[{"method": "POST", "path": "/qos/policies/{policy_id}/minimum_packet_rate_rules"}], + ), + base.APIRule( + name="update_policy_minimum_packet_rate_rule", + check_str=("role:admin and project_id:%(project_id)s"), + description="Update a QoS minimum packet rate rule", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}"}], + ), + base.APIRule( + 
name="delete_policy_minimum_packet_rate_rule", + check_str=("role:admin and project_id:%(project_id)s"), + description="Delete a QoS minimum packet rate rule", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}"}], ), base.APIRule( name="get_alias_bandwidth_limit_rule", - check_str=("rule:get_policy_bandwidth_limit_rule"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS bandwidth limit rule through alias", scope_types=["project"], operations=[{"method": "GET", "path": "/qos/alias_bandwidth_limit_rules/{rule_id}/"}], ), base.APIRule( name="update_alias_bandwidth_limit_rule", - check_str=("rule:update_policy_bandwidth_limit_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS bandwidth limit rule through alias", scope_types=["project"], operations=[{"method": "PUT", "path": "/qos/alias_bandwidth_limit_rules/{rule_id}/"}], ), base.APIRule( name="delete_alias_bandwidth_limit_rule", - check_str=("rule:delete_policy_bandwidth_limit_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS bandwidth limit rule through alias", scope_types=["project"], operations=[{"method": "DELETE", "path": "/qos/alias_bandwidth_limit_rules/{rule_id}/"}], ), base.APIRule( name="get_alias_dscp_marking_rule", - check_str=("rule:get_policy_dscp_marking_rule"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS DSCP marking rule through 
alias", scope_types=["project"], operations=[{"method": "GET", "path": "/qos/alias_dscp_marking_rules/{rule_id}/"}], ), base.APIRule( name="update_alias_dscp_marking_rule", - check_str=("rule:update_policy_dscp_marking_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS DSCP marking rule through alias", scope_types=["project"], operations=[{"method": "PUT", "path": "/qos/alias_dscp_marking_rules/{rule_id}/"}], ), base.APIRule( name="delete_alias_dscp_marking_rule", - check_str=("rule:delete_policy_dscp_marking_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Delete a QoS DSCP marking rule through alias", scope_types=["project"], operations=[{"method": "DELETE", "path": "/qos/alias_dscp_marking_rules/{rule_id}/"}], ), base.APIRule( name="get_alias_minimum_bandwidth_rule", - check_str=("rule:get_policy_minimum_bandwidth_rule"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a QoS minimum bandwidth rule through alias", scope_types=["project"], operations=[{"method": "GET", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"}], ), base.APIRule( name="update_alias_minimum_bandwidth_rule", - check_str=("rule:update_policy_minimum_bandwidth_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update a QoS minimum bandwidth rule through alias", scope_types=["project"], operations=[{"method": "PUT", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"}], ), base.APIRule( name="delete_alias_minimum_bandwidth_rule", - check_str=("rule:delete_policy_minimum_bandwidth_rule"), - basic_check_str=("role:admin"), + check_str=("role:admin and 
project_id:%(project_id)s"), description="Delete a QoS minimum bandwidth rule through alias", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"}, - ], + operations=[{"method": "DELETE", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"}], + ), + base.APIRule( + name="get_alias_minimum_packet_rate_rule", + check_str=("rule:get_policy_minimum_packet_rate_rule"), + description="Get a QoS minimum packet rate rule through alias", + scope_types=["project"], + operations=[{"method": "GET", "path": "/qos/alias_minimum_packet_rate_rules/{rule_id}/"}], + ), + base.APIRule( + name="update_alias_minimum_packet_rate_rule", + check_str=("rule:update_policy_minimum_packet_rate_rule"), + description="Update a QoS minimum packet rate rule through alias", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/qos/alias_minimum_packet_rate_rules/{rule_id}/"}], + ), + base.APIRule( + name="delete_alias_minimum_packet_rate_rule", + check_str=("rule:delete_policy_minimum_packet_rate_rule"), + description="Delete a QoS minimum packet rate rule through alias", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/qos/alias_minimum_packet_rate_rules/{rule_id}/"}], ), base.APIRule( name="get_quota", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get a resource quota", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/quota"}, - {"method": "GET", "path": "/quota/{id}"}, - ], + operations=[{"method": "GET", "path": "/quota"}, {"method": "GET", "path": "/quota/{id}"}], ), base.APIRule( name="update_quota", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update a resource quota", scope_types=["system"], operations=[{"method": "PUT", "path": "/quota/{id}"}], 
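Review bot: The new `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant` check strings inline `not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*`, but `field:` is a check kind that neutron registers in its own policy module, not one oslo.policy ships with; unless skyline's enforcer registers a `field` handler, oslo.policy parses it with its generic fallback check, which evaluates false for an unknown kind, and the `not` then makes the whole parenthesised clause true for every caller. The visible consequence would be that skyline reports these two rules as allowed to any project member regardless of the wildcard target, diverging from what neutron itself enforces; I cannot see the enforcer setup from this hunk, so either confirm a `field` check is registered before these rules are loaded or keep the previous `rule:restrict_wildcard` indirection and add `# NOTE: field: checks need a handler registered with ENFORCER; plain oslo.policy cannot evaluate them` next to it. Separately, the three new `*_alias_minimum_packet_rate_rule` rules keep `check_str=("rule:get_policy_minimum_packet_rate_rule")`-style references while every other alias rule in this hunk was flattened to an inline `role:… and project_id:%(project_id)s` string; pick one form so the alias rules stay consistent and a later edit to the underlying rule cannot silently desynchronise them.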
@@ -1708,377 +1289,258 @@ list_rules = ( base.APIRule( name="delete_quota", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete a resource quota", scope_types=["system"], operations=[{"method": "DELETE", "path": "/quota/{id}"}], ), base.APIRule( name="create_rbac_policy", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("role:member and project_id:%(project_id)s"), description="Create an RBAC policy", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/rbac-policies"}], ), base.APIRule( name="create_rbac_policy:target_tenant", - check_str=("role:admin and system_scope:all or rule:restrict_wildcard"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"), description="Specify ``target_tenant`` when creating an RBAC policy", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/rbac-policies"}], ), base.APIRule( name="update_rbac_policy", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("role:member and project_id:%(project_id)s"), description="Update an RBAC policy", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/rbac-policies/{id}"}], ), base.APIRule( name="update_rbac_policy:target_tenant", - check_str=("role:admin and system_scope:all or rule:restrict_wildcard"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"), description="Update ``target_tenant`` attribute of an RBAC policy", - scope_types=["system", 
"project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/rbac-policies/{id}"}], ), base.APIRule( name="get_rbac_policy", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get an RBAC policy", - scope_types=["project", "system"], - operations=[ - {"method": "GET", "path": "/rbac-policies"}, - {"method": "GET", "path": "/rbac-policies/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/rbac-policies"}, {"method": "GET", "path": "/rbac-policies/{id}"}], ), base.APIRule( name="delete_rbac_policy", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=("role:admin"), + check_str=("role:member and project_id:%(project_id)s"), description="Delete an RBAC policy", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/rbac-policies/{id}"}], ), base.APIRule( name="create_router", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a router", scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="create_router:distributed", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``distributed`` attribute when creating a router", - scope_types=["system"], + scope_types=["project"], 
operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="create_router:ha", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``ha`` attribute when creating a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="create_router:external_gateway_info", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Specify ``external_gateway_info`` information when creating a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="create_router:external_gateway_info:network_id", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Specify ``network_id`` in ``external_gateway_info`` information when creating a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="create_router:external_gateway_info:enable_snat", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``enable_snat`` in ``external_gateway_info`` information when creating a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( 
name="create_router:external_gateway_info:external_fixed_ips", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``external_fixed_ips`` in ``external_gateway_info`` information when creating a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/routers"}], ), base.APIRule( name="get_router", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a router", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/routers"}, - {"method": "GET", "path": "/routers/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/routers"}, {"method": "GET", "path": "/routers/{id}"}], ), base.APIRule( name="get_router:distributed", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``distributed`` attribute of a router", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/routers"}, - {"method": "GET", "path": "/routers/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/routers"}, {"method": "GET", "path": "/routers/{id}"}], ), base.APIRule( name="get_router:ha", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``ha`` attribute of a router", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/routers"}, - {"method": "GET", "path": "/routers/{id}"}, - 
], + scope_types=["project"], + operations=[{"method": "GET", "path": "/routers"}, {"method": "GET", "path": "/routers/{id}"}], ), base.APIRule( name="update_router", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:distributed", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``distributed`` attribute of a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:ha", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``ha`` attribute of a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:external_gateway_info", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update ``external_gateway_info`` information of a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:external_gateway_info:network_id", - check_str=( - "(role:admin and system_scope:all) or 
(role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update ``network_id`` attribute of ``external_gateway_info`` information of a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:external_gateway_info:enable_snat", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``enable_snat`` attribute of ``external_gateway_info`` information of a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="update_router:external_gateway_info:external_fixed_ips", - check_str=("role:admin and system_scope:all"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``external_fixed_ips`` attribute of ``external_gateway_info`` information of a router", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}"}], ), base.APIRule( name="delete_router", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/routers/{id}"}], ), base.APIRule( name="add_router_interface", - check_str=( - "(role:admin and 
system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Add an interface to a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}/add_router_interface"}], ), base.APIRule( name="remove_router_interface", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Remove an interface from a router", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/routers/{id}/remove_router_interface"}], ), + base.APIRule( + name="add_extraroutes", + check_str=("role:member and project_id:%(project_id)s"), + description="Add extra route to a router", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/routers/{id}/add_extraroutes"}], + ), + base.APIRule( + name="remove_extraroutes", + check_str=("role:member and project_id:%(project_id)s"), + description="Remove extra route from a router", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/routers/{id}/remove_extraroutes"}], + ), base.APIRule( name="create_security_group", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a security group", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/security-groups"}], 
), base.APIRule( name="get_security_group", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a security group", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/security-groups"}, - {"method": "GET", "path": "/security-groups/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/security-groups"}, {"method": "GET", "path": "/security-groups/{id}"}], ), base.APIRule( name="update_security_group", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update a security group", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/security-groups/{id}"}], ), base.APIRule( name="delete_security_group", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete a security group", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/security-groups/{id}"}], ), base.APIRule( name="create_security_group_rule", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member 
and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a security group rule", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/security-group-rules"}], ), base.APIRule( name="get_security_group_rule", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s or rule:sg_owner"), description="Get a security group rule", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/security-group-rules"}, - {"method": "GET", "path": "/security-group-rules/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/security-group-rules"}, {"method": "GET", "path": "/security-group-rules/{id}"}], ), base.APIRule( name="delete_security_group_rule", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete a security group rule", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/security-group-rules/{id}"}], ), base.APIRule( name="create_segment", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Create a segment", scope_types=["system"], operations=[{"method": "POST", "path": "/segments"}], 
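Review bot: The new `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant` check strings rely on `field:rbac_policy:target_tenant=*` / `field:rbac_policy:target_project=*`, and the `field` check type is registered by Neutron's own policy engine rather than shipped by oslo.policy; unless the enforcer evaluating these rules registers an equivalent check and the target dict carries the `rbac_policy` attributes, that `or (...)` branch evaluates false and the rule quietly collapses to `role:admin and project_id:%(project_id)s`, which is fail-closed but makes the advertised permission misleading. The same caveat applies to the `rule:sg_owner` reference in `get_security_group_rule` here and to `rule:network_owner`, `rule:shared` and `rule:shared_subnetpools` in the hunk starting at `@@ -2105,321`, since those rules are evaluated against attributes of the target resource and must be defined in the rules list outside this diff. A comment on these entries, e.g. `# field:/rule: branches need resource attributes in the target; absent those, only the role/project branch applies`, would record the assumption for whoever maintains the target builder. The enclosing `list_rules` tuple starts and ends outside the hunk.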
@@ -2086,18 +1548,13 @@ list_rules = ( base.APIRule( name="get_segment", check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), description="Get a segment", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/segments"}, - {"method": "GET", "path": "/segments/{id}"}, - ], + operations=[{"method": "GET", "path": "/segments"}, {"method": "GET", "path": "/segments/{id}"}], ), base.APIRule( name="update_segment", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Update a segment", scope_types=["system"], operations=[{"method": "PUT", "path": "/segments/{id}"}], 
@@ -2105,321 +1562,202 @@ list_rules = ( base.APIRule( name="delete_segment", check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), description="Delete a segment", scope_types=["system"], operations=[{"method": "DELETE", "path": "/segments/{id}"}], ), base.APIRule( name="get_service_provider", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader"), description="Get service providers", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/service-providers"}], ), base.APIRule( name="create_subnet", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s or rule:network_owner"), description="Create a subnet", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/subnets"}], ), base.APIRule( name="create_subnet:segment_id", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``segment_id`` attribute when creating a subnet", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/subnets"}], ), base.APIRule( name="create_subnet:service_types", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``service_types`` attribute when creating a subnet", - scope_types=["system"], + scope_types=["project"], 
operations=[{"method": "POST", "path": "/subnets"}], ), base.APIRule( name="get_subnet", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s or rule:shared"), description="Get a subnet", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/subnets"}, - {"method": "GET", "path": "/subnets/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/subnets"}, {"method": "GET", "path": "/subnets/{id}"}], ), base.APIRule( name="get_subnet:segment_id", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("role:admin and project_id:%(project_id)s"), description="Get ``segment_id`` attribute of a subnet", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/subnets"}, - {"method": "GET", "path": "/subnets/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/subnets"}, {"method": "GET", "path": "/subnets/{id}"}], ), base.APIRule( name="update_subnet", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s or rule:network_owner"), description="Update a subnet", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnets/{id}"}], ), base.APIRule( name="update_subnet:segment_id", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and 
project_id:%(project_id)s"), description="Update ``segment_id`` attribute of a subnet", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnets/{id}"}], ), base.APIRule( name="update_subnet:service_types", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``service_types`` attribute of a subnet", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnets/{id}"}], ), base.APIRule( name="delete_subnet", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s or rule:network_owner"), description="Delete a subnet", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/subnets/{id}"}], ), base.APIRule( name="create_subnetpool", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a subnetpool", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/subnetpools"}], ), base.APIRule( name="create_subnetpool:shared", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Create a shared subnetpool", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/subnetpools"}], ), base.APIRule( name="create_subnetpool:is_default", - 
check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Specify ``is_default`` attribute when creating a subnetpool", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/subnetpools"}], ), base.APIRule( name="get_subnetpool", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s or rule:shared_subnetpools"), description="Get a subnetpool", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/subnetpools"}, - {"method": "GET", "path": "/subnetpools/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/subnetpools"}, {"method": "GET", "path": "/subnetpools/{id}"}], ), base.APIRule( name="update_subnetpool", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update a subnetpool", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnetpools/{id}"}], ), base.APIRule( name="update_subnetpool:is_default", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("role:admin and project_id:%(project_id)s"), description="Update ``is_default`` attribute of a subnetpool", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnetpools/{id}"}], ), base.APIRule( name="delete_subnetpool", - 
check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete a subnetpool", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/subnetpools/{id}"}], ), base.APIRule( name="onboard_network_subnets", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Onboard existing subnet into a subnetpool", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnetpools/{id}/onboard_network_subnets"}], ), base.APIRule( name="add_prefixes", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Add prefixes to a subnetpool", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/subnetpools/{id}/add_prefixes"}], ), base.APIRule( name="remove_prefixes", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Remove unallocated prefixes from a subnetpool", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", 
"path": "/subnetpools/{id}/remove_prefixes"}], ), base.APIRule( name="create_trunk", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Create a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/trunks"}], ), base.APIRule( name="get_trunk", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="Get a trunk", - scope_types=["project", "system"], - operations=[ - {"method": "GET", "path": "/trunks"}, - {"method": "GET", "path": "/trunks/{id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/trunks"}, {"method": "GET", "path": "/trunks/{id}"}], ), base.APIRule( name="update_trunk", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Update a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/trunks/{id}"}], ), base.APIRule( name="delete_trunk", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and 
project_id:%(project_id)s"), description="Delete a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/trunks/{id}"}], ), base.APIRule( name="get_subports", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("role:reader and project_id:%(project_id)s"), description="List subports attached to a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/trunks/{id}/get_subports"}], ), base.APIRule( name="add_subports", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Add subports to a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/trunks/{id}/add_subports"}], ), base.APIRule( name="remove_subports", - check_str=( - "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" - ), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("role:member and project_id:%(project_id)s"), description="Delete subports from a trunk", - scope_types=["project", "system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/trunks/{id}/remove_subports"}], ), base.APIRule( name="create_endpoint_group", check_str=("rule:regular_user"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create 
a VPN endpoint group", scope_types=["project"], operations=[{"method": "POST", "path": "/vpn/endpoint-groups"}], @@ -2427,9 +1765,6 @@ list_rules = ( base.APIRule( name="update_endpoint_group", check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a VPN endpoint group", scope_types=["project"], operations=[{"method": "PUT", "path": "/vpn/endpoint-groups/{id}"}], @@ -2437,9 +1772,6 @@ list_rules = ( base.APIRule( name="delete_endpoint_group", check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Delete a VPN endpoint group", scope_types=["project"], operations=[{"method": "DELETE", "path": "/vpn/endpoint-groups/{id}"}], @@ -2447,22 +1779,13 @@ list_rules = ( base.APIRule( name="get_endpoint_group", check_str=("rule:admin_or_owner"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Get VPN endpoint groups", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/vpn/endpoint-groups"}, - {"method": "GET", "path": "/vpn/endpoint-groups/{id}"}, - ], + operations=[{"method": "GET", "path": "/vpn/endpoint-groups"}, {"method": "GET", "path": "/vpn/endpoint-groups/{id}"}], ), base.APIRule( name="create_ikepolicy", check_str=("rule:regular_user"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create an IKE policy", scope_types=["project"], operations=[{"method": "POST", "path": "/vpn/ikepolicies"}], 
@@ -2470,9 +1793,6 @@ list_rules = (
 base.APIRule(
 name="update_ikepolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Update an IKE policy",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/vpn/ikepolicies/{id}"}],
@@ -2480,9 +1800,6 @@ list_rules = (
 base.APIRule(
 name="delete_ikepolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Delete an IKE policy",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/vpn/ikepolicies/{id}"}],
@@ -2490,22 +1807,13 @@ list_rules = (
 base.APIRule(
 name="get_ikepolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
 description="Get IKE policyies",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/vpn/ikepolicies"},
- {"method": "GET", "path": "/vpn/ikepolicies/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/vpn/ikepolicies"}, {"method": "GET", "path": "/vpn/ikepolicies/{id}"}],
 ),
 base.APIRule(
 name="create_ipsecpolicy",
 check_str=("rule:regular_user"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create an IPsec policy",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/vpn/ipsecpolicies"}],
@@ -2513,9 +1821,6 @@ list_rules = (
 base.APIRule(
 name="update_ipsecpolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Update an IPsec policy",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/vpn/ipsecpolicies/{id}"}],
@@ -2523,9 +1828,6 @@ list_rules = (
 base.APIRule(
 name="delete_ipsecpolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Delete an IPsec policy",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/vpn/ipsecpolicies/{id}"}],
@@ -2533,22 +1835,13 @@ list_rules = (
 base.APIRule(
 name="get_ipsecpolicy",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
 description="Get IPsec policies",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/vpn/ipsecpolicies"},
- {"method": "GET", "path": "/vpn/ipsecpolicies/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/vpn/ipsecpolicies"}, {"method": "GET", "path": "/vpn/ipsecpolicies/{id}"}],
 ),
 base.APIRule(
 name="create_ipsec_site_connection",
 check_str=("rule:regular_user"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create an IPsec site connection",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/vpn/ipsec-site-connections"}],
@@ -2556,9 +1849,6 @@ list_rules = (
 base.APIRule(
 name="update_ipsec_site_connection",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Update an IPsec site connection",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/vpn/ipsec-site-connections/{id}"}],
@@ -2566,9 +1856,6 @@ list_rules = (
 base.APIRule(
 name="delete_ipsec_site_connection",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Delete an IPsec site connection",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/vpn/ipsec-site-connections/{id}"}],
@@ -2576,22 +1863,13 @@ list_rules = (
 base.APIRule(
 name="get_ipsec_site_connection",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
 description="Get IPsec site connections",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/vpn/ipsec-site-connections"},
- {"method": "GET", "path": "/vpn/ipsec-site-connections/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/vpn/ipsec-site-connections"}, {"method": "GET", "path": "/vpn/ipsec-site-connections/{id}"}],
 ),
 base.APIRule(
 name="create_vpnservice",
 check_str=("rule:regular_user"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create a VPN service",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/vpn/vpnservices"}],
@@ -2599,9 +1877,6 @@ list_rules = (
 base.APIRule(
 name="update_vpnservice",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Update a VPN service",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/vpn/vpnservices/{id}"}],
@@ -2609,9 +1884,6 @@ list_rules = (
 base.APIRule(
 name="delete_vpnservice",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Delete a VPN service",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/vpn/vpnservices/{id}"}],
@@ -2619,15 +1891,9 @@ list_rules = (
 base.APIRule(
 name="get_vpnservice",
 check_str=("rule:admin_or_owner"),
- basic_check_str=(
- "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
- ),
 description="Get VPN services",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/vpn/vpnservices"},
- {"method": "GET", "path": "/vpn/vpnservices/{id}"},
- ],
+ operations=[{"method": "GET", "path": "/vpn/vpnservices"}, {"method": "GET", "path": "/vpn/vpnservices/{id}"}],
 ),
 )
diff --git a/skyline_apiserver/policy/manager/nova.py b/skyline_apiserver/policy/manager/nova.py
index 8cf19e5..340d73d 100644
--- a/skyline_apiserver/policy/manager/nova.py
+++ b/skyline_apiserver/policy/manager/nova.py
@@ -1,4 +1,5 @@
 # flake8: noqa
+# fmt: off
 from . import base
@@ -18,16 +19,6 @@ list_rules = (
 check_str=("is_admin:True"),
 description="Default rule for most Admin APIs.",
 ),
- base.Rule(
- name="system_admin_api",
- check_str=("role:admin and system_scope:all"),
- description="Default rule for System Admin APIs.",
- ),
- base.Rule(
- name="system_reader_api",
- check_str=("role:reader and system_scope:all"),
- description="Default rule for System level read only APIs.",
- ),
 base.Rule(
 name="project_admin_api",
 check_str=("role:admin and project_id:%(project_id)s"),
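Review bot: Deleting the `system_admin_api` and `system_reader_api` base rules is only safe if no `rule:system_admin_api` or `rule:system_reader_api` reference survives anywhere the same enforcer loads — the rest of this file, the other manager modules, and any operator-supplied policy override — because a reference to an undefined rule is evaluated as a denial rather than a load-time error (that is oslo.policy's RuleCheck behaviour; I assume skyline's enforcer does the same). The hunks visible here rewrite every reference inside nova.py, but the remainder of the file and the other services are out of view, so a pre-merge search such as `grep -rn 'rule:system_\(admin\|reader\)_api' skyline_apiserver/policy/manager/` is worth running and the removal is worth calling out in the commit message, since an operator policy.yaml that still names these rules will silently start denying instead of failing loudly.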
@@ -44,408 +35,293 @@ list_rules = ( description="Default rule for Project level read only APIs.", ), base.Rule( - name="system_admin_or_owner", - check_str=("rule:system_admin_api or rule:project_member_api"), - description="Default rule for System admin+owner APIs.", - ), - base.Rule( - name="system_or_project_reader", - check_str=("rule:system_reader_api or rule:project_reader_api"), - description="Default rule for System+Project read only APIs.", + name="project_reader_or_admin", + check_str=("rule:project_reader_api or rule:context_is_admin"), + description="Default rule for Project reader and admin APIs.", ), base.APIRule( name="os_compute_api:os-admin-actions:reset_state", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Reset the state of a given server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-resetState)"}], ), base.APIRule( name="os_compute_api:os-admin-actions:inject_network_info", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Inject network information into the server", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (injectNetworkInfo)"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/action (injectNetworkInfo)"}], ), base.APIRule( name="os_compute_api:os-admin-password", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Change the administrative password for a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (changePassword)"}], 
), base.APIRule( name="os_compute_api:os-aggregates:set_metadata", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create or replace metadata for an aggregate", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (set_metadata)"}, - ], + operations=[{"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (set_metadata)"}], ), base.APIRule( name="os_compute_api:os-aggregates:add_host", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Add a host to an aggregate", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (add_host)"}, - ], + operations=[{"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (add_host)"}], ), base.APIRule( name="os_compute_api:os-aggregates:create", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create an aggregate", scope_types=["system"], operations=[{"method": "POST", "path": "/os-aggregates"}], ), base.APIRule( name="os_compute_api:os-aggregates:remove_host", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Remove a host from an aggregate", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (remove_host)"}, - ], + operations=[{"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (remove_host)"}], ), base.APIRule( name="os_compute_api:os-aggregates:update", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update name and/or availability zone for an aggregate", scope_types=["system"], operations=[{"method": "PUT", "path": "/os-aggregates/{aggregate_id}"}], ), base.APIRule( 
name="os_compute_api:os-aggregates:index", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all aggregates", scope_types=["system"], operations=[{"method": "GET", "path": "/os-aggregates"}], ), base.APIRule( name="os_compute_api:os-aggregates:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Delete an aggregate", scope_types=["system"], operations=[{"method": "DELETE", "path": "/os-aggregates/{aggregate_id}"}], ), base.APIRule( name="os_compute_api:os-aggregates:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Show details for an aggregate", scope_types=["system"], operations=[{"method": "GET", "path": "/os-aggregates/{aggregate_id}"}], ), base.APIRule( name="compute:aggregates:images", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Request image caching for an aggregate", scope_types=["system"], operations=[{"method": "POST", "path": "/os-aggregates/{aggregate_id}/images"}], ), base.APIRule( name="os_compute_api:os-assisted-volume-snapshots:create", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create an assisted volume snapshot", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-assisted-volume-snapshots"}], ), base.APIRule( name="os_compute_api:os-assisted-volume-snapshots:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Delete an assisted volume snapshot", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-assisted-volume-snapshots/{snapshot_id}"}], ), 
base.APIRule( name="os_compute_api:os-attach-interfaces:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List port interfaces attached to a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show details of a port interface attached to a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-interface/{port_id}"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Attach an interface to a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Detach an interface from a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", 
"path": "/servers/{server_id}/os-interface/{port_id}"}], ), base.APIRule( name="os_compute_api:os-availability-zone:list", check_str=("@"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List availability zone information without host information", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/os-availability-zone"}], ), base.APIRule( name="os_compute_api:os-availability-zone:detail", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List detailed availability zone information with host information", scope_types=["system"], operations=[{"method": "GET", "path": "/os-availability-zone/detail"}], ), base.APIRule( name="os_compute_api:os-baremetal-nodes:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List and show details of bare metal nodes.\n#\n#These APIs are proxy calls to the Ironic service and are deprecated.\n#", scope_types=["system"], operations=[{"method": "GET", "path": "/os-baremetal-nodes"}], ), base.APIRule( name="os_compute_api:os-baremetal-nodes:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Show action details for a server.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-baremetal-nodes/{node_id}"}], ), base.APIRule( name="os_compute_api:os-console-auth-tokens", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Show console connection information for a given console authentication token", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": 
"/os-console-auth-tokens/{console_token}"}], ), base.APIRule( name="os_compute_api:os-console-output", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Show console output for a server", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (os-getConsoleOutput)"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-getConsoleOutput)"}], ), base.APIRule( name="os_compute_api:os-create-backup", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create a back up of a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (createBackup)"}], ), base.APIRule( name="os_compute_api:os-deferred-delete:restore", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Restore a soft deleted server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (restore)"}], ), base.APIRule( name="os_compute_api:os-deferred-delete:force", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Force delete a server before deferred cleanup", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": 
"POST", "path": "/servers/{server_id}/action (forceDelete)"}], ), base.APIRule( name="os_compute_api:os-evacuate", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Evacuate a server from a failed host to a new host", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (evacuate)"}], ), base.APIRule( name="os_compute_api:os-extended-server-attributes", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:reader"), - description="Return extended attributes for server.\n#\n#This rule will control the visibility for a set of servers attributes:\n#\n#- ``OS-EXT-SRV-ATTR:host``\n#- ``OS-EXT-SRV-ATTR:instance_name``\n#- ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3)\n#\n#Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}``\n#and ``POST /servers/{server_id}/action (rebuild)`` API responses which are\n#also controlled by this policy rule, like the ``GET /servers*`` APIs.\n#", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{id}"}, - {"method": "GET", "path": "/servers/detail"}, - {"method": "PUT", "path": "/servers/{server_id}"}, - {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}, - ], + check_str=("rule:project_admin_api"), + description="Return extended attributes for server.\n#\n#This rule will control the visibility for a set of servers attributes:\n#\n#- ``OS-EXT-SRV-ATTR:host``\n#- ``OS-EXT-SRV-ATTR:instance_name``\n#- 
``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3)\n#\n#Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}``\n#and ``POST /servers/{server_id}/action (rebuild)`` API responses which are\n#also controlled by this policy rule, like the ``GET /servers*`` APIs.\n#\n#Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute available to\n#all users, so this policy has no effect on that field for microversions 2.90\n#and greater. Controlling the visibility of this attribute for all microversions\n#is therefore deprecated and will be removed in a future release.\n#", + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:extensions", check_str=("@"), - basic_check_str=("@"), description="List available extensions and show information for an extension by alias", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/extensions"}, - {"method": "GET", "path": "/extensions/{alias}"}, - ], + operations=[{"method": "GET", "path": "/extensions"}, {"method": "GET", "path": "/extensions/{alias}"}], ), base.APIRule( name="os_compute_api:os-flavor-access:add_tenant_access", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Add flavor access to a tenant", scope_types=["system"], operations=[{"method": "POST", "path": "/flavors/{flavor_id}/action 
(addTenantAccess)"}], ), base.APIRule( name="os_compute_api:os-flavor-access:remove_tenant_access", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Remove flavor access from a tenant", scope_types=["system"], - operations=[ - {"method": "POST", "path": "/flavors/{flavor_id}/action (removeTenantAccess)"}, - ], + operations=[{"method": "POST", "path": "/flavors/{flavor_id}/action (removeTenantAccess)"}], ), base.APIRule( name="os_compute_api:os-flavor-access", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List flavor access information\n#\n#Allows access to the full list of tenants that have access\n#to a flavor via an os-flavor-access API.\n#", scope_types=["system"], operations=[{"method": "GET", "path": "/flavors/{flavor_id}/os-flavor-access"}], ), base.APIRule( name="os_compute_api:os-flavor-extra-specs:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_or_admin"), description="Show an extra spec for a flavor", scope_types=["system", "project"], - operations=[ - { - "method": "GET", - "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - }, - ], + operations=[{"method": "GET", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}"}], ), base.APIRule( name="os_compute_api:os-flavor-extra-specs:create", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create extra specs for a flavor", scope_types=["system"], operations=[{"method": "POST", "path": "/flavors/{flavor_id}/os-extra_specs/"}], ), base.APIRule( name="os_compute_api:os-flavor-extra-specs:update", - 
check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update an extra spec for a flavor", scope_types=["system"], - operations=[ - { - "method": "PUT", - "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - }, - ], + operations=[{"method": "PUT", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}"}], ), base.APIRule( name="os_compute_api:os-flavor-extra-specs:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Delete an extra spec for a flavor", scope_types=["system"], - operations=[ - { - "method": "DELETE", - "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - }, - ], + operations=[{"method": "DELETE", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}"}], ), base.APIRule( name="os_compute_api:os-flavor-extra-specs:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), - description="List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.", + check_str=("rule:project_reader_or_admin"), + description="List extra specs for a flavor. 
Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.", scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/flavors/{flavor_id}/os-extra_specs/"}, - {"method": "GET", "path": "/servers/detail"}, - {"method": "GET", "path": "/servers/{server_id}"}, - {"method": "PUT", "path": "/servers/{server_id}"}, - {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}, - {"method": "POST", "path": "/flavors"}, - {"method": "GET", "path": "/flavors/detail"}, - {"method": "GET", "path": "/flavors/{flavor_id}"}, - {"method": "PUT", "path": "/flavors/{flavor_id}"}, - ], + operations=[{"method": "GET", "path": "/flavors/{flavor_id}/os-extra_specs/"}, {"method": "POST", "path": "/flavors"}, {"method": "GET", "path": "/flavors/detail"}, {"method": "GET", "path": "/flavors/{flavor_id}"}, {"method": "PUT", "path": "/flavors/{flavor_id}"}], ), base.APIRule( name="os_compute_api:os-flavor-manage:create", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create a flavor", scope_types=["system"], operations=[{"method": "POST", "path": "/flavors"}], ), base.APIRule( name="os_compute_api:os-flavor-manage:update", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update a flavor", scope_types=["system"], operations=[{"method": "PUT", "path": "/flavors/{flavor_id}"}], ), base.APIRule( name="os_compute_api:os-flavor-manage:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Delete a flavor", scope_types=["system"], operations=[{"method": "DELETE", "path": "/flavors/{flavor_id}"}], 
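Review bot: Every rule in this hunk that used to require `role:admin and system_scope:all` now resolves to `rule:context_is_admin`, and the only definition of that rule visible in this file (the `check_str=("is_admin:True")` context line in the earlier hunk of nova.py, which appears to be the context_is_admin rule) keys on an `is_admin` credential rather than on a Keystone role or token scope, so for aggregates, flavor-manage, flavor-access and extra-specs the local authorize result now depends entirely on whether the credentials handed to the enforcer carry that key; nothing in the hunk shows where it is set, so please confirm the context builder derives it the way Nova derives `context.is_admin` (presumably from the admin role), otherwise these rules evaluate False for every user. The hunk also narrows `os-assisted-volume-snapshots:*` and `os-console-auth-tokens` to project scope while the aggregate rules stay system-scoped; that looks like a faithful regeneration from upstream Nova but cannot be verified from here, so a file-level comment next to `# fmt: off` naming the Nova release the rules were generated from would make the next regeneration reviewable. Finally, the new `os-extended-server-attributes` description still embeds the sample-file comment prefixes (`\n#\n#This rule will control…`); if `description` is surfaced to API clients, the generator should strip the `#` so the text reads cleanly.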
@@ -453,285 +329,223 @@ list_rules = ( base.APIRule( name="os_compute_api:os-floating-ip-pools", check_str=("@"), - basic_check_str=("@"), description="List floating IP pools. This API is deprecated.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/os-floating-ip-pools"}], ), base.APIRule( name="os_compute_api:os-floating-ips:add", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Associate floating IPs to server. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addFloatingIp)"}], ), base.APIRule( name="os_compute_api:os-floating-ips:remove", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Disassociate floating IPs to server. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeFloatingIp)"}], ), base.APIRule( name="os_compute_api:os-floating-ips:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List floating IPs. 
This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-floating-ips"}], ), base.APIRule( name="os_compute_api:os-floating-ips:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create floating IPs. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-floating-ips"}], ), base.APIRule( name="os_compute_api:os-floating-ips:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show floating IPs. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-floating-ips/{floating_ip_id}"}], ), base.APIRule( name="os_compute_api:os-floating-ips:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete floating IPs. 
This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-floating-ips/{floating_ip_id}"}], ), base.APIRule( name="os_compute_api:os-hosts:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List physical hosts.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hosts"}], ), base.APIRule( name="os_compute_api:os-hosts:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Show physical host.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hosts/{host_name}"}], ), base.APIRule( name="os_compute_api:os-hosts:update", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update physical host.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "PUT", "path": "/os-hosts/{host_name}"}], ), base.APIRule( name="os_compute_api:os-hosts:reboot", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Reboot physical host.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hosts/{host_name}/reboot"}], ), base.APIRule( name="os_compute_api:os-hosts:shutdown", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Shutdown physical host.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "GET", "path": 
"/os-hosts/{host_name}/shutdown"}], ), base.APIRule( name="os_compute_api:os-hosts:start", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Start physical host.\n#\n#This API is deprecated in favor of os-hypervisors and os-services.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hosts/{host_name}/startup"}], ), base.APIRule( name="os_compute_api:os-hypervisors:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all hypervisors.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hypervisors"}], ), base.APIRule( name="os_compute_api:os-hypervisors:list-detail", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all hypervisors with details", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hypervisors/details"}], ), base.APIRule( name="os_compute_api:os-hypervisors:statistics", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Show summary statistics for all hypervisors over all compute nodes.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hypervisors/statistics"}], ), base.APIRule( name="os_compute_api:os-hypervisors:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Show details for a hypervisor.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-hypervisors/{hypervisor_id}"}], ), base.APIRule( name="os_compute_api:os-hypervisors:uptime", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Show the uptime of a hypervisor.", 
scope_types=["system"], operations=[{"method": "GET", "path": "/os-hypervisors/{hypervisor_id}/uptime"}], ), base.APIRule( name="os_compute_api:os-hypervisors:search", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="Search hypervisor by hypervisor_hostname pattern.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/search"}, - ], + operations=[{"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/search"}], ), base.APIRule( name="os_compute_api:os-hypervisors:servers", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all servers on hypervisors that can match the provided hypervisor_hostname pattern.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/servers"}, - ], + operations=[{"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/servers"}], ), base.APIRule( name="os_compute_api:os-instance-actions:events:details", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Add \"details\" key in action events for a server.\n#\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.84, new field 'details' is exposed via API which can have more details about\n#event failure. That field is controlled by this policy which is system reader\n#by default. Making the 'details' field visible to the non-admin user helps to\n#understand the nature of the problem (i.e. if the action can be retried),\n#but in the other hand it might leak information about the deployment\n#(e.g. 
the type of the hypervisor).\n#", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], ), base.APIRule( name="os_compute_api:os-instance-actions:events", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s"), + check_str=("rule:project_admin_api"), description="Add events details in action details for a server.\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.51, events details are always included; traceback information is provided\n#per event if policy enforcement passes. Beginning with Microversion 2.62,\n#each event includes a hashed host identifier and, if policy enforcement\n#passes, the name of the host.", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], ), base.APIRule( name="os_compute_api:os-instance-actions:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List actions for a server.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions"}], ), base.APIRule( name="os_compute_api:os-instance-actions:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s 
or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show action details for a server.", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], ), base.APIRule( name="os_compute_api:os-instance-usage-audit-log:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all usage audits.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-instance_usage_audit_log"}], ), base.APIRule( name="os_compute_api:os-instance-usage-audit-log:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all usage audits occurred before a specified time for all servers on all compute hosts where usage auditing is configured", scope_types=["system"], operations=[{"method": "GET", "path": "/os-instance_usage_audit_log/{before_timestamp}"}], ), base.APIRule( name="os_compute_api:ips:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show IP addresses details for a network label of a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/ips/{network_label}"}], ), base.APIRule( name="os_compute_api:ips:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member 
and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List IP addresses that are assigned to a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/ips"}], ), base.APIRule( name="os_compute_api:os-keypairs:index", - check_str=("(rule:system_reader_api) or user_id:%(user_id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("(rule:context_is_admin) or user_id:%(user_id)s"), description="List all keypairs", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/os-keypairs"}], ), base.APIRule( name="os_compute_api:os-keypairs:create", - check_str=("(rule:system_admin_api) or user_id:%(user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), + check_str=("(rule:context_is_admin) or user_id:%(user_id)s"), description="Create a keypair", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/os-keypairs"}], ), base.APIRule( name="os_compute_api:os-keypairs:delete", - check_str=("(rule:system_admin_api) or user_id:%(user_id)s"), - basic_check_str=("role:admin or user_id:%(user_id)s"), + check_str=("(rule:context_is_admin) or user_id:%(user_id)s"), description="Delete a keypair", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/os-keypairs/{keypair_name}"}], ), base.APIRule( name="os_compute_api:os-keypairs:show", - check_str=("(rule:system_reader_api) or user_id:%(user_id)s"), - basic_check_str=("role:admin or role:reader or user_id:%(user_id)s"), + check_str=("(rule:context_is_admin) or user_id:%(user_id)s"), description="Show details of a keypair", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/os-keypairs/{keypair_name}"}], 
@@ -739,644 +553,468 @@ list_rules = ( base.APIRule( name="os_compute_api:limits", check_str=("@"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show rate and absolute limits for the current user project", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/limits"}], ), base.APIRule( name="os_compute_api:limits:other_project", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Show rate and absolute limits of other project.\n#\n#This policy only checks if the user has access to the requested\n#project limits. And this check is performed only after the check\n#os_compute_api:limits passes", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/limits"}], ), base.APIRule( name="os_compute_api:os-lock-server:lock", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Lock a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (lock)"}], ), base.APIRule( name="os_compute_api:os-lock-server:unlock", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Unlock a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unlock)"}], ), base.APIRule( name="os_compute_api:os-lock-server:unlock:unlock_override", - 
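Review bot: The description of `os_compute_api:os-instance-actions:events:details` still says the field "is controlled by this policy which is system reader by default", but the new check_str on that same rule is `rule:project_admin_api` with `scope_types=["project"]`, so the description now contradicts the check it documents. Because the description itself notes that the 'details' field can expose deployment information (e.g. the hypervisor type), a reader of this file should be able to see the effective default at a glance; either update the sentence to `...which is project admin by default.` or drop the default-naming sentence if these descriptions are kept verbatim from upstream. The rules `rule:context_is_admin`, `rule:project_admin_api`, `rule:project_reader_api` and `rule:project_member_api` that the new check_strs reference are not defined anywhere in this hunk, so presumably they are defined as base rules earlier in `list_rules`; it is worth confirming they were added in the same commit, since a check_str that names an undefined rule would not evaluate as intended at enforcement time. The `list_rules` tuple continues outside the hunk in both directions.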
check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:project_admin_api"), description="Unlock a server, regardless who locked the server.\n#\n#This check is performed only after the check\n#os_compute_api:os-lock-server:unlock passes", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unlock)"}], ), base.APIRule( name="os_compute_api:os-migrate-server:migrate", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:project_admin_api"), description="Cold migrate a server to a host", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (migrate)"}], ), base.APIRule( name="os_compute_api:os-migrate-server:migrate_live", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"), + check_str=("rule:project_admin_api"), description="Live migrate a server to a new host without a reboot", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-migrateLive)"}], ), base.APIRule( name="os_compute_api:os-migrations:index", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="List migrations", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-migrations"}], ), base.APIRule( name="os_compute_api:os-multinic:add", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Add a fixed IP address to a server.\n#\n#This API is proxy 
calls to the Network service. This is\n#deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addFixedIp)"}], ), base.APIRule( name="os_compute_api:os-multinic:remove", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Remove a fixed IP address from a server.\n#\n#This API is proxy calls to the Network service. This is\n#deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeFixedIp)"}], ), base.APIRule( name="os_compute_api:os-networks:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List networks for the project.\n#\n#This API is proxy calls to the Network service. This is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-networks"}], ), base.APIRule( name="os_compute_api:os-networks:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show network details.\n#\n#This API is proxy calls to the Network service. 
This is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-networks/{network_id}"}], ), base.APIRule( name="os_compute_api:os-pause-server:pause", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Pause a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (pause)"}], ), base.APIRule( name="os_compute_api:os-pause-server:unpause", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Unpause a paused server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unpause)"}], ), base.APIRule( name="os_compute_api:os-quota-class-sets:show", - check_str=("rule:system_reader_api"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:context_is_admin"), description="List quotas for specific quota classs", scope_types=["system"], operations=[{"method": "GET", "path": "/os-quota-class-sets/{quota_class}"}], ), base.APIRule( name="os_compute_api:os-quota-class-sets:update", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update quotas for specific quota class", scope_types=["system"], operations=[{"method": "PUT", "path": "/os-quota-class-sets/{quota_class}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:update", - check_str=("rule:system_admin_api"), - 
basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Update the quotas", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/os-quota-sets/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:defaults", check_str=("@"), - basic_check_str=("@"), description="List default quotas", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/os-quota-sets/{tenant_id}/defaults"}], ), base.APIRule( name="os_compute_api:os-quota-sets:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(rule:project_reader_api) or role:admin"), description="Show a quota", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-quota-sets/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Revert quotas to defaults", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-quota-sets/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:detail", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("(rule:project_reader_api) or role:admin"), description="Show the detail of quota", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-quota-sets/{tenant_id}/detail"}], ), base.APIRule( name="os_compute_api:os-remote-consoles", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - 
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Generate a URL to access remove server console.\n#\n#This policy is for ``POST /remote-consoles`` API and below Server actions APIs\n#are deprecated:\n#\n#- ``os-getRDPConsole``\n#- ``os-getSerialConsole``\n#- ``os-getSPICEConsole``\n#- ``os-getVNCConsole``.", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (os-getRDPConsole)"}, - {"method": "POST", "path": "/servers/{server_id}/action (os-getSerialConsole)"}, - {"method": "POST", "path": "/servers/{server_id}/action (os-getSPICEConsole)"}, - {"method": "POST", "path": "/servers/{server_id}/action (os-getVNCConsole)"}, - {"method": "POST", "path": "/servers/{server_id}/remote-consoles"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-getRDPConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getSerialConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getSPICEConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getVNCConsole)"}, {"method": "POST", "path": "/servers/{server_id}/remote-consoles"}], ), base.APIRule( name="os_compute_api:os-rescue", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Rescue a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (rescue)"}], ), base.APIRule( name="os_compute_api:os-unrescue", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + 
check_str=("rule:project_member_api"), description="Unrescue a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unrescue)"}], ), base.APIRule( name="os_compute_api:os-security-groups:get", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List security groups. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show security group. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create security group. 
This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:update", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Update security group. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete security group. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:rule:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create security group Rule. This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-security-group-rules"}], ), base.APIRule( name="os_compute_api:os-security-groups:rule:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete security group Rule. 
This API is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-security-group-rules/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List security groups of server.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:add", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Add security groups to server.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addSecurityGroup)"}], ), base.APIRule( name="os_compute_api:os-security-groups:remove", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Remove security groups from server.", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (removeSecurityGroup)"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeSecurityGroup)"}], ), base.APIRule( name="os_compute_api:os-server-diagnostics", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s"), + 
check_str=("rule:project_admin_api"), description="Show the usage data for a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/diagnostics"}], ), base.APIRule( name="os_compute_api:os-server-external-events:create", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Create one or more external events", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-server-external-events"}], ), base.APIRule( name="os_compute_api:os-server-groups:create", check_str=("rule:project_member_api"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a new server group", scope_types=["project"], operations=[{"method": "POST", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete a server group", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-server-groups/{server_group_id}"}], ), base.APIRule( name="os_compute_api:os-server-groups:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List all server groups", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:index:all_projects", - 
check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="List all server groups for all projects", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show details of a server group", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups/{server_group_id}"}], ), base.APIRule( name="os_compute_api:server-metadata:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List all metadata of a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show metadata for a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:server-metadata:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - 
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create metadata for a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:update_all", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Replace metadata for a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:update", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Update metadata from a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:server-metadata:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete metadata from a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:os-server-password:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and 
project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show the encrypted administrative password of a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-server-password"}], ), base.APIRule( name="os_compute_api:os-server-password:clear", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Clear the encrypted administrative password of a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/os-server-password"}], ), base.APIRule( name="os_compute_api:os-server-tags:delete_all", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete all the server tags", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List all tags for given server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:update_all", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" 
- ), + check_str=("rule:project_member_api"), description="Replace all tags on specified server with the new set of tags.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete a single tag from the specified server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="os_compute_api:os-server-tags:update", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Add a single tag to the server if server has no specified tag", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="os_compute_api:os-server-tags:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Check tag existence on the server.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="compute:server:topology:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_reader_api"), description="Show the NUMA topology data for a 
server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/topology"}], ), base.APIRule( name="compute:server:topology:host:index", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Show the NUMA topology data for a server with host NUMA ID and CPU pinning information", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/topology"}], ), base.APIRule( name="os_compute_api:servers:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List all servers", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:detail", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List all servers with detailed information", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:index:get_all_tenants", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="List all servers for all projects", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:detail:get_all_tenants", - 
check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="List all servers with detailed information for all projects", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:allow_all_filters", - check_str=("rule:system_reader_api"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_admin_api"), description="Allow all filters when listing servers", - scope_types=["system"], - operations=[ - {"method": "GET", "path": "/servers"}, - {"method": "GET", "path": "/servers/detail"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers"}, {"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}"}], ), + base.APIRule( + name="os_compute_api:servers:show:flavor-extra-specs", + check_str=("rule:project_reader_api"), + description="Starting with microversion 2.47, the flavor and its extra specs used for a server is also returned in the response when showing server details, updating a server or rebuilding a server.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/detail"}, {"method": "GET", "path": "/servers/{server_id}"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": 
"/servers/{server_id}/action (rebuild)"}], + ), base.APIRule( name="os_compute_api:servers:show:host_status", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s"), + check_str=("rule:project_admin_api"), description="\n#Show a server with additional host status information.\n#\n#This means host_status will be shown irrespective of status value. If showing\n#only host_status UNKNOWN is desired, use the\n#``os_compute_api:servers:show:host_status:unknown-only`` policy rule.\n#\n#Microvision 2.75 added the ``host_status`` attribute in the\n#``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``\n#API responses which are also controlled by this policy rule, like the\n#``GET /servers*`` APIs.\n#", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}"}, - {"method": "GET", "path": "/servers/detail"}, - {"method": "PUT", "path": "/servers/{server_id}"}, - {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:show:host_status:unknown-only", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="\n#Show a server with additional host status information, only if host status is\n#UNKNOWN.\n#\n#This policy rule will only be enforced when the\n#``os_compute_api:servers:show:host_status`` policy rule does not pass for the\n#request. 
An example policy configuration could be where the\n#``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and\n#the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to\n#allow everyone.\n#", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}"}, - {"method": "GET", "path": "/servers/detail"}, - {"method": "PUT", "path": "/servers/{server_id}"}, - {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:create", check_str=("rule:project_member_api"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], 
@@ -1384,25 +1022,20 @@ list_rules = (
 base.APIRule(
 name="os_compute_api:servers:create:forced_host",
 check_str=("rule:project_admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="\n#Create a server on the specified host and/or node.\n#\n#In this case, the server is forced to launch on the specified\n#host and/or node by bypassing the scheduler filters unlike the\n#``compute:servers:create:requested_destination`` rule.\n#",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers"}],
 ),
 base.APIRule(
 name="compute:servers:create:requested_destination",
 check_str=("rule:project_admin_api"),
- basic_check_str=("role:admin or role:admin and project_id:%(project_id)s"),
 description="\n#Create a server on the requested compute service host and/or\n#hypervisor_hostname.\n#\n#In this case, the requested host and/or hypervisor_hostname is\n#validated by the scheduler filters unlike the\n#``os_compute_api:servers:create:forced_host`` rule.\n#",
- scope_types=["system", "project"],
+ scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers"}],
 ),
 base.APIRule(
 name="os_compute_api:servers:create:attach_volume",
 check_str=("rule:project_member_api"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create a server with the requested volume attached to it",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers"}],
@@ -1410,9 +1043,6 @@ list_rules = (
 base.APIRule(
 name="os_compute_api:servers:create:attach_network",
 check_str=("rule:project_member_api"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create a server with the requested network attached to it",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers"}],
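Review bot: The `scope_types` narrowing on `os_compute_api:servers:create:forced_host` and `compute:servers:create:requested_destination` drops `system` scope without recording which upstream nova policy release these defaults now track, so a later regeneration cannot tell whether the narrowing was deliberate; a comment at the `list_rules = (` opening such as `# Defaults regenerated from nova policy-in-code; scope_types narrowed to project scope to match upstream` would pin that down, and the `list_rules` tuple itself starts and ends outside this hunk. Once scope enforcement is enabled in oslo.policy, a system-scoped admin token no longer satisfies these two admin rules, which is presumably the intended outcome of a project-only scope but is worth stating in the commit description. The `basic_check_str` deletions here and in the two following hunks (`attach_network`, `trusted_certs`) are only safe if `base.APIRule` dropped that parameter in the same change; if it still defines one with a default, these rules now fall back to it silently.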
@@ -1420,9 +1050,6 @@ list_rules = (
 base.APIRule(
 name="os_compute_api:servers:create:trusted_certs",
 check_str=("rule:project_member_api"),
- basic_check_str=(
- "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
- ),
 description="Create a server with trusted image certificate IDs",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers"}],
@@ -1430,485 +1057,338 @@ list_rules = ( base.APIRule( name="os_compute_api:servers:create:zero_disk_flavor", check_str=("rule:project_admin_api"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="\n#This rule controls the compute API validation behavior of creating a server\n#with a flavor that has 0 disk, indicating the server should be volume-backed.\n#\n#For a flavor with disk=0, the root disk will be set to exactly the size of the\n#image used to deploy the instance. However, in this case the filter_scheduler\n#cannot select the compute host based on the virtual image size. Therefore, 0\n#should only be used for volume booted instances or for testing purposes.\n#\n#WARNING: It is a potential security exposure to enable this policy rule\n#if users can upload their own images since repeated attempts to\n#create a disk=0 flavor instance with a large image can exhaust\n#the local disk of the compute (or shared storage cluster). 
See bug\n#https://bugs.launchpad.net/nova/+bug/1739646 for details.\n#", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="network:attach_external_network", check_str=("rule:project_admin_api"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Attach an unshared external network to a server", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers"}, - {"method": "POST", "path": "/servers/{server_id}/os-interface"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers"}, {"method": "POST", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:servers:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}"}], ), base.APIRule( name="os_compute_api:servers:update", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Update a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}"}], ), base.APIRule( name="os_compute_api:servers:confirm_resize", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Confirm a server resize", - scope_types=["system", 
"project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (confirmResize)"}], ), base.APIRule( name="os_compute_api:servers:revert_resize", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Revert a server resize", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (revertResize)"}], ), base.APIRule( name="os_compute_api:servers:reboot", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Reboot a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (reboot)"}], ), base.APIRule( name="os_compute_api:servers:resize", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Resize a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (resize)"}], ), base.APIRule( name="compute:servers:resize:cross_cell", check_str=("!"), - basic_check_str=("!"), description="Resize a server across cells. By default, this is disabled for all users and recommended to be tested in a deployment for admin users before opening it up to non-admin users. Resizing within a cell is the default preferred behavior even if this is enabled. 
", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (resize)"}], ), base.APIRule( name="os_compute_api:servers:rebuild", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Rebuild a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:rebuild:trusted_certs", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Rebuild a server with trusted image certificate IDs", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:create_image", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create an image from a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (createImage)"}], ), base.APIRule( name="os_compute_api:servers:create_image:allow_volume_backed", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create an image from a volume backed server", - scope_types=["system", "project"], + scope_types=["project"], 
operations=[{"method": "POST", "path": "/servers/{server_id}/action (createImage)"}], ), base.APIRule( name="os_compute_api:servers:start", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Start a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-start)"}], ), base.APIRule( name="os_compute_api:servers:stop", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Stop a server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-stop)"}], ), base.APIRule( name="os_compute_api:servers:trigger_crash_dump", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Trigger crash dump in a server", - scope_types=["system", "project"], - operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (trigger_crash_dump)"}, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/action (trigger_crash_dump)"}], ), base.APIRule( name="os_compute_api:servers:migrations:show", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Show details for an in-progress live migration for a given server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/migrations/{migration_id}"}], ), 
base.APIRule( name="os_compute_api:servers:migrations:force_complete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Force an in-progress live migration for a given server to complete", - scope_types=["system", "project"], - operations=[ - { - "method": "POST", - "path": "/servers/{server_id}/migrations/{migration_id}/action (force_complete)", - }, - ], + scope_types=["project"], + operations=[{"method": "POST", "path": "/servers/{server_id}/migrations/{migration_id}/action (force_complete)"}], ), base.APIRule( name="os_compute_api:servers:migrations:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:project_admin_api"), description="Delete(Abort) an in-progress live migration", - scope_types=["system", "project"], - operations=[ - {"method": "DELETE", "path": "/servers/{server_id}/migrations/{migration_id}"}, - ], + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/servers/{server_id}/migrations/{migration_id}"}], ), base.APIRule( name="os_compute_api:servers:migrations:index", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="Lists in-progress live migrations for a given server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/migrations"}], ), base.APIRule( name="os_compute_api:os-services:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:context_is_admin"), description="List all running Compute services in a region.", scope_types=["system"], operations=[{"method": "GET", "path": "/os-services"}], ), base.APIRule( name="os_compute_api:os-services:update", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update a 
Compute service.", scope_types=["system"], operations=[{"method": "PUT", "path": "/os-services/{service_id}"}], ), base.APIRule( name="os_compute_api:os-services:delete", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Delete a Compute service.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/os-services/{service_id}"}], ), base.APIRule( name="os_compute_api:os-shelve:shelve", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Shelve server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (shelve)"}], ), base.APIRule( name="os_compute_api:os-shelve:unshelve", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Unshelve (restore) shelved server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}], ), base.APIRule( name="os_compute_api:os-shelve:shelve_offload", - check_str=("rule:system_admin_api"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_admin_api"), description="Shelf-offload (remove) server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (shelveOffload)"}], ), base.APIRule( name="os_compute_api:os-simple-tenant-usage:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and 
project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show usage statistics for a specific tenant", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-simple-tenant-usage/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-simple-tenant-usage:list", - check_str=("rule:system_reader_api"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:project_admin_api"), description="List per tenant usage statistics for all tenants", - scope_types=["system"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-simple-tenant-usage"}], ), base.APIRule( name="os_compute_api:os-suspend-server:resume", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Resume suspended server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (resume)"}], ), base.APIRule( name="os_compute_api:os-suspend-server:suspend", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Suspend server", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (suspend)"}], ), base.APIRule( name="os_compute_api:os-tenant-networks:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + 
check_str=("rule:project_reader_api"), description="List project networks.\n#\n#This API is proxy calls to the Network service. This is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-tenant-networks"}], ), base.APIRule( name="os_compute_api:os-tenant-networks:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show project network details.\n#\n#This API is proxy calls to the Network service. This is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-tenant-networks/{network_id}"}], ), base.APIRule( name="os_compute_api:os-volumes:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List volumes.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-volumes"}], ), base.APIRule( name="os_compute_api:os-volumes:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create volume.\n#\n#This API is a proxy call to the Volume service. 
It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-volumes"}], ), base.APIRule( name="os_compute_api:os-volumes:detail", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List volumes detail.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-volumes/detail"}], ), base.APIRule( name="os_compute_api:os-volumes:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show volume.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-volumes/{volume_id}"}], ), base.APIRule( name="os_compute_api:os-volumes:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete volume.\n#\n#This API is a proxy call to the Volume service. 
It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-volumes/{volume_id}"}], ), base.APIRule( name="os_compute_api:os-volumes:snapshots:list", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List snapshots.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-snapshots"}], ), base.APIRule( name="os_compute_api:os-volumes:snapshots:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Create snapshots.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/os-snapshots"}], ), base.APIRule( name="os_compute_api:os-volumes:snapshots:detail", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List snapshots details.\n#\n#This API is a proxy call to the Volume service. 
It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-snapshots/detail"}], ), base.APIRule( name="os_compute_api:os-volumes:snapshots:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show snapshot.\n#\n#This API is a proxy call to the Volume service. It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/os-snapshots/{snapshot_id}"}], ), base.APIRule( name="os_compute_api:os-volumes:snapshots:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Delete snapshot.\n#\n#This API is a proxy call to the Volume service. 
It is deprecated.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-snapshots/{snapshot_id}"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:index", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="List volume attachments for an instance", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-volume_attachments"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:create", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Attach a volume to an instance", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/os-volume_attachments"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:show", - check_str=("rule:system_or_project_reader"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), + check_str=("rule:project_reader_api"), description="Show details of a volume attachment", - scope_types=["system", "project"], - operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, - ], + scope_types=["project"], + operations=[{"method": "GET", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:update", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - 
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Update a volume attachment.\n#New 'update' policy about 'swap + update' request (which is possible\n#only >2.85) only is checked. We expect to be\n#always superset of this policy permission.\n#", - scope_types=["system", "project"], - operations=[ - {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, - ], + scope_types=["project"], + operations=[{"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:swap", - check_str=("rule:system_admin_api"), - basic_check_str=("role:admin"), + check_str=("rule:context_is_admin"), description="Update a volume attachment with a different volumeId", - scope_types=["system"], - operations=[ - {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, - ], + scope_types=["project"], + operations=[{"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}], ), base.APIRule( name="os_compute_api:os-volumes-attachments:delete", - check_str=("rule:system_admin_or_owner"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), + check_str=("rule:project_member_api"), description="Detach a volume from an instance", - scope_types=["system", "project"], - operations=[ - { - "method": "DELETE", - "path": "/servers/{server_id}/os-volume_attachments/{volume_id}", - }, - ], + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}], ), ) diff --git a/skyline_apiserver/policy/manager/octavia.py b/skyline_apiserver/policy/manager/octavia.py index bb02bd2..9344552 100644 --- a/skyline_apiserver/policy/manager/octavia.py +++ b/skyline_apiserver/policy/manager/octavia.py 
@@ -1,4 +1,5 @@ # flake8: noqa +# fmt: off from . import base @@ -55,9 +56,7 @@ list_rules = ( ), base.Rule( name="load-balancer:read", - check_str=( - "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin" - ), + check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"), description="No description", ), base.Rule( @@ -72,16 +71,12 @@ list_rules = ( ), base.Rule( name="load-balancer:read-quota", - check_str=( - "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin" - ), + check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"), description="No description", ), base.Rule( name="load-balancer:read-quota-global", - check_str=( - "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin" - ), + check_str=("rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"), description="No description", ), base.Rule( @@ -92,9 +87,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Flavors", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}], 
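Review bot: `# fmt: off` at the top of octavia.py, placed next to the existing `# flake8: noqa`, switches off both the formatter and the linter for the whole module without saying why, and the later hunks of this file then collapse `check_str` and `operations` onto single lines far beyond any usual line length. If the module is produced by a generator rather than edited by hand, say so where the pragmas sit, e.g. `# fmt: off  (generated policy module; regenerate instead of hand-editing)`; if it is hand-maintained, the one-line `check_str=("...")` form in the hunk at `-55,9` keeps parentheses that are now redundant around a single literal. The same pragma-plus-collapse pattern presumably applies to the other manager modules in this commit; the nova hunk ending at L343 starts outside this view.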
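Review bot: Every `base.APIRule(...)` in the hunk at `-92,9 +87,6` and in the hunks on L345–L358 drops its `basic_check_str=` argument while `check_str` keeps pointing at the `rule:load-balancer:read` / `write` / `admin` aliases, and nothing in view changes `base.APIRule` itself. If the constructor still declares `basic_check_str` as required, importing this module now fails; if it was optional, whatever consumed it (presumably as a per-rule fallback, since the removed expressions were the only form that spelled out roles and `project_id:%(project_id)s` ownership without going through an alias) is silently left empty, so each Octavia decision now rests entirely on the `load-balancer:*` aliases being present and correct in the loaded rule set. Please confirm `base.py` is updated in the same change and note the dependency once near the first rule, e.g. `# basic_check_str dropped: every decision below resolves through the rule:load-balancer:* aliases defined above`. The nova hunk ending at L343 removes the same field but also rewrites `check_str` and `scope_types` values; it starts outside this view.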
@@ -102,7 +94,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:post", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Create a Flavor", scope_types=["project"], operations=[{"method": "POST", "path": "/v2.0/lbaas/flavors"}], @@ -110,7 +101,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:put", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Update a Flavor", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], @@ -118,9 +108,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Flavor details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], @@ -128,7 +115,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:delete", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Remove a Flavor", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], @@ -136,7 +122,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor-profile:get_all", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="List Flavor Profiles", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles"}], @@ -144,7 +129,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor-profile:post", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Create a Flavor Profile", scope_types=["project"], operations=[{"method": "POST", "path": "/v2.0/lbaas/flavorprofiles"}], 
@@ -152,7 +136,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor-profile:put", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Update a Flavor Profile", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], @@ -160,7 +143,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor-profile:get_one", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="Show Flavor Profile details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], @@ -168,19 +150,13 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor-profile:delete", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Remove a Flavor Profile", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Availability Zones", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}], @@ -188,7 +164,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:availability-zone:post", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Create an Availability Zone", scope_types=["project"], operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzones"}], 
@@ -196,39 +171,27 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:availability-zone:put", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Update an Availability Zone", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, - ], + operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Availability Zone details", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, - ], + operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone:delete", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Remove an Availability Zone", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:get_all", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="List Availability Zones", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles"}], 
@@ -236,7 +199,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:availability-zone-profile:post", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Create an Availability Zone", scope_types=["project"], operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzoneprofiles"}], 
@@ -244,48 +206,27 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:availability-zone-profile:put", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Update an Availability Zone", scope_types=["project"], - operations=[ - { - "method": "PUT", - "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", - }, - ], + operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:get_one", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="Show Availability Zone details", scope_types=["project"], - operations=[ - { - "method": "GET", - "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", - }, - ], + operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:delete", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Remove an Availability Zone", scope_types=["project"], - operations=[ - { - "method": "DELETE", - "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", - }, - ], + operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], ), base.APIRule( name="os_load-balancer_api:healthmonitor:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Health Monitors of a Pool", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}], 
@@ -293,7 +234,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:get_all-global", check_str=("rule:load-balancer:read-global"), - basic_check_str=("role:admin or role:reader"), description="List Health Monitors including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}], @@ -301,9 +241,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a Health Monitor", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}], @@ -311,9 +248,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Health Monitor details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], @@ -321,9 +255,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a Health Monitor", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], 
@@ -331,9 +262,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a Health Monitor", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], @@ -341,9 +269,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List L7 Policys", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}], @@ -351,7 +276,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:get_all-global", check_str=("rule:load-balancer:read-global"), - basic_check_str=("role:admin or role:reader"), description="List L7 Policys including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}], @@ -359,9 +283,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a L7 Policy", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}], 
@@ -369,9 +290,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show L7 Policy details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -379,9 +297,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a L7 Policy", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -389,9 +304,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a L7 Policy", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -399,9 +311,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List L7 Rules", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], 
@@ -409,9 +318,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a L7 Rule", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], 
@@ -419,45 +325,27 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show L7 Rule details", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, - ], + operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], ), base.APIRule( name="os_load-balancer_api:l7rule:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a L7 Rule", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, - ], + operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], ), base.APIRule( name="os_load-balancer_api:l7rule:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a L7 Rule", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], ), base.APIRule( name="os_load-balancer_api:listener:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Listeners", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}], 
@@ -465,7 +353,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:get_all-global", check_str=("rule:load-balancer:read-global"), - basic_check_str=("role:admin or role:reader"), description="List Listeners including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}], @@ -473,9 +360,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a Listener", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}], @@ -483,9 +367,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Listener details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}], @@ -493,9 +374,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a Listener", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}], @@ -503,9 +381,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a Listener", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}], 
@@ -513,9 +388,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:get_stats", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Listener statistics", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}], @@ -523,9 +395,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Load Balancers", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}], @@ -533,7 +402,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_all-global", check_str=("rule:load-balancer:read-global"), - basic_check_str=("role:admin or role:reader"), description="List Load Balancers including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}], @@ -541,9 +409,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a Load Balancer", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}], 
@@ -551,9 +416,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Load Balancer details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -561,9 +423,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a Load Balancer", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -571,9 +430,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a Load Balancer", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -581,9 +437,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_stats", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Load Balancer statistics", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}], 
@@ -591,31 +444,20 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_status", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Load Balancer status", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}, - ], + operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}], ), base.APIRule( name="os_load-balancer_api:loadbalancer:put_failover", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Failover a Load Balancer", scope_types=["project"], - operations=[ - {"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}, - ], + operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}], ), base.APIRule( name="os_load-balancer_api:member:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Members of a Pool", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}], @@ -623,9 +465,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a Member", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}], 
@@ -633,9 +472,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Member details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], @@ -643,9 +479,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a Member", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], @@ -653,21 +486,13 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a Member", scope_types=["project"], - operations=[ - {"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}, - ], + operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], ), base.APIRule( name="os_load-balancer_api:pool:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Pools", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools"}], 
@@ -675,7 +500,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:get_all-global", check_str=("rule:load-balancer:read-global"), - basic_check_str=("role:admin or role:reader"), description="List Pools including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools"}], @@ -683,9 +507,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:post", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Create a Pool", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/pools"}], @@ -693,9 +514,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Pool details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}], @@ -703,9 +521,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:put", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Update a Pool", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}], @@ -713,9 +528,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:delete", check_str=("rule:load-balancer:write"), - basic_check_str=( - "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" - ), description="Remove a Pool", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}], 
@@ -723,9 +535,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:provider:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List enabled providers", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/providers"}], @@ -733,9 +542,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_all", check_str=("rule:load-balancer:read-quota"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="List Quotas", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}], @@ -743,7 +549,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_all-global", check_str=("rule:load-balancer:read-quota-global"), - basic_check_str=("role:admin or role:reader"), description="List Quotas including resources owned by others", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}], @@ -751,9 +556,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_one", check_str=("rule:load-balancer:read-quota"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Quota details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}], @@ -761,7 +563,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:put", check_str=("rule:load-balancer:write-quota"), - basic_check_str=("role:admin"), description="Update a Quota", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/quotas/{project_id}"}], 
@@ -769,7 +570,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:delete", check_str=("rule:load-balancer:write-quota"), - basic_check_str=("role:admin"), description="Reset a Quota", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/quotas/{project_id}"}], @@ -777,9 +577,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_defaults", check_str=("rule:load-balancer:read-quota"), - basic_check_str=( - "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" - ), description="Show Default Quota for a Project", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}], @@ -787,7 +584,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:get_all", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="List Amphorae", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/octavia/amphorae"}], @@ -795,7 +591,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:get_one", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="Show Amphora details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}"}], @@ -803,7 +598,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:delete", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Delete an Amphora", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/octavia/amphorae/{amphora_id}"}], 
@@ -811,7 +605,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:put_config", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Update Amphora Agent Configuration", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/config"}], @@ -819,7 +612,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:put_failover", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin"), description="Failover Amphora", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/failover"}], @@ -827,7 +619,6 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:amphora:get_stats", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="Show Amphora statistics", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}/stats"}], @@ -835,25 +626,16 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:provider-flavor:get_all", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="List the provider flavor capabilities.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}, - ], + operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}], ), base.APIRule( name="os_load-balancer_api:provider-availability-zone:get_all", check_str=("rule:load-balancer:admin"), - basic_check_str=("role:admin or role:reader"), description="List the provider availability zone capabilities.", scope_types=["project"], - operations=[ - { - "method": "GET", - "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities", - }, - ], + operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities"}], ), ) 
diff --git a/skyline_apiserver/policy/manager/panko.py b/skyline_apiserver/policy/manager/panko.py
index 7494580..14fdd81 100644
--- a/skyline_apiserver/policy/manager/panko.py
+++ b/skyline_apiserver/policy/manager/panko.py
@@ -1,4 +1,5 @@
 # flake8: noqa
+# fmt: off
 from . import base
@@ -11,18 +12,13 @@ list_rules = (
 base.APIRule(
 name="segregation",
 check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
 description="Return the user and project the requestshould be limited to",
 scope_types=["system"],
- operations=[
- {"method": "GET", "path": "/v2/events"},
- {"method": "GET", "path": "/v2/events/{message_id}"},
- ],
+ operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
 ),
 base.APIRule(
 name="telemetry:events:index",
 check_str=(""),
- basic_check_str=("@"),
 description="Return all events matching the query filters.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/v2/events"}],
@@ -30,7 +26,6 @@ list_rules = (
 base.APIRule(
 name="telemetry:events:show",
 check_str=(""),
- basic_check_str=("@"),
 description="Return a single event with the given message id.",
 scope_types=["system", "project"],
 operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],
diff --git a/skyline_apiserver/policy/manager/placement.py b/skyline_apiserver/policy/manager/placement.py
index ed92da5..c6c157a 100644
--- a/skyline_apiserver/policy/manager/placement.py
+++ b/skyline_apiserver/policy/manager/placement.py
@@ -1,4 +1,5 @@
 # flake8: noqa
+# fmt: off
 from . import base
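Review bot: With `basic_check_str=("@")` removed from `telemetry:events:index` and `telemetry:events:show`, the empty `check_str=("")` is now the only expression the enforcer evaluates for those two rules, so their outcome depends entirely on the enforcer treating an empty check string as an unconditional allow (oslo.policy parses `""` as a TrueCheck) rather than as a parse failure or a deny. That is a deliberate "open to any authenticated caller" setting and deserves a comment at the first of the two rules so nobody later "fixes" it by guessing, e.g. `# "" is an always-allow check (oslo.policy TrueCheck); event listing is intentionally not restricted by this rule`. The `segregation` rule above them combines `role:admin and system_scope:all` with `scope_types=["system"]`, so a project-scoped caller can never satisfy it; if the enforcer's user context is built from a project-scoped token, that rule will always evaluate to deny, which is worth confirming against how the context is constructed (not visible in this hunk).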
@@ -8,279 +9,253 @@ list_rules = (
 check_str=("role:admin"),
 description="Default rule for most placement APIs.",
 ),
+ base.Rule(
+ name="system_admin_api",
+ check_str=("role:admin and system_scope:all"),
+ description="Default rule for System Admin APIs.",
+ ),
+ base.Rule(
+ name="system_reader_api",
+ check_str=("role:reader and system_scope:all"),
+ description="Default rule for System level read only APIs.",
+ ),
+ base.Rule(
+ name="project_reader_api",
+ check_str=("role:reader and project_id:%(project_id)s"),
+ description="Default rule for Project level read only APIs.",
+ ),
+ base.Rule(
+ name="system_or_project_reader",
+ check_str=("rule:system_reader_api or rule:project_reader_api"),
+ description="Default rule for System+Project read only APIs.",
+ ),
 base.APIRule(
 name="placement:resource_providers:list",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("rule:system_reader_api"),
 description="List resource providers.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/resource_providers"}],
 ),
 base.APIRule(
 name="placement:resource_providers:create",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("rule:system_admin_api"),
 description="Create resource provider.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/resource_providers"}],
 ),
 base.APIRule(
 name="placement:resource_providers:show",
- check_str=("role:reader and system_scope:all"),
- basic_check_str=("role:admin or role:reader"),
+ check_str=("rule:system_reader_api"),
 description="Show resource provider.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/resource_providers/{uuid}"}],
 ),
 base.APIRule(
 name="placement:resource_providers:update",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("rule:system_admin_api"),
 description="Update resource provider.",
 scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}"}], ), base.APIRule( name="placement:resource_providers:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Delete resource provider.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}"}], ), base.APIRule( name="placement:resource_classes:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource classes.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_classes"}], ), base.APIRule( name="placement:resource_classes:create", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Create resource class.", scope_types=["system"], operations=[{"method": "POST", "path": "/resource_classes"}], ), base.APIRule( name="placement:resource_classes:show", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="Show resource class.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_classes/{name}"}], ), base.APIRule( name="placement:resource_classes:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update resource class.", scope_types=["system"], operations=[{"method": "PUT", "path": "/resource_classes/{name}"}], ), base.APIRule( name="placement:resource_classes:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Delete resource class.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/resource_classes/{name}"}], ), base.APIRule( 
name="placement:resource_providers:inventories:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource provider inventories.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories"}], ), base.APIRule( name="placement:resource_providers:inventories:create", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Create one resource provider inventory.", scope_types=["system"], operations=[{"method": "POST", "path": "/resource_providers/{uuid}/inventories"}], ), base.APIRule( name="placement:resource_providers:inventories:show", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="Show resource provider inventory.", scope_types=["system"], - operations=[ - {"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}, - ], + operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], ), base.APIRule( name="placement:resource_providers:inventories:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update resource provider inventory.", scope_types=["system"], - operations=[ - {"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, - {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}, - ], + operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], ), base.APIRule( name="placement:resource_providers:inventories:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + 
check_str=("rule:system_admin_api"), description="Delete resource provider inventory.", scope_types=["system"], - operations=[ - {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, - { - "method": "DELETE", - "path": "/resource_providers/{uuid}/inventories/{resource_class}", - }, - ], + operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], ), base.APIRule( name="placement:resource_providers:aggregates:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource provider aggregates.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/aggregates"}], ), base.APIRule( name="placement:resource_providers:aggregates:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update resource provider aggregates.", scope_types=["system"], operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/aggregates"}], ), base.APIRule( name="placement:resource_providers:usages", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource provider usages.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/usages"}], ), base.APIRule( name="placement:usages", - check_str=( - "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" - ), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_or_project_reader"), description="List total resource usages for a given project.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/usages"}], ), base.APIRule( name="placement:traits:list", - 
check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List traits.", scope_types=["system"], operations=[{"method": "GET", "path": "/traits"}], ), base.APIRule( name="placement:traits:show", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="Show trait.", scope_types=["system"], operations=[{"method": "GET", "path": "/traits/{name}"}], ), base.APIRule( name="placement:traits:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update trait.", scope_types=["system"], operations=[{"method": "PUT", "path": "/traits/{name}"}], ), base.APIRule( name="placement:traits:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Delete trait.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/traits/{name}"}], ), base.APIRule( name="placement:resource_providers:traits:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource provider traits.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/traits"}], ), base.APIRule( name="placement:resource_providers:traits:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update resource provider traits.", scope_types=["system"], operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/traits"}], ), base.APIRule( name="placement:resource_providers:traits:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), 
description="Delete resource provider traits.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/traits"}], ), base.APIRule( name="placement:allocations:manage", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Manage allocations.", scope_types=["system"], operations=[{"method": "POST", "path": "/allocations"}], ), base.APIRule( name="placement:allocations:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List allocations.", scope_types=["system"], operations=[{"method": "GET", "path": "/allocations/{consumer_uuid}"}], ), base.APIRule( name="placement:allocations:update", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Update allocations.", scope_types=["system"], operations=[{"method": "PUT", "path": "/allocations/{consumer_uuid}"}], ), base.APIRule( name="placement:allocations:delete", - check_str=("role:admin and system_scope:all"), - basic_check_str=("role:admin"), + check_str=("rule:system_admin_api"), description="Delete allocations.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/allocations/{consumer_uuid}"}], ), base.APIRule( name="placement:resource_providers:allocations:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List resource provider allocations.", scope_types=["system"], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/allocations"}], ), base.APIRule( name="placement:allocation_candidates:list", - check_str=("role:reader and system_scope:all"), - basic_check_str=("role:admin or role:reader"), + check_str=("rule:system_reader_api"), description="List allocation candidates.", 
scope_types=["system"],
 operations=[{"method": "GET", "path": "/allocation_candidates"}],
 ),
 base.APIRule(
 name="placement:reshaper:reshape",
- check_str=("role:admin and system_scope:all"),
- basic_check_str=("role:admin"),
+ check_str=("rule:system_admin_api"),
 description="Reshape Inventory and Allocations.",
 scope_types=["system"],
 operations=[{"method": "POST", "path": "/reshaper"}],
diff --git a/skyline_apiserver/policy/manager/trove.py b/skyline_apiserver/policy/manager/trove.py
index c78928e..b6b458d 100644
--- a/skyline_apiserver/policy/manager/trove.py
+++ b/skyline_apiserver/policy/manager/trove.py
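Review bot: The four new `base.Rule` definitions (`system_admin_api`, `system_reader_api`, `project_reader_api`, `system_or_project_reader`) carry no comment, and once `basic_check_str` is dropped every `placement:*` rule except `placement:usages` resolves to a check that contains `system_scope:all`, which only a system-scoped token can satisfy; a project-scoped caller is therefore denied all of them regardless of role, and `placement:usages` is reachable only through `project_reader_api`, which in turn needs the enforcement target to carry `project_id`. How the user context and target are built is not visible in this hunk, so whether that outcome is intended for the permission matrix this file feeds is worth confirming. A comment above the first new rule would record the intent, e.g. `# system_* rules are satisfied only by a system-scoped token; project-scoped users reach placement:usages via project_reader_api, which needs project_id in the target`. The `list_rules` tuple opens before this hunk.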
@@ -1,756 +1,612 @@
-from . import base
-
-list_rules = (
- base.Rule(
- name="admin",
- check_str=("role:admin or is_admin:True"),
- description="Must be an administrator.",
- ),
- base.Rule(
- name="admin_or_owner",
- check_str=("rule:admin or project_id:%(tenant)s"),
- description="Must be an administrator or owner of the object.",
- ),
- base.Rule(
- name="default",
- check_str=("rule:admin_or_owner"),
- description="Must be an administrator or owner of the object.",
- ),
- base.APIRule(
- name="trove:instance:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a database instance.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances"}],
- ),
- base.APIRule(
- name="trove:instance:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a database instance.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
- ),
- base.APIRule(
- name="trove:instance:force_delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Forcibly delete a database instance.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
- ),
- base.APIRule(
- name="trove:instance:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List database instances.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances"}],
- ),
- base.APIRule(
- name="trove:instance:detail",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List database instances with details.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/detail"}],
- ),
- base.APIRule(
- name="trove:instance:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get details of a specific database instance.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
- ),
- base.APIRule(
- name="trove:instance:update",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Update a database instance to attach/detach configuration",
- scope_types=["project"],
- operations=[
- {"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}"},
- {"method": "POST", "path": "/v1.0/{account_id}/instances"},
- ],
- ),
- base.APIRule(
- name="trove:instance:edit",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Updates the instance to set or unset one or more attributes.",
- scope_types=["project"],
- operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
- ),
- base.APIRule(
- name="trove:instance:restart",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Restart a database instance.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (restart)",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:resize_volume",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Resize a database instance volume.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:resize_flavor",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Resize a database instance flavor.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:reset_status",
- check_str=("(role:admin or is_admin:True)"),
- description="Reset the status of a database instance to ERROR.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (reset_status)",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:promote_to_replica_source",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Promote instance to replica source.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)", # noqa
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:eject_replica_source",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Eject the replica source from its replica set.",
- scope_types=["project"],
- operations=[
- {
- "method": "POST",
- "path": "/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:configuration",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get the default configuration template applied to the instance.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/configuration"},
- ],
- ),
- base.APIRule(
- name="trove:instance:guest_log_list",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get all informations about all logs of a database instance.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/log"}],
- ),
- base.APIRule(
- name="trove:instance:backups",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get all backups of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/backups"},
- ],
- ),
- base.APIRule(
- name="trove:instance:module_list",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations about modules on a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"},
- ],
- ),
- base.APIRule(
- name="trove:instance:module_apply",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Apply modules to a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"},
- {"method": "POST", "path": "/v1.0/{account_id}/instances"},
- ],
- ),
- base.APIRule(
- name="trove:instance:module_remove",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Remove a module from a database instance.",
- scope_types=["project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:root:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Enable the root user of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/root"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:root:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Disable the root user of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/root"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:root:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Show whether the root user of a database instance has been ever enabled.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
- ),
- base.APIRule(
- name="trove:cluster:extension:root:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Enable the root user of the instances in a cluster.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
- ),
- base.APIRule(
- name="trove:cluster:extension:root:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Enable the root user of the instances in a cluster.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
- ),
- base.APIRule(
- name="trove:cluster:extension:root:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Disable the root of the instances in a cluster.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
- ),
- base.APIRule(
- name="trove:instance:extension:user:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create users for a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
- {"method": "POST", "path": "/v1.0/{account_id}/instances"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a user from a database instance.",
- scope_types=["project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get all users of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get the information of a single user of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user:update",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Update attributes for a user of a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user:update_all",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Update the password for one or more users a database instance.",
- scope_types=["project"],
- operations=[
- {"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user_access:update",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Grant access for a user to one or more databases.",
- scope_types=["project"],
- operations=[
- {
- "method": "PUT",
- "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user_access:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Revoke access for a user to a databases.",
- scope_types=["project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}", # noqa
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:user_access:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get permissions of a user",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:database:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a set of Schemas",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"},
- {"method": "POST", "path": "/v1.0/{account_id}/instances"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:database:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a schema from a database.",
- scope_types=["project"],
- operations=[
- {
- "method": "DELETE",
- "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}",
- },
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:database:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all schemas from a database.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"},
- ],
- ),
- base.APIRule(
- name="trove:instance:extension:database:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a schema(Currently Not Implemented).",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}",
- },
- ],
- ),
- base.APIRule(
- name="trove:cluster:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a cluster.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters"}],
- ),
- base.APIRule(
- name="trove:cluster:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a cluster.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
- ),
- base.APIRule(
- name="trove:cluster:force_delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Forcibly delete a cluster.",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"},
- ],
- ),
- base.APIRule(
- name="trove:cluster:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all clusters",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters"}],
- ),
- base.APIRule(
- name="trove:cluster:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a cluster.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
- ),
- base.APIRule(
- name="trove:cluster:show_instance",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a instance in a cluster.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/clusters/{cluster}/instances/{instance}",
- },
- ],
- ),
- base.APIRule(
- name="trove:cluster:action",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Commit an action against a cluster",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
- ),
- base.APIRule(
- name="trove:cluster:reset-status",
- check_str=("(role:admin or is_admin:True)"),
- description="Reset the status of a cluster to NONE.",
- scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"},
- ],
- ),
- base.APIRule(
- name="trove:backup:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a backup of a database instance.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/backups"}],
- ),
- base.APIRule(
- name="trove:backup:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a backup of a database instance.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backups/{backup}"}],
- ),
- base.APIRule(
- name="trove:backup:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all backups.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
- ),
- base.APIRule(
- name="trove:backup:index:all_projects",
- check_str=("role:admin"),
- description="List backups for all the projects.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
- ),
- base.APIRule(
- name="trove:backup:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a backup.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups/{backup}"}],
- ),
- base.APIRule(
- name="trove:backup_strategy:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a backup strategy.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/backup_strategies"}],
- ),
- base.APIRule(
- name="trove:backup_strategy:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all backup strategies.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/backup_strategies"}],
- ),
- base.APIRule(
- name="trove:backup_strategy:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete backup strategies.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backup_strategies"}],
- ),
- base.APIRule(
- name="trove:configuration:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a configuration group.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/configurations"}],
- ),
- base.APIRule(
- name="trove:configuration:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a configuration group.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/configurations/{config}"}],
- ),
- base.APIRule(
- name="trove:configuration:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all configuration groups.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations"}],
- ),
- base.APIRule(
- name="trove:configuration:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a configuration group.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}"}],
- ),
- base.APIRule(
- name="trove:configuration:instances",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all instances which a configuration group has be assigned to.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}/instances"},
- ],
- ),
- base.APIRule(
- name="trove:configuration:update",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Update a configuration group(the configuration group will be replaced completely).", # noqa
- scope_types=["project"],
- operations=[{"method": "PUT", "path": "/v1.0/{account_id}/configurations/{config}"}],
- ),
- base.APIRule(
- name="trove:configuration:edit",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Patch a configuration group.",
- scope_types=["project"],
- operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/configurations/{config}"}],
- ),
- base.APIRule(
- name="trove:configuration-parameter:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all parameters bind to a datastore version.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters",
- },
- ],
- ),
- base.APIRule(
- name="trove:configuration-parameter:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get a paramter of a datastore version.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}", # noqa
- },
- ],
- ),
- base.APIRule(
- name="trove:configuration-parameter:index_by_version",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all paramters bind to a datastore version by the id of the version(datastore is not provided).", # noqa
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters",
- },
- ],
- ),
- base.APIRule(
- name="trove:configuration-parameter:show_by_version",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get a paramter of a datastore version by it names and the id of the version(datastore is not provided).", # noqa
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}",
- },
- ],
- ),
- base.APIRule(
- name="trove:datastore:index",
- check_str=(""),
- description="List all datastores.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores"}],
- ),
- base.APIRule(
- name="trove:datastore:show",
- check_str=(""),
- description="Get informations of a datastore.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
- ),
- base.APIRule(
- name="trove:datastore:delete",
- check_str=("(role:admin or is_admin:True)"),
- description="Delete a datastore.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
- ),
- base.APIRule(
- name="trove:datastore:version_show",
- check_str=(""),
- description="Get a version of a datastore by the version id.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}",
- },
- ],
- ),
- base.APIRule(
- name="trove:datastore:version_show_by_uuid",
- check_str=(""),
- description="Get a version of a datastore by the version id(without providing the datastore id).", # noqa
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}"},
- ],
- ),
- base.APIRule(
- name="trove:datastore:version_index",
- check_str=(""),
- description="Get all versions of a datastore.",
- scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions"},
- ],
- ),
- base.APIRule(
- name="trove:datastore:list_associated_flavors",
- check_str=(""),
- description="List all flavors associated with a datastore version.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors",
- },
- ],
- ),
- base.APIRule(
- name="trove:datastore:list_associated_volume_types",
- check_str=(""),
- description="List all volume-types associated with a datastore version.",
- scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types", # noqa
- },
- ],
- ),
- base.APIRule(
- name="trove:flavor:index",
- check_str=(""),
- description="List all flavors.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors"}],
- ),
- base.APIRule(
- name="trove:flavor:show",
- check_str=(""),
- description="Get information of a flavor.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors/{flavor}"}],
- ),
- base.APIRule(
- name="trove:limits:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all absolute and rate limit informations.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/limits"}],
- ),
- base.APIRule(
- name="trove:module:create",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Create a module.",
- scope_types=["project"],
- operations=[{"method": "POST", "path": "/v1.0/{account_id}/modules"}],
- ),
- base.APIRule(
- name="trove:module:delete",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Delete a module.",
- scope_types=["project"],
- operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/modules/{module}"}],
- ),
- base.APIRule(
- name="trove:module:index",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all modules.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules"}],
- ),
- base.APIRule(
- name="trove:module:show",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Get informations of a module.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}"}],
- ),
- base.APIRule(
- name="trove:module:instances",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="List all instances to which a module is applied.",
- scope_types=["project"],
- operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}/instances"}],
- ),
- base.APIRule(
- name="trove:module:update",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Update a module.",
- scope_types=["project"],
- operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}"}],
- ),
- base.APIRule(
- name="trove:module:reapply",
- check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"),
- description="Reapply a module to all instances.",
- scope_types=["project"],
- operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}/instances"}],
- ),
-)
-
-__all__ = ("list_rules",)
+# flake8: noqa
+# fmt: off
+
+from . import base
+
+list_rules = (
+ base.Rule(
+ name="admin",
+ check_str=("role:admin or is_admin:True"),
+ description="Must be an administrator.",
+ ),
+ base.Rule(
+ name="admin_or_owner",
+ check_str=("rule:admin or project_id:%(tenant)s"),
+ description="Must be an administrator or owner of the object.",
+ ),
+ base.Rule(
+ name="default",
+ check_str=("rule:admin_or_owner"),
+ description="Must be an administrator or owner of the object.",
+ ),
+ base.APIRule(
+ name="instance:create",
+ check_str=("rule:admin_or_owner"),
+ description="Create a database instance.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances"}],
+ ),
+ base.APIRule(
+ name="instance:delete",
+ check_str=("rule:admin_or_owner"),
+ description="Delete a database instance.",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
+ ),
+ base.APIRule(
+ name="instance:force_delete",
+ check_str=("rule:admin_or_owner"),
+ description="Forcibly delete a database instance.",
+ scope_types=["project"],
+ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
+ ),
+ base.APIRule(
+ name="instance:index",
+ check_str=("rule:admin_or_owner"),
+ description="List database instances.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances"}],
+ ),
+ base.APIRule(
+ name="instance:detail",
+ check_str=("rule:admin_or_owner"),
+ description="List database instances with details.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/detail"}],
+ ),
+ base.APIRule(
+ name="instance:show",
+ check_str=("rule:admin_or_owner"),
+ description="Get details of a specific database instance.",
+ scope_types=["project"],
+ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
+ ),
+ base.APIRule(
+ name="instance:update",
+ check_str=("rule:admin_or_owner"),
+ description="Update a database instance to attach/detach configuration",
+ scope_types=["project"],
+ operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
+ ),
+ base.APIRule(
+ name="instance:edit",
+ check_str=("rule:admin_or_owner"),
+ description="Updates the instance to set or unset one or more attributes.",
+ scope_types=["project"],
+ operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
+ ),
+ base.APIRule(
+ name="instance:restart",
+ check_str=("rule:admin_or_owner"),
+ description="Restart a database instance.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (restart)"}],
+ ),
+ base.APIRule(
+ name="instance:resize_volume",
+ check_str=("rule:admin_or_owner"),
+ description="Resize a database instance volume.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
+ ),
+ base.APIRule(
+ name="instance:resize_flavor",
+ check_str=("rule:admin_or_owner"),
+ description="Resize a database instance flavor.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
+ ),
+ base.APIRule(
+ name="instance:reset_status",
+ check_str=("rule:admin"),
+ description="Reset the status of a database instance to ERROR.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (reset_status)"}],
+ ),
+ base.APIRule(
+ name="instance:promote_to_replica_source",
+ check_str=("rule:admin_or_owner"),
+ description="Promote instance to replica source.",
+ scope_types=["project"],
+ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)"}],
+ ),
+ base.APIRule(
+ 
name="instance:eject_replica_source", + check_str=("rule:admin_or_owner"), + description="Eject the replica source from its replica set.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)"}], + ), + base.APIRule( + name="instance:configuration", + check_str=("rule:admin_or_owner"), + description="Get the default configuration template applied to the instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/configuration"}], + ), + base.APIRule( + name="instance:guest_log_list", + check_str=("rule:admin_or_owner"), + description="Get all informations about all logs of a database instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/log"}], + ), + base.APIRule( + name="instance:backups", + check_str=("rule:admin_or_owner"), + description="Get all backups of a database instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/backups"}], + ), + base.APIRule( + name="instance:module_list", + check_str=("rule:admin_or_owner"), + description="Get informations about modules on a database instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}], + ), + base.APIRule( + name="instance:module_apply", + check_str=("rule:admin_or_owner"), + description="Apply modules to a database instance.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}], + ), + base.APIRule( + name="instance:module_remove", + check_str=("rule:admin_or_owner"), + description="Remove a module from a database instance.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": 
"/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}"}], + ), + base.APIRule( + name="instance:extension:root:create", + check_str=("rule:admin_or_owner"), + description="Enable the root user of a database instance.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}], + ), + base.APIRule( + name="instance:extension:root:delete", + check_str=("rule:admin_or_owner"), + description="Disable the root user of a database instance.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}], + ), + base.APIRule( + name="instance:extension:root:index", + check_str=("rule:admin_or_owner"), + description="Show whether the root user of a database instance has been ever enabled.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}], + ), + base.APIRule( + name="cluster:extension:root:create", + check_str=("rule:admin_or_owner"), + description="Enable the root user of the instances in a cluster.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], + ), + base.APIRule( + name="cluster:extension:root:delete", + check_str=("rule:admin_or_owner"), + description="Enable the root user of the instances in a cluster.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], + ), + base.APIRule( + name="cluster:extension:root:index", + check_str=("rule:admin_or_owner"), + description="Disable the root of the instances in a cluster.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], + ), + base.APIRule( + name="instance:extension:user:create", + check_str=("rule:admin_or_owner"), + description="Create users for a database instance.", + scope_types=["project"], + operations=[{"method": 
"POST", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}], + ), + base.APIRule( + name="instance:extension:user:delete", + check_str=("rule:admin_or_owner"), + description="Delete a user from a database instance.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}], + ), + base.APIRule( + name="instance:extension:user:index", + check_str=("rule:admin_or_owner"), + description="Get all users of a database instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}], + ), + base.APIRule( + name="instance:extension:user:show", + check_str=("rule:admin_or_owner"), + description="Get the information of a single user of a database instance.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}], + ), + base.APIRule( + name="instance:extension:user:update", + check_str=("rule:admin_or_owner"), + description="Update attributes for a user of a database instance.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}], + ), + base.APIRule( + name="instance:extension:user:update_all", + check_str=("rule:admin_or_owner"), + description="Update the password for one or more users a database instance.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}], + ), + base.APIRule( + name="instance:extension:user_access:update", + check_str=("rule:admin_or_owner"), + description="Grant access for a user to one or more databases.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}], + ), + base.APIRule( + name="instance:extension:user_access:delete", + 
check_str=("rule:admin_or_owner"), + description="Revoke access for a user to a databases.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}"}], + ), + base.APIRule( + name="instance:extension:user_access:index", + check_str=("rule:admin_or_owner"), + description="Get permissions of a user", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}], + ), + base.APIRule( + name="instance:extension:database:create", + check_str=("rule:admin_or_owner"), + description="Create a set of Schemas", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}], + ), + base.APIRule( + name="instance:extension:database:delete", + check_str=("rule:admin_or_owner"), + description="Delete a schema from a database.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}], + ), + base.APIRule( + name="instance:extension:database:index", + check_str=("rule:admin_or_owner"), + description="List all schemas from a database.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}], + ), + base.APIRule( + name="instance:extension:database:show", + check_str=("rule:admin_or_owner"), + description="Get informations of a schema(Currently Not Implemented).", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}], + ), + base.APIRule( + name="cluster:create", + check_str=("rule:admin_or_owner"), + description="Create a cluster.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters"}], + ), + base.APIRule( + 
name="cluster:delete", + check_str=("rule:admin_or_owner"), + description="Delete a cluster.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}"}], + ), + base.APIRule( + name="cluster:force_delete", + check_str=("rule:admin_or_owner"), + description="Forcibly delete a cluster.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}], + ), + base.APIRule( + name="cluster:index", + check_str=("rule:admin_or_owner"), + description="List all clusters", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters"}], + ), + base.APIRule( + name="cluster:show", + check_str=("rule:admin_or_owner"), + description="Get informations of a cluster.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}"}], + ), + base.APIRule( + name="cluster:show_instance", + check_str=("rule:admin_or_owner"), + description="Get informations of a instance in a cluster.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/instances/{instance}"}], + ), + base.APIRule( + name="cluster:action", + check_str=("rule:admin_or_owner"), + description="Commit an action against a cluster", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}"}], + ), + base.APIRule( + name="cluster:reset-status", + check_str=("rule:admin"), + description="Reset the status of a cluster to NONE.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}], + ), + base.APIRule( + name="backup:create", + check_str=("rule:admin_or_owner"), + description="Create a backup of a database instance.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/backups"}], + ), + base.APIRule( + name="backup:delete", + 
check_str=("rule:admin_or_owner"), + description="Delete a backup of a database instance.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backups/{backup}"}], + ), + base.APIRule( + name="backup:index", + check_str=("rule:admin_or_owner"), + description="List all backups.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}], + ), + base.APIRule( + name="backup:index:all_projects", + check_str=("role:admin"), + description="List backups for all the projects.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}], + ), + base.APIRule( + name="backup:show", + check_str=("rule:admin_or_owner"), + description="Get informations of a backup.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups/{backup}"}], + ), + base.APIRule( + name="backup_strategy:create", + check_str=("rule:admin_or_owner"), + description="Create a backup strategy.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/backup_strategies"}], + ), + base.APIRule( + name="backup_strategy:index", + check_str=("rule:admin_or_owner"), + description="List all backup strategies.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/backup_strategies"}], + ), + base.APIRule( + name="backup_strategy:delete", + check_str=("rule:admin_or_owner"), + description="Delete backup strategies.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backup_strategies"}], + ), + base.APIRule( + name="configuration:create", + check_str=("rule:admin_or_owner"), + description="Create a configuration group.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/configurations"}], + ), + base.APIRule( + name="configuration:delete", + check_str=("rule:admin_or_owner"), + description="Delete a configuration 
group.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/configurations/{config}"}], + ), + base.APIRule( + name="configuration:index", + check_str=("rule:admin_or_owner"), + description="List all configuration groups.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations"}], + ), + base.APIRule( + name="configuration:show", + check_str=("rule:admin_or_owner"), + description="Get informations of a configuration group.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}"}], + ), + base.APIRule( + name="configuration:instances", + check_str=("rule:admin_or_owner"), + description="List all instances which a configuration group has be assigned to.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}/instances"}], + ), + base.APIRule( + name="configuration:update", + check_str=("rule:admin_or_owner"), + description="Update a configuration group(the configuration group will be replaced completely).", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/configurations/{config}"}], + ), + base.APIRule( + name="configuration:edit", + check_str=("rule:admin_or_owner"), + description="Patch a configuration group.", + scope_types=["project"], + operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/configurations/{config}"}], + ), + base.APIRule( + name="configuration-parameter:index", + check_str=("rule:admin_or_owner"), + description="List all parameters bind to a datastore version.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters"}], + ), + base.APIRule( + name="configuration-parameter:show", + check_str=("rule:admin_or_owner"), + description="Get a paramter of a datastore version.", + scope_types=["project"], + operations=[{"method": 
"GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}"}], + ), + base.APIRule( + name="configuration-parameter:index_by_version", + check_str=("rule:admin_or_owner"), + description="List all paramters bind to a datastore version by the id of the version(datastore is not provided).", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters"}], + ), + base.APIRule( + name="configuration-parameter:show_by_version", + check_str=("rule:admin_or_owner"), + description="Get a paramter of a datastore version by it names and the id of the version(datastore is not provided).", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}"}], + ), + base.APIRule( + name="datastore:index", + check_str=(""), + description="List all datastores.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores"}], + ), + base.APIRule( + name="datastore:show", + check_str=(""), + description="Get informations of a datastore.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}"}], + ), + base.APIRule( + name="datastore:delete", + check_str=("rule:admin"), + description="Delete a datastore.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/datastores/{datastore}"}], + ), + base.APIRule( + name="datastore:version_show", + check_str=(""), + description="Get a version of a datastore by the version id.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}"}], + ), + base.APIRule( + name="datastore:version_show_by_uuid", + check_str=(""), + description="Get a version of a datastore by the version id(without providing the datastore id).", + scope_types=["project"], + operations=[{"method": "GET", 
"path": "/v1.0/{account_id}/datastores/versions/{version}"}], + ), + base.APIRule( + name="datastore:version_index", + check_str=(""), + description="Get all versions of a datastore.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions"}], + ), + base.APIRule( + name="datastore:list_associated_flavors", + check_str=(""), + description="List all flavors associated with a datastore version.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors"}], + ), + base.APIRule( + name="datastore:list_associated_volume_types", + check_str=(""), + description="List all volume-types associated with a datastore version.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types"}], + ), + base.APIRule( + name="flavor:index", + check_str=(""), + description="List all flavors.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors"}], + ), + base.APIRule( + name="flavor:show", + check_str=(""), + description="Get information of a flavor.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors/{flavor}"}], + ), + base.APIRule( + name="limits:index", + check_str=("rule:admin_or_owner"), + description="List all absolute and rate limit informations.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/limits"}], + ), + base.APIRule( + name="module:create", + check_str=("rule:admin_or_owner"), + description="Create a module.", + scope_types=["project"], + operations=[{"method": "POST", "path": "/v1.0/{account_id}/modules"}], + ), + base.APIRule( + name="module:delete", + check_str=("rule:admin_or_owner"), + description="Delete a module.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": 
"/v1.0/{account_id}/modules/{module}"}], + ), + base.APIRule( + name="module:index", + check_str=("rule:admin_or_owner"), + description="List all modules.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules"}], + ), + base.APIRule( + name="module:show", + check_str=("rule:admin_or_owner"), + description="Get informations of a module.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}"}], + ), + base.APIRule( + name="module:instances", + check_str=("rule:admin_or_owner"), + description="List all instances to which a module is applied.", + scope_types=["project"], + operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}/instances"}], + ), + base.APIRule( + name="module:update", + check_str=("rule:admin_or_owner"), + description="Update a module.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}"}], + ), + base.APIRule( + name="module:reapply", + check_str=("rule:admin_or_owner"), + description="Reapply a module to all instances.", + scope_types=["project"], + operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}/instances"}], + ), +) + +__all__ = ("list_rules",) diff --git a/skyline_apiserver/policy/manager/zun.py b/skyline_apiserver/policy/manager/zun.py index cebab11..d921809 100644 --- a/skyline_apiserver/policy/manager/zun.py +++ b/skyline_apiserver/policy/manager/zun.py @@ -1,3 +1,6 @@ +# flake8: noqa +# fmt: off + from . import base list_rules = ( 
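Review bot: The file-level `# flake8: noqa` added at the top of zun.py switches off every flake8 check for the module, not just the line-length rule, so a later edit that introduces an undefined name or an unused import in this file would go unreported. The intent appears to be to tolerate the long single-line `operations=[...]` entries that the following hunk collapses onto one line, which is better expressed as a per-file, per-code exemption in the flake8 configuration, e.g. `per-file-ignores = skyline_apiserver/policy/manager/*.py: E501`, leaving the remaining checks active. The same blanket directive is added to trove.py earlier in this diff (that hunk begins before this excerpt), so the same narrowing would apply there.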
@@ -22,593 +25,546 @@ list_rules = ( description="Default rule for deny everybody.", ), base.APIRule( - name="zun:container:create", + name="container:create", check_str=("is_admin:True or project_id:%(project_id)s"), description="Create a new container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( - name="zun:container:create:runtime", - check_str=("(role:admin)"), + name="container:create:runtime", + check_str=("rule:context_is_admin"), description="Create a new container with specified runtime.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( - name="zun:container:create:privileged", - check_str=("(!)"), - description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature", # noqa + name="container:create:privileged", + check_str=("rule:deny_everybody"), + description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( - name="zun:container:create:requested_destination", - check_str=("(role:admin)"), + name="container:create:requested_destination", + check_str=("rule:context_is_admin"), description="Create a container on the requested compute host.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( - name="zun:container:create:image_pull_policy", - check_str=("(role:admin)"), + name="container:create:image_pull_policy", + check_str=("rule:context_is_admin"), description="Create a new container with specified image pull policy.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( - name="zun:container:delete", + name="container:delete", check_str=("is_admin:True or 
project_id:%(project_id)s"), description="Delete a container.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:delete_all_projects", - check_str=("(role:admin)"), + name="container:delete_all_projects", + check_str=("rule:context_is_admin"), description="Delete a container from all projects.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:delete_force", - check_str=("(role:admin)"), + name="container:delete_force", + check_str=("rule:context_is_admin"), description="Forcibly delete a container.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:get_one", + name="container:get_one", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of a specific container.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:get_one:host", - check_str=("(role:admin)"), + name="container:get_one:host", + check_str=("rule:context_is_admin"), description="Retrieve the host field of containers.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v1/containers/{container_ident}"}, - {"method": "GET", "path": "/v1/containers"}, - {"method": "POST", "path": "/v1/containers"}, - {"method": "PATCH", "path": "/v1/containers/{container_ident}"}, - ], + operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:get_one:image_pull_policy", - check_str=("(role:admin)"), + name="container:get_one:image_pull_policy", + check_str=("rule:context_is_admin"), 
description="Retrieve the image_pull_policy field of containers.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v1/containers/{container_ident}"}, - {"method": "GET", "path": "/v1/containers"}, - {"method": "POST", "path": "/v1/containers"}, - {"method": "PATCH", "path": "/v1/containers/{container_ident}"}, - ], + operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:get_one:privileged", - check_str=("(role:admin)"), + name="container:get_one:privileged", + check_str=("rule:context_is_admin"), description="Retrieve the privileged field of containers.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v1/containers/{container_ident}"}, - {"method": "GET", "path": "/v1/containers"}, - {"method": "POST", "path": "/v1/containers"}, - {"method": "PATCH", "path": "/v1/containers/{container_ident}"}, - ], + operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( - name="zun:container:get_one:runtime", - check_str=("(role:admin)"), + name="container:get_one:runtime", + check_str=("rule:context_is_admin"), description="Retrieve the runtime field of containers.", scope_types=["project"], - operations=[ - {"method": "GET", "path": "/v1/containers/{container_ident}"}, - {"method": "GET", "path": "/v1/containers"}, - {"method": "POST", "path": "/v1/containers"}, - {"method": "PATCH", "path": "/v1/containers/{container_ident}"}, - ], + operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": 
"/v1/containers/{container_ident}"}],
 ),
 base.APIRule(
- name="zun:container:get_one_all_projects",
- check_str=("(role:admin)"),
+ name="container:get_one_all_projects",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the details of a specific container from all projects.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
 ),
 base.APIRule(
- name="zun:container:get_all",
+ name="container:get_all",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Retrieve the details of all containers.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers"}],
 ),
 base.APIRule(
- name="zun:container:get_all_all_projects",
- check_str=("(role:admin)"),
+ name="container:get_all_all_projects",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the details of all containers across projects.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers"}],
 ),
 base.APIRule(
- name="zun:container:update",
+ name="container:update",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Update a container.",
 scope_types=["project"],
 operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
 ),
 base.APIRule(
- name="zun:container:start",
+ name="container:start",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Start a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}],
 ),
 base.APIRule(
- name="zun:container:stop",
+ name="container:stop",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Stop a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}],
 ),
 base.APIRule(
- name="zun:container:reboot",
+ name="container:reboot",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Reboot a container.",
 scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}],
 ),
 base.APIRule(
- name="zun:container:pause",
+ name="container:pause",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Pause a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}],
 ),
 base.APIRule(
- name="zun:container:unpause",
+ name="container:unpause",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Unpause a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}],
 ),
 base.APIRule(
- name="zun:container:logs",
+ name="container:logs",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Get the log of a container",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}],
 ),
 base.APIRule(
- name="zun:container:execute",
+ name="container:execute",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Execute command in a running container",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}],
 ),
 base.APIRule(
- name="zun:container:execute_resize",
+ name="container:execute_resize",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Resize the TTY used by an execute command.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}],
 ),
 base.APIRule(
- name="zun:container:kill",
+ name="container:kill",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Kill a running container",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}],
 ),
 base.APIRule(
- name="zun:container:rename",
+ name="container:rename",
check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Rename a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}],
 ),
 base.APIRule(
- name="zun:container:attach",
+ name="container:attach",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Attach to a running container",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}],
 ),
 base.APIRule(
- name="zun:container:resize",
+ name="container:resize",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Resize a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}],
 ),
 base.APIRule(
- name="zun:container:top",
+ name="container:top",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Display the running processes inside the container.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}],
 ),
 base.APIRule(
- name="zun:container:get_archive",
+ name="container:get_archive",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Get a tar archive of a path of container.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}],
 ),
 base.APIRule(
- name="zun:container:put_archive",
+ name="container:put_archive",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Put a tar archive to be extracted to a path of container",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}],
 ),
 base.APIRule(
- name="zun:container:stats",
+ name="container:stats",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Display the statistics of a container",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}],
 ),
base.APIRule(
- name="zun:container:commit",
+ name="container:commit",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Commit a container",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}],
 ),
 base.APIRule(
- name="zun:container:add_security_group",
+ name="container:add_security_group",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Add a security group to a specific container.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}],
 ),
 base.APIRule(
- name="zun:container:network_detach",
+ name="container:network_detach",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Detach a network from a container.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}],
 ),
 base.APIRule(
- name="zun:container:network_attach",
+ name="container:network_attach",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Attach a network from a container.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}],
 ),
 base.APIRule(
- name="zun:container:remove_security_group",
+ name="container:remove_security_group",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Remove security group from a specific container.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}],
 ),
 base.APIRule(
- name="zun:container:rebuild",
+ name="container:rebuild",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Rebuild a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}],
 ),
 base.APIRule(
- name="zun:container:resize_container",
+ name="container:resize_container",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Resize an existing container.",
 scope_types=["project"],
- operations=[
- {"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}
- ],
+ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}],
 ),
 base.APIRule(
- name="zun:image:pull",
- check_str=("(role:admin)"),
+ name="image:pull",
+ check_str=("rule:context_is_admin"),
 description="Pull an image.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/images"}],
 ),
 base.APIRule(
- name="zun:image:get_all",
- check_str=("(role:admin)"),
+ name="image:get_all",
+ check_str=("rule:context_is_admin"),
 description="Print a list of available images.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/images"}],
 ),
 base.APIRule(
- name="zun:image:get_one",
- check_str=("(role:admin)"),
+ name="image:get_one",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the details of a specific image.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/images/{image_id}"}],
 ),
 base.APIRule(
- name="zun:image:search",
+ name="image:search",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Search an image.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}],
 ),
 base.APIRule(
- name="zun:image:delete",
- check_str=("(role:admin)"),
+ name="image:delete",
+ check_str=("rule:context_is_admin"),
 description="Delete an image.",
scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}],
 ),
 base.APIRule(
- name="zun:zun-service:delete",
- check_str=("(role:admin)"),
+ name="zun-service:delete",
+ check_str=("rule:context_is_admin"),
 description="Delete a service.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/services"}],
 ),
 base.APIRule(
- name="zun:zun-service:disable",
- check_str=("(role:admin)"),
+ name="zun-service:disable",
+ check_str=("rule:context_is_admin"),
 description="Disable a service.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/services/disable"}],
 ),
 base.APIRule(
- name="zun:zun-service:enable",
- check_str=("(role:admin)"),
+ name="zun-service:enable",
+ check_str=("rule:context_is_admin"),
 description="Enable a service.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/services/enable"}],
 ),
 base.APIRule(
- name="zun:zun-service:force_down",
- check_str=("(role:admin)"),
+ name="zun-service:force_down",
+ check_str=("rule:context_is_admin"),
 description="Forcibly shutdown a service.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/services/force_down"}],
 ),
 base.APIRule(
- name="zun:zun-service:get_all",
- check_str=("(role:admin)"),
+ name="zun-service:get_all",
+ check_str=("rule:context_is_admin"),
 description="Show the status of a service.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/services"}],
 ),
 base.APIRule(
- name="zun:host:get_all",
- check_str=("(role:admin)"),
+ name="host:get_all",
+ check_str=("rule:context_is_admin"),
 description="List all compute hosts.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/hosts"}],
 ),
 base.APIRule(
- name="zun:host:get",
- check_str=("(role:admin)"),
+ name="host:get",
+ check_str=("rule:context_is_admin"),
 description="Show the details of a specific compute host.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}],
 ),
 base.APIRule(
- name="zun:capsule:create",
+ name="capsule:create",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Create a capsule",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/capsules/"}],
 ),
 base.APIRule(
- name="zun:capsule:delete",
+ name="capsule:delete",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Delete a capsule",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
 ),
 base.APIRule(
- name="zun:capsule:delete_all_projects",
- check_str=("(role:admin)"),
+ name="capsule:delete_all_projects",
+ check_str=("rule:context_is_admin"),
 description="Delete a container in any project.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
 ),
 base.APIRule(
- name="zun:capsule:get",
+ name="capsule:get",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Retrieve the details of a capsule.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
 ),
 base.APIRule(
- name="zun:capsule:get:host",
- check_str=("(role:admin)"),
+ name="capsule:get:host",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the host field of a capsule.",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1/capsules/{capsule_ident}"},
- {"method": "GET", "path": "/v1/capsules"},
- {"method": "POST", "path": "/v1/capsules"},
- ],
+ operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}, {"method": "GET", "path": "/v1/capsules"}, {"method": "POST", "path": "/v1/capsules"}],
 ),
 base.APIRule(
- name="zun:capsule:get_one_all_projects",
- check_str=("(role:admin)"),
+ name="capsule:get_one_all_projects",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the details of a capsule in any project.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
 ),
 base.APIRule(
- name="zun:capsule:get_all",
+ name="capsule:get_all",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="List all capsules.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/capsules/"}],
 ),
 base.APIRule(
- name="zun:capsule:get_all_all_projects",
- check_str=("(role:admin)"),
+ name="capsule:get_all_all_projects",
+ check_str=("rule:context_is_admin"),
 description="List all capsules across projects.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/capsules/"}],
 ),
 base.APIRule(
- name="zun:network:attach_external_network",
+ name="network:attach_external_network",
 check_str=("role:admin"),
 description="Attach an unshared external network to a container",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers"}],
 ),
 base.APIRule(
- name="zun:network:create",
+ name="network:create",
 check_str=("role:admin"),
 description="Create a network",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/networks"}],
 ),
 base.APIRule(
- name="zun:network:delete",
+ name="network:delete",
 check_str=("role:admin"),
 description="Delete a network",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/networks"}],
 ),
 base.APIRule(
- name="zun:container:actions",
+ name="container:actions",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="List actions and show action details for a container",
 scope_types=["project"],
- operations=[
- {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"},
- {
- "method": "GET",
- "path": "/v1/containers/{container_ident}/container_actions/{request_id}",
- },
- ],
+ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"}, {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
 ),
 base.APIRule(
- name="zun:container:action:events",
- check_str=("(role:admin)"),
+ name="container:action:events",
+ check_str=("rule:context_is_admin"),
 description="Add events details in action details for a container.",
 scope_types=["project"],
- operations=[
- {
- "method": "GET",
- "path": "/v1/containers/{container_ident}/container_actions/{request_id}",
- }
- ],
+ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
 ),
 base.APIRule(
- name="zun:availability_zones:get_all",
+ name="availability_zones:get_all",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="List availability zone",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/availability_zones"}],
 ),
 base.APIRule(
- name="zun:quota:update",
- check_str=("(role:admin)"),
+ name="quota:update",
+ check_str=("rule:context_is_admin"),
 description="Update quotas for a project",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}],
 ),
 base.APIRule(
- name="zun:quota:delete",
- check_str=("(role:admin)"),
+ name="quota:delete",
+ check_str=("rule:context_is_admin"),
 description="Delete quotas for a project",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}],
 ),
 base.APIRule(
- name="zun:quota:get",
+ name="quota:get",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Get quotas for a project",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}],
 ),
 base.APIRule(
- name="zun:quota:get_default",
+ name="quota:get_default",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Get default quotas for a project",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/quotas/defaults"}],
 ),
 base.APIRule(
- name="zun:quota_class:update",
- check_str=("(role:admin)"),
+ name="quota_class:update",
+ check_str=("rule:context_is_admin"),
 description="Update quotas for specific quota class",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}],
 ),
 base.APIRule(
- name="zun:quota_class:get",
- check_str=("(role:admin)"),
+ name="quota_class:get",
+ check_str=("rule:context_is_admin"),
 description="List quotas for specific quota class",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}],
 ),
 base.APIRule(
- name="zun:registry:create",
+ name="registry:create",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Create a new registry.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/registries"}],
 ),
 base.APIRule(
- name="zun:registry:delete",
+ name="registry:delete",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Delete a registry.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}],
 ),
 base.APIRule(
- name="zun:registry:get_one",
+ name="registry:get_one",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Retrieve the details of a specific registry.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}],
 ),
 base.APIRule(
- name="zun:registry:get_all",
+ name="registry:get_all",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Retrieve the details of all registries.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/registries"}],
 ),
 base.APIRule(
- name="zun:registry:get_all_all_projects",
- check_str=("(role:admin)"),
+ name="registry:get_all_all_projects",
+ check_str=("rule:context_is_admin"),
 description="Retrieve the details of all registries across projects.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/registries"}],
 ),
 base.APIRule(
- name="zun:registry:update",
+ name="registry:update",
 check_str=("is_admin:True or project_id:%(project_id)s"),
 description="Update a registry.",
 scope_types=["project"],
diff --git a/skyline_apiserver/types/constants.py b/skyline_apiserver/types/constants.py
index e298389..ca7b3cd 100644
--- a/skyline_apiserver/types/constants.py
+++ b/skyline_apiserver/types/constants.py
@@ -48,10 +48,12 @@ SUPPORTED_SERVICE_EPS = {
 "cinder": ["cinder"],
 "glance": ["glance"],
 "heat": ["heat"],
- "ironic": ["ironic.api", "ironic_inspector.api"],
+ "ironic": ["ironic.api"],
+ "ironic_inspector": ["ironic_inspector.api"],
 "keystone": ["keystone"],
- "neutron": ["neutron", "neutron-vpnaas"],
+ "magnum": ["magnum"],
 "manila": ["manila"],
+ "neutron": ["neutron", "neutron-vpnaas"],
 "nova": ["nova"],
 "octavia": ["octavia"],
 "panko": ["panko"],
@@ -59,5 +61,3 @@ SUPPORTED_SERVICE_EPS = {
 "trove": ["trove"],
 "zun": ["zun"],
 }
-
-PREFIX_MAPPINGS = {"trove": "trove:", "manila": "manila:", "zun": "zun:"}
diff --git a/tools/post_install.sh b/tools/post_install.sh
index 0bea21c..c73405f 100755
--- a/tools/post_install.sh
+++ b/tools/post_install.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # Install openstack service package
-pip install --no-deps \
+pip install -U \
 keystone \
 openstack-placement \
 nova \
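Review bot: `SUPPORTED_SERVICE_EPS` gains `ironic_inspector` and `magnum` keys but still carries no comment saying what the keys and the entry-point strings in the values are matched against, which now matters because `ironic` and `ironic_inspector` are looked up as two separate services instead of one entry holding both entry points. A one-line comment above the dict, e.g. `# service name -> policy entry-point names whose rules are loaded for it (confirm against the loader)`, would make the split reviewable without reading the consumer. The dict's opening line is outside this hunk.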
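Review bot: `pip install -U` with no version pins, constraints file or hash checking now upgrades every listed service package to whatever the index serves at build time, so two builds can produce different dependency sets and a newly published or tampered release is pulled in without review; pinning through a constraints file (`pip install -U -c <constraints-file> \`) keeps the install reproducible. Dropping `--no-deps` also means each service's full dependency tree is now resolved against the packages already installed for the apiserver, so version conflicts that were previously masked will surface here. The script still sets no error mode after the shebang, so a failed install does not fail the script; `set -euo pipefail` on the line after `#!/usr/bin/env bash` would make that visible in CI.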
@@ -10,25 +10,10 @@ pip install --no-deps \
 trove \
 neutron neutron-vpnaas \
 openstack-heat \
- ironic-lib ironic ironic-inspector \
- octavia-lib octavia \
+ ironic \
+ ironic-inspector \
+ octavia \
 panko \
 manila \
 magnum \
 zun
-
-# Patch cinder
-patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/cinder/__init__.py"
-sed -i 's/\(.*eventlet.*\)/# \1/g' $patch_path
-
-# Patch neutron
-patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/neutron/conf/policies/floatingip_pools.py"
-sed -i 's/admin/system/g' $patch_path
-
-# Patch ironic
-patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic/common/policy.py"
-sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path
-
-# Patch ironic_inspector
-patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic_inspector/policy.py"
-sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path
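Review bot: With the four `sed -i` patch steps gone, nothing after the `pip install` verifies that the installed services' policy modules still import, which is presumably what the removed eventlet/lockutils edits were working around; if the current releases import cleanly, an import smoke test at the end of the script, e.g. `python3 -c "import <service policy module>"` for each service, would catch the next regression at build time rather than at first request. The neutron `admin`→`system` rewrite of `floatingip_pools.py` is dropped as well, so those rules now apply with their upstream check strings; worth confirming the enforcer's context carries the scope they expect.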