diff --git a/skyline_apiserver/policy/manager/barbican.py b/skyline_apiserver/policy/manager/barbican.py
index 171fcb5..fdf76fe 100644
--- a/skyline_apiserver/policy/manager/barbican.py
+++ b/skyline_apiserver/policy/manager/barbican.py
@@ -19,43 +19,13 @@ from . import base
 list_rules = (
 base.Rule(
- name="admin",
- check_str=("role:admin"),
+ name="system_reader",
+ check_str=("role:reader and system_scope:all"),
 description="No description",
 ),
 base.Rule(
- name="observer",
- check_str=("role:observer"),
- description="No description",
- ),
- base.Rule(
- name="creator",
- check_str=("role:creator"),
- description="No description",
- ),
- base.Rule(
- name="audit",
- check_str=("role:audit"),
- description="No description",
- ),
- base.Rule(
- name="service_admin",
- check_str=("role:key-manager:service-admin"),
- description="No description",
- ),
- base.Rule(
- name="admin_or_creator",
- check_str=("rule:admin or rule:creator"),
- description="No description",
- ),
- base.Rule(
- name="all_but_audit",
- check_str=("rule:admin or rule:observer or rule:creator"),
- description="No description",
- ),
- base.Rule(
- name="all_users",
- check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"),
+ name="system_admin",
+ check_str=("role:amdin and system_scope:all"),
 description="No description",
 ),
 base.Rule(
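Review bot: The new `system_admin` rule carries a typo in its check string, `role:amdin and system_scope:all`, so the role name can never match and `rule:system_admin` always evaluates false. Every API rule in the later hunks that delegates to it (consumer:get, container_consumers:get/post/delete, secret_consumers:get/post/delete, project_quotas:put/delete, transport_key:delete, transport_keys:post) would therefore deny system-scoped admins, failing closed rather than open but breaking those operations outright. Change the line to `check_str=("role:admin and system_scope:all"),`, mirroring the `system_reader` rule added directly above it. The enclosing `list_rules` tuple continues beyond this hunk.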
@@ -63,56 +33,6 @@ list_rules = (
 check_str=("project_id:%(target.secret.project_id)s"),
 description="No description",
 ),
- base.Rule(
- name="secret_acl_read",
- check_str=("'read':%(target.secret.read)s"),
- description="No description",
- ),
- base.Rule(
- name="secret_private_read",
- check_str=("'False':%(target.secret.read_project_access)s"),
- description="No description",
- ),
- base.Rule(
- name="secret_creator_user",
- check_str=("user_id:%(target.secret.creator_id)s"),
- description="No description",
- ),
- base.Rule(
- name="container_project_match",
- check_str=("project_id:%(target.container.project_id)s"),
- description="No description",
- ),
- base.Rule(
- name="container_acl_read",
- check_str=("'read':%(target.container.read)s"),
- description="No description",
- ),
- base.Rule(
- name="container_private_read",
- check_str=("'False':%(target.container.read_project_access)s"),
- description="No description",
- ),
- base.Rule(
- name="container_creator_user",
- check_str=("user_id:%(target.container.creator_id)s"),
- description="No description",
- ),
- base.Rule(
- name="secret_non_private_read",
- check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"),
- description="No description",
- ),
- base.Rule(
- name="secret_decrypt_non_private_read",
- check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"),
- description="No description",
- ),
- base.Rule(
- name="container_non_private_read",
- check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"),
- description="No description",
- ),
 base.Rule(
 name="secret_project_reader",
 check_str=("role:reader and rule:secret_project_match"),
@@ -125,7 +45,7 @@ list_rules = (
 ),
 base.Rule(
 name="secret_project_admin",
- check_str=("rule:admin and rule:secret_project_match"),
+ check_str=("role:admin and rule:secret_project_match"),
 description="No description",
 ),
 base.Rule(
@@ -138,6 +58,111 @@ list_rules = (
 check_str=("True:%(target.secret.read_project_access)s"),
 description="No description",
 ),
+ base.Rule(
+ name="secret_acl_read",
+ check_str=("'read':%(target.secret.read)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_project_match",
+ check_str=("project_id:%(target.container.project_id)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_project_member",
+ check_str=("role:member and rule:container_project_match"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_project_admin",
+ check_str=("role:admin and rule:container_project_match"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_owner",
+ check_str=("user_id:%(target.container.creator_id)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_is_not_private",
+ check_str=("True:%(target.container.read_project_access)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_acl_read",
+ check_str=("'read':%(target.container.read)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="order_project_match",
+ check_str=("project_id:%(target.order.project_id)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="order_project_member",
+ check_str=("role:member and rule:order_project_match"),
+ description="No description",
+ ),
+ base.Rule(
+ name="audit",
+ check_str=("role:audit"),
+ description="No description",
+ ),
+ base.Rule(
+ name="observer",
+ check_str=("role:observer"),
+ description="No description",
+ ),
+ base.Rule(
+ name="creator",
+ check_str=("role:creator"),
+ description="No description",
+ ),
+ base.Rule(
+ name="admin",
+ check_str=("role:admin"),
+ description="No description",
+ ),
+ base.Rule(
+ name="service_admin",
+ check_str=("role:key-manager:service-admin"),
+ description="No description",
+ ),
+ base.Rule(
+ name="all_users",
+ check_str=("rule:admin or rule:observer or rule:creator or rule:audit or 
rule:service_admin"),
+ description="No description",
+ ),
+ base.Rule(
+ name="all_but_audit",
+ check_str=("rule:admin or rule:observer or rule:creator"),
+ description="No description",
+ ),
+ base.Rule(
+ name="admin_or_creator",
+ check_str=("rule:admin or rule:creator"),
+ description="No description",
+ ),
+ base.Rule(
+ name="secret_creator_user",
+ check_str=("user_id:%(target.secret.creator_id)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="secret_private_read",
+ check_str=("'False':%(target.secret.read_project_access)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="secret_non_private_read",
+ check_str=("rule:all_users and rule:secret_project_match and not rule:secret_private_read"),
+ description="No description",
+ ),
+ base.Rule(
+ name="secret_decrypt_non_private_read",
+ check_str=("rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"),
+ description="No description",
+ ),
 base.Rule(
 name="secret_project_creator",
 check_str=("rule:creator and rule:secret_project_match and rule:secret_creator_user"),
@@ -149,8 +174,18 @@ list_rules = (
 description="No description",
 ),
 base.Rule(
- name="container_project_admin",
- check_str=("rule:admin and rule:container_project_match"),
+ name="container_private_read",
+ check_str=("'False':%(target.container.read_project_access)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_creator_user",
+ check_str=("user_id:%(target.container.creator_id)s"),
+ description="No description",
+ ),
+ base.Rule(
+ name="container_non_private_read",
+ check_str=("rule:all_users and rule:container_project_match and not rule:container_private_read"),
 description="No description",
 ),
 base.Rule(
@@ -165,224 +200,224 @@ list_rules = (
 ),
 base.APIRule(
 name="secret_acls:get",
- check_str=("(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
 description="Retrieve the ACL settings for a given secret.If no ACL is defined for that secret, then Default ACL is returned.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/acl"}],
 ),
 base.APIRule(
 name="secret_acls:delete",
- check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
 description="Delete the ACL settings for a given secret.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/acl"}],
 ),
 base.APIRule(
 name="secret_acls:put_patch",
- check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and 
(rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
 description="Create new, replaces, or updates existing ACL for a given secret.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/acl"}, {"method": "PATCH", "path": "/v1/secrets/{secret-id}/acl"}],
 ),
 base.APIRule(
 name="container_acls:get",
- check_str=("(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Retrieve the ACL settings for a given container.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container-id}/acl"}],
 ),
 base.APIRule(
 name="container_acls:delete",
- check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Delete ACL for a given container. 
No content is returned in the case of successful deletion.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/acl"}],
 ),
 base.APIRule(
 name="container_acls:put_patch",
- check_str=("rule:container_project_admin or rule:container_project_creator or (rule:container_project_creator_role and rule:container_non_private_read) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Create new or replaces existing ACL for a given container.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/containers/{container-id}/acl"}, {"method": "PATCH", "path": "/v1/containers/{container-id}/acl"}],
 ),
 base.APIRule(
 name="consumer:get",
- check_str=("rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
 description="DEPRECATED: show information for a specific consumer",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers/{consumer-id}"}],
 ),
 base.APIRule(
 name="container_consumers:get",
- check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
 description="List a containers consumers.",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/containers/{container-id}/consumers"}],
 ),
 base.APIRule(
 name="container_consumers:post",
- check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
 description="Creates a consumer.",
 scope_types=["project", "system"],
 operations=[{"method": "POST", "path": "/v1/containers/{container-id}/consumers"}],
 ),
 base.APIRule(
 name="container_consumers:delete",
- check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or user_id:%(target.container.creator_id)s or (role:member and 
project_id:%(target.container.project_id)s and True:%(target.container.read_project_access)s) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
 description="Deletes a consumer.",
 scope_types=["project", "system"],
 operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/consumers"}],
 ),
 base.APIRule(
 name="secret_consumers:get",
- check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
 description="List consumers for a secret.",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/consumers"}],
 ),
 base.APIRule(
 name="secret_consumers:post",
- check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or 
(rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
 description="Creates a consumer.",
 scope_types=["project", "system"],
 operations=[{"method": "POST", "path": "/v1/secrets/{secrets-id}/consumers"}],
 ),
 base.APIRule(
 name="secret_consumers:delete",
- check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or user_id:%(target.secret.creator_id)s or (role:member and project_id:%(target.secret.project_id)s and True:%(target.secret.read_project_access)s) or role:admin and project_id:%(target.secret.project_id)s or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:system_admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
 description="Deletes a consumer.",
 scope_types=["project", "system"],
 operations=[{"method": "DELETE", "path": "/v1/secrets/{secrets-id}/consumers"}],
 ),
 base.APIRule(
 name="containers:post",
- check_str=("rule:admin_or_creator or role:member"),
+ check_str=("True:%(enforce_new_defaults)s and role:member"),
 description="Creates a container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers"}],
 ),
 base.APIRule(
 name="containers:get",
- check_str=("rule:all_but_audit or role:member"),
+ check_str=("True:%(enforce_new_defaults)s and role:member"),
 description="Lists a projects containers.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers"}],
 ),
 base.APIRule(
 name="container:get",
- check_str=("rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and 
project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private) or rule:container_acl_read)"),
 description="Retrieves a single container.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/containers/{container-id}"}],
 ),
 base.APIRule(
 name="container:delete",
- check_str=("rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Deletes a container.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/containers/{uuid}"}],
 ),
 base.APIRule(
 name="container_secret:post",
- check_str=("rule:container_project_admin or rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Add a secret to an existing container.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/containers/{container-id}/secrets"}],
 ),
 base.APIRule(
 name="container_secret:delete",
- check_str=("rule:container_project_admin or 
rule:container_project_creator or rule:container_project_creator_role and rule:container_non_private_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:container_project_admin or (rule:container_project_member and rule:container_owner) or (rule:container_project_member and rule:container_is_not_private))"),
 description="Remove a secret from a container.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/containers/{container-id}/secrets/{secret-id}"}],
 ),
 base.APIRule(
 name="orders:get",
- check_str=("rule:all_but_audit or role:member"),
+ check_str=("True:%(enforce_new_defaults)s and role:member"),
 description="Gets list of all orders associated with a project.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/orders"}],
 ),
 base.APIRule(
 name="orders:post",
- check_str=("rule:admin_or_creator or role:member"),
+ check_str=("True:%(enforce_new_defaults)s and role:member"),
 description="Creates an order.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/orders"}],
 ),
 base.APIRule(
 name="orders:put",
- check_str=("rule:admin_or_creator or role:member"),
+ check_str=("True:%(enforce_new_defaults)s and role:member"),
 description="Unsupported method for the orders API.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/orders"}],
 ),
 base.APIRule(
 name="order:get",
- check_str=("rule:all_users and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
 description="Retrieves an orders metadata.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/orders/{order-id}"}],
 ),
 base.APIRule(
 name="order:delete",
- 
check_str=("rule:admin and project_id:%(target.order.project_id)s or role:member and project_id:%(target.order.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and rule:order_project_member"),
 description="Deletes an order.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/orders/{order-id}"}],
 ),
 base.APIRule(
 name="quotas:get",
- check_str=("rule:all_users or role:reader"),
+ check_str=("True:%(enforce_new_defaults)s and role:reader"),
 description="List quotas for the project the user belongs to.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/quotas"}],
 ),
 base.APIRule(
 name="project_quotas:get",
- check_str=("rule:service_admin or role:reader and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and rule:system_reader"),
 description="List quotas for the specified project.",
 scope_types=["system"],
 operations=[{"method": "GET", "path": "/v1/project-quotas"}, {"method": "GET", "path": "/v1/project-quotas/{uuid}"}],
 ),
 base.APIRule(
 name="project_quotas:put",
- check_str=("rule:service_admin or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
 description="Create or update the configured project quotas for the project with the specified UUID.",
 scope_types=["system"],
 operations=[{"method": "PUT", "path": "/v1/project-quotas/{uuid}"}],
 ),
 base.APIRule(
 name="project_quotas:delete",
- check_str=("rule:service_admin or role:admin and system_scope:all"),
+ check_str=("True:%(enforce_new_defaults)s and rule:system_admin"),
 description="Delete the project quotas configuration for the project with the requested UUID.",
 scope_types=["system"],
 operations=[{"method": "DELETE", "path": "/v1/quotas}"}],
 ),
 base.APIRule(
 name="secret_meta:get",
- check_str=("rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and 
(user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read)"),
 description="metadata/: Lists a secrets user-defined metadata. || metadata/{key}: Retrieves a secrets user-added metadata.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "GET", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
 ),
 base.APIRule(
 name="secret_meta:post",
- check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
 description="Adds a new key/value pair to the secrets user-defined metadata.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
 ),
 base.APIRule(
 name="secret_meta:put",
- check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or 
(rule:secret_project_member and rule:secret_is_not_private))"),
 description="metadata/: Sets the user-defined metadata for a secret || metadata/{key}: Updates an existing key/value pair in the secrets user-defined metadata.",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata"}, {"method": "PUT", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
 ),
 base.APIRule(
 name="secret_meta:delete",
- check_str=("rule:secret_project_admin or rule:secret_project_creator or (rule:secret_project_creator_role and rule:secret_non_private_read) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"),
+ check_str=("True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"),
 description="Delete secret user-defined metadata by key.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/secrets/{secret-id}/metadata/{meta-key}"}],
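Review bot: Every rewritten check string in this hunk is prefixed with `True:%(enforce_new_defaults)s`, which is a generic check against a key in the enforcement target rather than a role or scope attribute, and nothing in the file says where that key comes from; oslo.policy's generic check evaluates False when the key is absent from the target, so if the enforcer that consumes these rules does not inject `enforce_new_defaults`, all of them deny, including the plain `role:reader`/`role:member` rules for quotas, orders and containers. Whether skyline's enforcer populates it is not visible here, so a comment at the first occurrence would save the next reader the investigation, e.g. `# NOTE: "True:%(enforce_new_defaults)s" requires the enforcer to set target["enforce_new_defaults"]; with the key absent every such rule denies.` The same prefix is used by the secretstores/transport_key hunk that follows. The enclosing list_rules tuple starts and ends outside this hunk.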
@@ -431,70 +466,70 @@ list_rules = (
 ),
 base.APIRule(
 name="secretstores:get",
- check_str=("rule:all_users or role:reader"),
+ check_str=("True:%(enforce_new_defaults)s and role:reader"),
 description="Get list of available secret store backends.",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/secret-stores"}],
 ),
 base.APIRule(
 name="secretstores:get_global_default",
- check_str=("rule:all_users or role:reader"),
+ check_str=("True:%(enforce_new_defaults)s and role:reader"),
 description="Get a reference to the secret store that is used as default secret store backend for the deployment.",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/secret-stores/global-default"}],
 ),
 base.APIRule(
 name="secretstores:get_preferred",
- check_str=("rule:all_users or role:reader"),
+ check_str=("True:%(enforce_new_defaults)s and role:reader"),
 description="Get a reference to the preferred secret store if assigned previously.",
 scope_types=["project", "system"],
 operations=[{"method": "GET", "path": "/v1/secret-stores/preferred"}],
 ),
 base.APIRule(
 name="secretstore_preferred:post",
- check_str=("rule:admin"),
+ check_str=("True:%(enforce_new_defaults)s and role:admin"),
 description="Set a secret store backend to be preferred store backend for their project.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/v1/secret-stores/{ss-id}/preferred"}],
 ),
 base.APIRule(
 name="secretstore_preferred:delete",
- check_str=("rule:admin"),
+ check_str=("True:%(enforce_new_defaults)s and role:admin"),
 description="Remove preferred secret store backend setting for their project.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/v1/secret-stores/{ss-id}/preferred"}],
 ),
 base.APIRule(
 name="secretstore:get",
- check_str=("rule:all_users or role:reader"),
+ check_str=("True:%(enforce_new_defaults)s and role:reader"),
 description="Get details of secret store by its ID.",
 scope_types=["project", 
"system"], operations=[{"method": "GET", "path": "/v1/secret-stores/{ss-id}"}], ), base.APIRule( name="transport_key:get", - check_str=("rule:all_users or role:reader"), + check_str=("True:%(enforce_new_defaults)s and role:reader"), description="Get a specific transport key.", scope_types=["project", "system"], operations=[{"method": "GET", "path": "/v1/transport_keys/{key-id}}"}], ), base.APIRule( name="transport_key:delete", - check_str=("role:admin and system_scope:all"), + check_str=("True:%(enforce_new_defaults)s and rule:system_admin"), description="Delete a specific transport key.", scope_types=["system"], operations=[{"method": "DELETE", "path": "/v1/transport_keys/{key-id}"}], ), base.APIRule( name="transport_keys:get", - check_str=("rule:all_users or role:reader"), + check_str=("True:%(enforce_new_defaults)s and role:reader"), description="Get a list of all transport keys.", scope_types=["project", "system"], operations=[{"method": "GET", "path": "/v1/transport_keys"}], ), base.APIRule( name="transport_keys:post", - check_str=("role:admin and system_scope:all"), + check_str=("True:%(enforce_new_defaults)s and rule:system_admin"), description="Create a new transport key.", scope_types=["system"], operations=[{"method": "POST", "path": "/v1/transport_keys"}], diff --git a/skyline_apiserver/policy/manager/glance.py b/skyline_apiserver/policy/manager/glance.py index d828a4a..1448cf0 100644 --- a/skyline_apiserver/policy/manager/glance.py +++ b/skyline_apiserver/policy/manager/glance.py 
@@ -47,357 +47,357 @@ list_rules = ( name="add_image", check_str=("role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"), description="Create new image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/images"}], ), base.APIRule( name="delete_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Deletes the image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="get_image", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"), description="Get specified image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="get_images", check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), description="Get all available images", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images"}], ), base.APIRule( name="modify_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Updates given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="publicize_image", check_str=("role:admin"), description="Publicize given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="communitize_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Communitize given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PATCH", 
"path": "/v2/images/{image_id}"}], ), base.APIRule( name="download_image", check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"), description="Downloads given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}], ), base.APIRule( name="upload_image", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Uploads data to specified image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}], ), base.APIRule( name="delete_image_location", check_str=("role:admin"), description="Deletes the location of given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="get_image_location", check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), description="Reads the location of the image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="set_image_location", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Sets location URI to given image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}], ), base.APIRule( name="add_member", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Create image member", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}], ), base.APIRule( name="delete_member", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Delete image member", - 
scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}], ), base.APIRule( name="get_member", check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"), description="Show image member details", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}], ), base.APIRule( name="get_members", check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"), description="List image members", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}], ), base.APIRule( name="modify_member", check_str=("role:admin or (role:member and project_id:%(member_id)s)"), description="Update image member", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}], ), base.APIRule( name="deactivate", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Deactivate image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}], ), base.APIRule( name="reactivate", check_str=("role:admin or (role:member and project_id:%(project_id)s)"), description="Reactivate image", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}], ), base.APIRule( name="copy_image", check_str=("role:admin"), description="Copy existing image to other stores", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}], ), base.APIRule( name="get_task", check_str=("rule:default"), description="Get an image 
task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}], ), base.APIRule( name="get_tasks", check_str=("rule:default"), description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/tasks"}], ), base.APIRule( name="add_task", check_str=("rule:default"), description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. 
This may change in the future.\n#", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/tasks"}], ), base.APIRule( name="modify_task", check_str=("rule:default"), description="This policy is not used.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}], ), base.APIRule( name="tasks_api_access", check_str=("role:admin"), description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}], ), base.APIRule( name="get_metadef_namespace", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get a specific namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}], ), base.APIRule( name="get_metadef_namespaces", check_str=("role:admin or (role:reader and project_id:%(project_id)s)"), description="List namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}], ), base.APIRule( name="modify_metadef_namespace", check_str=("rule:metadef_admin"), description="Modify an existing namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}], ), base.APIRule( name="add_metadef_namespace", check_str=("rule:metadef_admin"), description="Create a namespace.", - scope_types=["system", "project"], + scope_types=["project"], 
operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}], ), base.APIRule( name="delete_metadef_namespace", check_str=("rule:metadef_admin"), description="Delete a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}], ), base.APIRule( name="get_metadef_object", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get a specific object from a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}], ), base.APIRule( name="get_metadef_objects", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get objects from a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}], ), base.APIRule( name="modify_metadef_object", check_str=("rule:metadef_admin"), description="Update an object within a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}], ), base.APIRule( name="add_metadef_object", check_str=("rule:metadef_admin"), description="Create an object within a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}], ), base.APIRule( name="delete_metadef_object", check_str=("rule:metadef_admin"), description="Delete an object within a namespace.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}], ), base.APIRule( 
name="list_metadef_resource_types", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="List meta definition resource types.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}], ), base.APIRule( name="get_metadef_resource_type", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get meta definition resource types associations.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}], ), base.APIRule( name="add_metadef_resource_type_association", check_str=("rule:metadef_admin"), description="Create meta definition resource types association.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}], ), base.APIRule( name="remove_metadef_resource_type_association", check_str=("rule:metadef_admin"), description="Delete meta definition resource types association.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}], ), base.APIRule( name="get_metadef_property", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get a specific meta definition property.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}], ), base.APIRule( name="get_metadef_properties", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="List meta definition properties.", - scope_types=["system", "project"], + 
scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}], ), base.APIRule( name="modify_metadef_property", check_str=("rule:metadef_admin"), description="Update meta definition property.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}], ), base.APIRule( name="add_metadef_property", check_str=("rule:metadef_admin"), description="Create meta definition property.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}], ), base.APIRule( name="remove_metadef_property", check_str=("rule:metadef_admin"), description="Delete meta definition property.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}], ), base.APIRule( name="get_metadef_tag", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="Get tag definition.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}], ), base.APIRule( name="get_metadef_tags", check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"), description="List tag definitions.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}], ), base.APIRule( name="modify_metadef_tag", check_str=("rule:metadef_admin"), description="Update tag definition.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}], ), base.APIRule( 
name="add_metadef_tag", check_str=("rule:metadef_admin"), description="Add tag definition.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}], ), base.APIRule( name="add_metadef_tags", check_str=("rule:metadef_admin"), description="Create tag definitions.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}], ), base.APIRule( name="delete_metadef_tag", check_str=("rule:metadef_admin"), description="Delete tag definition.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}], ), base.APIRule( name="delete_metadef_tags", check_str=("rule:metadef_admin"), description="Delete tag definitions.", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}], ), base.APIRule( @@ -425,7 +425,7 @@ list_rules = ( name="stores_info_detail", check_str=("role:admin"), description="Expose store specific information", - scope_types=["system", "project"], + scope_types=["project"], operations=[{"method": "GET", "path": "/v2/info/stores/detail"}], ), ) diff --git a/skyline_apiserver/policy/manager/ironic.py b/skyline_apiserver/policy/manager/ironic.py index b7f3240..3a877bb 100644 --- a/skyline_apiserver/policy/manager/ironic.py +++ b/skyline_apiserver/policy/manager/ironic.py 
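Review bot: `modify_metadef_property` still lists `{"method": "GET", ...}` as its only operation although its description is "Update meta definition property.", and `remove_metadef_resource_type_association` lists `POST` for what its description calls a delete; these context lines look like metadata errors carried over from the source policy (presumably `PUT` and `DELETE` respectively) and should be corrected while the file is being touched. Narrowing every `scope_types` to `["project"]` means rules that still check bare `role:admin` (`publicize_image`, `delete_image_location`, `copy_image`, `tasks_api_access`, and `stores_info_detail` in the `@@ -425` hunk below) are satisfied by an admin-role token on any project; that appears to be the intended model, but it deserves a one-line comment at the head of `list_rules`, e.g. `# No system-scoped rules here: role:admin is the cloud admin, matched on any project-scoped token.` This note covers both Glance hunks.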
@@ -72,7 +72,14 @@ list_rules = ( name="baremetal:node:create", check_str=("role:admin and system_scope:all"), description="Create Node records", - scope_types=["system"], + scope_types=["system", "project"], + operations=[{"method": "POST", "path": "/nodes"}], + ), + base.APIRule( + name="baremetal:node:create:self_owned_node", + check_str=("role:admin"), + description="Create node records which will be tracked as owned by the associated user project.", + scope_types=["project"], operations=[{"method": "POST", "path": "/nodes"}], ), base.APIRule( @@ -243,6 +250,13 @@ list_rules = ( scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}], ), + base.APIRule( + name="baremetal:node:delete:self_owned_node", + check_str=("role:admin and project_id:%(node.owner)s"), + description="Delete node records which are associated with the requesting project.", + scope_types=["project"], + operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}], + ), base.APIRule( name="baremetal:node:validate", check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s)"), diff --git a/skyline_apiserver/policy/manager/manila.py b/skyline_apiserver/policy/manager/manila.py index 5dd2080..9847c26 100644 --- a/skyline_apiserver/policy/manager/manila.py +++ b/skyline_apiserver/policy/manager/manila.py 
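Review bot: `baremetal:node:create` now accepts project scope in `scope_types` while its check string still requires `system_scope:all`, so a project-scoped admin can never satisfy this rule directly and is served only by the new `baremetal:node:create:self_owned_node` sibling; that coupling deserves a comment on the rule, e.g. `# Project-scoped callers fall through to baremetal:node:create:self_owned_node.` The create sibling's `role:admin` has no `project_id` binding, unlike the delete sibling's `project_id:%(node.owner)s`, which is expected since no owner exists before creation, but its description's claim that the node "will be tracked as owned by the associated user project" depends on the service assigning the owner, not on anything this policy enforces. This note covers the `@@ -243` hunk in the same file as well.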
@@ -509,6 +509,27 @@ list_rules = ( scope_types=["system", "project"], operations=[{"method": "POST", "path": "/snapshots/{snapshot_id}/action"}], ), + base.APIRule( + name="share_snapshot:update_metadata", + check_str=("(rule:system-admin) or (rule:project-member)"), + description="Update snapshot metadata.", + scope_types=["system", "project"], + operations=[{"method": "PUT", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "POST", "path": "/snapshots/{snapshot_id}/metadata/{key}"}, {"method": "POST", "path": "/snapshots/{snapshot_id}/metadata"}], + ), + base.APIRule( + name="share_snapshot:delete_metadata", + check_str=("(rule:system-admin) or (rule:project-member)"), + description="Delete snapshot metadata.", + scope_types=["system", "project"], + operations=[{"method": "DELETE", "path": "/snapshots/{snapshot_id}/metadata/{key}"}], + ), + base.APIRule( + name="share_snapshot:get_metadata", + check_str=("(rule:system-reader) or (rule:project-reader)"), + description="Get snapshot metadata.", + scope_types=["system", "project"], + operations=[{"method": "GET", "path": "/snapshots/{snapshot_id}/metadata"}, {"method": "GET", "path": "/snapshots/{snapshot_id}/metadata/{key}"}], + ), base.APIRule( name="share_snapshot_export_location:index", check_str=("(rule:system-reader) or (rule:project-reader)"), diff --git a/skyline_apiserver/policy/manager/nova.py b/skyline_apiserver/policy/manager/nova.py index c10aa02..368082f 100644 --- a/skyline_apiserver/policy/manager/nova.py +++ b/skyline_apiserver/policy/manager/nova.py @@ -33,11 +33,6 @@ list_rules = ( check_str=("is_admin:True"), description="Default rule for most Admin APIs.", ), - base.Rule( - name="project_admin_api", - check_str=("role:admin and project_id:%(project_id)s"), - description="Default rule for Project level admin APIs.", - ), base.Rule( name="project_member_api", check_str=("role:member and project_id:%(project_id)s"), 
@@ -48,28 +43,33 @@ list_rules = ( check_str=("role:reader and project_id:%(project_id)s"), description="Default rule for Project level read only APIs.", ), + base.Rule( + name="project_member_or_admin", + check_str=("rule:project_member_api or rule:context_is_admin"), + description="Default rule for Project Member or admin APIs.", + ), base.Rule( name="project_reader_or_admin", check_str=("rule:project_reader_api or rule:context_is_admin"), - description="Default rule for Project reader and admin APIs.", + description="Default rule for Project reader or admin APIs.", ), base.APIRule( name="os_compute_api:os-admin-actions:reset_state", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Reset the state of a given server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-resetState)"}], ), base.APIRule( name="os_compute_api:os-admin-actions:inject_network_info", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Inject network information into the server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (injectNetworkInfo)"}], ), base.APIRule( name="os_compute_api:os-admin-password", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Change the administrative password for a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (changePassword)"}], 
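Review bot: `os-admin-actions:reset_state` and `inject_network_info` move from the removed `project_admin_api` (admin bound to `project_id:%(project_id)s`) to `rule:context_is_admin`, which is `is_admin:True` per the context line above, so any admin-role token matches regardless of the request's project; this follows Nova's current defaults but is a widening relative to the previous file and should be called out in the commit description or with a comment on `context_is_admin`, e.g. `# Admin is the cloud admin here: not bound to the request's project.` The new `project_member_or_admin` rule mirrors `project_reader_or_admin` in form, which keeps the two legible side by side. The same rule substitutions are repeated in the later hunks of this file (`@@ -153`, `@@ -209`, `@@ -349`, `@@ -482`, `@@ -524`, `@@ -573`) and need no separate comment.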
@@ -153,28 +153,28 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-attach-interfaces:list", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List port interfaces attached to a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show details of a port interface attached to a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-interface/{port_id}"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Attach an interface to a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:os-attach-interfaces:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Detach an interface from a server", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/os-interface/{port_id}"}], 
@@ -209,49 +209,49 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-console-auth-tokens", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Show console connection information for a given console authentication token", scope_types=["project"], operations=[{"method": "GET", "path": "/os-console-auth-tokens/{console_token}"}], ), base.APIRule( name="os_compute_api:os-console-output", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Show console output for a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-getConsoleOutput)"}], ), base.APIRule( name="os_compute_api:os-create-backup", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a back up of a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (createBackup)"}], ), base.APIRule( name="os_compute_api:os-deferred-delete:restore", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Restore a soft deleted server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (restore)"}], ), base.APIRule( name="os_compute_api:os-deferred-delete:force", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Force delete a server before deferred cleanup", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (forceDelete)"}], ), base.APIRule( name="os_compute_api:os-evacuate", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Evacuate a server from a failed host to a new host", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (evacuate)"}], ), base.APIRule( name="os_compute_api:os-extended-server-attributes", - 
check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Return extended attributes for server.\n#\n#This rule will control the visibility for a set of servers attributes:\n#\n#- ``OS-EXT-SRV-ATTR:host``\n#- ``OS-EXT-SRV-ATTR:instance_name``\n#- ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3)\n#- ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3)\n#\n#Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}``\n#and ``POST /servers/{server_id}/action (rebuild)`` API responses which are\n#also controlled by this policy rule, like the ``GET /servers*`` APIs.\n#\n#Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute available to\n#all users, so this policy has no effect on that field for microversions 2.90\n#and greater. Controlling the visibility of this attribute for all microversions\n#is therefore deprecated and will be removed in a future release.\n#", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], 
@@ -349,42 +349,42 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-floating-ips:add", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Associate floating IPs to server. This API is deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addFloatingIp)"}], ), base.APIRule( name="os_compute_api:os-floating-ips:remove", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Disassociate floating IPs to server. This API is deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeFloatingIp)"}], ), base.APIRule( name="os_compute_api:os-floating-ips:list", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List floating IPs. This API is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-floating-ips"}], ), base.APIRule( name="os_compute_api:os-floating-ips:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create floating IPs. This API is deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/os-floating-ips"}], ), base.APIRule( name="os_compute_api:os-floating-ips:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show floating IPs. This API is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-floating-ips/{floating_ip_id}"}], ), base.APIRule( name="os_compute_api:os-floating-ips:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete floating IPs. This API is deprecated.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-floating-ips/{floating_ip_id}"}], 
@@ -482,28 +482,28 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-instance-actions:events:details", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Add \"details\" key in action events for a server.\n#\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.84, new field 'details' is exposed via API which can have more details about\n#event failure. That field is controlled by this policy which is system reader\n#by default. Making the 'details' field visible to the non-admin user helps to\n#understand the nature of the problem (i.e. if the action can be retried),\n#but in the other hand it might leak information about the deployment\n#(e.g. the type of the hypervisor).\n#", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], ), base.APIRule( name="os_compute_api:os-instance-actions:events", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Add events details in action details for a server.\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.51, events details are always included; traceback information is provided\n#per event if policy enforcement passes. 
Beginning with Microversion 2.62,\n#each event includes a hashed host identifier and, if policy enforcement\n#passes, the name of the host.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], ), base.APIRule( name="os_compute_api:os-instance-actions:list", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List actions for a server.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions"}], ), base.APIRule( name="os_compute_api:os-instance-actions:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show action details for a server.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}], @@ -524,14 +524,14 @@ list_rules = ( ), base.APIRule( name="os_compute_api:ips:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show IP addresses details for a network label of a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/ips/{network_label}"}], ), base.APIRule( name="os_compute_api:ips:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List IP addresses that are assigned to a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/ips"}], 
@@ -573,91 +573,91 @@ list_rules = ( ), base.APIRule( name="os_compute_api:limits:other_project", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Show rate and absolute limits of other project.\n#\n#This policy only checks if the user has access to the requested\n#project limits. And this check is performed only after the check\n#os_compute_api:limits passes", scope_types=["project"], operations=[{"method": "GET", "path": "/limits"}], ), base.APIRule( name="os_compute_api:os-lock-server:lock", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Lock a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (lock)"}], ), base.APIRule( name="os_compute_api:os-lock-server:unlock", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Unlock a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unlock)"}], ), base.APIRule( name="os_compute_api:os-lock-server:unlock:unlock_override", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Unlock a server, regardless who locked the server.\n#\n#This check is performed only after the check\n#os_compute_api:os-lock-server:unlock passes", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unlock)"}], ), base.APIRule( name="os_compute_api:os-migrate-server:migrate", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Cold migrate a server to a host", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (migrate)"}], ), base.APIRule( name="os_compute_api:os-migrate-server:migrate_live", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Live migrate a server to a new host without a reboot", 
scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-migrateLive)"}], ), base.APIRule( name="os_compute_api:os-migrations:index", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="List migrations", scope_types=["project"], operations=[{"method": "GET", "path": "/os-migrations"}], ), base.APIRule( name="os_compute_api:os-multinic:add", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Add a fixed IP address to a server.\n#\n#This API is proxy calls to the Network service. This is\n#deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addFixedIp)"}], ), base.APIRule( name="os_compute_api:os-multinic:remove", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Remove a fixed IP address from a server.\n#\n#This API is proxy calls to the Network service. This is\n#deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeFixedIp)"}], ), base.APIRule( name="os_compute_api:os-networks:list", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List networks for the project.\n#\n#This API is proxy calls to the Network service. This is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-networks"}], ), base.APIRule( name="os_compute_api:os-networks:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show network details.\n#\n#This API is proxy calls to the Network service. 
This is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-networks/{network_id}"}], ), base.APIRule( name="os_compute_api:os-pause-server:pause", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Pause a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (pause)"}], ), base.APIRule( name="os_compute_api:os-pause-server:unpause", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Unpause a paused server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unpause)"}], @@ -678,7 +678,7 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-quota-sets:update", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Update the quotas", scope_types=["project"], operations=[{"method": "PUT", "path": "/os-quota-sets/{tenant_id}"}], 
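Review bot: Moving `os-lock-server:unlock:unlock_override`, `os-migrate-server:migrate`, `migrate_live`, `os-migrations:index`, `limits:other_project` and `os-quota-sets:update` from `rule:project_admin_api` to `rule:context_is_admin` is a widening if the base rules follow nova's shape (`project_admin_api` as `role:admin and project_id:%(project_id)s`, `context_is_admin` as `role:admin`): the project match against the target is dropped, so an admin-role token scoped to any project can migrate, force-unlock or re-quota resources of other projects. As far as I recall that mirrors nova's own current defaults, but the two definitions are outside this hunk, so confirm them and make the intent explicit with a comment at the `context_is_admin` base rule such as `# cloud-wide admin: deliberately no project_id match (nova default)`. The enclosing `list_rules` tuple starts and ends outside the hunk.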
@@ -692,119 +692,119 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-quota-sets:show", - check_str=("(rule:project_reader_api) or role:admin"), + check_str=("rule:project_reader_or_admin"), description="Show a quota", scope_types=["project"], operations=[{"method": "GET", "path": "/os-quota-sets/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:delete", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Revert quotas to defaults", scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-quota-sets/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-quota-sets:detail", - check_str=("(rule:project_reader_api) or role:admin"), + check_str=("rule:project_reader_or_admin"), description="Show the detail of quota", scope_types=["project"], operations=[{"method": "GET", "path": "/os-quota-sets/{tenant_id}/detail"}], ), base.APIRule( name="os_compute_api:os-remote-consoles", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Generate a URL to access remove server console.\n#\n#This policy is for ``POST /remote-consoles`` API and below Server actions APIs\n#are deprecated:\n#\n#- ``os-getRDPConsole``\n#- ``os-getSerialConsole``\n#- ``os-getSPICEConsole``\n#- ``os-getVNCConsole``.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-getRDPConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getSerialConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getSPICEConsole)"}, {"method": "POST", "path": "/servers/{server_id}/action (os-getVNCConsole)"}, {"method": "POST", "path": "/servers/{server_id}/remote-consoles"}], ), base.APIRule( name="os_compute_api:os-rescue", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Rescue a server", scope_types=["project"], operations=[{"method": "POST", "path": 
"/servers/{server_id}/action (rescue)"}], ), base.APIRule( name="os_compute_api:os-unrescue", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Unrescue a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unrescue)"}], ), base.APIRule( name="os_compute_api:os-security-groups:get", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List security groups. This API is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show security group. This API is deprecated.", scope_types=["project"], operations=[{"method": "GET", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create security group. This API is deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:update", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Update security group. This API is deprecated.", scope_types=["project"], operations=[{"method": "PUT", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete security group. 
This API is deprecated.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-security-groups/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:rule:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create security group Rule. This API is deprecated.", scope_types=["project"], operations=[{"method": "POST", "path": "/os-security-group-rules"}], ), base.APIRule( name="os_compute_api:os-security-groups:rule:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete security group Rule. This API is deprecated.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-security-group-rules/{security_group_id}"}], ), base.APIRule( name="os_compute_api:os-security-groups:list", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List security groups of server.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-security-groups"}], ), base.APIRule( name="os_compute_api:os-security-groups:add", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Add security groups to server.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (addSecurityGroup)"}], ), base.APIRule( name="os_compute_api:os-security-groups:remove", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Remove security groups from server.", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (removeSecurityGroup)"}], ), base.APIRule( name="os_compute_api:os-server-diagnostics", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Show the usage data for a server", scope_types=["project"], operations=[{"method": "GET", "path": 
"/servers/{server_id}/diagnostics"}], 
@@ -818,308 +818,308 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-server-groups:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a new server group", scope_types=["project"], operations=[{"method": "POST", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete a server group", scope_types=["project"], operations=[{"method": "DELETE", "path": "/os-server-groups/{server_group_id}"}], ), base.APIRule( name="os_compute_api:os-server-groups:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List all server groups", scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:index:all_projects", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="List all server groups for all projects", scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups"}], ), base.APIRule( name="os_compute_api:os-server-groups:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show details of a server group", scope_types=["project"], operations=[{"method": "GET", "path": "/os-server-groups/{server_group_id}"}], ), base.APIRule( name="os_compute_api:server-metadata:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List all metadata of a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show metadata for a server", scope_types=["project"], 
operations=[{"method": "GET", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:server-metadata:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create metadata for a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:update_all", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Replace metadata for a server", scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/metadata"}], ), base.APIRule( name="os_compute_api:server-metadata:update", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Update metadata from a server", scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:server-metadata:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete metadata from a server", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/metadata/{key}"}], ), base.APIRule( name="os_compute_api:os-server-password:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show the encrypted administrative password of a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/os-server-password"}], ), base.APIRule( name="os_compute_api:os-server-password:clear", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Clear the encrypted administrative password of a server", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/os-server-password"}], ), base.APIRule( name="os_compute_api:os-server-tags:delete_all", 
- check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete all the server tags", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List all tags for given server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:update_all", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Replace all tags on specified server with the new set of tags.", scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/tags"}], ), base.APIRule( name="os_compute_api:os-server-tags:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete a single tag from the specified server", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="os_compute_api:os-server-tags:update", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Add a single tag to the server if server has no specified tag", scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="os_compute_api:os-server-tags:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Check tag existence on the server.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/tags/{tag}"}], ), base.APIRule( name="compute:server:topology:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show the NUMA topology data for a server", scope_types=["project"], 
operations=[{"method": "GET", "path": "/servers/{server_id}/topology"}], ), base.APIRule( name="compute:server:topology:host:index", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Show the NUMA topology data for a server with host NUMA ID and CPU pinning information", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/topology"}], ), base.APIRule( name="os_compute_api:servers:index", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List all servers", scope_types=["project"], operations=[{"method": "GET", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:detail", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="List all servers with detailed information", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:index:get_all_tenants", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="List all servers for all projects", scope_types=["project"], operations=[{"method": "GET", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:detail:get_all_tenants", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="List all servers with detailed information for all projects", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:allow_all_filters", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Allow all filters when listing servers", scope_types=["project"], operations=[{"method": "GET", "path": "/servers"}, {"method": "GET", "path": "/servers/detail"}], ), base.APIRule( name="os_compute_api:servers:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), 
description="Show a server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}"}], ), base.APIRule( name="os_compute_api:servers:show:flavor-extra-specs", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Starting with microversion 2.47, the flavor and its extra specs used for a server is also returned in the response when showing server details, updating a server or rebuilding a server.", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/detail"}, {"method": "GET", "path": "/servers/{server_id}"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:show:host_status", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="\n#Show a server with additional host status information.\n#\n#This means host_status will be shown irrespective of status value. 
If showing\n#only host_status UNKNOWN is desired, use the\n#``os_compute_api:servers:show:host_status:unknown-only`` policy rule.\n#\n#Microvision 2.75 added the ``host_status`` attribute in the\n#``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``\n#API responses which are also controlled by this policy rule, like the\n#``GET /servers*`` APIs.\n#", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:show:host_status:unknown-only", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="\n#Show a server with additional host status information, only if host status is\n#UNKNOWN.\n#\n#This policy rule will only be enforced when the\n#``os_compute_api:servers:show:host_status`` policy rule does not pass for the\n#request. 
An example policy configuration could be where the\n#``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and\n#the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to\n#allow everyone.\n#", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}"}, {"method": "GET", "path": "/servers/detail"}, {"method": "PUT", "path": "/servers/{server_id}"}, {"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:create", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:create:forced_host", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="\n#Create a server on the specified host and/or node.\n#\n#In this case, the server is forced to launch on the specified\n#host and/or node by bypassing the scheduler filters unlike the\n#``compute:servers:create:requested_destination`` rule.\n#", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="compute:servers:create:requested_destination", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="\n#Create a server on the requested compute service host and/or\n#hypervisor_hostname.\n#\n#In this case, the requested host and/or hypervisor_hostname is\n#validated by the scheduler filters unlike the\n#``os_compute_api:servers:create:forced_host`` rule.\n#", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:create:attach_volume", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a server with the requested volume attached to it", scope_types=["project"], 
operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:create:attach_network", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a server with the requested network attached to it", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:create:trusted_certs", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create a server with trusted image certificate IDs", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="os_compute_api:servers:create:zero_disk_flavor", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="\n#This rule controls the compute API validation behavior of creating a server\n#with a flavor that has 0 disk, indicating the server should be volume-backed.\n#\n#For a flavor with disk=0, the root disk will be set to exactly the size of the\n#image used to deploy the instance. However, in this case the filter_scheduler\n#cannot select the compute host based on the virtual image size. Therefore, 0\n#should only be used for volume booted instances or for testing purposes.\n#\n#WARNING: It is a potential security exposure to enable this policy rule\n#if users can upload their own images since repeated attempts to\n#create a disk=0 flavor instance with a large image can exhaust\n#the local disk of the compute (or shared storage cluster). 
See bug\n#https://bugs.launchpad.net/nova/+bug/1739646 for details.\n#", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}], ), base.APIRule( name="network:attach_external_network", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Attach an unshared external network to a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers"}, {"method": "POST", "path": "/servers/{server_id}/os-interface"}], ), base.APIRule( name="os_compute_api:servers:delete", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Delete a server", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}"}], ), base.APIRule( name="os_compute_api:servers:update", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Update a server", scope_types=["project"], operations=[{"method": "PUT", "path": "/servers/{server_id}"}], ), base.APIRule( name="os_compute_api:servers:confirm_resize", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Confirm a server resize", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (confirmResize)"}], ), base.APIRule( name="os_compute_api:servers:revert_resize", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Revert a server resize", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (revertResize)"}], ), base.APIRule( name="os_compute_api:servers:reboot", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Reboot a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (reboot)"}], ), base.APIRule( name="os_compute_api:servers:resize", - check_str=("rule:project_member_api"), + 
check_str=("rule:project_member_or_admin"), description="Resize a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (resize)"}], 
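Review bot: Every cross-project or host-disclosing rule in this hunk (`servers:index:get_all_tenants`, `servers:detail:get_all_tenants`, `servers:allow_all_filters`, `os-server-groups:index:all_projects`, `servers:show:host_status`, `compute:server:topology:host:index`, `servers:create:forced_host`, `network:attach_external_network`) is now `rule:context_is_admin` while keeping `scope_types=["project"]`. If `context_is_admin` is a bare `role:admin` (its definition is not in this hunk), then with scope enforcement on a system-scoped admin token is rejected by the scope check, whereas a project-scoped admin token on any project passes, so cross-tenant listing is keyed on the role alone rather than on the project in the token. If that is intended, a one-line comment at the base rule, `# project-scoped admin token on any project is sufficient; system scope is not accepted`, would save the next reader a trip through oslo.policy; if operators are expected to use system-scoped tokens for these, `scope_types` needs `"system"` added. The enclosing `list_rules` tuple starts and ends outside the hunk.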
@@ -1133,77 +1133,77 @@ list_rules = ( ), base.APIRule( name="os_compute_api:servers:rebuild", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Rebuild a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:rebuild:trusted_certs", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Rebuild a server with trusted image certificate IDs", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (rebuild)"}], ), base.APIRule( name="os_compute_api:servers:create_image", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create an image from a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (createImage)"}], ), base.APIRule( name="os_compute_api:servers:create_image:allow_volume_backed", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Create an image from a volume backed server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (createImage)"}], ), base.APIRule( name="os_compute_api:servers:start", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Start a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-start)"}], ), base.APIRule( name="os_compute_api:servers:stop", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Stop a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (os-stop)"}], ), base.APIRule( name="os_compute_api:servers:trigger_crash_dump", - check_str=("rule:project_member_api"), + 
check_str=("rule:project_member_or_admin"), description="Trigger crash dump in a server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (trigger_crash_dump)"}], ), base.APIRule( name="os_compute_api:servers:migrations:show", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Show details for an in-progress live migration for a given server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/migrations/{migration_id}"}], ), base.APIRule( name="os_compute_api:servers:migrations:force_complete", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Force an in-progress live migration for a given server to complete", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/migrations/{migration_id}/action (force_complete)"}], ), base.APIRule( name="os_compute_api:servers:migrations:delete", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Delete(Abort) an in-progress live migration", scope_types=["project"], operations=[{"method": "DELETE", "path": "/servers/{server_id}/migrations/{migration_id}"}], ), base.APIRule( name="os_compute_api:servers:migrations:index", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Lists in-progress live migrations for a given server", scope_types=["project"], operations=[{"method": "GET", "path": "/servers/{server_id}/migrations"}], 
@@ -1231,56 +1231,56 @@ list_rules = ( ), base.APIRule( name="os_compute_api:os-shelve:shelve", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Shelve server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (shelve)"}], ), base.APIRule( name="os_compute_api:os-shelve:unshelve", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Unshelve (restore) shelved server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}], ), base.APIRule( name="os_compute_api:os-shelve:unshelve_to_host", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Unshelve (restore) shelve offloaded server to a specific host", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (unshelve)"}], ), base.APIRule( name="os_compute_api:os-shelve:shelve_offload", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="Shelf-offload (remove) server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (shelveOffload)"}], ), base.APIRule( name="os_compute_api:os-simple-tenant-usage:show", - check_str=("rule:project_reader_api"), + check_str=("rule:project_reader_or_admin"), description="Show usage statistics for a specific tenant", scope_types=["project"], operations=[{"method": "GET", "path": "/os-simple-tenant-usage/{tenant_id}"}], ), base.APIRule( name="os_compute_api:os-simple-tenant-usage:list", - check_str=("rule:project_admin_api"), + check_str=("rule:context_is_admin"), description="List per tenant usage statistics for all tenants", scope_types=["project"], operations=[{"method": "GET", "path": "/os-simple-tenant-usage"}], ), base.APIRule( name="os_compute_api:os-suspend-server:resume", - check_str=("rule:project_member_api"), + 
check_str=("rule:project_member_or_admin"), description="Resume suspended server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (resume)"}], ), base.APIRule( name="os_compute_api:os-suspend-server:suspend", - check_str=("rule:project_member_api"), + check_str=("rule:project_member_or_admin"), description="Suspend server", scope_types=["project"], operations=[{"method": "POST", "path": "/servers/{server_id}/action (suspend)"}], 
@@ -1301,98 +1301,98 @@ list_rules = (
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:list",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="List volumes.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-volumes"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:create",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Create volume.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/os-volumes"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:detail",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="List volumes detail.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-volumes/detail"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:show",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="Show volume.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-volumes/{volume_id}"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:delete",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Delete volume.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/os-volumes/{volume_id}"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:snapshots:list",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="List snapshots.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-snapshots"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:snapshots:create",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Create snapshots.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/os-snapshots"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:snapshots:detail",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="List snapshots details.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-snapshots/detail"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:snapshots:show",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="Show snapshot.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/os-snapshots/{snapshot_id}"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes:snapshots:delete",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Delete snapshot.\n#\n#This API is a proxy call to the Volume service. It is deprecated.",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/os-snapshots/{snapshot_id}"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes-attachments:index",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="List volume attachments for an instance",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/servers/{server_id}/os-volume_attachments"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes-attachments:create",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Attach a volume to an instance",
 scope_types=["project"],
 operations=[{"method": "POST", "path": "/servers/{server_id}/os-volume_attachments"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes-attachments:show",
- check_str=("rule:project_reader_api"),
+ check_str=("rule:project_reader_or_admin"),
 description="Show details of a volume attachment",
 scope_types=["project"],
 operations=[{"method": "GET", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}],
 ),
 base.APIRule(
 name="os_compute_api:os-volumes-attachments:update",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Update a volume attachment.\n#New 'update' policy about 'swap + update' request (which is possible\n#only >2.85) only is checked. We expect to be\n#always superset of this policy permission.\n#",
 scope_types=["project"],
 operations=[{"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}],
@@ -1406,7 +1406,7 @@ list_rules = (
 ),
 base.APIRule(
 name="os_compute_api:os-volumes-attachments:delete",
- check_str=("rule:project_member_api"),
+ check_str=("rule:project_member_or_admin"),
 description="Detach a volume from an instance",
 scope_types=["project"],
 operations=[{"method": "DELETE", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}],