baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Register rule and apirule into enforcer

Browse Source 
1. We register both apirule and rule into enforcer, so we can keep
the rule in the check_str
2. We re-generate all the services' policy, we just use the original
policy of them. If users want to change, they can change them by
themselves.
3. Adjust the post_install.sh, we install the service packages with
dependencies.
4. Split the ironic and ironic_inspector policy, they can not be in
the same policy file.

Change-Id: I9e152e33be4eef60432fb2030d388b3bec4c082e
This commit is contained in:
zhu.boxiang 2022-05-31 20:21:20 +08:00
parent 32990f9269
commit 32a00a6529
21 changed files with 3318 additions and 7150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
requirements.txt
View File

@ -14,9 +14,9 @@ aiosqlite<=0.17.0 # MIT
loguru<=0.5.3 # MIT loguru<=0.5.3 # MIT
PyYAML>=5.4.1,<=6.0 # MIT PyYAML>=5.4.1,<=6.0 # MIT
immutables>=0.16 # Apache-2.0 immutables>=0.16 # Apache-2.0
alembic>=1.7.5,<=1.7.7 # MIT alembic>=1.7.5 # MIT
httpx>=0.16.1 # BSD License (3 clause) httpx>=0.16.1 # BSD License (3 clause)
SQLAlchemy>=1.3.24,<=1.4.36 # MIT SQLAlchemy>=1.3.24 # MIT
PyMySQL>=0.9.3,<=1.0.2 # MIT PyMySQL>=0.9.3,<=1.0.2 # MIT
dnspython>=2.1.0,<=2.2.1 # ISC dnspython>=2.1.0,<=2.2.1 # ISC
click>=7.1.2,<=8.1.3 # BSD License (3 clause) click>=7.1.2,<=8.1.3 # BSD License (3 clause)

47
skyline_apiserver/api/v1/policy.py
View File

@ -14,6 +14,8 @@
from __future__ import annotations from __future__ import annotations
from typing import Dict
from fastapi import APIRouter, Depends, HTTPException, status from fastapi import APIRouter, Depends, HTTPException, status
from skyline_apiserver import schemas from skyline_apiserver import schemas
@ -25,6 +27,41 @@ from skyline_apiserver.schemas import Policies, PoliciesRules, common
router = APIRouter() router = APIRouter()
def _generate_target(profile: schemas.Profile) -> Dict[str, str]:
return {
"user_id": profile.user.id,
"project_id": profile.project.id,
# trove
"tenant": profile.project.id,
# keystone
"trust.trustor_user_id": profile.user.id,
"target.user.id": profile.user.id,
"target.user.domain_id": profile.user.domain.id,
"target.project.domain_id": profile.project.domain.id,
"target.project.id": profile.project.id,
"target.trust.trustor_user_id": profile.user.id,
"target.trust.trustee_user_id": profile.user.id,
"target.token.user_id": profile.user.id,
"target.domain.id": profile.project.domain.id,
"target.domain_id": profile.project.domain.id,
"target.credential.user_id": profile.user.id,
"target.role.domain_id": profile.project.domain.id,
"target.group.domain_id": profile.project.domain.id,
"target.limit.domain.id": profile.project.domain.id,
"target.limit.project_id": profile.project.domain.id,
"target.limit.project.domain_id": profile.project.domain.id,
# ironic
"allocation.owner": profile.project.id,
"node.lessee": profile.project.id,
"node.owner": profile.project.id,
# glance
"member_id": profile.project.id,
"owner": profile.project.id,
# cinder
"domain_id": profile.project.domain.id,
}
@router.get( @router.get(
"/policies", "/policies",
description="List policies and permissions", description="List policies and permissions",
@ -43,10 +80,7 @@ async def list_policies(
session = await generate_session(profile) session = await generate_session(profile)
access = await get_access(session) access = await get_access(session)
user_context = UserContext(access) user_context = UserContext(access)
target = { target = _generate_target(profile)
"user_id": profile.user.id,
"project_id": profile.project.id,
}
result = [ result = [
{"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)} {"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)}
for rule in ENFORCER.rules for rule in ENFORCER.rules
@ -74,10 +108,7 @@ async def check_policies(
session = await generate_session(profile) session = await generate_session(profile)
access = await get_access(session) access = await get_access(session)
user_context = UserContext(access) user_context = UserContext(access)
target = { target = _generate_target(profile)
"user_id": profile.user.id,
"project_id": profile.project.id,
}
try: try:
result = [ result = [
{"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)} {"rule": rule, "allowed": ENFORCER.authorize(rule, target, user_context)}

46
skyline_apiserver/cmd/policy_manager.py
View File

@ -136,16 +136,22 @@ def generate_conf(dir: str, desc: str) -> None:
f.write(f"# {desc}\n\n") f.write(f"# {desc}\n\n")
for rule in rules: for rule in rules:
rule_yaml = rule.format_into_yaml() rule_yaml = rule.format_into_yaml()
if service in constants.PREFIX_MAPPINGS:
rule_yaml = rule_yaml.replace(constants.PREFIX_MAPPINGS[service], "")
f.writelines(rule_yaml) f.writelines(rule_yaml)
LOG.info("Generate policy successful") LOG.info("Generate policy successful")
@click.command(help="Generate service rule code.") @click.command(help="Generate service rule code.")
@click.argument("entry_point") @click.argument("service")
def generate_rule(entry_point: str) -> None: def generate_rule(service: str) -> None:
entry_points = constants.SUPPORTED_SERVICE_EPS.get(service, [])
if not entry_points:
LOG.error(f"Service {service} is not supported.")
return
rules = []
api_rules = []
for entry_point in entry_points:
ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point) ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point)
if ep_rules_func is None: if ep_rules_func is None:
raise Exception( raise Exception(
@ -153,16 +159,16 @@ def generate_rule(entry_point: str) -> None:
) )
ep_rules = [item for item in ep_rules_func()] ep_rules = [item for item in ep_rules_func()]
rules = []
api_rules = []
for rule in ep_rules: for rule in ep_rules:
if isinstance(rule, DocumentedRuleDefault): if isinstance(rule, DocumentedRuleDefault):
api_rules.append(APIRule.from_oslo(rule)) api_rules.append(APIRule.from_oslo(rule))
elif isinstance(rule, RuleDefault): elif isinstance(rule, RuleDefault):
rules.append(Rule.from_oslo(rule)) rules.append(Rule.from_oslo(rule))
header_str = """ header_str = """\
# flake8: noqa
# fmt: off
from . import base from . import base
list_rules = (""" list_rules = ("""
@ -175,9 +181,7 @@ list_rules = ("""
" description={description},\n" " description={description},\n"
" )," " ),"
) )
rule_mappings = {}
for r in rules: for r in rules:
rule_mappings[f"rule:{r.name}"] = r.check_str
print( print(
rule_format_str.format( rule_format_str.format(
name=json.dumps(r.name), name=json.dumps(r.name),
@ -196,26 +200,10 @@ list_rules = ("""
" )," " ),"
) )
for r in api_rules: for r in api_rules:
name = constants.PREFIX_MAPPINGS.get(entry_point, "") + r.name
check_str = r.check_str
tries = 0
while "rule:" in check_str:
tries += 1
for k, v in rule_mappings.items():
if k + " " in check_str or check_str.endswith(k):
check_str = check_str.replace(k, f"({v})")
elif "(" + k + ")" in check_str:
check_str = check_str.replace(k, v)
if tries > 10:
raise Exception(f"Can't replace rule name in {r.name}")
# Fix for Trove, replace 'project_id:%(tenant)s' with 'project_id:%(project_id)s'
if entry_point == "trove":
check_str = check_str.replace("project_id:%(tenant)s", "project_id:%(project_id)s")
print( print(
apirule_format_str.format( apirule_format_str.format(
name=json.dumps(name), name=json.dumps(r.name),
check_str=json.dumps(check_str), check_str=json.dumps(r.check_str),
description=json.dumps(r.description), description=json.dumps(r.description),
scope_types=json.dumps(r.scope_types), scope_types=json.dumps(r.scope_types),
operations=json.dumps(r.operations), operations=json.dumps(r.operations),
@ -224,7 +212,7 @@ list_rules = ("""
footer_str = """) footer_str = """)
__all__ = ("list_rules",) __all__ = ("list_rules",)\
""" """
print(footer_str) print(footer_str)

17
skyline_apiserver/policy/__init__.py
View File

@ -14,9 +14,10 @@
from __future__ import annotations from __future__ import annotations
from oslo_policy import _parser # type: ignore
from .base import Enforcer, UserContext from .base import Enforcer, UserContext
from .manager import get_service_rules from .manager import get_service_rules
from .manager.base import APIRule
ENFORCER = Enforcer() ENFORCER = Enforcer()
@ -24,8 +25,18 @@ ENFORCER = Enforcer()
def setup() -> None: def setup() -> None:
service_rules = get_service_rules() service_rules = get_service_rules()
all_api_rules = [] all_api_rules = []
for rules in service_rules.values(): for service, rules in service_rules.items():
api_rules = [rule for rule in rules if isinstance(rule, APIRule)] api_rules = []
for rule in rules:
# Update rule name with prefix service.
rule.name = f"{service}:{rule.name}"
# Update check
rule.check_str = rule.check_str.replace("rule:", f"rule:{service}:")
rule.check = _parser.parse_rule(rule.check_str)
# Update basic check
rule.basic_check_str = rule.basic_check_str.replace("rule:", f"rule:{service}:")
rule.basic_check = _parser.parse_rule(rule.basic_check_str)
api_rules.append(rule)
all_api_rules.extend(api_rules) all_api_rules.extend(api_rules)
ENFORCER.register_rules(all_api_rules) ENFORCER.register_rules(all_api_rules)

970
skyline_apiserver/policy/manager/cinder.py
View File

File diff suppressed because it is too large Load Diff

389
skyline_apiserver/policy/manager/glance.py
View File

@ -1,4 +1,5 @@
# flake8: noqa # flake8: noqa
# fmt: off
from . import base from . import base
@ -28,140 +29,9 @@ list_rules = (
check_str=("role:admin"), check_str=("role:admin"),
description="No description", description="No description",
), ),
base.Rule(
name="get_metadef_namespace",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_namespaces",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_object",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_objects",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="list_metadef_resource_types",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_resource_type",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_property",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_properties",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="get_metadef_tag",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="get_metadef_tags",
check_str=("rule:metadef_default"),
description="No description",
),
base.Rule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="No description",
),
base.Rule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="No description",
),
base.APIRule( base.APIRule(
name="add_image", name="add_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Create new image", description="Create new image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images"}], operations=[{"method": "POST", "path": "/v2/images"}],
@ -169,17 +39,13 @@ list_rules = (
base.APIRule( base.APIRule(
name="delete_image", name="delete_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Deletes the image", description="Deletes the image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
), ),
base.APIRule( base.APIRule(
name="get_image", name="get_image",
check_str=( check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))'
),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Get specified image", description="Get specified image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
@ -187,7 +53,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="get_images", name="get_images",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Get all available images", description="Get all available images",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images"}], operations=[{"method": "GET", "path": "/v2/images"}],
@ -195,7 +60,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="modify_image", name="modify_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Updates given image", description="Updates given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -203,7 +67,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="publicize_image", name="publicize_image",
check_str=("role:admin"), check_str=("role:admin"),
basic_check_str=("role:admin"),
description="Publicize given image", description="Publicize given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -211,17 +74,13 @@ list_rules = (
base.APIRule( base.APIRule(
name="communitize_image", name="communitize_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("!"),
description="Communitize given image", description="Communitize given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
), ),
base.APIRule( base.APIRule(
name="download_image", name="download_image",
check_str=( check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))'
),
basic_check_str=("role:admin or role:admin or role:member"),
description="Downloads given image", description="Downloads given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}], operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
@ -229,7 +88,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="upload_image", name="upload_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Uploads data to specified image", description="Uploads data to specified image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
@ -237,7 +95,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="delete_image_location", name="delete_image_location",
check_str=("role:admin"), check_str=("role:admin"),
basic_check_str=("role:admin"),
description="Deletes the location of given image", description="Deletes the location of given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -245,7 +102,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="get_image_location", name="get_image_location",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Reads the location of the image", description="Reads the location of the image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
@ -253,7 +109,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="set_image_location", name="set_image_location",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin"),
description="Sets location URI to given image", description="Sets location URI to given image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
@ -261,7 +116,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="add_member", name="add_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Create image member", description="Create image member",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}], operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
@ -269,31 +123,27 @@ list_rules = (
base.APIRule( base.APIRule(
name="delete_member", name="delete_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Delete image member", description="Delete image member",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
), ),
base.APIRule( base.APIRule(
name="get_member", name="get_member",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="Show image member details", description="Show image member details",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}],
), ),
base.APIRule( base.APIRule(
name="get_members", name="get_members",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"),
description="List image members", description="List image members",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}],
), ),
base.APIRule( base.APIRule(
name="modify_member", name="modify_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(member_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Update image member", description="Update image member",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
@ -301,7 +151,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="deactivate", name="deactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Deactivate image", description="Deactivate image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
@ -309,7 +158,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="reactivate", name="reactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"), check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
basic_check_str=("role:admin or role:admin or role:member"),
description="Reactivate image", description="Reactivate image",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
@ -317,7 +165,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="copy_image", name="copy_image",
check_str=("role:admin"), check_str=("role:admin"),
basic_check_str=("@"),
description="Copy existing image to other stores", description="Copy existing image to other stores",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}], operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}],
@ -325,7 +172,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="get_task", name="get_task",
check_str=("rule:default"), check_str=("rule:default"),
basic_check_str=("!"),
description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}], operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}],
@ -333,7 +179,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="get_tasks", name="get_tasks",
check_str=("rule:default"), check_str=("rule:default"),
basic_check_str=("!"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/tasks"}], operations=[{"method": "GET", "path": "/v2/tasks"}],
@ -341,7 +186,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="add_task", name="add_task",
check_str=("rule:default"), check_str=("rule:default"),
basic_check_str=("!"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/tasks"}], operations=[{"method": "POST", "path": "/v2/tasks"}],
@ -349,7 +193,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="modify_task", name="modify_task",
check_str=("rule:default"), check_str=("rule:default"),
basic_check_str=("!"),
description="This policy is not used.", description="This policy is not used.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}], operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
@ -357,15 +200,219 @@ list_rules = (
base.APIRule( base.APIRule(
name="tasks_api_access", name="tasks_api_access",
check_str=("role:admin"), check_str=("role:admin"),
basic_check_str=("!"),
description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#", description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
{"method": "GET", "path": "/v2/tasks/{task_id}"}, ),
{"method": "GET", "path": "/v2/tasks"}, base.APIRule(
{"method": "POST", "path": "/v2/tasks"}, name="get_metadef_namespace",
{"method": "DELETE", "path": "/v2/tasks/{task_id}"}, check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
], description="Get a specific namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_namespaces",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="List namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Modify an existing namespace.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Create a namespace.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Delete a namespace.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_object",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific object from a namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="get_metadef_objects",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get objects from a namespace.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="Update an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="Create an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="Delete an object within a namespace.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="list_metadef_resource_types",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition resource types.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
),
base.APIRule(
name="get_metadef_resource_type",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get meta definition resource types associations.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Create meta definition resource types association.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Delete meta definition resource types association.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
),
base.APIRule(
name="get_metadef_property",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_properties",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition properties.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="Update meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="Create meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="Delete meta definition property.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_tag",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get tag definition.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="get_metadef_tags",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="Update tag definition.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="Add tag definition.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="Create tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="Delete tag definition.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="Delete tag definitions.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="cache_image",
check_str=("role:admin"),
description="Queue image for caching",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/cache/{image_id}"}],
),
base.APIRule(
name="cache_list",
check_str=("role:admin"),
description="List cache status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/cache"}],
),
base.APIRule(
name="cache_delete",
check_str=("role:admin"),
description="Delete image(s) from cache and/or queue",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/cache"}, {"method": "DELETE", "path": "/v2/cache/{image_id}"}],
),
base.APIRule(
name="stores_info_detail",
check_str=("role:admin"),
description="Expose store specific information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
), ),
) )

616
skyline_apiserver/policy/manager/heat.py
View File

@ -1,4 +1,5 @@
# flake8: noqa # flake8: noqa
# fmt: off
from . import base from . import base
@ -30,93 +31,67 @@ list_rules = (
), ),
base.Rule( base.Rule(
name="cloudformation:ListStacks", name="cloudformation:ListStacks",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:CreateStack", name="cloudformation:CreateStack",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:DescribeStacks", name="cloudformation:DescribeStacks",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:DeleteStack", name="cloudformation:DeleteStack",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:UpdateStack", name="cloudformation:UpdateStack",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:CancelUpdateStack", name="cloudformation:CancelUpdateStack",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:DescribeStackEvents", name="cloudformation:DescribeStackEvents",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:ValidateTemplate", name="cloudformation:ValidateTemplate",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:GetTemplate", name="cloudformation:GetTemplate",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:EstimateTemplateCost", name="cloudformation:EstimateTemplateCost",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:DescribeStackResource", name="cloudformation:DescribeStackResource",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:DescribeStackResources", name="cloudformation:DescribeStackResources",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="cloudformation:ListStackResources", name="cloudformation:ListStackResources",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
@ -231,783 +206,402 @@ list_rules = (
), ),
base.APIRule( base.APIRule(
name="actions:action", name="actions:action",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.", description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:snapshot", name="actions:snapshot",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create stack snapshot", description="Create stack snapshot",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:suspend", name="actions:suspend",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Suspend a stack.", description="Suspend a stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:resume", name="actions:resume",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Resume a suspended stack.", description="Resume a suspended stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:check", name="actions:check",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Check stack resources.", description="Check stack resources.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:cancel_update", name="actions:cancel_update",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Cancel stack operation and roll back.", description="Cancel stack operation and roll back.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="actions:cancel_without_rollback", name="actions:cancel_without_rollback",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Cancel stack operation without rolling back.", description="Cancel stack operation without rolling back.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
), ),
base.APIRule( base.APIRule(
name="build_info:build_info", name="build_info:build_info",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="Show build information.", description="Show build information.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}],
), ),
base.APIRule( base.APIRule(
name="events:index", name="events:index",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List events.", description="List events.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"},
],
), ),
base.APIRule( base.APIRule(
name="events:show", name="events:show",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show event.", description="Show event.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="resource:index", name="resource:index",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List resources.", description="List resources.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"},
],
), ),
base.APIRule( base.APIRule(
name="resource:metadata", name="resource:metadata",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Show resource metadata.", description="Show resource metadata.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata",
},
],
), ),
base.APIRule( base.APIRule(
name="resource:signal", name="resource:signal",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user"
),
description="Signal resource.", description="Signal resource.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal"}],
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal",
},
],
), ),
base.APIRule( base.APIRule(
name="resource:mark_unhealthy", name="resource:mark_unhealthy",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Mark resource as unhealthy.", description="Mark resource as unhealthy.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
{
"method": "PATCH",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="resource:show", name="resource:show",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show resource.", description="Show resource.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}",
},
],
), ),
base.APIRule( base.APIRule(
name="software_configs:global_index", name="software_configs:global_index",
check_str=("role:reader and system_scope:all"), check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List configs globally.", description="List configs globally.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
), ),
base.APIRule( base.APIRule(
name="software_configs:index", name="software_configs:index",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List configs.", description="List configs.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
), ),
base.APIRule( base.APIRule(
name="software_configs:create", name="software_configs:create",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create config.", description="Create config.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}],
), ),
base.APIRule( base.APIRule(
name="software_configs:show", name="software_configs:show",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show config details.", description="Show config details.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
), ),
base.APIRule( base.APIRule(
name="software_configs:delete", name="software_configs:delete",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete config.", description="Delete config.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
), ),
base.APIRule( base.APIRule(
name="software_deployments:index", name="software_deployments:index",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List deployments.", description="List deployments.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}],
), ),
base.APIRule( base.APIRule(
name="software_deployments:create", name="software_deployments:create",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create deployment.", description="Create deployment.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
), ),
base.APIRule( base.APIRule(
name="software_deployments:show", name="software_deployments:show",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show deployment details.", description="Show deployment details.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
), ),
base.APIRule( base.APIRule(
name="software_deployments:update", name="software_deployments:update",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update deployment.", description="Update deployment.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
), ),
base.APIRule( base.APIRule(
name="software_deployments:delete", name="software_deployments:delete",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete deployment.", description="Delete deployment.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
), ),
base.APIRule( base.APIRule(
name="software_deployments:metadata", name="software_deployments:metadata",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Show server configuration metadata.", description="Show server configuration metadata.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:abandon", name="stacks:abandon",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Abandon stack.", description="Abandon stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:create", name="stacks:create",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create stack.", description="Create stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
), ),
base.APIRule( base.APIRule(
name="stacks:delete", name="stacks:delete",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete stack.", description="Delete stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:detail", name="stacks:detail",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List stacks in detail.", description="List stacks in detail.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
), ),
base.APIRule( base.APIRule(
name="stacks:export", name="stacks:export",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Export stack.", description="Export stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:generate_template", name="stacks:generate_template",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Generate stack template.", description="Generate stack template.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:global_index", name="stacks:global_index",
check_str=("role:reader and system_scope:all"), check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List stacks globally.", description="List stacks globally.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
), ),
base.APIRule( base.APIRule(
name="stacks:index", name="stacks:index",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List stacks.", description="List stacks.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
), ),
base.APIRule( base.APIRule(
name="stacks:list_resource_types", name="stacks:list_resource_types",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List resource types.", description="List resource types.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}],
), ),
base.APIRule( base.APIRule(
name="stacks:list_template_versions", name="stacks:list_template_versions",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List template versions.", description="List template versions.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}],
), ),
base.APIRule( base.APIRule(
name="stacks:list_template_functions", name="stacks:list_template_functions",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List template functions.", description="List template functions.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions/{template_version}/functions"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/template_versions/{template_version}/functions",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:lookup", name="stacks:lookup",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Find stack.", description="Find stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
), ),
base.APIRule( base.APIRule(
name="stacks:preview", name="stacks:preview",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview stack.", description="Preview stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}],
), ),
base.APIRule( base.APIRule(
name="stacks:resource_schema", name="stacks:resource_schema",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="Show resource type schema.", description="Show resource type schema.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}],
), ),
base.APIRule( base.APIRule(
name="stacks:show", name="stacks:show",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show stack.", description="Show stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
), ),
base.APIRule( base.APIRule(
name="stacks:template", name="stacks:template",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack template.", description="Get stack template.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:environment", name="stacks:environment",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack environment.", description="Get stack environment.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:files", name="stacks:files",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack files.", description="Get stack files.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:update", name="stacks:update",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack.", description="Update stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
), ),
base.APIRule( base.APIRule(
name="stacks:update_patch", name="stacks:update_patch",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack (PATCH).", description="Update stack (PATCH).",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:update_no_change", name="stacks:update_no_change",
check_str=("rule:stacks:update_patch"), check_str=("rule:stacks:update_patch"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack (PATCH) with no changes.", description="Update stack (PATCH) with no changes.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:preview_update", name="stacks:preview_update",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview update stack.", description="Preview update stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:preview_update_patch", name="stacks:preview_update_patch",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview update stack (PATCH).", description="Preview update stack (PATCH).",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:validate_template", name="stacks:validate_template",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Validate template.", description="Validate template.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}], operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
), ),
base.APIRule( base.APIRule(
name="stacks:snapshot", name="stacks:snapshot",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Snapshot Stack.", description="Snapshot Stack.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:show_snapshot", name="stacks:show_snapshot",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show snapshot.", description="Show snapshot.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:delete_snapshot", name="stacks:delete_snapshot",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete snapshot.", description="Delete snapshot.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:list_snapshots", name="stacks:list_snapshots",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List snapshots.", description="List snapshots.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:restore_snapshot", name="stacks:restore_snapshot",
check_str=( check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Restore snapshot.", description="Restore snapshot.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore",
},
],
), ),
base.APIRule( base.APIRule(
name="stacks:list_outputs", name="stacks:list_outputs",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List outputs.", description="List outputs.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}],
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"},
],
), ),
base.APIRule( base.APIRule(
name="stacks:show_output", name="stacks:show_output",
check_str=( check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show outputs.", description="Show outputs.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[ operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}"}],
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}",
},
],
), ),
) )

529
skyline_apiserver/policy/manager/ironic.py
View File

File diff suppressed because it is too large Load Diff

106
skyline_apiserver/policy/manager/ironic_inspector.py Normal file
View File

@ -0,0 +1,106 @@
# flake8: noqa
# fmt: off
from . import base
list_rules = (
base.Rule(
name="is_admin",
check_str=("role:admin or role:administrator or role:baremetal_admin"),
description="Full read/write API access",
),
base.Rule(
name="is_observer",
check_str=("role:baremetal_observer"),
description="Read-only API access",
),
base.Rule(
name="public_api",
check_str=("is_public_api:True"),
description="Internal flag for public API routes",
),
base.Rule(
name="default",
check_str=("!"),
description="Default API access policy",
),
base.APIRule(
name="introspection",
check_str=("rule:public_api"),
description="Access the API root for available versions information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/"}],
),
base.APIRule(
name="introspection:version",
check_str=("rule:public_api"),
description="Access the versioned API root for version information",
scope_types=["project"],
operations=[{"method": "GET", "path": "/{version}"}],
),
base.APIRule(
name="introspection:continue",
check_str=("rule:public_api"),
description="Ramdisk callback to continue introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/continue"}],
),
base.APIRule(
name="introspection:status",
check_str=("role:reader and system_scope:all"),
description="Get introspection status",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection"}, {"method": "GET", "path": "/introspection/{node_id}"}],
),
base.APIRule(
name="introspection:start",
check_str=("role:admin and system_scope:all"),
description="Start introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}"}],
),
base.APIRule(
name="introspection:abort",
check_str=("role:admin and system_scope:all"),
description="Abort introspection",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/abort"}],
),
base.APIRule(
name="introspection:data",
check_str=("role:admin and system_scope:all"),
description="Get introspection data",
scope_types=["project"],
operations=[{"method": "GET", "path": "/introspection/{node_id}/data"}],
),
base.APIRule(
name="introspection:reapply",
check_str=("role:admin and system_scope:all"),
description="Reapply introspection on stored data",
scope_types=["project"],
operations=[{"method": "POST", "path": "/introspection/{node_id}/data/unprocessed"}],
),
base.APIRule(
name="introspection:rule:get",
check_str=("role:admin and system_scope:all"),
description="Get introspection rule(s)",
scope_types=["project"],
operations=[{"method": "GET", "path": "/rules"}, {"method": "GET", "path": "/rules/{rule_id}"}],
),
base.APIRule(
name="introspection:rule:delete",
check_str=("role:admin and system_scope:all"),
description="Delete introspection rule(s)",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/rules"}, {"method": "DELETE", "path": "/rules/{rule_id}"}],
),
base.APIRule(
name="introspection:rule:create",
check_str=("role:admin and system_scope:all"),
description="Create introspection rule",
scope_types=["project"],
operations=[{"method": "POST", "path": "/rules"}],
),
)
__all__ = ("list_rules",)

1104
skyline_apiserver/policy/manager/keystone.py
View File

File diff suppressed because it is too large Load Diff

277
skyline_apiserver/policy/manager/magnum.py
View File

@ -1,3 +1,6 @@
# flake8: noqa
# fmt: off
from . import base from . import base
list_rules = ( list_rules = (
@ -32,457 +35,445 @@ list_rules = (
description="No description", description="No description",
), ),
base.APIRule( base.APIRule(
name="magnum:bay:create", name="bay:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Create a new bay.", description="Create a new bay.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/bays"}], operations=[{"method": "POST", "path": "/v1/bays"}],
), ),
base.APIRule( base.APIRule(
name="magnum:bay:delete", name="bay:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Delete a bay.", description="Delete a bay.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}], operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:bay:detail", name="bay:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays with detail.", description="Retrieve a list of bays with detail.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays"}], operations=[{"method": "GET", "path": "/v1/bays"}],
), ),
base.APIRule( base.APIRule(
name="magnum:bay:get", name="bay:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given bay.", description="Retrieve information about the given bay.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}], operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:bay:get_all", name="bay:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of bays.", description="Retrieve a list of bays.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/bays/"}], operations=[{"method": "GET", "path": "/v1/bays/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:bay:update", name="bay:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Update an existing bay.", description="Update an existing bay.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}], operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:create", name="baymodel:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Create a new baymodel.", description="Create a new baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/baymodels"}], operations=[{"method": "POST", "path": "/v1/baymodels"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:delete", name="baymodel:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Delete a baymodel.", description="Delete a baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}], operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:detail", name="baymodel:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel with detail.", description="Retrieve a list of baymodel with detail.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}], operations=[{"method": "GET", "path": "/v1/baymodels"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:get", name="baymodel:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given baymodel.", description="Retrieve information about the given baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}], operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:get_all", name="baymodel:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of baymodel.", description="Retrieve a list of baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/baymodels"}], operations=[{"method": "GET", "path": "/v1/baymodels"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:update", name="baymodel:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Update an existing baymodel.", description="Update an existing baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}], operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:baymodel:publish", name="baymodel:publish",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Publish an existing baymodel.", description="Publish an existing baymodel.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/baymodels"}, {"method": "PATCH", "path": "/v1/baymodels"}],
{"method": "POST", "path": "/v1/baymodels"},
{"method": "PATCH", "path": "/v1/baymodels"},
],
), ),
base.APIRule( base.APIRule(
name="magnum:certificate:create", name="certificate:create",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), check_str=("rule:admin_or_user or rule:cluster_user"),
description="Sign a new certificate by the CA.", description="Sign a new certificate by the CA.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/certificates"}], operations=[{"method": "POST", "path": "/v1/certificates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:certificate:get", name="certificate:get",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), check_str=("rule:admin_or_user or rule:cluster_user"),
description="Retrieve CA information about the given bay/cluster.", description="Retrieve CA information about the given bay/cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}], operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:certificate:rotate_ca", name="certificate:rotate_ca",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Rotate the CA certificate on the given bay/cluster.", description="Rotate the CA certificate on the given bay/cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}], operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:create", name="cluster:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Create a new cluster.", description="Create a new cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters"}], operations=[{"method": "POST", "path": "/v1/clusters"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:delete", name="cluster:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Delete a cluster.", description="Delete a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:delete_all_projects", name="cluster:delete_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Delete a cluster from any project.", description="Delete a cluster from any project.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:detail", name="cluster:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters with detail.", description="Retrieve a list of clusters with detail.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}], operations=[{"method": "GET", "path": "/v1/clusters"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:detail_all_projects", name="cluster:detail_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of clusters with detail across projects.", description="Retrieve a list of clusters with detail across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters"}], operations=[{"method": "GET", "path": "/v1/clusters"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:get", name="cluster:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster.", description="Retrieve information about the given cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:get_one_all_projects", name="cluster:get_one_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve information about the given cluster across projects.", description="Retrieve information about the given cluster across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:get_all", name="cluster:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of clusters.", description="Retrieve a list of clusters.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}], operations=[{"method": "GET", "path": "/v1/clusters/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:get_all_all_projects", name="cluster:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of all clusters across projects.", description="Retrieve a list of all clusters across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/"}], operations=[{"method": "GET", "path": "/v1/clusters/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:update", name="cluster:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Update an existing cluster.", description="Update an existing cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:update_health_status", name="cluster:update_health_status",
check_str=("(is_admin:True or user_id:%(user_id)s) or (user_id:%(trustee_user_id)s)"), check_str=("rule:admin_or_user or rule:cluster_user"),
description="Update the health status of an existing cluster.", description="Update the health status of an existing cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:update_all_projects", name="cluster:update_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Update an existing cluster.", description="Update an existing cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}], operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:resize", name="cluster:resize",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Resize an existing cluster.", description="Resize an existing cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:upgrade", name="cluster:upgrade",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Upgrade an existing cluster.", description="Upgrade an existing cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
), ),
base.APIRule( base.APIRule(
name="magnum:cluster:upgrade_all_projects", name="cluster:upgrade_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Upgrade an existing cluster across all projects.", description="Upgrade an existing cluster across all projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:create", name="clustertemplate:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Create a new cluster template.", description="Create a new cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clustertemplates"}], operations=[{"method": "POST", "path": "/v1/clustertemplates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:delete", name="clustertemplate:delete",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a cluster template.", description="Delete a cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:delete_all_projects", name="clustertemplate:delete_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Delete a cluster template from any project.", description="Delete a cluster template from any project.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:detail_all_projects", name="clustertemplate:detail_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates with detail across projects.", description="Retrieve a list of cluster templates with detail across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}], operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:detail", name="clustertemplate:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates with detail.", description="Retrieve a list of cluster templates with detail.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}], operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:get", name="clustertemplate:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given cluster template.", description="Retrieve information about the given cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:get_one_all_projects", name="clustertemplate:get_one_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve information about the given cluster template across project.", description="Retrieve information about the given cluster template across project.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:get_all", name="clustertemplate:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of cluster templates.", description="Retrieve a list of cluster templates.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}], operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:get_all_all_projects", name="clustertemplate:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of cluster templates across projects.", description="Retrieve a list of cluster templates across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clustertemplates"}], operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:update", name="clustertemplate:update",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update an existing cluster template.", description="Update an existing cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:update_all_projects", name="clustertemplate:update_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Update an existing cluster template.", description="Update an existing cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}], operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:clustertemplate:publish", name="clustertemplate:publish",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Publish an existing cluster template.", description="Publish an existing cluster template.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/clustertemplates"}, {"method": "PATCH", "path": "/v1/clustertemplates"}],
{"method": "POST", "path": "/v1/clustertemplates"},
{"method": "PATCH", "path": "/v1/clustertemplates"},
],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:create", name="federation:create",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Create a new federation.", description="Create a new federation.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/federations"}], operations=[{"method": "POST", "path": "/v1/federations"}],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:delete", name="federation:delete",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Delete a federation.", description="Delete a federation.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}], operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:detail", name="federation:detail",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations with detail.", description="Retrieve a list of federations with detail.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations"}], operations=[{"method": "GET", "path": "/v1/federations"}],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:get", name="federation:get",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve information about the given federation.", description="Retrieve information about the given federation.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}], operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:get_all", name="federation:get_all",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Retrieve a list of federations.", description="Retrieve a list of federations.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/federations/"}], operations=[{"method": "GET", "path": "/v1/federations/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:federation:update", name="federation:update",
check_str=("(not domain_id:%(trustee_domain_id)s)"), check_str=("rule:deny_cluster_user"),
description="Update an existing federation.", description="Update an existing federation.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}], operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:magnum-service:get_all", name="magnum-service:get_all",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of magnum-services.", description="Retrieve a list of magnum-services.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/mservices"}], operations=[{"method": "GET", "path": "/v1/mservices"}],
), ),
base.APIRule( base.APIRule(
name="magnum:quota:create", name="quota:create",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Create quota.", description="Create quota.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/quotas"}], operations=[{"method": "POST", "path": "/v1/quotas"}],
), ),
base.APIRule( base.APIRule(
name="magnum:quota:delete", name="quota:delete",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Delete quota for a given project_id and resource.", description="Delete quota for a given project_id and resource.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}], operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:quota:get", name="quota:get",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Retrieve Quota information for the given project_id.", description="Retrieve Quota information for the given project_id.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}], operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:quota:get_all", name="quota:get_all",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of quotas.", description="Retrieve a list of quotas.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}], operations=[{"method": "GET", "path": "/v1/quotas"}],
), ),
base.APIRule( base.APIRule(
name="magnum:quota:update", name="quota:update",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Update quota for a given project_id.", description="Update quota for a given project_id.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}], operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:stats:get_all", name="stats:get_all",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Retrieve magnum stats.", description="Retrieve magnum stats.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/stats"}], operations=[{"method": "GET", "path": "/v1/stats"}],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:get", name="nodegroup:get",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Retrieve information about the given nodegroup.", description="Retrieve information about the given nodegroup.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:get_all", name="nodegroup:get_all",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Retrieve a list of nodegroups that belong to a cluster.", description="Retrieve a list of nodegroups that belong to a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:get_all_all_projects", name="nodegroup:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve a list of nodegroups across projects.", description="Retrieve a list of nodegroups across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:get_one_all_projects", name="nodegroup:get_one_all_projects",
check_str=("(role:admin)"), check_str=("rule:admin_api"),
description="Retrieve infornation for a given nodegroup.", description="Retrieve infornation for a given nodegroup.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:create", name="nodegroup:create",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a new nodegroup.", description="Create a new nodegroup.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}], operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:delete", name="nodegroup:delete",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a nodegroup.", description="Delete a nodegroup.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
), ),
base.APIRule( base.APIRule(
name="magnum:nodegroup:update", name="nodegroup:update",
check_str=("(is_admin:True or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update an existing nodegroup.", description="Update an existing nodegroup.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"},
],
), ),
) )

1198
skyline_apiserver/policy/manager/manila.py
View File

File diff suppressed because it is too large Load Diff

1810
skyline_apiserver/policy/manager/neutron.py
View File

File diff suppressed because it is too large Load Diff

1232
skyline_apiserver/policy/manager/nova.py
View File

File diff suppressed because it is too large Load Diff

256
skyline_apiserver/policy/manager/octavia.py
View File

@ -1,4 +1,5 @@
# flake8: noqa # flake8: noqa
# fmt: off
from . import base from . import base
@ -55,9 +56,7 @@ list_rules = (
), ),
base.Rule( base.Rule(
name="load-balancer:read", name="load-balancer:read",
check_str=( check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"),
"rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
@ -72,16 +71,12 @@ list_rules = (
), ),
base.Rule( base.Rule(
name="load-balancer:read-quota", name="load-balancer:read-quota",
check_str=( check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"),
"rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
name="load-balancer:read-quota-global", name="load-balancer:read-quota-global",
check_str=( check_str=("rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"),
"rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
),
description="No description", description="No description",
), ),
base.Rule( base.Rule(
@ -92,9 +87,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor:get_all", name="os_load-balancer_api:flavor:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Flavors", description="List Flavors",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}],
@ -102,7 +94,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor:post", name="os_load-balancer_api:flavor:post",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create a Flavor", description="Create a Flavor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavors"}], operations=[{"method": "POST", "path": "/v2.0/lbaas/flavors"}],
@ -110,7 +101,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor:put", name="os_load-balancer_api:flavor:put",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update a Flavor", description="Update a Flavor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -118,9 +108,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor:get_one", name="os_load-balancer_api:flavor:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Flavor details", description="Show Flavor details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -128,7 +115,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor:delete", name="os_load-balancer_api:flavor:delete",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove a Flavor", description="Remove a Flavor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavors/{flavor_id}"}],
@ -136,7 +122,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor-profile:get_all", name="os_load-balancer_api:flavor-profile:get_all",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Flavor Profiles", description="List Flavor Profiles",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles"}],
@ -144,7 +129,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor-profile:post", name="os_load-balancer_api:flavor-profile:post",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create a Flavor Profile", description="Create a Flavor Profile",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/flavorprofiles"}], operations=[{"method": "POST", "path": "/v2.0/lbaas/flavorprofiles"}],
@ -152,7 +136,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor-profile:put", name="os_load-balancer_api:flavor-profile:put",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update a Flavor Profile", description="Update a Flavor Profile",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], operations=[{"method": "PUT", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
@ -160,7 +143,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor-profile:get_one", name="os_load-balancer_api:flavor-profile:get_one",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Flavor Profile details", description="Show Flavor Profile details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
@ -168,19 +150,13 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:flavor-profile:delete", name="os_load-balancer_api:flavor-profile:delete",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove a Flavor Profile", description="Remove a Flavor Profile",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}],
{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone:get_all", name="os_load-balancer_api:availability-zone:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Availability Zones", description="List Availability Zones",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}],
@ -188,7 +164,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone:post", name="os_load-balancer_api:availability-zone:post",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create an Availability Zone", description="Create an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzones"}], operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzones"}],
@ -196,39 +171,27 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone:put", name="os_load-balancer_api:availability-zone:put",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update an Availability Zone", description="Update an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone:get_one", name="os_load-balancer_api:availability-zone:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Availability Zone details", description="Show Availability Zone details",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone:delete", name="os_load-balancer_api:availability-zone:delete",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove an Availability Zone", description="Remove an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}],
{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_all", name="os_load-balancer_api:availability-zone-profile:get_all",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Availability Zones", description="List Availability Zones",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles"}], operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
@ -236,7 +199,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone-profile:post", name="os_load-balancer_api:availability-zone-profile:post",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Create an Availability Zone", description="Create an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzoneprofiles"}], operations=[{"method": "POST", "path": "/v2.0/lbaas/availabilityzoneprofiles"}],
@ -244,48 +206,27 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone-profile:put", name="os_load-balancer_api:availability-zone-profile:put",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update an Availability Zone", description="Update an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
{
"method": "PUT",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone-profile:get_one", name="os_load-balancer_api:availability-zone-profile:get_one",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Availability Zone details", description="Show Availability Zone details",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
{
"method": "GET",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:availability-zone-profile:delete", name="os_load-balancer_api:availability-zone-profile:delete",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Remove an Availability Zone", description="Remove an Availability Zone",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}],
{
"method": "DELETE",
"path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all", name="os_load-balancer_api:healthmonitor:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Health Monitors of a Pool", description="List Health Monitors of a Pool",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
@ -293,7 +234,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:get_all-global", name="os_load-balancer_api:healthmonitor:get_all-global",
check_str=("rule:load-balancer:read-global"), check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Health Monitors including resources owned by others", description="List Health Monitors including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}],
@ -301,9 +241,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:post", name="os_load-balancer_api:healthmonitor:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Health Monitor", description="Create a Health Monitor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}], operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}],
@ -311,9 +248,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:get_one", name="os_load-balancer_api:healthmonitor:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Health Monitor details", description="Show Health Monitor details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -321,9 +255,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:put", name="os_load-balancer_api:healthmonitor:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Health Monitor", description="Update a Health Monitor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -331,9 +262,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:healthmonitor:delete", name="os_load-balancer_api:healthmonitor:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Health Monitor", description="Remove a Health Monitor",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}],
@ -341,9 +269,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:get_all", name="os_load-balancer_api:l7policy:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List L7 Policys", description="List L7 Policys",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
@ -351,7 +276,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:get_all-global", name="os_load-balancer_api:l7policy:get_all-global",
check_str=("rule:load-balancer:read-global"), check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List L7 Policys including resources owned by others", description="List L7 Policys including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}],
@ -359,9 +283,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:post", name="os_load-balancer_api:l7policy:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a L7 Policy", description="Create a L7 Policy",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}],
@ -369,9 +290,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:get_one", name="os_load-balancer_api:l7policy:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show L7 Policy details", description="Show L7 Policy details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -379,9 +297,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:put", name="os_load-balancer_api:l7policy:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a L7 Policy", description="Update a L7 Policy",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -389,9 +304,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7policy:delete", name="os_load-balancer_api:l7policy:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a L7 Policy", description="Remove a L7 Policy",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}],
@ -399,9 +311,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7rule:get_all", name="os_load-balancer_api:l7rule:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List L7 Rules", description="List L7 Rules",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
@ -409,9 +318,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7rule:post", name="os_load-balancer_api:l7rule:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a L7 Rule", description="Create a L7 Rule",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}],
@ -419,45 +325,27 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7rule:get_one", name="os_load-balancer_api:l7rule:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show L7 Rule details", description="Show L7 Rule details",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7rule:put", name="os_load-balancer_api:l7rule:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a L7 Rule", description="Update a L7 Rule",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:l7rule:delete", name="os_load-balancer_api:l7rule:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a L7 Rule", description="Remove a L7 Rule",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}],
{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:get_all", name="os_load-balancer_api:listener:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Listeners", description="List Listeners",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}], operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
@ -465,7 +353,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:get_all-global", name="os_load-balancer_api:listener:get_all-global",
check_str=("rule:load-balancer:read-global"), check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Listeners including resources owned by others", description="List Listeners including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}], operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}],
@ -473,9 +360,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:post", name="os_load-balancer_api:listener:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Listener", description="Create a Listener",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}], operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}],
@ -483,9 +367,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:get_one", name="os_load-balancer_api:listener:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Listener details", description="Show Listener details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -493,9 +374,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:put", name="os_load-balancer_api:listener:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Listener", description="Update a Listener",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -503,9 +381,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:delete", name="os_load-balancer_api:listener:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Listener", description="Remove a Listener",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}],
@ -513,9 +388,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:listener:get_stats", name="os_load-balancer_api:listener:get_stats",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Listener statistics", description="Show Listener statistics",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}],
@ -523,9 +395,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all", name="os_load-balancer_api:loadbalancer:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Load Balancers", description="List Load Balancers",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
@ -533,7 +402,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:get_all-global", name="os_load-balancer_api:loadbalancer:get_all-global",
check_str=("rule:load-balancer:read-global"), check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Load Balancers including resources owned by others", description="List Load Balancers including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}],
@ -541,9 +409,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:post", name="os_load-balancer_api:loadbalancer:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Load Balancer", description="Create a Load Balancer",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}], operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}],
@ -551,9 +416,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:get_one", name="os_load-balancer_api:loadbalancer:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer details", description="Show Load Balancer details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -561,9 +423,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:put", name="os_load-balancer_api:loadbalancer:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Load Balancer", description="Update a Load Balancer",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -571,9 +430,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:delete", name="os_load-balancer_api:loadbalancer:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Load Balancer", description="Remove a Load Balancer",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}],
@ -581,9 +437,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:get_stats", name="os_load-balancer_api:loadbalancer:get_stats",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer statistics", description="Show Load Balancer statistics",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}],
@ -591,31 +444,20 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:get_status", name="os_load-balancer_api:loadbalancer:get_status",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Load Balancer status", description="Show Load Balancer status",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}],
{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:loadbalancer:put_failover", name="os_load-balancer_api:loadbalancer:put_failover",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Failover a Load Balancer", description="Failover a Load Balancer",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}],
{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:member:get_all", name="os_load-balancer_api:member:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Members of a Pool", description="List Members of a Pool",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}],
@ -623,9 +465,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:member:post", name="os_load-balancer_api:member:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Member", description="Create a Member",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}], operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}],
@ -633,9 +472,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:member:get_one", name="os_load-balancer_api:member:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Member details", description="Show Member details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
@ -643,9 +479,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:member:put", name="os_load-balancer_api:member:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Member", description="Update a Member",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
@ -653,21 +486,13 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:member:delete", name="os_load-balancer_api:member:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Member", description="Remove a Member",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}],
{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:get_all", name="os_load-balancer_api:pool:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Pools", description="List Pools",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}], operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
@ -675,7 +500,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:get_all-global", name="os_load-balancer_api:pool:get_all-global",
check_str=("rule:load-balancer:read-global"), check_str=("rule:load-balancer:read-global"),
basic_check_str=("role:admin or role:reader"),
description="List Pools including resources owned by others", description="List Pools including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools"}], operations=[{"method": "GET", "path": "/v2/lbaas/pools"}],
@ -683,9 +507,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:post", name="os_load-balancer_api:pool:post",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create a Pool", description="Create a Pool",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/lbaas/pools"}], operations=[{"method": "POST", "path": "/v2/lbaas/pools"}],
@ -693,9 +514,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:get_one", name="os_load-balancer_api:pool:get_one",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Pool details", description="Show Pool details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -703,9 +521,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:put", name="os_load-balancer_api:pool:put",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update a Pool", description="Update a Pool",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -713,9 +528,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:pool:delete", name="os_load-balancer_api:pool:delete",
check_str=("rule:load-balancer:write"), check_str=("rule:load-balancer:write"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Remove a Pool", description="Remove a Pool",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}],
@ -723,9 +535,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:provider:get_all", name="os_load-balancer_api:provider:get_all",
check_str=("rule:load-balancer:read"), check_str=("rule:load-balancer:read"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List enabled providers", description="List enabled providers",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/providers"}], operations=[{"method": "GET", "path": "/v2/lbaas/providers"}],
@ -733,9 +542,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:get_all", name="os_load-balancer_api:quota:get_all",
check_str=("rule:load-balancer:read-quota"), check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List Quotas", description="List Quotas",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}], operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
@ -743,7 +549,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:get_all-global", name="os_load-balancer_api:quota:get_all-global",
check_str=("rule:load-balancer:read-quota-global"), check_str=("rule:load-balancer:read-quota-global"),
basic_check_str=("role:admin or role:reader"),
description="List Quotas including resources owned by others", description="List Quotas including resources owned by others",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}], operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}],
@ -751,9 +556,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:get_one", name="os_load-balancer_api:quota:get_one",
check_str=("rule:load-balancer:read-quota"), check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Quota details", description="Show Quota details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -761,7 +563,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:put", name="os_load-balancer_api:quota:put",
check_str=("rule:load-balancer:write-quota"), check_str=("rule:load-balancer:write-quota"),
basic_check_str=("role:admin"),
description="Update a Quota", description="Update a Quota",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/lbaas/quotas/{project_id}"}], operations=[{"method": "PUT", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -769,7 +570,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:delete", name="os_load-balancer_api:quota:delete",
check_str=("rule:load-balancer:write-quota"), check_str=("rule:load-balancer:write-quota"),
basic_check_str=("role:admin"),
description="Reset a Quota", description="Reset a Quota",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/lbaas/quotas/{project_id}"}], operations=[{"method": "DELETE", "path": "/v2/lbaas/quotas/{project_id}"}],
@ -777,9 +577,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:quota:get_defaults", name="os_load-balancer_api:quota:get_defaults",
check_str=("rule:load-balancer:read-quota"), check_str=("rule:load-balancer:read-quota"),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show Default Quota for a Project", description="Show Default Quota for a Project",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}],
@ -787,7 +584,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:get_all", name="os_load-balancer_api:amphora:get_all",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List Amphorae", description="List Amphorae",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae"}], operations=[{"method": "GET", "path": "/v2/octavia/amphorae"}],
@ -795,7 +591,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:get_one", name="os_load-balancer_api:amphora:get_one",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Amphora details", description="Show Amphora details",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}"}], operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}"}],
@ -803,7 +598,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:delete", name="os_load-balancer_api:amphora:delete",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Delete an Amphora", description="Delete an Amphora",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/octavia/amphorae/{amphora_id}"}], operations=[{"method": "DELETE", "path": "/v2/octavia/amphorae/{amphora_id}"}],
@ -811,7 +605,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:put_config", name="os_load-balancer_api:amphora:put_config",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Update Amphora Agent Configuration", description="Update Amphora Agent Configuration",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/config"}], operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/config"}],
@ -819,7 +612,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:put_failover", name="os_load-balancer_api:amphora:put_failover",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin"),
description="Failover Amphora", description="Failover Amphora",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/failover"}], operations=[{"method": "PUT", "path": "/v2/octavia/amphorae/{amphora_id}/failover"}],
@ -827,7 +619,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:amphora:get_stats", name="os_load-balancer_api:amphora:get_stats",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="Show Amphora statistics", description="Show Amphora statistics",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}/stats"}], operations=[{"method": "GET", "path": "/v2/octavia/amphorae/{amphora_id}/stats"}],
@ -835,25 +626,16 @@ list_rules = (
base.APIRule( base.APIRule(
name="os_load-balancer_api:provider-flavor:get_all", name="os_load-balancer_api:provider-flavor:get_all",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List the provider flavor capabilities.", description="List the provider flavor capabilities.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}],
{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"},
],
), ),
base.APIRule( base.APIRule(
name="os_load-balancer_api:provider-availability-zone:get_all", name="os_load-balancer_api:provider-availability-zone:get_all",
check_str=("rule:load-balancer:admin"), check_str=("rule:load-balancer:admin"),
basic_check_str=("role:admin or role:reader"),
description="List the provider availability zone capabilities.", description="List the provider availability zone capabilities.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities"}],
{
"method": "GET",
"path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities",
},
],
), ),
) )

9
skyline_apiserver/policy/manager/panko.py
View File

@ -1,4 +1,5 @@
# flake8: noqa # flake8: noqa
# fmt: off
from . import base from . import base
@ -11,18 +12,13 @@ list_rules = (
base.APIRule( base.APIRule(
name="segregation", name="segregation",
check_str=("role:admin and system_scope:all"), check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Return the user and project the requestshould be limited to", description="Return the user and project the requestshould be limited to",
scope_types=["system"], scope_types=["system"],
operations=[ operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}],
{"method": "GET", "path": "/v2/events"},
{"method": "GET", "path": "/v2/events/{message_id}"},
],
), ),
base.APIRule( base.APIRule(
name="telemetry:events:index", name="telemetry:events:index",
check_str=(""), check_str=(""),
basic_check_str=("@"),
description="Return all events matching the query filters.", description="Return all events matching the query filters.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events"}], operations=[{"method": "GET", "path": "/v2/events"}],
@ -30,7 +26,6 @@ list_rules = (
base.APIRule( base.APIRule(
name="telemetry:events:show", name="telemetry:events:show",
check_str=(""), check_str=(""),
basic_check_str=("@"),
description="Return a single event with the given message id.", description="Return a single event with the given message id.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v2/events/{message_id}"}], operations=[{"method": "GET", "path": "/v2/events/{message_id}"}],

139
skyline_apiserver/policy/manager/placement.py
View File

@ -1,4 +1,5 @@
# flake8: noqa # flake8: noqa
# fmt: off
from . import base from . import base
@ -8,279 +9,253 @@ list_rules = (
check_str=("role:admin"), check_str=("role:admin"),
description="Default rule for most placement APIs.", description="Default rule for most placement APIs.",
), ),
base.Rule(
name="system_admin_api",
check_str=("role:admin and system_scope:all"),
description="Default rule for System Admin APIs.",
),
base.Rule(
name="system_reader_api",
check_str=("role:reader and system_scope:all"),
description="Default rule for System level read only APIs.",
),
base.Rule(
name="project_reader_api",
check_str=("role:reader and project_id:%(project_id)s"),
description="Default rule for Project level read only APIs.",
),
base.Rule(
name="system_or_project_reader",
check_str=("rule:system_reader_api or rule:project_reader_api"),
description="Default rule for System+Project read only APIs.",
),
base.APIRule( base.APIRule(
name="placement:resource_providers:list", name="placement:resource_providers:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource providers.", description="List resource providers.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers"}], operations=[{"method": "GET", "path": "/resource_providers"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:create", name="placement:resource_providers:create",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Create resource provider.", description="Create resource provider.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers"}], operations=[{"method": "POST", "path": "/resource_providers"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:show", name="placement:resource_providers:show",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="Show resource provider.", description="Show resource provider.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:update", name="placement:resource_providers:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update resource provider.", description="Update resource provider.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}"}], operations=[{"method": "PUT", "path": "/resource_providers/{uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:delete", name="placement:resource_providers:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete resource provider.", description="Delete resource provider.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}"}], operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_classes:list", name="placement:resource_classes:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource classes.", description="List resource classes.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes"}], operations=[{"method": "GET", "path": "/resource_classes"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_classes:create", name="placement:resource_classes:create",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Create resource class.", description="Create resource class.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_classes"}], operations=[{"method": "POST", "path": "/resource_classes"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_classes:show", name="placement:resource_classes:show",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="Show resource class.", description="Show resource class.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_classes/{name}"}], operations=[{"method": "GET", "path": "/resource_classes/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_classes:update", name="placement:resource_classes:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update resource class.", description="Update resource class.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_classes/{name}"}], operations=[{"method": "PUT", "path": "/resource_classes/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_classes:delete", name="placement:resource_classes:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete resource class.", description="Delete resource class.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_classes/{name}"}], operations=[{"method": "DELETE", "path": "/resource_classes/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:inventories:list", name="placement:resource_providers:inventories:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource provider inventories.", description="List resource provider inventories.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:inventories:create", name="placement:resource_providers:inventories:create",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Create one resource provider inventory.", description="Create one resource provider inventory.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "POST", "path": "/resource_providers/{uuid}/inventories"}], operations=[{"method": "POST", "path": "/resource_providers/{uuid}/inventories"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:inventories:show", name="placement:resource_providers:inventories:show",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="Show resource provider inventory.", description="Show resource provider inventory.",
scope_types=["system"], scope_types=["system"],
operations=[ operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"},
],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:inventories:update", name="placement:resource_providers:inventories:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update resource provider inventory.", description="Update resource provider inventory.",
scope_types=["system"], scope_types=["system"],
operations=[ operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"},
{"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"},
],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:inventories:delete", name="placement:resource_providers:inventories:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete resource provider inventory.", description="Delete resource provider inventory.",
scope_types=["system"], scope_types=["system"],
operations=[ operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}],
{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"},
{
"method": "DELETE",
"path": "/resource_providers/{uuid}/inventories/{resource_class}",
},
],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:aggregates:list", name="placement:resource_providers:aggregates:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource provider aggregates.", description="List resource provider aggregates.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/aggregates"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/aggregates"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:aggregates:update", name="placement:resource_providers:aggregates:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update resource provider aggregates.", description="Update resource provider aggregates.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/aggregates"}], operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/aggregates"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:usages", name="placement:resource_providers:usages",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource provider usages.", description="List resource provider usages.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/usages"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/usages"}],
), ),
base.APIRule( base.APIRule(
name="placement:usages", name="placement:usages",
check_str=( check_str=("rule:system_or_project_reader"),
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("role:admin or role:reader"),
description="List total resource usages for a given project.", description="List total resource usages for a given project.",
scope_types=["system", "project"], scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/usages"}], operations=[{"method": "GET", "path": "/usages"}],
), ),
base.APIRule( base.APIRule(
name="placement:traits:list", name="placement:traits:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List traits.", description="List traits.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/traits"}], operations=[{"method": "GET", "path": "/traits"}],
), ),
base.APIRule( base.APIRule(
name="placement:traits:show", name="placement:traits:show",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="Show trait.", description="Show trait.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/traits/{name}"}], operations=[{"method": "GET", "path": "/traits/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:traits:update", name="placement:traits:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update trait.", description="Update trait.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/traits/{name}"}], operations=[{"method": "PUT", "path": "/traits/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:traits:delete", name="placement:traits:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete trait.", description="Delete trait.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "DELETE", "path": "/traits/{name}"}], operations=[{"method": "DELETE", "path": "/traits/{name}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:traits:list", name="placement:resource_providers:traits:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource provider traits.", description="List resource provider traits.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/traits"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/traits"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:traits:update", name="placement:resource_providers:traits:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update resource provider traits.", description="Update resource provider traits.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/traits"}], operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/traits"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:traits:delete", name="placement:resource_providers:traits:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete resource provider traits.", description="Delete resource provider traits.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/traits"}], operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/traits"}],
), ),
base.APIRule( base.APIRule(
name="placement:allocations:manage", name="placement:allocations:manage",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Manage allocations.", description="Manage allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "POST", "path": "/allocations"}], operations=[{"method": "POST", "path": "/allocations"}],
), ),
base.APIRule( base.APIRule(
name="placement:allocations:list", name="placement:allocations:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List allocations.", description="List allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/allocations/{consumer_uuid}"}], operations=[{"method": "GET", "path": "/allocations/{consumer_uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:allocations:update", name="placement:allocations:update",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Update allocations.", description="Update allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "PUT", "path": "/allocations/{consumer_uuid}"}], operations=[{"method": "PUT", "path": "/allocations/{consumer_uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:allocations:delete", name="placement:allocations:delete",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Delete allocations.", description="Delete allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "DELETE", "path": "/allocations/{consumer_uuid}"}], operations=[{"method": "DELETE", "path": "/allocations/{consumer_uuid}"}],
), ),
base.APIRule( base.APIRule(
name="placement:resource_providers:allocations:list", name="placement:resource_providers:allocations:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List resource provider allocations.", description="List resource provider allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/resource_providers/{uuid}/allocations"}], operations=[{"method": "GET", "path": "/resource_providers/{uuid}/allocations"}],
), ),
base.APIRule( base.APIRule(
name="placement:allocation_candidates:list", name="placement:allocation_candidates:list",
check_str=("role:reader and system_scope:all"), check_str=("rule:system_reader_api"),
basic_check_str=("role:admin or role:reader"),
description="List allocation candidates.", description="List allocation candidates.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "GET", "path": "/allocation_candidates"}], operations=[{"method": "GET", "path": "/allocation_candidates"}],
), ),
base.APIRule( base.APIRule(
name="placement:reshaper:reshape", name="placement:reshaper:reshape",
check_str=("role:admin and system_scope:all"), check_str=("rule:system_admin_api"),
basic_check_str=("role:admin"),
description="Reshape Inventory and Allocations.", description="Reshape Inventory and Allocations.",
scope_types=["system"], scope_types=["system"],
operations=[{"method": "POST", "path": "/reshaper"}], operations=[{"method": "POST", "path": "/reshaper"}],

554
skyline_apiserver/policy/manager/trove.py
View File

@ -1,3 +1,6 @@
# flake8: noqa
# fmt: off
from . import base from . import base
list_rules = ( list_rules = (
@ -17,736 +20,589 @@ list_rules = (
description="Must be an administrator or owner of the object.", description="Must be an administrator or owner of the object.",
), ),
base.APIRule( base.APIRule(
name="trove:instance:create", name="instance:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a database instance.", description="Create a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:delete", name="instance:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a database instance.", description="Delete a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:force_delete", name="instance:force_delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Forcibly delete a database instance.", description="Forcibly delete a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:index", name="instance:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List database instances.", description="List database instances.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:detail", name="instance:detail",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List database instances with details.", description="List database instances with details.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/detail"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/detail"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:show", name="instance:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get details of a specific database instance.", description="Get details of a specific database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:update", name="instance:update",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update a database instance to attach/detach configuration", description="Update a database instance to attach/detach configuration",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}"},
{"method": "POST", "path": "/v1.0/{account_id}/instances"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:edit", name="instance:edit",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Updates the instance to set or unset one or more attributes.", description="Updates the instance to set or unset one or more attributes.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/instances/{instance_id}"}], operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/instances/{instance_id}"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:restart", name="instance:restart",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Restart a database instance.", description="Restart a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (restart)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (restart)",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:resize_volume", name="instance:resize_volume",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Resize a database instance volume.", description="Resize a database instance volume.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:resize_flavor", name="instance:resize_flavor",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Resize a database instance flavor.", description="Resize a database instance flavor.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (resize)",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:reset_status", name="instance:reset_status",
check_str=("(role:admin or is_admin:True)"), check_str=("rule:admin"),
description="Reset the status of a database instance to ERROR.", description="Reset the status of a database instance to ERROR.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (reset_status)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (reset_status)",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:promote_to_replica_source", name="instance:promote_to_replica_source",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Promote instance to replica source.", description="Promote instance to replica source.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)", # noqa
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:eject_replica_source", name="instance:eject_replica_source",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Eject the replica source from its replica set.", description="Eject the replica source from its replica set.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)"}],
{
"method": "POST",
"path": "/v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:configuration", name="instance:configuration",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get the default configuration template applied to the instance.", description="Get the default configuration template applied to the instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/configuration"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/configuration"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:guest_log_list", name="instance:guest_log_list",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get all informations about all logs of a database instance.", description="Get all informations about all logs of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/log"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/log"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:backups", name="instance:backups",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get all backups of a database instance.", description="Get all backups of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/backups"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/backups"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:module_list", name="instance:module_list",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations about modules on a database instance.", description="Get informations about modules on a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:module_apply", name="instance:module_apply",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Apply modules to a database instance.", description="Apply modules to a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/modules"},
{"method": "POST", "path": "/v1.0/{account_id}/instances"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:module_remove", name="instance:module_remove",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Remove a module from a database instance.", description="Remove a module from a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}"}],
{
"method": "DELETE",
"path": "/v1.0/{account_id}/instances/{instance_id}/modules/{module_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:root:create", name="instance:extension:root:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Enable the root user of a database instance.", description="Enable the root user of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/root"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:root:delete", name="instance:extension:root:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Disable the root user of a database instance.", description="Disable the root user of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/root"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:root:index", name="instance:extension:root:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Show whether the root user of a database instance has been ever enabled.", description="Show whether the root user of a database instance has been ever enabled.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/root"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:extension:root:create", name="cluster:extension:root:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Enable the root user of the instances in a cluster.", description="Enable the root user of the instances in a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:extension:root:delete", name="cluster:extension:root:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Enable the root user of the instances in a cluster.", description="Enable the root user of the instances in a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:extension:root:index", name="cluster:extension:root:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Disable the root of the instances in a cluster.", description="Disable the root of the instances in a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/root"}],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:create", name="instance:extension:user:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create users for a database instance.", description="Create users for a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
{"method": "POST", "path": "/v1.0/{account_id}/instances"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:delete", name="instance:extension:user:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a user from a database instance.", description="Delete a user from a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
{
"method": "DELETE",
"path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:index", name="instance:extension:user:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get all users of a database instance.", description="Get all users of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:show", name="instance:extension:user:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get the information of a single user of a database instance.", description="Get the information of a single user of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:update", name="instance:extension:user:update",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update attributes for a user of a database instance.", description="Update attributes for a user of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"}],
{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user:update_all", name="instance:extension:user:update_all",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update the password for one or more users a database instance.", description="Update the password for one or more users a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users"}],
{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user_access:update", name="instance:extension:user_access:update",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Grant access for a user to one or more databases.", description="Grant access for a user to one or more databases.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "PUT", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}],
{
"method": "PUT",
"path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user_access:delete", name="instance:extension:user_access:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Revoke access for a user to a databases.", description="Revoke access for a user to a databases.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}"}],
{
"method": "DELETE",
"path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}", # noqa
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:user_access:index", name="instance:extension:user_access:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get permissions of a user", description="Get permissions of a user",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/instances/{instance_id}/users/{user}/databases",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:database:create", name="instance:extension:database:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a set of Schemas", description="Create a set of Schemas",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}, {"method": "POST", "path": "/v1.0/{account_id}/instances"}],
{"method": "POST", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"},
{"method": "POST", "path": "/v1.0/{account_id}/instances"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:database:delete", name="instance:extension:database:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a schema from a database.", description="Delete a schema from a database.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}],
{
"method": "DELETE",
"path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:database:index", name="instance:extension:database:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all schemas from a database.", description="List all schemas from a database.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"}],
{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases"},
],
), ),
base.APIRule( base.APIRule(
name="trove:instance:extension:database:show", name="instance:extension:database:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a schema(Currently Not Implemented).", description="Get informations of a schema(Currently Not Implemented).",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/instances/{instance_id}/databases/{database}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:create", name="cluster:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a cluster.", description="Create a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:delete", name="cluster:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a cluster.", description="Delete a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:force_delete", name="cluster:force_delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Forcibly delete a cluster.", description="Forcibly delete a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}],
{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"},
],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:index", name="cluster:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all clusters", description="List all clusters",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:show", name="cluster:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a cluster.", description="Get informations of a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:show_instance", name="cluster:show_instance",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a instance in a cluster.", description="Get informations of a instance in a cluster.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/clusters/{cluster}/instances/{instance}"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/clusters/{cluster}/instances/{instance}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:action", name="cluster:action",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Commit an action against a cluster", description="Commit an action against a cluster",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster}"}],
), ),
base.APIRule( base.APIRule(
name="trove:cluster:reset-status", name="cluster:reset-status",
check_str=("(role:admin or is_admin:True)"), check_str=("rule:admin"),
description="Reset the status of a cluster to NONE.", description="Reset the status of a cluster to NONE.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"}],
{"method": "POST", "path": "/v1.0/{account_id}/clusters/{cluster} (reset-status)"},
],
), ),
base.APIRule( base.APIRule(
name="trove:backup:create", name="backup:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a backup of a database instance.", description="Create a backup of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/backups"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/backups"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup:delete", name="backup:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a backup of a database instance.", description="Delete a backup of a database instance.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backups/{backup}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backups/{backup}"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup:index", name="backup:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all backups.", description="List all backups.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup:index:all_projects", name="backup:index:all_projects",
check_str=("role:admin"), check_str=("role:admin"),
description="List backups for all the projects.", description="List backups for all the projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup:show", name="backup:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a backup.", description="Get informations of a backup.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups/{backup}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/backups/{backup}"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup_strategy:create", name="backup_strategy:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a backup strategy.", description="Create a backup strategy.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/backup_strategies"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/backup_strategies"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup_strategy:index", name="backup_strategy:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all backup strategies.", description="List all backup strategies.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/backup_strategies"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/backup_strategies"}],
), ),
base.APIRule( base.APIRule(
name="trove:backup_strategy:delete", name="backup_strategy:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete backup strategies.", description="Delete backup strategies.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backup_strategies"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/backup_strategies"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:create", name="configuration:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a configuration group.", description="Create a configuration group.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/configurations"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/configurations"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:delete", name="configuration:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a configuration group.", description="Delete a configuration group.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/configurations/{config}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/configurations/{config}"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:index", name="configuration:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all configuration groups.", description="List all configuration groups.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:show", name="configuration:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a configuration group.", description="Get informations of a configuration group.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:instances", name="configuration:instances",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all instances which a configuration group has be assigned to.", description="List all instances which a configuration group has be assigned to.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}/instances"}],
{"method": "GET", "path": "/v1.0/{account_id}/configurations/{config}/instances"},
],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:update", name="configuration:update",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update a configuration group(the configuration group will be replaced completely).", # noqa description="Update a configuration group(the configuration group will be replaced completely).",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/configurations/{config}"}], operations=[{"method": "PUT", "path": "/v1.0/{account_id}/configurations/{config}"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration:edit", name="configuration:edit",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Patch a configuration group.", description="Patch a configuration group.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/configurations/{config}"}], operations=[{"method": "PATCH", "path": "/v1.0/{account_id}/configurations/{config}"}],
), ),
base.APIRule( base.APIRule(
name="trove:configuration-parameter:index", name="configuration-parameter:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all parameters bind to a datastore version.", description="List all parameters bind to a datastore version.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:configuration-parameter:show", name="configuration-parameter:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get a paramter of a datastore version.", description="Get a paramter of a datastore version.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}", # noqa
},
],
), ),
base.APIRule( base.APIRule(
name="trove:configuration-parameter:index_by_version", name="configuration-parameter:index_by_version",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all paramters bind to a datastore version by the id of the version(datastore is not provided).", # noqa description="List all paramters bind to a datastore version by the id of the version(datastore is not provided).",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/versions/{version}/paramters",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:configuration-parameter:show_by_version", name="configuration-parameter:show_by_version",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get a paramter of a datastore version by it names and the id of the version(datastore is not provided).", # noqa description="Get a paramter of a datastore version by it names and the id of the version(datastore is not provided).",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/versions/{version}/paramters/{param}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:index", name="datastore:index",
check_str=(""), check_str=(""),
description="List all datastores.", description="List all datastores.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores"}],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:show", name="datastore:show",
check_str=(""), check_str=(""),
description="Get informations of a datastore.", description="Get informations of a datastore.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:delete", name="datastore:delete",
check_str=("(role:admin or is_admin:True)"), check_str=("rule:admin"),
description="Delete a datastore.", description="Delete a datastore.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/datastores/{datastore}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/datastores/{datastore}"}],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:version_show", name="datastore:version_show",
check_str=(""), check_str=(""),
description="Get a version of a datastore by the version id.", description="Get a version of a datastore by the version id.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:version_show_by_uuid", name="datastore:version_show_by_uuid",
check_str=(""), check_str=(""),
description="Get a version of a datastore by the version id(without providing the datastore id).", # noqa description="Get a version of a datastore by the version id(without providing the datastore id).",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}"}],
{"method": "GET", "path": "/v1.0/{account_id}/datastores/versions/{version}"},
],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:version_index", name="datastore:version_index",
check_str=(""), check_str=(""),
description="Get all versions of a datastore.", description="Get all versions of a datastore.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions"}],
{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions"},
],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:list_associated_flavors", name="datastore:list_associated_flavors",
check_str=(""), check_str=(""),
description="List all flavors associated with a datastore version.", description="List all flavors associated with a datastore version.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors",
},
],
), ),
base.APIRule( base.APIRule(
name="trove:datastore:list_associated_volume_types", name="datastore:list_associated_volume_types",
check_str=(""), check_str=(""),
description="List all volume-types associated with a datastore version.", description="List all volume-types associated with a datastore version.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types"}],
{
"method": "GET",
"path": "/v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types", # noqa
},
],
), ),
base.APIRule( base.APIRule(
name="trove:flavor:index", name="flavor:index",
check_str=(""), check_str=(""),
description="List all flavors.", description="List all flavors.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors"}],
), ),
base.APIRule( base.APIRule(
name="trove:flavor:show", name="flavor:show",
check_str=(""), check_str=(""),
description="Get information of a flavor.", description="Get information of a flavor.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors/{flavor}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/flavors/{flavor}"}],
), ),
base.APIRule( base.APIRule(
name="trove:limits:index", name="limits:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all absolute and rate limit informations.", description="List all absolute and rate limit informations.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/limits"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/limits"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:create", name="module:create",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Create a module.", description="Create a module.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1.0/{account_id}/modules"}], operations=[{"method": "POST", "path": "/v1.0/{account_id}/modules"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:delete", name="module:delete",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Delete a module.", description="Delete a module.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/modules/{module}"}], operations=[{"method": "DELETE", "path": "/v1.0/{account_id}/modules/{module}"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:index", name="module:index",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all modules.", description="List all modules.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:show", name="module:show",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Get informations of a module.", description="Get informations of a module.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:instances", name="module:instances",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="List all instances to which a module is applied.", description="List all instances to which a module is applied.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}/instances"}], operations=[{"method": "GET", "path": "/v1.0/{account_id}/modules/{module}/instances"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:update", name="module:update",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Update a module.", description="Update a module.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}"}], operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}"}],
), ),
base.APIRule( base.APIRule(
name="trove:module:reapply", name="module:reapply",
check_str=("((role:admin or is_admin:True) or project_id:%(project_id)s)"), check_str=("rule:admin_or_owner"),
description="Reapply a module to all instances.", description="Reapply a module to all instances.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}/instances"}], operations=[{"method": "PUT", "path": "/v1.0/{account_id}/modules/{module}/instances"}],

300
skyline_apiserver/policy/manager/zun.py
View File

@ -1,3 +1,6 @@
# flake8: noqa
# fmt: off
from . import base from . import base
list_rules = ( list_rules = (
@ -22,593 +25,546 @@ list_rules = (
description="Default rule for deny everybody.", description="Default rule for deny everybody.",
), ),
base.APIRule( base.APIRule(
name="zun:container:create", name="container:create",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new container.", description="Create a new container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:create:runtime", name="container:create:runtime",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Create a new container with specified runtime.", description="Create a new container with specified runtime.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:create:privileged", name="container:create:privileged",
check_str=("(!)"), check_str=("rule:deny_everybody"),
description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature", # noqa description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:create:requested_destination", name="container:create:requested_destination",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Create a container on the requested compute host.", description="Create a container on the requested compute host.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:create:image_pull_policy", name="container:create:image_pull_policy",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Create a new container with specified image pull policy.", description="Create a new container with specified image pull policy.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:delete", name="container:delete",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a container.", description="Delete a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:delete_all_projects", name="container:delete_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Delete a container from all projects.", description="Delete a container from all projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:delete_force", name="container:delete_force",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Forcibly delete a container.", description="Forcibly delete a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one", name="container:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific container.", description="Retrieve the details of a specific container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one:host", name="container:get_one:host",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the host field of containers.", description="Retrieve the host field of containers.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one:image_pull_policy", name="container:get_one:image_pull_policy",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the image_pull_policy field of containers.", description="Retrieve the image_pull_policy field of containers.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one:privileged", name="container:get_one:privileged",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the privileged field of containers.", description="Retrieve the privileged field of containers.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one:runtime", name="container:get_one:runtime",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the runtime field of containers.", description="Retrieve the runtime field of containers.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
{"method": "GET", "path": "/v1/containers/{container_ident}"},
{"method": "GET", "path": "/v1/containers"},
{"method": "POST", "path": "/v1/containers"},
{"method": "PATCH", "path": "/v1/containers/{container_ident}"},
],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_one_all_projects", name="container:get_one_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific container from all projects.", description="Retrieve the details of a specific container from all projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_all", name="container:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all containers.", description="Retrieve the details of all containers.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}], operations=[{"method": "GET", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_all_all_projects", name="container:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the details of all containers across projects.", description="Retrieve the details of all containers across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}], operations=[{"method": "GET", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:update", name="container:update",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a container.", description="Update a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}], operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:start", name="container:start",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Start a container.", description="Start a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:stop", name="container:stop",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Stop a container.", description="Stop a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:reboot", name="container:reboot",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Reboot a container.", description="Reboot a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:pause", name="container:pause",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Pause a container.", description="Pause a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:unpause", name="container:unpause",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Unpause a container.", description="Unpause a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:logs", name="container:logs",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get the log of a container", description="Get the log of a container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:execute", name="container:execute",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Execute command in a running container", description="Execute command in a running container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:execute_resize", name="container:execute_resize",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize the TTY used by an execute command.", description="Resize the TTY used by an execute command.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}
],
), ),
base.APIRule( base.APIRule(
name="zun:container:kill", name="container:kill",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Kill a running container", description="Kill a running container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:rename", name="container:rename",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rename a container.", description="Rename a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:attach", name="container:attach",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach to a running container", description="Attach to a running container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:resize", name="container:resize",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize a container.", description="Resize a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:top", name="container:top",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the running processes inside the container.", description="Display the running processes inside the container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:get_archive", name="container:get_archive",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get a tar archive of a path of container.", description="Get a tar archive of a path of container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:put_archive", name="container:put_archive",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Put a tar archive to be extracted to a path of container", description="Put a tar archive to be extracted to a path of container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}], operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:stats", name="container:stats",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Display the statistics of a container", description="Display the statistics of a container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:commit", name="container:commit",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Commit a container", description="Commit a container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:add_security_group", name="container:add_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Add a security group to a specific container.", description="Add a security group to a specific container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}
],
), ),
base.APIRule( base.APIRule(
name="zun:container:network_detach", name="container:network_detach",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Detach a network from a container.", description="Detach a network from a container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}
],
), ),
base.APIRule( base.APIRule(
name="zun:container:network_attach", name="container:network_attach",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Attach a network from a container.", description="Attach a network from a container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}
],
), ),
base.APIRule( base.APIRule(
name="zun:container:remove_security_group", name="container:remove_security_group",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Remove security group from a specific container.", description="Remove security group from a specific container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}
],
), ),
base.APIRule( base.APIRule(
name="zun:container:rebuild", name="container:rebuild",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Rebuild a container.", description="Rebuild a container.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:resize_container", name="container:resize_container",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Resize an existing container.", description="Resize an existing container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}],
{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}
],
), ),
base.APIRule( base.APIRule(
name="zun:image:pull", name="image:pull",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Pull an image.", description="Pull an image.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/images"}], operations=[{"method": "POST", "path": "/v1/images"}],
), ),
base.APIRule( base.APIRule(
name="zun:image:get_all", name="image:get_all",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Print a list of available images.", description="Print a list of available images.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images"}], operations=[{"method": "GET", "path": "/v1/images"}],
), ),
base.APIRule( base.APIRule(
name="zun:image:get_one", name="image:get_one",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the details of a specific image.", description="Retrieve the details of a specific image.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_id}"}], operations=[{"method": "GET", "path": "/v1/images/{image_id}"}],
), ),
base.APIRule( base.APIRule(
name="zun:image:search", name="image:search",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Search an image.", description="Search an image.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}], operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}],
), ),
base.APIRule( base.APIRule(
name="zun:image:delete", name="image:delete",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Delete an image.", description="Delete an image.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}], operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:zun-service:delete", name="zun-service:delete",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Delete a service.", description="Delete a service.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/services"}], operations=[{"method": "DELETE", "path": "/v1/services"}],
), ),
base.APIRule( base.APIRule(
name="zun:zun-service:disable", name="zun-service:disable",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Disable a service.", description="Disable a service.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/disable"}], operations=[{"method": "PUT", "path": "/v1/services/disable"}],
), ),
base.APIRule( base.APIRule(
name="zun:zun-service:enable", name="zun-service:enable",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Enable a service.", description="Enable a service.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/enable"}], operations=[{"method": "PUT", "path": "/v1/services/enable"}],
), ),
base.APIRule( base.APIRule(
name="zun:zun-service:force_down", name="zun-service:force_down",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Forcibly shutdown a service.", description="Forcibly shutdown a service.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/services/force_down"}], operations=[{"method": "PUT", "path": "/v1/services/force_down"}],
), ),
base.APIRule( base.APIRule(
name="zun:zun-service:get_all", name="zun-service:get_all",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Show the status of a service.", description="Show the status of a service.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/services"}], operations=[{"method": "GET", "path": "/v1/services"}],
), ),
base.APIRule( base.APIRule(
name="zun:host:get_all", name="host:get_all",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="List all compute hosts.", description="List all compute hosts.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts"}], operations=[{"method": "GET", "path": "/v1/hosts"}],
), ),
base.APIRule( base.APIRule(
name="zun:host:get", name="host:get",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Show the details of a specific compute host.", description="Show the details of a specific compute host.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}], operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:create", name="capsule:create",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a capsule", description="Create a capsule",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/capsules/"}], operations=[{"method": "POST", "path": "/v1/capsules/"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:delete", name="capsule:delete",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a capsule", description="Delete a capsule",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}], operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:delete_all_projects", name="capsule:delete_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Delete a container in any project.", description="Delete a container in any project.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}], operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:get", name="capsule:get",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a capsule.", description="Retrieve the details of a capsule.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}], operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:get:host", name="capsule:get:host",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the host field of a capsule.", description="Retrieve the host field of a capsule.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}, {"method": "GET", "path": "/v1/capsules"}, {"method": "POST", "path": "/v1/capsules"}],
{"method": "GET", "path": "/v1/capsules/{capsule_ident}"},
{"method": "GET", "path": "/v1/capsules"},
{"method": "POST", "path": "/v1/capsules"},
],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:get_one_all_projects", name="capsule:get_one_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the details of a capsule in any project.", description="Retrieve the details of a capsule in any project.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}], operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:get_all", name="capsule:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="List all capsules.", description="List all capsules.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}], operations=[{"method": "GET", "path": "/v1/capsules/"}],
), ),
base.APIRule( base.APIRule(
name="zun:capsule:get_all_all_projects", name="capsule:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="List all capsules across projects.", description="List all capsules across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/capsules/"}], operations=[{"method": "GET", "path": "/v1/capsules/"}],
), ),
base.APIRule( base.APIRule(
name="zun:network:attach_external_network", name="network:attach_external_network",
check_str=("role:admin"), check_str=("role:admin"),
description="Attach an unshared external network to a container", description="Attach an unshared external network to a container",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}], operations=[{"method": "POST", "path": "/v1/containers"}],
), ),
base.APIRule( base.APIRule(
name="zun:network:create", name="network:create",
check_str=("role:admin"), check_str=("role:admin"),
description="Create a network", description="Create a network",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/networks"}], operations=[{"method": "POST", "path": "/v1/networks"}],
), ),
base.APIRule( base.APIRule(
name="zun:network:delete", name="network:delete",
check_str=("role:admin"), check_str=("role:admin"),
description="Delete a network", description="Delete a network",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/networks"}], operations=[{"method": "DELETE", "path": "/v1/networks"}],
), ),
base.APIRule( base.APIRule(
name="zun:container:actions", name="container:actions",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="List actions and show action details for a container", description="List actions and show action details for a container",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"}, {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"},
{
"method": "GET",
"path": "/v1/containers/{container_ident}/container_actions/{request_id}",
},
],
), ),
base.APIRule( base.APIRule(
name="zun:container:action:events", name="container:action:events",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Add events details in action details for a container.", description="Add events details in action details for a container.",
scope_types=["project"], scope_types=["project"],
operations=[ operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}],
{
"method": "GET",
"path": "/v1/containers/{container_ident}/container_actions/{request_id}",
}
],
), ),
base.APIRule( base.APIRule(
name="zun:availability_zones:get_all", name="availability_zones:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="List availability zone", description="List availability zone",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/availability_zones"}], operations=[{"method": "GET", "path": "/v1/availability_zones"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota:update", name="quota:update",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Update quotas for a project", description="Update quotas for a project",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}], operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota:delete", name="quota:delete",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Delete quotas for a project", description="Delete quotas for a project",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}], operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota:get", name="quota:get",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get quotas for a project", description="Get quotas for a project",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}], operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota:get_default", name="quota:get_default",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Get default quotas for a project", description="Get default quotas for a project",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas/defaults"}], operations=[{"method": "GET", "path": "/v1/quotas/defaults"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota_class:update", name="quota_class:update",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Update quotas for specific quota class", description="Update quotas for specific quota class",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}], operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}],
), ),
base.APIRule( base.APIRule(
name="zun:quota_class:get", name="quota_class:get",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="List quotas for specific quota class", description="List quotas for specific quota class",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}], operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:create", name="registry:create",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Create a new registry.", description="Create a new registry.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/registries"}], operations=[{"method": "POST", "path": "/v1/registries"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:delete", name="registry:delete",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Delete a registry.", description="Delete a registry.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}], operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:get_one", name="registry:get_one",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of a specific registry.", description="Retrieve the details of a specific registry.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}], operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:get_all", name="registry:get_all",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Retrieve the details of all registries.", description="Retrieve the details of all registries.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}], operations=[{"method": "GET", "path": "/v1/registries"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:get_all_all_projects", name="registry:get_all_all_projects",
check_str=("(role:admin)"), check_str=("rule:context_is_admin"),
description="Retrieve the details of all registries across projects.", description="Retrieve the details of all registries across projects.",
scope_types=["project"], scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/registries"}], operations=[{"method": "GET", "path": "/v1/registries"}],
), ),
base.APIRule( base.APIRule(
name="zun:registry:update", name="registry:update",
check_str=("is_admin:True or project_id:%(project_id)s"), check_str=("is_admin:True or project_id:%(project_id)s"),
description="Update a registry.", description="Update a registry.",
scope_types=["project"], scope_types=["project"],

8
skyline_apiserver/types/constants.py
View File

@ -48,10 +48,12 @@ SUPPORTED_SERVICE_EPS = {
"cinder": ["cinder"], "cinder": ["cinder"],
"glance": ["glance"], "glance": ["glance"],
"heat": ["heat"], "heat": ["heat"],
"ironic": ["ironic.api", "ironic_inspector.api"], "ironic": ["ironic.api"],
"ironic_inspector": ["ironic_inspector.api"],
"keystone": ["keystone"], "keystone": ["keystone"],
"neutron": ["neutron", "neutron-vpnaas"], "magnum": ["magnum"],
"manila": ["manila"], "manila": ["manila"],
"neutron": ["neutron", "neutron-vpnaas"],
"nova": ["nova"], "nova": ["nova"],
"octavia": ["octavia"], "octavia": ["octavia"],
"panko": ["panko"], "panko": ["panko"],
@ -59,5 +61,3 @@ SUPPORTED_SERVICE_EPS = {
"trove": ["trove"], "trove": ["trove"],
"zun": ["zun"], "zun": ["zun"],
} }
PREFIX_MAPPINGS = {"trove": "trove:", "manila": "manila:", "zun": "zun:"}

23
tools/post_install.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Install openstack service package # Install openstack service package
pip install --no-deps \ pip install -U \
keystone \ keystone \
openstack-placement \ openstack-placement \
nova \ nova \
@ -10,25 +10,10 @@ pip install --no-deps \
trove \ trove \
neutron neutron-vpnaas \ neutron neutron-vpnaas \
openstack-heat \ openstack-heat \
ironic-lib ironic ironic-inspector \ ironic \
octavia-lib octavia \ ironic-inspector \
octavia \
panko \ panko \
manila \ manila \
magnum \ magnum \
zun zun
# Patch cinder
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/cinder/__init__.py"
sed -i 's/\(.*eventlet.*\)/# \1/g' $patch_path
# Patch neutron
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/neutron/conf/policies/floatingip_pools.py"
sed -i 's/admin/system/g' $patch_path
# Patch ironic
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic/common/policy.py"
sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path
# Patch ironic_inspector
patch_path="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')/ironic_inspector/policy.py"
sed -i 's/\(.*lockutils.*\)/# \1/g' $patch_path