32a00a6529
1. We register both apirule and rule into enforcer, so we can keep the rule in the check_str 2. We re-generate all the services' policy, we just use the original policy of them. If users want to change, they can change them by themselves. 3. Adjust the post_install.sh, we install the service packages with dependencies. 4. Split the ironic and ironic_inspector policy, they can not be in the same policy file. Change-Id: I9e152e33be4eef60432fb2030d388b3bec4c082e
481 lines
18 KiB
Python
481 lines
18 KiB
Python
# flake8: noqa
|
|
# fmt: off
|
|
|
|
from . import base
|
|
|
|
list_rules = (
|
|
base.Rule(
|
|
name="context_is_admin",
|
|
check_str=("role:admin"),
|
|
description="No description",
|
|
),
|
|
base.Rule(
|
|
name="admin_or_owner",
|
|
check_str=("is_admin:True or project_id:%(project_id)s"),
|
|
description="No description",
|
|
),
|
|
base.Rule(
|
|
name="admin_api",
|
|
check_str=("rule:context_is_admin"),
|
|
description="No description",
|
|
),
|
|
base.Rule(
|
|
name="admin_or_user",
|
|
check_str=("is_admin:True or user_id:%(user_id)s"),
|
|
description="No description",
|
|
),
|
|
base.Rule(
|
|
name="cluster_user",
|
|
check_str=("user_id:%(trustee_user_id)s"),
|
|
description="No description",
|
|
),
|
|
base.Rule(
|
|
name="deny_cluster_user",
|
|
check_str=("not domain_id:%(trustee_domain_id)s"),
|
|
description="No description",
|
|
),
|
|
base.APIRule(
|
|
name="bay:create",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Create a new bay.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/bays"}],
|
|
),
|
|
base.APIRule(
|
|
name="bay:delete",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Delete a bay.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/bays/{bay_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="bay:detail",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of bays with detail.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/bays"}],
|
|
),
|
|
base.APIRule(
|
|
name="bay:get",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve information about the given bay.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/bays/{bay_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="bay:get_all",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of bays.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/bays/"}],
|
|
),
|
|
base.APIRule(
|
|
name="bay:update",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Update an existing bay.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/bays/{bay_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:create",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Create a new baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/baymodels"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:delete",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Delete a baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/baymodels/{baymodel_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:detail",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of baymodel with detail.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/baymodels"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:get",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve information about the given baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/baymodels/{baymodel_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:get_all",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/baymodels"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:update",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Update an existing baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/baymodels/{baymodel_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="baymodel:publish",
|
|
check_str=("rule:admin_api"),
|
|
description="Publish an existing baymodel.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/baymodels"}, {"method": "PATCH", "path": "/v1/baymodels"}],
|
|
),
|
|
base.APIRule(
|
|
name="certificate:create",
|
|
check_str=("rule:admin_or_user or rule:cluster_user"),
|
|
description="Sign a new certificate by the CA.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/certificates"}],
|
|
),
|
|
base.APIRule(
|
|
name="certificate:get",
|
|
check_str=("rule:admin_or_user or rule:cluster_user"),
|
|
description="Retrieve CA information about the given bay/cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
|
|
),
|
|
base.APIRule(
|
|
name="certificate:rotate_ca",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Rotate the CA certificate on the given bay/cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/certificates/{bay_uuid/cluster_uuid}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:create",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Create a new cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clusters"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:delete",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Delete a cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:delete_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete a cluster from any project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:detail",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of clusters with detail.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:detail_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of clusters with detail across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:get",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve information about the given cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:get_one_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve information about the given cluster across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:get_all",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of clusters.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:get_all_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of all clusters across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:update",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Update an existing cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:update_health_status",
|
|
check_str=("rule:admin_or_user or rule:cluster_user"),
|
|
description="Update the health status of an existing cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:update_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Update an existing cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:resize",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Resize an existing cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/resize"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:upgrade",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Upgrade an existing cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
|
|
),
|
|
base.APIRule(
|
|
name="cluster:upgrade_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Upgrade an existing cluster across all projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_ident}/actions/upgrade"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:create",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Create a new cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:delete",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Delete a cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:delete_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete a cluster template from any project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:detail_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of cluster templates with detail across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:detail",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of cluster templates with detail.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:get",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve information about the given cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:get_one_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve information about the given cluster template across project.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:get_all",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of cluster templates.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:get_all_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of cluster templates across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:update",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Update an existing cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:update_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Update an existing cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clustertemplate/{clustertemplate_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="clustertemplate:publish",
|
|
check_str=("rule:admin_api"),
|
|
description="Publish an existing cluster template.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clustertemplates"}, {"method": "PATCH", "path": "/v1/clustertemplates"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:create",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Create a new federation.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/federations"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:delete",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Delete a federation.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/federations/{federation_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:detail",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of federations with detail.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/federations"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:get",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve information about the given federation.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/federations/{federation_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:get_all",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Retrieve a list of federations.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/federations/"}],
|
|
),
|
|
base.APIRule(
|
|
name="federation:update",
|
|
check_str=("rule:deny_cluster_user"),
|
|
description="Update an existing federation.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/federations/{federation_ident}"}],
|
|
),
|
|
base.APIRule(
|
|
name="magnum-service:get_all",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of magnum-services.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/mservices"}],
|
|
),
|
|
base.APIRule(
|
|
name="quota:create",
|
|
check_str=("rule:admin_api"),
|
|
description="Create quota.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/quotas"}],
|
|
),
|
|
base.APIRule(
|
|
name="quota:delete",
|
|
check_str=("rule:admin_api"),
|
|
description="Delete quota for a given project_id and resource.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/quotas/{project_id}/{resource}"}],
|
|
),
|
|
base.APIRule(
|
|
name="quota:get",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Retrieve Quota information for the given project_id.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/quotas/{project_id}/{resource}"}],
|
|
),
|
|
base.APIRule(
|
|
name="quota:get_all",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of quotas.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/quotas"}],
|
|
),
|
|
base.APIRule(
|
|
name="quota:update",
|
|
check_str=("rule:admin_api"),
|
|
description="Update quota for a given project_id.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/quotas/{project_id}/{resource}"}],
|
|
),
|
|
base.APIRule(
|
|
name="stats:get_all",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Retrieve magnum stats.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/stats"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:get",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Retrieve information about the given nodegroup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroup/{nodegroup}"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:get_all",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Retrieve a list of nodegroups that belong to a cluster.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:get_all_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve a list of nodegroups across projects.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:get_one_all_projects",
|
|
check_str=("rule:admin_api"),
|
|
description="Retrieve infornation for a given nodegroup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "GET", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:create",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Create a new nodegroup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "POST", "path": "/v1/clusters/{cluster_id}/nodegroups/"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:delete",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Delete a nodegroup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "DELETE", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
|
|
),
|
|
base.APIRule(
|
|
name="nodegroup:update",
|
|
check_str=("rule:admin_or_owner"),
|
|
description="Update an existing nodegroup.",
|
|
scope_types=["project"],
|
|
operations=[{"method": "PATCH", "path": "/v1/clusters/{cluster_id}/nodegroups/{nodegroup}"}],
|
|
),
|
|
)
|
|
|
|
__all__ = ("list_rules",)
|