baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1a050ec2c4
skyline-apiserver/skyline_apiserver/policy/manager/ironic.py
zhu.boxiang 8cb60f0833 chore: Move skyline_apiserver out of libs 
1. move skyline_apiserver out of libs
2. remove libs folder
3. remove old skyline folder
4. adjust zull, devstack and dockerfile

Change-Id: I27a4babd3df077d1dfc7555f67a6ea618d4b2966
2022-05-18 17:21:00 +08:00

1035 lines
43 KiB
Python
Raw Blame History

# flake8: noqa
from . import base
list_rules = (
base.Rule(
name="admin_api",
check_str=("role:admin or role:administrator"),
description="Legacy rule for cloud admin access",
),
base.Rule(
name="public_api",
check_str=("is_public_api:True"),
description="Internal flag for public API routes",
),
base.Rule(
name="show_password",
check_str=("!"),
description="Show or mask secrets within node driver information in API responses",
),
base.Rule(
name="show_instance_secrets",
check_str=("!"),
description="Show or mask secrets within instance information in API responses",
),
base.Rule(
name="is_member",
check_str=(
"(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
),
description="May be used to restrict access to specific projects",
),
base.Rule(
name="is_observer",
check_str=("rule:is_member and (role:observer or role:baremetal_observer)"),
description="Read-only API access",
),
base.Rule(
name="is_admin",
check_str=("rule:admin_api or (rule:is_member and role:baremetal_admin)"),
description="Full read/write API access",
),
base.Rule(
name="is_node_owner",
check_str=("project_id:%(node.owner)s"),
description="Owner of node",
),
base.Rule(
name="is_node_lessee",
check_str=("project_id:%(node.lessee)s"),
description="Lessee of node",
),
base.Rule(
name="is_allocation_owner",
check_str=("project_id:%(allocation.owner)s"),
description="Owner of allocation",
),
base.APIRule(
name="baremetal:node:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Create Node records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/nodes"}],
),
base.APIRule(
name="baremetal:node:list",
check_str=("role:reader"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Node records, filtered by an explicit owner or the client project_id",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/nodes"},
{"method": "GET", "path": "/nodes/detail"},
],
),
base.APIRule(
name="baremetal:node:list_all",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Node records",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/nodes"},
{"method": "GET", "path": "/nodes/detail"},
],
),
base.APIRule(
name="baremetal:node:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve a single Node record",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:filter_threshold",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:last_error",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Governs if the node last_error field is masked from APIclients with insufficent privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:reservation",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Governs if the node reservation field is masked from APIclients with insufficent privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_internal_info",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:get:driver_info",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Governs if the driver_info field is masked from APIclients with insufficent privileges.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:driver_info",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:properties",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node properties field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:chassis_uuid",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Governs if node chassis_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:instance_uuid",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node instance_uuid field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:lessee",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node lessee field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:owner",
check_str=("role:member and system_scope:all"),
basic_check_str=("role:admin"),
description="Governs if node owner field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:driver_interfaces",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node driver and driver interfaces field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:network_data",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node driver_info field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:conductor_group",
check_str=("role:member and system_scope:all"),
basic_check_str=("role:admin"),
description="Governs if node conductor_group field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:name",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node name field can be updated via the API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update:retired",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Governs if node retired and retired reason can be updated by API clients.",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update",
check_str=(
"(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin"),
description="Generalized update of node records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_extra",
check_str=(
"(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin"),
description="Update Node extra field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_instance_info",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Update Node instance_info field",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:update_owner_provisioned",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Update Node owner even when Node is provisioned",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Delete Node records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:node:validate",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Request active validation of Nodes",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/validate"}],
),
base.APIRule(
name="baremetal:node:set_maintenance",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Set maintenance flag, taking a Node out of service",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:clear_maintenance",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Clear maintenance flag, placing the Node into service again",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/maintenance"}],
),
base.APIRule(
name="baremetal:node:get_boot_device",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Node boot device metadata",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"},
{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"},
],
),
base.APIRule(
name="baremetal:node:set_boot_device",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Change Node boot device",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/boot_device"}],
),
base.APIRule(
name="baremetal:node:get_indicator_state",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Node indicators and their states",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}",
},
{"method": "GET", "path": "/nodes/{node_ident}/management/indicators"},
],
),
base.APIRule(
name="baremetal:node:set_indicator_state",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Change Node indicator state",
scope_types=["system", "project"],
operations=[
{
"method": "PUT",
"path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}",
},
],
),
base.APIRule(
name="baremetal:node:inject_nmi",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Inject NMI for a node",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/inject_nmi"}],
),
base.APIRule(
name="baremetal:node:get_states",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="View Node power and provision state",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states"}],
),
base.APIRule(
name="baremetal:node:set_power_state",
check_str=(
"(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin"),
description="Change Node power status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/power"}],
),
base.APIRule(
name="baremetal:node:set_provision_state",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Change Node provision status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/provision"}],
),
base.APIRule(
name="baremetal:node:set_raid_state",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Change Node RAID status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/raid"}],
),
base.APIRule(
name="baremetal:node:get_console",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Get Node console connection information",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/states/console"}],
),
base.APIRule(
name="baremetal:node:set_console_state",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Change Node console status",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/nodes/{node_ident}/states/console"}],
),
base.APIRule(
name="baremetal:node:vif:list",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin"),
description="List VIFs attached to node",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/vifs"}],
),
base.APIRule(
name="baremetal:node:vif:attach",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Attach a VIF to a node",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/nodes/{node_ident}/vifs"}],
),
base.APIRule(
name="baremetal:node:vif:detach",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Detach a VIF from a node",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/vifs/{node_vif_ident}"}],
),
base.APIRule(
name="baremetal:node:traits:list",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="List node traits",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/nodes/{node_ident}/traits"}],
),
base.APIRule(
name="baremetal:node:traits:set",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Add a trait to, or replace all traits of, a node",
scope_types=["system", "project"],
operations=[
{"method": "PUT", "path": "/nodes/{node_ident}/traits"},
{"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"},
],
),
base.APIRule(
name="baremetal:node:traits:delete",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Remove one or all traits from a node",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/nodes/{node_ident}/traits"},
{"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"},
],
),
base.APIRule(
name="baremetal:node:bios:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Node BIOS information",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/nodes/{node_ident}/bios"},
{"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"},
],
),
base.APIRule(
name="baremetal:node:disable_cleaning",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Disable Node disk cleaning",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/nodes/{node_ident}"}],
),
base.APIRule(
name="baremetal:port:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Port records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/ports/{port_id}"},
{"method": "GET", "path": "/nodes/{node_ident}/ports"},
{"method": "GET", "path": "/nodes/{node_ident}/ports/detail"},
{"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"},
{"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"},
],
),
base.APIRule(
name="baremetal:port:list",
check_str=("role:reader"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/ports"},
{"method": "GET", "path": "/ports/detail"},
],
),
base.APIRule(
name="baremetal:port:list_all",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/ports"},
{"method": "GET", "path": "/ports/detail"},
],
),
base.APIRule(
name="baremetal:port:create",
check_str=(
"(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Create Port records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/ports"}],
),
base.APIRule(
name="baremetal:port:delete",
check_str=(
"(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Delete Port records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/ports/{port_id}"}],
),
base.APIRule(
name="baremetal:port:update",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Update Port records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/ports/{port_id}"}],
),
base.APIRule(
name="baremetal:portgroup:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Portgroup records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/portgroups"},
{"method": "GET", "path": "/portgroups/detail"},
{"method": "GET", "path": "/portgroups/{portgroup_ident}"},
{"method": "GET", "path": "/nodes/{node_ident}/portgroups"},
{"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"},
],
),
base.APIRule(
name="baremetal:portgroup:create",
check_str=(
"(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Create Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/portgroups"}],
),
base.APIRule(
name="baremetal:portgroup:delete",
check_str=(
"(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Delete Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/portgroups/{portgroup_ident}"}],
),
base.APIRule(
name="baremetal:portgroup:update",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"
),
basic_check_str=("role:admin"),
description="Update Portgroup records",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/portgroups/{portgroup_ident}"}],
),
base.APIRule(
name="baremetal:portgroup:list",
check_str=("role:reader"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Port records, filtered by owner",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/portgroups"},
{"method": "GET", "path": "/portgroups/detail"},
],
),
base.APIRule(
name="baremetal:portgroup:list_all",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Port records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/portgroups"},
{"method": "GET", "path": "/portgroups/detail"},
],
),
base.APIRule(
name="baremetal:chassis:get",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Chassis records",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/chassis"},
{"method": "GET", "path": "/chassis/detail"},
{"method": "GET", "path": "/chassis/{chassis_id}"},
],
),
base.APIRule(
name="baremetal:chassis:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Create Chassis records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/chassis"}],
),
base.APIRule(
name="baremetal:chassis:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Delete Chassis records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/chassis/{chassis_id}"}],
),
base.APIRule(
name="baremetal:chassis:update",
check_str=("role:member and system_scope:all"),
basic_check_str=("role:admin"),
description="Update Chassis records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/chassis/{chassis_id}"}],
),
base.APIRule(
name="baremetal:driver:get",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="View list of available drivers",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/drivers"},
{"method": "GET", "path": "/drivers/{driver_name}"},
],
),
base.APIRule(
name="baremetal:driver:get_properties",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="View driver-specific properties",
scope_types=["system"],
operations=[{"method": "GET", "path": "/drivers/{driver_name}/properties"}],
),
base.APIRule(
name="baremetal:driver:get_raid_logical_disk_properties",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="View driver-specific RAID metadata",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"},
],
),
base.APIRule(
name="baremetal:node:vendor_passthru",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Access vendor-specific Node functions",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"},
{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"},
{"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"},
{"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"},
{
"method": "PATCH",
"path": "nodes/{node_ident}/vendor_passthru?method={method_name}",
},
{
"method": "DELETE",
"path": "nodes/{node_ident}/vendor_passthru?method={method_name}",
},
],
),
base.APIRule(
name="baremetal:driver:vendor_passthru",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Access vendor-specific Driver functions",
scope_types=["system"],
operations=[
{"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"},
{
"method": "GET",
"path": "drivers/{driver_name}/vendor_passthru?method={method_name}",
},
{
"method": "PUT",
"path": "drivers/{driver_name}/vendor_passthru?method={method_name}",
},
{
"method": "POST",
"path": "drivers/{driver_name}/vendor_passthru?method={method_name}",
},
{
"method": "PATCH",
"path": "drivers/{driver_name}/vendor_passthru?method={method_name}",
},
{
"method": "DELETE",
"path": "drivers/{driver_name}/vendor_passthru?method={method_name}",
},
],
),
base.APIRule(
name="baremetal:node:ipa_heartbeat",
check_str=(""),
basic_check_str=("@"),
description="Receive heartbeats from IPA ramdisk",
scope_types=["project"],
operations=[{"method": "POST", "path": "/heartbeat/{node_ident}"}],
),
base.APIRule(
name="baremetal:driver:ipa_lookup",
check_str=(""),
basic_check_str=("@"),
description="Access IPA ramdisk functions",
scope_types=["project"],
operations=[{"method": "GET", "path": "/lookup"}],
),
base.APIRule(
name="baremetal:volume:list_all",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve a list of all Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/volume/connectors"},
{"method": "GET", "path": "/volume/targets"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/targets"},
],
),
base.APIRule(
name="baremetal:volume:list",
check_str=("role:reader"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve a list of Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/volume/connectors"},
{"method": "GET", "path": "/volume/targets"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/targets"},
],
),
base.APIRule(
name="baremetal:volume:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/volume"},
{"method": "GET", "path": "/volume/connectors"},
{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"},
{"method": "GET", "path": "/volume/targets"},
{"method": "GET", "path": "/volume/targets/{volume_target_id}"},
{"method": "GET", "path": "/nodes/{node_ident}/volume"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"},
{"method": "GET", "path": "/nodes/{node_ident}/volume/targets"},
],
),
base.APIRule(
name="baremetal:volume:create",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Create Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/volume/connectors"},
{"method": "POST", "path": "/volume/targets"},
],
),
base.APIRule(
name="baremetal:volume:delete",
check_str=(
"(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Delete Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"},
{"method": "DELETE", "path": "/volume/targets/{volume_target_id}"},
],
),
base.APIRule(
name="baremetal:volume:update",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"
),
basic_check_str=("role:admin"),
description="Update Volume connector and target records",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"},
{"method": "PATCH", "path": "/volume/targets/{volume_target_id}"},
],
),
base.APIRule(
name="baremetal:volume:view_target_properties",
check_str=("(role:reader and system_scope:all) or (role:admin)"),
basic_check_str=("role:admin or role:reader"),
description="Ability to view volume target properties",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"},
{"method": "GET", "path": "/volume/targets/{volume_target_id}"},
],
),
base.APIRule(
name="baremetal:conductor:get",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Conductor records",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/conductors"},
{"method": "GET", "path": "/conductors/{hostname}"},
],
),
base.APIRule(
name="baremetal:allocation:get",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"
),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Allocation records",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/allocations/{allocation_id}"},
{"method": "GET", "path": "/nodes/{node_ident}/allocation"},
],
),
base.APIRule(
name="baremetal:allocation:list",
check_str=("role:reader"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Allocation records, filtered by owner",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:list_all",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve multiple Allocation records",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:create",
check_str=("(role:member and system_scope:all) or (role:member)"),
basic_check_str=("role:admin"),
description="Create Allocation records",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:create_restricted",
check_str=("role:member and system_scope:all"),
basic_check_str=("role:admin"),
description="Create Allocation records with a specific owner.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/allocations"}],
),
base.APIRule(
name="baremetal:allocation:delete",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
),
basic_check_str=("role:admin"),
description="Delete Allocation records",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/allocations/{allocation_id}"},
{"method": "DELETE", "path": "/nodes/{node_ident}/allocation"},
],
),
base.APIRule(
name="baremetal:allocation:update",
check_str=(
"(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"
),
basic_check_str=("role:admin"),
description="Change name and extra fields of an allocation",
scope_types=["system", "project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
),
base.APIRule(
name="baremetal:allocation:create_pre_rbac",
check_str=(
"(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"
),
basic_check_str=("role:admin"),
description="Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.",
scope_types=["project"],
operations=[{"method": "PATCH", "path": "/allocations/{allocation_id}"}],
),
base.APIRule(
name="baremetal:events:post",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Post events",
scope_types=["system"],
operations=[{"method": "POST", "path": "/events"}],
),
base.APIRule(
name="baremetal:deploy_template:get",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="Retrieve Deploy Template records",
scope_types=["system"],
operations=[
{"method": "GET", "path": "/deploy_templates"},
{"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"},
],
),
base.APIRule(
name="baremetal:deploy_template:create",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Create Deploy Template records",
scope_types=["system"],
operations=[{"method": "POST", "path": "/deploy_templates"}],
),
base.APIRule(
name="baremetal:deploy_template:delete",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Delete Deploy Template records",
scope_types=["system"],
operations=[{"method": "DELETE", "path": "/deploy_templates/{deploy_template_ident}"}],
),
base.APIRule(
name="baremetal:deploy_template:update",
check_str=("role:admin and system_scope:all"),
basic_check_str=("role:admin"),
description="Update Deploy Template records",
scope_types=["system"],
operations=[{"method": "PATCH", "path": "/deploy_templates/{deploy_template_ident}"}],
),
)
__all__ = ("list_rules",)
Reference in New Issue View Git Blame Copy Permalink