baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8cb60f0833
skyline-apiserver/skyline_apiserver/policy/manager/heat.py
zhu.boxiang 8cb60f0833 chore: Move skyline_apiserver out of libs 
1. move skyline_apiserver out of libs
2. remove libs folder
3. remove old skyline folder
4. adjust zull, devstack and dockerfile

Change-Id: I27a4babd3df077d1dfc7555f67a6ea618d4b2966
2022-05-18 17:21:00 +08:00

1015 lines
39 KiB
Python
Raw Blame History

# flake8: noqa
from . import base
list_rules = (
base.Rule(
name="context_is_admin",
check_str=("(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"),
description="Decides what is required for the 'is_admin:True' check to succeed.",
),
base.Rule(
name="project_admin",
check_str=("role:admin"),
description="Default rule for project admin.",
),
base.Rule(
name="deny_stack_user",
check_str=("not role:heat_stack_user"),
description="Default rule for deny stack user.",
),
base.Rule(
name="deny_everybody",
check_str=("!"),
description="Default rule for deny everybody.",
),
base.Rule(
name="allow_everybody",
check_str=(""),
description="Default rule for allow everybody.",
),
base.Rule(
name="cloudformation:ListStacks",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:CreateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStacks",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:DeleteStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:UpdateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:CancelUpdateStack",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackEvents",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:ValidateTemplate",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:GetTemplate",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:EstimateTemplateCost",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackResource",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:DescribeStackResources",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="cloudformation:ListStackResources",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
description="No description",
),
base.Rule(
name="resource_types:OS::Nova::Flavor",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Cinder::EncryptedVolumeType",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Cinder::VolumeType",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Cinder::Quota",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::Quota",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Nova::Quota",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Octavia::Quota",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Manila::ShareType",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::ProviderNet",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::QoSPolicy",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::QoSBandwidthLimitRule",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::QoSDscpMarkingRule",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::QoSMinimumBandwidthRule",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Neutron::Segment",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Nova::HostAggregate",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Cinder::QoSSpecs",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Cinder::QoSAssociation",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Keystone::*",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Blazar::Host",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Octavia::Flavor",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="resource_types:OS::Octavia::FlavorProfile",
check_str=("rule:project_admin"),
description="No description",
),
base.Rule(
name="service:index",
check_str=("role:reader and system_scope:all"),
description="No description",
),
base.APIRule(
name="actions:action",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.",
scope_types=["project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create stack snapshot",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:suspend",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Suspend a stack.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:resume",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Resume a suspended stack.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:check",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Check stack resources.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:cancel_update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Cancel stack operation and roll back.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="actions:cancel_without_rollback",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Cancel stack operation without rolling back.",
scope_types=["system", "project"],
operations=[
{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"},
],
),
base.APIRule(
name="build_info:build_info",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="Show build information.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/build_info"}],
),
base.APIRule(
name="events:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List events.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"},
],
),
base.APIRule(
name="events:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show event.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}",
},
],
),
base.APIRule(
name="resource:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List resources.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"},
],
),
base.APIRule(
name="resource:metadata",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Show resource metadata.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata",
},
],
),
base.APIRule(
name="resource:signal",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user"
),
description="Signal resource.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal",
},
],
),
base.APIRule(
name="resource:mark_unhealthy",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Mark resource as unhealthy.",
scope_types=["system", "project"],
operations=[
{
"method": "PATCH",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}",
},
],
),
base.APIRule(
name="resource:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show resource.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}",
},
],
),
base.APIRule(
name="software_configs:global_index",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List configs globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List configs.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:create",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create config.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}],
),
base.APIRule(
name="software_configs:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show config details.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
),
base.APIRule(
name="software_configs:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete config.",
scope_types=["system", "project"],
operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}],
),
base.APIRule(
name="software_deployments:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List deployments.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}],
),
base.APIRule(
name="software_deployments:create",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create deployment.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}],
),
base.APIRule(
name="software_deployments:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show deployment details.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
),
base.APIRule(
name="software_deployments:update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update deployment.",
scope_types=["system", "project"],
operations=[
{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
),
base.APIRule(
name="software_deployments:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete deployment.",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"},
],
),
base.APIRule(
name="software_deployments:metadata",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Show server configuration metadata.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}",
},
],
),
base.APIRule(
name="stacks:abandon",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Abandon stack.",
scope_types=["system", "project"],
operations=[
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon",
},
],
),
base.APIRule(
name="stacks:create",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Create stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:delete",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete stack.",
scope_types=["system", "project"],
operations=[
{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
),
base.APIRule(
name="stacks:detail",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List stacks in detail.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:export",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Export stack.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"},
],
),
base.APIRule(
name="stacks:generate_template",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Generate stack template.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
),
base.APIRule(
name="stacks:global_index",
check_str=("role:reader and system_scope:all"),
basic_check_str=("role:admin or role:reader"),
description="List stacks globally.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:index",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List stacks.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}],
),
base.APIRule(
name="stacks:list_resource_types",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List resource types.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types"}],
),
base.APIRule(
name="stacks:list_template_versions",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List template versions.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions"}],
),
base.APIRule(
name="stacks:list_template_functions",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="List template functions.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/template_versions/{template_version}/functions",
},
],
),
base.APIRule(
name="stacks:lookup",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"
),
description="Find stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
),
base.APIRule(
name="stacks:preview",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview stack.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}],
),
base.APIRule(
name="stacks:resource_schema",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=("@"),
description="Show resource type schema.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/resource_types/{type_name}"}],
),
base.APIRule(
name="stacks:show",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show stack.",
scope_types=["system", "project"],
operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}],
),
base.APIRule(
name="stacks:template",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack template.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"},
],
),
base.APIRule(
name="stacks:environment",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack environment.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment",
},
],
),
base.APIRule(
name="stacks:files",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Get stack files.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"},
],
),
base.APIRule(
name="stacks:update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack.",
scope_types=["system", "project"],
operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}],
),
base.APIRule(
name="stacks:update_patch",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack (PATCH).",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
),
base.APIRule(
name="stacks:update_no_change",
check_str=("rule:stacks:update_patch"),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Update stack (PATCH) with no changes.",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"},
],
),
base.APIRule(
name="stacks:preview_update",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview update stack.",
scope_types=["system", "project"],
operations=[
{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
),
base.APIRule(
name="stacks:preview_update_patch",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Preview update stack (PATCH).",
scope_types=["system", "project"],
operations=[
{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"},
],
),
base.APIRule(
name="stacks:validate_template",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Validate template.",
scope_types=["system", "project"],
operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}],
),
base.APIRule(
name="stacks:snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Snapshot Stack.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots",
},
],
),
base.APIRule(
name="stacks:show_snapshot",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
),
base.APIRule(
name="stacks:delete_snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Delete snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "DELETE",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}",
},
],
),
base.APIRule(
name="stacks:list_snapshots",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List snapshots.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"},
],
),
base.APIRule(
name="stacks:restore_snapshot",
check_str=(
"(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"
),
description="Restore snapshot.",
scope_types=["system", "project"],
operations=[
{
"method": "POST",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore",
},
],
),
base.APIRule(
name="stacks:list_outputs",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="List outputs.",
scope_types=["system", "project"],
operations=[
{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"},
],
),
base.APIRule(
name="stacks:show_output",
check_str=(
"(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
),
basic_check_str=(
"role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"
),
description="Show outputs.",
scope_types=["system", "project"],
operations=[
{
"method": "GET",
"path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}",
},
],
),
)
__all__ = ("list_rules",)
Reference in New Issue View Git Blame Copy Permalink