# Copyright 2022 99cloud # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # flake8: noqa # fmt: off from . import base list_rules = ( base.Rule( name="context_is_admin", check_str=("role:admin"), description="No description", ), base.Rule( name="admin_or_owner", check_str=("is_admin:True or project_id:%(project_id)s"), description="No description", ), base.Rule( name="admin_api", check_str=("rule:context_is_admin"), description="No description", ), base.Rule( name="deny_everybody", check_str=("!"), description="Default rule for deny everybody.", ), base.APIRule( name="container:create", check_str=("is_admin:True or project_id:%(project_id)s"), description="Create a new container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="container:create:runtime", check_str=("rule:context_is_admin"), description="Create a new container with specified runtime.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="container:create:privileged", check_str=("rule:deny_everybody"), description="Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="container:create:requested_destination", check_str=("rule:context_is_admin"), description="Create a container on the requested compute host.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="container:create:image_pull_policy", check_str=("rule:context_is_admin"), description="Create a new container with specified image pull policy.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="container:delete", check_str=("is_admin:True or project_id:%(project_id)s"), description="Delete a container.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:delete_all_projects", check_str=("rule:context_is_admin"), description="Delete a container from all projects.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:delete_force", check_str=("rule:context_is_admin"), description="Forcibly delete a container.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of a specific container.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one:host", check_str=("rule:context_is_admin"), description="Retrieve the host field of containers.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one:image_pull_policy", check_str=("rule:context_is_admin"), description="Retrieve the image_pull_policy field of containers.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one:privileged", check_str=("rule:context_is_admin"), description="Retrieve the privileged field of containers.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one:runtime", check_str=("rule:context_is_admin"), description="Retrieve the runtime field of containers.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}, {"method": "GET", "path": "/v1/containers"}, {"method": "POST", "path": "/v1/containers"}, {"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_one_all_projects", check_str=("rule:context_is_admin"), description="Retrieve the details of a specific container from all projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:get_all", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of all containers.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers"}], ), base.APIRule( name="container:get_all_all_projects", check_str=("rule:context_is_admin"), description="Retrieve the details of all containers across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers"}], ), base.APIRule( name="container:update", check_str=("is_admin:True or project_id:%(project_id)s"), description="Update a container.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/containers/{container_ident}"}], ), base.APIRule( name="container:start", check_str=("is_admin:True or project_id:%(project_id)s"), description="Start a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/start"}], ), base.APIRule( name="container:stop", check_str=("is_admin:True or project_id:%(project_id)s"), description="Stop a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/stop"}], ), base.APIRule( name="container:reboot", check_str=("is_admin:True or project_id:%(project_id)s"), description="Reboot a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/reboot"}], ), base.APIRule( name="container:pause", check_str=("is_admin:True or project_id:%(project_id)s"), description="Pause a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/pause"}], ), base.APIRule( name="container:unpause", check_str=("is_admin:True or project_id:%(project_id)s"), description="Unpause a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/unpause"}], ), base.APIRule( name="container:logs", check_str=("is_admin:True or project_id:%(project_id)s"), description="Get the log of a container", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/logs"}], ), base.APIRule( name="container:execute", check_str=("is_admin:True or project_id:%(project_id)s"), description="Execute command in a running container", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute"}], ), base.APIRule( name="container:execute_resize", check_str=("is_admin:True or project_id:%(project_id)s"), description="Resize the TTY used by an execute command.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/execute_resize"}], ), base.APIRule( name="container:kill", check_str=("is_admin:True or project_id:%(project_id)s"), description="Kill a running container", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/kill"}], ), base.APIRule( name="container:rename", check_str=("is_admin:True or project_id:%(project_id)s"), description="Rename a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rename"}], ), base.APIRule( name="container:attach", check_str=("is_admin:True or project_id:%(project_id)s"), description="Attach to a running container", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/attach"}], ), base.APIRule( name="container:resize", check_str=("is_admin:True or project_id:%(project_id)s"), description="Resize a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize"}], ), base.APIRule( name="container:top", check_str=("is_admin:True or project_id:%(project_id)s"), description="Display the running processes inside the container.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/top"}], ), base.APIRule( name="container:get_archive", check_str=("is_admin:True or project_id:%(project_id)s"), description="Get a tar archive of a path of container.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/get_archive"}], ), base.APIRule( name="container:put_archive", check_str=("is_admin:True or project_id:%(project_id)s"), description="Put a tar archive to be extracted to a path of container", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/containers/{container_ident}/put_archive"}], ), base.APIRule( name="container:stats", check_str=("is_admin:True or project_id:%(project_id)s"), description="Display the statistics of a container", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/stats"}], ), base.APIRule( name="container:commit", check_str=("is_admin:True or project_id:%(project_id)s"), description="Commit a container", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/commit"}], ), base.APIRule( name="container:add_security_group", check_str=("is_admin:True or project_id:%(project_id)s"), description="Add a security group to a specific container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/add_security_group"}], ), base.APIRule( name="container:network_detach", check_str=("is_admin:True or project_id:%(project_id)s"), description="Detach a network from a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_detach"}], ), base.APIRule( name="container:network_attach", check_str=("is_admin:True or project_id:%(project_id)s"), description="Attach a network from a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/network_attach"}], ), base.APIRule( name="container:remove_security_group", check_str=("is_admin:True or project_id:%(project_id)s"), description="Remove security group from a specific container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/remove_security_group"}], ), base.APIRule( name="container:rebuild", check_str=("is_admin:True or project_id:%(project_id)s"), description="Rebuild a container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/rebuild"}], ), base.APIRule( name="container:resize_container", check_str=("is_admin:True or project_id:%(project_id)s"), description="Resize an existing container.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers/{container_ident}/resize_container"}], ), base.APIRule( name="image:pull", check_str=("rule:context_is_admin"), description="Pull an image.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/images"}], ), base.APIRule( name="image:get_all", check_str=("rule:context_is_admin"), description="Print a list of available images.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/images"}], ), base.APIRule( name="image:get_one", check_str=("rule:context_is_admin"), description="Retrieve the details of a specific image.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/images/{image_id}"}], ), base.APIRule( name="image:search", check_str=("is_admin:True or project_id:%(project_id)s"), description="Search an image.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/images/{image_ident}/search"}], ), base.APIRule( name="image:delete", check_str=("rule:context_is_admin"), description="Delete an image.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/images/{image_ident}"}], ), base.APIRule( name="zun-service:delete", check_str=("rule:context_is_admin"), description="Delete a service.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/services"}], ), base.APIRule( name="zun-service:disable", check_str=("rule:context_is_admin"), description="Disable a service.", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/services/disable"}], ), base.APIRule( name="zun-service:enable", check_str=("rule:context_is_admin"), description="Enable a service.", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/services/enable"}], ), base.APIRule( name="zun-service:force_down", check_str=("rule:context_is_admin"), description="Forcibly shutdown a service.", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/services/force_down"}], ), base.APIRule( name="zun-service:get_all", check_str=("rule:context_is_admin"), description="Show the status of a service.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/services"}], ), base.APIRule( name="host:get_all", check_str=("rule:context_is_admin"), description="List all compute hosts.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/hosts"}], ), base.APIRule( name="host:get", check_str=("rule:context_is_admin"), description="Show the details of a specific compute host.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/hosts/{host_ident}"}], ), base.APIRule( name="capsule:create", check_str=("is_admin:True or project_id:%(project_id)s"), description="Create a capsule", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/capsules/"}], ), base.APIRule( name="capsule:delete", check_str=("is_admin:True or project_id:%(project_id)s"), description="Delete a capsule", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}], ), base.APIRule( name="capsule:delete_all_projects", check_str=("rule:context_is_admin"), description="Delete a container in any project.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/capsules/{capsule_ident}"}], ), base.APIRule( name="capsule:get", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of a capsule.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}], ), base.APIRule( name="capsule:get:host", check_str=("rule:context_is_admin"), description="Retrieve the host field of a capsule.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}, {"method": "GET", "path": "/v1/capsules"}, {"method": "POST", "path": "/v1/capsules"}], ), base.APIRule( name="capsule:get_one_all_projects", check_str=("rule:context_is_admin"), description="Retrieve the details of a capsule in any project.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/capsules/{capsule_ident}"}], ), base.APIRule( name="capsule:get_all", check_str=("is_admin:True or project_id:%(project_id)s"), description="List all capsules.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/capsules/"}], ), base.APIRule( name="capsule:get_all_all_projects", check_str=("rule:context_is_admin"), description="List all capsules across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/capsules/"}], ), base.APIRule( name="network:attach_external_network", check_str=("role:admin"), description="Attach an unshared external network to a container", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/containers"}], ), base.APIRule( name="network:create", check_str=("role:admin"), description="Create a network", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/networks"}], ), base.APIRule( name="network:delete", check_str=("role:admin"), description="Delete a network", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/networks"}], ), base.APIRule( name="container:actions", check_str=("is_admin:True or project_id:%(project_id)s"), description="List actions and show action details for a container", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/"}, {"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}], ), base.APIRule( name="container:action:events", check_str=("rule:context_is_admin"), description="Add events details in action details for a container.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/containers/{container_ident}/container_actions/{request_id}"}], ), base.APIRule( name="availability_zones:get_all", check_str=("is_admin:True or project_id:%(project_id)s"), description="List availability zone", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/availability_zones"}], ), base.APIRule( name="quota:update", check_str=("rule:context_is_admin"), description="Update quotas for a project", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/quotas/{project_id}"}], ), base.APIRule( name="quota:delete", check_str=("rule:context_is_admin"), description="Delete quotas for a project", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}"}], ), base.APIRule( name="quota:get", check_str=("is_admin:True or project_id:%(project_id)s"), description="Get quotas for a project", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/quotas/{project_id}"}], ), base.APIRule( name="quota:get_default", check_str=("is_admin:True or project_id:%(project_id)s"), description="Get default quotas for a project", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/quotas/defaults"}], ), base.APIRule( name="quota_class:update", check_str=("rule:context_is_admin"), description="Update quotas for specific quota class", scope_types=["project"], operations=[{"method": "PUT", "path": "/v1/quota_classes/{quota_class_name}"}], ), base.APIRule( name="quota_class:get", check_str=("rule:context_is_admin"), description="List quotas for specific quota class", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/quota_classes/{quota_class_name}"}], ), base.APIRule( name="registry:create", check_str=("is_admin:True or project_id:%(project_id)s"), description="Create a new registry.", scope_types=["project"], operations=[{"method": "POST", "path": "/v1/registries"}], ), base.APIRule( name="registry:delete", check_str=("is_admin:True or project_id:%(project_id)s"), description="Delete a registry.", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v1/registries/{registry_ident}"}], ), base.APIRule( name="registry:get_one", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of a specific registry.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/registries/{registry_ident}"}], ), base.APIRule( name="registry:get_all", check_str=("is_admin:True or project_id:%(project_id)s"), description="Retrieve the details of all registries.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/registries"}], ), base.APIRule( name="registry:get_all_all_projects", check_str=("rule:context_is_admin"), description="Retrieve the details of all registries across projects.", scope_types=["project"], operations=[{"method": "GET", "path": "/v1/registries"}], ), base.APIRule( name="registry:update", check_str=("is_admin:True or project_id:%(project_id)s"), description="Update a registry.", scope_types=["project"], operations=[{"method": "PATCH", "path": "/v1/registries/{registry_ident}"}], ), ) __all__ = ("list_rules",)