baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Update policy

Browse Source 
Latest policy update for Zed release(1.0.0).

Now no feature for openstack service.

nova:
  - https://review.opendev.org/c/openstack/nova/+/849209
ironic:
  - https://review.opendev.org/c/openstack/ironic/+/852794
glance:
  - https://review.opendev.org/c/openstack/glance/+/855435
barbican:
  - https://review.opendev.org/c/openstack/barbican/+/854656
  - https://review.opendev.org/c/openstack/barbican/+/854661
  - https://review.opendev.org/c/openstack/barbican/+/854655
  - https://review.opendev.org/c/openstack/barbican/+/854677
  - https://review.opendev.org/c/openstack/barbican/+/854786
manila:
  - https://review.opendev.org/c/openstack/manila/+/825008

Change-Id: I5d5940a0c15672aee4a0b4cdacab4460e69511a3
This commit is contained in:
Boxiang Zhu 2022-09-09 17:45:38 +08:00
parent def775692d
commit c8e191b457
5 changed files with 393 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

293
skyline_apiserver/policy/manager/barbican.py
View File

@ -19,43 +19,13 @@ from . import base
list_rules = (
base.Rule(
name="admin",
check_str=("role:admin"),
name="system_reader",
check_str=("role:reader and system_scope:all"),
description="No description",
),
base.Rule(
name="observer",
check_str=("role:observer"),
description="No description",
),
base.Rule(
name="creator",
check_str=("role:creator"),
description="No description",
),
base.Rule(
name="audit",
check_str=("role:audit"),
description="No description",
),
base.Rule(
name="service_admin",
check_str=("role:key-manager:service-admin"),
description="No description",
),
base.Rule(
name="admin_or_creator",
check_str=("rule:admin or rule:creator"),
description="No description",
),
base.Rule(
name="all_but_audit",
check_str=("rule:admin or rule:observer or rule:creator"),
description="No description",
),
base.Rule(
name="all_users",
check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"),
name="system_admin",
check_str=("role:amdin and system_scope:all"),
description="No description",
),
base.Rule(
@ -63,56 +33,6 @@ list_rules = (
check_str=("project_id:%(target.secret.project_id)s"),
description="No description",
),
base.Rule(
name="secret_acl_read",
check_str=("'read':%(target.secret.read)s"),
description="No description",
),
base.Rule(
name="secret_private_read",
check_str=("'False':%(target.secret.read_project_access)s"),
description="No description",
),
base.Rule(
name="secret_creator_user",
check_str=("user_id:%(target.secret.creator_id)s"),
description="No description",
),
base.Rule(
name="container_project_match",
check_str=("project_id:%(target.container.project_id)s"),
description="No description",
),
base.Rule(
name="container_acl_read",
check_str=("'read':%(target.container.read)s"),
description="No description",
),
base.Rule(
name="container_private_read",
check_str=("'False':%(target.container.read_project_access)s"),
description="No description",
),
base.Rule(
name="container_creator_user",
check_str=("user_id:%(target.container.creator_id)s"),
description="No description",
),
base.Rule(
name="secret_non_private_read",
check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="secret_decrypt_non_private_read",
check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="container_non_private_read",
check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"),
description="No description",
),
base.Rule(
name="secret_project_reader",
check_str=("role:reader and rule:secret_project_match"),
@ -125,7 +45,7 @@ list_rules = (
),
base.Rule(
name="secret_project_admin",
check_str=("rule:admin and rule:secret_project_match"),
check_str=("role:admin and rule:secret_project_match"),
description="No description",
),
base.Rule(
@ -138,6 +58,111 @@ list_rules = (
check_str=("True:%(target.secret.read_project_access)s"),
description="No description",
),
base.Rule(
name="secret_acl_read",
check_str=("'read':%(target.secret.read)s"),
description="No description",
),
base.Rule(
name="container_project_match",
check_str=("project_id:%(target.container.project_id)s"),
description="No description",
),
base.Rule(
name="container_project_member",
check_str=("role:member and rule:container_project_match"),
description="No description",
),
base.Rule(
name="container_project_admin",
check_str=("role:admin and rule:container_project_match"),
description="No description",
),
base.Rule(
name="container_owner",
check_str=("user_id:%(target.container.creator_id)s"),
description="No description",
),
base.Rule(
name="container_is_not_private",
check_str=("True:%(target.container.read_project_access)s"),
description="No description",
),
base.Rule(
name="container_acl_read",
check_str=("'read':%(target.container.read)s"),
description="No description",
),
base.Rule(
name="order_project_match",
check_str=("project_id:%(target.order.project_id)s"),
description="No description",
),
base.Rule(
name="order_project_member",
check_str=("role:member and rule:order_project_match"),
description="No description",
),
base.Rule(
name="audit",
check_str=("role:audit"),
description="No description",
),
base.Rule(
name="observer",
check_str=("role:observer"),
description="No description",
),
base.Rule(
name="creator",
check_str=("role:creator"),
description="No description",
),
base.Rule(
name="admin",
check_str=("role:admin"),
description="No description",
),
base.Rule(
name="service_admin",
check_str=("role:key-manager:service-admin"),
description="No description",
),
base.Rule(
name="all_users",
check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"),
description="No description",
),
base.Rule(
name="all_but_audit",
check_str=("rule:admin or rule:observer or rule:creator"),
description="No description",
),
base.Rule(
name="admin_or_creator",
check_str=("rule:admin or rule:creator"),
description="No description",
),
base.Rule(
name="secret_creator_user",
check_str=("user_id:%(target.secret.creator_id)s"),
description="No description",
),
base.Rule(
name="secret_private_read",
check_str=("'False':%(target.secret.read_project_access)s"),
description="No description",
),
base.Rule(
name="secret_non_private_read",
check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="secret_decrypt_non_private_read",
check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"),
description="No description",
),
base.Rule(
name="secret_project_creator",
check_str=("rule:creator and rule:secret_project_match and rule:secret_creator_user"),
@ -149,8 +174,18 @@ list_rules = (
description="No description",
),
base.Rule(
name="container_project_admin",
check_str=("rule:admin and rule:container_project_match"),
name="container_private_read",
check_str=("'False':%(target.container.read_project_access)s"),
description="No description",
),
base.Rule(
name="container_creator_user",
check_str=("user_id:%(target.container.creator_id)s"),
description="No description",
),
base.Rule(
name="container_non_private_read",
check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"),
description="No description",
),
base.Rule(
@ -165,224 +200,224 @@ list_rules = (
),
base.APIRule(
name="secret_acls:get",
check_str=("(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="secret_acls:delete",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Delete the ACL settings for a given secret.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="secret_acls:put_patch",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Create new, replaces, or updates existing ACL for a given secret.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/acl"}, {"method": "PATCH", "path": "/v1/secrets/{secret-id}/acl"}],
),
base.APIRule(
name="container_acls:get",
check_str=("(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Retrieve the ACL settings for a given container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="container_acls:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Delete ACL for a given container. No content is returned in the case of successful deletion.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="container_acls:put_patch",
check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Create new or replaces existing ACL for a given container.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/containers/{container-id}/acl"}, {"method": "PATCH", "path": "/v1/containers/{container-id}/acl"}],
),
base.APIRule(
name="consumer:get",
check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="DEPRECATED: show information for a specific consumer",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers/{consumer-id}"}],
),
base.APIRule(
name="container_consumers:get",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="List a containers consumers.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="container_consumers:post",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="container_consumers:delete",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:get",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="List consumers for a secret.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:post",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Creates a consumer.",
scope_types=["project", "system"],
operations=[{"method": "POST", "path": "/v1/secrets/{secrets-id}/consumers"}],
),
base.APIRule(
name="secret_consumers:delete",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="Deletes a consumer.",
scope_types=["project", "system"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secrets-id}/consumers"}],
),
base.APIRule(
name="containers:post",
check_str=("rule:admin_or_creator or role:member"),
check_str=("True:%(enforce_new_defaults)s and role:member"),
description="Creates a container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers"}],
),
base.APIRule(
name="containers:get",
check_str=("rule:all_but_audit or role:member"),
check_str=("True:%(enforce_new_defaults)s and role:member"),
description="Lists a projects containers.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers"}],
),
base.APIRule(
name="container:get",
check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
description="Retrieves a single container.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/containers/{container-id}"}],
),
base.APIRule(
name="container:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Deletes a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{uuid}"}],
),
base.APIRule(
name="container_secret:post",
check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Add a secret to an existing container.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/containers/{container-id}/secrets"}],
),
base.APIRule(
name="container_secret:delete",
check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
description="Remove a secret from a container.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/secrets/{secret-id}"}],
),
base.APIRule(
name="orders:get",
check_str=("rule:all_but_audit or role:member"),
check_str=("True:%(enforce_new_defaults)s and role:member"),
description="Gets list of all orders associated with a project.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders"}],
),
base.APIRule(
name="orders:post",
check_str=("rule:admin_or_creator or role:member"),
check_str=("True:%(enforce_new_defaults)s and role:member"),
description="Creates an order.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/orders"}],
),
base.APIRule(
name="orders:put",
check_str=("rule:admin_or_creator or role:member"),
check_str=("True:%(enforce_new_defaults)s and role:member"),
description="Unsupported method for the orders API.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/orders"}],
),
base.APIRule(
name="order:get",
check_str=("rule:all_users and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
description="Retrieves an orders metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/orders/{order-id}"}],
),
base.APIRule(
name="order:delete",
check_str=("rule:admin and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
description="Deletes an order.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/orders/{order-id}"}],
),
base.APIRule(
name="quotas:get",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="List quotas for the project the user belongs to.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/quotas"}],
),
base.APIRule(
name="project_quotas:get",
check_str=("rule:service_admin or role:reader and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and rule:system_reader"),
description="List quotas for the specified project.",
scope_types=["system"],
operations=[{"method": "GET", "path": "/v1/project-quotas"}, {"method": "GET", "path": "/v1/project-quotas/{uuid}"}],
),
base.APIRule(
name="project_quotas:put",
check_str=("rule:service_admin or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Create or update the configured project quotas for the project with the specified UUID.",
scope_types=["system"],
operations=[{"method": "PUT", "path": "/v1/project-quotas/{uuid}"}],
),
base.APIRule(
name="project_quotas:delete",
check_str=("rule:service_admin or role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Delete the project quotas configuration for the project with the requested UUID.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/quotas}"}],
),
base.APIRule(
name="secret_meta:get",
check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
description="metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.",
scope_types=["project"],
operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "GET", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:post",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Adds a new key/value pair to the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:put",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.",
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
),
base.APIRule(
name="secret_meta:delete",
check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
description="Delete secret user-defined metadata by key.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
@ -431,70 +466,70 @@ list_rules = (
),
base.APIRule(
name="secretstores:get",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get list of available secret store backends.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores"}],
),
base.APIRule(
name="secretstores:get_global_default",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a reference to the secret store that is used as default secret store backend for the deployment.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/global-default"}],
),
base.APIRule(
name="secretstores:get_preferred",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a reference to the preferred secret store if assigned previously.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/preferred"}],
),
base.APIRule(
name="secretstore_preferred:post",
check_str=("rule:admin"),
check_str=("True:%(enforce_new_defaults)s and role:admin"),
description="Set a secret store backend to be preferred store backend for their project.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/v1/secret-stores/{ss-id}/preferred"}],
),
base.APIRule(
name="secretstore_preferred:delete",
check_str=("rule:admin"),
check_str=("True:%(enforce_new_defaults)s and role:admin"),
description="Remove preferred secret store backend setting for their project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v1/secret-stores/{ss-id}/preferred"}],
),
base.APIRule(
name="secretstore:get",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get details of secret store by its ID.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/secret-stores/{ss-id}"}],
),
base.APIRule(
name="transport_key:get",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a specific transport key.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys/{key-id}}"}],
),
base.APIRule(
name="transport_key:delete",
check_str=("role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Delete a specific transport key.",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/v1/transport_keys/{key-id}"}],
),
base.APIRule(
name="transport_keys:get",
check_str=("rule:all_users or role:reader"),
check_str=("True:%(enforce_new_defaults)s and role:reader"),
description="Get a list of all transport keys.",
scope_types=["project", "system"],
operations=[{"method": "GET", "path": "/v1/transport_keys"}],
),
base.APIRule(
name="transport_keys:post",
check_str=("role:admin and system_scope:all"),
check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
description="Create a new transport key.",
scope_types=["system"],
operations=[{"method": "POST", "path": "/v1/transport_keys"}],

104
skyline_apiserver/policy/manager/glance.py
View File

@ -47,357 +47,357 @@ list_rules = (
name="add_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"),
description="Create new image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images"}],
),
base.APIRule(
name="delete_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Deletes the image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="get_image",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Get specified image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="get_images",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="Get all available images",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images"}],
),
base.APIRule(
name="modify_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Updates given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="publicize_image",
check_str=("role:admin"),
description="Publicize given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="communitize_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Communitize given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="download_image",
check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
description="Downloads given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
),
base.APIRule(
name="upload_image",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Uploads data to specified image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
),
base.APIRule(
name="delete_image_location",
check_str=("role:admin"),
description="Deletes the location of given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="get_image_location",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="Reads the location of the image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="set_image_location",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Sets location URI to given image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
),
base.APIRule(
name="add_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Create image member",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
),
base.APIRule(
name="delete_member",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Delete image member",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
),
base.APIRule(
name="get_member",
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="Show image member details",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}],
),
base.APIRule(
name="get_members",
check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
description="List image members",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}],
),
base.APIRule(
name="modify_member",
check_str=("role:admin or (role:member and project_id:%(member_id)s)"),
description="Update image member",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
),
base.APIRule(
name="deactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Deactivate image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
),
base.APIRule(
name="reactivate",
check_str=("role:admin or (role:member and project_id:%(project_id)s)"),
description="Reactivate image",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
),
base.APIRule(
name="copy_image",
check_str=("role:admin"),
description="Copy existing image to other stores",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}],
),
base.APIRule(
name="get_task",
check_str=("rule:default"),
description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}],
),
base.APIRule(
name="get_tasks",
check_str=("rule:default"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks"}],
),
base.APIRule(
name="add_task",
check_str=("rule:default"),
description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/tasks"}],
),
base.APIRule(
name="modify_task",
check_str=("rule:default"),
description="This policy is not used.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
),
base.APIRule(
name="tasks_api_access",
check_str=("role:admin"),
description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
),
base.APIRule(
name="get_metadef_namespace",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_namespaces",
check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
description="List namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="modify_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Modify an existing namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="add_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Create a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
),
base.APIRule(
name="delete_metadef_namespace",
check_str=("rule:metadef_admin"),
description="Delete a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
),
base.APIRule(
name="get_metadef_object",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific object from a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="get_metadef_objects",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get objects from a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="modify_metadef_object",
check_str=("rule:metadef_admin"),
description="Update an object within a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="add_metadef_object",
check_str=("rule:metadef_admin"),
description="Create an object within a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
),
base.APIRule(
name="delete_metadef_object",
check_str=("rule:metadef_admin"),
description="Delete an object within a namespace.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
),
base.APIRule(
name="list_metadef_resource_types",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition resource types.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
),
base.APIRule(
name="get_metadef_resource_type",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get meta definition resource types associations.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="add_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Create meta definition resource types association.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
),
base.APIRule(
name="remove_metadef_resource_type_association",
check_str=("rule:metadef_admin"),
description="Delete meta definition resource types association.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
),
base.APIRule(
name="get_metadef_property",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get a specific meta definition property.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_properties",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List meta definition properties.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="modify_metadef_property",
check_str=("rule:metadef_admin"),
description="Update meta definition property.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="add_metadef_property",
check_str=("rule:metadef_admin"),
description="Create meta definition property.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
),
base.APIRule(
name="remove_metadef_property",
check_str=("rule:metadef_admin"),
description="Delete meta definition property.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
),
base.APIRule(
name="get_metadef_tag",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="Get tag definition.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="get_metadef_tags",
check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
description="List tag definitions.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="modify_metadef_tag",
check_str=("rule:metadef_admin"),
description="Update tag definition.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tag",
check_str=("rule:metadef_admin"),
description="Add tag definition.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="add_metadef_tags",
check_str=("rule:metadef_admin"),
description="Create tag definitions.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
name="delete_metadef_tag",
check_str=("rule:metadef_admin"),
description="Delete tag definition.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
),
base.APIRule(
name="delete_metadef_tags",
check_str=("rule:metadef_admin"),
description="Delete tag definitions.",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
),
base.APIRule(
@ -425,7 +425,7 @@ list_rules = (
name="stores_info_detail",
check_str=("role:admin"),
description="Expose store specific information",
scope_types=["system", "project"],
scope_types=["project"],
operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
),
)

16
skyline_apiserver/policy/manager/ironic.py
View File

@ -72,7 +72,14 @@ list_rules = (
name="baremetal:node:create",
check_str=("role:admin and system_scope:all"),
description="Create Node records",
scope_types=["system"],
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes"}],
),
base.APIRule(
name="baremetal:node:create:self_owned_node",
check_str=("role:admin"),
description="Create node records which will be tracked as owned by the associated user project.",
scope_types=["project"],
operations=[{"method": "POST", "path": "/nodes"}],
),
base.APIRule(
@ -243,6 +250,13 @@ list_rules = (
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:delete:self_owned_node",
check_str=("role:admin and project_id:%(node.owner)s"),
description="Delete node records which are associated with the requesting project.",
scope_types=["project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:validate",
check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"),

21
skyline_apiserver/policy/manager/manila.py
View File

@ -509,6 +509,27 @@ list_rules = (
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}],
),
base.APIRule(
name="share_snapshot:update_metadata",
check_str=("(rule:system-admin) or (rule:project-member)"),
description="Update snapshot metadata.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "POST", "path": "/snapshots/{snapshot_id}/metadata/{key}"}, {"method": "POST", "path": "/snapshots/{snapshot_id}/metadata"}],
),
base.APIRule(
name="share_snapshot:delete_metadata",
check_str=("(rule:system-admin) or (rule:project-member)"),
description="Delete snapshot metadata.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
),
base.APIRule(
name="share_snapshot:get_metadata",
check_str=("(rule:system-reader) or (rule:project-reader)"),
description="Get snapshot metadata.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}],
),
base.APIRule(
name="share_snapshot_export_location:index",
check_str=("(rule:system-reader) or (rule:project-reader)"),

282
skyline_apiserver/policy/manager/nova.py
View File

File diff suppressed because it is too large Load Diff