fix: Compatible with member and _member_
When the default role is `_member_` instead of `member`, the Skyline API responds with 401. Bug: 2034976 Change-Id: I7c633728c8de9f300eb718f615bc9950e0c96411
This commit is contained in:
parent
2ceaa1e3ed
commit
87019798fa
@ -40,7 +40,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="secret_project_member",
|
||||
check_str=("role:member and rule:secret_project_match"),
|
||||
check_str=("(role:member or role:_member_) and rule:secret_project_match"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
@ -70,7 +70,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="container_project_member",
|
||||
check_str=("role:member and rule:container_project_match"),
|
||||
check_str=("(role:member or role:_member_) and rule:container_project_match"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
@ -100,7 +100,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="order_project_member",
|
||||
check_str=("role:member and rule:order_project_match"),
|
||||
check_str=("(role:member or role:_member_) and rule:order_project_match"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
@ -291,14 +291,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="containers:post",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Creates a container.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v1/containers"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="containers:get",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Lists a projects containers.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "GET", "path": "/v1/containers"}],
|
||||
@ -333,21 +333,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="orders:get",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Gets list of all orders associated with a project.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "GET", "path": "/v1/orders"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="orders:post",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Creates an order.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v1/orders"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="orders:put",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Unsupported method for the orders API.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/v1/orders"}],
|
||||
@ -452,14 +452,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="secrets:post",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Creates a Secret entity.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v1/secrets"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="secrets:get",
|
||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
||||
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||
description="Lists a projects secrets.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "GET", "path": "/v1/secrets"}],
|
||||
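Review bot: The `_member_` alternative is spelled out inline in every rewritten `check_str` of this section (secret_project_member through secrets:get) instead of being defined once, so when the legacy role is eventually retired each literal has to be found and edited again, and a missed one silently keeps the wider grant. A single shared rule such as `base.Rule(name="project_member_role", check_str=("role:member or role:_member_"), description="member or legacy _member_ role")` referenced as `rule:project_member_role` in the per-API rules would keep one point of control; the same applies to the sections that follow. Each hunk sits inside the `list_rules = (` tuple, whose start and end are outside the hunk.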
|
@ -45,7 +45,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="xena_system_admin_or_project_member",
|
||||
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="NOTE: this purely role-based rule recognizes only project scope",
|
||||
),
|
||||
base.Rule(
|
||||
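Review bot: Nothing in the file explains why `role:_member_` is now accepted next to `role:member` in `xena_system_admin_or_project_member`; the description string is unchanged and a later maintainer has no way to tell whether the alias is deliberate or a leftover. A comment above the rule such as `# "_member_" is the legacy Keystone default role name; accepted alongside "member" so deployments that never renamed it are not locked out (Bug 2034976)` would record the intent. The enclosing `list_rules` tuple starts and ends outside the hunk.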
|
@ -45,14 +45,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_image",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s and project_id:%(owner)s)"),
|
||||
description="Create new image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v2/images"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_image",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Deletes the image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
|
||||
@ -73,7 +73,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="modify_image",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Updates given image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||
@ -87,21 +87,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="communitize_image",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Communitize given image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="download_image",
|
||||
check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
|
||||
description="Downloads given image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="upload_image",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Uploads data to specified image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
|
||||
@ -122,21 +122,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="set_image_location",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Sets location URI to given image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_member",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Create image member",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_member",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Delete image member",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
||||
@ -157,21 +157,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="modify_member",
|
||||
check_str=("role:admin or (role:member and project_id:%(member_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(member_id)s)"),
|
||||
description="Update image member",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="deactivate",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Deactivate image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="reactivate",
|
||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Reactivate image",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
|
||||
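Review bot: In `download_image` the widened clause now combines with the visibility alternatives, so a `_member_` holder from any project may download community, public and shared images exactly as a `member` could before; that is consistent with the intended equivalence, but it is the broadest of the rewritten rules and worth stating in the description. If these entries mirror the defaults the Glance service itself enforces, the two should be kept aligned: where the backend still only recognises `role:member`, a `_member_`-only user would be shown an action here that the API then rejects, and the inverse divergence would matter more if these rules drive any enforcement in Skyline itself — I cannot tell from this hunk which applies. `list_rules` continues outside the hunk on both sides.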
|
@ -50,7 +50,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="cloudformation:CreateStack",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
@ -60,17 +60,17 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="cloudformation:DeleteStack",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
name="cloudformation:UpdateStack",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
name="cloudformation:CancelUpdateStack",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
@ -225,28 +225,28 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:action",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:snapshot",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Create stack snapshot",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:suspend",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Suspend a stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:resume",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Resume a suspended stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
@ -260,14 +260,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:cancel_update",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Cancel stack operation and roll back.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="actions:cancel_without_rollback",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Cancel stack operation without rolling back.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||
@ -316,7 +316,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="resource:mark_unhealthy",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Mark resource as unhealthy.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
|
||||
@ -358,7 +358,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="software_configs:delete",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Delete config.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
|
||||
@ -372,7 +372,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="software_deployments:create",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Create deployment.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
|
||||
@ -386,14 +386,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="software_deployments:update",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Update deployment.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="software_deployments:delete",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Delete deployment.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
||||
@ -407,21 +407,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:abandon",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Abandon stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:create",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Create stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:delete",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Delete stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||
@ -435,14 +435,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:export",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Export stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:generate_template",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Generate stack template.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
|
||||
@ -533,14 +533,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:update",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Update stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:update_patch",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Update stack (PATCH).",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||
@ -554,28 +554,28 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:preview_update",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Preview update stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:preview_update_patch",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Preview update stack (PATCH).",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:validate_template",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Validate template.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:snapshot",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Snapshot Stack.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
|
||||
@ -589,7 +589,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:delete_snapshot",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Delete snapshot.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
|
||||
@ -603,7 +603,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="stacks:restore_snapshot",
|
||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
||||
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||
description="Restore snapshot.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
|
||||
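Review bot: No test accompanies the new alias in the visible part of the commit, and the heat rules here are the ones where a regression would be easiest to miss because the `(role:admin and system_scope:all)` branch masks a broken project branch for admin test contexts. A small test that evaluates a rule such as `stacks:create` with a context whose roles are only `["_member_"]` and a matching `project_id`, and asserts the same context is refused with a different `project_id`, would pin both the grant and its project-scoping. The enclosing `list_rules` tuple starts and ends outside these hunks.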
|
@ -140,14 +140,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:driver_info",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node driver_info field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:properties",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node properties field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
@ -161,77 +161,77 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:instance_uuid",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node instance_uuid field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:lessee",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node lessee field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:owner",
|
||||
check_str=("role:member and system_scope:all"),
|
||||
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||
description="Governs if node owner field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:driver_interfaces",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:network_data",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node driver_info field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:conductor_group",
|
||||
check_str=("role:member and system_scope:all"),
|
||||
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||
description="Governs if node conductor_group field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:name",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node name field can be updated via the API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update:retired",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Governs if node retired and retired reason can be updated by API clients.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
description="Generalized update of node records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update_extra",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
description="Update Node extra field",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:update_instance_info",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Update Node instance_info field",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||
@ -259,35 +259,35 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:validate",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Request active validation of Nodes",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_maintenance",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Set maintenance flag, taking a Node out of service",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:clear_maintenance",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Clear maintenance flag, placing the Node into service again",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get_boot_device",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Retrieve Node boot device metadata",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_boot_device",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Change Node boot device",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
|
||||
@ -301,14 +301,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_indicator_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Change Node indicator state",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:inject_nmi",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Inject NMI for a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
|
||||
@ -322,49 +322,49 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_power_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
description="Change Node power status",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_boot_mode",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
description="Change Node boot mode",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_secure_boot",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||
description="Change Node secure boot state",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_provision_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Change Node provision status",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_raid_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Change Node RAID status",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:get_console",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Get Node console connection information",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:set_console_state",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||
description="Change Node console status",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
|
||||
@ -378,14 +378,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:vif:attach",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Attach a VIF to a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:vif:detach",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Detach a VIF from a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
|
||||
@ -399,14 +399,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:traits:set",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Add a trait to, or replace all traits of, a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:node:traits:delete",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Remove one or all traits from a node",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||
@ -469,7 +469,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:port:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Update Port records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
|
||||
@ -497,7 +497,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:portgroup:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||
description="Update Portgroup records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
|
||||
@ -539,7 +539,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:chassis:update",
|
||||
check_str=("role:member and system_scope:all"),
|
||||
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||
description="Update Chassis records",
|
||||
scope_types=["system"],
|
||||
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
|
||||
@ -616,21 +616,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:create",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Create Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:delete",
|
||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Delete Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:volume:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||
description="Update Volume connector and target records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
|
||||
@ -672,28 +672,28 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:allocation:create",
|
||||
check_str=("(role:member and system_scope:all) or (role:member)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or (role:member or role:_member_)"),
|
||||
description="Create Allocation records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/allocations"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:allocation:create_restricted",
|
||||
check_str=("role:member and system_scope:all"),
|
||||
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||
description="Create Allocation records with a specific owner.",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "POST", "path": "/allocations"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:allocation:delete",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
|
||||
description="Delete Allocation records",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="baremetal:allocation:update",
|
||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
|
||||
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
|
||||
description="Change name and extra fields of an allocation",
|
||||
scope_types=["system", "project"],
|
||||
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
|
||||
|
@ -25,7 +25,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="project-member",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Project scoped Member",
|
||||
),
|
||||
base.Rule(
|
||||
|
@ -147,7 +147,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_address_scope",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create an address scope",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/address-scopes"}],
|
||||
@ -168,7 +168,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_address_scope",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update an address scope",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/address-scopes/{id}"}],
|
||||
@ -182,7 +182,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_address_scope",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete an address scope",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/address-scopes/{id}"}],
|
||||
@ -273,7 +273,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_auto_allocated_topology",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a project's auto-allocated topology",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/auto-allocated-topology/{project_id}"}],
|
||||
@ -357,7 +357,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_floatingip",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a floating IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/floatingips"}],
|
||||
@ -378,14 +378,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_floatingip",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a floating IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/floatingips/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_floatingip",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a floating IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/floatingips/{id}"}],
|
||||
@ -399,7 +399,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_floatingip_port_forwarding",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Create a floating IP port forwarding",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/floatingips/{floatingip_id}/port_forwardings"}],
|
||||
@ -413,21 +413,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_floatingip_port_forwarding",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Update a floating IP port forwarding",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_floatingip_port_forwarding",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Delete a floating IP port forwarding",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_router_conntrack_helper",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Create a router conntrack helper",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/routers/{router_id}/conntrack_helpers"}],
|
||||
@ -441,21 +441,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_router_conntrack_helper",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Update a router conntrack helper",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_router_conntrack_helper",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Delete a router conntrack helper",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_local_ip",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a Local IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/local-ips"}],
|
||||
@ -469,21 +469,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_local_ip",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a Local IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/local-ips/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_local_ip",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a Local IP",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/local-ips/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_local_ip_port_association",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Create a Local IP port association",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/local_ips/{local_ip_id}/port_associations"}],
|
||||
@ -497,7 +497,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_local_ip_port_association",
|
||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||
description="Delete a Local IP port association",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/local_ips/{local_ip_id}/port_associations/{fixed_port_id}"}],
|
||||
@ -581,7 +581,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_ndp_proxy",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a ndp proxy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/ndp_proxies"}],
|
||||
@ -595,21 +595,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_ndp_proxy",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a ndp proxy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/ndp_proxies/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_ndp_proxy",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a ndp proxy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/ndp_proxies/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_network",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a network",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/networks"}],
|
||||
@ -637,7 +637,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_network:port_security_enabled",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Specify ``port_security_enabled`` attribute when creating a network",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/networks"}],
|
||||
@ -714,7 +714,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_network",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a network",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
||||
@ -770,14 +770,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_network:port_security_enabled",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update ``port_security_enabled`` attribute of a network",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_network",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a network",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/networks/{id}"}],
|
||||
@ -819,7 +819,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_port",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a port",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/ports"}],
|
||||
@ -882,7 +882,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_port:binding:vnic_type",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Specify ``binding:vnic_type`` attribute when creating a port",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/ports"}],
|
||||
@ -952,7 +952,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_port",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||
description="Update a port",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
||||
@ -1015,7 +1015,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_port:binding:vnic_type",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||
description="Update ``binding:vnic_type`` attribute of a port",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
||||
@ -1050,7 +1050,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_port",
|
||||
check_str=("rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or rule:context_is_advsvc or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a port",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/ports/{id}"}],
|
||||
@ -1337,7 +1337,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_rbac_policy",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create an RBAC policy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/rbac-policies"}],
|
||||
@ -1351,7 +1351,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_rbac_policy",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update an RBAC policy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/rbac-policies/{id}"}],
|
||||
@ -1372,14 +1372,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_rbac_policy",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete an RBAC policy",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/rbac-policies/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_router",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/routers"}],
|
||||
@ -1400,14 +1400,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_router:external_gateway_info",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Specify ``external_gateway_info`` information when creating a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/routers"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_router:external_gateway_info:network_id",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Specify ``network_id`` in ``external_gateway_info`` information when creating a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/routers"}],
|
||||
@ -1449,7 +1449,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_router",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||
@ -1470,14 +1470,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_router:external_gateway_info",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update ``external_gateway_info`` information of a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_router:external_gateway_info:network_id",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update ``network_id`` attribute of ``external_gateway_info`` information of a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||
@ -1498,42 +1498,42 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_router",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/routers/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_router_interface",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Add an interface to a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}/add_router_interface"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="remove_router_interface",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Remove an interface from a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}/remove_router_interface"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_extraroutes",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Add extra route to a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}/add_extraroutes"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="remove_extraroutes",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Remove extra route from a router",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/routers/{id}/remove_extraroutes"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_security_group",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a security group",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/security-groups"}],
|
||||
@ -1547,21 +1547,21 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_security_group",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a security group",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/security-groups/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_security_group",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a security group",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/security-groups/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_security_group_rule",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a security group rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/security-group-rules"}],
|
||||
@ -1575,7 +1575,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_security_group_rule",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a security group rule",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/security-group-rules/{id}"}],
|
||||
@ -1617,7 +1617,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_subnet",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||
description="Create a subnet",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/subnets"}],
|
||||
@ -1652,7 +1652,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_subnet",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||
description="Update a subnet",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/subnets/{id}"}],
|
||||
@ -1673,14 +1673,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_subnet",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||
description="Delete a subnet",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/subnets/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_subnetpool",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/subnetpools"}],
|
||||
@ -1708,7 +1708,7 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_subnetpool",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}"}],
|
||||
@ -1722,35 +1722,35 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_subnetpool",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/subnetpools/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="onboard_network_subnets",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Onboard existing subnet into a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/onboard_network_subnets"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_prefixes",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Add prefixes to a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/add_prefixes"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="remove_prefixes",
|
||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
||||
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Remove unallocated prefixes from a subnetpool",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/remove_prefixes"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="create_trunk",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Create a trunk",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "POST", "path": "/trunks"}],
|
||||
@ -1764,14 +1764,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="update_trunk",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Update a trunk",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/trunks/{id}"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="delete_trunk",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete a trunk",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "DELETE", "path": "/trunks/{id}"}],
|
||||
@ -1785,14 +1785,14 @@ list_rules = (
|
||||
),
|
||||
base.APIRule(
|
||||
name="add_subports",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Add subports to a trunk",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/trunks/{id}/add_subports"}],
|
||||
),
|
||||
base.APIRule(
|
||||
name="remove_subports",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Delete subports from a trunk",
|
||||
scope_types=["project"],
|
||||
operations=[{"method": "PUT", "path": "/trunks/{id}/remove_subports"}],
|
||||
|
@ -35,7 +35,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="project_member_api",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="Default rule for Project level non admin APIs.",
|
||||
),
|
||||
base.Rule(
|
||||
|
@ -30,7 +30,7 @@ list_rules = (
|
||||
),
|
||||
base.Rule(
|
||||
name="project-member",
|
||||
check_str=("role:member and project_id:%(project_id)s"),
|
||||
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||
description="No description",
|
||||
),
|
||||
base.Rule(
|
||||
|