# Copyright 2022 99cloud
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# flake8: noqa
# fmt: off
"""Policy rule definitions for the image service (Glance) API.

``list_rules`` is a tuple of ``base.Rule`` entries (named checks that other
rules reference via ``rule:<name>``) followed by ``base.APIRule`` entries
(checks bound to HTTP operations).  Every ``APIRule`` in this file carries
``scope_types=["project"]``.  The ``# fmt: off`` / ``# flake8: noqa`` markers
suggest the file is generated from the upstream policy defaults; presumably
changes belong in the generator rather than here -- TODO confirm.
"""
from . import base

list_rules = (
    # --- Reusable named rules ------------------------------------------------
    # Empty check string.  NOTE(review): in oslo.policy an empty rule evaluates
    # to true for every caller, so anything delegating to ``rule:default``
    # (the task rules below) is not restricted by this rule itself.
    base.Rule(
        name="default",
        check_str=(""),
        description="Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file.",
    ),
    base.Rule(
        name="context_is_admin",
        check_str=("role:admin"),
        description="Defines the rule for the is_admin:True check.",
    ),
    base.Rule(
        name="manage_image_cache",
        check_str=("role:admin"),
        description="Manage image cache",
    ),
    # Empty check string like ``default``; not referenced by any rule in this
    # file.
    base.Rule(
        name="metadef_default",
        check_str=(""),
        description="No description",
    ),
    # Referenced by every metadef write rule (``rule:metadef_admin``) below.
    base.Rule(
        name="metadef_admin",
        check_str=("role:admin"),
        description="No description",
    ),
    # --- Images --------------------------------------------------------------
    # The extra ``project_id:%(owner)s`` term ties the new image's owner to the
    # caller's project, in addition to the usual project match.
    base.APIRule(
        name="add_image",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s and project_id:%(owner)s)"),
        description="Create new image",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/images"}],
    ),
    base.APIRule(
        name="delete_image",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Deletes the image",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/images/{image_id}"}],
    ),
    # Readers outside the owning project pass when they are the image member
    # (``member_id``) or the visibility is community/public/shared.
    base.APIRule(
        name="get_image",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
        description="Get specified image",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
    ),
    base.APIRule(
        name="get_images",
        check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
        description="Get all available images",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images"}],
    ),
    base.APIRule(
        name="modify_image",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Updates given image",
        scope_types=["project"],
        operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
    ),
    # Admin-only: making an image public is not delegated to project members.
    base.APIRule(
        name="publicize_image",
        check_str=("role:admin"),
        description="Publicize given image",
        scope_types=["project"],
        operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
    ),
    base.APIRule(
        name="communitize_image",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Communitize given image",
        scope_types=["project"],
        operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
    ),
    # Same visibility/member terms as ``get_image`` but requires the member
    # role rather than reader.
    base.APIRule(
        name="download_image",
        check_str=("role:admin or ((role:member or role:_member_) and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"),
        description="Downloads given image",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images/{image_id}/file"}],
    ),
    base.APIRule(
        name="upload_image",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Uploads data to specified image",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/images/{image_id}/file"}],
    ),
    # Location handling: deleting a location is admin-only, while reading and
    # setting one follow the reader/member project checks.
    base.APIRule(
        name="delete_image_location",
        check_str=("role:admin"),
        description="Deletes the location of given image",
        scope_types=["project"],
        operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
    ),
    base.APIRule(
        name="get_image_location",
        check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
        description="Reads the location of the image",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images/{image_id}"}],
    ),
    base.APIRule(
        name="set_image_location",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Sets location URI to given image",
        scope_types=["project"],
        operations=[{"method": "PATCH", "path": "/v2/images/{image_id}"}],
    ),
    # --- Image members -------------------------------------------------------
    base.APIRule(
        name="add_member",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Create image member",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/images/{image_id}/members"}],
    ),
    base.APIRule(
        name="delete_member",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Delete image member",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/images/{image_id}/members/{member_id}"}],
    ),
    # NOTE(review): ``get_member`` and ``get_members`` have no parentheses
    # around the ``or``; they rely on oslo.policy binding ``and`` tighter than
    # ``or`` to read as ``admin or (reader and (...))`` -- confirm, or
    # parenthesize in the source these are generated from.
    base.APIRule(
        name="get_member",
        check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
        description="Show image member details",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images/{image_id}/members/{member_id}"}],
    ),
    base.APIRule(
        name="get_members",
        check_str=("role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"),
        description="List image members",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/images/{image_id}/members"}],
    ),
    # Keyed on ``member_id`` rather than ``project_id``: presumably the member
    # project updates its own membership entry, not the image owner.
    base.APIRule(
        name="modify_member",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(member_id)s)"),
        description="Update image member",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/images/{image_id}/members/{member_id}"}],
    ),
    # --- Image actions -------------------------------------------------------
    base.APIRule(
        name="deactivate",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Deactivate image",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/deactivate"}],
    ),
    base.APIRule(
        name="reactivate",
        check_str=("role:admin or ((role:member or role:_member_) and project_id:%(project_id)s)"),
        description="Reactivate image",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/images/{image_id}/actions/reactivate"}],
    ),
    base.APIRule(
        name="copy_image",
        check_str=("role:admin"),
        description="Copy existing image to other stores",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/images/{image_id}/import"}],
    ),
    # --- Tasks ---------------------------------------------------------------
    # The granular task rules delegate to ``rule:default`` (empty, see above);
    # per their own descriptions the external tasks API is meant to be gated
    # by ``tasks_api_access`` instead.  The ``\n#`` runs inside these
    # descriptions look like artefacts of extracting text from a policy
    # sample file; they are part of the string value and are kept verbatim.
    base.APIRule(
        name="get_task",
        check_str=("rule:default"),
        description="Get an image task.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}],
    ),
    base.APIRule(
        name="get_tasks",
        check_str=("rule:default"),
        description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/tasks"}],
    ),
    # NOTE(review): the description below is identical to ``get_tasks``
    # ("List tasks for all images.") although this rule covers POST; it
    # looks carried over from the source definition.
    base.APIRule(
        name="add_task",
        check_str=("rule:default"),
        description="List tasks for all images.\n#\n#This granular policy controls access to tasks, both from the tasks API as well\n#as internal locations in Glance that use tasks (like import). Practically this\n#cannot be more restrictive than the policy that controls import or things will\n#break, and changing it from the default is almost certainly not what you want.\n#Access to the external tasks API should be restricted as desired by the\n#tasks_api_access policy. This may change in the future.\n#",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/tasks"}],
    ),
    # Description states the policy is unused while ``operations`` lists
    # DELETE; kept as-is since the operations entry is metadata only.
    base.APIRule(
        name="modify_task",
        check_str=("rule:default"),
        description="This policy is not used.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
    ),
    # Blanket admin-only gate across every task operation listed.
    base.APIRule(
        name="tasks_api_access",
        check_str=("role:admin"),
        description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}],
    ),
    # --- Metadata definitions (metadefs) -------------------------------------
    # Read rules: reader role on the owning project, or a public namespace.
    # Write rules: ``rule:metadef_admin`` (role:admin) throughout.
    base.APIRule(
        name="get_metadef_namespace",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get a specific namespace.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
    ),
    base.APIRule(
        name="get_metadef_namespaces",
        check_str=("role:admin or (role:reader and project_id:%(project_id)s)"),
        description="List namespace.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces"}],
    ),
    base.APIRule(
        name="modify_metadef_namespace",
        check_str=("rule:metadef_admin"),
        description="Modify an existing namespace.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
    ),
    base.APIRule(
        name="add_metadef_namespace",
        check_str=("rule:metadef_admin"),
        description="Create a namespace.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces"}],
    ),
    base.APIRule(
        name="delete_metadef_namespace",
        check_str=("rule:metadef_admin"),
        description="Delete a namespace.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}"}],
    ),
    base.APIRule(
        name="get_metadef_object",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get a specific object from a namespace.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
    ),
    base.APIRule(
        name="get_metadef_objects",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get objects from a namespace.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
    ),
    base.APIRule(
        name="modify_metadef_object",
        check_str=("rule:metadef_admin"),
        description="Update an object within a namespace.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
    ),
    base.APIRule(
        name="add_metadef_object",
        check_str=("rule:metadef_admin"),
        description="Create an object within a namespace.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/objects"}],
    ),
    base.APIRule(
        name="delete_metadef_object",
        check_str=("rule:metadef_admin"),
        description="Delete an object within a namespace.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}"}],
    ),
    base.APIRule(
        name="list_metadef_resource_types",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="List meta definition resource types.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/resource_types"}],
    ),
    base.APIRule(
        name="get_metadef_resource_type",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get meta definition resource types associations.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
    ),
    base.APIRule(
        name="add_metadef_resource_type_association",
        check_str=("rule:metadef_admin"),
        description="Create meta definition resource types association.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types"}],
    ),
    # NOTE(review): the method is POST for a "remove" rule (and GET for
    # ``modify_metadef_property`` below).  The ``operations`` entries appear
    # to be documentation metadata rather than enforcement input -- verify
    # against the source these are generated from before relying on them.
    base.APIRule(
        name="remove_metadef_resource_type_association",
        check_str=("rule:metadef_admin"),
        description="Delete meta definition resource types association.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}"}],
    ),
    base.APIRule(
        name="get_metadef_property",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get a specific meta definition property.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
    ),
    base.APIRule(
        name="get_metadef_properties",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="List meta definition properties.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
    ),
    base.APIRule(
        name="modify_metadef_property",
        check_str=("rule:metadef_admin"),
        description="Update meta definition property.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
    ),
    base.APIRule(
        name="add_metadef_property",
        check_str=("rule:metadef_admin"),
        description="Create meta definition property.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/properties"}],
    ),
    base.APIRule(
        name="remove_metadef_property",
        check_str=("rule:metadef_admin"),
        description="Delete meta definition property.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}"}],
    ),
    base.APIRule(
        name="get_metadef_tag",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="Get tag definition.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
    ),
    base.APIRule(
        name="get_metadef_tags",
        check_str=("role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"),
        description="List tag definitions.",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
    ),
    base.APIRule(
        name="modify_metadef_tag",
        check_str=("rule:metadef_admin"),
        description="Update tag definition.",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
    ),
    base.APIRule(
        name="add_metadef_tag",
        check_str=("rule:metadef_admin"),
        description="Add tag definition.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
    ),
    base.APIRule(
        name="add_metadef_tags",
        check_str=("rule:metadef_admin"),
        description="Create tag definitions.",
        scope_types=["project"],
        operations=[{"method": "POST", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
    ),
    base.APIRule(
        name="delete_metadef_tag",
        check_str=("rule:metadef_admin"),
        description="Delete tag definition.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}"}],
    ),
    base.APIRule(
        name="delete_metadef_tags",
        check_str=("rule:metadef_admin"),
        description="Delete tag definitions.",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/metadefs/namespaces/{namespace_name}/tags"}],
    ),
    # --- Image cache and store info (all admin-only) -------------------------
    base.APIRule(
        name="cache_image",
        check_str=("role:admin"),
        description="Queue image for caching",
        scope_types=["project"],
        operations=[{"method": "PUT", "path": "/v2/cache/{image_id}"}],
    ),
    base.APIRule(
        name="cache_list",
        check_str=("role:admin"),
        description="List cache status",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/cache"}],
    ),
    base.APIRule(
        name="cache_delete",
        check_str=("role:admin"),
        description="Delete image(s) from cache and/or queue",
        scope_types=["project"],
        operations=[{"method": "DELETE", "path": "/v2/cache"}, {"method": "DELETE", "path": "/v2/cache/{image_id}"}],
    ),
    base.APIRule(
        name="stores_info_detail",
        check_str=("role:admin"),
        description="Expose store specific information",
        scope_types=["project"],
        operations=[{"method": "GET", "path": "/v2/info/stores/detail"}],
    ),
)

# Only the rule tuple is part of the module's public interface.
__all__ = ("list_rules",)