fix: Compatible with member and _member_
When the default role is _member_ instead of member, the Skyline API responds with 401.
Bug: 2034976
Change-Id: I7c633728c8de9f300eb718f615bc9950e0c96411
parent
2ceaa1e3ed
commit
87019798fa
@ -40,7 +40,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="secret_project_member",
|
name="secret_project_member",
|
||||||
check_str=("role:member and rule:secret_project_match"),
|
check_str=("(role:member or role:_member_) and rule:secret_project_match"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
@ -70,7 +70,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="container_project_member",
|
name="container_project_member",
|
||||||
check_str=("role:member and rule:container_project_match"),
|
check_str=("(role:member or role:_member_) and rule:container_project_match"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
@ -100,7 +100,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="order_project_member",
|
name="order_project_member",
|
||||||
check_str=("role:member and rule:order_project_match"),
|
check_str=("(role:member or role:_member_) and rule:order_project_match"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
@ -291,14 +291,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="containers:post",
|
name="containers:post",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Creates a container.",
|
description="Creates a container.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/containers"}],
|
operations=[{"method": "POST", "path": "/v1/containers"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="containers:get",
|
name="containers:get",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Lists a projects containers.",
|
description="Lists a projects containers.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "GET", "path": "/v1/containers"}],
|
operations=[{"method": "GET", "path": "/v1/containers"}],
|
||||||
@ -333,21 +333,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="orders:get",
|
name="orders:get",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Gets list of all orders associated with a project.",
|
description="Gets list of all orders associated with a project.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "GET", "path": "/v1/orders"}],
|
operations=[{"method": "GET", "path": "/v1/orders"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="orders:post",
|
name="orders:post",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Creates an order.",
|
description="Creates an order.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/orders"}],
|
operations=[{"method": "POST", "path": "/v1/orders"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="orders:put",
|
name="orders:put",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Unsupported method for the orders API.",
|
description="Unsupported method for the orders API.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/v1/orders"}],
|
operations=[{"method": "PUT", "path": "/v1/orders"}],
|
||||||
@ -452,14 +452,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="secrets:post",
|
name="secrets:post",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Creates a Secret entity.",
|
description="Creates a Secret entity.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/secrets"}],
|
operations=[{"method": "POST", "path": "/v1/secrets"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="secrets:get",
|
name="secrets:get",
|
||||||
check_str=("True:%(enforce_new_defaults)s and role:member"),
|
check_str=("True:%(enforce_new_defaults)s and (role:member or role:_member_)"),
|
||||||
description="Lists a projects secrets.",
|
description="Lists a projects secrets.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "GET", "path": "/v1/secrets"}],
|
operations=[{"method": "GET", "path": "/v1/secrets"}],
|
||||||
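Review bot: The legacy role is written out as `(role:member or role:_member_)` inside every `check_str` in this section (`secret_project_member`, `container_project_member`, `order_project_member` and the `containers:*`, `orders:*` and `secrets:*` API rules), and the same literal recurs in the sections that follow, so dropping `_member_` later means editing each string again. Defining it once, for example `base.Rule(name="project_member_role", check_str="role:member or role:_member_", description="member, or legacy _member_ for older deployments")`, and writing `rule:project_member_role` in the check strings would keep the compatibility switch in one place; `project_member_role` is a proposed name, not one taken from this file. The API rules here are gated on `True:%(enforce_new_defaults)s`, so `_member_` is now accepted on that path for creating and listing secrets, containers and orders; in a deployment where both roles exist and `_member_` is assigned more widely than `member`, this broadens access, and a comment stating that it is intended would help. The enclosing `list_rules` tuple starts and ends outside the hunks.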
|
@ -45,7 +45,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="xena_system_admin_or_project_member",
|
name="xena_system_admin_or_project_member",
|
||||||
check_str=("(role:admin) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="NOTE: this purely role-based rule recognizes only project scope",
|
description="NOTE: this purely role-based rule recognizes only project scope",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
|
@ -45,14 +45,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_image",
|
name="add_image",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s and project_id:%(owner)s)"),
|
||||||
description="Create new image",
|
description="Create new image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v2/images"}],
|
operations=[{"method": "POST", "path": "/v2/images"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_image",
|
name="delete_image",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Deletes the image",
|
description="Deletes the image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
|
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
|
||||||
@ -73,7 +73,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="modify_image",
|
name="modify_image",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Updates given image",
|
description="Updates given image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||||
@ -87,21 +87,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="communitize_image",
|
name="communitize_image",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Communitize given image",
|
description="Communitize given image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="download_image",
|
name="download_image",
|
||||||
check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
|
check_str=("role:admin or ((role:member or role:_member_) and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
|
||||||
description="Downloads given image",
|
description="Downloads given image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
|
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="upload_image",
|
name="upload_image",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Uploads data to specified image",
|
description="Uploads data to specified image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
|
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
|
||||||
@ -122,21 +122,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="set_image_location",
|
name="set_image_location",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Sets location URI to given image",
|
description="Sets location URI to given image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_member",
|
name="add_member",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Create image member",
|
description="Create image member",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
|
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_member",
|
name="delete_member",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Delete image member",
|
description="Delete image member",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
||||||
@ -157,21 +157,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="modify_member",
|
name="modify_member",
|
||||||
check_str=("role:admin or (role:member and project_id:%(member_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(member_id)s)"),
|
||||||
description="Update image member",
|
description="Update image member",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="deactivate",
|
name="deactivate",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Deactivate image",
|
description="Deactivate image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
|
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="reactivate",
|
name="reactivate",
|
||||||
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
|
check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Reactivate image",
|
description="Reactivate image",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
|
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
|
||||||
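Review bot: `_member_` is accepted here not only for read paths but also for `set_image_location`, `add_member`, `delete_member`, `modify_member`, `communitize_image` and `delete_image`, which change where image data is fetched from and who an image is shared with. The commit message only describes a 401 when `_member_` is the default role, so it is worth confirming that holders of `_member_` are meant to receive every project-member write operation. It is also worth checking that the image service's own policy accepts the same role, since otherwise these rules would report actions as permitted that the backend then rejects (inferred; the backend policy is not shown on this page). If only part of the set is needed, the remaining rules can keep `role:member and project_id:%(project_id)s`.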
|
@ -50,7 +50,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="cloudformation:CreateStack",
|
name="cloudformation:CreateStack",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
@ -60,17 +60,17 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="cloudformation:DeleteStack",
|
name="cloudformation:DeleteStack",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="cloudformation:UpdateStack",
|
name="cloudformation:UpdateStack",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="cloudformation:CancelUpdateStack",
|
name="cloudformation:CancelUpdateStack",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
@ -225,28 +225,28 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:action",
|
name="actions:action",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
|
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:snapshot",
|
name="actions:snapshot",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Create stack snapshot",
|
description="Create stack snapshot",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:suspend",
|
name="actions:suspend",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Suspend a stack.",
|
description="Suspend a stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:resume",
|
name="actions:resume",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Resume a suspended stack.",
|
description="Resume a suspended stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
@ -260,14 +260,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:cancel_update",
|
name="actions:cancel_update",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Cancel stack operation and roll back.",
|
description="Cancel stack operation and roll back.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="actions:cancel_without_rollback",
|
name="actions:cancel_without_rollback",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Cancel stack operation without rolling back.",
|
description="Cancel stack operation without rolling back.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}],
|
||||||
@ -316,7 +316,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="resource:mark_unhealthy",
|
name="resource:mark_unhealthy",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Mark resource as unhealthy.",
|
description="Mark resource as unhealthy.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
|
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}],
|
||||||
@ -358,7 +358,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="software_configs:delete",
|
name="software_configs:delete",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Delete config.",
|
description="Delete config.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
|
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
|
||||||
@ -372,7 +372,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="software_deployments:create",
|
name="software_deployments:create",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Create deployment.",
|
description="Create deployment.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
|
||||||
@ -386,14 +386,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="software_deployments:update",
|
name="software_deployments:update",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Update deployment.",
|
description="Update deployment.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="software_deployments:delete",
|
name="software_deployments:delete",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Delete deployment.",
|
description="Delete deployment.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}],
|
||||||
@ -407,21 +407,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:abandon",
|
name="stacks:abandon",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Abandon stack.",
|
description="Abandon stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
|
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:create",
|
name="stacks:create",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Create stack.",
|
description="Create stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:delete",
|
name="stacks:delete",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Delete stack.",
|
description="Delete stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||||
@ -435,14 +435,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:export",
|
name="stacks:export",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Export stack.",
|
description="Export stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
|
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:generate_template",
|
name="stacks:generate_template",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Generate stack template.",
|
description="Generate stack template.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
|
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}],
|
||||||
@ -533,14 +533,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:update",
|
name="stacks:update",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Update stack.",
|
description="Update stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:update_patch",
|
name="stacks:update_patch",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Update stack (PATCH).",
|
description="Update stack (PATCH).",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
|
||||||
@ -554,28 +554,28 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:preview_update",
|
name="stacks:preview_update",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Preview update stack.",
|
description="Preview update stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:preview_update_patch",
|
name="stacks:preview_update_patch",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Preview update stack (PATCH).",
|
description="Preview update stack (PATCH).",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:validate_template",
|
name="stacks:validate_template",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Validate template.",
|
description="Validate template.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:snapshot",
|
name="stacks:snapshot",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Snapshot Stack.",
|
description="Snapshot Stack.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}],
|
||||||
@ -589,7 +589,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:delete_snapshot",
|
name="stacks:delete_snapshot",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Delete snapshot.",
|
description="Delete snapshot.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
|
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}],
|
||||||
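Review bot: The literal `(role:member or role:_member_)` is pasted into each changed `check_str`, here in `stacks:delete_snapshot` and again in `stacks:restore_snapshot` and the baremetal rules further down, so the legacy-role exception cannot be audited or withdrawn in one place. The check-string syntax used here can reference a named rule, so a single `base.Rule` with `check_str=("role:member or role:_member_")`, referenced as `rule:<compat-rule-name>` (placeholder name), would keep each API rule short and make a later removal a one-line change. The `list_rules` tuple starts and ends outside this hunk.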
@ -603,7 +603,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="stacks:restore_snapshot",
|
name="stacks:restore_snapshot",
|
||||||
check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"),
|
check_str=("(role:admin and system_scope:all) or ((role:member or role:_member_) and project_id:%(project_id)s)"),
|
||||||
description="Restore snapshot.",
|
description="Restore snapshot.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
|
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}],
|
||||||
|
@ -140,14 +140,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:driver_info",
|
name="baremetal:node:update:driver_info",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node driver_info field can be updated via the API clients.",
|
description="Governs if node driver_info field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:properties",
|
name="baremetal:node:update:properties",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node properties field can be updated via the API clients.",
|
description="Governs if node properties field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
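Review bot: The system-scoped branch of `baremetal:node:update:driver_info` and `baremetal:node:update:properties` now reads `(role:member or role:_member_) and system_scope:all`, which widens system-level access even though the compatibility problem being fixed concerns the default project role. Unless a system-scoped `_member_` assignment is really meant to manage nodes, leave that branch unchanged and widen only the project branch: `check_str=("(role:member and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)")`. The same applies in the later hunks, most visibly `baremetal:node:update:owner`, `baremetal:node:update:conductor_group` and `baremetal:chassis:update`, whose only grant is the system-scoped one.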
@ -161,77 +161,77 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:instance_uuid",
|
name="baremetal:node:update:instance_uuid",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node instance_uuid field can be updated via the API clients.",
|
description="Governs if node instance_uuid field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:lessee",
|
name="baremetal:node:update:lessee",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node lessee field can be updated via the API clients.",
|
description="Governs if node lessee field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:owner",
|
name="baremetal:node:update:owner",
|
||||||
check_str=("role:member and system_scope:all"),
|
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||||
description="Governs if node owner field can be updated via the API clients.",
|
description="Governs if node owner field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:driver_interfaces",
|
name="baremetal:node:update:driver_interfaces",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
|
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:network_data",
|
name="baremetal:node:update:network_data",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node driver_info field can be updated via the API clients.",
|
description="Governs if node driver_info field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:conductor_group",
|
name="baremetal:node:update:conductor_group",
|
||||||
check_str=("role:member and system_scope:all"),
|
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||||
description="Governs if node conductor_group field can be updated via the API clients.",
|
description="Governs if node conductor_group field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:name",
|
name="baremetal:node:update:name",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node name field can be updated via the API clients.",
|
description="Governs if node name field can be updated via the API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update:retired",
|
name="baremetal:node:update:retired",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Governs if node retired and retired reason can be updated by API clients.",
|
description="Governs if node retired and retired reason can be updated by API clients.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update",
|
name="baremetal:node:update",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||||
description="Generalized update of node records",
|
description="Generalized update of node records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update_extra",
|
name="baremetal:node:update_extra",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||||
description="Update Node extra field",
|
description="Update Node extra field",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:update_instance_info",
|
name="baremetal:node:update_instance_info",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Update Node instance_info field",
|
description="Update Node instance_info field",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
|
||||||
@ -259,35 +259,35 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:validate",
|
name="baremetal:node:validate",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Request active validation of Nodes",
|
description="Request active validation of Nodes",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
|
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_maintenance",
|
name="baremetal:node:set_maintenance",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Set maintenance flag, taking a Node out of service",
|
description="Set maintenance flag, taking a Node out of service",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:clear_maintenance",
|
name="baremetal:node:clear_maintenance",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Clear maintenance flag, placing the Node into service again",
|
description="Clear maintenance flag, placing the Node into service again",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
|
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:get_boot_device",
|
name="baremetal:node:get_boot_device",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Retrieve Node boot device metadata",
|
description="Retrieve Node boot device metadata",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
|
operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_boot_device",
|
name="baremetal:node:set_boot_device",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Change Node boot device",
|
description="Change Node boot device",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
|
||||||
@ -301,14 +301,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_indicator_state",
|
name="baremetal:node:set_indicator_state",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Change Node indicator state",
|
description="Change Node indicator state",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:inject_nmi",
|
name="baremetal:node:inject_nmi",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Inject NMI for a node",
|
description="Inject NMI for a node",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
|
||||||
@ -322,49 +322,49 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_power_state",
|
name="baremetal:node:set_power_state",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||||
description="Change Node power status",
|
description="Change Node power status",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_boot_mode",
|
name="baremetal:node:set_boot_mode",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||||
description="Change Node boot mode",
|
description="Change Node boot mode",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/boot_mode"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_secure_boot",
|
name="baremetal:node:set_secure_boot",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"),
|
||||||
description="Change Node secure boot state",
|
description="Change Node secure boot state",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/secure_boot"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_provision_state",
|
name="baremetal:node:set_provision_state",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Change Node provision status",
|
description="Change Node provision status",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_raid_state",
|
name="baremetal:node:set_raid_state",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Change Node RAID status",
|
description="Change Node RAID status",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:get_console",
|
name="baremetal:node:get_console",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Get Node console connection information",
|
description="Get Node console connection information",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
|
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:set_console_state",
|
name="baremetal:node:set_console_state",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s)"),
|
||||||
description="Change Node console status",
|
description="Change Node console status",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
|
||||||
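Review bot: The project-scoped branches in this hunk let `_member_` change power state, boot mode and secure boot, and read or toggle the console, on nodes tied to the project, yet nothing in the file records that `_member_` is being trusted exactly like `member`. In deployments where `_member_` was handed out as plain project membership this is a wider grant than those users had before, so the assumption should be written next to the rules, e.g. `# _member_ is accepted as a legacy alias of member; every user holding it gets member-level node control`. A release note calling this out would let operators review existing `_member_` assignments before upgrading.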
@ -378,14 +378,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:vif:attach",
|
name="baremetal:node:vif:attach",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Attach a VIF to a node",
|
description="Attach a VIF to a node",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
|
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:vif:detach",
|
name="baremetal:node:vif:detach",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Detach a VIF from a node",
|
description="Detach a VIF from a node",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
|
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
|
||||||
@ -399,14 +399,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:traits:set",
|
name="baremetal:node:traits:set",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Add a trait to, or replace all traits of, a node",
|
description="Add a trait to, or replace all traits of, a node",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:node:traits:delete",
|
name="baremetal:node:traits:delete",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Remove one or all traits from a node",
|
description="Remove one or all traits from a node",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}],
|
||||||
@ -469,7 +469,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:port:update",
|
name="baremetal:port:update",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Update Port records",
|
description="Update Port records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
|
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
|
||||||
@ -497,7 +497,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:portgroup:update",
|
name="baremetal:portgroup:update",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s)"),
|
||||||
description="Update Portgroup records",
|
description="Update Portgroup records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
|
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
|
||||||
@ -539,7 +539,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:chassis:update",
|
name="baremetal:chassis:update",
|
||||||
check_str=("role:member and system_scope:all"),
|
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||||
description="Update Chassis records",
|
description="Update Chassis records",
|
||||||
scope_types=["system"],
|
scope_types=["system"],
|
||||||
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
|
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
|
||||||
@ -616,21 +616,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:volume:create",
|
name="baremetal:volume:create",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Create Volume connector and target records",
|
description="Create Volume connector and target records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
|
operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:volume:delete",
|
name="baremetal:volume:delete",
|
||||||
check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Delete Volume connector and target records",
|
description="Delete Volume connector and target records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
|
operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:volume:update",
|
name="baremetal:volume:update",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),
|
||||||
description="Update Volume connector and target records",
|
description="Update Volume connector and target records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
|
operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}],
|
||||||
@ -672,28 +672,28 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:allocation:create",
|
name="baremetal:allocation:create",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or (role:member or role:_member_)"),
|
||||||
description="Create Allocation records",
|
description="Create Allocation records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/allocations"}],
|
operations=[{"method": "POST", "path": "/allocations"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:allocation:create_restricted",
|
name="baremetal:allocation:create_restricted",
|
||||||
check_str=("role:member and system_scope:all"),
|
check_str=("(role:member or role:_member_) and system_scope:all"),
|
||||||
description="Create Allocation records with a specific owner.",
|
description="Create Allocation records with a specific owner.",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "POST", "path": "/allocations"}],
|
operations=[{"method": "POST", "path": "/allocations"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:allocation:delete",
|
name="baremetal:allocation:delete",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
|
||||||
description="Delete Allocation records",
|
description="Delete Allocation records",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}],
|
operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="baremetal:allocation:update",
|
name="baremetal:allocation:update",
|
||||||
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"),
|
check_str=("((role:member or role:_member_) and system_scope:all) or ((role:member or role:_member_) and project_id:%(allocation.owner)s)"),
|
||||||
description="Change name and extra fields of an allocation",
|
description="Change name and extra fields of an allocation",
|
||||||
scope_types=["system", "project"],
|
scope_types=["system", "project"],
|
||||||
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
|
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
|
||||||
|
@ -25,7 +25,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="project-member",
|
name="project-member",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Project scoped Member",
|
description="Project scoped Member",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
|
@ -147,7 +147,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_address_scope",
|
name="create_address_scope",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create an address scope",
|
description="Create an address scope",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/address-scopes"}],
|
operations=[{"method": "POST", "path": "/address-scopes"}],
|
||||||
@ -168,7 +168,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_address_scope",
|
name="update_address_scope",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update an address scope",
|
description="Update an address scope",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/address-scopes/{id}"}],
|
operations=[{"method": "PUT", "path": "/address-scopes/{id}"}],
|
||||||
@ -182,7 +182,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_address_scope",
|
name="delete_address_scope",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete an address scope",
|
description="Delete an address scope",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/address-scopes/{id}"}],
|
operations=[{"method": "DELETE", "path": "/address-scopes/{id}"}],
|
||||||
@ -273,7 +273,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_auto_allocated_topology",
|
name="delete_auto_allocated_topology",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a project's auto-allocated topology",
|
description="Delete a project's auto-allocated topology",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/auto-allocated-topology/{project_id}"}],
|
operations=[{"method": "DELETE", "path": "/auto-allocated-topology/{project_id}"}],
|
||||||
@ -357,7 +357,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_floatingip",
|
name="create_floatingip",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a floating IP",
|
description="Create a floating IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/floatingips"}],
|
operations=[{"method": "POST", "path": "/floatingips"}],
|
||||||
@ -378,14 +378,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_floatingip",
|
name="update_floatingip",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a floating IP",
|
description="Update a floating IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/floatingips/{id}"}],
|
operations=[{"method": "PUT", "path": "/floatingips/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_floatingip",
|
name="delete_floatingip",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a floating IP",
|
description="Delete a floating IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/floatingips/{id}"}],
|
operations=[{"method": "DELETE", "path": "/floatingips/{id}"}],
|
||||||
@ -399,7 +399,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_floatingip_port_forwarding",
|
name="create_floatingip_port_forwarding",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Create a floating IP port forwarding",
|
description="Create a floating IP port forwarding",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/floatingips/{floatingip_id}/port_forwardings"}],
|
operations=[{"method": "POST", "path": "/floatingips/{floatingip_id}/port_forwardings"}],
|
||||||
@ -413,21 +413,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_floatingip_port_forwarding",
|
name="update_floatingip_port_forwarding",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Update a floating IP port forwarding",
|
description="Update a floating IP port forwarding",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
operations=[{"method": "PUT", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_floatingip_port_forwarding",
|
name="delete_floatingip_port_forwarding",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Delete a floating IP port forwarding",
|
description="Delete a floating IP port forwarding",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
operations=[{"method": "DELETE", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_router_conntrack_helper",
|
name="create_router_conntrack_helper",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Create a router conntrack helper",
|
description="Create a router conntrack helper",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/routers/{router_id}/conntrack_helpers"}],
|
operations=[{"method": "POST", "path": "/routers/{router_id}/conntrack_helpers"}],
|
||||||
@ -441,21 +441,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_router_conntrack_helper",
|
name="update_router_conntrack_helper",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Update a router conntrack helper",
|
description="Update a router conntrack helper",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
operations=[{"method": "PUT", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_router_conntrack_helper",
|
name="delete_router_conntrack_helper",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Delete a router conntrack helper",
|
description="Delete a router conntrack helper",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
operations=[{"method": "DELETE", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_local_ip",
|
name="create_local_ip",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a Local IP",
|
description="Create a Local IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/local-ips"}],
|
operations=[{"method": "POST", "path": "/local-ips"}],
|
||||||
@ -469,21 +469,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_local_ip",
|
name="update_local_ip",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a Local IP",
|
description="Update a Local IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/local-ips/{id}"}],
|
operations=[{"method": "PUT", "path": "/local-ips/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_local_ip",
|
name="delete_local_ip",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a Local IP",
|
description="Delete a Local IP",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/local-ips/{id}"}],
|
operations=[{"method": "DELETE", "path": "/local-ips/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_local_ip_port_association",
|
name="create_local_ip_port_association",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Create a Local IP port association",
|
description="Create a Local IP port association",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/local_ips/{local_ip_id}/port_associations"}],
|
operations=[{"method": "POST", "path": "/local_ips/{local_ip_id}/port_associations"}],
|
||||||
@ -497,7 +497,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_local_ip_port_association",
|
name="delete_local_ip_port_association",
|
||||||
check_str=("role:member and project_id:%(project_id)s or rule:ext_parent_owner"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s or rule:ext_parent_owner"),
|
||||||
description="Delete a Local IP port association",
|
description="Delete a Local IP port association",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/local_ips/{local_ip_id}/port_associations/{fixed_port_id}"}],
|
operations=[{"method": "DELETE", "path": "/local_ips/{local_ip_id}/port_associations/{fixed_port_id}"}],
|
||||||
@ -581,7 +581,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_ndp_proxy",
|
name="create_ndp_proxy",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a ndp proxy",
|
description="Create a ndp proxy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/ndp_proxies"}],
|
operations=[{"method": "POST", "path": "/ndp_proxies"}],
|
||||||
@ -595,21 +595,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_ndp_proxy",
|
name="update_ndp_proxy",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a ndp proxy",
|
description="Update a ndp proxy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/ndp_proxies/{id}"}],
|
operations=[{"method": "PUT", "path": "/ndp_proxies/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_ndp_proxy",
|
name="delete_ndp_proxy",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a ndp proxy",
|
description="Delete a ndp proxy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/ndp_proxies/{id}"}],
|
operations=[{"method": "DELETE", "path": "/ndp_proxies/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_network",
|
name="create_network",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a network",
|
description="Create a network",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/networks"}],
|
operations=[{"method": "POST", "path": "/networks"}],
|
||||||
@ -637,7 +637,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_network:port_security_enabled",
|
name="create_network:port_security_enabled",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Specify ``port_security_enabled`` attribute when creating a network",
|
description="Specify ``port_security_enabled`` attribute when creating a network",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/networks"}],
|
operations=[{"method": "POST", "path": "/networks"}],
|
||||||
@ -714,7 +714,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_network",
|
name="update_network",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a network",
|
description="Update a network",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
||||||
@ -770,14 +770,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_network:port_security_enabled",
|
name="update_network:port_security_enabled",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update ``port_security_enabled`` attribute of a network",
|
description="Update ``port_security_enabled`` attribute of a network",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
operations=[{"method": "PUT", "path": "/networks/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_network",
|
name="delete_network",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a network",
|
description="Delete a network",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/networks/{id}"}],
|
operations=[{"method": "DELETE", "path": "/networks/{id}"}],
|
||||||
@ -819,7 +819,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_port",
|
name="create_port",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a port",
|
description="Create a port",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/ports"}],
|
operations=[{"method": "POST", "path": "/ports"}],
|
||||||
@ -882,7 +882,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_port:binding:vnic_type",
|
name="create_port:binding:vnic_type",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Specify ``binding:vnic_type`` attribute when creating a port",
|
description="Specify ``binding:vnic_type`` attribute when creating a port",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/ports"}],
|
operations=[{"method": "POST", "path": "/ports"}],
|
||||||
@ -952,7 +952,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_port",
|
name="update_port",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||||
description="Update a port",
|
description="Update a port",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
||||||
@ -1015,7 +1015,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_port:binding:vnic_type",
|
name="update_port:binding:vnic_type",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:context_is_advsvc"),
|
||||||
description="Update ``binding:vnic_type`` attribute of a port",
|
description="Update ``binding:vnic_type`` attribute of a port",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
operations=[{"method": "PUT", "path": "/ports/{id}"}],
|
||||||
@ -1050,7 +1050,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_port",
|
name="delete_port",
|
||||||
check_str=("rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or rule:context_is_advsvc or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a port",
|
description="Delete a port",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/ports/{id}"}],
|
operations=[{"method": "DELETE", "path": "/ports/{id}"}],
|
||||||
@ -1337,7 +1337,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_rbac_policy",
|
name="create_rbac_policy",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create an RBAC policy",
|
description="Create an RBAC policy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/rbac-policies"}],
|
operations=[{"method": "POST", "path": "/rbac-policies"}],
|
||||||
@ -1351,7 +1351,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_rbac_policy",
|
name="update_rbac_policy",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update an RBAC policy",
|
description="Update an RBAC policy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/rbac-policies/{id}"}],
|
operations=[{"method": "PUT", "path": "/rbac-policies/{id}"}],
|
||||||
@ -1372,14 +1372,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_rbac_policy",
|
name="delete_rbac_policy",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete an RBAC policy",
|
description="Delete an RBAC policy",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/rbac-policies/{id}"}],
|
operations=[{"method": "DELETE", "path": "/rbac-policies/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_router",
|
name="create_router",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a router",
|
description="Create a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/routers"}],
|
operations=[{"method": "POST", "path": "/routers"}],
|
||||||
@ -1400,14 +1400,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_router:external_gateway_info",
|
name="create_router:external_gateway_info",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Specify ``external_gateway_info`` information when creating a router",
|
description="Specify ``external_gateway_info`` information when creating a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/routers"}],
|
operations=[{"method": "POST", "path": "/routers"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_router:external_gateway_info:network_id",
|
name="create_router:external_gateway_info:network_id",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Specify ``network_id`` in ``external_gateway_info`` information when creating a router",
|
description="Specify ``network_id`` in ``external_gateway_info`` information when creating a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/routers"}],
|
operations=[{"method": "POST", "path": "/routers"}],
|
||||||
@ -1449,7 +1449,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_router",
|
name="update_router",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a router",
|
description="Update a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||||
@ -1470,14 +1470,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_router:external_gateway_info",
|
name="update_router:external_gateway_info",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update ``external_gateway_info`` information of a router",
|
description="Update ``external_gateway_info`` information of a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_router:external_gateway_info:network_id",
|
name="update_router:external_gateway_info:network_id",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update ``network_id`` attribute of ``external_gateway_info`` information of a router",
|
description="Update ``network_id`` attribute of ``external_gateway_info`` information of a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}"}],
|
||||||
@ -1498,42 +1498,42 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_router",
|
name="delete_router",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a router",
|
description="Delete a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/routers/{id}"}],
|
operations=[{"method": "DELETE", "path": "/routers/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_router_interface",
|
name="add_router_interface",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Add an interface to a router",
|
description="Add an interface to a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}/add_router_interface"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}/add_router_interface"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="remove_router_interface",
|
name="remove_router_interface",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Remove an interface from a router",
|
description="Remove an interface from a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}/remove_router_interface"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}/remove_router_interface"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_extraroutes",
|
name="add_extraroutes",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Add extra route to a router",
|
description="Add extra route to a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}/add_extraroutes"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}/add_extraroutes"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="remove_extraroutes",
|
name="remove_extraroutes",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Remove extra route from a router",
|
description="Remove extra route from a router",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/routers/{id}/remove_extraroutes"}],
|
operations=[{"method": "PUT", "path": "/routers/{id}/remove_extraroutes"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_security_group",
|
name="create_security_group",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a security group",
|
description="Create a security group",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/security-groups"}],
|
operations=[{"method": "POST", "path": "/security-groups"}],
|
||||||
@ -1547,21 +1547,21 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_security_group",
|
name="update_security_group",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a security group",
|
description="Update a security group",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/security-groups/{id}"}],
|
operations=[{"method": "PUT", "path": "/security-groups/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_security_group",
|
name="delete_security_group",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a security group",
|
description="Delete a security group",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/security-groups/{id}"}],
|
operations=[{"method": "DELETE", "path": "/security-groups/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_security_group_rule",
|
name="create_security_group_rule",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a security group rule",
|
description="Create a security group rule",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/security-group-rules"}],
|
operations=[{"method": "POST", "path": "/security-group-rules"}],
|
||||||
@ -1575,7 +1575,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_security_group_rule",
|
name="delete_security_group_rule",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a security group rule",
|
description="Delete a security group rule",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/security-group-rules/{id}"}],
|
operations=[{"method": "DELETE", "path": "/security-group-rules/{id}"}],
|
||||||
@ -1617,7 +1617,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_subnet",
|
name="create_subnet",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||||
description="Create a subnet",
|
description="Create a subnet",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/subnets"}],
|
operations=[{"method": "POST", "path": "/subnets"}],
|
||||||
@ -1652,7 +1652,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_subnet",
|
name="update_subnet",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||||
description="Update a subnet",
|
description="Update a subnet",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/subnets/{id}"}],
|
operations=[{"method": "PUT", "path": "/subnets/{id}"}],
|
||||||
@ -1673,14 +1673,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_subnet",
|
name="delete_subnet",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s or rule:network_owner"),
|
||||||
description="Delete a subnet",
|
description="Delete a subnet",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/subnets/{id}"}],
|
operations=[{"method": "DELETE", "path": "/subnets/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_subnetpool",
|
name="create_subnetpool",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a subnetpool",
|
description="Create a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/subnetpools"}],
|
operations=[{"method": "POST", "path": "/subnetpools"}],
|
||||||
@ -1708,7 +1708,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_subnetpool",
|
name="update_subnetpool",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a subnetpool",
|
description="Update a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}"}],
|
operations=[{"method": "PUT", "path": "/subnetpools/{id}"}],
|
||||||
@ -1722,35 +1722,35 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_subnetpool",
|
name="delete_subnetpool",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a subnetpool",
|
description="Delete a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/subnetpools/{id}"}],
|
operations=[{"method": "DELETE", "path": "/subnetpools/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="onboard_network_subnets",
|
name="onboard_network_subnets",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Onboard existing subnet into a subnetpool",
|
description="Onboard existing subnet into a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/onboard_network_subnets"}],
|
operations=[{"method": "PUT", "path": "/subnetpools/{id}/onboard_network_subnets"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_prefixes",
|
name="add_prefixes",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Add prefixes to a subnetpool",
|
description="Add prefixes to a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/add_prefixes"}],
|
operations=[{"method": "PUT", "path": "/subnetpools/{id}/add_prefixes"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="remove_prefixes",
|
name="remove_prefixes",
|
||||||
check_str=("rule:admin_only or role:member and project_id:%(project_id)s"),
|
check_str=("rule:admin_only or (role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Remove unallocated prefixes from a subnetpool",
|
description="Remove unallocated prefixes from a subnetpool",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/subnetpools/{id}/remove_prefixes"}],
|
operations=[{"method": "PUT", "path": "/subnetpools/{id}/remove_prefixes"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="create_trunk",
|
name="create_trunk",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Create a trunk",
|
description="Create a trunk",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "POST", "path": "/trunks"}],
|
operations=[{"method": "POST", "path": "/trunks"}],
|
||||||
@ -1764,14 +1764,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="update_trunk",
|
name="update_trunk",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Update a trunk",
|
description="Update a trunk",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/trunks/{id}"}],
|
operations=[{"method": "PUT", "path": "/trunks/{id}"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="delete_trunk",
|
name="delete_trunk",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete a trunk",
|
description="Delete a trunk",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "DELETE", "path": "/trunks/{id}"}],
|
operations=[{"method": "DELETE", "path": "/trunks/{id}"}],
|
||||||
@ -1785,14 +1785,14 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="add_subports",
|
name="add_subports",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Add subports to a trunk",
|
description="Add subports to a trunk",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/trunks/{id}/add_subports"}],
|
operations=[{"method": "PUT", "path": "/trunks/{id}/add_subports"}],
|
||||||
),
|
),
|
||||||
base.APIRule(
|
base.APIRule(
|
||||||
name="remove_subports",
|
name="remove_subports",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Delete subports from a trunk",
|
description="Delete subports from a trunk",
|
||||||
scope_types=["project"],
|
scope_types=["project"],
|
||||||
operations=[{"method": "PUT", "path": "/trunks/{id}/remove_subports"}],
|
operations=[{"method": "PUT", "path": "/trunks/{id}/remove_subports"}],
|
||||||
|
@ -35,7 +35,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="project_member_api",
|
name="project_member_api",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="Default rule for Project level non admin APIs.",
|
description="Default rule for Project level non admin APIs.",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
|
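Review bot: Accepting `role:_member_` in `project_member_api` widens every rule that refers to this base rule, and the commit does not say which deployments are expected to carry that role. `_member_` is the legacy Keystone default role and in some deployments served only as a bare project-membership marker; here it gets the same rights as `member`, as it does in `project-member` in the next file and in the Neutron write rules earlier on the page (security groups, subnets, subnetpools, trunks). If the reader-level rules in these files still check only `role:reader` (not visible here), a `_member_` user would pass write checks but fail read checks, because Keystone's default implied roles link `member` to `reader` but not `_member_`. I would add a comment above the rule, `# _member_: legacy Keystone default role, accepted for compatibility (Bug 2034976)`, and confirm the reader rules get the same treatment.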
@ -30,7 +30,7 @@ list_rules = (
|
|||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
name="project-member",
|
name="project-member",
|
||||||
check_str=("role:member and project_id:%(project_id)s"),
|
check_str=("(role:member or role:_member_) and project_id:%(project_id)s"),
|
||||||
description="No description",
|
description="No description",
|
||||||
),
|
),
|
||||||
base.Rule(
|
base.Rule(
|
||||||
|
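Review bot: The `project-member` rule still carries `description="No description"`, although its check now encodes a deliberate compatibility decision that an operator reading the generated policy docs cannot see. If this file is maintained by hand rather than generated, I would change it to something like `description="Project member; also accepts the legacy _member_ role."`. That would let the extra role be found and dropped once deployments no longer assign `_member_`.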